Roles are mainly used to organize playbook tasks in a hierarchical, structured way. Variable files, tasks, handlers and so on are loaded automatically according to that directory structure. They are mainly applied when building services and processes per host, and in scenarios where code reuse is high.
In a playbook a role is referenced with "roles: <role directory>". A role's directory tree does not have to be complete; add directories and files according to the functionality the role needs to implement.
| Name | Meaning |
|---|---|
| tasks | Must contain at least one main.yaml defining the role's task list; other task files can be pulled in with include |
| files | Files used by the copy or script modules |
| templates | Directory in which the template module looks for Jinja2 templates |
| handlers | Must contain a main.yaml defining the handlers used by this role |
| vars | Must contain a main.yaml defining the variables used by this role |
| meta | Must contain a main.yaml defining the special settings of this role |
Execution order within a play: pre_tasks > roles > tasks > post_tasks
```
[root@main roles]# tree .
.
├── ansible.cfg            # ansible configuration file
├── httpd                  # role directory
│   ├── handlers           # handlers
│   │   └── main.yaml
│   ├── tasks              # the tasks that are actually executed
│   │   ├── config.yaml    # configure httpd
│   │   ├── group.yaml     # create the httpd group
│   │   ├── install.yaml   # install httpd
│   │   ├── main.yaml      # imports all the other task files
│   │   ├── start.yaml     # start httpd
│   │   └── user.yaml      # create the httpd user
│   ├── templates          # files to deploy to the managed nodes
│   │   └── httpd.conf.j2
│   └── vars               # variables
│       └── main.yaml
├── httpd_roles.yaml       # the playbook that finally runs the role
└── myhosts                # inventory file
```
```
[root@main httpd]# cat vars/main.yaml   # parameters for the httpd service on the managed nodes
port: 8090
user: sulibao
group: sulibao

[root@main httpd]# cp httpd.conf /root/roles/httpd/templates/httpd.conf.j2
# copy the local httpd configuration file into the templates directory as a .j2 file
# any parameter that needs changing is rewritten in j2 variable syntax
[root@main httpd]# cat templates/httpd.conf.j2 | grep Listen;cat templates/httpd.conf.j2 | grep User;cat templates/httpd.conf.j2 | grep Group
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen "{{ port }}" #
# User/Group: The name (or #number) of the user/group to run httpd as.
User "{{ user }}" #
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
# User/Group: The name (or #number) of the user/group to run httpd as.
Group "{{ group }}" #

[root@main httpd]# cat tasks/user.yaml   # create the user
- name: create user
  user:
    name: "sulibao"
    uid: 1050
    system: yes
    shell: /sbin/nologin

[root@main httpd]# cat tasks/group.yaml   # create the group
- name: create group
  group:
    name: "sulibao"
    gid: 1050
    system: yes

[root@main httpd]# cat tasks/install.yaml   # install httpd
- name: install httpd
  yum:
    name: httpd
    state: present

[root@main httpd]# cat tasks/start.yaml   # start httpd
- name: start httpd
  service:
    name: httpd
    state: started
    enabled: yes

[root@main httpd]# cat tasks/config.yaml   # push the configuration file from templates to the managed nodes
- name: config httpd
  template:
    # an absolute src works but ties the role to this path; a bare "httpd.conf.j2"
    # is looked up in the role's own templates/ directory
    src: /root/roles/httpd/templates/httpd.conf.j2
    dest: /etc/httpd/conf/httpd.conf
  notify: restart httpd

[root@main httpd]# cat tasks/main.yaml   # pull in all the tasks
- import_tasks: user.yaml
- import_tasks: group.yaml
- import_tasks: install.yaml
- import_tasks: start.yaml
- import_tasks: config.yaml

[root@main httpd]# cat handlers/main.yaml
- name: restart httpd
  service:
    name: httpd
    state: restarted

[root@main roles]# cat httpd_roles.yaml
---
- hosts: servera
  roles:
    - role: httpd   # the httpd role directory

[root@main roles]# ansible-playbook httpd_roles.yaml

[root@main roles]# ansible servera -m shell -a 'ss -lntup | grep 8090'   # the port variable took effect
servera | CHANGED | rc=0 >>
tcp LISTEN 0 128 [::]:8090 [::]:* users:(("httpd",pid=2749,fd=4),("httpd",pid=2748,fd=4),("httpd",pid=2747,fd=4),("httpd",pid=2746,fd=4),("httpd",pid=2745,fd=4),("httpd",pid=2744,fd=4))

[root@main roles]# ansible servera -m shell -a 'ps u 2748'   # the process really runs as the user we specified
servera | CHANGED | rc=0 >>
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
sulibao 2748 0.0 0.0 250100 3572 ? S 14:09 0:00 /usr/sbin/httpd -DFOREGROUND

[root@main roles]# ansible servera -m shell -a 'echo hello > /var/www/html/index.html'
servera | CHANGED | rc=0 >>

[root@main roles]# ansible servera -m shell -a 'curl localhost:8090'   # the site is reachable
servera | CHANGED | rc=0 >>
hello
```
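The manual verification above (checking `ss -lntup` and `ps u` by eye) can be turned into a repeatable check. The following is an added example, not code from the original post: it parses the two outputs and confirms that httpd listens on the `port` variable and that its listening workers run as the `user` variable rather than root. The sample output is constructed from the lines shown above, and the function names are assumptions.

```python
import re

# Constructed sample output modelled on the 'ss -lntup' and 'ps u' results above
# (one root parent plus workers running as the role's user); not captured from a real host.
SS_SAMPLE = ('tcp LISTEN 0 128 [::]:8090 [::]:* users:(("httpd",pid=2749,fd=4),'
             '("httpd",pid=2748,fd=4),("httpd",pid=2744,fd=4))\n')
PS_SAMPLE = ("USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\n"
             "root 2744 0.0 0.0 250100 3572 ? S 14:09 0:00 /usr/sbin/httpd -DFOREGROUND\n"
             "sulibao 2748 0.0 0.0 250100 3572 ? S 14:09 0:00 /usr/sbin/httpd -DFOREGROUND\n"
             "sulibao 2749 0.0 0.0 250100 3572 ? S 14:09 0:00 /usr/sbin/httpd -DFOREGROUND\n")

LISTEN_RE = re.compile(r"^\S+\s+LISTEN\s+\S+\s+\S+\s+\S+:(?P<port>\d+)\s+\S+\s+users:\((?P<users>.*)\)\s*$")
PID_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

def listening_pids(ss_output, port, proc="httpd"):
    """PIDs of `proc` holding a LISTEN socket on `port`, parsed from 'ss -lntup' output."""
    pids = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            pids.update(int(p.group("pid")) for p in PID_RE.finditer(m.group("users"))
                        if p.group("name") == proc)
    return pids

def process_owners(ps_output):
    """Map PID -> owning user from 'ps u' style output (header line skipped)."""
    owners = {}
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            owners[int(fields[1])] = fields[0]
    return owners

def verify_httpd(ss_output, ps_output, port, user, proc="httpd"):
    """Return findings; an empty list means the port and User/Group settings took effect."""
    pids = listening_pids(ss_output, port, proc)
    if not pids:
        return [f"no {proc} process is listening on port {port}"]
    owners = process_owners(ps_output)
    by_user = {}
    for pid in sorted(pids):
        by_user.setdefault(owners.get(pid, "?"), []).append(pid)
    findings = []
    if user not in by_user:  # the User directive was ignored or the template was not applied
        findings.append(f"no listening {proc} worker runs as {user} (seen: {sorted(by_user)})")
    for owner, owned in by_user.items():
        if owner not in (user, "root"):  # root is only expected for the parent process
            findings.append(f"unexpected owner {owner} for pids {owned}")
    return findings
```

Feed it the raw output of the two ad-hoc commands (for example captured with `ansible ... -m shell` and `register`) and treat any non-empty result as a failed deployment.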
ansible-galaxy is based on an online public content repository in which you can search for the roles you need; it makes it easy to obtain roles from the website and from git repositories.
The site is sometimes reachable and sometimes not; once a role has been found, copy the command it shows to download it.

```
[root@main roles]# cat ansible.cfg | grep role
roles_path=/root/roles/myroles
```
(1) Default: install online from the website
```
[root@main playkongzhi]# ansible-galaxy install <role name>
```
(2) Install from a file; the file must be in YAML format
```
[root@main playkongzhi]# ansible-galaxy install -r <requirements file> -p <install path>
```
(1) Initialize a role skeleton
```
[root@main playkongzhi]# ansible-galaxy init <role name>
```
(2) List the installed roles
```
[root@main playkongzhi]# ansible-galaxy list
```
(3) Remove an installed role
```
[root@main playkongzhi]# ansible-galaxy remove <role name>
```
(4) Search for roles
The results can be narrowed with options such as "--author", "--platform" and "--galaxy-tags".
```
[root@main playkongzhi]# ansible-galaxy search <role name> <options>
```
Note:
The roles are installed to /usr/share/ansible/roles by default.
Their documentation (including examples) is located in /usr/share/doc/rhel-system-roles-1.21.2.
```
[root@main roles]# yum list | grep roles
rhel-system-roles.noarch 1.21.2-1.el7_9 extras
[root@main roles]# yum install -y rhel-system-roles.noarch
```
After the existing roles directory in roles_path, append ":" followed by the path of the installed system roles directory; the available roles then show up in the list. If they are no longer needed, simply change the path back.
```
[root@main roles]# cat ansible.cfg | grep role
roles_path=/root/roles/myroles:/usr/share/ansible/roles

[root@main roles]# ansible-galaxy list
# /root/roles/myroles
# /usr/share/ansible/roles
- linux-system-roles.ad_integration, (unknown version)
- linux-system-roles.certificate, (unknown version)
- linux-system-roles.cockpit, (unknown version)
- linux-system-roles.crypto_policies, (unknown version)
- linux-system-roles.firewall, (unknown version)
- linux-system-roles.ha_cluster, (unknown version)
- linux-system-roles.journald, (unknown version)
- linux-system-roles.kdump, (unknown version)
- linux-system-roles.kernel_settings, (unknown version)
- linux-system-roles.logging, (unknown version)
- linux-system-roles.metrics, (unknown version)
- linux-system-roles.nbde_client, (unknown version)
- linux-system-roles.nbde_server, (unknown version)
- linux-system-roles.network, (unknown version)
- linux-system-roles.podman, (unknown version)
- linux-system-roles.postfix, (unknown version)
- linux-system-roles.rhc, (unknown version)
- linux-system-roles.selinux, (unknown version)
- linux-system-roles.ssh, (unknown version)
- linux-system-roles.sshd, (unknown version)
- linux-system-roles.storage, (unknown version)
- linux-system-roles.timesync, (unknown version)
- linux-system-roles.tlog, (unknown version)
- linux-system-roles.vpn, (unknown version)
- rhel-system-roles.ad_integration, (unknown version)
- rhel-system-roles.certificate, (unknown version)
- rhel-system-roles.cockpit, (unknown version)
- rhel-system-roles.crypto_policies, (unknown version)
- rhel-system-roles.firewall, (unknown version)
- rhel-system-roles.ha_cluster, (unknown version)
- rhel-system-roles.journald, (unknown version)
- rhel-system-roles.kdump, (unknown version)
- rhel-system-roles.kernel_settings, (unknown version)
- rhel-system-roles.logging, (unknown version)
- rhel-system-roles.metrics, (unknown version)
- rhel-system-roles.nbde_client, (unknown version)
- rhel-system-roles.nbde_server, (unknown version)
- rhel-system-roles.network, (unknown version)
- rhel-system-roles.podman, (unknown version)
- rhel-system-roles.postfix, (unknown version)
- rhel-system-roles.rhc, (unknown version)
- rhel-system-roles.selinux, (unknown version)
- rhel-system-roles.ssh, (unknown version)
- rhel-system-roles.sshd, (unknown version)
- rhel-system-roles.storage, (unknown version)
- rhel-system-roles.timesync, (unknown version)
- rhel-system-roles.tlog, (unknown version)
- rhel-system-roles.vpn, (unknown version)
```
| Name | Function |
|---|---|
| rhel-system-roles.timesync | Configures time synchronization using the Network Time Protocol |
| rhel-system-roles.selinux | Configures SELinux mode, file and port contexts, users, etc. |
| rhel-system-roles.network | Configures network interfaces |
| rhel-system-roles.kdump | Configures the kdump crash recovery service |
| rhel-system-roles.postfix | Configures a mail transfer agent using postfix |
| rhel-system-roles.firewall | Configures the firewall |
In fact, the example files already provide complete templates; just change the parameters in them to match your own needs.
```
[root@main roles]# cat /usr/share/doc/rhel-system-roles-1.21.2/timesync/example-multiple-ntp-servers-playbook.yml
---
- name: Example with multiple servers
  hosts: "{{ targets }}"   # change to the hosts you manage
  vars:
    timesync_ntp_servers:
      - hostname: 0.pool.ntp.org   # hostname is the NTP server to synchronize with
        iburst: true
      - hostname: 1.pool.ntp.org
        iburst: true
      - hostname: 2.pool.ntp.org
        iburst: true
      - hostname: 3.pool.ntp.org
        iburst: true
  roles:
    - rhel-system-roles.timesync

# copy the template file over and rename it
[root@main roles]# cp /usr/share/doc/rhel-system-roles-1.21.2/timesync/example-multiple-ntp-servers-playbook.yml timesync.yaml
[root@main roles]# cat timesync.yaml
---
- name: Example with multiple servers
  hosts: servera   # hosts changed
  vars:
    timesync_ntp_servers:
      - hostname: 0.pool.ntp.org   # the NTP servers from the template are fine to use
        iburst: true   # boolean: enable or disable fast initial synchronization; default no, usually set to yes
      - hostname: 1.pool.ntp.org
        iburst: true
      - hostname: 2.pool.ntp.org
        iburst: true
      - hostname: 3.pool.ntp.org
        iburst: true
  roles:
    - rhel-system-roles.timesync

[root@main roles]# ansible servera -m shell -a 'head /etc/chrony.conf'
# check whether the role was applied successfully
servera | CHANGED | rc=0 >>
#
# Ansible managed
#
# system_role:timesync


server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst


[root@main roles]# ansible servera -m shell -a 'chronyc sources'
servera | CHANGED | rc=0 >>
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ electrode.felixc.at 2 6 37 96 +49ms[+8671us] +/- 140ms
^- ntp5.flashdance.cx 2 6 75 34 +48ms[ +48ms] +/- 149ms
^* makaki.miuku.net 3 6 77 35 -29ms[ -69ms] +/- 128ms
# on the first test this source was usable, success
^- a.chl.la 2 6 75 35 +48ms[ +48ms] +/- 139ms
```
After the SELinux changes a reboot is required.
```
[root@main roles]# cp /usr/share/doc/rhel-system-roles-1.21.2/selinux/example-selinux-playbook.yml selinux.yaml
[root@main roles]# vim selinux.yaml
[root@main roles]# cat selinux.yaml
---
- name: Manage SELinux policy example
  hosts: all
  vars:
    # Use "targeted" SELinux policy type
    selinux_policy: targeted
    # Set "enforcing" mode
    selinux_state: enforcing   # the template sets enforcing by default
    # Switch some SELinux booleans
    selinux_booleans:
      # Set the 'samba_enable_home_dirs' boolean to 'on' in the current
      # session only
      - {name: 'samba_enable_home_dirs', state: 'on'}
      # Set the 'ssh_sysadm_login' boolean to 'on' permanently
      - {name: 'ssh_sysadm_login', state: 'on', persistent: 'yes'}
    # Map '/tmp/test_dir' and its subdirectories to the 'user_home_dir_t'
    # SELinux file type
    selinux_fcontexts:
      - {target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd'}
    # Restore SELinux file contexts in '/tmp/test_dir'
    selinux_restore_dirs:
      - /tmp/test_dir
    # Map tcp port 22100 to the 'ssh_port_t' SELinux port type
    selinux_ports:
      - {ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present'}
    # Map the 'sar-user' Linux user to the 'staff_u' SELinux user
    selinux_logins:
      - {login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023',
         state: 'present'}
    # Manage modules
    selinux_modules:
      # Install the 'localpolicy.cil' with priority 300
      - {path: "localpolicy.cil", priority: "300", state: "enabled"}
      # Disable the 'unconfineduser' module with priority 100
      - {name: "unconfineduser", priority: "100", state: "disabled"}
      # Remove the 'temporarypolicy' module with priority 400
      - {name: "temporarypolicy", priority: "400", state: "absent"}

  # Prepare the prerequisites required for this playbook
  tasks:
    - name: Creates directory
      file:
        path: /tmp/test_dir
        state: directory
        mode: "0755"
    - name: Add a Linux System Roles SELinux User
      user:
        comment: Linux System Roles SELinux User
        name: sar-user
    - name: Execute the role and catch errors
      block:
        - name: Include selinux role
          include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        - name: Handle errors
          fail:
            msg: "role failed"
          when: not selinux_reboot_required

        - name: Restart managed host
          reboot:

        - name: Wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300

        - name: Reapply the role
          include_role:
            name: rhel-system-roles.selinux
```