Ansible Lab

2020-07-09

1. Lab content

  • Use Ansible to rebuild the automated installation and configuration of FTP, NFS, DHCP, DNS and Samba servers

2. Lab environment

Machine          Host-only IP address
Control node     192.168.50.129
Managed nodes    192.168.50.130

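3. Lab principles

Ansible

Ansible is an open-source configuration management tool that automates tasks and deploys applications to implement IT infrastructure. It can automate routine work such as initial server configuration, security baseline configuration, system updates and patching, and package installation.

Agentless

  • Ansible is agentless, so Ansible tasks can run without installing or configuring any program on the managed hosts. Because Ansible installs no software and runs no listening daemon on the managed hosts, much of the management overhead disappears, and updating Ansible does not affect any managed host.
    • Even so, the Python dependency still has to be set up on the target node.

Communication over SSH

  • By default, Ansible uses the SSH protocol to communicate between the control machine and the managed hosts. SFTP can be used for secure file transfer to the managed hosts.

Ansible ad-hoc one-line commands

An ad-hoc command is a single Ansible task run directly from the command line; it is the quick way to execute an Ansible task.

Ansible Playbook

Playbooks are the most powerful way Ansible offers to run tasks. Unlike ad-hoc commands, playbooks are defined in files and can be reused and shared with others.

Playbooks are written in the YAML markup language. Each playbook consists of one or more plays. The goal of a play is to map a group of hosts to tasks. Each play contains one or more tasks, and these tasks are executed one at a time.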

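Tasks: tasks, the list of operations, each defined by a module
Variables: variables
Templates: templates, i.e. files that use template syntax
Handlers: handlers, operations that are triggered when a condition is met
Roles: roles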
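
The variable, template and handler building blocks listed above, put together for the bind9 server from section 4.4. This is an added example, not the author's playbook; the variable names, the zone name test.com (inferred from the file name db.test.com) and the validate commands are assumptions.

```yaml
# Added example (not from the original post).
- hosts: 192.168.50.129
  remote_user: root
  vars:
    bind_dir: /etc/bind        # assumed variable name
    zone_name: test.com        # assumed from the file name db.test.com
  tasks:
    - name: install bind9
      apt:
        name: bind9
        state: present

    - name: config named.conf.default-zones
      template:
        src: ./named.conf.default-zones
        dest: "{{ bind_dir }}/named.conf.default-zones"
        mode: "0644"
        # Syntax-check the rendered file before it replaces the live one;
        # a broken template then fails the task instead of breaking DNS.
        validate: named-checkconf %s
      notify: restart bind9

    - name: config zone file
      template:
        src: ./db.test.com
        dest: "{{ bind_dir }}/db.{{ zone_name }}"
        mode: "0644"
        validate: "named-checkzone {{ zone_name }} %s"
      notify: restart bind9

  handlers:
    # Runs once at the end of the play, and only when at least one
    # notifying task reported "changed". An unchanged config means no restart.
    - name: restart bind9
      service:
        name: bind9
        state: restarted
```

Running the play a second time with unchanged templates reports no changes and leaves the running service untouched.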

4. Lab content

4.1. FTP

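- hosts: 192.168.50.130
  remote_user: root
  tasks:
    - name: install vsftpd
      apt: name=vsftpd
    - name: create new user
      # The user module writes "password" into /etc/shadow as given, so it
      # must be a crypt hash, not plaintext. ftp_password is an assumed
      # variable (not in the original); supply it from Ansible Vault or -e.
      user:
        name: ftpusr
        system: yes
        password: "{{ ftp_password | password_hash('sha512') }}"
    - name: create ftp directory for zzr
      file:
        path: "/etc/fptusr/ftp"
        owner: "nobody"
        group: "nogroup"
        state: directory
    - name: config vsftpd
      template: src=./vsftpd.conf dest=/etc/vsftpd.conf
    - name: modify hosts.allow
      # ALL admits every client address; narrow it to the lab subnet
      # if the host is reachable from other networks.
      lineinfile:
        path: /etc/hosts.allow
        line: "vsftpd:ALL:allow"
    - name: modify vsftpd.userlist
      lineinfile:
        path: /etc/vsftpd.userlist
        line: "ftpusr"
        # The file does not exist after a fresh install; create it if missing.
        create: yes
    - name: restart vsftpd
      service:
        name: vsftpd
        state: restarted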

4.2. NFS

- hosts: 192.168.50.130
  remote_user: root
  vars:
    # Mount points on this node and the exports they come from
    nfsmounts:
      - { path: "/mnt/public", src: "192.168.50.129:/public" }
      - { path: "/mnt/protected", src: "192.168.50.129:/protected" }
  tasks:
    - name: install nfs-common
      apt: name=nfs-common
    - name: mkdir public
      file: path="/mnt/public" owner="nobody" group="nogroup" state=directory
    - name: mkdir protected
      file: path="/mnt/protected" owner="nobody" group="nogroup" state=directory
    - name: mount nfs
      # Mounts each export and records it in /etc/fstab
      mount:
        fstype: nfs
        opts: defaults
        dump: 0
        passno: 0
        state: mounted
        src: "{{item.src}}"
        path: "{{item.path}}"
      with_items: "{{nfsmounts}}"

4.3. DHCP

Control node

- hosts: 192.168.50.129
  remote_user: host
  # "host" is not root; the tasks below need root, so escalate with sudo.
  become: yes
  tasks:
    - name: install dhcp
      apt: name=isc-dhcp-server
    - name: config dhcpd.conf
      template: src=./dhcpd.conf dest=/etc/dhcp/dhcpd.conf
    - name: config netplan
      template: dest=/etc/netplan/50-cloud-init.yaml src=./net1.yml
    - name: netplan apply
      # The command module does not run a shell, so "&&" needs the shell module.
      shell: "netplan generate && netplan apply"
    - name: modify isc-dhcp-server
      template:
        dest: /etc/default/isc-dhcp-server
        src: ./isc-dhcp-server
        backup: yes
    - name: restart dhcp
      service:
        name: isc-dhcp-server
        state: restarted

Managed node

- hosts: 192.168.50.130
  remote_user: root
  tasks:
    - name: config netplan
      template: dest=/etc/netplan/50-cloud-init.yaml src=./net2.yml

4.4. DNS

Server host

- hosts: 192.168.50.129
  remote_user: root
  tasks:
    - name: install bind9
      apt: name=bind9
    - name: config named.conf.default-zones
      template: dest=/etc/bind/named.conf.default-zones src=./named.conf.default-zones
    - name: config db.test.com
      template: dest=/etc/bind/db.test.com src=./db.test.com
    - name: restart bind9
      service:
        name: bind9
        state: restarted

Target host

- hosts: 192.168.50.130
  remote_user: root
  tasks:
    - name: modify resolv.conf
      # Where systemd-resolved manages /etc/resolv.conf, this line can be overwritten.
      lineinfile:
        path: /etc/resolv.conf
        line: "nameserver 192.168.50.129"

4.5. Samba

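- hosts: 192.168.50.130
  remote_user: root
  tasks:
    - name: install samba
      apt: name=samba
    - name: install smbclient
      apt: name=smbclient
    - name: adduser samba
      # "password" must be a crypt hash, not plaintext. samba_password is an
      # assumed variable (not in the original); supply it from Ansible Vault or -e.
      user:
        name: samba
        system: yes
        password: "{{ samba_password | password_hash('sha512') }}"
    - name: mkdir samba
      file:
        path: "/samba"
        owner: "samba"
        group: "nogroup"
        state: directory
    - name: chmod samba
      # Makes the share directory writable by every local user.
      command: "chmod o+w /samba"
    - name: config smb.conf
      template: dest=/etc/samba/smb.conf src=./smb.conf
    - name: restart samba
      service: name=samba state=restarted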
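
The user tasks in the FTP and Samba playbooks set an account password, and the user module's password parameter expects a crypt hash rather than plaintext. The play below is an added example, not from the original post: it prompts for the secrets at run time and hashes them. The variable names ftp_password and samba_password are assumptions.

```yaml
# Added example (not from the original post).
- hosts: 192.168.50.130
  remote_user: root
  vars_prompt:
    # Asked on the control node at run time, so no secret is stored in
    # the playbook or in version control. Variable names are assumptions.
    - name: ftp_password
      prompt: "Password for ftpusr"
      private: yes
      confirm: yes
    - name: samba_password
      prompt: "Password for samba"
      private: yes
      confirm: yes
  tasks:
    - name: create service accounts with hashed passwords
      user:
        name: "{{ item.name }}"
        system: yes
        # Written to /etc/shadow as given, so hash it first.
        password: "{{ item.secret | password_hash('sha512') }}"
        # password_hash picks a new random salt on every run; setting the
        # password only at creation keeps later runs from reporting "changed".
        update_password: on_create
      loop:
        - { name: ftpusr, secret: "{{ ftp_password }}" }
        - { name: samba, secret: "{{ samba_password }}" }
      # Keep the plaintext and the hash out of console output and logs.
      no_log: true
```

For unattended runs, the same two variables can come from an Ansible Vault file instead of vars_prompt.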

5. Common problems

5.1. Failed to connect to the host via ssh: Permission denied

1. The SSH credentials for the target node (the node to be managed) have not been added on the Ansible control node (the node where Ansible is installed).

ssh-keygen
ssh-copy-id root@<target-node-IP>

ansible -m ping all

2. Uncomment remote_user and set the user to what you want to log in as

remote_user=root

© 2024 何决云