Initializing a system with Ansible playbooks

main.yaml

The entry point only imports the per-topic playbooks below. Each imported file is a separate play, so any play that uses a value from variables.yaml has to load it with vars_files itself. Order matters: user.yaml creates the tomcat user that download.yaml uses as file owner, and partion.yaml mounts /data before download.yaml unpacks into it.

```yaml
- import_playbook: hostname.yaml
- import_playbook: packages.yaml
- import_playbook: partion.yaml
- import_playbook: user.yaml
- import_playbook: download.yaml
- import_playbook: optimize.yaml
```

variables.yaml

Holds the per-host service name and the package list. "xxx" is a placeholder; hostname.yaml refuses to run until it is replaced. The original file spelled the key "services", which no playbook reads, while hostname.yaml and download.yaml expect "service".

```yaml
---
service: xxx   # placeholder, replaced per host; hostname.yaml fails while it is still "xxx"
packages:
  - dos2unix
  - tree
  - telnet
  - htop
  - iftop
  - lrzsz
  - zip
  - unzip
  - lsof
  - bind-utils
  - screen
  - mtr
  - net-tools
  - parted
```

hostname.yaml

Sets the hostname from the service name plus the last octet of the private IP and, when eth1 exists, of the public IP (the form is <service>_<private tail> or <service>_<private tail>_<public tail>), and adds the matching entry to /etc/hosts. Note that "_" is not valid in DNS host names (RFC 1123 allows only letters, digits and "-"); keep the underscore only if these hosts are never resolved through DNS.

```yaml
- hosts: localhost
  vars_files:
    - variables.yaml
  tasks:
    - name: determine if variable is defined
      fail:
        msg: "The variable service is not defined"
      when: service is not defined or service == "xxx"
    - name: get the last octet of the private IP
      set_fact:
        private_tail: "{{ ansible_eth0.ipv4.address.split('.')[-1] }}"
    # ansible_eth1 itself is undefined when the interface is absent, so it must be tested
    # before ansible_eth1.ipv4 is touched; the original condition raised "ansible_eth1 is undefined".
    - name: get the last octet of the public IP if eth1 exists
      set_fact:
        public_tail: "{{ ansible_eth1.ipv4.address.split('.')[-1] }}"
      when: ansible_eth1 is defined and ansible_eth1.ipv4 is defined
    # set_fact replaces the two shell+register tasks of the original: a skipped task still
    # overwrites its register variable, so hostname.stdout was undefined whenever eth1 was absent.
    - name: define hostname if eth1 does not exist
      set_fact:
        new_hostname: "{{ service }}_{{ private_tail }}"
      when: public_tail is not defined
    - name: define hostname if eth1 exists
      set_fact:
        new_hostname: "{{ service }}_{{ private_tail }}_{{ public_tail }}"
      when: public_tail is defined
    - name: set hostname
      hostname:
        name: "{{ new_hostname }}"
    - name: update mappings in /etc/hosts
      lineinfile:
        path: /etc/hosts
        # escape the dots and anchor on whitespace, so 10.0.0.1 does not also match 10.0.0.10
        regexp: "^{{ ansible_eth0.ipv4.address | regex_escape }}\\s"
        line: "{{ ansible_eth0.ipv4.address }} {{ new_hostname }}"
    - name: Add mappings to /etc/hosts
      blockinfile:
        path: /etc/hosts
        block: |
          10.30.206.112 jenkins.ztjystore.com
        marker: "# {mark} ANSIBLE MANAGED BLOCK for jenkins deploy webserver"
```

packages.yaml

Installs the common packages listed in variables.yaml. The original play never loaded variables.yaml, so "packages" was undefined when it was imported from main.yaml.

```yaml
- hosts: localhost
  vars_files:
    - variables.yaml
  tasks:
    - name: install the common packages
      yum: name={{ item }} state=present
      with_items: "{{ packages }}"
```

partion.yaml

Checks whether a second disk (/dev/sdb) exists; if it does and /dev/sdb1 carries no filesystem yet, creates the partition, formats it as ext4 and mounts it at /data. The device name is an assumption of the playbook: virtio and NVMe disks show up as /dev/vdb or /dev/nvme1n1, in which case ansible_devices.sdb is undefined and every task here is skipped. The filesystem module does not reformat a partition that already has a filesystem, which is what makes a re-run safe.

```yaml
- hosts: localhost
  tasks:
    - name: determine if /dev/sdb1 already carries a filesystem
      shell: blkid -s TYPE /dev/sdb1
      register: filesystem
      when: ansible_devices.sdb is defined
      ignore_errors: True     # blkid exits non-zero when sdb1 is absent or has no filesystem
      changed_when: false
    # str.find() returns -1 when TYPE is absent. The original compared against 1, which is true
    # for almost any output, so parted ran regardless of whether a filesystem was present.
    - name: Create a new primary partition if the partition does not exist or has no filesystem
      parted: device=/dev/sdb number=1 state=present
      when: ansible_devices.sdb is defined and (filesystem.stdout | default('')).find('TYPE') == -1
    - name: make filesystem for /dev/sdb1
      filesystem: dev=/dev/sdb1 fstype=ext4
      when: ansible_devices.sdb is defined
    - name: Add mount point to fstab
      mount: src=/dev/sdb1 path=/data fstype=ext4 state=mounted
      when: ansible_devices.sdb is defined
```

user.yaml

Creates regular users and grants sudo to the one that needs it. Two things to be aware of: the passwords are stored in plaintext in the playbook and handed to passwd on a shell command line (visible in process listings and, without no_log, in the play output), and NOPASSWD:ALL makes the yunwei account equivalent to root.

```yaml
- hosts: localhost
  tasks:
    - name: ensure the admin group exists    # the original assumed it was already present
      group: name=admin state=present
    - name: create user
      user: name={{ item.user }} group=admin uid={{ item.uid }}
      with_items:
        - { uid: 1001, user: log_user }
        - { uid: 1002, user: yunwei }
        - { uid: 1003, user: tomcat }
    # The plaintext password is in this file and on a command line; no_log at least keeps it
    # out of the play output and callback logs.
    - name: set password for user
      shell: echo "{{ item.passwd }}" | passwd --stdin {{ item.user }}
      no_log: true
      with_items:
        - { passwd: "xxxxxx", user: log_user }
        - { passwd: "xxxxxx", user: yunwei }
    - name: grant sudo to user(yunwei)
      copy:
        content: |
          {{ item.user }} ALL=(ALL) NOPASSWD:ALL
        dest: /etc/sudoers.d/yunwei
        mode: '0440'    # the mode sudo expects for sudoers files; copy's default would be 0644
        validate: '/usr/sbin/visudo -cf %s'
      with_items:
        - { user: yunwei }
```
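A hardened version of the same play, added here as an example and not part of the original post. The passwords come from a vault-encrypted secrets.yaml (file name and variable names are assumptions), are written through the user module as sha512-crypt hashes instead of being echoed into passwd, and yunwei's password-less sudo is scoped to the page's /bin/tomcatctl.sh while everything else still asks for a password.

```yaml
# secrets.yaml is assumed to exist and to be encrypted with `ansible-vault encrypt secrets.yaml`:
#   log_user_password: "..."
#   yunwei_password: "..."
# Run with --ask-vault-pass or --vault-password-file.
- hosts: localhost
  vars_files:
    - secrets.yaml
  vars:
    login_users:
      - { uid: 1001, user: log_user, password: "{{ log_user_password }}" }
      - { uid: 1002, user: yunwei,   password: "{{ yunwei_password }}" }
    service_accounts:
      - { uid: 1003, user: tomcat }
  tasks:
    - name: ensure the admin group exists
      group:
        name: admin
        state: present
    - name: create the service account without a password (password login stays locked)
      user:
        name: "{{ item.user }}"
        uid: "{{ item.uid }}"
        group: admin
      loop: "{{ service_accounts }}"
    - name: create login users with a hashed password instead of a plaintext one on a command line
      user:
        name: "{{ item.user }}"
        uid: "{{ item.uid }}"
        group: admin
        # password_hash salts freshly on every run, so limit updates to account creation or
        # the task reports "changed" on each play
        password: "{{ item.password | password_hash('sha512') }}"
        update_password: on_create
      loop: "{{ login_users }}"
      no_log: true    # keeps both the plaintext and the hash out of the play output
    - name: grant yunwei scoped sudo; only the service script runs without a password
      copy:
        content: |
          yunwei ALL=(root) NOPASSWD: /bin/tomcatctl.sh
          yunwei ALL=(ALL) ALL
        dest: /etc/sudoers.d/yunwei
        owner: root
        group: root
        mode: '0440'
        validate: '/usr/sbin/visudo -cf %s'
```

The validate step still runs visudo on the temporary file before it replaces /etc/sudoers.d/yunwei, so a syntax error leaves the previous rules in place instead of breaking sudo for everyone.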

download.yaml

Downloads the scripts and tool packages to the target directories and sets permissions. Every fetch is over plain HTTP or with certificate validation disabled, and nothing is checksummed, so anyone who can answer for these hosts controls what gets unpacked into /data and executed as root or as tomcat. The original play also used the "service" variable without loading variables.yaml, and its final mv failed on every re-run.

```yaml
- hosts: localhost
  vars_files:
    - variables.yaml    # supplies {{ service }}, which the original play used without loading it
  tasks:
    - name: create directory
      file: path="{{ item }}" state=directory mode=0750 group=admin
      with_items:
        - /server/tools
        - /server/scripts
        - /data/
    # Plain HTTP, validate_certs=false and no checksum: see the note above.
    - name: download the tomcat template
      get_url: url={{ item }} dest=/server/tools/ validate_certs=false
      with_items:
        - http://ztjy-upgrade.oss-cn-hangzhou.aliyuncs.com/public/template.tar.gz
    - name: download the tomcatctl.sh
      get_url: url={{ item }} dest=/server/scripts/tomcatctl.sh validate_certs=false mode=0700
      with_items:
        - http://ztjy-upgrade.oss-cn-hangzhou.aliyuncs.com/public/tomcatctl.sh
    - name: link tomcatctl.sh into /bin    # the original name claimed "mode 755"; the task creates a link
      file: src="/server/scripts/tomcatctl.sh" dest="/bin/tomcatctl.sh" mode=0750 group=admin state=link
    - name: unarchive the osscmd
      unarchive: src="http://ztjy-upgrade.oss-cn-hangzhou.aliyuncs.com/public/osscmd.tar.gz" dest="/server/scripts/" validate_certs=false remote_src=yes
    - name: unarchive the jdk1.7
      unarchive: src="http://ztjyupdate.ztjystore.cn/jdk1.7.0_67.zip" dest="/data/" owner=tomcat group=admin validate_certs=false remote_src=yes
    - name: unarchive the jdk1.8
      unarchive: src="https://ztjyupdate.ztjystore.cn/jdk-8u11-linux-x64.tar.gz" dest="/data/" owner=tomcat group=admin validate_certs=false remote_src=yes
    - name: unarchive the tomcat template
      unarchive: src="/server/tools/template.tar.gz" dest="/data/" owner=tomcat group=admin remote_src=yes
    - name: rename the template directory
      command: mv /data/template/ /data/{{ service }}/
      args:
        creates: "/data/{{ service }}"    # skip once the target exists, so re-runs do not fail
    - name: deny other users access to webapps
      file: path="/data/{{ service }}/tomcat/webapps/" mode=0750 state=directory
```
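How the same fetch looks with the artifact pinned, added here as an example and not part of the original post. It assumes the bucket also answers over HTTPS and that a sha256 of each artifact was recorded when it was published (the REPLACE_WITH_PINNED_DIGEST placeholders stand in for those values). get_url then refuses to keep a file whose digest does not match, and only the verified archive is unpacked.

```yaml
- hosts: localhost
  vars_files:
    - variables.yaml
  vars:
    # Assumed for this example: digests recorded at publish time, kept in version control
    # with the playbook rather than fetched from the same bucket as the artifact.
    artifacts:
      - url: https://ztjy-upgrade.oss-cn-hangzhou.aliyuncs.com/public/template.tar.gz
        dest: /server/tools/template.tar.gz
        checksum: "sha256:REPLACE_WITH_PINNED_DIGEST"
        mode: '0640'
      - url: https://ztjy-upgrade.oss-cn-hangzhou.aliyuncs.com/public/tomcatctl.sh
        dest: /server/scripts/tomcatctl.sh
        checksum: "sha256:REPLACE_WITH_PINNED_DIGEST"
        mode: '0750'
  tasks:
    - name: fetch each artifact over TLS and fail unless the pinned digest matches
      get_url:
        url: "{{ item.url }}"
        dest: "{{ item.dest }}"
        checksum: "{{ item.checksum }}"
        validate_certs: true    # the default, stated explicitly because the original disabled it
        mode: "{{ item.mode }}"
        owner: root
        group: admin
      loop: "{{ artifacts }}"
    # unarchive runs only if the task above succeeded, i.e. the digest matched.
    - name: unpack the verified template once
      unarchive:
        src: /server/tools/template.tar.gz
        dest: /data/
        remote_src: yes
        owner: tomcat
        group: admin
        creates: "/data/{{ service }}"
    - name: rename the template directory once
      command: mv /data/template /data/{{ service }}
      args:
        creates: "/data/{{ service }}"
```

With a matching file already at dest, get_url compares the digest and skips the download, so the play is idempotent; a digest mismatch fails the task before anything is unpacked. The JDK and osscmd archives from the original play can be handled the same way by adding them to the artifacts list.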

optimize.yaml

Related tuning (ulimit, environment variables, sshd and SELinux). The sshd edit is validated with sshd -t before the handler restarts the daemon, since a bad sshd_config followed by a restart locks you out of the host. The SELinux change only takes effect after a reboot, and "disabled" removes mandatory access control entirely; "permissive" keeps the policy loaded and logs denials, which is the usual first step while a policy is being fixed. In the original the handlers block had lost its indentation and sat outside the play.

```yaml
- hosts: localhost
  tasks:
    - name: Add PAM limits for admin group
      pam_limits: domain="@admin" limit_type="-" dest="/etc/security/limits.d/admin.conf" limit_item={{ item.key }} value={{ item.value }}
      with_items:
        - { key: nproc , value: 10240 }
        - { key: nofile, value: 10240 }
    # The marker is the same for every item, so each iteration replaces the previous block;
    # this only works because there is a single item.
    - name: Add environment variables
      blockinfile:
        path: /etc/profile
        block: |
          export {{ item.key }}={{ item.value }}
        marker: "# {mark} ANSIBLE MANAGED BLOCK for environment variables"
      with_items:
        - { key: HISTTIMEFORMAT , value: '"%F %T "' }
    - name: Disable DNS resolv for ssh
      lineinfile: path=/etc/ssh/sshd_config regexp=".*UseDNS" line="UseDNS no" validate='/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh server
    - name: Disable SELINUX
      lineinfile: path=/etc/selinux/config regexp="^SELINUX=" line="SELINUX=disabled"
  handlers:
    - name: restart ssh server
      service: name=sshd state=restarted
```