目录
一.roles介绍
1.作用
2.role的目录结构
3.role和tasks的执行优先级顺序
二.自定义一个httpd的角色
1.完整目录结构展示
2.主要的各个目录配置
(1)vars目录和templates目录
(2)tasks目录和handlers目录
(3)运行playbook测试
三.ansible galaxy安装roles
1.在线网站
2.配置roles_path
3.ansible-galaxy安装role
4.其他管理
四.系统角色
1.安装系统角色包
2.更改配置文件role路径便于对系统角色进行操作
3.介绍rhel提供的部分系统角色
4.timesync和selinux示例
(1)timesync
(2)selinux
一.roles介绍
1.作用
主要适用于层次性、结构化来组织playbook任务。根据层次型结构自动装载变量文件、tasks、和handlers等。主要应用于基于主机构建服务和构建进程场景、代码服用程度较高的场景。
2.role的目录结构
在playbook中通过“roles: role文件”来引用role,role的目录结构不要求全部完整,根据role要实现的功能来添加目录和文件
| 名称 | 含义 |
|---|---|
| tasks | 至少要包含一个main.yaml,用来定义这个角色的任务列表,可以使用include引入其他tasks |
| files | 存放copy或script模块调用的文件 |
| templates | template模块寻找jinja2模版的目录 |
| handlers | 要包含一个main.yaml,来定义这个角色用到的handlers |
| vars | 要包含一个main.yaml,用来定义这个角色要用到的变量 |
| mate | 要包含一个main.yaml,用来定义这个角色的特殊设置 |
3.role和tasks的执行优先级顺序
pre_tasks > roles > tasks > post_tasks
二.自定义一个httpd的角色
1.完整目录结构展示
[root@main roles]# tree .
.
├── ansible.cfg #存放ansible配置文件
├── httpd #role目录
│ ├── handlers #存放handlers
│ │ └── main.yaml
│ ├── tasks #存放主要执行的任务
│ │ ├── config.yaml #关于配置httpd
│ │ ├── group.yaml #关于配置httpd属组
│ │ ├── install.yaml #关于安装httpd
│ │ ├── main.yaml #关于所有任务的引入
│ │ ├── start.yaml #关于启动httpd
│ │ └── user.yaml #关于配置httpd属主
│ ├── templates #存放要部署下发的文件
│ │ └── httpd.conf.j2
│ └── vars #存放变量
│ └── main.yaml
├── httpd_roles.yaml #最终指定执行role的playbook文件
└── myhosts #主机清单文件2.主要的各个目录配置
(1)vars目录和templates目录
[root@main httpd]# cat vars/main.yaml #自定义在受管节点的httpd服务要用到的参数
port: 8090
user: sulibao
group: sulibao
[root@main httpd]# cp httpd.conf /root/roles/httpd/templates/httpd.conf.j2
#从本地拷贝httpd的配置文件到templates目录,且为j2格式
#需要修改参数的话就按照j2变量格式去修改
[root@main httpd]# cat templates/httpd.conf.j2 | grep Listen;cat templates/httpd.conf.j2 | grep User;cat templates/httpd.conf.j2 | grep Group
