
Creating and using roles

The httpd package is installed and enabled to start at system boot

The firewall is enabled and running, with a rule that allows access to the web server

Welcome to HOSTNAME on IPADDRESS

where HOSTNAME is the fully qualified domain name of the managed node and IPADDRESS is the IP address of the managed node.

Create a playbook named /home/greg/ansible/apache.yml:

The play runs on the hosts in the webservers host group and uses the apache role

[greg@control ansible]$ ansible-galaxy role init apache --init-path roles/
- Role apache was created successfully
[greg@control ansible]$ vim roles/apache/tasks/main.yml
---
- name: Install the Apache
  yum:
    name: httpd
    state: present
- name: Start service httpd, if not started
  service:
    name: httpd
    state: started
    enabled: yes
- name: Start service firewalld, if not started
  service:
    name: firewalld
    state: started
    enabled: yes
- firewalld:
    service: http
    permanent: yes
    immediate: yes
    state: enabled
- name: Template a file to /var/www/html/index.html
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
[greg@control ansible]$ ansible all -m setup > facts.yml
[greg@control ansible]$ vim roles/apache/templates/index.html.j2
Welcome to {{ ansible_facts['fqdn'] }} on {{ ansible_facts['default_ipv4']['address'] }}
[greg@control ansible]$ vim /home/greg/ansible/apache.yml
---
- name: 创建和使用角色
  hosts: webservers
  roles:
    - apache
[greg@control ansible]$ ansible-playbook apache.yml
[greg@control ansible]$ curl node3
Welcome to node3.lab.example.com on 172.25.250.11
[greg@control ansible]$ curl node4
Welcome to node4.lab.example.com on 172.25.250.12

Installing roles with Ansible Galaxy

Use Ansible Galaxy with the requirements file /home/greg/ansible/roles/requirements.yml to download the roles from the following URLs and install them into /home/greg/ansible/roles:

http://materials/haproxy.tar, the role should be named balancer

http://materials/phpinfo.tar, the role should be named phpinfo

[greg@control ansible]$ mkdir /home/greg/ansible/roles
[greg@control ansible]$ vim /home/greg/ansible/roles/requirements.yml
---
- name: balancer
  src: http://materials/haproxy.tar
- name: phpinfo
  src: http://materials/phpinfo.tar
[greg@control ansible]$ ansible-galaxy role install -p /home/greg/ansible/roles -r /home/greg/ansible/roles/requirements.yml
- downloading role from http://materials/haproxy.tar
- extracting balancer to /home/greg/ansible/roles/balancer
- balancer was installed successfully
- downloading role from http://materials/phpinfo.tar
- extracting phpinfo to /home/greg/ansible/roles/phpinfo
- phpinfo was installed successfully
[greg@control ansible]$ ansible-galaxy role list
# /etc/ansible/roles
# /home/greg/ansible/roles
- balancer, (unknown version)
- phpinfo, (unknown version)
...
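Added example, not part of the original notes and not Ansible's own tooling: the requirements file above pulls role tarballs over plain http:// and ansible-galaxy lists them as "(unknown version)", so nothing ties what got installed to what was reviewed. The script below checks a locally downloaded tarball against a pinned SHA-256 and rejects archive members that would land outside the role directory, before the file is handed to ansible-galaxy role install. The tarballs, the checksum manifest and the "evil" archive are constructed inside the script; the download step itself (for example curl -o haproxy.tar http://materials/haproxy.tar) is assumed.

```python
"""Pre-install checks for role tarballs listed in requirements.yml.

Added example, not part of the original notes. A manifest mapping role
name -> expected SHA-256 would normally be committed next to
requirements.yml; here it is constructed from a locally built tarball.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def unsafe_members(tar_path):
    """Names of members that are absolute, contain '..', or are links
    whose target points outside the archive root."""
    bad = []
    with tarfile.open(tar_path) as tf:
        for m in tf.getmembers():
            parts = m.name.replace("\\", "/").split("/")
            if m.name.startswith("/") or ".." in parts:
                bad.append(m.name)
            elif m.issym() or m.islnk():
                target = m.linkname
                if target.startswith("/") or ".." in target.split("/"):
                    bad.append(m.name)
    return bad


def verify_role_tarball(role_name, tar_path, pinned):
    """Return (ok, reason). Only a tarball that matches its pinned
    checksum and has no escaping members should be installed."""
    expected = pinned.get(role_name)
    if not expected:
        return False, "no pinned checksum for role %s" % role_name
    actual = sha256_file(tar_path)
    if actual != expected:
        return False, "checksum mismatch: expected %s got %s" % (expected, actual)
    bad = unsafe_members(tar_path)
    if bad:
        return False, "unsafe archive members: %s" % ", ".join(bad)
    return True, "ok"


def build_tar(path, members):
    """Demo helper: write an uncompressed tar from {member name: bytes}."""
    with tarfile.open(path, "w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def demo():
    """Constructed scenario: a clean haproxy.tar, a tampered archive that
    tries to write outside the roles directory, and an unpinned role."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "haproxy.tar")
    build_tar(good, {"haproxy/tasks/main.yml": b"---\n- name: noop\n  debug:\n    msg: hi\n"})
    evil = os.path.join(d, "evil.tar")
    build_tar(evil, {"../../etc/ansible/ansible.cfg": b"[defaults]\n"})
    pinned = {"balancer": sha256_file(good)}  # constructed manifest
    return {
        "good": verify_role_tarball("balancer", good, pinned),
        "tampered": verify_role_tarball("balancer", evil, pinned),
        "unpinned": verify_role_tarball("phpinfo", good, pinned),
        "traversal": unsafe_members(evil),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The checksum comparison runs first, so a swapped tarball is rejected before its contents are even inspected; the member check is the second line of defence for the case where a checksum was pinned against an archive nobody looked inside.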

Using RHEL system roles

Install the RHEL system roles package and create a playbook /home/greg/ansible/timesync.yml that meets the following requirements:

Runs on all managed nodes

Uses the timesync role

Configures the role to use the currently active NTP provider

Configures the role to use the time server 172.25.254.254

Configures the role to enable the iburst parameter

[greg@control ansible]$ cat /usr/share/doc/rhel-system-roles/timesync/example-timesync-playbook.yml
[greg@control ansible]$ vim /home/greg/ansible/timesync.yml
---
- name: 使用 RHEL 系统角色(OLD)
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes
  roles:
    - rhel-system-roles.timesync
[greg@control ansible]$ ansible-playbook timesync.yml
[greg@control ansible]$ ansible all -a 'chronyc sources -v'
node5 | CHANGED | rc=0 >>
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* classroom.example.com         8   6    17     4    -82us[ -184us] +/-  751us
...

Using RHEL system roles

Install the RHEL system roles package and create a playbook /home/greg/ansible/selinux.yml that meets the following requirements:

Runs on all managed nodes

Uses the selinux role

Configures the role so that SELinux on the managed nodes is set to enforcing

[greg@control ansible]$ yum search rhel
...
rhel-system-roles.noarch : Set of interfaces for unified system management
[greg@control ansible]$ sudo yum install -y rhel-system-roles.noarch
...
Installed:
  rhel-system-roles-1.0.1-1.el8.noarch
[greg@control ansible]$ rpm -ql rhel-system-roles
...
/usr/share/ansible/roles
...
[greg@control ansible]$ vim ansible.cfg
...
# additional paths to search for roles in, colon separated
roles_path = /etc/ansible/roles:/home/greg/ansible/roles:/usr/share/ansible/roles
...
[greg@control ansible]$ cat /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml
[greg@control ansible]$ vim /home/greg/ansible/selinux.yml
---
- name: 使用 RHEL 系统角色(NEW)
  hosts: all
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  tasks:
    - name: execute the role and catch errors
      block:
        - include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        - name: handle errors
          fail:
            msg: "role failed"
          when: not selinux_reboot_required
        - name: restart managed host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true
        - name: wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300
        - name: reapply the role
          include_role:
            name: rhel-system-roles.selinux
[greg@control ansible]$ ansible-playbook selinux.yml
[greg@control ansible]$ ansible all -a 'getenforce'
node3 | CHANGED | rc=0 >>
Enforcing
node4 | CHANGED | rc=0 >>
Enforcing
node2 | CHANGED | rc=0 >>
Enforcing
node5 | CHANGED | rc=0 >>
Enforcing
node1 | CHANGED | rc=0 >>
Enforcing
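Added example, not part of the original notes, covering the verification step of both the timesync and the selinux sections above. Both sections end with an ad-hoc command (chronyc sources -v, getenforce) whose output is read by eye; the script below parses the ad-hoc output format shown on the page (host | STATUS | rc=N >> followed by the command output, or host | UNREACHABLE! => {...} for a node Ansible could not reach) and turns it into a per-host report: is every node actually synced to an allowed time source, and does every node report Enforcing. The two sample outputs are constructed; the allowed source names are passed in by the caller because, as the page shows, chrony lists the configured 172.25.254.254 under its resolved name classroom.example.com.

```python
"""Turn `ansible all -a '...'` output into a per-host pass/fail report.

Added example for the timesync and selinux sections, not part of the
original notes. The sample outputs are constructed.
"""
import re

HOST_HEADER = re.compile(r"^(\S+) \| (\w+) \| rc=(\d+) >>$")
UNREACHABLE = re.compile(r"^(\S+) \| UNREACHABLE! =>")

# Constructed sample: node5 is synced to the lab server, node1 cannot
# reach its configured source, so chrony is not synced there.
CHRONY_OUTPUT = """\
node5 | CHANGED | rc=0 >>
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* classroom.example.com         8   6    17     4    -82us[ -184us] +/-  751us
node1 | CHANGED | rc=0 >>
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 172.25.254.254                0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# Constructed sample: one node left in permissive mode, one unreachable.
SELINUX_OUTPUT = """\
node3 | CHANGED | rc=0 >>
Enforcing
node4 | CHANGED | rc=0 >>
Permissive
node2 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh",
    "unreachable": true
}
"""


def parse_adhoc_output(text):
    """Split ad-hoc output into {host: {"status", "rc", "lines"}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_HEADER.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"status": m.group(2), "rc": int(m.group(3)), "lines": []}
            continue
        m = UNREACHABLE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"status": "UNREACHABLE", "rc": None, "lines": []}
            continue
        if current is not None:
            hosts[current]["lines"].append(line)
    return hosts


def chrony_synced_source(lines):
    """Name of the source marked '*' (currently synced) in chronyc sources, or None.
    Column 1 is the mode (^ = # ), column 2 the state; '*' means synced."""
    for line in lines:
        if len(line) > 2 and line[0] in "^=#" and line[1] == "*":
            return line[2:].split()[0]
    return None


def check_time_sync(text, allowed_sources):
    """Per host: 'ok' when synced to an allowed source, otherwise the reason."""
    report = {}
    for host, info in parse_adhoc_output(text).items():
        if info["status"] == "UNREACHABLE":
            report[host] = "unreachable"
        elif info["rc"] != 0:
            report[host] = "command failed rc=%d" % info["rc"]
        else:
            src = chrony_synced_source(info["lines"])
            if src is None:
                report[host] = "not synced"
            elif src not in allowed_sources:
                report[host] = "synced to unexpected source %s" % src
            else:
                report[host] = "ok"
    return report


def check_enforcing(text):
    """Per host: 'ok' only when getenforce printed exactly 'Enforcing'."""
    report = {}
    for host, info in parse_adhoc_output(text).items():
        if info["status"] == "UNREACHABLE":
            report[host] = "unreachable"
            continue
        out = [l.strip() for l in info["lines"] if l.strip()]
        if info["rc"] == 0 and out == ["Enforcing"]:
            report[host] = "ok"
        else:
            report[host] = "not enforcing: %s" % " ".join(out)
    return report


if __name__ == "__main__":
    print(check_time_sync(CHRONY_OUTPUT, {"172.25.254.254", "classroom.example.com"}))
    print(check_enforcing(SELINUX_OUTPUT))
```

An unreachable node is reported separately from a failing one on purpose: a host that cannot be reached has not been verified at all, and treating it as "not in the output" would silently pass it.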

Installing packages

Create a playbook named /home/greg/ansible/packages.yml:

Installs the php and mariadb packages on the hosts in the dev, test and prod host groups

Installs the RPM Development Tools package group on the hosts in the dev host group

Updates all packages on the hosts in the dev host group to the latest version

[greg@control ansible]$ vim /home/greg/ansible/packages.yml
---
- name: 安装软件包_1
  hosts: dev,test,prod
  tasks:
    - name: ensure a list of packages installed
      yum:
        name: "{{ packages }}"
        state: present
  vars:
    packages:
      - php
      - mariadb
- name: 安装软件包_2
  hosts: dev
  tasks:
    - name: install the 'RPM Development Tools' package group
      yum:
        name: "@RPM Development Tools"
        state: present
    - name: upgrade all packages
      yum:
        name: '*'
        state: latest
[greg@control ansible]$ ansible-playbook packages.yml
...
PLAY RECAP *********************************************************************
node1                      : ok=5    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node2                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node3                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node4                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
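Added example, not part of the original notes: the PLAY RECAP above is the only summary ansible-playbook prints, and when playbooks like these run from a scheduler nobody reads it. The script below parses the recap into per-host counters and flags hosts with failed or unreachable greater than zero, hosts whose rescued counter is non-zero (for selinux.yml above that means the rescue branch, the reboot path, actually ran), and hosts that were expected but never appear in the recap. The sample recap repeats the four lines from the page and adds a constructed fifth host with a failure; the expected-hosts list is an assumption standing in for the inventory.

```python
"""Gate on the PLAY RECAP block of ansible-playbook output.

Added example, not part of the original notes. The sample recap is the
one from the page plus a constructed host (node6) whose play failed.
"""
import re

RECAP_LINE = re.compile(r"^(\S+)\s*:\s*(.*)$")

SAMPLE_RECAP = """\
PLAY RECAP *********************************************************************
node1                      : ok=5    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node2                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node3                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node4                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
node6                      : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
"""


def parse_play_recap(output):
    """Return {host: {counter: int}} for the lines after 'PLAY RECAP'."""
    stats = {}
    in_recap = False
    for line in output.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if not in_recap or not line.strip():
            continue
        m = RECAP_LINE.match(line)
        if not m:
            continue
        host, rest = m.groups()
        counters = {}
        for token in rest.split():
            key, _, value = token.partition("=")
            if value.isdigit():
                counters[key] = int(value)
        if counters:
            stats[host] = counters
    return stats


def hosts_needing_attention(stats, expected_hosts=()):
    """failed/unreachable are hard failures; rescued > 0 means a rescue
    branch ran and deserves a look; a host absent from the recap was not
    targeted at all (typo in the host pattern, missing from inventory)."""
    attention = {}
    for host, counters in stats.items():
        flags = [k for k in ("failed", "unreachable", "rescued") if counters.get(k, 0) > 0]
        if flags:
            attention[host] = flags
    for host in expected_hosts:
        if host not in stats:
            attention[host] = ["missing from recap"]
    return attention


if __name__ == "__main__":
    recap = parse_play_recap(SAMPLE_RECAP)
    # Assumed inventory for the demo; node5 is deliberately not in the recap.
    print(hosts_needing_attention(recap, ["node1", "node2", "node3", "node4", "node5"]))
```

Checking for missing hosts matters as much as checking for failed ones: a play with hosts: dev,test,prod that quietly matches fewer nodes than intended still produces an all-green recap.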