RH294 system information
During the exercises you will work with the following virtual systems:
Physical host: foundation
kiosk: redhat
root: Asimov
workstation.lab.example.com 172.25.250.9 Ansible control node
servera.lab.example.com 172.25.250.10 Ansible managed node
serverb.lab.example.com 172.25.250.11 Ansible managed node
serverc.lab.example.com 172.25.250.12 Ansible managed node
serverd.lab.example.com 172.25.250.13 Ansible managed node
bastion.lab.example.com 172.25.250.254 Ansible managed node
workstation is the Ansible control node.
servera, serverb, serverc, serverd and bastion are the managed hosts.
SSH key-based authentication is already configured between all of them.
The user account student has been created on the Ansible control node. This account comes with SSH keys pre-installed, which allow SSH login between the Ansible control node and each Ansible managed node.
Do not modify the student SSH configuration files on the systems.
You can switch to this user account from the root account with su.
1.
[kiosk@foundation ~]$ virt-manager
[kiosk@foundation ~]$ rht-vmctl reset all
Enter y to confirm resetting all hosts.
[kiosk@foundation ~]$ ssh -X root@workstation
[root@workstation ~]# dnf install -y ansible
[root@workstation ~]# vim /etc/sudoers.d/student
student ALL=(ALL) NOPASSWD: ALL
[root@workstation ~]# for i in server{a..d} bastion
> do scp /etc/sudoers.d/student root@$i:/etc/sudoers.d/
> done
2. On workstation, servera, serverb, serverc, serverd and bastion, edit /etc/hosts and change the IP address that content.example.com resolves to to 172.25.254.250.
[root@workstation ~]# for i in server{a..d} bastion
> do scp /etc/hosts root@$i:/etc/hosts
> done
3. Use Xshell to upload the files the exam environment needs to the /content/ directory.
4. Stop the httpd service on bastion.
[root@workstation ~]# ssh root@bastion
[root@bastion ~]# systemctl stop httpd
[root@bastion ~]# systemctl disable httpd
Install and configure Ansible on the control node workstation.lab.example.com as described below:
install the required packages
create a static inventory file named /home/student/ansible/inventory that meets the following requirements:
servera is a member of the dev host group
serverb is a member of the test host group
serverc and serverd are members of the prod host group
bastion is a member of the balancers host group
the prod group is a member of the webservers host group
create a configuration file named /home/student/ansible/ansible.cfg that meets the following requirements:
the inventory file is /home/student/ansible/inventory
the location of the roles used in playbooks includes /home/student/ansible/roles
[student@workstation ~]$ mkdir ansible
[student@workstation ~]$ cd ansible
[student@workstation ansible]$ cp /etc/ansible/ansible.cfg /home/student/ansible/
[student@workstation ansible]$ mkdir /home/student/ansible/roles
[student@workstation ansible]$ vi ansible.cfg
[defaults]
inventory = /home/student/ansible/inventory
remote_user = student
roles_path = /home/student/ansible/roles
# Lab shortcut: this disables SSH host key verification, so a spoofed managed
# node would not be detected. Leave it at the default (true) outside the lab.
host_key_checking = false
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
[student@workstation ansible]$ vim inventory
[dev]
servera
[test]
serverb
[prod]
serverc
serverd
[balancers]
bastion
[webservers:children]
prod
Verify:
[student@workstation ansible]$ ansible all -m ping
As the system administrator, you need to install software on the managed nodes.
Create a shell script named /home/student/ansible/adhoc.sh as described below; the script uses Ansible ad hoc commands to install yum repositories on each managed node:
Repository 1:
the repository name is rh294_BASE
the description is rh294 base software
the base URL is http://content.example.com/rhel8.0/x86_64/dvd/BaseOS
GPG signature checking is enabled
the GPG key URL is http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
the repository is enabled
Repository 2:
the repository name is rh294_STREAM
the description is rh294 stream software
the base URL is http://content.example.com/rhel8.0/x86_64/dvd/AppStream
GPG signature checking is enabled
the GPG key URL is http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
the repository is enabled
[student@workstation ansible]$ vim adhoc.sh
#!/bin/bash
# Both repositories go into /etc/yum.repos.d/rhel_dvd.repo (file=rhel_dvd).
# gpgcheck=yes makes dnf verify package signatures against the key at gpgkey.
# The trailing backslashes continue the quoted -a argument across lines.
ansible all -m yum_repository -a "name=rh294_BASE description='rh294 base software' \
file=rhel_dvd baseurl=http://content.example.com/rhel8.0/x86_64/dvd/BaseOS gpgcheck=yes \
gpgkey=http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes"
ansible all -m yum_repository -a "name=rh294_STREAM description='rh294 stream software' \
file=rhel_dvd baseurl=http://content.example.com/rhel8.0/x86_64/dvd/AppStream \
gpgcheck=yes gpgkey=http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes"
[student@workstation ansible]$ chmod +x adhoc.sh
[student@workstation ansible]$ ./adhoc.sh
Create a playbook named /home/student/ansible/packages.yml:
install the php and mariadb packages on hosts in the dev, test and prod host groups
install the RPM Development Tools package group on hosts in the dev host group
update all packages on hosts in the dev host group to the latest version
[student@workstation ansible]$ vim packages.yml
---
- name: install pkgs
  hosts: dev,test,prod
  tasks:
    - name: install mariadb php
      yum:
        name:
          - php
          - mariadb
        state: present

- name: install group pkgs
  hosts: dev
  tasks:
    - name: install RPM Development Tools
      yum:
        # the requirement names the "RPM Development Tools" group; the @ prefix selects a package group
        name: "@RPM Development Tools"
        state: present

- name: update all pkgs
  hosts: dev
  tasks:
    - name: update pkgs
      yum:
        name: '*'
        state: latest
[student@workstation ansible]$ ansible-playbook packages.yml
Install the RHEL system roles package and create a playbook /home/student/ansible/timesync.yml that meets the following conditions:
runs on all managed nodes
uses the timesync role
configures the role to use the currently active NTP provider
configures the role to use the time server classroom.example.com
configures the role to enable the iburst parameter
[student@workstation ansible]$ sudo yum -y install rhel-system-roles
[student@workstation ansible]$ mkdir -p roles
[student@workstation ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.timesync/ /home/student/ansible/roles/timesync
[student@workstation ansible]$ vim timesync.yml
---
- name: set time sync
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: classroom.example.com
        iburst: yes
  roles:
    - timesync
[student@workstation ansible]$ ansible-playbook timesync.yml
Use the selinux role
configure the role to enable SELinux on all managed nodes
[student@workstation ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.selinux /home/student/ansible/roles/selinux
[student@workstation ansible]$ vim selinux.yml
---
- name: set selinux
  hosts: all
  vars:
    selinux_state: enforcing   # on a node where SELinux was disabled, the change takes effect only after a reboot
  roles:
    - role: selinux
      become: true
[student@workstation ansible]$ ansible-playbook selinux.yml
Use Ansible Galaxy and the requirements file /home/student/ansible/roles/requirements.yml to download roles from the following URLs and install them into /home/student/ansible/roles:
http://content.example.com/haproxy.tar.gz, this role should be named balancer
http://content.example.com/phpinfo.tar.gz, this role should be named phpinfo
[student@workstation ansible]$ vim roles/requirements.yml
---
- name: balancer
  src: http://content.example.com/ansible2.8/haproxy.tar.gz
- name: phpinfo
  src: http://content.example.com/ansible2.8/phpinfo.tar.gz
[student@workstation ansible]$ ansible-galaxy install -r /home/student/ansible/roles/requirements.yml -p /home/student/ansible/roles/
Create a role named apache in /home/student/ansible/roles according to the following requirements:
the httpd package is installed, enabled at boot and started
the firewall is enabled and running, with a rule that allows access to the web server
the template file index.html.j2 exists and is used to create the file /var/www/html/index.html with the following output:
Welcome to HOSTNAME on IPADDRESS
where HOSTNAME is the fully qualified domain name of the managed node and IPADDRESS is the IP address of the managed node.
Create a playbook /home/student/ansible/newrole.yml that uses this role, as described below:
the playbook runs on hosts in the webservers host group
[student@workstation ansible]$ cd roles/
[student@workstation roles]$ ansible-galaxy init apache
[student@workstation roles]$ vim apache/tasks/main.yml
---
# tasks file for apache
- name: install httpd firewalld
  yum:
    name:
      - httpd
      - firewalld
    state: present
- name: cp file
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
- name: start httpd
  service:
    name: httpd
    state: started
    enabled: yes
- name: restart firewalld
  service:
    name: firewalld
    state: restarted
    enabled: yes
- name: firewalld for http
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes
[student@workstation roles]$ vim apache/templates/index.html.j2
Welcome to {{ ansible_fqdn }} on {{ ansible_enp1s0.ipv4.address }}
[student@workstation roles]$ cd ..
[student@workstation ansible]$ vim newrole.yml
---
- name: use apache role
  hosts: webservers
  roles:
    - apache
[student@workstation ansible]$ ansible-playbook newrole.yml
Verify the result:
[student@workstation ansible]$ curl http://serverc
Welcome to serverc.lab.example.com on 172.25.250.12
[student@workstation ansible]$ curl http://serverd
Welcome to serverd.lab.example.com on 172.25.250.13
Create a playbook named /home/student/ansible/roles.yml according to the following requirements:
the playbook contains a play that runs on hosts in the balancers host group and uses the balancer role.
This role configures a service that load-balances web server requests between hosts in the webservers host group.
Browsing to a host in the balancers host group (for example http://bastion.lab.example.com/) produces the following output:
Welcome to serverc.example.com on 172.25.1.12
Reloading the browser produces output from the other web server:
Welcome to serverd.example.com on 172.25.1.13
the playbook contains a play that runs on hosts in the webservers host group and uses the phpinfo role.
Browsing to a host in the webservers host group via the URL /hello.php produces the following output:
Hello PHP World from FQDN
where FQDN is the fully qualified name of the host.
For example, browsing to http://serverc.lab.example.com/hello.php produces the following output:
Hello PHP World from serverc.lab.example.com
together with various details of the PHP configuration, such as the installed PHP version.
Likewise, browsing to http://serverd.lab.example.com/hello.php produces the following output:
Hello PHP World from serverd.lab.example.com
together with various details of the PHP configuration, such as the installed PHP version.
[student@workstation ansible]$ vim roles.yml
---
- name: gather facts for webservers
  hosts: webservers   # gather the facts of the webservers group first, because the balancer role balances the load across these hosts and needs them

- name: balancer role
  hosts: balancers
  roles:
    - balancer

- name: php role
  hosts: webservers
  roles:
    - phpinfo
Then run the playbook:
[student@workstation ansible]$ ansible-playbook roles.yml
Verify:
[student@workstation ansible]$ curl http://bastion.lab.example.com
Welcome to serverc.lab.example.com on 172.25.250.12
[student@workstation ansible]$ curl http://bastion.lab.example.com
Welcome to serverd.lab.example.com on 172.25.250.13
[student@workstation ansible]$ curl http://serverc.lab.example.com/hello.php
Hello PHP World from serverc.lab.example.com
[student@workstation ansible]$ curl http://serverd.lab.example.com/hello.php
Hello PHP World from serverd.lab.example.com
Create a playbook named /home/student/ansible/lv.yml that runs on all managed nodes and performs the following tasks:
create a logical volume that meets the following requirements:
the logical volume is created in the research volume group
the logical volume is named data
the logical volume size is 1500MiB
format the logical volume with the ext4 file system
if a logical volume of the requested size cannot be created, the error message
Could not create logical volume of that size should be displayed, and a size of 800MiB should be used instead.
if the volume group research does not exist, the error message
Volume group does not exist should be displayed.
do not mount the logical volume in any way
Environment preparation
Run lvm_pre.yml first:
[student@workstation ansible]$ ansible-playbook lvm_pre.yml
[student@workstation ansible]$ vim lv.yml
---
- name: create lvm
  hosts: all
  tasks:
    # block/rescue/always: the rescue runs only if the 1500M creation fails,
    # the always formats whatever was created. The when on the block guards
    # all three sections, so nothing runs when the volume group is missing.
    - name: create lv data
      block:
        - name: create lv 1500M
          lvol:
            lv: data
            vg: research
            size: 1500M
      rescue:
        - name: output fail message
          debug:
            msg: Could not create logical volume of that size
        - name: create lv 800M
          lvol:
            lv: data
            vg: research
            size: 800M
      always:
        - name: format lv
          filesystem:
            dev: /dev/research/data
            fstype: ext4
      when: "'research' in ansible_lvm.vgs"
    - name: research not exists
      debug:
        msg: Volume group does not exist
      when: "'research' not in ansible_lvm.vgs"
[student@workstation ansible]$ ansible-playbook lv.yml
Create and use a partition
Create a playbook named partition.yml that operates on all nodes:
create a 1500MiB primary partition on vdb
format it with the ext4 file system
mount the file system on /newpart
if the partition size cannot be satisfied, produce the error message could not create partition of that size
and create the partition with a size of 800MiB instead
if the disk does not exist, produce the error message: disk does not exist
[student@workstation ansible]$ vim partition.yml
---
- name: create partition
  hosts: all
  tasks:
    - name: create part1
      block:
        - name: create part 1500
          parted:
            device: /dev/vdb
            number: 1
            part_type: primary
            part_start: 10MiB
            part_end: 1510MiB   # 10MiB start + 1500MiB size
            state: present
      rescue:
        - name: output fail message
          debug:
            msg: could not create partition of that size
        - name: create part 800
          parted:
            device: /dev/vdb
            number: 1
            part_type: primary
            part_start: 10MiB
            part_end: 810MiB    # 10MiB start + 800MiB size (800MiB as the end would give only 790MiB)
            state: present
      always:
        - name: format part
          filesystem:
            dev: /dev/vdb1
            fstype: ext4
        - name: create mount point
          file:
            path: /newpart
            state: directory
        - name: mount
          mount:
            src: /dev/vdb1
            path: /newpart
            fstype: ext4
            state: mounted
      when: "ansible_devices.vdb is defined"
    - name: vdb not exist
      debug:
        msg: disk does not exist
      when: "ansible_devices.vdb is not defined"
[student@workstation ansible]$ ansible-playbook partition.yml
Because of the practice environment, this playbook cannot run normally here.
Download an initial template file from http://content.example.com/hosts.j2 to /home/student/ansible.
Complete the template so that it can be used to generate the following file: one line for each inventory host, in the same format as /etc/hosts.
Create a playbook named /home/student/ansible/hosts.yml that uses this template to generate the file /etc/myhosts on hosts in the dev host group.
After the playbook runs, the file /etc/myhosts on hosts in the dev host group should contain one line for each managed host:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.24.1.6 servera.lab1.example.com servera
172.24.1.7 serverb.lab1.example.com serverb
172.24.1.8 serverc.lab1.example.com serverc
172.24.1.9 serverd.lab1.example.com serverd
172.24.1.10 bastion.lab1.example.com bastion
[student@workstation ansible]$ wget http://content.example.com/hosts.j2
[student@workstation ansible]$ vim hosts.j2
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
{% for host in groups.all %}
{{ hostvars[host].ansible_enp1s0.ipv4.address }} {{ hostvars[host].ansible_fqdn }} {{ hostvars[host].ansible_hostname }}
{% endfor %}
[student@workstation ansible]$ vim hosts.yml
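The notes show the vim command but not the contents of hosts.yml; the playbook below is an added example, not the author's file. Because hosts.j2 reads hostvars[host] for every host in groups.all, a first play has to gather facts on all hosts before a second play renders the template on the dev group; the play and task names and the file mode are assumptions.

```yaml
---
# Added example for the /etc/myhosts task (not from the original notes).
# Play 1: gather facts from every inventory host, so that hostvars[host]
# carries ansible_enp1s0, ansible_fqdn and ansible_hostname for all of them.
- name: gather facts from all hosts
  hosts: all
  gather_facts: true

# Play 2: render the template only on the dev group. A play that targeted
# dev alone would fail when the template reaches a host whose facts were
# never collected, because its hostvars entries are undefined.
- name: generate /etc/myhosts on dev
  hosts: dev
  tasks:
    - name: render hosts.j2 into /etc/myhosts
      template:
        src: /home/student/ansible/hosts.j2
        dest: /etc/myhosts
        owner: root
        group: root
        mode: '0644'   # assumed; the task does not state permissions
```

Run it with ansible-playbook hosts.yml from /home/student/ansible; the verification that follows shows the resulting /etc/myhosts on servera.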
Verify:
[root@servera ~]# cat /etc/myhosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.254 bastion.lab.example.com bastion
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd
Create a playbook named /home/student/ansible/issue.yml as described below:
the playbook runs on all inventory hosts
the playbook replaces the contents of /etc/issue with the single line of text shown below:
on hosts in the dev host group, the line reads: Development
on hosts in the test host group, the line reads: Test
on hosts in the prod host group, the line reads: Production
[student@workstation ansible]$ vim issue.yml
---
- name: modify issue
  hosts: all
  tasks:
    # group_names lists the groups the current host belongs to; bastion is only
    # in balancers, so no branch matches there and its /etc/issue ends up empty
    - name: input to issue
      copy:
        content: |
          {% if 'dev' in group_names %}
          Development
          {% elif 'test' in group_names %}
          Test
          {% elif 'prod' in group_names %}
          Production
          {% endif %}
        dest: /etc/issue
[student@workstation ansible]$ ansible-playbook issue.yml
Verify:
[root@servera ~]# cat /etc/issue
Development
[root@serverb ~]# cat /etc/issue
Test
[root@serverc ~]# cat /etc/issue
Production
[root@serverd ~]# cat /etc/issue
Production
Create a playbook named /home/student/ansible/webcontent.yml as described below:
the playbook runs on managed nodes in the dev host group
create the directory /webdev meeting the following requirements:
owned by the devops group
regular permissions: owner=read+write+execute, group=read+write+execute, other=read+execute
special permission: set group ID
symbolically link /var/www/html/webdev to /webdev
create the file /webdev/index.html containing the single line of text shown below: Development
browsing to this directory on a host in the dev host group (for example http://servera.lab.example.com/webdev/) produces the following output:
Development
[student@workstation ansible]$ vim webcontent.yml
---
- name: web station
  hosts: dev
  tasks:
    - name: install httpd firewalld
      yum:
        name:
          - httpd
          - firewalld
        state: present
    - name: create group
      group:
        name: devops
        state: present
    - name: create /webdev
      file:
        path: /webdev
        state: directory
        group: devops
        # quoted on purpose: an unquoted 2775 is read by YAML as the decimal
        # number 2775 and sets the wrong bits; '2775' is setgid + rwxrwxr-x
        mode: '2775'
    - name: cp
      copy:
        content: Development
        dest: /webdev/index.html
    # without the httpd_sys_content_t context SELinux blocks httpd from reading
    # files outside /var/www, even through the symlink
    - name: set selinux context
      sefcontext:
        target: '/webdev(/.*)?'
        setype: httpd_sys_content_t
    - name: shell
      shell:
        cmd: restorecon -Rv /webdev
    - name: create link to /var/www/html/webdev
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: restart httpd
      service:
        name: httpd
        state: restarted
        enabled: yes
    - name: restart firewalld
      service:
        name: firewalld
        state: restarted
        enabled: yes
    - name: firewall for http
      firewalld:
        service: http
        state: enabled
        permanent: yes
        immediate: yes
[student@workstation ansible]$ ansible-playbook webcontent.yml
Verify:
[student@workstation ansible]$ curl http://servera.lab.example.com/webdev/
Development
Create a playbook named /home/student/ansible/hwreport.yml that generates an output file /root/hwreport.txt on all managed nodes containing the following information:
each line of the output file contains one key=value pair.
Your playbook should:
download the file from http://content.example.com/hwreport.empty and save it as /root/hwreport.txt
modify /root/hwreport.txt with the correct values
if a hardware item does not exist, the associated value should be set to NONE
[student@workstation ansible]$ vim hwreport.yml
---
- name: get hwreport
  hosts: all
  tasks:
    # get_url does not overwrite an existing /root/hwreport.txt, so a rerun
    # keeps the values already substituted below (use force: yes to regenerate)
    - name: Create report file
      get_url:
        url: http://content.example.com/hwreport.empty
        dest: /root/hwreport.txt
    - name: get inventory_hostname
      replace:
        path: /root/hwreport.txt
        regexp: 'inventoryhostname'
        replace: "{{ inventory_hostname }}"
    - name: get mem
      replace:
        path: /root/hwreport.txt
        regexp: 'memory_in_MB'
        replace: "{{ ansible_memtotal_mb }}"
    - name: get bios
      replace:
        path: /root/hwreport.txt
        regexp: 'BIOS_version'
        replace: "{{ ansible_bios_version }}"
    # the inline if/else falls back to NONE when the disk fact is absent
    - name: get vda
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vda_size'
        replace: "{{ ansible_devices.vda.size if ansible_devices.vda is defined else 'NONE' }}"
    - name: get vdb
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vdb_size'
        replace: "{{ ansible_devices.vdb.size if ansible_devices.vdb is defined else 'NONE' }}"
[student@workstation ansible]$ ansible-playbook hwreport.yml
Create an Ansible vault to store user passwords as described below:
the vault name is /home/student/ansible/locker.yml
the vault contains two variables with the following names:
pw_developer, with the value Imadev
pw_manager, with the value Imamgr
the password used to encrypt and decrypt the vault is whenyouwishuponastar
the password is stored in the file /home/student/ansible/secret.txt
[student@workstation ansible]$ vim locker.yml
---
# values begin with a capital I, as given in the task (easy to misread as a lowercase l)
pw_developer: Imadev
pw_manager: Imamgr
[student@workstation ansible]$ echo whenyouwishuponastar > secret.txt
[student@workstation ansible]$ chmod 600 secret.txt
[student@workstation ansible]$ ansible-vault encrypt locker.yml --vault-id=/home/student/ansible/secret.txt
Download the list of users to create from http://content.example.com/user_list.yml and save it to /home/student/ansible.
Using the password vault /home/student/ansible/locker.yml created elsewhere in this exam, create a playbook named /home/student/ansible/users.yml that creates user accounts as described below:
users with the job description developer should:
be created on managed nodes in the dev and test host groups
be assigned a password from the pw_developer variable, with a password validity of 30 days
be members of the supplementary group student
users with the job description manager should:
be created on managed nodes in the prod host group
be assigned a password from the pw_manager variable, with a password validity of 30 days
be members of the supplementary group opsmgr
passwords should use the SHA512 hash format.
Your playbook should run correctly using the vault password file /home/student/ansible/secret.txt created elsewhere in this exam.
[student@workstation ansible]$ wget http://content.example.com/user_list.yml
[student@workstation ansible]$ vim users.yml
---
- name: create developer user
  hosts: dev,test
  vars_files:
    - /home/student/ansible/locker.yml
    - /home/student/ansible/user_list.yml
  tasks:
    - name: create group student
      group:
        name: student
        state: present
    - name: create user in developer
      user:
        name: "{{ item.name }}"
        groups: student
        # password_hash picks a fresh random salt on every run, so this task
        # reports changed each time; a fixed salt as the second argument
        # makes it idempotent
        password: "{{ pw_developer | password_hash('sha512') }}"
        state: present
      loop: "{{ users }}"
      when: item.job == "developer"
    # chage through shell is not idempotent; the user module's
    # password_expire_max parameter (Ansible 2.11 and later) does the same declaratively
    - name: chage
      shell:
        cmd: chage -M 30 {{ item.name }}
      loop: "{{ users }}"
      when: item.job == "developer"

- name: create manager user
  hosts: prod
  vars_files:
    - /home/student/ansible/locker.yml
    - /home/student/ansible/user_list.yml
  tasks:
    - name: create group opsmgr
      group:
        name: opsmgr
        state: present
    - name: create user in manager
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
        state: present
      loop: "{{ users }}"
      when: item.job == "manager"
    - name: chage1
      shell:
        cmd: chage -M 30 {{ item.name }}
      loop: "{{ users }}"
      when: item.job == "manager"
[student@workstation ansible]$ ansible-playbook users.yml --vault-id secret.txt
Update the password of an existing Ansible vault as described below:
download the Ansible vault from http://content.example.com/salaries.yml to /home/student/ansible
the current vault password is AAAAAAAAA
the new vault password is bbe2de98389b
the vault remains encrypted with the new password
[student@workstation ansible]$ wget http://172.25.250.250/ansible2.8/salaries.yml
[student@workstation ansible]$ ansible-vault rekey salaries.yml
Enter the old password.
Enter the new password.
Confirm the new password.
Configure a cron job that runs every 2 minutes and executes the following command:
logger "EX294 in progress", running as the user natasha
[student@workstation ansible]$ vim cron.yml
---
- name: create cron
  hosts: all
  tasks:
    # the user must exist before a crontab can be installed for it
    - name: create user
      user:
        name: natasha
        state: present
    - name: create cron for all
      cron:
        name: cy
        minute: '*/2'
        job: logger "EX294 in progress"
        user: natasha
[student@workstation ansible]$ ansible-playbook cron.yml