Ansible Roles 详解与实战案例
主机规划
添加用户账号
说明:
1、 运维人员使用的登录账号;
2、 所有的业务都放在 /app/ 下「yun用户的家目录」,避免业务数据乱放;
3、 该用户也被 ansible 使用,因为几乎所有的生产环境都是禁止 root 远程登录的(因此该 yun 用户也进行了 sudo 提权)。
1 # 使用一个专门的用户,避免直接使用root用户 2 # 添加用户、指定家目录并指定用户密码 3 # sudo提权 4 # 让其它普通用户可以进入该目录查看信息 5 useradd -u 1050 -d /app yun && echo '123456' | /usr/bin/passwd --stdin yun 6 echo "yun ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers 7 chmod 755 /app/
Ansible 配置清单Inventory
之后文章都是如下主机配置清单
1 [yun@ansi-manager ansible_info]$ pwd 2 /app/ansible_info 3 [yun@ansi-manager ansible_info]$ cat hosts_key 4 # 方式1、主机 + 端口 + 密钥 5 [manageservers] 6 172.16.1.180:22 7 8 [proxyservers] 9 172.16.1.18[1:2]:22 10 11 # 方式2:别名 + 主机 + 端口 + 密码 12 [webservers] 13 web01 ansible_ssh_host=172.16.1.183 ansible_ssh_port=22 14 web02 ansible_ssh_host=172.16.1.184 ansible_ssh_port=22 15 web03 ansible_ssh_host=172.16.1.185 ansible_ssh_port=22
Ansible Roles 基本概述
前面已经学习了 变量、tasks 和 handlers,那怎样组织 playbook 才是最好的方式呢?
简单的回答就是:使用 roles。roles 基于一个已知的文件结构,去自动的加载某些 vars_files,tasks 以及 handlers。以便 playbook 更好的调用。相比 playbook,roles 的结构更加的清晰有层次。
假如:无论我们安装什么软件都会安装时间同步服务,那么每个 playbook 都要编写时间同步服务的 task。此时我们可以将时间同步服务 task 写好,等到用的时候再调用即可。
注意事项:在编写 roles 的时候,最好能够将一个 task 拆分为一个文件,方便后续复用「彻底打散」。
Roles 目录结构
在 roles 目录下,可以使用如下命令创建目录
ansible-galaxy init nfs roles # 其中 nfs 为目录名称
这样创建的目录是全目录,但是我们可能只需要部分目录,因此实际应用中大多数都由我们自己创建目录,而不是用命令创建目录。
示例目录构造如下:
1 [yun@ansi-manager tmp]$ tree ./ 2 ./ 3 ├── sit.yml 4 ├── webservers.yml 5 └── roles 6 └── nfs # 角色名称 7 ├── defaults # 角色默认变量(最低优先级) 8 │ └── main.yml 9 ├── files # 文件存放 10 ├── handlers # 触发任务 11 │ └── main.yml 12 ├── meta # 依赖关系 13 │ └── main.yml 14 ├── README.md # 使用说明 15 ├── tasks # 具体任务 16 │ └── main.yml 17 ├── templates # 模板文件 18 └── vars # 角色其他变量 19 └── main.yml 20 21 10 directories, 10 files
目录说明:
1、首先要有 roles 目录,然后在 roles 目录下创建相应的目录。
2、roles 下的目录名最好见文知意,如 common 目录表示基础目录,是必要的;nfs 目录表示安装 nfs 服务;memcached 目录表示安装 memcached 服务;等等。
3、可以根据自身需要创建 roles 下的二级目录,不需要的目录可以不创建,没需要全目录创建。
4、roles 目录下的二级目录中,有些目录必须包含一个 main.yml 文件,以便 ansible 使用。
Roles 依赖关系
roles 允许在使用 role 时自动引入其他 role。roles 的依赖关系存储在 role 目录中的 meta/main.yml 文件中。
例如:安装 WordPress 是需要先确保 Nginx 和 PHP 都能正常运行,此时都可以在 WordPress 的 role 中定义依赖 Nginx 和 php-fpm 的 role。
1 [yun@ansi-manager playbook]$ cat /app/roles/wordpress/meta/main.yml
2 ---
3 dependencies:
4 - { role: nginx }
5 - { role: php-fpm }
此时 WordPress 的 role 会先执行 Nginx 的 role,然后执行 php-fpm 的 role,最后再执行 WordPress 本身的 role。
Ansible Roles 案例实战-部署 NFS 服务
整体目录结构
1 [yun@ansi-manager ansible_roles]$ pwd 2 /app/ansible_info/ansible_roles 3 [yun@ansi-manager ansible_roles]$ ll 4 total 4 5 drwxrwxr-x 2 yun yun 17 Sep 15 19:41 group_vars 6 -rw-rw-r-- 1 yun yun 108 Sep 15 19:37 nfs_server.yml 7 drwxrwxr-x 4 yun yun 35 Sep 15 18:00 roles 8 [yun@ansi-manager ansible_roles]$ tree # 目录结构 9 . 10 ├── group_vars 11 │ └── all 12 ├── nfs_server.yml 13 └── roles 14 ├── nfs # 服务端 15 │ ├── handlers 16 │ │ └── main.yml 17 │ ├── tasks 18 │ │ ├── config.yml 19 │ │ ├── install.yml 20 │ │ ├── main.yml 21 │ │ ├── mkdir.yml 22 │ │ ├── start_NFS.yml 23 │ │ └── start_rpcbind.yml 24 │ └── templates 25 │ └── exports.j2 26 └── nfs_client # 客户端 27 └── tasks 28 └── main.yml 29 30 9 directories, 11 files
服务端信息
目录结构
1 [yun@ansi-manager ansible_roles]$ pwd 2 /app/ansible_info/ansible_roles 3 [yun@ansi-manager ansible_roles]$ tree roles/nfs 4 roles/nfs 5 ├── handlers 6 │ └── main.yml 7 ├── tasks 8 │ ├── config.yml 9 │ ├── install.yml 10 │ ├── main.yml 11 │ ├── mkdir.yml 12 │ ├── start_NFS.yml 13 │ └── start_rpcbind.yml 14 └── templates 15 └── exports.j2 16 17 4 directories, 8 files
tasks任务目录信息
1 [yun@ansi-manager ansible_roles]$ cat roles/nfs/tasks/main.yml 2 - include_tasks: install.yml 3 - include_tasks: config.yml 4 - include_tasks: mkdir.yml 5 - include_tasks: start_rpcbind.yml 6 - include_tasks: start_NFS.yml 7 8 [yun@ansi-manager ansible_roles]$ cat roles/nfs/tasks/install.yml 9 - name: "install package NFS " 10 yum: 11 name: 12 - nfs-utils 13 - rpcbind 14 state: present 15 16 [yun@ansi-manager ansible_roles]$ cat roles/nfs/tasks/config.yml 17 - name: "NFS server config and edit restart" 18 template: 19 src: exports.j2 20 dest: /etc/exports 21 owner: root 22 group: root 23 mode: '644' 24 notify: "reload NFS server" 25 26 [yun@ansi-manager ansible_roles]$ cat roles/nfs/tasks/mkdir.yml 27 - name: "create NFS dir" 28 file: 29 path: /data 30 owner: yun 31 group: yun 32 state: directory 33 recurse: yes 34 35 [yun@ansi-manager ansible_roles]$ cat roles/nfs/tasks/start_rpcbind.yml 36 - name: "rpcbind server start" 37 systemd: 38 name: rpcbind 39 state: started 40 daemon_reload: yes 41 enabled: yes 42 43 [yun@ansi-manager ansible_roles]$ cat roles/nfs/tasks/start_NFS.yml 44 - name: "NFS server start" 45 systemd: 46 name: nfs 47 state: started 48 daemon_reload: yes 49 enabled: yes
handlers任务目录信息
1 [yun@ansi-manager ansible_roles]$ cat roles/nfs/handlers/main.yml 2 - name: "reload NFS server" 3 systemd: 4 name: nfs 5 state: reloaded
模板目录信息
1 [yun@ansi-manager ansible_roles]$ cat roles/nfs/templates/exports.j2
2 {{ nfs_dir }} 172.16.1.0/24(rw,sync,root_squash,all_squash,anonuid=1050,anongid=1050)
客户端信息
客户端就比较简单了,就一个挂载任务
1 [yun@ansi-manager ansible_roles]$ cat roles/nfs_client/tasks/main.yml
2 - name: "mount NFS server"
3 mount:
4 src: 172.16.1.180:{{ nfs_dir }}
5 path: /mnt
6 fstype: nfs
7 opts: defaults
8 state: mounted
变量信息
1 [yun@ansi-manager ansible_roles]$ pwd 2 /app/ansible_info/ansible_roles 3 [yun@ansi-manager ansible_roles]$ cat group_vars/all 4 # NFS 服务端目录 5 nfs_dir: /data
playbook 信息
1 [yun@ansi-manager ansible_roles]$ cat nfs_server.yml 2 --- 3 # NFS server 4 - hosts: manageservers 5 roles: 6 - nfs 7 8 - hosts: proxyservers 9 roles: 10 - nfs_client
任务执行
1 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key --syntax-check nfs_server.yml # 语法检测 2 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key -C nfs_server.yml # 预执行,测试执行 3 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key nfs_server.yml # 执行
Ansible Roles 案例实战-部署 memcached 服务
整体目录结构
1 [yun@ansi-manager ansible_roles]$ pwd 2 /app/ansible_info/ansible_roles 3 [yun@ansi-manager ansible_roles]$ ll 4 total 8 5 -rw-rw-r-- 1 yun yun 71 Sep 16 09:05 memcached_server.yml 6 drwxrwxr-x 5 yun yun 52 Sep 16 08:38 roles 7 [yun@ansi-manager ansible_roles]$ tree roles/ 8 roles/ 9 └── memcached 10 ├── handlers 11 │ └── main.yml 12 ├── tasks 13 │ ├── config.yml 14 │ ├── install.yml 15 │ ├── main.yml 16 │ └── start.yml 17 └── templates 18 └── memcached.j2 19 20 11 directories, 15 files
服务信息
目录结构
1 [yun@ansi-manager memcached]$ pwd 2 /app/ansible_info/ansible_roles/roles/memcached 3 [yun@ansi-manager memcached]$ ll 4 total 0 5 drwxrwxr-x 2 yun yun 22 Sep 16 08:56 handlers 6 drwxrwxr-x 2 yun yun 76 Sep 16 08:53 tasks 7 drwxrwxr-x 2 yun yun 26 Sep 16 08:55 templates 8 [yun@ansi-manager memcached]$ tree 9 . 10 ├── handlers 11 │ └── main.yml 12 ├── tasks 13 │ ├── config.yml 14 │ ├── install.yml 15 │ ├── main.yml 16 │ └── start.yml 17 └── templates 18 └── memcached.j2 19 20 3 directories, 6 files
tasks任务目录信息
1 [yun@ansi-manager memcached]$ cat tasks/main.yml 2 - include_tasks: install.yml 3 - include_tasks: config.yml 4 - include_tasks: start.yml 5 6 [yun@ansi-manager memcached]$ cat tasks/install.yml 7 - name: " install package memcached" 8 yum: 9 name: memcached 10 state: present 11 12 [yun@ansi-manager memcached]$ cat tasks/config.yml 13 - name: "memcached server config and edit restart" 14 template: 15 src: memcached.j2 16 dest: /etc/sysconfig/memcached 17 owner: root 18 group: root 19 mode: '644' 20 notify: "restart memcached server" 21 22 [yun@ansi-manager memcached]$ cat tasks/start.yml 23 - name: "memcached server start" 24 systemd: 25 name: memcached 26 state: started 27 daemon_reload: yes 28 enabled: yes
handlers任务目录信息
1 [yun@ansi-manager memcached]$ cat handlers/main.yml 2 - name: "restart memcached server" 3 systemd: 4 name: memcached 5 state: restarted
模板目录信息
1 [yun@ansi-manager memcached]$ cat templates/memcached.j2
2 PORT="11211"
3 USER="memcached"
4 MAXCONN="1024"
5 CACHESIZE="{{ ansible_memtotal_mb // 2 }}"
6 OPTIONS=""
playbook 信息