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen "{{ port }}" #
# User/Group: The name (or #number) of the user/group to run httpd as.
User "{{ user }}" #
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
# User/Group: The name (or #number) of the user/group to run httpd as.
Group "{{ group }}" #(2)tasks目录和handlers目录
[root@main httpd]# cat tasks/user.yaml #创建用户
- name: create user
user:
name: "sulibao"
uid: 1050
system: yes
shell: /sbin/nologin
[root@main httpd]# cat tasks/group.yaml #创建组
- name: create group
group:
name: "sulibao"
gid: 1050
system: yes
[root@main httpd]# cat tasks/install.yaml #安装httpd
- name: install httpd
yum:
name: httpd
state: present
[root@main httpd]# cat tasks/start.yaml #启动httpd
- name: start httpd
service:
name: httpd
state: started
enabled: yes
[root@main httpd]# cat tasks/config.yaml #将templates内的配置文件推送给受管节点用
- name: config httpd
template:
src: /root/roles/httpd/templates/httpd.conf.j2
dest: /etc/httpd/conf/httpd.conf
notify: restart httpd
[root@main httpd]# cat tasks/main.yaml #引用所有的任务
- import_tasks: user.yaml
- import_tasks: group.yaml
- import_tasks: install.yaml
- import_tasks: start.yaml
- import_tasks: config.yaml
[root@main httpd]# cat handlers/main.yaml
- name: restart httpd
service:
name: httpd
state: restarted(3)运行playbook测试
[root@main roles]# cat httpd_roles.yaml
---
- hosts: servera
roles:
- role: httpd #指定httpd角色目录
[root@main roles]# ansible-playbook httpd_roles.yaml
[root@main roles]# ansible servera -m shell -a 'ss -lntup | grep 8090' #端口变量运行正常
servera | CHANGED | rc=0 >>
tcp LISTEN 0 128 [::]:8090 [::]:* users:(("httpd",pid=2749,fd=4),("httpd",pid=2748,fd=4),("httpd",pid=2747,fd=4),("httpd",pid=2746,fd=4),("httpd",pid=2745,fd=4),("httpd",pid=2744,fd=4))
[root@main roles]# ansible servera -m shell -a 'ps u 2748' #进程确实是我们指定用户
servera | CHANGED | rc=0 >>
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
sulibao 2748 0.0 0.0 250100 3572 ? S 14:09 0:00 /usr/sbin/httpd -DFOREGROUND
[root@main roles]# ansible servera -m shell -a 'echo hello > /var/www/html/index.html'
servera | CHANGED | rc=0 >>
[root@main roles]# ansible servera -m shell -a 'curl localhost:8090' #能够正常访问
servera | CHANGED | rc=0 >>
hello 三.ansible galaxy安装roles
ansible-galaxy基于在线网站的公共内容资源库,可以在内进行搜索所需roles,便于从在线网站获取role和git存储库的role。
1.在线网站
Galaxy NG (ansible.com)
时而可用时而不可用,找到role后复制命令进行下载
2.配置roles_path
[root@main roles]# cat ansible.cfg | grep role
roles_path=/root/roles/myroles3.ansible-galaxy安装role
(1)默认通过网站在线安装
[root@main playkongzhi]# ansible-galaxy install role名称(2)通过文件安装,需要是yaml格式的文件
[root@main playkongzhi]# ansible-galaxy install -r 指定文件 -p 指定安装路径4.其他管理
(1)初始化角色结构
[root@main playkongzhi]# ansible-galaxy init role名称(2)列出角色名称
[root@main playkongzhi]# ansible-galaxy list(3)删除已安装角色
[root@main playkongzhi]# ansible-galaxy remove role名称(4)搜索角色
可以通过“--author(作者)”、“--platform(平台)”、“--galaxy-tags(标签)“等选项来缩小范围
[root@main playkongzhi]# ansible-galaxy search role名称 选项四.系统角色
1.安装系统角色包
注意:
角色默认是下载到/usr/share/ansible/roles
其帮助文档位于/usr/share/doc/rhel-system-roles-1.21.2(含示例)
[root@main roles]# yum list | grep roles
rhel-system-roles.noarch 1.21.2-1.el7_9 extras
[root@main roles]# yum install -y rhel-system-roles.noarch2.更改配置文件role路径便于对系统角色进行操作
roles目录路径后再使用":"跟上下载的系统角色目录路径,再就可以查看到我们可用的角色了,若不需要就再把路径改回来即可
[root@main roles]# cat ansible.cfg | grep role
roles_path=/root/roles/myroles:/usr/share/ansible/roles
