使用roles一键优化企业架构
环境
| 外网IP | 内网IP | 主机名 |
| --- | --- | --- |
| 10.0.0.5 | 172.16.1.5 | lb01 (负载均衡) |
| 10.0.0.6 | 172.16.1.6 | lb02 |
| 10.0.0.7 | 172.16.1.7 | web01 (服务器) |
| 10.0.0.8 | 172.16.1.8 | web02 |
| 10.0.0.9 | 172.16.1.9 | web03 |
| 10.0.0.31 | 172.16.1.31 | nfs (共享存储) |
| 10.0.0.41 | 172.16.1.41 | backup |
| 10.0.0.51 | 172.16.1.51 | db01 (数据库) |
| 10.0.0.52 | 172.16.1.52 | db02 |
| 10.0.0.53 | 172.16.1.53 | db03 (代理机) |
| 10.0.0.54 | 172.16.1.54 | db04 (代理机) |
| 10.0.0.61 | 172.16.1.61 | m01 (跳板机) |
| 10.0.0.71 | 172.16.1.71 | zabbix |
流程分析
1.安装ansible
2.优化ansible
3.推送公钥
4.开启防火墙
5.开启80 443 873 nfs等端口和服务白名单
6.关闭selinux
7.创建统一的用户
推送公钥脚本
#推送完成后,跳板机可以直接通过172.16.1.网段连接;10.0.0.网段第一次连接时只需输入yes
#使用该脚本可以向新克隆的虚拟机推送该公钥
vim /root/jb.sh
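#!/bin/bash
# Push this host's SSH public key to every lab node, on both the 172.16.1.x
# and the 10.0.0.x address, generating /root/.ssh/id_rsa first if it is missing.
#
# Password: taken from $SSHPASS when set, otherwise the lab default '1'. It is
# handed to sshpass through the environment (-e) instead of on the command
# line, so it does not show up in `ps` output.
set -u

# Default root password of freshly cloned lab VMs; override with SSHPASS=... /root/jb.sh
pass=${SSHPASS:-1}
ip='172.16.1.'
ip2='10.0.0.'
key=/root/.ssh/id_rsa

command -v sshpass >/dev/null || { printf 'sshpass is not installed\n' >&2; exit 1; }

# ssh-keygen -f does not create the parent directory itself.
mkdir -p -m 700 /root/.ssh
# Passphrase-less key: ansible uses it non-interactively.
[ -f "$key" ] || ssh-keygen -t rsa -P "" -f "$key"

export SSHPASS="$pass"
# StrictHostKeyChecking=no accepts whatever host key a node presents on first
# contact. Fine for freshly cloned VMs on the isolated lab network, but it
# also means a wrong or spoofed host would be trusted silently.
for i in 5 6 7 8 9 31 41 51 52 53 54 61 71 81; do
  for host in "${ip}${i}" "${ip2}${i}"; do
    # Best effort: a node that is down should not stop the rest of the loop.
    sshpass -e ssh-copy-id -i "${key}.pub" -o StrictHostKeyChecking=no "root@${host}" \
      || printf 'warn: failed to push key to %s\n' "$host" >&2
  done
done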
chmod 600 /root/jb.sh
1.安装ansible
[root@m01 ~]# yum install -y ansible
2.优化ansible
[root@m01 ~]# vim /etc/ansible/ansible.cfg #改为
# Lab setting: ansible skips SSH host-key (known_hosts) verification, so the
# first connection to a freshly cloned VM needs no interactive "yes". The flip
# side is that a changed or spoofed host key goes unnoticed, so this belongs
# on the isolated internal network only.
host_key_checking = False
3.创建密钥对
[root@m01 ~]# ssh-keygen
4.推送公钥
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.5
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.6
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.7
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.8
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.9
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.31
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.41
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.51
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.52
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.53
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.54
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.61
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.71
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.81
#或者使用脚本推送公钥
sh jb.sh
5.编辑主机清单
[root@m01 ~]# vim /etc/ansible/hosts
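# Ansible inventory (/etc/ansible/hosts): every node is reached over the
# 172.16.1.0/24 internal network as root on port 22.
# Uses the current variable names ansible_host / ansible_user / ansible_port
# (the older ansible_ssh_* spellings still work). The original "asible_ssh_user"
# was a typo: an unknown inventory variable is silently kept as a plain host
# var, so the login user was in effect just the user running ansible.
[web_group]
web01 ansible_host=172.16.1.7 ansible_user=root ansible_port=22
web02 ansible_host=172.16.1.8 ansible_user=root ansible_port=22
web03 ansible_host=172.16.1.9 ansible_user=root ansible_port=22

[db_group]
db01 ansible_host=172.16.1.51 ansible_user=root ansible_port=22
db02 ansible_host=172.16.1.52 ansible_user=root ansible_port=22
db03 ansible_host=172.16.1.53 ansible_user=root ansible_port=22
db04 ansible_host=172.16.1.54 ansible_user=root ansible_port=22

[nfs_group]
nfs ansible_host=172.16.1.31 ansible_user=root ansible_port=22

[redis_group]
redis ansible_host=172.16.1.81 ansible_user=root ansible_port=22

[lb_group]
lb01 ansible_host=172.16.1.5 ansible_user=root ansible_port=22
lb02 ansible_host=172.16.1.6 ansible_user=root ansible_port=22

[backup_group]
backup ansible_host=172.16.1.41 ansible_user=root ansible_port=22

[zabbix_group]
zabbix ansible_host=172.16.1.71 ansible_user=root ansible_port=22

[m01_group]
m01 ansible_host=172.16.1.61 ansible_user=root ansible_port=22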
6.测试(检测)
[root@m01 ~]# ansible '*' -m ping
ansible优化
1.下载
[root@m01 ~]# yum install -y ansible
2.优化
[root@m01 ~]# vim /etc/ansible/ansible.cfg #改为
# Lab setting: ansible skips SSH host-key (known_hosts) verification, so the
# first connection to a freshly cloned VM needs no interactive "yes". The flip
# side is that a changed or spoofed host key goes unnoticed, so this belongs
# on the isolated internal network only.
host_key_checking = False
使用ansible-galaxy创建角色目录
[root@m01 ansible]# ansible-galaxy init base
阿里云仓库
[root@m01 base]# cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/epel.repo /etc/ansible/roles/base/files/
编辑tasks目录
#1.打开防火墙
[root@m01 base]# vim tasks/firewalld.yml
# Make sure firewalld is running now and comes back after a reboot; the port
# whitelist in port.yml is applied through it.
- name: start firewalld
  service:
    name: firewalld
    enabled: true
    state: started
#2.打开常用端口
[root@m01 base]# vim tasks/port.yml
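# Whitelist the TCP ports listed in vars/main.yml (`port`) plus the nfs service.
# loop takes the list itself: the original `loop: - "{{ port }}"` handed the
# whole list over as ONE item, which is not a valid port spec for the module.
# permanent + immediate: the rule is stored in the permanent firewalld config
# (survives reload/reboot — `permanent: no` was runtime-only and vanished on
# the next reboot) and is also applied to the running firewall right away.
- name: Open Port
  firewalld:
    port: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ port }}"

- name: Open nfs
  firewalld:
    service: nfs
    state: enabled
    permanent: true
    immediate: true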
#3.关闭selinux
[root@m01 base]# vim tasks/selinux.yml
# Set SELinux to disabled in the target's SELinux config.
# NOTE(review): the change typically takes full effect only after a reboot,
# and the module needs the SELinux python bindings on the target — confirm
# both if a run stops here.
- name: stop selinux
  selinux:
    state: disabled
#4.创建"www"用户
[root@m01 base]# vim tasks/user_group.yml
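# Create the shared service account (ww_w) with a fixed uid/gid (uid_gid);
# the role runs on every host, so the id is the same everywhere.
# The check task uses `command` (no shell features are needed) and is marked
# changed_when/failed_when false, so a missing account shows neither "changed"
# nor "failed (ignoring)" in the play output; its rc still drives `when` below.
- name: panduan "{{ ww_w }}"
  command: 'id {{ ww_w }}'
  register: id_www
  changed_when: false
  failed_when: false

- name: Create {{ ww_w }} Group
  group:
    name: "{{ ww_w }}"
    gid: "{{ uid_gid }}"
    state: present
  when: id_www.rc != 0

# No login shell and no home directory: the account only owns files/processes.
- name: Create {{ ww_w }} User
  user:
    name: "{{ ww_w }}"
    uid: "{{ uid_gid }}"
    group: "{{ ww_w }}"
    shell: /sbin/nologin
    create_home: false
  when: id_www.rc != 0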
#换源
[root@m01 base]# vim tasks/base_epel.yml
# Replace the target's CentOS-Base and EPEL repo files with the copies stored
# in the role's files/ directory (taken from m01's /etc/yum.repos.d).
- name: Push YUM Repo File
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: 'CentOS-Base.repo', dest: '/etc/yum.repos.d' }
    - { src: 'epel.repo', dest: '/etc/yum.repos.d' }
#安装基础包
[root@m01 base]# vim tasks/packages.yml
# Install the tool set listed in vars/main.yml (`packages`).
# state: present is the module default, spelled out here for readability.
- name: Install Base Packages
  yum:
    name: "{{ packages }}"
    state: present
#优化文件描述符
[root@m01 base]# vim tasks/limit.yml
# Raise the open-files limit (nofile) for every user to 65535; pam_limits
# writes to /etc/security/limits.conf unless `dest` is given.
# limit_type '-' produces one line that covers both the soft and the hard limit.
- name: Modify File Miao Shu Fu
  pam_limits:
    domain: '*'
    limit_item: nofile
    limit_type: '-'
    value: '65535'
#5.编辑main.yml
[root@m01 base]# vim tasks/main.yml
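# Entry point of the base role; the task files run in this order.
# import_tasks replaces the bare `include`, which has been deprecated since
# Ansible 2.4 (the `loop` keyword used in port.yml already needs 2.5+).
- import_tasks: firewalld.yml
- import_tasks: port.yml
- import_tasks: selinux.yml
- import_tasks: user_group.yml
- import_tasks: base_epel.yml
- import_tasks: limit.yml
- import_tasks: packages.yml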
#6.编辑变量文件
[root@m01 base]# vim vars/main.yml
# Variables of the base role (vars/main.yml).
# uid_gid / ww_w: fixed id and name of the shared service account created by
# tasks/user_group.yml. The `port` list read by tasks/port.yml is shown in the
# vars fragment further down the page; it has to live in this same file.
uid_gid: 666
ww_w: www
# packages installed by the base optimization (tasks/packages.yml), on every
# host since site.yml targets all. telnet / nmap / nc are network-diagnostic
# tools; keep them only on the host classes that actually need them.
packages:
- net-tools
- vim
- tree
- htop
- iftop
- gcc
- gcc-c++
- glibc
- iotop
- lrzsz
- sl
- wget
- unzip
- telnet
- nmap
- nc
- psmisc
- dos2unix
- bash-completion
- sysstat
- rsync
- nfs-utils
- httpd-tools
编辑vars目录
# vars/main.yml (continued): TCP ports whitelisted by tasks/port.yml.
# site.yml applies the role to all hosts, so every port below is opened on
# every host, including ports for services a given host does not run
# (e.g. 3306 on a web node). Trim the list per group for a tighter whitelist.
port:
- "22/tcp"
# 23/tcp is the telnet port; nothing in this role starts a telnet server.
- "23/tcp"
- "80/tcp"
- "443/tcp"
- "873/tcp"
- "3306/tcp"
- "9000/tcp"
- "6379/tcp"
- "8080/tcp"
- "10050/tcp"
# Same values as in the first vars fragment; one definition is enough.
ww_w: www
uid_gid: 666
编辑入口文件
[root@m01 roles]# vim site.yml
# Playbook entry point: run the base role on every host in the inventory.
- hosts: all
  roles:
    - base
执行
[root@m01 roles]# ansible-playbook site.yml
#查看文件描述符
1:查看现在的文件描述符大小和用户最大进程数
查看全部
# ulimit -a
查看文件描述符大小,即最大打开的文件数
# ulimit -n
查看用户最大进程数大小
# ulimit -u
文件描述符大小和用户最大进程数修改,编辑配置文件
# vi /etc/security/limits.conf
# "*" matches every user except root, which has to be listed by name to get
# these limits. "-" sets soft and hard together, so the first line already
# covers nofile; the two nofile lines below restate it (the pam_limits task
# in limit.yml writes exactly the "-" form).
* - nofile 65535
* soft nproc 65535
* hard nproc 65535
# NOTE(review): on systems that ship /etc/security/limits.d/*-nproc.conf that
# file may override the nproc values above — check after applying.
* soft nofile 65535
* hard nofile 65535
soft nproc: 单个用户可用的最大进程数量(软限制)
hard nproc:单个用户可用的最大进程数量(硬限制)
soft nofile: 可打开的文件描述符的最大数(软限制)
hard nofile:可打开的文件描述符的最大数(硬限制)
* :代表所有用户,也可以写成你需要修改的用户名