本文主要是介绍Ansible上通过roles简化playbook演示介绍,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
目录
一.roles介绍
1.作用
2.role的目录结构
3.role和tasks的执行优先级顺序
二.自定义一个httpd的角色
1.完整目录结构展示
2.主要的各个目录配置
(1)vars目录和templates目录
(2)tasks目录和handlers目录
(3)运行playbook测试
三.ansible galaxy安装roles
1.在线网站
2.配置roles_path
3.ansible-galaxy安装role
4.其他管理
四.系统角色
1.安装系统角色包
2.更改配置文件role路径便于对系统角色进行操作
3.介绍rhel提供的部分系统角色
4.timesync和selinux示例
(1)timesync
(2)selinux
一.roles介绍
1.作用
主要适用于层次性、结构化来组织playbook任务。根据层次型结构自动装载变量文件、tasks、和handlers等。主要应用于基于主机构建服务和构建进程场景、代码服用程度较高的场景。
2.role的目录结构
在playbook中通过“roles: role文件”来引用role,role的目录结构不要求全部完整,根据role要实现的功能来添加目录和文件
| 名称 | 含义 |
|---|---|
| tasks | 至少要包含一个main.yaml,用来定义这个角色的任务列表,可以使用include引入其他tasks |
| files | 存放copy或script模块调用的文件 |
| templates | template模块寻找jinja2模版的目录 |
| handlers | 要包含一个main.yaml,来定义这个角色用到的handlers |
| vars | 要包含一个main.yaml,用来定义这个角色要用到的变量 |
| mate | 要包含一个main.yaml,用来定义这个角色的特殊设置 |
3.role和tasks的执行优先级顺序
pre_tasks > roles > tasks > post_tasks
二.自定义一个httpd的角色
1.完整目录结构展示
[root@main roles]# tree .
.
├── ansible.cfg #存放ansible配置文件
├── httpd #role目录
│ ├── handlers #存放handlers
│ │ └── main.yaml
│ ├── tasks #存放主要执行的任务
│ │ ├── config.yaml #关于配置httpd
│ │ ├── group.yaml #关于配置httpd属组
│ │ ├── install.yaml #关于安装httpd
│ │ ├── main.yaml #关于所有任务的引入
│ │ ├── start.yaml #关于启动httpd
│ │ └── user.yaml #关于配置httpd属主
│ ├── templates #存放要部署下发的文件
│ │ └── httpd.conf.j2
│ └── vars #存放变量
│ └── main.yaml
├── httpd_roles.yaml #最终指定执行role的playbook文件
└── myhosts #主机清单文件2.主要的各个目录配置
(1)vars目录和templates目录
[root@main httpd]# cat vars/main.yaml #自定义在受管节点的httpd服务要用到的参数
port: 8090
user: sulibao
group: sulibao
[root@main httpd]# cp httpd.conf /root/roles/httpd/templates/httpd.conf.j2
#从本地拷贝httpd的配置文件到templates目录,且为j2格式
#需要修改参数的话就按照j2变量格式去修改
[root@main httpd]# cat templates/httpd.conf.j2 | grep Listen;cat templates/httpd.conf.j2 | grep User;cat templates/httpd.conf.j2 | grep Group
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen "{{ port }}" #
# User/Group: The name (or #number) of the user/group to run httpd as.
User "{{ user }}" #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedLogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
# User/Group: The name (or #number) of the user/group to run httpd as.
Group "{{ group }}" #(2)tasks目录和handlers目录
[root@main httpd]# cat tasks/user.yaml #创建用户
- name: create useruser:name: "sulibao"uid: 1050system: yesshell: /sbin/nologin
[root@main httpd]# cat tasks/group.yaml #创建组
- name: create groupgroup:name: "sulibao"gid: 1050system: yes
[root@main httpd]# cat tasks/install.yaml #安装httpd
- name: install httpdyum:name: httpdstate: present
[root@main httpd]# cat tasks/start.yaml #启动httpd
- name: start httpdservice:name: httpdstate: startedenabled: yes
[root@main httpd]# cat tasks/config.yaml #将templates内的配置文件推送给受管节点用
- name: config httpdtemplate:src: /root/roles/httpd/templates/httpd.conf.j2dest: /etc/httpd/conf/httpd.confnotify: restart httpd
[root@main httpd]# cat tasks/main.yaml #引用所有的任务
- import_tasks: user.yaml
- import_tasks: group.yaml
- import_tasks: install.yaml
- import_tasks: start.yaml
- import_tasks: config.yaml
[root@main httpd]# cat handlers/main.yaml
- name: restart httpdservice:name: httpdstate: restarted(3)运行playbook测试
[root@main roles]# cat httpd_roles.yaml
---
- hosts: serveraroles:- role: httpd #指定httpd角色目录
[root@main roles]# ansible-playbook httpd_roles.yaml
[root@main roles]# ansible servera -m shell -a 'ss -lntup | grep 8090' #端口变量运行正常
servera | CHANGED | rc=0 >>
tcp LISTEN 0 128 [::]:8090 [::]:* users:(("httpd",pid=2749,fd=4),("httpd",pid=2748,fd=4),("httpd",pid=2747,fd=4),("httpd",pid=2746,fd=4),("httpd",pid=2745,fd=4),("httpd",pid=2744,fd=4))
[root@main roles]# ansible servera -m shell -a 'ps u 2748' #进程确实是我们指定用户
servera | CHANGED | rc=0 >>
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
sulibao 2748 0.0 0.0 250100 3572 ? S 14:09 0:00 /usr/sbin/httpd -DFOREGROUND
[root@main roles]# ansible servera -m shell -a 'echo hello > /var/www/html/index.html'
servera | CHANGED | rc=0 >>
[root@main roles]# ansible servera -m shell -a 'curl localhost:8090' #能够正常访问
servera | CHANGED | rc=0 >>
hello 三.ansible galaxy安装roles
ansible-galaxy基于在线网站的公共内容资源库,可以在内进行搜索所需roles,便于从在线网站获取role和git存储库的role。
1.在线网站
Galaxy NG (ansible.com)
时而可用时而不可用,找到role后复制命令进行下载
2.配置roles_path
[root@main roles]# cat ansible.cfg | grep role
roles_path=/root/roles/myroles3.ansible-galaxy安装role
(1)默认通过网站在线安装
[root@main playkongzhi]# ansible-galaxy install role名称(2)通过文件安装,需要是yaml格式的文件
[root@main playkongzhi]# ansible-galaxy install -r 指定文件 -p 指定安装路径4.其他管理
(1)初始化角色结构
[root@main playkongzhi]# ansible-galaxy init role名称(2)列出角色名称
[root@main playkongzhi]# ansible-galaxy list(3)删除已安装角色
[root@main playkongzhi]# ansible-galaxy remove role名称(4)搜索角色
可以通过“--author(作者)”、“--platform(平台)”、“--galaxy-tags(标签)“等选项来缩小范围
[root@main playkongzhi]# ansible-galaxy search role名称 选项四.系统角色
1.安装系统角色包
注意:
角色默认是下载到/usr/share/ansible/roles
其帮助文档位于/usr/share/doc/rhel-system-roles-1.21.2(含示例)
[root@main roles]# yum list | grep roles
rhel-system-roles.noarch 1.21.2-1.el7_9 extras
[root@main roles]# yum install -y rhel-system-roles.noarch2.更改配置文件role路径便于对系统角色进行操作
roles目录路径后再使用":"跟上下载的系统角色目录路径,再就可以查看到我们可用的角色了,若不需要就再把路径改回来即可
[root@main roles]# cat ansible.cfg | grep role
roles_path=/root/roles/myroles:/usr/share/ansible/roles
[root@main roles]# ansible-galaxy list
# /root/roles/myroles
# /usr/share/ansible/roles
- linux-system-roles.ad_integration, (unknown version)