[root@main roles]# ansible-galaxy list
# /root/roles/myroles
# /usr/share/ansible/roles
- linux-system-roles.ad_integration, (unknown version)
- linux-system-roles.certificate, (unknown version)
- linux-system-roles.cockpit, (unknown version)
- linux-system-roles.crypto_policies, (unknown version)
- linux-system-roles.firewall, (unknown version)
- linux-system-roles.ha_cluster, (unknown version)
- linux-system-roles.journald, (unknown version)
- linux-system-roles.kdump, (unknown version)
- linux-system-roles.kernel_settings, (unknown version)
- linux-system-roles.logging, (unknown version)
- linux-system-roles.metrics, (unknown version)
- linux-system-roles.nbde_client, (unknown version)
- linux-system-roles.nbde_server, (unknown version)
- linux-system-roles.network, (unknown version)
- linux-system-roles.podman, (unknown version)
- linux-system-roles.postfix, (unknown version)
- linux-system-roles.rhc, (unknown version)
- linux-system-roles.selinux, (unknown version)
- linux-system-roles.ssh, (unknown version)
- linux-system-roles.sshd, (unknown version)
- linux-system-roles.storage, (unknown version)
- linux-system-roles.timesync, (unknown version)
- linux-system-roles.tlog, (unknown version)
- linux-system-roles.vpn, (unknown version)
- rhel-system-roles.ad_integration, (unknown version)
- rhel-system-roles.certificate, (unknown version)
- rhel-system-roles.cockpit, (unknown version)
- rhel-system-roles.crypto_policies, (unknown version)
- rhel-system-roles.firewall, (unknown version)
- rhel-system-roles.ha_cluster, (unknown version)
- rhel-system-roles.journald, (unknown version)
- rhel-system-roles.kdump, (unknown version)
- rhel-system-roles.kernel_settings, (unknown version)
- rhel-system-roles.logging, (unknown version)
- rhel-system-roles.metrics, (unknown version)
- rhel-system-roles.nbde_client, (unknown version)
- rhel-system-roles.nbde_server, (unknown version)
- rhel-system-roles.network, (unknown version)
- rhel-system-roles.podman, (unknown version)
- rhel-system-roles.postfix, (unknown version)
- rhel-system-roles.rhc, (unknown version)
- rhel-system-roles.selinux, (unknown version)
- rhel-system-roles.ssh, (unknown version)
- rhel-system-roles.sshd, (unknown version)
- rhel-system-roles.storage, (unknown version)
- rhel-system-roles.timesync, (unknown version)
- rhel-system-roles.tlog, (unknown version)
- rhel-system-roles.vpn, (unknown version)3.介绍rhel提供的部分系统角色
| 名称 | 描述功能 |
|---|---|
| rhel-system-roles.timesync | 配置时间同步,使用网络时间协议配置 |
| rhel-system-roles.selinux | 配置selinux的模式、文件、端口上下文、用户等 |
| rhel-system-roles.network | 配置网络接口 |
| rhel-system-roles.kdump | 配置kdump崩溃恢复服务 |
| rhel-system-roles.postfix | 配置使用postfix配置邮件传输代理 |
| rhel-system-roles.firewall | 配置防火墙 |
4.timesync和selinux示例
(1)timesync
实际上,example文件已经给出了完整的模版,按照其中的参数修改为自己需求即可
[root@main roles]# cat /usr/share/doc/rhel-system-roles-1.21.2/timesync/example-multiple-ntp-servers-playbook.yml
---
- name: Example with multiple servers
hosts: "{{ targets }}" #更改为自己管理的主机
vars:
timesync_ntp_servers:
- hostname: 0.pool.ntp.org #hostname表示要同步的ntp服务器
iburst: true
- hostname: 1.pool.ntp.org
iburst: true
- hostname: 2.pool.ntp.org
iburst: true
- hostname: 3.pool.ntp.org
iburst: true
roles:
- rhel-system-roles.timesync
#将模板文件拷贝过来并改名
[root@main roles]# cp /usr/share/doc/rhel-system-roles-1.21.2/timesync/example-multiple-ntp-servers-playbook.yml timesync.yaml
