ansible那点事——playbook范例
一、playbook范例
1、通过register获取返回结果,使用debug多种方式打印回显信息
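---
# Example 1: capture a command's result with `register` and print it with
# `debug` in several ways (whole result, stdout, stdout_lines, var=).
- hosts: node-2
  # `remote_user` is the current name of the play-level `user` keyword
  remote_user: root
  tasks:
    - name: test shell command
      # `shell` (not `command`) because a pipeline is used. Note that
      # `grep java` also matches its own grep process, so the list is never
      # empty; pgrep would avoid that.
      shell: ps -ef | grep java
      register: result
      # A read-only listing should not be reported as a change.
      changed_when: false

    - name: print msg1
      debug:
        msg: "{{ result }}"

    - name: print msg2
      debug:
        msg: "{{ result.stdout }}"

    - name: print msg3
      debug:
        msg: "{{ result.stdout_lines }}"

    - name: print msg4
      debug:
        var: result.stdout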
2、playbook搭建mysql主从复制(yum方式)
整个role目录结构:
roles
├── mysql
│ ├── files
│ ├── handlers
│ │ └── main.yaml
│ ├── tasks
│ │ └── main.yaml
│ ├── templates
│ │ ├── my1.cnf.j2
│ │ ├── my2.cnf.j2
│ │ └── pass.sh
│ └── vars
│ └── main.yaml
└── site.yaml
- 编写roles/mysql/tasks/main.yaml
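---
# roles/mysql/tasks/main.yaml
# Installs mysql-community-server on node-2 (master) and node-3 (slave) and
# wires up replication. The `123` / `liang` credentials are literal values
# copied from the original; keep real ones in a vaulted vars file.
- name: yum.repo
  copy:
    src: /etc/yum.repos.d/mysql.repo
    dest: /etc/yum.repos.d/mysql.repo
  tags: yum_copy

- name: install mysql
  # yum module instead of `shell: yum install -y`: idempotent, and reports
  # "changed" only when the package is actually installed.
  yum:
    name: mysql-community-server
    state: present

- name: run mysql
  service:
    name: mysqld
    state: started
    enabled: true

- name: copy conf
  template:
    src: /etc/ansible/mysql/roles/mysql/templates/my1.cnf.j2
    dest: /etc/my.cnf
  notify: restart mysql
  when: ansible_hostname == "node-2"

- name: cp conf
  template:
    src: /etc/ansible/mysql/roles/mysql/templates/my2.cnf.j2
    dest: /etc/my.cnf
  notify: restart mysql
  when: ansible_hostname == "node-3"

- name: change pass
  # The script contains the new root password, so keep it readable by root only.
  template:
    src: /etc/ansible/mysql/roles/mysql/templates/pass.sh
    dest: /root/pass.sh
    mode: "0600"

- name: exec pass
  # Not idempotent: the temporary password is consumed on the first run, so a
  # second run of this task fails inside the script.
  shell: bash /root/pass.sh
  tags: pass

- name: grant
  # NOTE(review): the replication account is granted from any host ('%') and
  # the passwords are passed on the command line, where they are visible in
  # the process list; restrict the host and move the secrets into vaulted vars.
  shell: mysql -uroot -p'123' -e "grant replication slave on *.* to 'liang'@'%' identified by '123';"
  when: ansible_hostname == "node-2"

# The original had two `shell:` keys in one task; YAML keeps only the last one,
# so `change master to ...` was silently dropped. One statement per task.
- name: slave configure
  shell: mysql -uroot -p'123' -e "change master to master_host='node-2',master_user='liang',master_password='123';"
  when: ansible_hostname == "node-3"

- name: start slave
  shell: mysql -uroot -p'123' -e "start slave;"
  when: ansible_hostname == "node-3"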
- 编写roles/mysql/handlers/main.yaml
---
# roles/mysql/handlers/main.yaml
# Triggered by the two template tasks via `notify: restart mysql`.
- name: restart mysql
  service:
    name: mysqld
    state: restarted
- 编写roles/mysql/templates
# Seed both templates from the current /etc/my.cnf; the master/slave-specific
# settings (not shown on this page) are then edited into each copy by hand.
cp /etc/my.cnf /etc/ansible/mysql/roles/mysql/templates/my1.cnf.j2
cp /etc/my.cnf /etc/ansible/mysql/roles/mysql/templates/my2.cnf.j2
# Show what the role's templates directory now holds.
ls templates/
my1.cnf.j2 my2.cnf.j2 pass.sh
cat pass.sh
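#!/bin/bash
# pass.sh: set the MySQL root password on a fresh mysql-community-server
# install, using the temporary password that mysqld wrote to its log.
# The new password "123" is the literal placeholder from the original.
set -eu

# Kept from the original: these stop the host firewall and switch SELinux to
# permissive for the whole host. Neither is needed for the password change
# and both weaken the host; drop them if those policies are managed elsewhere.
systemctl stop firewalld && setenforce 0 && systemctl restart mysqld

# Last match only: the log holds one line per mysqld initialisation.
pass=$(grep 'temporary password' /var/log/mysqld.log | tail -n 1 | awk '{print $NF}')
if [ -z "$pass" ]; then
  echo "no temporary password found in /var/log/mysqld.log" >&2
  exit 1
fi

# Hand the old password over via the environment instead of -p"..." so it does
# not appear in the process list.
MYSQL_PWD="$pass" mysqladmin -uroot password "123"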
- 编写roles/site.yaml
---
# site.yaml: apply the mysql role to both replication nodes.
- name: MySQL master/slave setup
  hosts: node-2,node-3
  roles:
    - mysql
- 执行playbook
# Run from the directory that holds site.yaml; Ansible looks for the `mysql`
# role relative to the playbook file.
ansible-playbook site.yaml
3、playbook初始化centos7系统
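- name: Set 8 for minimum password length  # minimum password length of 8
  # authconfig regenerates /etc/pam.d/system-auth-ac and password-auth-ac on
  # every --update, so these tasks always report "changed", and any later
  # authconfig run overwrites manual edits to those files (such as the
  # remember= edit further down). `command` rather than `shell`: no shell
  # features are used.
  command: authconfig --passminlen=8 --update

- name: Set 4 for maximum number of allowed consecutive characters of the same class
  command: authconfig --passmaxclassrepeat=4 --update

- name: Require at least one lowercase letter in passwords
  command: authconfig --enablereqlower --update

- name: Require at least one uppercase letter in passwords
  command: authconfig --enablerequpper --update

- name: Require at least one digit in passwords
  command: authconfig --enablereqdigit --update

- name: Require at least one special character in passwords
  command: authconfig --enablereqother --update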
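- name: Setting the password rules  # pwquality options
  # regexp keyed on the option name, so a re-run updates an existing value
  # instead of appending a duplicate line.
  lineinfile:
    dest: /etc/security/pwquality.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  with_items:
    # maxsequence: longest monotonic run (e.g. 1234, dcba) allowed
    - { regexp: '^\s*maxsequence\s*=', line: 'maxsequence = 4' }
    # difok: characters of the new password that must not be in the old one
    - { regexp: '^\s*difok\s*=', line: 'difok = 6' }

- name: Setting the password duplication strategy  # new password must differ from the last one
  # Fields are matched with \s+ because authconfig writes them separated by
  # runs of spaces, which the original single-space pattern never matched;
  # with backrefs: true an unmatched pattern writes nothing. follow: true
  # edits system-auth-ac through the symlink instead of replacing the link.
  # NOTE(review): any later `authconfig --update` regenerates that file and
  # drops this edit.
  lineinfile:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: '^password\s+sufficient\s+pam_unix\.so\s+sha512\s+shadow\s+nullok\s+try_first_pass\s+use_authtok\s*$'
    line: 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=1'
    backrefs: true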
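- name: Setting the login policy  # lock after 6 failed ssh logins: 600 s for users, 60 s for root
  # The original combined regexp: '#%PAM-1.0' with backrefs: true, which
  # *replaces* the matched header line instead of inserting after it
  # (insertafter is ignored when regexp matches). Match the pam_tally2 line
  # itself so re-runs update it in place, and insert after the header on the
  # first run. NOTE(review): pam_tally2 documents a matching `account` entry
  # to reset the counter on success; confirm lock-out behaviour on a test host.
  lineinfile:
    dest: /etc/pam.d/sshd
    regexp: '^auth\s+required\s+pam_tally2\.so'
    line: 'auth required pam_tally2.so deny=6 unlock_time=600 even_deny_root root_unlock_time=60'
    insertafter: '^#%PAM-1\.0'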
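- name: Setting up a common user Su  # only wheel members may su
  # The shipped /etc/pam.d/su separates the fields with tabs, so the original
  # single-space regexp never matched and the line was appended at the end of
  # the file. \s+ matches either, and the optional `#` also matches an already
  # uncommented line, which keeps the task idempotent.
  lineinfile:
    dest: /etc/pam.d/su
    regexp: '^#?auth\s+required\s+pam_wheel\.so\s+use_uid'
    line: 'auth required pam_wheel.so use_uid'

- name: Set wheel group users free of sudo  # passwordless sudo for wheel
  # validate runs visudo on the candidate file before it replaces sudoers; a
  # malformed sudoers otherwise locks every user out of sudo.
  # NOTE(review): NOPASSWD: ALL gives every wheel member root without any
  # credential check; pair it with the ssh hardening below deliberately.
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'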
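# NOTE(review): the SHA-512 hashes below are committed literally. Treat them as
# secrets: keep them in a vaulted vars file and rotate them.
- name: Add the user 'xuser' with uid 2048 in the wheel group  # name in the original said 'sauser'
  user:
    name: xuser
    password: '$6$cYbg7R6j$Q4uARdTl8m9MCx5RtR64xb7yPgZDGqtTsuwU8vYsAY/XloFwnLr8ezTf5eYCmzwm7Tv32PgbtDcFh0KHMZzmh1'
    uid: 2048
    groups: wheel  # supplementary group (not the primary group)
    shell: /bin/bash
    createhome: true
    home: /home/xuser
    state: present

- name: Add the user 'devuser' with uid 2047 in the wheel group
  user:
    name: devuser
    password: '$6$3JULDzh/$KrVsYViaT3b1l4btL6VdnJdTlcHqP5Bn2Wd.qtZW90q3pQFzpMvJHQbACA7r9Z7S9.ZagRXZVRupbBchcYGFW.'
    uid: 2047
    groups: wheel
    shell: /bin/bash
    createhome: true
    home: /home/devuser
    state: present

- name: Setting devuser user sudo permissions  # devuser: everything except the listed commands
  # regexp makes a re-run replace the existing devuser entry instead of adding
  # a second one; validate checks syntax before the file is swapped in. The
  # `/bin/vi /etc/ssh/*` entry was missing its `!` in the original (its vim
  # neighbour has one) and is treated as a typo.
  # NOTE(review): sudoers(5) warns that subtracting commands from ALL with `!`
  # is not an effective restriction (a copied or renamed binary, or a shell
  # escape from an allowed editor, bypasses it); prefer an allow-list.
  lineinfile:
    dest: /etc/sudoers
    regexp: '^devuser\s'
    line: 'devuser ALL=(ALL) NOPASSWD: ALL,!/bin/su,!/bin/su - root,!/bin/su root,!/usr/bin/passwd root,!/usr/sbin/visudo,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers,!/usr/bin/sudo -i,!/bin/vi /etc/ssh/*,!/usr/bin/vim /etc/ssh/*,!/bin/chmod 777 /etc/*,!/bin/chmod 777 *,!/bin/chmod 777,!/bin/chmod -R 777 *,!/bin/bash,!/bin/sh,!/bin/tcsh'
    validate: '/usr/sbin/visudo -cf %s'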
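- name: Set root nologin  # no root login over ssh
  # validate runs `sshd -t` on the candidate file before it replaces
  # sshd_config, so a bad edit cannot take the daemon down at the restart at
  # the end of the play. The optional `#` in the regexp also rewrites an
  # existing `PermitRootLogin yes`. NOTE(review): if this playbook itself
  # connects as root, that restart ends its own access; run it with a
  # non-root remote_user and become.
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'

- name: Set sshd DNS  # no reverse DNS lookups on login
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^#?UseDNS'
    line: 'UseDNS no'
    validate: '/usr/sbin/sshd -t -f %s'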
- name: Stop firewalld  # disable the host firewall (kept from the original)
  # NOTE(review): with firewalld and SELinux both off, the host relies
  # entirely on network-level controls; confirm that is intended.
  service:
    name: firewalld
    state: stopped
    enabled: false

- name: Shutdwon selinux.  # SELINUX=disabled; only matches an `enforcing` setting and takes effect at the next boot
  replace:
    dest: /etc/selinux/config
    regexp: '^SELINUX=enforcing'
    replace: 'SELINUX=disabled'

- name: Stop postfix  # local MTA not needed
  service:
    name: postfix
    state: stopped
    enabled: false
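- name: Mkdir yumrepo directory  # backup directory for the existing repo files
  file:
    path: /etc/yum.repos.d/yumrepo.bak
    state: directory
    mode: "0755"

- name: Find existing yum repo files
  find:
    paths: /etc/yum.repos.d
    patterns: '*.repo'
  register: yum_repo_files

- name: Backup yum.repo
  # Per-file move instead of `shell: mv *.repo ...`, which fails on the glob
  # once the directory is already empty (the original carried a commented-out
  # ignore_errors for exactly that). On a re-run the previously fetched
  # CentOS-Base.repo is moved too and then downloaded again, as before.
  command: mv "{{ item.path }}" /etc/yum.repos.d/yumrepo.bak/
  with_items: "{{ yum_repo_files.files }}"

- name: Configure yum source  # add the new repo file
  # NOTE(review): fetched over plain http from an internal address with no
  # checksum; a tampered repo file would redirect every later `yum install`.
  # get_url supports `checksum:` and https where the mirror offers them.
  get_url:
    url: http://172.17.0.30/CentOS-YUM/Pub/YumRepoFile/CentOS7/CentOS7-Base.repo
    dest: /etc/yum.repos.d/CentOS-Base.repo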
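- name: Install base rpm package  # base tooling for a fresh system
  # One yum transaction for the whole list instead of one per with_items
  # entry. state=latest kept from the original: every run upgrades these.
  yum:
    name:
      - bash-completion-extras.noarch
      - lrzsz
      - nc
      - vim
      - iotop
      - iftop
      - dstat
      - tcpdump
      - ipmitool
      - net-tools
      - libselinux-python
      - iptraf
      - chrony
    state: latest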
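- name: Set chrony  # write the chrony configuration
  # Whole file in one copy instead of `echo '' >` followed by lineinfile: the
  # truncate step was never idempotent and left a leading blank line.
  # NOTE(review): `server 0.0.0.0` is a placeholder copied from the original;
  # point it at a real time source.
  copy:
    dest: /etc/chrony.conf
    content: |
      server 0.0.0.0
      stratumweight 0
      driftfile /var/lib/chrony/drift
      rtcsync
      makestep 10 3
      bindcmdaddress 127.0.0.1
      bindcmdaddress ::1
      keyfile /etc/chrony.keys
      commandkey 1
      generatecommandkey
      noclientlog
      logchange 0.5
      logdir /var/log/chrony
  register: chrony_conf

- name: Start chrony  # start chronyd, restarting it when the config changed
  service:
    name: chronyd
    state: "{{ 'restarted' if chrony_conf.changed else 'started' }}"
    enabled: true
  tags: chrony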
- name: Change nofile limits.  # initial soft/hard limits for all users
  # NOTE(review): on el7 /etc/security/limits.d/20-nproc.conf is read after
  # this file and also sets nproc for `*`, so the nproc values here may not
  # win — confirm with `ulimit -u` as a normal user.
  lineinfile:
    dest: /etc/security/limits.conf
    line: "{{ item }}"
  with_items:
    - '* - nofile 165535'
    - '* soft nofile 165535'
    - '* hard nofile 165535'
    - '* soft nproc 165535'
    - '* hard nproc 165535'
  tags: limits
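- name: Set timezone  # link /etc/localtime to Asia/Shanghai
  # force: true lets the link replace an existing regular file, so the
  # separate "remove /etc/localtime" step is not needed and the host is never
  # left without a localtime between two tasks.
  file:
    src: /usr/share/zoneinfo/Asia/Shanghai
    dest: /etc/localtime
    state: link
    force: true

- name: Set LANG  # default system locale
  lineinfile:
    dest: /etc/locale.conf
    regexp: '^LANG='
    line: 'LANG=en_US.UTF-8'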
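- name: Set ipv6  # modprobe aliases that disable IPv6 (kept from the original)
  # One idempotent copy instead of `echo '' >` followed by lineinfile.
  # NOTE(review): on el7 the ipv6 code is built into the kernel, so these
  # module aliases are not expected to have any effect; the sysctl
  # net.ipv6.conf.all.disable_ipv6=1 is the el7 mechanism — confirm on a test host.
  copy:
    dest: /etc/modprobe.d/ipv6.conf
    content: |
      alias net-pf-10 off
      alias ipv6 off
  tags: ipv6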
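- name: Set histsize  # number of shell history entries kept
  lineinfile:
    dest: /etc/profile
    regexp: '^HISTSIZE='
    line: 'HISTSIZE=10000'

- name: Mkdir directory  # directory that history.sh (not shown here) writes into
  # Sticky bit instead of plain 0777: every user can still create files, but
  # only a file's owner can delete or rename it.
  file:
    path: /var/log/.history
    state: directory
    mode: "1777"

- name: Copy history script  # installs the history logging hook
  copy:
    src: history.sh
    dest: /etc/profile.d/history.sh
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"

- name: Set timeout  # idle shell timeout in seconds
  # regexp keeps a re-run from appending a second TMOUT line.
  # NOTE(review): a plain `export` can be unset by the user; `readonly TMOUT`
  # is the usual way to make the timeout stick.
  lineinfile:
    dest: /etc/profile
    regexp: '^export TMOUT='
    line: 'export TMOUT=600'
# The original "Soure profile" task (`shell: source /etc/profile`) ran inside
# the module's own throw-away shell and changed nothing on the host; dropped.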
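- name: Disable ctrl+alt+del reboot  # mask the target instead of deleting it
  # Masking (a symlink to /dev/null under /etc/systemd/system) survives package
  # updates; deleting the package-owned file under /usr/lib does not, because
  # the next systemd update restores it.
  file:
    src: /dev/null
    dest: /etc/systemd/system/ctrl-alt-del.target
    state: link
    force: true

- name: Reload the configuration file  # make systemd pick up the masked unit
  command: systemctl daemon-reload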
- name: Update resolv  # local DNS resolvers
  # NOTE(review): `0.0.0.0` is a placeholder. lineinfile only adds a line that
  # is absent, so the three identical entries yield a single nameserver line;
  # on el7 NetworkManager may also rewrite /etc/resolv.conf — confirm.
  lineinfile:
    dest: /etc/resolv.conf
    line: "{{ item }}"
  with_items:
    - 'options timeout:1'
    - 'nameserver 0.0.0.0'
    - 'nameserver 0.0.0.0'
    - 'nameserver 0.0.0.0'
  tags: resolv
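- name: Update sysctl  # kernel parameters
  # sysctl module instead of lineinfile: it updates an existing key in place
  # (no duplicate keys with different values), sets the value live and reloads
  # the file on change; the original only appended lines and never loaded
  # them. The duplicated entries from the original (tcp_syncookies,
  # icmp_echo_ignore_broadcasts) are listed once.
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.conf
    sysctl_set: true
    reload: true
    state: present
  with_items:
    - { name: net.ipv4.tcp_syncookies, value: "1" }
    - { name: kernel.core_uses_pid, value: "1" }
    # NOTE(review): suid_dumpable=2 together with a core_pattern under the
    # world-writable /tmp lets setuid programs dump core where any user can
    # read the files; hardening baselines set fs.suid_dumpable=0.
    - { name: kernel.core_pattern, value: '/tmp/core-%e-%p' }
    - { name: fs.suid_dumpable, value: "2" }
    - { name: net.ipv4.tcp_tw_reuse, value: "1" }
    - { name: net.ipv4.tcp_tw_recycle, value: "0" }
    - { name: net.ipv4.tcp_timestamps, value: "0" }
    - { name: net.ipv4.ip_forward, value: "0" }
    - { name: net.ipv4.conf.all.send_redirects, value: "0" }
    - { name: net.ipv4.conf.default.send_redirects, value: "0" }
    - { name: net.ipv4.tcp_max_syn_backlog, value: "1280" }
    - { name: net.ipv4.icmp_echo_ignore_broadcasts, value: "1" }
    - { name: net.ipv4.conf.all.accept_source_route, value: "0" }
    - { name: net.ipv4.conf.all.accept_redirects, value: "0" }
    - { name: net.ipv4.conf.all.secure_redirects, value: "0" }
    - { name: net.ipv4.conf.all.log_martians, value: "1" }
    - { name: net.ipv4.conf.default.accept_source_route, value: "0" }
    - { name: net.ipv4.conf.default.accept_redirects, value: "0" }
    - { name: net.ipv4.conf.default.secure_redirects, value: "0" }
    - { name: net.ipv4.icmp_ignore_bogus_error_responses, value: "1" }
    - { name: net.ipv4.conf.all.rp_filter, value: "1" }
    - { name: net.ipv4.conf.default.rp_filter, value: "1" }
    - { name: vm.max_map_count, value: "655360" }
  tags: sysctl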
- name: Restart sshd  # apply the sshd_config edits made above
  # NOTE(review): after this restart PermitRootLogin no is in force; if the
  # play connected as root, later plays against this host need another user.
  service:
    name: sshd
    state: restarted
    enabled: true