I. Key points
The example is split into 6 roles: base-apache, common, db, haproxy, nagios and web, each corresponding to one of 6 functional environments to be deployed. This article covers the common role.
II. The common role
1 Key points
The main job of common is to deploy and configure the basic system services: the yum repository, installation of the Nagios plugins, the NTP service, iptables, SELinux and so on.
2 Code
2.1 roles/common/tasks/main.yml
---
# This role contains common plays that will run on all nodes.
- name: Create the repository for EPEL
  copy: src=epel.repo dest=/etc/yum.repos.d/epel.repo

- name: Create the GPG key for EPEL
  copy: src=RPM-GPG-KEY-EPEL-6 dest=/etc/pki/rpm-gpg

- name: install some useful nagios plugins
  yum: name={{ item }} state=present
  with_items:
    - nagios-nrpe
    - nagios-plugins-swap
    - nagios-plugins-users
    - nagios-plugins-procs
    - nagios-plugins-load
    - nagios-plugins-disk

- name: Install ntp
  yum: name=ntp state=present
  tags: ntp

- name: Configure ntp file
  template: src=ntp.conf.j2 dest=/etc/ntp.conf
  tags: ntp
  notify: restart ntp

- name: Start the ntp service
  service: name=ntpd state=started enabled=true
  tags: ntp

- name: insert iptables template
  template: src=iptables.j2 dest=/etc/sysconfig/iptables
  notify: restart iptables

- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  changed_when: false
The code above defines two remote file copies (copy); the default location of src (the source file) is roles/common/files. The with_items keyword loops over the list of Nagios plugins and installs each one; the ntp service is installed alongside, and the template file roles/common/templates/ntp.conf.j2 is rendered and synced to /etc/ntp.conf on the target host. The system iptables configuration references the roles/common/templates/iptables.j2 template; "notify: restart iptables" means that whenever the state or the template changes, the handler (handlers) is notified to act. "command: getenforce" runs getenforce to detect whether SELinux is enforcing, and "changed_when: false" stops the command run from being recorded as changed, i.e. changed is always False.
2.2 roles/common/handlers/main.yml
---
# Handlers for common notifications
- name: restart ntp
  service: name=ntpd state=restarted

- name: restart iptables
  service: name=iptables state=restarted
The code above defines two handlers, which restart the ntp and iptables services respectively. The "name: restart ntp" here corresponds one-to-one with "notify: restart ntp" in the task (tasks) definition, and likewise for "name: restart iptables".
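Because each notify must name a handler exactly, a mismatch (a typo in one of the two files, or a handler that nothing ever triggers) only surfaces when the play runs. The following is an added example, not code from the chapter or from Ansible: a small pre-run check over Python mirrors of the two YAML files above. The task and handler lists are hand-built copies of roles/common/tasks/main.yml and roles/common/handlers/main.yml; the check also understands Ansible's "listen" topics on handlers, which goes beyond what the chapter's handlers use.

```python
# Added example (not from the original chapter): check that every "notify"
# in a role's tasks names an existing handler, and that every handler is
# reachable from some task. TASKS and HANDLERS are hand-built mirrors of the
# chapter's roles/common/tasks/main.yml and roles/common/handlers/main.yml.

TASKS = [
    {"name": "Create the repository for EPEL",
     "copy": "src=epel.repo dest=/etc/yum.repos.d/epel.repo"},
    {"name": "Configure ntp file",
     "template": "src=ntp.conf.j2 dest=/etc/ntp.conf",
     "tags": "ntp", "notify": "restart ntp"},
    {"name": "insert iptables template",
     "template": "src=iptables.j2 dest=/etc/sysconfig/iptables",
     "notify": "restart iptables"},
    {"name": "test to see if selinux is running",
     "command": "getenforce", "register": "sestatus",
     "changed_when": False},
]

HANDLERS = [
    {"name": "restart ntp", "service": "name=ntpd state=restarted"},
    {"name": "restart iptables", "service": "name=iptables state=restarted"},
]


def _as_list(value):
    """notify and listen may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def handler_names(handlers):
    """Every name a notify can target: handler names plus any listen topics."""
    names = set()
    for h in handlers:
        names.add(h["name"])
        names.update(_as_list(h.get("listen")))
    return names


def check_notifications(tasks, handlers):
    """Return (missing, unused): notify targets that no handler serves, and
    handler names that no task ever notifies, each in order of appearance."""
    targets = handler_names(handlers)
    notified = []
    for t in tasks:
        for n in _as_list(t.get("notify")):
            if n not in notified:
                notified.append(n)
    missing = [n for n in notified if n not in targets]
    unused = []
    for h in handlers:
        # a handler is reached by its own name or by any topic it listens on
        reachable = {h["name"], *_as_list(h.get("listen"))}
        if not reachable & set(notified):
            unused.append(h["name"])
    return missing, unused


if __name__ == "__main__":
    missing, unused = check_notifications(TASKS, HANDLERS)
    print("notify targets without a handler:", missing)
    print("handlers never notified:", unused)
```

With the chapter's two files both lists come back empty; renaming one side of the pair (for example "restart ntpd" in the handler file) shows up as both a missing target and an unused handler.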
2.3 roles/common/templates/iptables.j2
# {{ ansible_managed }}
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if (inventory_hostname in groups['webservers']) or (inventory_hostname in groups['monitoring']) %}
-A INPUT -p tcp --dport 80 -j ACCEPT
{% endif %}
{% if inventory_hostname in groups['dbservers'] %}
-A INPUT -p tcp --dport 3306 -j ACCEPT
{% endif %}
{% if inventory_hostname in groups['lbservers'] %}
-A INPUT -p tcp --dport {{ listenport }} -j ACCEPT
{% endif %}
{% for host in groups['monitoring'] %}
-A INPUT -p tcp -s {{ hostvars[host].ansible_default_ipv4.address }} --dport 5666 -j ACCEPT
{% endfor %}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"inventory_hostname" is the host name or IP exactly as stored in Ansible's inventory file; its advantage is that it does not depend on the Facts host name variable ansible_hostname or on anything else. Normally inventory_hostname equals ansible_hostname, but sometimes we are used to writing IP addresses in the Ansible inventory, whereas ansible_hostname returns the host name. The template uses Jinja2 syntax. In this example the if...endif statement tests whether the current inventory_hostname is in the webservers or monitoring group (defined in the hosts file); if the condition holds, access to port 80 is added (-A INPUT -p tcp --dport 80 -j ACCEPT). The for...endfor statement loops over the monitoring group to open port 5666 to each of its hosts; hostvars[host] yields the host object, from which that host's Facts can be read, e.g. hostvars[host].ansible_default_ipv4.address gets the host's IP.
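Note that the template sets the built-in INPUT and FORWARD policies to ACCEPT and relies on the trailing "-j REJECT" rules for default-deny, so a rendered file is only as safe as that last rule. The following is an added example, not code from the chapter: an audit of the iptables-save style file the template produces for one host, checking the properties the template intends (catch-all REJECT on INPUT and FORWARD, NRPE port 5666 reachable only from the monitoring hosts, no unexpected port open to any source). The ruleset is constructed by hand to match what iptables.j2 would render for a host that is in both dbservers and lbservers with listenport assumed to be 8080, and a monitoring group of two hosts whose addresses 192.0.2.10 and 192.0.2.11 are made up.

```python
# Added example (not from the original chapter): audit the rendered output of
# iptables.j2. RENDERED is a hand-constructed rendering for a host in both
# dbservers and lbservers (listenport assumed 8080) with two monitoring hosts
# at made-up addresses.
import re

RENDERED = """\
# Ansible managed
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -s 192.0.2.10 --dport 5666 -j ACCEPT
-A INPUT -p tcp -s 192.0.2.11 --dport 5666 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# "-A <chain> <match options> -j <target>"; options after -j are ignored
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)")
# "-p tcp", "--dport 22", "-s 192.0.2.10": flag name and its value
OPT_RE = re.compile(r"(?:--|-)([a-zA-Z-]+)\s+([^\s-][^\s]*)")


def parse_rules(text):
    """Return a list of (chain, options, target); options is a dict keyed by
    flag name, e.g. {'p': 'tcp', 's': '192.0.2.10', 'dport': '5666'}."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, opts, target = m.groups()
        rules.append((chain, dict(OPT_RE.findall(opts)), target))
    return rules


def open_tcp_ports(rules):
    """Map each TCP port accepted on INPUT to its allowed sources
    ('any' when the rule carries no -s)."""
    ports = {}
    for chain, opt, target in rules:
        if chain != "INPUT" or target != "ACCEPT":
            continue
        if opt.get("p") != "tcp" or "dport" not in opt:
            continue
        ports.setdefault(opt["dport"], set()).add(opt.get("s", "any"))
    return ports


def final_policy(rules, chain):
    """Target of the last catch-all rule (one with no match options) in a
    chain, or None if the chain has no catch-all."""
    last = None
    for c, opt, target in rules:
        if c == chain and not opt:
            last = target
    return last


def audit(text, expected_ports, monitoring_addrs):
    """Return a list of findings; an empty list means the ruleset passes."""
    rules = parse_rules(text)
    ports = open_tcp_ports(rules)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if final_policy(rules, chain) not in ("REJECT", "DROP"):
            findings.append(f"{chain} has no catch-all REJECT/DROP")
    stray = ports.get("5666", set()) - set(monitoring_addrs)
    if stray:
        findings.append(f"5666 open to non-monitoring sources: {sorted(stray)}")
    allowed_any = set(expected_ports) | {"22"}   # SSH is opened on every host
    for port, sources in sorted(ports.items()):
        if "any" in sources and port not in allowed_any:
            findings.append(f"port {port} open to any source")
    return findings


if __name__ == "__main__":
    print(open_tcp_ports(parse_rules(RENDERED)))
    print(audit(RENDERED, ["3306", "8080"], ["192.0.2.10", "192.0.2.11"]))
```

Run the audit over the file Ansible writes to /etc/sysconfig/iptables (or over a rendering produced in check mode) for each host in the inventory; deleting the trailing INPUT REJECT line from the sample, or adding a port the host's groups do not justify, each produce a finding.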
2.4 roles/common/templates/ntp.conf.j2
[root@localhost templates]# cat ntp.conf.j2
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
server {{ ntpserver }}
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys