脚本目录结构:
--[root@scsv01181 initialization_basic_ansible]# cat site.yml
---
# Entry playbook: applies the baseline roles, in this order, to the "test" group.
# NOTE(review): install_zabbix_agent and install_java1.8 run before
# replace_yumrepo, so their package lookups use whatever repos the host
# already has — confirm that ordering is intended.
- hosts: test
  roles:
    - role: install_zabbix_agent
    - role: install_java1.8
    - role: check_iptables
    - role: replace_yumrepo
    - role: install_check_sshd
    - role: install_maintainer_tools
    - role: selinux_stop
    - role: set_ulimit_maxfiles
    - role: set_timezone
    - role: set_kernel_args
    - role: install_ntp_or_chrony
每一个项目的目录结构
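# --[root@scsv01181 roles]# cat check_iptables/tasks/main.yml
---
# Stops and disables iptables and firewalld when either is running.
# NOTE(review): after this role the host has no local packet filter; the
# only filtering left is whatever sits in front of it on the network.
- name: check iptables status
  shell: ps aux |grep iptables|grep -v grep|wc -l
  register: iptables
  changed_when: false  # read-only probe, never reports "changed"

- name: if have iptables process to stop it
  service:
    name: iptables
    state: stopped
  when: iptables.stdout != "0"

- name: check firewalld status
  shell: ps aux |grep firewall|grep -v grep|wc -l
  register: firewall
  changed_when: false

- name: if have firewall process to stop it
  service:
    name: firewalld
    state: stopped
  when: firewall.stdout != "0"

# Gated on the iptables probe, not the firewalld one: the original used
# firewall.stdout here, so iptables was stopped but stayed enabled and
# came back on the next boot.
- name: disable iptables
  service:
    name: iptables
    enabled: false
  when: iptables.stdout != "0"

- name: disable firewalld
  service:
    name: firewalld
    enabled: false
  when: firewall.stdout != "0"

- name: print iptables and firewalld info
  debug:
    msg: "iptables and firewalld is not running"
  when: iptables.stdout == "0" and firewall.stdout == "0"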
--[root@scsv01181 roles]# cat install_check_sshd/tasks/main.yml
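---
# Checks that openssh-server is installed and that sshd is running and
# enabled. Nothing here installs the package; when it is missing the role
# only reports that.
- name: check sshd is or not install
  shell: rpm -qa|grep openssh-server|wc -l
  args:
    warn: false
  register: sshd_count
  changed_when: false  # read-only probe

- name: print sshd install info
  debug:
    msg: "sshd is not install"
  when: sshd_count.stdout == "0"

# "!= 0" rather than "== 1": rpm -qa may list more than one package name
# containing openssh-server, which the original "== 1" test treated as
# "not installed" and then skipped everything below.
- name: check sshd is or not running
  shell: ps aux |grep /usr/sbin/sshd |grep -v grep|wc -l
  register: ssh_process_count
  changed_when: false
  when: sshd_count.stdout != "0"

# When the probe above is skipped its registered result has no stdout,
# so each consumer guards on "is defined" instead of failing the play.
- name: print sshd is not running
  debug:
    msg: "sshd service is not running"
  when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"

- name: start sshd service
  service:
    name: sshd
    state: started
  when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"

# Enabling is idempotent, so it runs whenever the package is present; the
# original compared the whole registered dict to "0" and never ran.
- name: make sshd service enabled of system started
  service:
    name: sshd
    enabled: true
  when: sshd_count.stdout != "0"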
--[root@scsv01181 roles]# cat install_java1.8/tasks/main.yml
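---
# Installs OpenJDK 1.8 when "java -version" does not already report 1.8.
- name: check the java version
  shell: java -version
  register: javaversion
  failed_when: false  # a missing java is exactly the case being probed
  changed_when: false

- debug:
    msg: "{{ javaversion.stderr }}"

# "java -version" writes to stderr; testing the whole stream avoids
# indexing stderr_lines[0], which raises when stderr is empty.
- name: print java version
  debug:
    msg: "java is installed and the version is 1.8"
  when: "'1.8' in javaversion.stderr"

- name: find java 1.8 package name
  shell: yum list|grep openjdk.x86_64|grep 1.8|cut -d " " -f1|uniq
  args:
    warn: false
  register: java_version
  changed_when: false
  when: "'1.8' not in javaversion.stderr"

- debug:
    msg: "{{ java_version.stdout }}"
  when: java_version.stdout is defined

# yum module instead of "yum install -y" in a shell: idempotent and reports
# changed/ok correctly. stdout_lines covers more than one candidate name.
- name: install java 1.8 package
  yum:
    name: "{{ java_version.stdout_lines }}"
    state: present
  when: java_version.stdout is defined and java_version.stdout != ""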
--[root@scsv01181 roles]# cat install_maintainer_tools/tasks/main.yml
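---
# Installs the day-to-day troubleshooting tools in one yum transaction
# (one dependency resolution instead of seven separate tasks).
# NOTE(review): whether every package is available in the repos the host
# ends up with is not visible here; a missing one fails this single task.
- name: install maintainer tools for system
  yum:
    name:
      - telnet
      - iftop
      - sysstat
      - iotop
      - vim
      - dstat
      - openssl
      - openssl-devel
    state: present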
--[root@scsv01181 roles]# cat install_ntp_or_chrony/tasks/main.yml
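---
# Replaces chrony with ntpd: stops and disables chronyd if it is running,
# installs ntp with the role's ntp.conf, then starts and enables ntpd.
- name: check ntp is not install
  shell: ps aux |grep ntp|grep -v grep|wc -l
  register: count_ntp
  changed_when: false  # read-only probe

- name: check chrony is or not install
  shell: ps aux |grep chrony|grep -v grep|wc -l
  register: count_chrony
  changed_when: false

# state must be "stopped"; the original "stoped" is not a valid value and
# failed the task on every host where chronyd was running.
- name: stop chrony
  service:
    name: chronyd
    state: stopped
  when: count_chrony.stdout == "1"

- name: disable chronyd
  service:
    name: chronyd
    enabled: false
  when: count_chrony.stdout == "1"

- name: install ntp client
  yum:
    name: ntp
    state: present
  when: count_ntp.stdout != "1"

# mode is a quoted octal string: an unquoted 644 is the decimal integer 644
# and would be applied as mode 1204.
- name: copy local ntp config file to remote host
  copy:
    src: ntp.conf
    dest: /etc/ntp.conf
    mode: "0644"
    owner: root
    group: root
    backup: true
    force: true
  register: ntp_conf
  when: count_ntp.stdout != "1"

- name: start ntp client
  service:
    name: ntpd
    state: started

# "started" alone leaves an already running ntpd on the old configuration.
- name: restart ntp client after config change
  service:
    name: ntpd
    state: restarted
  when: ntp_conf.changed | default(false)

- name: make the ntp client service enable
  service:
    name: ntpd
    enabled: true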
--[root@scsv01181 roles]# cat install_zabbix_agent/tasks/main.yml
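---
# Installs zabbix-agent, builds its configuration from the role's base file
# plus SERVERIP / META_DATA, then starts and enables the agent.
# NOTE(review): SERVERIP and META_DATA are not defined in this role; they
# must come from inventory or extra vars, otherwise the lineinfile tasks
# fail on an undefined variable.
- name: install zabbix-agent for zabbix-server
  yum:
    name: zabbix-agent
    state: present

# mode is a quoted octal string: an unquoted 644 is the decimal integer 644
# and would be applied as mode 1204.
- name: copy base zabbix-agent configuration file
  copy:
    src: zabbix_agentd.conf
    dest: /etc/zabbix/zabbix_agentd.conf
    mode: "0644"
    owner: root
    group: root
    backup: true
    force: true
  register: zabbix_base_conf

# Upper-cased hostname via a Jinja filter instead of "echo | tr" in a shell.
- name: get hostname daxie
  set_fact:
    hostname_upper: "{{ ansible_hostname | upper }}"

- debug:
    msg: "{{ hostname_upper }}"

- name: configuration zabbix-agent file hostname
  lineinfile:
    dest: /etc/zabbix/zabbix_agentd.conf
    regexp: '^Hostname='
    line: 'Hostname={{ hostname_upper }}'
  register: zabbix_hostname

- name: configuration zabbix-agent file host metadata
  lineinfile:
    dest: /etc/zabbix/zabbix_agentd.conf
    regexp: '^HostMetadata='
    line: 'HostMetadata={{ META_DATA }}'
  register: zabbix_metadata

- name: configuration zabbix-agent server address
  lineinfile:
    dest: /etc/zabbix/zabbix_agentd.conf
    regexp: '^Server='
    line: 'Server={{ SERVERIP }}'
  register: zabbix_server

# Anchored like the other keys: an unanchored 'ServerActive=' also matches
# commented-out example lines in the stock agent config.
- name: configuration zabbix-agent server active address
  lineinfile:
    dest: /etc/zabbix/zabbix_agentd.conf
    regexp: '^ServerActive='
    line: 'ServerActive={{ SERVERIP }}'
  register: zabbix_server_active

# The configuration is complete before the service comes up; the original
# started the agent before Server/ServerActive were written, so it kept
# running on the old values until something else restarted it.
- name: start zabbix-agent
  service:
    name: zabbix-agent
    state: started
    enabled: true

- name: restart zabbix-agent after configuration change
  service:
    name: zabbix-agent
    state: restarted
  when: >-
    zabbix_base_conf.changed or zabbix_hostname.changed or zabbix_metadata.changed
    or zabbix_server.changed or zabbix_server_active.changed

- debug:
    msg: "now zabbix-agent is running and configuration complete"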
--[root@scsv01181 roles]# cat replace_yumrepo/tasks/main.yml
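---
# Drops the role's repo definition into /etc/yum.repos.d/ and refreshes the
# yum cache when that file actually changed. dest is a directory, so the
# file is added next to any existing *.repo files rather than replacing them.
# NOTE(review): SAIC-CentOS.repo lives in the role's files/ directory and is
# not shown here; check that it keeps gpgcheck=1 with the vendor key,
# otherwise every later yum install trusts the mirror unconditionally.
- name: copy current local yum repo to remote host
  copy:
    src: SAIC-CentOS.repo
    dest: /etc/yum.repos.d/
    mode: "0644"
    owner: root
    group: root
    backup: true
    force: true
  register: yum_repo

- name: clean yum repo
  shell: yum clean all
  args:
    warn: false
  when: yum_repo.changed

- name: yum makecache
  shell: yum makecache
  args:
    warn: false
  when: yum_repo.changed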
--[root@scsv01181 roles]# cat selinux_stop/tasks/main.yml
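---
# Disables SELinux: persistently via /etc/selinux/config and, for the
# running system, by switching to permissive until the next reboot.
# NOTE(review): SELINUX=permissive would keep AVC denials logged while
# still blocking nothing, which is the usual choice when the aim is only
# to stop enforcement.
- name: configuration SELINUX for system
  lineinfile:
    dest: /etc/selinux/config
    regexp: '^SELINUX='
    line: 'SELINUX=disabled'

- name: get the status of selinux
  shell: getenforce
  register: selinux_num
  changed_when: false  # read-only probe

# getenforce prints Enforcing / Permissive / Disabled, never "1", so the
# original '== "1"' test meant setenforce never ran.
- name: temporary change for system
  shell: setenforce 0
  when: selinux_num.stdout == "Enforcing"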
--[root@scsv01181 roles]# cat set_kernel_args/tasks/main.yml
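---
# Writes the hardening/tuning sysctls to /etc/sysctl.conf and applies them.
# The sysctl module keys on the setting name, so a re-run updates the
# existing line; lineinfile with regexp '^$' matched a blank line rather
# than the setting, so each run rewrote a blank line or appended another
# copy. reload: true runs "sysctl -p" on the file when it changed, which
# replaces the separate "sysctl -p" task.
# NOTE(review): net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and, where
# it still exists, breaks clients behind NAT; confirm the target kernel
# before keeping it, since an unknown key makes the reload fail.
- name: set kernel args in /etc/sysctl.conf
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    sysctl_file: /etc/sysctl.conf
    sysctl_set: true
    reload: true
  with_items:
    - name: net.ipv4.tcp_syncookies  # enable SYN cookies
      value: "1"
    - name: net.ipv4.tcp_tw_reuse  # reuse TIME-WAIT sockets for new connections
      value: "1"
    - name: net.ipv4.tcp_tw_recycle  # fast TIME-WAIT recycling (see note above)
      value: "1"
    - name: net.ipv4.tcp_keepalive_time  # keepalive probe interval, seconds
      value: "600"
    - name: net.ipv4.tcp_max_syn_backlog  # SYN queue length
      value: "16384"
    - name: net.ipv4.tcp_max_tw_buckets  # max TIME_WAIT sockets held at once
      value: "36000"
    - name: net.ipv4.tcp_synack_retries  # SYN,ACK retransmissions before giving up
      value: "3"
    - name: net.ipv4.tcp_fin_timeout  # hold time for a locally closed socket
      value: "10"
    - name: net.ipv4.ip_forward  # no IP forwarding
      value: "0"
    - name: net.ipv4.conf.all.send_redirects  # no ICMP redirects, all interfaces
      value: "0"
    - name: net.ipv4.conf.default.send_redirects  # same for new interfaces
      value: "0"
    - name: net.ipv4.conf.all.log_martians  # log impossible source addresses
      value: "1"
    - name: net.ipv4.conf.default.log_martians  # same for new interfaces
      value: "1"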
--[root@scsv01181 roles]# cat set_timezone/tasks/main.yml
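---
# Sets the system timezone with the timezone module: idempotent, reports
# "changed" only when the zone actually differs, instead of an
# unconditional timedatectl call in a shell.
- name: set the time local
  timezone:
    name: Asia/Shanghai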
--[root@scsv01181 roles]# cat set_ulimit_maxfiles/tasks/main.yml
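---
# Raises the open-files limit for all users in /etc/security/limits.conf.
# pam_limits keys on domain/type/item, so a re-run updates the existing
# entry; lineinfile with regexp '^$' matched a blank line instead and
# appended another copy on every run.
# NOTE(review): limits.conf is applied by pam_limits at login, so only new
# sessions see the value. The original "ulimit -n 65536" shell task only
# raised the limit of that one transient shell and changed nothing on the
# host, so it is not carried over.
- name: configuration ulimit soft max files for system
  pam_limits:
    domain: '*'
    limit_type: soft
    limit_item: nofile
    value: "65536"

- name: configuration ulimit hard max files for system
  pam_limits:
    domain: '*'
    limit_type: hard
    limit_item: nofile
    value: "65536"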
引用的文件都会直接放在当前项目的files目录里面作为文件根目录
转载于:https://blog.51cto.com/13945009/2166411