base

使用roles一键优化企业架构

环境

外网IP	内网IP	主机名
10.0.0.5	172.16.1.5	lb01 （负载均衡）
10.0.0.6	172.16.1.6	lb02
10.0.0.7	172.16.1.7	web01(服务器)
10.0.0.8	172.16.1.8	web02
10.0.0.9	172.16.1.9	web03
10.0.0.31	172.16.1.31	nfs （共享存储）
10.0.0.41	172.16.1.41	backup
10.0.0.51	172.16.1.51	db01 （数据库）
10.0.0.52	172.16.1.52	db02
10.0.0.53	172.16.1.53	db03（代理机）
10.0.0.54	172.16.1.54	db04（代理机）
10.0.0.61	172.16.1.61	m01 （跳板机）
10.0.0.71	172.16.1.71	zabbix

流程分析

1.安装ansible
2.优化ansible
3.推送公钥
4.开启防火墙
5.开启80 443 873 nfs等端口和服务白名单
6.关闭selinux
7.创建同一的用户

推送公钥脚本

#推送过后，使用172.16.1.网段， 跳板机可以直接连接，10.0.0.网段第一次的连接只需要输入yes
#使用该脚本可以向新克隆的虚拟机推送该公钥

vim /root/jb.sh	    
#!/bin/bash 
pass='1'
        ip='172.16.1.'
        ip2='10.0.0.'
	    [ -f /root/.ssh/id_rsa ] || \
        ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa

        for i in  5 6 7 8 9 31 41 51 52 53 54 61 71 81;
        do
        sshpass -p $pass ssh-copy-id -i /root/.ssh/id_rsa.pub -o stricthostkeychecking=no root@${ip}${i}
        
        sshpass -p $pass ssh-copy-id -i /root/.ssh/id_rsa.pub -o stricthostkeychecking=no root@${ip2}${i}
        
        done
	    chmod 600 /root/jb.sh

1.安装absible
[root@m01 ~]# yum install -y ansible
2.优化ansible
[root@m01 ~]#  vim /etc/ansible/ansible.cfg		#改为
host_key_checking = False
3.创建密钥对
[root@m01 ~]# ssh-keygen
4.推送公钥
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.5
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.6
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.7
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.8
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.9
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.31
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.41
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.51
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.52
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.53
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.54
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.61
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.71
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.81

#或者使用脚本推送公钥
sh jb.sh

5.编辑主机清单
[root@m01 ~]# vim /etc/ansible/hosts
[web_group]
web01 ansible_ssh_host=172.16.1.7 asible_ssh_user=root ansible_ssh_port=22
web02 ansible_ssh_host=172.16.1.8 asible_ssh_user=root ansible_ssh_port=22
web03 ansible_ssh_host=172.16.1.9 asible_ssh_user=root ansible_ssh_port=22

[db_group]
db01 ansible_ssh_host=172.16.1.51 asible_ssh_user=root ansible_ssh_port=22
db02 ansible_ssh_host=172.16.1.52 asible_ssh_user=root ansible_ssh_port=22
db03 ansible_ssh_host=172.16.1.53 asible_ssh_user=root ansible_ssh_port=22
db04 ansible_ssh_host=172.16.1.54 asible_ssh_user=root ansible_ssh_port=22

[nfs_group]
nfs ansible_ssh_host=172.16.1.31 asible_ssh_user=root ansible_ssh_port=22

[redis_group]
redis ansible_ssh_host=172.16.1.81 asible_ssh_user=root ansible_ssh_port=22

[lb_group]
lb01 ansible_ssh_host=172.16.1.5 asible_ssh_user=root ansible_ssh_port=22
lb02 ansible_ssh_host=172.16.1.6 asible_ssh_user=root ansible_ssh_port=22

[backup_group]
backup ansible_ssh_host=172.16.1.41 asible_ssh_user=root ansible_ssh_port=22

[zabbix_group]
zabbix ansible_ssh_host=172.16.1.71 asible_ssh_user=root ansible_ssh_port=22

[m01_group]
m01 ansible_ssh_host=172.16.1.61 asible_ssh_user=root ansible_ssh_port=22

6.仪式（检测）
[root@m01 ~]# ansible '*' -m ping

ansible优化

1.下载
[root@m01 ~]#  yum install -y ansible
2.优化
[root@m01 ~]#  vim /etc/ansible/ansible.cfg		#改为
host_key_checking = False

---

使用ansible-galaxy创建角色目录

[root@m01 ansible]# ansible-galaxy init base

阿里云仓库

[root@m01 base]# cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/epel.repo /etc/ansible/roles/base/files/

编辑tasks目录

#1.打开防火墙
[root@m01 base]# vim tasks/firewalld.yml 
- name: start firewalld
  service:
    name: firewalld
    state: started
    enabled: yes
#2.打开常用端口
[root@m01 base]# vim tasks/port.yml 
- name: Open Port
  firewalld:
    port: "{{ item }}"
    state: enabled
    permanent: no
  loop:
    - "{{ port }}"

- name: Open nfs
  firewalld:
    service: nfs
    state: enabled
    permanent: no
#3.关闭selinux
[root@m01 base]# vim tasks/selinux.yml 
- name: stop selinux
  selinux:
    state: disabled
#4.创建"www"用户
[root@m01 base]# vim tasks/user_group.yml 
- name: panduan "{{ ww_w }}"
  shell: 'id {{ ww_w }}'
  ignore_errors: yes
  register: id_www

- name: Create {{ ww_w }} Group
  group:
    name: "{{ ww_w }}"
    gid: "{{ uid_gid }}"
    state: present
  when: id_www.rc != 0

- name: Create {{ ww_w }} User
  user:
    name: "{{ ww_w }}"
    uid: "{{ uid_gid }}"
    group: "{{ ww_w }}"
    shell: /sbin/nologin
    create_home: false
  when: id_www.rc != 0

#换源
[root@m01 base]# vim tasks/base_epel.yml
- name: Push YUM Repo File
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: 'CentOS-Base.repo',dest: '/etc/yum.repos.d' }
    - { src: 'epel.repo',dest: '/etc/yum.repos.d' }
#安装基础包
[root@m01 base]# vim tasks/packages.yml
- name: Install Base Packages
  yum:
    name: "{{ packages }}"
#优化文件描述符
[root@m01 base]# vim tasks/limit.yml
- name: Modify File Miao Shu Fu
  pam_limits:
    domain: '*'
    limit_type: '-'
    limit_item: nofile
    value: '65535'

#5.编辑main.yml
[root@m01 base]# vim tasks/main.yml 
- include: firewalld.yml
- include: port.yml
- include: selinux.yml
- include: user_group.yml
- include: base_epel.yml
- include: limit.yml
- include: packages.yml

#6.编辑变量文件
[root@m01 base]# vim vars/main.yml 
uid_gid: 666
ww_w: www
#基础优化要安装的包
packages:
  - net-tools
  - vim
  - tree
  - htop
  - iftop
  - gcc
  - gcc-c++
  - glibc
  - iotop
  - lrzsz
  - sl
  - wget
  - unzip
  - telnet
  - nmap
  - nc
  - psmisc
  - dos2unix
  - bash-completion
  - sysstat
  - rsync
  - nfs-utils
  - httpd-tools

编辑vars目录

port:
  - "22/tcp"
  - "23/tcp"
  - "80/tcp"
  - "443/tcp"
  - "873/tcp"
  - "3306/tcp"
  - "9000/tcp"
  - "6379/tcp"
  - "8080/tcp"
  - "10050/tcp"
ww_w: www
uid_gid: 666

编辑入口文件

[root@m01 roles]# vim site.yml 
- hosts: all
  roles:
    - { role: base }

执行

[root@m01 roles]# ansible-playbook site.yml

#查看文件描述符
1：查看现在的文件描述符大小和用户最大进程数
查看全部
# ulimit -a

查看文件描述符大小，即最大打开的文件数
# ulimit -n

查看用户最大进程数大小
# ulimit -u

文件描述符大小和用户最大进程数修改，编辑配置文件
# vi  /etc/security/limits.conf
* - nofile 65535
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535


soft nproc： 单个用户可用的最大进程数量(软限制)
hard nproc：单个用户可用的最大进程数量(硬限制)
soft nofile： 可打开的文件描述符的最大数(软限制)
hard nofile：可打开的文件描述符的最大数(硬限制)
*   ：代表所有用户，也可以写成你需要修改的用户名