One Step at a Time: How I Automated Bulk Server Deployment to Simplify the Deployment Process


Preface:

2022 has arrived and the company will soon be on holiday; this year's work is winding down and I can take a long break to rest. Meanwhile, money still has to be earned. I recently took on a job where the client bought 20 servers that need services deployed on them, among them Docker, NFS, Ceph and a cloud platform (OpenStack or oVirt). It is effectively a self-built data centre. Apart from installing the operating system on the newly purchased servers, the main job is the initial server setup. This early-stage work is repetitive and tedious, so it can be completed fully automatically and in bulk.

Prerequisites:

1. This article only covers the initial server deployment; the services deployed afterwards are out of scope.

2. I have already allocated IP addresses, hostnames (or FQDNs), disk partitions and so on in advance, and the systems were installed with a minimal install.

3. Out of habit, the annotations I use in this article to explain the scripts are written with //; if you copy them without deleting them, you will certainly get errors.

4. And of course, most importantly: I am a beginner, so the logic will be convoluted and long. Please don't flame me, I will keep working at it!

Note: pacemaker+drbd+nfs is just too good!

Contents and explanation:

# cat site.yml

---
- name: reload system
  hosts: new_servers
  vars:
    selinux_policy: targeted
    selinux_state: disabled          # Disable SELinux
    timesync_ntp_servers:            # Configure the chronyd servers
      - hostname: ntp.aliyun.com
        iburst: yes
      - hostname: ntp1.aliyun.com
        iburst: yes
      - hostname: ntp2.aliyun.com
        iburst: yes

  pre_tasks:
    - name: Set yum Tsinghua repos         # Configure the yum repos first; I use the Tsinghua University mirror
      shell: >
        /usr/bin/sed -e 's|^mirrorlist=|#mirrorlist=|g' -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://mirrors.tuna.tsinghua.edu.cn|g' -i.bak /etc/yum.repos.d/CentOS-*.repo

  roles:
    - rhel-system-roles.selinux          # Red Hat's official SELinux role
    - rhel-system-roles.timesync         # Red Hat's official timesync role
    - reload_system                      # The role I wrote myself

# cat reload_system/tasks/main.yml   # Let's look at the tasks file first

---
# tasks file for reload_system

- name: Set security limits       # Raise the maximum number of files a user may open to 65535
  lineinfile:
    dest: /etc/security/limits.conf
    regexp: '^\*\s+-\s+nofile\s'
    line: '* - nofile 65535'
    state: present

- name: Stop firewalld     # Stop the firewall the system enables by default and keep it from starting at boot
  service:
    name: firewalld
    state: stopped
    enabled: no

- name: Update Packages      # Upgrade all packages
  yum:
    name: "*"
    state: latest

- name: Remove postfix    # Remove the postfix package that is installed by default
  yum:
    name: postfix
    state: absent

- name: Install base Packages   # Install packages
  yum:
    name: "{{ item }}"
    state: present
  loop: "{{ YUM_PACKAGES }}"
  notify: set epel repository

- name: Run handlers now            # Run the handlers notified above right away
  meta: flush_handlers

- name: Create directory    # Create custom directories; missing parent directories are created automatically
  file:
    path: "{{ item }}"
    recurse: yes
    state: directory
  loop: "{{ MKDIR }}"

- name: Create user        # Add the admin users and set their password
  user:
    name: "{{ item['NAME'] }}"
    password: "{{ PASSWORD }}"
    state: present
  loop: "{{ USERLIST }}"

- name: Set user sudoers        # Write the admin users into sudoers with the NOPASSWD attribute
  lineinfile:
    dest: /etc/sudoers
    regexp: "^{{ item['NAME'] }}\\s"
    line: "{{ item['NAME'] }}    ALL=(ALL)       NOPASSWD: ALL"
    validate: '/usr/sbin/visudo -cf %s'        # Note! /etc/sudoers is a read-only file; visudo checks the result before it is written
    state: present
  loop: "{{ USERLIST }}"

- name: Set ssh port       # Change the ssh port ('^#?' also matches a port that is already set, so reruns replace instead of appending)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?Port '
    line: 'Port 27434'
    state: present
  notify: restart ssh

- name: Set ssh close root login           # Disallow root logging in over ssh
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin '
    line: 'PermitRootLogin no'
    state: present
  notify: restart ssh

- name: Set ssh close cert login         # Disable certificate login (admittedly, doing this is not secure); what this task actually sets is PermitEmptyPasswords no, i.e. accounts with empty passwords are rejected
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PermitEmptyPasswords '
    line: 'PermitEmptyPasswords no'
    state: present
  notify: restart ssh

- name: Set ssh close DNS          # Turn off UseDNS
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?UseDNS '
    line: 'UseDNS no'
    state: present
  notify: restart ssh

# cat reload_system/defaults/main.yml

---
# defaults file for reload_system
MKDIR:                        # Directories to create
    - /application
    - /data

# cat reload_system/vars/main.yml

---
# vars file for reload_system
USERLIST:                     # Users to create
  - NAME: ZhangT
  - NAME: SunG

PASSWORD: $6$JULzo08Rn3I69KAw$TcGpjlIcct.h0cSmqHdkEnh.yIjrTLrsYydM55JGxrcnS7.            # The password defined here is the already-hashed form, not the plaintext

YUM_PACKAGES:           # Packages to install; some may live in the EPEL repo, so I put epel-release first
  - epel-release
  - vim
  - lrzsz
  - wget
  - curl
  - bash-completion

# cat reload_system/handlers/main.yml

---
# handlers file for reload_system
- name: set epel repository            # Switch the EPEL repo to the Tsinghua University mirror
  shell: >
    /usr/bin/sed -e 's!^metalink=!#metalink=!g' -e 's!^#baseurl=!baseurl=!g' -e 's!//download\.fedoraproject\.org/pub!//mirrors.tuna.tsinghua.edu.cn!g' -e 's!//download\.example/pub!//mirrors.tuna.tsinghua.edu.cn!g' -e 's!http://mirrors!https://mirrors!g' -i /etc/yum.repos.d/epel*.repo

- name: Update epel packages        # Update the system packages after switching EPEL
  yum:
    name: '*'
    state: latest
  listen: set epel repository

- name: restart ssh           # Restart the SSH service; after the restart root can no longer log in, so I put this task last
  service:
    name: sshd
    state: restarted
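Every sshd setting in the role is rewritten with lineinfile, so whether a rerun stays idempotent, and whether the new value is the one sshd actually honours, comes down to the regexp. The Python script below is an added example, not part of the article or of any Ansible role: it simulates lineinfile's state=present semantics on a constructed stock sshd_config excerpt, applies the role's four sshd changes twice, and shows how a regexp pinned to the commented default (such as ^PermitRootLogin yes) only appends when an admin has already set a different value, leaving that earlier value in force because sshd uses the first occurrence of each keyword.

```python
import re
# Constructed excerpt of a stock sshd_config (not taken from the article's hosts).
STOCK_SSHD_CONFIG = """\
#Port 22
#PermitRootLogin yes
#PermitEmptyPasswords no
#UseDNS yes
"""
# Same excerpt after an admin has already set PermitRootLogin to a non-default value.
PRESET_SSHD_CONFIG = STOCK_SSHD_CONFIG.replace("#PermitRootLogin yes", "PermitRootLogin without-password")
# Directives the role sets. '^#?Key ' matches the line whether it is still
# commented out or already active, so it is replaced in place, never duplicated.
SSHD_CHANGES = [
    (r"^#?Port ", "Port 27434"),
    (r"^#?PermitRootLogin ", "PermitRootLogin no"),
    (r"^#?PermitEmptyPasswords ", "PermitEmptyPasswords no"),
    (r"^#?UseDNS ", "UseDNS no"),
]

def lineinfile(text, regexp, line):
    """Mimic Ansible lineinfile (state=present): replace the last line matching regexp;
    if nothing matches, append line unless present verbatim. Returns (new_text, changed)."""
    lines = text.splitlines()
    hits = [i for i, l in enumerate(lines) if re.search(regexp, l)]
    if hits:
        if lines[hits[-1]] == line:
            return text, False
        lines[hits[-1]] = line
    elif line in lines:
        return text, False
    else:
        lines.append(line)
    return "\n".join(lines) + "\n", True

def harden(text, changes=SSHD_CHANGES):
    """Apply every change in order; return (new_text, number of tasks that changed)."""
    changed = 0
    for regexp, line in changes:
        text, c = lineinfile(text, regexp, line)
        changed += c
    return text, changed

def effective_value(text, key):
    """Value sshd would use for key: the first active (uncommented) line wins."""
    for l in text.splitlines():
        m = re.match(rf"^{key}\s+(\S+)", l)
        if m:
            return m.group(1)
    return None

def active_count(text, key):
    """Number of active lines setting key; more than one is a silent conflict."""
    return sum(1 for l in text.splitlines() if re.match(rf"^{key}\s", l))

if __name__ == "__main__":
    once, n1 = harden(STOCK_SSHD_CONFIG)
    print(once + f"run 1 changed {n1} tasks, run 2 changed {harden(once)[1]} (idempotent)")
    # A regexp pinned to the commented default misses the preset line and only appends.
    loose, _ = lineinfile(PRESET_SSHD_CONFIG, r"^PermitRootLogin yes", "PermitRootLogin no")
    print(active_count(loose, "PermitRootLogin"), "active lines; sshd uses", effective_value(loose, "PermitRootLogin"))
```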

Execution result (this has already been run once on the host, so your output may differ):

# ansible-playbook site_new_server.yml 

PLAY [reload system] ********************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************
ok: [10.53.59.20]

TASK [Set yum Tsinghua repos] ***********************************************************************************************************************************************
[WARNING]: Consider using the replace, lineinfile or template module rather than running 'sed'.  If you need to use command because replace, lineinfile or template is
insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
changed: [10.53.59.20]

TASK [rhel-system-roles.selinux : Install SELinux python2 tools] ************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Install SELinux python3 tools] ************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.selinux : refresh facts] ****************************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.selinux : Install SELinux tool semanage] ************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.selinux : Set permanent SELinux state if enabled] ***************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Set permanent SELinux state if disabled] **************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.selinux : Set ansible facts if needed] **************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.selinux : Fail if reboot is required] ***************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Warn if SELinux is disabled] **************************************************************************************************************
ok: [10.53.59.20] => {
    "msg": "SELinux is disabled on system - some SELinux modules can crash"
}

TASK [rhel-system-roles.selinux : Drop all local modifications] *************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Purge all SELinux boolean local modifications] ********************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Purge all SELinux file context local modifications] ***************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Purge all SELinux port local modifications] ***********************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Purge all SELinux login local modifications] **********************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.selinux : Set SELinux booleans] *********************************************************************************************************************

TASK [rhel-system-roles.selinux : Set SELinux file contexts] ****************************************************************************************************************

TASK [rhel-system-roles.selinux : Restore SELinux labels on filesystem tree] ************************************************************************************************

TASK [rhel-system-roles.selinux : Restore SELinux labels on filesystem tree in check mode] **********************************************************************************

TASK [rhel-system-roles.selinux : Set an SELinux label on a port] ***********************************************************************************************************

TASK [rhel-system-roles.selinux : Set linux user to SELinux user mapping] ***************************************************************************************************

TASK [rhel-system-roles.selinux : Get SELinux modules facts] ****************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.selinux : include_tasks] ****************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Set version specific variables] **********************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Populate service facts] ******************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Set variable `timesync_services` with filtered uniq service names] ***********************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Check that variable 'timesync_services' is defined] **************************************************************************************
ok: [10.53.59.20] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [rhel-system-roles.timesync : Check if only NTP is needed] *************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Check if single PTP is needed] ***********************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Check if both NTP and PTP are needed] ****************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Determine current NTP provider] **********************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Select NTP provider] *********************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Install chrony] **************************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Install ntp] *****************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Install linuxptp] ************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Gather package facts] ********************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Run phc_ctl on PTP interface] ************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Check if PTP interface supports HW timestamping] *****************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate chrony.conf file] ***************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate chronyd sysconfig file] *********************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate ntp.conf file] ******************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate ntpd sysconfig file] ************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate ptp4l.conf file] ****************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate ptp4l sysconfig file] ***********************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate phc2sys sysconfig file] *********************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Generate timemaster.conf file] ***********************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Update network sysconfig file] ***********************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable chronyd] *************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable ntpd] ****************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable ntpdate] *************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable sntp] ****************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable ptp4l] ***************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable phc2sys] *************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Disable timemaster] **********************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Enable chronyd] **************************************************************************************************************************
ok: [10.53.59.20]

TASK [rhel-system-roles.timesync : Enable ntpd] *****************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Enable ptp4l] ****************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Enable phc2sys] **************************************************************************************************************************
skipping: [10.53.59.20]

TASK [rhel-system-roles.timesync : Enable timemaster] ***********************************************************************************************************************
skipping: [10.53.59.20]

TASK [reload_system : Set security limits] **********************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Stop firewalld] ***************************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Update Packages] **************************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Remove postfix] ***************************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Install base Packages] ********************************************************************************************************************************
ok: [10.53.59.20] => (item=epel-release)
ok: [10.53.59.20] => (item=vim)
ok: [10.53.59.20] => (item=lrzsz)
ok: [10.53.59.20] => (item=wget)
ok: [10.53.59.20] => (item=curl)
ok: [10.53.59.20] => (item=bash-completion)

TASK [reload_system : Create directory] *************************************************************************************************************************************
ok: [10.53.59.20] => (item=/application)
ok: [10.53.59.20] => (item=/data)

TASK [reload_system : Create user] ******************************************************************************************************************************************
ok: [10.53.59.20] => (item={'NAME': 'ZhangT'})
ok: [10.53.59.20] => (item={'NAME': 'SunG'})

TASK [reload_system : Set user sudoers] *************************************************************************************************************************************
ok: [10.53.59.20] => (item={'NAME': 'ZhangT'})
ok: [10.53.59.20] => (item={'NAME': 'SunG'})

TASK [reload_system : Set ssh port] *****************************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Set ssh close root login] *****************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Set ssh close cert login] *****************************************************************************************************************************
ok: [10.53.59.20]

TASK [reload_system : Set ssh close DNS] ************************************************************************************************************************************
ok: [10.53.59.20]

PLAY RECAP ******************************************************************************************************************************************************************
10.53.59.20               : ok=34   changed=1    unreachable=0    failed=0    skipped=38   rescued=0    ignored=0