[root@main roles]# cat timesync.yaml
---
- name: Example with multiple servers
hosts: servera #修改hosts
vars:
timesync_ntp_servers:
- hostname: 0.pool.ntp.org #就使用模版提供的ntp也行
iburst: true #填写布尔值,启用或禁用快速初始化同步,默认为no,一般设置yes
- hostname: 1.pool.ntp.org
iburst: true
- hostname: 2.pool.ntp.org
iburst: true
- hostname: 3.pool.ntp.org
iburst: true
roles:
- rhel-system-roles.timesync
[root@main roles]# ansible servera -m shell -a 'head /etc/chrony.conf'
#查看是否应用成功
servera | CHANGED | rc=0 >>
#
# Ansible managed
#
# system_role:timesync
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
[root@main roles]# ansible servera -m shell -a 'chronyc sources'
servera | CHANGED | rc=0 >>
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ electrode.felixc.at 2 6 37 96 +49ms[+8671us] +/- 140ms
^- ntp5.flashdance.cx 2 6 75 34 +48ms[ +48ms] +/- 149ms
^* makaki.miuku.net 3 6 77 35 -29ms[ -69ms] +/- 128ms
#测试第一次这个可用,成功
^- a.chl.la 2 6 75 35 +48ms[ +48ms] +/- 139ms(2)selinux
修改过后需要重启
[root@main roles]# cp /usr/share/doc/rhel-system-roles-1.21.2/selinux/example-selinux-playbook.yml selinux.yaml
[root@main roles]# vim selinux.yaml
[root@main roles]# cat selinux.yaml
---
- name: Manage SELinux policy example
hosts: all
vars:
# Use "targeted" SELinux policy type
selinux_policy: targeted
# Set "enforcing" mode
selinux_state: enforcing #模版默认设置的是enforcing
# Switch some SELinux booleans
selinux_booleans:
# Set the 'samba_enable_home_dirs' boolean to 'on' in the current
# session only
- {name: 'samba_enable_home_dirs', state: 'on'}
# Set the 'ssh_sysadm_login' boolean to 'on' permanently
- {name: 'ssh_sysadm_login', state: 'on', persistent: 'yes'}
# Map '/tmp/test_dir' and its subdirectories to the 'user_home_dir_t'
# SELinux file type
selinux_fcontexts:
- {target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd'}
# Restore SELinux file contexts in '/tmp/test_dir'
selinux_restore_dirs:
- /tmp/test_dir
# Map tcp port 22100 to the 'ssh_port_t' SELinux port type
selinux_ports:
- {ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present'}
# Map the 'sar-user' Linux user to the 'staff_u' SELinux user
selinux_logins:
- {login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023',
state: 'present'}
# Manage modules
selinux_modules:
# Install the 'localpolicy.cil' with priority 300
- {path: "localpolicy.cil", priority: "300", state: "enabled"}
# Disable the 'unconfineduser' module with priority 100
- {name: "unconfineduser", priority: "100", state: "disabled"}
# Remove the 'temporarypolicy' module with priority 400
- {name: "temporarypolicy", priority: "400", state: "absent"}
# Prepare the prerequisites required for this playbook
tasks:
- name: Creates directory
file:
path: /tmp/test_dir
state: directory
mode: "0755"
- name: Add a Linux System Roles SELinux User
user:
comment: Linux System Roles SELinux User
name: sar-user
- name: Execute the role and catch errors
block:
- name: Include selinux role
include_role:
name: rhel-system-roles.selinux
rescue:
# Fail if failed for a different reason than selinux_reboot_required.
- name: Handle errors
fail:
msg: "role failed"
when: not selinux_reboot_required
- name: Restart managed host
reboot:
- name: Wait for managed host to come back
wait_for_connection:
delay: 10
timeout: 300
- name: Reapply the role
include_role:
name: rhel-system-roles.selinux