- linux-system-roles.certificate, (unknown version)
- linux-system-roles.cockpit, (unknown version)
- linux-system-roles.crypto_policies, (unknown version)
- linux-system-roles.firewall, (unknown version)
- linux-system-roles.ha_cluster, (unknown version)
- linux-system-roles.journald, (unknown version)
- linux-system-roles.kdump, (unknown version)
- linux-system-roles.kernel_settings, (unknown version)
- linux-system-roles.logging, (unknown version)
- linux-system-roles.metrics, (unknown version)
- linux-system-roles.nbde_client, (unknown version)
- linux-system-roles.nbde_server, (unknown version)
- linux-system-roles.network, (unknown version)
- linux-system-roles.podman, (unknown version)
- linux-system-roles.postfix, (unknown version)
- linux-system-roles.rhc, (unknown version)
- linux-system-roles.selinux, (unknown version)
- linux-system-roles.ssh, (unknown version)
- linux-system-roles.sshd, (unknown version)
- linux-system-roles.storage, (unknown version)
- linux-system-roles.timesync, (unknown version)
- linux-system-roles.tlog, (unknown version)
- linux-system-roles.vpn, (unknown version)
- rhel-system-roles.ad_integration, (unknown version)
- rhel-system-roles.certificate, (unknown version)
- rhel-system-roles.cockpit, (unknown version)
- rhel-system-roles.crypto_policies, (unknown version)
- rhel-system-roles.firewall, (unknown version)
- rhel-system-roles.ha_cluster, (unknown version)
- rhel-system-roles.journald, (unknown version)
- rhel-system-roles.kdump, (unknown version)
- rhel-system-roles.kernel_settings, (unknown version)
- rhel-system-roles.logging, (unknown version)
- rhel-system-roles.metrics, (unknown version)
- rhel-system-roles.nbde_client, (unknown version)
- rhel-system-roles.nbde_server, (unknown version)
- rhel-system-roles.network, (unknown version)
- rhel-system-roles.podman, (unknown version)
- rhel-system-roles.postfix, (unknown version)
- rhel-system-roles.rhc, (unknown version)
- rhel-system-roles.selinux, (unknown version)
- rhel-system-roles.ssh, (unknown version)
- rhel-system-roles.sshd, (unknown version)
- rhel-system-roles.storage, (unknown version)
- rhel-system-roles.timesync, (unknown version)
- rhel-system-roles.tlog, (unknown version)
- rhel-system-roles.vpn, (unknown version)3.介绍rhel提供的部分系统角色
| 名称 | 描述功能 |
|---|---|
| rhel-system-roles.timesync | 配置时间同步,使用网络时间协议配置 |
| rhel-system-roles.selinux | 配置selinux的模式、文件、端口上下文、用户等 |
| rhel-system-roles.network | 配置网络接口 |
| rhel-system-roles.kdump | 配置kdump崩溃恢复服务 |
| rhel-system-roles.postfix | 配置使用postfix配置邮件传输代理 |
| rhel-system-roles.firewall | 配置防火墙 |
4.timesync和selinux示例
(1)timesync
实际上,example文件已经给出了完整的模版,按照其中的参数修改为自己需求即可
[root@main roles]# cat /usr/share/doc/rhel-system-roles-1.21.2/timesync/example-multiple-ntp-servers-playbook.yml
---
- name: Example with multiple servershosts: "{{ targets }}" #更改为自己管理的主机vars:timesync_ntp_servers:- hostname: 0.pool.ntp.org #hostname表示要同步的ntp服务器iburst: true- hostname: 1.pool.ntp.orgiburst: true- hostname: 2.pool.ntp.orgiburst: true- hostname: 3.pool.ntp.orgiburst: trueroles:- rhel-system-roles.timesync#将模板文件拷贝过来并改名
[root@main roles]# cp /usr/share/doc/rhel-system-roles-1.21.2/timesync/example-multiple-ntp-servers-playbook.yml timesync.yaml
[root@main roles]# cat timesync.yaml
---
