Splitting Ansible playbooks into roles
Installing the httpd service with Ansible roles
1. Initialize the role
[root@192 roles]# pwd
/etc/ansible/roles
[root@192 roles]# ansible-galaxy init httpd
2. Prepare the variables
[root@192 vars]# pwd
/etc/ansible/roles/httpd/vars
[root@192 vars]# cat main.yml
PORT: 8080
USERNAME: www
GROUPNAME: www
3. Copy the httpd.conf file into templates
Note: files under templates must be .j2 files
[root@192 templates]# cp -a /etc/httpd/conf/httpd.conf ./httpd.conf.j2
4. Edit the httpd.conf template (referencing the variables prepared in step 2)
Note: the case of each name must match the variables defined above
[root@192 templates]# cat httpd.conf.j2
......
Listen {{ PORT }}
.....
User {{ USERNAME }}
Group {{ GROUPNAME }}
5. Write each module as its own task file
[root@192 tasks]# pwd
/etc/ansible/roles/httpd/tasks
[root@192 tasks]# cat user.yaml
- name: create user
  user: name=www uid=60 system=yes shell=/sbin/nologin
[root@192 tasks]# cat group.yaml
- name: create group
  group: name=www gid=60 system=yes
[root@192 tasks]# cat install_httpd.yaml
- name: install httpd
  yum: name=httpd state=installed
[root@192 tasks]# cat config.yaml
- name: copy config file
  template: src="httpd.conf.j2" dest="/etc/httpd/conf/httpd.conf"
  notify: start httpd
[root@192 tasks]# cat ../handlers/main.yml
- name: start httpd
  service: name=httpd state=started
6. Chain the split files together
Note: the order matters (the group must exist before the user, httpd must be installed before its config is written)
[root@192 tasks]# cat main.yaml
- include: group.yaml
- include: user.yaml
- include: install_httpd.yaml
- include: config.yaml
[root@192 roles]# cat httpd_roles.yaml
---
- hosts: web
  remote_user: root
  roles:
    - role: httpd
7. Run ansible-playbook
[root@192 roles]# ansible-playbook httpd_roles.yaml
8. Verify on the managed host
[root@192 ~]# netstat -anput | grep 80
tcp6 0 0 :::8080 :::* LISTEN 4956/httpd
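The role above depends on three things staying in agreement: the variable names in vars/main.yml, the placeholders in httpd.conf.j2 (same case, as step 4 warns), and the account names hard-coded in user.yaml and group.yaml. The following script is an added example, not part of the original notes; it renders the template with a minimal stand-in for Jinja2 (plain `{{ NAME }}` substitution only, failing on undefined names the way Ansible does), parses the rendered directives, and reports any mismatch before the playbook is run. The template fragment and the variable dict are constructed samples mirroring steps 2 and 4; `check_role`, `render` and `parse_directives` are names chosen here.

```python
"""Offline consistency check for the httpd role (added example)."""
import re

# Constructed sample: the relevant lines of templates/httpd.conf.j2
HTTPD_CONF_J2 = """\
# constructed fragment of httpd.conf.j2
Listen {{ PORT }}
User {{ USERNAME }}
Group {{ GROUPNAME }}
"""

# Constructed sample: vars/main.yml loaded as a dict
ROLE_VARS = {"PORT": 8080, "USERNAME": "www", "GROUPNAME": "www"}

# Matches {{ NAME }} with optional inner whitespace (assumption: no filters/loops)
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, variables):
    """Substitute placeholders; an undefined (or wrongly cased) name raises,
    which is how Ansible's template module behaves by default."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable in template: {name}")
        return str(variables[name])
    return PLACEHOLDER.sub(repl, template)


def parse_directives(conf):
    """Return {directive: [values]} for simple 'Name value' httpd lines."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip())
    return directives


def check_role(template, variables, task_user, task_group):
    """Render, parse and compare; an empty list means everything agrees."""
    findings = []
    directives = parse_directives(render(template, variables))
    if str(variables["PORT"]) not in directives.get("Listen", []):
        findings.append("Listen does not use PORT")
    if directives.get("User") != [variables["USERNAME"]]:
        findings.append("User directive does not match USERNAME")
    if directives.get("Group") != [variables["GROUPNAME"]]:
        findings.append("Group directive does not match GROUPNAME")
    # user.yaml / group.yaml hard-code the account name; it must still match
    # the name httpd will be told to run as, or the service fails to start
    if task_user != variables["USERNAME"]:
        findings.append(f"user task creates {task_user!r}, template expects {variables['USERNAME']!r}")
    if task_group != variables["GROUPNAME"]:
        findings.append(f"group task creates {task_group!r}, template expects {variables['GROUPNAME']!r}")
    return findings


if __name__ == "__main__":
    # "www" / "www" are the names used in tasks/user.yaml and tasks/group.yaml
    print(check_role(HTTPD_CONF_J2, ROLE_VARS, "www", "www"))
```

Running it with the values from the notes prints an empty list; changing the user task to another account name, or writing `{{ port }}` in the template, is caught before the role touches a host.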
Ansible optimization
Ansible - explanation of the main configuration parameters
[defaults]  general default settings section;
inventory = /etc/ansible/hosts  list of managed host IPs or DNS names;
library = /usr/share/my_modules/  default location where Ansible searches for modules;
remote_tmp = $HOME/.ansible/tmp  temporary directory Ansible uses for remote execution;
pattern = *  communicate with all hosts;
forks = 5  number of parallel processes;
poll_interval = 15  polling frequency / polling interval;
sudo_user = root  user name for remote sudo execution;
ask_sudo_pass = True  whether to prompt for a password when using sudo;
ask_pass = True  whether to prompt for a login password;
transport = smart  communication mechanism;
remote_port = 22  remote SSH port;
module_lang = C  language used for communication between modules and the system;
gathering = implicit  controls default facts gathering (remote system variables);
roles_path = /etc/ansible/roles  where playbooks search for Ansible roles;
host_key_checking = False  check remote host keys;
#sudo_exe = sudo  sudo command used for remote execution;
#sudo_flags = -H  extra flags passed to sudo;
timeout = 10  SSH timeout;
remote_user = root  remote login user name;
log_path = /var/log/ansible.log  log file path;
module_name = command  default module for ad-hoc ansible commands;
#executable = /bin/sh  shell environment used for execution, for the shell module;
#hash_behaviour = replace  how same-named variables of different priority are combined (replace = override);
#jinja2_extensions  allows enabling Jinja2 extension modules;
#private_key_file = /path/to/file  location of the private key file;
#display_skipped_hosts = True  display the status of any skipped tasks;
#system_warnings = True  warnings about potential problems on the system running Ansible;
#deprecation_warnings = True  "deprecated" warnings in playbook output;
#command_warnings = False  warnings Ansible emits by default for the command module;
#nocolor = 1  colored output, on/off: 0/1;
pipelining = False  enable the pipelining SSH channel optimization;
[accelerate]  accelerate mode (cached connection acceleration).
accelerate_port = 5099
accelerate_timeout = 30
accelerate_connect_timeout = 5.0
accelerate_daemon_timeout = 30
accelerate_multi_key = yes
1. Disable host key checking: host_key_checking = False
In the /etc/ssh/ssh_config file,
the level of ssh's checking of host public keys is set by:
no = do not check, yes = check every time, ask = prompt, false = checking disabled
2. OpenSSH connection optimization
With UseDNS enabled, the server performs a reverse DNS PTR lookup on the client's IP (IP to hostname) to obtain the client hostname, then performs a forward DNS A lookup on that hostname to verify that the IP matches.
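The table above and item 1 list settings that trade safety for speed or convenience: `host_key_checking = False` is the Ansible-side equivalent of the ssh_config level "no" just described, so a changed host key on a managed host is no longer noticed; `ask_pass = True` means typed passwords rather than `private_key_file`; `remote_user = root` runs every task as root; `pipelining = False` costs an extra SSH connection per task. The script below is an added example, not part of the original notes or of Ansible itself. It reads an ansible.cfg with the standard library's configparser and returns the findings a reviewer would raise; the sample config is constructed from the keys in the table, and `parse_cfg`, `is_false` and `audit` are names chosen here.

```python
"""Audit security-relevant [defaults] keys in ansible.cfg (added example)."""
import configparser

# Constructed sample ansible.cfg using keys from the table above
SAMPLE_CFG = """\
[defaults]
inventory = /etc/ansible/hosts
remote_tmp = $HOME/.ansible/tmp
forks = 5
remote_user = root
host_key_checking = False
ask_pass = True
private_key_file = /path/to/file
log_path = /var/log/ansible.log
pipelining = False
"""


def parse_cfg(text):
    """Return the [defaults] section as a dict (empty if absent).
    interpolation=None keeps values such as $HOME/.ansible/tmp literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["defaults"]) if parser.has_section("defaults") else {}


def is_false(value):
    """Ansible accepts several spellings of a boolean false."""
    return value.strip().lower() in ("false", "no", "0", "off")


def audit(defaults):
    """Return (key, message) findings for the settings discussed in the notes."""
    findings = []
    if is_false(defaults.get("host_key_checking", "True")):
        findings.append(("host_key_checking",
                         "host key verification disabled: a changed or spoofed host key is "
                         "accepted silently; keep it True and pre-populate known_hosts instead"))
    if defaults.get("remote_user") == "root":
        findings.append(("remote_user",
                         "tasks log in directly as root; use an unprivileged user plus become"))
    if not is_false(defaults.get("ask_pass", "False")):
        findings.append(("ask_pass",
                         "login password is prompted; SSH keys via private_key_file avoid typed passwords"))
    if is_false(defaults.get("pipelining", "False")):
        findings.append(("pipelining",
                         "pipelining off: one extra SSH connection per task; enable it once "
                         "'requiretty' is absent from sudoers on the managed hosts"))
    return findings


if __name__ == "__main__":
    for key, message in audit(parse_cfg(SAMPLE_CFG)):
        print(f"{key}: {message}")
```

The findings are ordered by how much they matter: a silently accepted host key undermines the authentication of every later task, whereas pipelining is purely a performance note. Point `parse_cfg` at the contents of a real /etc/ansible/cfg or project ansible.cfg to run it against an actual control host.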
[root@192 ~]# cat /etc/ssh/sshd_config
.....
UseDNS no
3. Disable facts gathering
Add the following line to the YAML file: