管理节点安装ansible环境
[root@m01 ~]# yum install epel-release ansible libselinux-python -y
被管理节点安装ansible环境
[root@web01 ~]# yum install epel-release libselinux-python -y
[root@web02 ~]# yum install epel-release libselinux-python -y
[root@lb01 ~]# yum install epel-release libselinux-python -y
[root@lb02 ~]# yum install epel-release libselinux-python -y
备份ansible的hosts文件然后修改
# 备份ansible的hosts文件
[root@m01 ~]# cp /etc/ansible/hosts{,.bak}
# 修改配置文件,添加被管理节点IP地址
[root@m01 ~]# cat /etc/ansible/hosts
[tang]
192.168.207.133
192.168.207.138
192.168.207.139
192.168.207.140
配置免密登录客户端机器,批量管理
每次执行ansible命令都要输入root的用户密码,如果主机密码不一致,还得输入多次
可以在/etc/ansible/hosts 主机列表文件中添加指定配置参数,实现远程管理主机的效果
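#!/bin/bash
# /server/scripts/distribution.sh — generate an SSH key pair on the control node (m01)
# and install its public key on every managed node, so ansible can log in without
# prompting for root's password.
#
# Alternative shown on the page (password kept in the inventory):
#   [root@m01 ~]# tail -3 /etc/ansible/hosts
#   [chaoge]
#   192.168.178.111 ansible_ssh_user=root ansible_ssh_pass=111111
#   192.168.178.110 ansible_ssh_user=root ansible_ssh_pass=111111
# That leaves root's password in plaintext in a file read on every ansible run; if
# it is used at all, keep the value in ansible-vault and restrict the inventory's
# permissions. Key-based login (this script) removes the need for it.
#
# Usage:  SSH_PASS='<root password>' sh /server/scripts/distribution.sh
#         SSH_PASS falls back to the page's 123456 when unset — change it.
# Run:    [root@m01 ~]# sh /server/scripts/distribution.sh
# Exit status: 0 only if every host accepted the key.

set -u

# The password is needed once, for ssh-copy-id. It is read from the environment
# instead of being hard-coded, and handed to sshpass through SSHPASS (-e) rather
# than -p, so it does not show up in `ps` output on the control node.
SSH_Pass=${SSH_PASS:-123456}
Key_Path=~/.ssh/id_rsa.pub
Hosts="133 138 139 140"   # last octets of 192.168.207.x (the [tang] inventory group)

# Recreate the key pair on every run, as the original did. NOTE: this deletes any
# existing ~/.ssh/id_rsa on m01 — back it up first if one is already in use.
rm -rf ~/.ssh/id_rsa*
ssh-keygen -f ~/.ssh/id_rsa -P "" >/dev/null 2>&1 || {
  echo "ssh-keygen failed" >&2
  exit 1
}

rc=0
for ip in $Hosts; do
  # StrictHostKeyChecking=no accepts whatever host key the peer presents, so this
  # first contact is not protected against an interposed host. On OpenSSH >= 7.6
  # prefer StrictHostKeyChecking=accept-new, or pre-populate ~/.ssh/known_hosts
  # with the four hosts' keys before running this.
  if ! SSHPASS=$SSH_Pass sshpass -e ssh-copy-id -i "$Key_Path" -o StrictHostKeyChecking=no "192.168.207.$ip"; then
    echo "ssh-copy-id to 192.168.207.$ip failed" >&2
    rc=1
  fi
done
exit $rc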
自生成密钥和证书
# 生成私钥文件,利用子shell降低文件权限
[root@chaogelinux key]# (umask 077;openssl genrsa -out server1024.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)
# 自己签发证书,crt证书扩展名
[root@chaogelinux key]# openssl req -new -x509 -key server1024.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:chaoge
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:pythonav.cn
Email Address []:yc_uuu@163.com
web_nginx剧本
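# /server/scripts/web_nginx.yaml — build Tengine 2.3.2 from source on the two web nodes
# ([root@m01 ~]# cat /server/scripts/web_nginx.yaml)
#
# Fixes vs. the page: 'disable' -> 'disabled' in /etc/selinux/config, 'make & make install'
# -> 'make && make install', and creates= guards so a re-run does not re-download,
# rebuild or start a second nginx master.
- hosts: 192.168.207.133, 192.168.207.138
  tasks:
    # Both of these leave the web nodes with no host-level enforcement at all; they then
    # depend entirely on the LB tier in front of them.
    - name: stop selinux
      # 'disabled' is the value /etc/selinux/config accepts; the original wrote 'disable'.
      shell: setenforce 0 ; sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config
    - name: stop firewalld
      systemd: name=firewalld enabled=no state=stopped
    - name: set ulimit
      # Inserts the four limit entries after line 61 of limits.conf (the original's anchor);
      # they must be separate lines, hence the \n. The grep guard keeps re-runs from
      # inserting duplicates.
      shell: grep -q 'nofile 65535' /etc/security/limits.conf || sed -i '61a * soft nofile 65535\n* hard nofile 65535\n* soft nproc 65535\n* hard nproc 65535' /etc/security/limits.conf warn=False
    - name: create nginx group
      group: name=nginx gid=1500 state=present
    - name: create nginx user
      user: name=nginx group=nginx shell=/sbin/nologin create_home=no uid=1500
    - name: install nginx Environmental Science
      shell: yum install -y vim net-tools gcc gcc-c++ autoconf automake make zlib zlib-devel openssl openssl-devel pcre pcre-devel wget httpd-tools warn=False
    - name: install nginx service
      # Plain-HTTP download with no checksum check: the build input can be replaced in
      # transit. Verify the tarball against its published hash before building, or fetch
      # it once on m01, verify it there, and push it with the copy module.
      shell: cd /opt ; wget http://tengine.taobao.org/download/tengine-2.3.2.tar.gz creates=/opt/tengine-2.3.2.tar.gz
    - name: decompression & make & make install
      # '&&' throughout: the original's single '&' put make in the background and ran
      # 'make install' against a tree that had not finished building, and ';' after
      # ./configure ignored a failed configure.
      shell: cd /opt ; tar -xf tengine-2.3.2.tar.gz;mkdir -p /opt/nginx/ ;cd /opt/tengine-2.3.2 && ./configure --user=nginx --group=nginx --prefix=/opt/nginx --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --with-http_stub_status_module --with-threads --with-file-aio && make && make install creates=/opt/nginx/sbin/nginx
    - name: create nginx extra directory
      file: dest=/opt/nginx/conf/extra state=directory owner=nginx group=nginx
    - name: copy conf file
      copy: src=/server/conf/web_nginx.conf dest=/opt/nginx/conf/nginx.conf backup=yes owner=nginx group=nginx
    - name: copy nginx default conf
      copy: src=/server/conf/web_default_nginx.conf dest=/opt/nginx/conf/extra/web_default_nginx.conf owner=nginx group=nginx
    - name: chown nginx dir
      # Gives the whole install tree (binary and config included) to the nginx user, so a
      # compromised worker could rewrite its own config or binary; root-owned tree with
      # nginx owning only logs/ and html/ is the tighter layout. Kept as on the page.
      file: dest=/opt/nginx state=directory owner=nginx group=nginx recurse=yes
    - name: start nginx server
      # creates= keeps a re-run from starting a second master; the pid path is
      # logs/nginx.pid relative to the /opt/nginx prefix, per web_nginx.conf.
      shell: /opt/nginx/sbin/nginx creates=/opt/nginx/logs/nginx.pid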
lb_nginx剧本
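# /server/scripts/lb_nginx.yaml — build Tengine 2.3.2 on the two load balancers and
# install the TLS key pair and proxy config
# ([root@m01 ~]# cat /server/scripts/lb_nginx.yaml)
#
# Fixes vs. the page: 'disable' -> 'disabled', 'make & make install' -> 'make && make install',
# creates= guards for idempotent re-runs, and mode=0600 on the private key.
- hosts: 192.168.207.139, 192.168.207.140
  tasks:
    - name: stop selinux
      # 'disabled' is the value /etc/selinux/config accepts; the original wrote 'disable'.
      shell: setenforce 0 ; sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config
    - name: stop firewalld & disbale
      systemd: name=firewalld enabled=no state=stopped
    - name: set ulimit
      # Four separate limit lines after line 61 of limits.conf; guarded against duplicates.
      shell: grep -q 'nofile 65535' /etc/security/limits.conf || sed -i '61a * soft nofile 65535\n* hard nofile 65535\n* soft nproc 65535\n* hard nproc 65535' /etc/security/limits.conf warn=False
    - name: install nginx Environmental Science
      shell: yum install -y net-tools vim gcc gcc-c++ autoconf automake make zlib zlib-devel openssl openssl-devel pcre pcre-devel wget httpd-tools warn=False
    - name: install nginx service
      # Plain-HTTP download with no checksum check — verify the tarball's published hash
      # before building, or fetch and verify once on m01 and push it with copy.
      shell: cd /opt ; wget http://tengine.taobao.org/download/tengine-2.3.2.tar.gz creates=/opt/tengine-2.3.2.tar.gz
    - name: create nginx group
      group: name=nginx gid=1500 state=present
    - name: create nginx user
      user: name=nginx group=nginx shell=/sbin/nologin create_home=no
    - name: decompression & make & make install
      # '&&' throughout: the original's '&' backgrounded make and installed from an
      # unfinished build.
      shell: cd /opt ; tar -xf tengine-2.3.2.tar.gz;mkdir -p /opt/nginx/ ;cd /opt/tengine-2.3.2 && ./configure --user=nginx --group=nginx --prefix=/opt/nginx --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --with-http_stub_status_module --with-threads --with-file-aio && make && make install creates=/opt/nginx/sbin/nginx
    - name: create key dir
      file: dest=/opt/nginx/key state=directory owner=nginx group=nginx
    - name: copy key
      # Private key: mode=0600 so only its owner can read it (the original set no mode).
      # The file name reflects the 1024-bit RSA key generated earlier on this page; that
      # size is below current minimums — regenerate at 2048+ bits outside a lab.
      copy: src=/server/key/server1024.key dest=/opt/nginx/key/server1024.key owner=nginx group=nginx mode=0600
    - name: copy crt
      copy: src=/server/key/server.crt dest=/opt/nginx/key/server.crt owner=nginx group=nginx
    - name: copy conf file
      copy: src=/server/conf/lb_nginx.conf dest=/opt/nginx/conf/nginx.conf backup=yes owner=nginx group=nginx
    - name: copy proxy conf file
      copy: src=/server/conf/proxy.conf dest=/opt/nginx/conf/proxy.conf owner=nginx group=nginx
    - name: chown nginx dir
      # recurse=yes re-chowns the key dir as well but sets no mode, so 0600 survives.
      file: dest=/opt/nginx state=directory owner=nginx group=nginx recurse=yes
    - name: start nginx service
      # creates= prevents a second master on re-run (pid path per lb_nginx.conf).
      shell: /opt/nginx/sbin/nginx creates=/opt/nginx/logs/nginx.pid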
lb01_keepalived剧本
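# /server/scripts/lb_keepalived_master.yaml — install and configure keepalived on lb01
# ([root@m01 ~]# cat /server/scripts/lb_keepalived_master.yaml)
#
# Fixes vs. the page: the health script is copied with the execute bit set, and config
# changes notify a restart handler so a re-run actually applies them.
- hosts: 192.168.207.139
  tasks:
    - name: install keepalived
      yum: name=keepalived state=present
    - name: copy keepalived conf
      # state=started alone never reloads a running keepalived, so an edited
      # keepalived_master.conf was copied but not applied; the handler fixes that.
      copy: src=/server/conf/keepalived_master.conf dest=/etc/keepalived/keepalived.conf backup=yes
      notify: restart keepalived
    - name: copy check_nginx conf
      # The original copy set no mode, so the script was not executable by keepalived.
      # root-owned and 0755 also satisfies newer keepalived's script-security check,
      # which refuses scripts writable by non-root users.
      copy: src=/server/scripts/check_nginx.sh dest=/etc/keepalived/check_nginx.sh owner=root group=root mode=0755
      notify: restart keepalived
    - name: start keepalived
      systemd: name=keepalived enabled=yes state=started
  handlers:
    - name: restart keepalived
      systemd: name=keepalived state=restarted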
lb02_keepalived剧本
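# /server/scripts/lb_keepalived_backup.yaml — install and configure keepalived on lb02
# ([root@m01 ~]# cat /server/scripts/lb_keepalived_backup.yaml)
#
# Same layout as the master playbook: executable health script, restart handler so
# config changes are applied on re-runs.
- hosts: 192.168.207.140
  tasks:
    - name: install keepalived
      yum: name=keepalived state=present
    - name: copy keepalived conf
      # state=started never reloads a running keepalived; notify the handler instead.
      copy: src=/server/conf/keepalived_backup.conf dest=/etc/keepalived/keepalived.conf backup=yes
      notify: restart keepalived
    - name: copy check_nginx conf
      # Execute bit so keepalived can run the script; root-owned 0755 also passes newer
      # keepalived's check that rejects scripts writable by non-root users.
      copy: src=/server/scripts/check_nginx.sh dest=/etc/keepalived/check_nginx.sh owner=root group=root mode=0755
      notify: restart keepalived
    - name: start keepalived
      systemd: name=keepalived enabled=yes state=started
  handlers:
    - name: restart keepalived
      systemd: name=keepalived state=restarted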
web_nginx配置文件
# [root@m01 ~]# cat /server/conf/web_nginx.conf
# Main nginx.conf for the web nodes (192.168.207.133/138). No server blocks here; the
# virtual host comes from extra/*.conf (web_default_nginx.conf).
user nginx nginx;
worker_processes 1;
# Global error-log level: [ debug | info | notice | warn | error | crit ]
error_log logs/error.log warn;
pid logs/nginx.pid;
# Best kept equal to `ulimit -n` (the playbook sets nofile 65535 in limits.conf)
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # client_header_buffer_size 32k;
    # large_client_header_buffers 4 64k;
    # client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    # Logs X-Forwarded-For last, which on these nodes is set by the LB (proxy.conf)
    # to the client's address.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    include extra/*.conf;
}
lb_nginx配置文件
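# [root@m01 ~]# cat /server/conf/lb_nginx.conf
# nginx.conf for the load balancers (lb01/lb02): redirects 80 to https, terminates TLS
# on 443 and proxies to the two web nodes in the `default` upstream.
#
# Change vs. the page: an explicit ssl_protocols line (see the 443 server block).
user nginx nginx;
worker_processes 1;
# Global error-log level: [ debug | info | notice | warn | error | crit ]
error_log logs/error.log warn;
pid logs/nginx.pid;
# Best kept equal to `ulimit -n`
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # client_header_buffer_size 32k;
    # large_client_header_buffers 4 64k;
    # client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    # Backend pool: the two web nodes, round-robin with equal weight.
    upstream default {
        server 192.168.207.133 weight=1;
        server 192.168.207.138 weight=1;
    }
    # The plain-HTTP listener only redirects to https on the same host.
    server {
        listen 80;
        server_name www.tang.com;
        charset utf-8;
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    server {
        listen 443 ssl;
        # Catch-all name: this block answers any HTTPS Host header, including the
        # www.tang.com redirect from above.
        server_name _;
        access_log logs/default.log;
        charset utf-8;
        error_log logs/default_error.log;
        # Self-signed pair generated earlier on this page. server1024.key is a 1024-bit
        # RSA key, below current minimums — regenerate at 2048+ bits outside a lab.
        ssl_certificate /opt/nginx/key/server.crt;
        ssl_certificate_key /opt/nginx/key/server1024.key;
        # Added: the original set no ssl_protocols, so the build's default applied
        # (for nginx of this vintage that typically still includes TLSv1 and TLSv1.1).
        # Append TLSv1.3 if the OpenSSL this Tengine was built against supports it.
        ssl_protocols TLSv1.2;
        location / {
            proxy_pass http://default;
            include proxy.conf;
        }
    }
}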
web_default_nginx配置文件
# [root@m01 ~]# cat /server/conf/web_default_nginx.conf
# Virtual host on the web nodes, pulled in by `include extra/*.conf` from web_nginx.conf.
# Plain HTTP only: TLS is terminated on the LB tier, which proxies here over port 80.
server {
    listen 80;
    server_name www.tang.com;
    access_log logs/default.log ;
    charset utf-8;
    error_log logs/default_error.log;
    location / {
        # Static files from html/ under the /opt/nginx prefix.
        root html;
        index index.html index.htm;
    }
}
proxy配置文件
# [root@m01 ~]# cat /server/conf/proxy.conf
# Shared proxy settings, included inside `location /` of lb_nginx.conf.
# Pass the original Host header through to the backend.
proxy_set_header Host $host;
# Overwrites (rather than appends to) any X-Forwarded-For the client sent, with the
# connecting address. Fine while this LB is the first hop: the backends then never see
# a client-controlled value in that header.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
keepalived_master配置文件
# [root@m01 ~]# cat /server/conf/keepalived_master.conf
# keepalived config for lb01 (MASTER, priority 150). lb02 uses the same layout with
# state BACKUP, priority 100 and router_id lb02.
global_defs {
    router_id lb01
}
vrrp_script chk_nginx {
    # Health script (listed later on this page): restarts nginx if it is down and, if
    # that fails, kills keepalived so the VIP moves to the other node.
    script "/etc/keepalived/check_nginx.sh"
    interval 2        # check interval, seconds
    weight -20        # subtracted from priority while the script fails
    # NOTE: 150 - 20 = 130 is still above the backup's 100, so a failing check alone
    # does not move the VIP; failover here relies on the script's `killall keepalived`.
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        # auth_type PASS carries this password in clear text in every VRRP advert;
        # it only guards against accidental cross-talk between VRRP groups.
        auth_type PASS
        auth_pass 1111
    }
    # Attach the vrrp_script above to this instance
    track_script {
        chk_nginx   # run the nginx health check
    }
    # The VIP — the high-availability address users connect to — bound to ens33 with
    # alias ens33:3; must be identical on master and backup
    virtual_ipaddress {
        192.168.207.3/24 dev ens33 label ens33:3
    }
}
keepalived_backup配置文件
# [root@m01 ~]# cat /server/conf/keepalived_backup.conf
# keepalived config for lb02 (BACKUP, priority 100); mirrors keepalived_master.conf.
global_defs {
    router_id lb02
}
vrrp_script chk_nginx {
    # Health script (listed later on this page): restarts nginx if it is down and, if
    # that fails, kills keepalived so the VIP moves to the other node.
    script "/etc/keepalived/check_nginx.sh"
    interval 2        # check interval, seconds
    weight -20        # subtracted from priority while the script fails
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51   # must match the master's
    priority 100
    advert_int 1
    authentication {
        # auth_type PASS carries this password in clear text in every VRRP advert;
        # it only guards against accidental cross-talk between VRRP groups.
        auth_type PASS
        auth_pass 1111
    }
    # Attach the vrrp_script above to this instance
    track_script {
        chk_nginx   # run the nginx health check
    }
    # The VIP — the high-availability address users connect to — bound to ens33 with
    # alias ens33:3; must be identical on master and backup
    virtual_ipaddress {
        192.168.207.3/24 dev ens33 label ens33:3
    }
}
keepalived检查nginx是否存活的脚本文件
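#!/bin/bash
# /server/scripts/check_nginx.sh — keepalived vrrp_script (chk_nginx, run every 2s).
# If no nginx process is running, try to start it; if it is still not running two
# seconds later, stop keepalived so the VIP fails over to the other LB.
#
# Exit status: 0 when nginx is running (or was successfully restarted), 1 after
# keepalived has been killed.
#
# Fix vs. the page: the first `ps -C nginx –no-header` used an en dash (U+2013), so ps
# rejected the option, the count was always 0 and nginx was "restarted" on every check.

nginx_bin=/opt/nginx/sbin/nginx

# Number of processes whose command name is nginx (master plus workers).
nginx_count() {
  ps -C nginx --no-header | wc -l
}

if [ "$(nginx_count)" -eq 0 ]; then
  "$nginx_bin"
  sleep 2
  if [ "$(nginx_count)" -eq 0 ]; then
    # nginx would not come back: leave VRRP so the peer claims 192.168.207.3.
    killall keepalived
    exit 1
  fi
fi
exit 0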