- name: Example with multiple servershosts: servera #修改hostsvars:timesync_ntp_servers:- hostname: 0.pool.ntp.org #就使用模版提供的ntp也行iburst: true #填写布尔值,启用或禁用快速初始化同步,默认为no,一般设置yes- hostname: 1.pool.ntp.orgiburst: true- hostname: 2.pool.ntp.orgiburst: true- hostname: 3.pool.ntp.orgiburst: trueroles:- rhel-system-roles.timesync
[root@main roles]# ansible servera -m shell -a 'head /etc/chrony.conf'
#查看是否应用成功
servera | CHANGED | rc=0 >>
#
# Ansible managed
#
# system_role:timesync
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
[root@main roles]# ansible servera -m shell -a 'chronyc sources'
servera | CHANGED | rc=0 >>
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ electrode.felixc.at 2 6 37 96 +49ms[+8671us] +/- 140ms
^- ntp5.flashdance.cx 2 6 75 34 +48ms[ +48ms] +/- 149ms
^* makaki.miuku.net 3 6 77 35 -29ms[ -69ms] +/- 128ms
#测试第一次这个可用,成功
^- a.chl.la 2 6 75 35 +48ms[ +48ms] +/- 139ms(2)selinux
修改过后需要重启
[root@main roles]# cp /usr/share/doc/rhel-system-roles-1.21.2/selinux/example-selinux-playbook.yml selinux.yaml
[root@main roles]# vim selinux.yaml
[root@main roles]# cat selinux.yaml
---
- name: Manage SELinux policy examplehosts: allvars:# Use "targeted" SELinux policy typeselinux_policy: targeted# Set "enforcing" modeselinux_state: enforcing #模版默认设置的是enforcing# Switch some SELinux booleansselinux_booleans:# Set the 'samba_enable_home_dirs' boolean to 'on' in the current# session only- {name: 'samba_enable_home_dirs', state: 'on'}# Set the 'ssh_sysadm_login' boolean to 'on' permanently- {name: 'ssh_sysadm_login', state: 'on', persistent: 'yes'}# Map '/tmp/test_dir' and its subdirectories to the 'user_home_dir_t'# SELinux file typeselinux_fcontexts:- {target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd'}# Restore SELinux file contexts in '/tmp/test_dir'selinux_restore_dirs:- /tmp/test_dir# Map tcp port 22100 to the 'ssh_port_t' SELinux port typeselinux_ports:- {ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present'}# Map the 'sar-user' Linux user to the 'staff_u' SELinux userselinux_logins:- {login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023',state: 'present'}# Manage modulesselinux_modules:# Install the 'localpolicy.cil' with priority 300- {path: "localpolicy.cil", priority: "300", state: "enabled"}# Disable the 'unconfineduser' module with priority 100- {name: "unconfineduser", priority: "100", state: "disabled"}# Remove the 'temporarypolicy' module with priority 400- {name: "temporarypolicy", priority: "400", state: "absent"}
# Prepare the prerequisites required for this playbooktasks:- name: Creates directoryfile:path: /tmp/test_dirstate: directorymode: "0755"- name: Add a Linux System Roles SELinux Useruser:comment: Linux System Roles SELinux Username: sar-user- name: Execute the role and catch errorsblock:- name: Include selinux roleinclude_role:name: rhel-system-roles.selinuxrescue:# Fail if failed for a different reason than selinux_reboot_required.- name: Handle errorsfail:msg: "role failed"when: not selinux_reboot_required
- name: Restart managed hostreboot:
- name: Wait for managed host to come backwait_for_connection:delay: 10timeout: 300
- name: Reapply the roleinclude_role:name: rhel-system-roles.selinux这篇关于Ansible上通过roles简化playbook演示介绍的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
