一 Key points
The example is divided into 6 roles: base-apache, common, db, haproxy, nagios and web, each corresponding to the deployment of one functional environment. This article covers the common role.
二 The common role
1 Key points
The main job of common is to deploy and configure the basic system services, including the yum repositories, installation of the nagios plugins, the NTP service, iptables, SELinux and so on.
2 Code
2.1 roles/common/tasks/main.yml
---
# This role contains common plays that will run on all nodes.
- name: Create the repository for EPEL
  copy: src=epel.repo dest=/etc/yum.repos.d/epel.repo
- name: Create the GPG key for EPEL
  copy: src=RPM-GPG-KEY-EPEL-6 dest=/etc/pki/rpm-gpg
- name: install some useful nagios plugins
  yum: name={{ item }} state=present
  with_items:
    - nagios-nrpe
    - nagios-plugins-swap
    - nagios-plugins-users
    - nagios-plugins-procs
    - nagios-plugins-load
    - nagios-plugins-disk
- name: Install ntp
  yum: name=ntp state=present
  tags: ntp
- name: Configure ntp file
  template: src=ntp.conf.j2 dest=/etc/ntp.conf
  tags: ntp
  notify: restart ntp
- name: Start the ntp service
  service: name=ntpd state=started enabled=true
  tags: ntp
- name: insert iptables template
  template: src=iptables.j2 dest=/etc/sysconfig/iptables
  notify: restart iptables
- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  changed_when: false
The code above defines two remote file copies (copy); the default location of src (the source file) is roles/common/files. The with_items keyword installs the nagios plugins in a loop. The ntp service is also installed, using the template file roles/common/templates/ntp.conf.j2, which is synced to /etc/ntp.conf on the target host. The system iptables are configured from the template roles/common/templates/iptables.j2; "notify: restart iptables" means that whenever the state or the template changes, the handler (handlers) is notified to act. "command: getenforce" runs getenforce to detect whether SELinux is enforcing; "changed_when: false" means the command's result never counts as a change, i.e. changed is always False.
2.2 roles/common/handlers/main.yml
---
# Handlers for common notifications
- name: restart ntp
  service: name=ntpd state=restarted
- name: restart iptables
  service: name=iptables state=restarted
The code above defines two handlers, which restart the ntp and iptables services respectively. "name: restart ntp" corresponds one-to-one with "notify: restart ntp" in the task (tasks) definition, and likewise for "name: restart iptables".
2.3 roles/common/templates/iptables.j2
# {{ ansible_managed }}
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if (inventory_hostname in groups['webservers']) or (inventory_hostname in groups['monitoring']) %}
-A INPUT -p tcp --dport 80 -j ACCEPT
{% endif %}
{% if inventory_hostname in groups['dbservers'] %}
-A INPUT -p tcp --dport 3306 -j ACCEPT
{% endif %}
{% if inventory_hostname in groups['lbservers'] %}
-A INPUT -p tcp --dport {{ listenport }} -j ACCEPT
{% endif %}
{% for host in groups['monitoring'] %}
-A INPUT -p tcp -s {{ hostvars[host].ansible_default_ipv4.address }} --dport 5666 -j ACCEPT
{% endfor %}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
inventory_hostname is the host name or IP exactly as stored in the Ansible inventory file; the advantage is that it does not depend on the Facts host name parameter ansible_hostname or on anything else. Normally inventory_hostname equals ansible_hostname, but we sometimes prefer to use IP addresses in the Ansible inventory, whereas ansible_hostname always returns the host name. The template uses Jinja2 syntax. In this example the if...endif statement checks whether the current inventory_hostname is in the webservers or monitoring group (defined in the hosts file); if so, access to port 80 is granted (-A INPUT -p tcp --dport 80 -j ACCEPT). The for...endfor statement loops over the monitoring group and allows each of its hosts to reach port 5666; hostvars[host] returns the host object, from which that host's Facts can be read, e.g. hostvars[host].ansible_default_ipv4.address yields the host's IP.
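As an added example (not part of the role above), a small stdlib-only Python audit of the INPUT chain that iptables.j2 renders for one host: it parses the ACCEPT rules and flags any port that the host's group membership does not justify, or an NRPE (5666) rule whose source is not a monitoring host. The sample ruleset and the address 10.0.0.5 are constructed for the example.

```python
import re

# Ports that iptables.j2 opens per inventory group (from the template above).
GROUP_PORTS = {"webservers": {80}, "monitoring": {80}, "dbservers": {3306},
               "lbservers": {"listenport"}}  # resolved from the host's var
ALWAYS_ALLOWED = {22}  # the ssh rule is rendered for every host
NRPE_PORT = 5666       # allowed only from the monitoring hosts' IPs
RULE_RE = re.compile(r"^-A INPUT (?P<body>.+) -j (?P<target>\w+)")

def parse_accepts(ruleset):
    """Return [(dport, source)] for each INPUT ACCEPT rule that has --dport;
    source is None when the rule carries no -s restriction."""
    accepts = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("target") != "ACCEPT":
            continue
        dport = re.search(r"--dport (\d+)", m.group("body"))
        if not dport:
            continue  # state/icmp/loopback rules carry no port
        src = re.search(r"(?:^|\s)-s (\S+)", m.group("body"))
        accepts.append((int(dport.group(1)), src.group(1) if src else None))
    return accepts

def audit(ruleset, host_groups, listenport=None, monitoring_ips=()):
    """Return the set of accepted ports that the host's groups do not justify.
    An NRPE rule counts as unjustified unless its -s is a monitoring IP."""
    allowed = set(ALWAYS_ALLOWED)
    for group in host_groups:
        for port in GROUP_PORTS.get(group, ()):
            allowed.add(listenport if port == "listenport" else port)
    unexpected = set()
    for dport, src in parse_accepts(ruleset):
        if dport == NRPE_PORT:
            if src not in monitoring_ips:
                unexpected.add(dport)
        elif dport not in allowed:
            unexpected.add(dport)
    return unexpected

# Constructed sample: the INPUT chain the template renders for a dbservers
# host when the only monitoring host has the (made-up) address 10.0.0.5.
DB_HOST_RULES = """\
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.5 --dport 5666 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
```

Running audit(DB_HOST_RULES, ["dbservers"], monitoring_ips=("10.0.0.5",)) returns an empty set, while auditing the same ruleset as if the host were only in webservers reports 3306 as unexpected.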
2.4 roles/common/templates/ntp.conf.j2
[root@localhost templates]# cat ntp.conf.j2
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
server {{ ntpserver }}
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys