ansible文档:https://docs.ansible.com/ansible/2.9/
1. nginx
角色: geerlingguy.nginx
Linux服务之nginx介绍及配置:https://www.cnblogs.com/dragonyear22/p/13482709.html
[root@server1 ansible]# ansible-galaxy install geerlingguy.nginx
- downloading role 'nginx', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/3.1.0.tar.gz
- extracting geerlingguy.nginx to /mnt/ansible/roles/geerlingguy.nginx
- geerlingguy.nginx (3.1.0) was installed successfully
[root@server1 ansible]# ansible-galaxy list
# /mnt/ansible/roles
- apache, (unknown version)
- haproxy, (unknown version)
- geerlingguy.nginx, 3.1.0
[root@server1 ansible]# cat ansible.cfg
[defaults]
inventory = ./hosts
remote_user = westos
roles_path = ./roles
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[root@server1 ansible]# cd roles/
[root@server1 roles]# ls
apache geerlingguy.nginx haproxy
[root@server1 roles]# tree .
[root@server1 roles]# cd geerlingguy.nginx/
[root@server1 geerlingguy.nginx]# ls
defaults handlers LICENSE meta molecule README.md tasks templates vars
[root@server4 ~]# systemctl stop httpd
[root@server1 ansible]# cd roles/geerlingguy.nginx/defaults/
[root@server1 defaults]# vim main.yml
nginx_vhosts:
# Example vhost below, showing all available options:
- listen: "80" # default: "80"
server_name: "localhost" # default: N/A
root: "/var/www/html" # default: N/A
index: "index.html index.htm" # default: "index.html index.htm"
filename: "example.com.conf" # Can be used to set the vhost filename.
[root@server1 ansible]# vim playbook1.yml
---
- hosts: 192.168.0.4
roles:
- geerlingguy.nginx
[root@server1 ansible]# ansible-playbook playbook1.yml
[root@server4 conf.d]# cd /etc/nginx/conf.d/
[root@server4 conf.d]# ls
example.com.conf
[root@server4 conf.d]# cat example.com.conf
[root@server4 conf.d]# netstat -antlp
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31583/nginx: master
[root@server4 conf.d]# curl localhost
server4
[root@server1 ansible]# ansible-galaxy remove geerlingguy.nginx
[root@server1 ansible]# ansible-galaxy --list
[root@server1 roles]# ls
apache haproxy
[root@server4 conf.d]# systemctl stop nginx
[root@server4 conf.d]# systemctl disable nginx
Removed /etc/systemd/system/multi-user.target.wants/nginx.service.
2. 持续交付和滚动升级
[root@server1 ansible]# vim playbook1.yml
---
- hosts: all
roles:
- role: apache
when: inventory_hostname in groups['webserver']
- role: haproxy
when: ansible_hostname == '192.168.0.1'
[root@server1 ansible]# ansible-playbook playbook1.yml
[root@server4 conf.d]# systemctl stop httpd
server4处于维护状态
[root@server4 conf.d]# systemctl start httpd
[root@server1 haproxy]# vim /etc/haproxy/haproxy.cfg
stats socket /var/lib/haproxy/stats level admin
[root@server1 haproxy]# systemctl reload haproxy.service
[root@server1 haproxy]# echo "disable server app/server4" | socat stdio /var/lib/haproxy/stats
[root@server1 haproxy]# echo "enable server app/server4" | socat stdio /var/lib/haproxy/stats
disable
enable
滚动更新
3. noarch(时间同步角色)
时间同步角色:rhel-system-roles.timesync
[root@server1 ansible]# dnf install -y rhel-system-roles.noarch
[root@server1 ansible]# rpm -qa | grep role
rhel-system-roles-1.0-10.el8_1.noarch
[root@server1 ansible]# rpm -ql rhel-system-roles
/usr/share/ansible/roles
[root@server1 ansible]# cd /usr/share/ansible/roles
[root@server1 roles]# ls
linux-system-roles.kdump linux-system-roles.selinux rhel-system-roles.kdump rhel-system-roles.selinux
linux-system-roles.network linux-system-roles.storage rhel-system-roles.network rhel-system-roles.storage
linux-system-roles.postfix linux-system-roles.timesync rhel-system-roles.postfix rhel-system-roles.timesync
[root@server1 roles]# ansible-galaxy list
[root@server1 roles]# cd /mnt/ansible
[root@server1 ansible]# cat ansible.cfg
[defaults]
inventory = ./hosts
remote_user = westos
roles_path = /usr/share/ansible/roles ##更改角色路径
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[root@server1 ansible]# ansible-galaxy list
[root@server1 ansible]# cd /usr/share/ansible/roles/
[root@server1 roles]# cd rhel-system-roles.timesync
[root@server1 rhel-system-roles.timesync]# ls
COPYING defaults examples handlers library meta README.html README.md tasks templates tests vars
[root@server1 rhel-system-roles.timesync]# cd /usr/share/doc/rhel-system-roles/
[root@server1 rhel-system-roles]# ls
kdump network postfix selinux storage timesync
[root@server1 rhel-system-roles]# cd timesync/
[root@server1 timesync]# ls
COPYING example-timesync-playbook.yml example-timesync-pool-playbook.yml README.html README.md
[root@server1 timesync]# cp example-timesync-playbook.yml /mnt/ansible/
[root@server1 timesync]# cd /mnt/ansible/
[root@server1 ansible]# vim example-timesync-playbook.yml
---
- hosts: webserver
vars:
timesync_ntp_servers:
- hostname: 192.168.0.100
iburst: yes
roles:
- rhel-system-roles.timesync
[root@server1 ansible]# ansible-playbook example-timesync-playbook.yml
[root@foundation15 templates]# vim /etc/chrony.conf
# Allow NTP client access from local network.
allow 192.168/16
[root@foundation15 templates]# systemctl restart chronyd.service
[root@server4 conf.d]# cat /etc/chrony.conf ##在 server2、server3、server4 上均可查看
[root@server4 conf.d]# chronyc sources -v
4. selinux
通过角色改变selinux 值:rhel-system-roles.selinux
[root@server1 ~]# cd /usr/share/doc/rhel-system-roles/selinux
[root@server1 selinux]# ls
COPYING example-selinux-playbook.yml README.html README.md
[root@server1 selinux]# cp example-selinux-playbook.yml /mnt/ansible/
[root@server1 selinux]# cd /mnt/ansible/
[root@server4 conf.d]# cat /etc/sysconfig/selinux
[root@server4 conf.d]# getenforce
permissive
[root@server1 ansible]# vim selinux-playbook.yml
---
- hosts: server4
vars:
selinux_policy: targeted
selinux_state: enforcing
roles:
- rhel-system-roles.selinux
[root@server1 ansible]# ansible-playbook selinux-playbook.yml
[root@server4 conf.d]# getenforce
enforcing
permissive <----> enforcing 之间切换不需要重启；enforcing、permissive <----> disabled 之间切换需要重启
[root@server1 ansible]# cp example-selinux-playbook.yml selinux-playbook.yml
[root@server3 ~]# getenforce
Disabled
[root@server4 ~]# getenforce
enforcing
[root@server1 ansible]# vim selinux-playbook.yml
[root@server1 ansible]# ansible-playbook selinux-playbook.yml
[root@server3 ~]# Connection to 192.168.0.3 closed by remote host.
Connection to 192.168.0.3 closed.
[root@foundation Desktop]# ssh root@192.168.0.3
[root@server3 ~]# getenforce
enforcing
改变selinux端口、服务的bool值、内核安全上下文、文件存储目录
[root@server3 ~]# getsebool -a | grep samba_enable_home_dirs
samba_enable_home_dirs --> off
[root@server3 ~]# getsebool samba_enable_home_dirs
samba_enable_home_dirs --> off
[root@server3 ~]# ll -Zd /tmp/
drwxrwxrwt. 13 root root system_u:object_r:tmp_t:s0 4096 Jul 9 14:41 /tmp/
[root@server1 ansible]# vim selinux-playbook.yml
[root@server1 ansible]# ansible-playbook selinux-playbook.yml
[root@server3 ~]# getsebool -a | grep samba
[root@server3 ~]# cd /samba/
[root@server3 samba]# ll -Zd .
drwxr-xr-x. 2 root root unconfined_u:object_r:samba_share_t:s0 6 Jul 9 14:49 .
[root@server3 samba]# vim /etc/httpd/conf/httpd.conf
Listen 82
[root@server3 samba]# systemctl restart httpd
[root@server3 samba]# netstat -antlp
执行 playbook 前，httpd 的监听端口只能改为 80 或 8080。
5.自动添加磁盘
使用角色添加磁盘
rhel-system-roles.storage
server4 添加10G 虚拟磁盘
[root@server1 ansible]# cat hosts
[test]
server2
[prod]
server3
server4
[webserver:children]
test
prod
[lb]
server1
[root@server1 ansible]# cp /usr/share/doc/rhel-system-roles/storage/README.md storage.yml
[root@server1 ansible]# vim storage.yml
---
##hosts 文件与 yml 文件中的主机写法需一致：用 ip 则都用 ip，用名称则都用名称
- hosts: server4
roles:
- name: rhel-system-roles.storage
storage_pools:
- name: app
disks:
- vdb
volumes:
- name: shared
size: "5 GiB"
mount_point: "/mnt/app/shared"
fs_type: xfs
state: present
- name: users
size: "4.9 GiB"
mount_point: "/mnt/app/users"
fs_type: ext4
state: present
## state: absent 回收
[root@server1 ansible]# ansible-playbook storage.yml
[root@server1 ansible]# ansible-doc -l | grep vol ##支持各种卷
[root@server4 ~]# cat /etc/fstab
[root@server4 ~]# lvs
[root@server4 ~]# vgs
[root@server4 ~]# pvs
## state: absent 回收
[root@server4 ~]# vgremove app
[root@server4 ~]# pvremove /dev/vdb
用任务命令创建lv
[root@server1 ansible]# ansible-doc lvol
[root@server1 ansible]# ansible-doc mount
[root@server1 ansible]# vim lvs.yml
[root@server1 ansible]# ansible-playbook lvs.yml
[root@server1 ansible]# ansible server4 -m setup | less
搜索ansible_lvm
##absent 回收
[root@server4 ~]# lvremove /dev/demovg/demolv
[root@server4 ~]# vgremove demovg
[root@server4 ~]# pvremove /dev/vdb
第一次执行 state: mounted ##absent 回收
用任务命令进行设备分区
[root@server1 ansible]# cp lvs.yml parted.yml
[root@server1 ansible]# ansible-doc parted
[root@server1 ansible]# ansible-doc filesystem
/force
[root@server1 ansible]# vim parted.yml
[root@server1 ansible]# ansible-playbook parted.yml
[root@server1 ansible]# ansible server4 -m setup | less ##查看事实变量
/device