第九周
1. Ansible 常用模块及示例
模块名称 | 功能 | 示例 |
---|---|---|
command | 在远程主机执行命令,不支持管道符、重定向符号等 | ansible 192.168.2.102 -m command -a 'date' |
shell | 在远程主机执行命令,支持管道符、重定向符号等复杂操作 | ansible 192.168.2.102 -m shell -a 'echo "Hello, Ansible!" > /tmp/hello.txt' |
copy | 将文件从控制节点复制到远程主机 | ansible 192.168.2.102 -m copy -a 'src=/path/to/local/file dest=/path/to/remote/file' |
file | 管理文件属性、创建软链接等 | ansible dbservers -m file -a 'owner=test01 group=mysql mode=644 path=/opt/fstab.bak' |
cron | 定义crontab任务计划 | ansible dbservers -m cron -a 'minute=30 hour="8,20" weekday="1-5" job="/usr/bin/cp -f /var/log/message /opt" name="backup1"' |
yum | 管理yum软件包 | ansible 192.168.2.102 -m yum -a 'name=httpd state=present' |
service | 管理服务 | ansible 192.168.2.102 -m service -a 'name=httpd state=started' |
user | 管理用户 | ansible 192.168.2.102 -m user -a 'name=testuser state=present' |
group | 管理用户组 | ansible 192.168.2.102 -m group -a 'name=testgroup state=present' |
2. Nginx 安装 playbook
[root@fan:~/project]#cat install-nginx.yaml
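---
# Installs nginx on every host in the inventory, either from the distro
# package manager or from source. The path is selected by
# nginx_install_method ("package" or "source"); override it with
# `-e nginx_install_method=source` (extra vars take precedence over play vars).
- hosts: all
  vars:
    # A play var that references itself ("{{ nginx_install_method | default(...) }}")
    # is rejected by the templater as a recursive loop whenever nothing overrides
    # it. A plain default keeps the same `-e` override behaviour.
    nginx_install_method: package
    nginx_version: "1.22.0"  # nginx release built when installing from source
    # HTTPS so the tarball cannot be swapped in transit; combine with
    # nginx_source_checksum for an integrity check of the download.
    nginx_source_url: "https://nginx.org/download/nginx-{{ nginx_version }}.tar.gz"
    # Optional get_url checksum in "<algorithm>:<hex>" form (e.g. "sha256:…").
    # Left empty, the download is not verified.
    nginx_source_checksum: ""
    nginx_install_dir: "/apps/nginx"  # --prefix of the source build
    nginx_user: "nginx"               # worker process user
    nginx_group: "nginx"              # worker process group
    nginx_conf_path: "{{ nginx_install_dir }}/conf/nginx.conf"
    nginx_build_dir: "/root/nginx-{{ nginx_version }}"  # unpacked source tree

  tasks:
    # NOTE: this only switches SELinux to permissive until the next reboot and
    # removes MAC confinement for every process on the host, not just nginx.
    - name: Disable SELinux temporarily
      command: setenforce 0
      when: ansible_os_family == "RedHat"

    # --- package install -----------------------------------------------------
    # The package modules are idempotent; nginx is restarted by the handler
    # only when the package actually changed, instead of on every run.
    - name: apt update and install nginx
      apt:
        name: nginx
        state: present
        update_cache: true
      notify: restart nginx
      when: nginx_install_method == "package" and ansible_os_family == "Debian"

    - name: yum install nginx
      yum:
        name: nginx
        state: present
      notify: restart nginx
      when: nginx_install_method == "package" and ansible_os_family == "RedHat"

    # --- source install ------------------------------------------------------
    - name: Install dependencies for Debian
      apt:
        name:
          - build-essential
          - libpcre3
          - libpcre3-dev
          - openssl
          - libssl-dev
          - zlib1g-dev
        state: present
        update_cache: true
      when: ansible_os_family == "Debian" and nginx_install_method == "source"

    - name: Install dependencies for RedHat
      yum:
        name:
          - gcc
          - pcre
          - pcre-devel
          - openssl
          - openssl-devel
          - zlib
          - zlib-devel
          - make
        state: present
      when: ansible_os_family == "RedHat" and nginx_install_method == "source"

    - name: Create nginx group
      group:
        name: "{{ nginx_group }}"
        system: true
      when: nginx_install_method == "source"

    - name: Create nginx user
      user:
        name: "{{ nginx_user }}"
        group: "{{ nginx_group }}"
        system: true
      when: nginx_install_method == "source"

    - name: Create nginx installation and run directories
      file:
        path: "{{ item }}"
        state: directory
        owner: "{{ nginx_user }}"
        group: "{{ nginx_group }}"
        mode: '0755'
      loop:
        - "{{ nginx_install_dir }}"
        - "{{ nginx_install_dir }}/run"
      when: nginx_install_method == "source"

    - name: Create nginx.pid file
      file:
        path: "{{ nginx_install_dir }}/run/nginx.pid"
        state: touch
        owner: "{{ nginx_user }}"
        group: "{{ nginx_group }}"
        mode: '0644'
      when: nginx_install_method == "source"

    - name: Download Nginx source code
      get_url:
        url: "{{ nginx_source_url }}"
        dest: "/root/nginx-{{ nginx_version }}.tar.gz"
        # default(omit, true) drops the parameter when the checksum var is empty
        checksum: "{{ nginx_source_checksum | default(omit, true) }}"
      when: nginx_install_method == "source"

    - name: Extract Nginx source code
      unarchive:
        src: "/root/nginx-{{ nginx_version }}.tar.gz"
        dest: /root/
        remote_src: true   # the archive already sits on the target host
        creates: "{{ nginx_build_dir }}"
      when: nginx_install_method == "source"

    - name: Compile and install Nginx
      shell: |
        cd {{ nginx_build_dir }} && ./configure \
          --prefix={{ nginx_install_dir }} \
          --user={{ nginx_user }} \
          --group={{ nginx_group }} \
          --with-http_ssl_module \
          --with-http_v2_module \
          --with-http_realip_module \
          --with-http_stub_status_module \
          --with-http_gzip_static_module \
          --with-pcre \
          --with-stream \
          --with-stream_ssl_module \
          --with-stream_realip_module && make && make install
      args:
        # skip the rebuild once the binary exists, so re-runs stay idempotent
        creates: "{{ nginx_install_dir }}/sbin/nginx"
      when: nginx_install_method == "source"

    # Matches both an active `pid ...;` line and a commented `#pid ...;` line.
    - name: Modify nginx.conf to set pid file path
      replace:
        path: "{{ nginx_conf_path }}"
        regexp: '^#?pid\s+.*;'
        replace: 'pid {{ nginx_install_dir }}/run/nginx.pid;'
      when: nginx_install_method == "source"

    # Only for the source build: the template points ExecStart at
    # {{ nginx_install_dir }}/sbin/nginx, which does not exist for a package
    # install, so writing it there would override the distro unit with a broken one.
    - name: Create nginx.service file
      template:
        src: nginx.service.j2
        dest: /etc/systemd/system/nginx.service
      notify: reload systemd
      when: nginx_install_method == "source"

    # Handlers normally run at the end of the play; flush them here so the
    # daemon-reload happens before the new unit is started below.
    - name: Flush handlers so systemd sees the new unit
      meta: flush_handlers

    - name: Enable and start nginx service
      systemd:
        name: nginx
        enabled: true
        state: started

  handlers:
    - name: reload systemd
      systemd:
        daemon_reload: true

    - name: restart nginx
      service:
        name: nginx
        state: restarted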
[root@fan:~/project]#tree
.
├── install-nginx.yaml
└── templates
└── nginx.service.j2
2 directories, 2 files
[root@fan:~/project]#cat templates/nginx.service.j2
[Unit]
# systemd unit for the source-built nginx; {{ nginx_install_dir }} is filled in
# by the playbook that renders this template.
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
# forking: the started process daemonizes, so systemd tracks the master via PIDFile.
Type=forking
# Must agree with the `pid` directive the playbook writes into nginx.conf.
PIDFile={{ nginx_install_dir }}/run/nginx.pid
ExecStart={{ nginx_install_dir }}/sbin/nginx -c {{ nginx_install_dir }}/conf/nginx.conf
# Reload and stop are signals sent to the master process ($MAINPID).
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
# Raises the open-file limit for the service above the default.
LimitNOFILE=100000
[Install]
WantedBy=multi-user.target
3. 初始化主机 playbook
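---
# Baseline setup for a freshly provisioned host. system_type selects the
# distro family ("rocky" or "ubuntu"); override with `-e system_type=ubuntu`.
- hosts: all
  vars:
    # A self-referencing play var ("{{ system_type | default('rocky') }}") is
    # rejected as a recursive template loop when nothing overrides it; a plain
    # default keeps the same `-e` override behaviour.
    system_type: rocky

  tasks:
    - name: Initialize hostname
      hostname:
        name: "{{ inventory_hostname }}"

    - name: Replace yum source
      yum_repository:
        name: base
        description: Base repository
        baseurl: http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
        # Package signatures are not verified while gpgcheck is off; set it to
        # true and add `gpgkey:` for the mirror once the key location is known.
        gpgcheck: false
      when: system_type == "rocky"

    - name: Replace apt source
      apt_repository:
        # ansible_distribution_release is always gathered; ansible_lsb.codename
        # is only present when the lsb-release package is installed on the target.
        repo: 'deb http://mirrors.aliyun.com/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse'
      when: system_type == "ubuntu"

    # The generic package module replaces the yum/apt task pair.
    - name: Install time sync server
      package:
        name: ntp
        state: present

    - name: Configure NTP
      lineinfile:
        path: /etc/ntp.conf
        regexp: '^server'
        line: 'server 0.centos.pool.ntp.org'
      when: system_type == "rocky"

    - name: Configure NTP
      lineinfile:
        path: /etc/ntp.conf
        regexp: '^server'
        line: 'server ntp.ubuntu.com'
      when: system_type == "ubuntu"

    # The ntp package installs the service as ntpd on the RedHat family and as
    # ntp on Ubuntu. NOTE(review): recent Rocky releases ship chrony instead of
    # ntp — confirm the package exists there.
    - name: Start NTP service
      service:
        name: "{{ 'ntpd' if system_type == 'rocky' else 'ntp' }}"
        state: started
        enabled: true

    # Leaves every port reachable; keep only where an external firewall exists.
    - name: Disable firewall
      firewalld:
        state: stopped
        enabled: false
      when: system_type == "rocky"

    - name: Install basic software
      package:
        name: vim
        state: present

    - name: Set timezone
      timezone:
        name: Asia/Shanghai

    # Ubuntu has no wheel group; its administrative group is sudo, so the
    # original `groups: wheel` failed there.
    - name: Create mage user
      user:
        name: mage
        state: present
        groups: "{{ 'wheel' if system_type == 'rocky' else 'sudo' }}"
        append: true

    # Passwordless root for mage; validate keeps a syntax error from locking
    # everyone out of sudo.
    - name: Set sudo permission for mage
      lineinfile:
        path: /etc/sudoers
        line: 'mage ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    # Turns off mandatory access control host-wide; takes effect after a reboot.
    - name: Disable SELinux
      selinux:
        policy: targeted
        state: disabled
      when: system_type == "rocky"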
4. OpenVPN 部署安装过程
- 安装 OpenVPN
  - 在 CentOS 上:
    yum install -y epel-release
    yum install -y openvpn
  - 在 Ubuntu 上:
    apt update
    apt install -y openvpn
- 配置 OpenVPN
  - 生成密钥和证书:
    - 安装 Easy-RSA:
      yum install -y easy-rsa
    - 初始化 PKI 目录:
      make-cadir ~/openvpn-ca
      cd ~/openvpn-ca
      ./easyrsa init-pki
    - 生成 CA 证书:
      ./easyrsa build-ca
    - 生成服务器密钥:
      ./easyrsa gen-req server nopass
      ./easyrsa sign-req server server
    - 生成客户端密钥:
      ./easyrsa gen-req client1 nopass
      ./easyrsa sign-req client client1
    - 生成 Diffie-Hellman 参数:
      ./easyrsa gen-dh
- 配置 OpenVPN 服务器
  - 编辑服务器配置文件 /etc/openvpn/server.conf,设置监听端口、协议、加密方式等参数。
- 启动 OpenVPN 服务
  - 在 CentOS 上:
    systemctl start openvpn@server
    systemctl enable openvpn@server
  - 在 Ubuntu 上:
    systemctl start openvpn-server@server
    systemctl enable openvpn-server@server
- 客户端配置
- 将生成的客户端密钥和证书文件拷贝到客户端。
- 编辑客户端配置文件,指定服务器地址、端口、密钥文件等信息。
- 连接 VPN
- 在客户端运行 OpenVPN 客户端软件,加载配置文件并连接到服务器。
5. OpenVPN 基本使用
- 连接 VPN:在客户端运行 OpenVPN 客户端软件,加载配置文件并连接到服务器。
- 断开 VPN:在客户端停止 OpenVPN 客户端软件。
- 查看连接状态:在服务器上可以使用 `openvpn --status` 命令查看连接状态。