1 [yun@ansi-manager ansible_roles]$ cat memcached_server.yml 2 --- 3 # memcached server 4 - hosts: manageservers 5 roles: 6 - memcached
任务执行
1 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key --syntax-check memcached_server.yml # 语法检测 2 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key -C memcached_server.yml # 预执行,测试执行 3 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key memcached_server.yml # 执行
Ansible Roles 案例实战-部署 Rsync 服务
整体目录结构
1 [yun@ansi-manager ansible_roles]$ pwd 2 /app/ansible_info/ansible_roles 3 [yun@ansi-manager ansible_roles]$ ll 4 total 12 5 drwxrwxr-x 2 yun yun 17 Sep 29 09:33 group_vars 6 drwxrwxr-x 7 yun yun 86 Sep 29 08:49 roles 7 -rw-rw-r-- 1 yun yun 116 Sep 29 09:50 rsyncd_server.yml 8 [yun@ansi-manager ansible_roles]$ tree roles/ 9 roles/ 10 ├── rsync_client 11 │ ├── tasks 12 │ │ └── main.yml 13 │ └── templates 14 │ └── rsync.password.j2 15 └── rsyncd 16 ├── handlers 17 │ └── main.yml 18 ├── tasks 19 │ ├── config.yml 20 │ ├── install.yml 21 │ ├── main.yml 22 │ ├── mkdir.yml 23 │ └── start_rsyncd.yml 24 └── templates 25 ├── rsyncd.conf.j2 26 └── rsync.password.j2 27 28 18 directories, 25 files
服务端信息
目录结构
1 [yun@ansi-manager rsyncd]$ pwd 2 /app/ansible_info/ansible_roles/roles/rsyncd 3 [yun@ansi-manager rsyncd]$ tree 4 . 5 ├── handlers 6 │ └── main.yml 7 ├── tasks 8 │ ├── config.yml 9 │ ├── install.yml 10 │ ├── main.yml 11 │ ├── mkdir.yml 12 │ └── start_rsyncd.yml 13 └── templates 14 ├── rsyncd.conf.j2 15 └── rsync.password.j2 16 17 3 directories, 8 files
tasks任务目录信息
1 [yun@ansi-manager rsyncd]$ pwd 2 /app/ansible_info/ansible_roles/roles/rsyncd 3 [yun@ansi-manager rsyncd]$ cat tasks/main.yml 4 - include_tasks: install.yml 5 - include_tasks: config.yml 6 - include_tasks: mkdir.yml 7 - include_tasks: start_rsyncd.yml 8 9 [yun@ansi-manager rsyncd]$ cat tasks/install.yml 10 - name: "Install package rsync" 11 yum: 12 name: rsync 13 state: present 14 15 [yun@ansi-manager rsyncd]$ cat tasks/config.yml 16 - name: "rsyncd server config and edit restart" 17 template: 18 src: rsyncd.conf.j2 19 dest: /etc/rsyncd.conf 20 owner: root 21 group: root 22 mode: '644' 23 notify: "restart rsyncd server" 24 25 - name: "rsyncd server password file" 26 template: 27 src: rsync.password.j2 28 dest: /etc/rsync.password 29 owner: root 30 group: root 31 mode: '400' 32 33 [yun@ansi-manager rsyncd]$ cat tasks/mkdir.yml 34 - name: "create rsync business backup dir" 35 file: 36 path: /backup/busi_data 37 owner: root 38 group: root 39 state: directory 40 recurse: yes 41 42 - name: "create rsync database backup dir" 43 file: 44 path: /backup/database 45 owner: root 46 group: root 47 state: directory 48 recurse: yes 49 50 [yun@ansi-manager rsyncd]$ cat tasks/start_rsyncd.yml 51 - name: "rsyncd server start" 52 systemd: 53 name: rsyncd 54 state: started 55 daemon_reload: yes 56 enabled: yes
handlers任务目录信息
1 [yun@ansi-manager rsyncd]$ cat handlers/main.yml 2 - name: "restart rsyncd server" 3 systemd: 4 name: rsyncd 5 state: restarted
模板目录信息
1 [yun@ansi-manager rsyncd]$ pwd
2 /app/ansible_info/ansible_roles/roles/rsyncd
3 [yun@ansi-manager rsyncd]$ cat templates/rsyncd.conf.j2 # 文件1
4 # 备注:更多参数与更多详解,参见 man rsyncd.conf
5 #rsync_config---------------start
6 uid = root
7 gid = root
8 use chroot = false
9 max connections = 200
10 timeout = 100
11 pid file = /var/run/rsyncd.pid
12 lock file = /var/run/rsync.lock
13 log file = /var/log/rsyncd.log
14 dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2
15 ignore errors = true
16 read only = false
17 list = false
18
19 ## 注意为了避免困惑 hosts allow 和 hosts deny 请二选其一
20 hosts allow = 172.16.1.0/24,10.9.0.0/16,120.27.48.179
21 # hosts deny = 10.0.0.0/16
22 # 支持多个认证账号
23 auth users = {{ auth_user }}
24 secrets file = /etc/rsync.password
25
26
27 # 数据备份 注意 path 目录的权限信息
28 [back_data_module]
29 path = /backup/busi_data/
30
31 # 数据库备份 注意 path 目录的权限信息
32 [back_db_module]
33 path = /backup/database/
34
35 #rsync_config---------------end
36
37 [yun@ansi-manager rsyncd]$ cat templates/rsync.password.j2 # 文件2
38 {{ auth_user }}:{{ auth_pawd }}
客户端信息
1 [yun@ansi-manager rsync_client]$ pwd
2 /app/ansible_info/ansible_roles/roles/rsync_client
3 [yun@ansi-manager rsync_client]$ tree # 目录结构
4 .
5 ├── tasks
6 │ └── main.yml
7 └── templates
8 └── rsync.password.j2
9
10 2 directories, 2 files
11 [yun@ansi-manager rsync_client]$ cat tasks/main.yml # tasks 信息
12 - name: "rsync passwrod file config"
13 template:
14 src: rsync.password.j2
15 dest: /etc/rsync.password
16 owner: root
17 group: root
18 mode: '400'
19
20 [yun@ansi-manager rsync_client]$ cat templates/rsync.password.j2 # 模板信息
21 {{ auth_pawd }}
变量信息
1 [yun@ansi-manager ansible_roles]$ pwd 2 /app/ansible_info/ansible_roles 3 [yun@ansi-manager ansible_roles]$ cat group_vars/all 4 # NFS 服务端目录 5 nfs_dir: /data 6 # rsync daemon 使用 7 auth_user: rsync_backup 8 auth_pawd: rsync_backup_pwd
playbook 信息
1 [yun@ansi-manager ansible_roles]$ cat rsyncd_server.yml 2 --- 3 # rsyncd server 4 - hosts: manageservers 5 roles: 6 - rsyncd 7 8 - hosts: proxyservers 9 roles: 10 - rsync_client
任务执行
1 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key --syntax-check rsyncd_server.yml # 语法检测 2 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key -C rsyncd_server.yml # 预执行,测试执行 3 [yun@ansi-manager ansible_roles]$ ansible-playbook -b -i ../hosts_key rsyncd_server.yml # 执行
Ansible Galaxy
https://galaxy.ansible.com