  • playbook部署lamp

    playbook部署lamp

    环境

    主机IP 需要安装的服务 name
    192.168.23.132 ansible ansible
    192.168.23.133 httpd httpd
    192.168.23.134 mysql mysql
    192.168.23.135 php php

    项目结构

    [root@yc lamp]# tree
    .
    ├── ansible.cfg
    ├── app
    │   └── php
    │       ├── php.yml
    │       └── vars
    │           └── php_vars
    ├── base
    │   └── base.yml
    ├── database
    │   └── mysql
    │       ├── mysql.yml
    │       ├── packages
    │       │   └── mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz
    │       ├── secret.yml
    │       └── vars
    │           └── mysql_vars
    ├── inventory
    ├── lamp.yml
    └── web
        └── httpd
            ├── httpd_install.yml
            ├── httpd_config.yml
            ├── packages
            │   ├── apr-1.7.0.tar.gz
            │   ├── apr-util-1.6.1.tar.gz
            │   └── httpd-2.4.46.tar.bz2
            └── vars
                └── httpd_vars
    

    准备工作:

    //映射主机名
    [root@yc ~]# vim /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.23.132 ansible
    192.168.23.133 httpd
    192.168.23.134 mysql
    192.168.23.135 php
    
    //配置centos源
    [root@yc ~]# rm -rf /etc/yum.repos.d/*
    [root@yc ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
    [root@yc ~]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
    [root@yc ~]# sed -i 's|$releasever|8|' /etc/yum.repos.d/CentOS-Base.repo
    
    //配置epel源
    [root@yc ~]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
    [root@yc ~]# sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
    [root@yc ~]# sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
    [root@yc ~]# sed -i 's|$releasever|8|' /etc/yum.repos.d/epel*
    [root@yc ~]# yum clean all
    [root@yc ~]# yum makecache
    
    //安装ansible
    [root@yc ~]# yum -y install ansible
    
    //编写清单
    [root@yc ~]# vim /etc/ansible/inventory
    192.168.23.133
    192.168.23.134
    192.168.23.135
    
    //更改配置文件
    [root@yc ~]# vim /etc/ansible/ansible.cfg
    inventory      = /etc/ansible/inventory			//取消注释并把路径改成inventory
    
    //使用ssh-keygen生成私钥和公钥(口令留空只适合实验环境:这把私钥可以免密以root身份登录后面三台受管主机,正式环境应设置口令并配合ssh-agent使用)
    [root@yc ~]# ssh-keygen -t rsa  //后面直接回车
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:hOhPvjrJRzNg+zV3F2fi36lgiGltUl8wSxsmeKEzYg0 root@ansible
    The key's randomart image is:
    +---[RSA 3072]----+
    |     E   .       |
    |     .o.o .      |
    |    .o.*.o *     |
    |   .+ ..+ + * o o|
    |   ..o. S. o o = |
    |    .++ B + o o  |
    |   . +oO * = . .o|
    |    + +.o . .  .o|
    |    .+.      ..  |
    +----[SHA256]-----+
    
    //给httpd、mysql、php三台主机设置免密登录
    [root@yc1 ~]# ssh-copy-id root@192.168.23.133
    [root@yc2 ~]# ssh-copy-id root@192.168.23.134
    [root@yc2 ~]# ssh-copy-id root@192.168.23.135
    
    //测试是否连通
    [root@yc lamp]# ansible all -m ping
    192.168.23.135 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
    192.168.23.133 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
    192.168.23.134 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
    

    编写yum的playbook

    [root@yc lamp]# cat yum.yml 
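    ---
    # Base play for all managed hosts: configure the Aliyun CentOS and EPEL
    # repositories for EL7/EL8, then switch off SELinux and firewalld.
    #
    # Package signatures are verified (gpgcheck: yes). With gpgcheck disabled,
    # yum installs whatever the mirror serves, so a tampered or stale mirror
    # could deliver altered packages that are then installed as root.
    - hosts: all
      vars:
        baseurl_8: https://mirrors.aliyun.com/epel/8/Modular/x86_64/
        baseurl_7: https://mirrors.aliyun.com/epel/7/x86_64/
        # Repository signing keys. They are fetched from the same mirror as the
        # packages, so compare their fingerprints once with the ones published
        # by the CentOS and EPEL projects before trusting them.
        gpgkey_centos_8: https://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-Official
        gpgkey_centos_7: https://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
        gpgkey_epel_8: https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-8
        gpgkey_epel_7: https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-7

      tasks:
        # One repo file per EL8 repository (BaseOS, AppStream).
        - name: yum config for 8
          yum_repository:
            name: "{{ item }}"
            baseurl: https://mirrors.aliyun.com/centos/8/{{ item }}/x86_64/os/
            enabled: yes
            gpgcheck: yes
            gpgkey: "{{ gpgkey_centos_8 }}"
            mode: 0644
            file: "{{ item }}"
            description: "{{ item }}"
            state: present
          loop:
            - BaseOS
            - AppStream
          when: >
            ( ansible_facts["distribution"] == "RedHat" and
              ansible_facts["distribution_major_version"] == "8" )
            or
            ( ansible_facts["distribution"] == "CentOS" and
              ansible_facts["distribution_major_version"] == "8" )

        - name: yum config for 7
          yum_repository:
            name: base
            baseurl: https://mirrors.aliyun.com/centos/7/os/x86_64/
            enabled: yes
            gpgcheck: yes
            gpgkey: "{{ gpgkey_centos_7 }}"
            mode: 0644
            file: base
            description: base
            state: present
          when: >
            ( ansible_facts["distribution"] == "RedHat" and
              ansible_facts["distribution_major_version"] == "7" )
            or
            ( ansible_facts["distribution"] == "CentOS" and
              ansible_facts["distribution_major_version"] == "7" )

        - name: yum config epel for 8
          yum_repository:
            name: epel
            baseurl: "{{ baseurl_8 }}"
            enabled: yes
            gpgcheck: yes
            gpgkey: "{{ gpgkey_epel_8 }}"
            mode: 0644
            file: epel
            description: epel
            state: present
          when: >
            ( ansible_facts["distribution"] == "RedHat" and
              ansible_facts["distribution_major_version"] == "8" )
            or
            ( ansible_facts["distribution"] == "CentOS" and
              ansible_facts["distribution_major_version"] == "8" )

        - name: yum config epel for 7
          yum_repository:
            name: epel
            baseurl: "{{ baseurl_7 }}"
            enabled: yes
            gpgcheck: yes
            gpgkey: "{{ gpgkey_epel_7 }}"
            mode: 0644
            file: epel
            description: epel
            state: present
          when: >
            ( ansible_facts["distribution"] == "RedHat" and
              ansible_facts["distribution_major_version"] == "7" )
            or
            ( ansible_facts["distribution"] == "CentOS" and
              ansible_facts["distribution_major_version"] == "7" )

        # NOTE(review): the four tasks below turn off SELinux enforcement and
        # the host firewall on every host in the inventory. That is a lab
        # shortcut: each listening service (httpd :80, MySQL :3306,
        # php-fpm :9000) is then reachable from the whole network. Outside a
        # lab, keep both enabled and open only the ports each host needs.
        - name: close selinux(1)
          shell: setenforce 0

        - name: close selinux(2)
          lineinfile:
            path: /etc/selinux/config
            regexp: '^SELINUX='
            line: 'SELINUX=disabled'

        - name: close firewalld(1)
          service:
            name: firewalld
            state: stopped

        - name: close firewalld(2)
          shell: systemctl disable firewalld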
    

    配置变量

    [root@yc lamp]# mkdir ~/lamp/vars
     
    [root@yc lamp]# vim ~/lamp/vars/apache
    user: apache
    path_packages: "/root"
    httpd_packages:
      - bzip2
      - make
      - "openssl-devel"
      - "pcre-devel"
      - "expat-devel"
      - libtool
      - gcc
      - "gcc-c++"
      - "libxml2-devel"
     
    [root@yc lamp]# vim ~/lamp/vars/mysql
    user: mysql
    path_packages: "/root"
    path_data: "/opt/data"
    mysql_packages:
      - "ncurses-devel"
      - "openssl-devel"
      - openssl
      - cmake
      - "mariadb-devel"
      - "ncurses-compat-libs"
    
    [root@yc lamp]# vim ~/lamp/vars/php
    php_packages:
      - libxml2
      - "libxml2-devel"
      - openssl
      - "openssl-devel"
      - bzip2
      - "bzip2-devel"
      - libcurl
      - "libcurl-devel"
      - "libicu-devel"
      - libjpeg
      - "libjpeg-devel"
      - libpng
      - "libpng-devel"
      - "openldap-devel"
      - "pcre-devel"
      - freetype
      - "freetype-devel"
      - gmp
      - "gmp-devel"
      - libmcrypt
      - "libmcrypt-devel"
      - readline
      - "readline-devel"
      - libxslt
      - "libxslt-devel"
      - mhash
      - "mhash-devel"
      - "php-mysqlnd"
    

    下载源码包

    [root@yc lamp]# mkdir ~/lamp/packages
    
    //下载httpd源码包
    [root@yc lamp]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2 ~/lamp/packages
    [root@yc lamp]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz ~/lamp/packages
    [root@yc lamp]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz ~/lamp/packages
    
    //下载mysql源码包
    [root@yc lamp]# wget https://downloads.mysql.com/archives/get/p/23/file/mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz ~/lamp/packages
    

    安装httpd的playbook

    [root@yc lamp]# vim ~/lamp/web/httpd/httpd_install.yml
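    ---
    # Build apr, apr-util and httpd 2.4.46 from the source archives in
    # ./packages on the httpd host and install them under /usr/local.
    #
    # NOTE(review): the archives are unpacked and built as root, and nothing in
    # this play checks their integrity. Verify them on the control node against
    # the checksums or signatures published by the Apache project before
    # running the play.
    - hosts: httpd
      vars_files: vars/httpd_vars
      tasks:
        - name: install packages
          yum:
            name: '{{ httpd_packages }}'
            state: present

        - name: install tools
          yum:
            name: "@Development tools"
            state: present

        # System account without home directory or login shell.
        - name: create user {{ user }}
          user:
            name: '{{ user }}'
            system: yes
            create_home: no
            shell: /sbin/nologin
            state: present

        - name: copy apr package
          copy:
            src: ./packages/apr-1.7.0.tar.gz
            dest: '{{ path_packages }}'

        - name: copy apr-util package
          copy:
            src: ./packages/apr-util-1.6.1.tar.gz
            dest: '{{ path_packages }}'

        - name: copy httpd package
          copy:
            src: ./packages/httpd-2.4.46.tar.bz2
            dest: '{{ path_packages }}'

        # chdir pins the working directory, so the archives are unpacked where
        # the later tasks look for them regardless of the login directory.
        - name: unzip all
          shell: tar xf apr-1.7.0.tar.gz && tar xf apr-util-1.6.1.tar.gz && tar xf httpd-2.4.46.tar.bz2
          args:
            chdir: '{{ path_packages }}'

        # Comments out the `$RM "$cfgfile"` line in apr's configure script.
        - name: delete notes for apr
          shell: sed -i 's|$RM "$cfgfile"|#$RM "$cfgfile"|' ./apr-1.7.0/configure
          args:
            chdir: '{{ path_packages }}'

        # creates: skip the build when the installed binary already exists.
        - name: install apr
          shell: ./configure --prefix=/usr/local/apr && make && make install
          args:
            chdir: '{{ path_packages }}/apr-1.7.0'
            creates: /usr/local/apr/bin/apr-1-config

        # The option is --with-apr=PATH; the original "--with apr=PATH" is not
        # a valid configure option.
        - name: install apr-util
          shell: ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr && make && make install
          args:
            chdir: '{{ path_packages }}/apr-util-1.6.1'
            creates: /usr/local/apr-util/bin/apu-1-config

        - name: install httpd
          shell: ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork && make && make install
          args:
            chdir: '{{ path_packages }}/httpd-2.4.46'
            creates: /usr/local/apache/bin/httpd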
    

    安装mysql的playbook

    
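    ---
    # Install the MySQL 5.7.31 binary distribution on the mysql host,
    # initialise the data directory and start the server.
    - hosts: mysql
      vars_files: vars/mysql_vars
      tasks:
        - name: install packages
          yum:
            name: '{{ mysql_packages }}'
            state: present

        - name: copy mysql package
          copy:
            src: ./packages/mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz
            dest: '{{ path_packages }}'

        # System account without home directory or login shell.
        - name: create user {{ user }}
          user:
            name: '{{ user }}'
            system: yes
            create_home: no
            shell: /sbin/nologin
            state: present

        - name: mkdir data
          file:
            path: '{{ path_data }}'
            owner: '{{ user }}'
            group: '{{ user }}'
            state: directory

        # creates: do not unpack again once the directory exists.
        - name: install mysql
          shell: tar xf {{ path_packages }}/mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz -C /usr/local/
          args:
            creates: /usr/local/mysql-5.7.31-linux-glibc2.12-x86_64

        - name: soft link
          file:
            src: /usr/local/mysql-5.7.31-linux-glibc2.12-x86_64
            dest: /usr/local/mysql
            state: link

        - name: chown mysql
          file:
            path: /usr/local/mysql-5.7.31-linux-glibc2.12-x86_64
            owner: '{{ user }}'
            group: '{{ user }}'
            state: directory

        # blockinfile writes the section once and keeps it in place on later
        # runs; lineinfile with a multi-line value appends it again every run.
        # NOTE(review): no bind-address is set, so mysqld listens on every
        # interface (the MySQL default). With firewalld stopped by the base
        # play, port 3306 is reachable from the whole network.
        - name: my.cnf config
          blockinfile:
            path: /etc/my.cnf
            create: yes
            block: |
              [mysqld]
              basedir = /usr/local/mysql
              datadir = /opt/data
              socket = /tmp/mysql.sock
              port = 3306
              pid-file = /opt/data/mysql.pid
              user = mysql
              skip-name-resolve

        - name: copy start shell
          shell: cp -a /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld

        - name: start shell config(1)
          lineinfile:
            path: /etc/init.d/mysqld
            regexp: '^basedir='
            line: basedir=/usr/local/mysql

        - name: start shell config(2)
          lineinfile:
            path: /etc/init.d/mysqld
            regexp: '^datadir='
            line: datadir={{ path_data }}

        # Adds the MySQL man path as its own line after the existing entry. A
        # double-quoted YAML string spanning two lines is folded into one line,
        # which would leave a malformed MANDATORY_MANPATH entry.
        - name: man_db config
          lineinfile:
            path: /etc/man_db.conf
            insertafter: '^MANDATORY_MANPATH\s+/usr/local/share/man'
            line: 'MANDATORY_MANPATH                       /usr/local/mysql/man'

        # File name corrected from "myslq.sh".
        - name: path config
          shell: echo 'export PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh && source /etc/profile.d/mysql.sh

        # /root/sqlpass captures the temporary root password that --initialize
        # prints. umask 077 creates the file readable by root only; creates
        # skips the step once the data directory has been initialised.
        - name: initialize mysql
          shell: umask 077 && /usr/local/mysql/bin/mysqld --initialize --user=mysql --datadir=/opt/data > /root/sqlpass 2>&1
          args:
            creates: /opt/data/ibdata1

        - name: lib config
          shell: echo "/usr/local/mysql/lib" > /etc/ld.so.conf.d/mysql.conf && ldconfig

        - name: start mysql
          shell: service mysqld start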
    

    配置httpd的playbook

    [root@yc lamp]# vim ~/lamp/web/httpd/httpd_config.yml
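    # Configure the source-built httpd: PATH, ServerName, headers and man pages,
    # the proxy modules, and a virtual host that forwards *.php requests to
    # php-fpm on the php host.
    - hosts: httpd
      tasks:
        # Indentation aligned with the other tasks (the original list item was
        # one column short, which is a YAML syntax error). Single quotes keep
        # $PATH literal in the profile script instead of expanding it while the
        # task runs.
        - name: path config
          shell: echo 'export PATH=/usr/local/apache/bin:$PATH' > /etc/profile.d/httpd.sh && source /etc/profile.d/httpd.sh

        - name: delete servername notes
          lineinfile:
            path: /etc/httpd24/httpd.conf
            regexp: '^#ServerName'
            line: ServerName www.example.com:80

        - name: include config
          file:
            src: /usr/local/apache/include
            dest: /usr/local/include/httpd
            state: link

        # Adds the Apache man path as its own line after the existing entry. A
        # double-quoted YAML string spanning two lines is folded into one line,
        # which would leave a malformed MANDATORY_MANPATH entry.
        - name: man_db config
          lineinfile:
            path: /etc/man_db.conf
            insertafter: '^MANDATORY_MANPATH\s+/usr/local/share/man'
            line: 'MANDATORY_MANPATH                       /usr/local/apache/man'

        - name: enable module(1)
          lineinfile:
            path: /etc/httpd24/httpd.conf
            regexp: '^#LoadModule proxy_module'
            line: LoadModule proxy_module modules/mod_proxy.so

        - name: enable module(2)
          lineinfile:
            path: /etc/httpd24/httpd.conf
            regexp: '^#LoadModule proxy_fcgi_module'
            line: LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

        - name: add index.php
          lineinfile:
            path: /etc/httpd24/httpd.conf
            regexp: '^    DirectoryIndex'
            line: '    DirectoryIndex index.php index.html'

        # One directive per inserted line, for the same folding reason as the
        # man_db task. insertafter places each item directly after the gzip
        # line, so the list is given in reverse of the final order.
        - name: add type
          lineinfile:
            path: /etc/httpd24/httpd.conf
            insertafter: '^\s*AddType application/x-gzip \.gz \.tgz'
            line: '{{ item }}'
          loop:
            - '    AddType application/x-httpd-php-source .phps'
            - '    AddType application/x-httpd-php .php'

        # blockinfile keeps a single copy of the virtual host on repeated runs.
        # The fcgi target is the php host from the environment table
        # (192.168.23.135); the original pointed at 192.168.100.4, an address
        # outside this deployment, so PHP requests would have been sent to
        # whatever machine holds that address. The dot before "php" is escaped
        # so only paths ending in ".php" are proxied.
        - name: add virtualhost
          blockinfile:
            path: /etc/httpd24/httpd.conf
            block: |
              <VirtualHost *:80>
                  DocumentRoot "/usr/local/apache/htdocs/"
                  ServerName yuqinghao.com
                  ProxyRequests Off
                  ProxyPassMatch ^/(.*\.php)$ fcgi://192.168.23.135:9000/var/www/html/$1
                  <Directory "/usr/local/apache/htdocs/">
                      Options none
                      AllowOverride none
                      Require all granted
                  </Directory>
              </VirtualHost>

        - name: restart apache
          shell: /usr/local/apache/bin/apachectl restart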
    

    安装mysql的playbook

    [root@yc lamp]# vim ~/lamp/database/mysql/mysql.yml
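    ---
    # Install the MySQL 5.7.31 binary distribution on the mysql host,
    # initialise the data directory and start the server.
    - hosts: mysql
      vars_files: vars/mysql_vars
      tasks:
        - name: install packages
          yum:
            name: '{{ mysql_packages }}'
            state: present

        - name: copy mysql package
          copy:
            src: ./packages/mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz
            dest: '{{ path_packages }}'

        # System account without home directory or login shell.
        - name: create user {{ user }}
          user:
            name: '{{ user }}'
            system: yes
            create_home: no
            shell: /sbin/nologin
            state: present

        - name: mkdir data
          file:
            path: '{{ path_data }}'
            owner: '{{ user }}'
            group: '{{ user }}'
            state: directory

        # creates: do not unpack again once the directory exists.
        - name: install mysql
          shell: tar xf {{ path_packages }}/mysql-5.7.31-linux-glibc2.12-x86_64.tar.gz -C /usr/local/
          args:
            creates: /usr/local/mysql-5.7.31-linux-glibc2.12-x86_64

        - name: soft link
          file:
            src: /usr/local/mysql-5.7.31-linux-glibc2.12-x86_64
            dest: /usr/local/mysql
            state: link

        - name: chown mysql
          file:
            path: /usr/local/mysql-5.7.31-linux-glibc2.12-x86_64
            owner: '{{ user }}'
            group: '{{ user }}'
            state: directory

        # blockinfile writes the section once and keeps it in place on later
        # runs; lineinfile with a multi-line value appends it again every run.
        # NOTE(review): no bind-address is set, so mysqld listens on every
        # interface (the MySQL default). With firewalld stopped by the base
        # play, port 3306 is reachable from the whole network.
        - name: my.cnf config
          blockinfile:
            path: /etc/my.cnf
            create: yes
            block: |
              [mysqld]
              basedir = /usr/local/mysql
              datadir = /opt/data
              socket = /tmp/mysql.sock
              port = 3306
              pid-file = /opt/data/mysql.pid
              user = mysql
              skip-name-resolve

        - name: copy start shell
          shell: cp -a /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld

        - name: start shell config a
          lineinfile:
            path: /etc/init.d/mysqld
            regexp: '^basedir='
            line: basedir=/usr/local/mysql

        - name: start shell config b
          lineinfile:
            path: /etc/init.d/mysqld
            regexp: '^datadir='
            line: datadir={{ path_data }}

        # Adds the MySQL man path as its own line after the existing entry. A
        # double-quoted YAML string spanning two lines is folded into one line,
        # which would leave a malformed MANDATORY_MANPATH entry.
        - name: man_db config
          lineinfile:
            path: /etc/man_db.conf
            insertafter: '^MANDATORY_MANPATH\s+/usr/local/share/man'
            line: 'MANDATORY_MANPATH                       /usr/local/mysql/man'

        # File name corrected from "myslq.sh".
        - name: path config
          shell: echo 'export PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh && source /etc/profile.d/mysql.sh

        # /root/sqlpass captures the temporary root password that --initialize
        # prints. umask 077 creates the file readable by root only; creates
        # skips the step once the data directory has been initialised.
        - name: initialize mysql
          shell: umask 077 && /usr/local/mysql/bin/mysqld --initialize --user=mysql --datadir=/opt/data > /root/sqlpass 2>&1
          args:
            creates: /opt/data/ibdata1

        - name: lib config
          shell: echo "/usr/local/mysql/lib" > /etc/ld.so.conf.d/mysql.conf && ldconfig

        - name: start mysql
          shell: service mysqld start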
    

    编写修改mysql密码的playbook

    //编写修改密码剧本
    [root@yc lamp]# vim ~/lamp/database/mysql/secret.yml
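    ---
    # Replace the temporary MySQL root password (captured in /root/sqlpass by
    # the install play) with a permanent one.
    - hosts: mysql
      vars:
        user: mysql
        # Placeholder: set a long random value before encrypting this file with
        # ansible-vault. A short numeric password such as the original "123456"
        # is among the first that password-guessing attempts try. The value is
        # placed inside a single-quoted SQL string, so it must not contain a
        # single quote.
        mysql_root_password: "REPLACE_WITH_A_STRONG_PASSWORD"

      tasks:
        # The SQL statement is passed on stdin, so the new password does not
        # appear in the process list, and no_log keeps it out of Ansible's
        # output and logs. The original wrapped "123456" in double quotes
        # inside a double-quoted argument, which ends the shell string early.
        # removes: the task is skipped once /root/sqlpass has been deleted.
        - name: change pass
          shell: /usr/local/mysql/bin/mysql -uroot -p"$(awk '/temporary password/{print $NF}' /root/sqlpass)" --connect-expired-password
          args:
            stdin: "ALTER USER USER() IDENTIFIED BY '{{ mysql_root_password }}';"
            removes: /root/sqlpass
          no_log: true

        # The temporary password is no longer valid; do not leave it on disk.
        - name: remove temporary password file
          file:
            path: /root/sqlpass
            state: absent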
          
    //加密修改密码剧本
    [root@yc lamp]# ansible-vault encrypt ~/lamp/database/mysql/secret.yml
    New Vault password: yanchuang
    Confirm New Vault password: yanchuang
    Encryption successful
    
    //记录加密密码
    [root@yc lamp]# echo 'yanchuang' > ~/lamp/database/mysql/.mypass
    
    //修改权限只允许root读写
    [root@yc lamp]# chmod 600 ~/lamp/database/mysql/.mypass
    
    //使用加密密码查看加密剧本
    [root@yc lamp]# ansible-vault view --vault-password-file=lamp/database/mysql/.mypass ~/lamp/database/mysql/secret.yml
    

    安装php的playbook

    [root@yc lamp]# cat php.yml 
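    ---
    # Install PHP and php-fpm on the php host, publish a test page and let the
    # web server reach php-fpm over TCP port 9000.
    - hosts: php
      vars_files: vars/php_vars
      vars:
        # The only client that needs php-fpm is the web server (the httpd host
        # in the environment table).
        httpd_host: 192.168.23.133
      tasks:
        - name: install packages
          yum:
            name: '{{ php_packages }}'
            state: present

        # NOTE(review): php-* installs every PHP subpackage the repositories
        # offer; an explicit list of the extensions the application uses keeps
        # the installed code, and what has to be patched, smaller.
        - name: install php
          yum:
            name: php-*
            state: present

        # NOTE(review): phpinfo() prints the PHP version, loaded modules, file
        # paths and environment variables to anyone who requests the page.
        # Remove index.php once the stack has been verified.
        - name: index.php config
          lineinfile:
            path: /var/www/html/index.php
            line: "<?php phpinfo(); ?>"
            create: yes
            state: present

        - name: chown html
          file:
            path: /var/www/html
            owner: apache
            group: apache
            state: directory

        # php-fpm listens on all interfaces here. With firewalld stopped by the
        # base play, listen.allowed_clients below is the only restriction on
        # who may submit FastCGI requests.
        - name: change listen address
          lineinfile:
            path: /etc/php-fpm.d/www.conf
            regexp: '^listen = /run/php-fpm/www.sock'
            line: "listen=0.0.0.0:9000"

        # Allow the httpd host, which proxies the PHP requests. The original
        # value 192.168.23.132 is the Ansible control node, so requests from
        # the web server would be refused. The regexp matches any existing
        # value, so a rerun updates the line instead of adding a second one.
        - name: change web address
          lineinfile:
            path: /etc/php-fpm.d/www.conf
            regexp: '^listen\.allowed_clients\s*='
            line: "listen.allowed_clients = {{ httpd_host }}"

        - name: start php
          service:
            name: php-fpm
            state: restarted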
    

    导入任务

    [root@yc lamp]# vim ~/lamp/lamp.yml
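    ---
    # Top-level playbook: runs the per-component playbooks in order.
    # secret.yml (the vault-encrypted password change) is not imported here.
    - name: config yum
      import_playbook: ./base/base.yml

    - name:  install httpd
      import_playbook: ./web/httpd/httpd_install.yml

    # Imports httpd_config.yml; the original imported httpd_install.yml a
    # second time, so the configuration play never ran.
    - name: config httpd
      import_playbook: ./web/httpd/httpd_config.yml

    - name: install mysql
      import_playbook: ./database/mysql/mysql.yml

    - name: install php
      import_playbook: ./app/php/php.yml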
    
  • 原文地址:https://www.cnblogs.com/Ycqifei/p/14290590.html