管理节点安装ansible环境
[root@m01 ~]# yum install epel-release ansible libselinux-python -y
被管理节点安装ansible依赖环境（libselinux-python 供 Ansible 的 selinux 相关模块使用）
[root@web01 ~]# yum install epel-release libselinux-python -y
[root@web02 ~]# yum install epel-release libselinux-python -y
[root@lb01 ~]# yum install epel-release libselinux-python -y
[root@lb02 ~]# yum install epel-release libselinux-python -y
备份ansible的hosts文件然后修改
# 备份ansible的hosts文件
[root@m01 ~]# cp /etc/ansible/hosts{,.bak}
# 修改配置文件,添加被管理节点IP地址
[root@m01 ~]# cat /etc/ansible/hosts
[tang]
192.168.207.133
192.168.207.138
192.168.207.139
192.168.207.140
配置免密登录客户端机器,批量管理
每次执行ansible命令都要输入被管理节点root用户的密码,如果各主机密码不一致,还得输入多次
可以在 /etc/ansible/hosts 主机列表文件中为每台主机添加连接参数(用户名、密码),实现免交互的远程管理。注意:下面把 root 明文密码直接写进 hosts 文件的做法只适合实验环境——任何能读取该文件的人都能拿到所有节点的 root 密码。生产环境应改用下文的 SSH 密钥方式,或用 ansible-vault 加密 ansible_ssh_pass 变量,并把 hosts 文件权限设为 0600。
1.修改/etc/ansible/hosts文件,在文件中定义主机密码
[root@m01 ~]# tail -3 /etc/ansible/hosts
[chaoge]
192.168.178.111 ansible_ssh_user=root ansible_ssh_pass=111111
192.168.178.110 ansible_ssh_user=root ansible_ssh_pass=111111
#################SSH方式##################
1.编写脚本 创建密钥对,分发给被管理节点
[root@m01 ~]# cat /server/scripts/distribution.sh
#!/bin/bash
rm -rf ~/.ssh/id_rsa*
ssh-keygen -f ~/.ssh/id_rsa -P "" > /dev/null 2>&1
SSH_Pass=123456
Key_Path=~/.ssh/id_rsa.pub
for ip in 133 138 139 140
do
sshpass -p$SSH_Pass ssh-copy-id -i $Key_Path "-o StrictHostKeyChecking=no" 192.168.207.$ip
done
[root@m01 scripts]#
2.执行脚本,快速分发公钥,实现免密登录
[root@m01 ~]# sh /server/scripts/distribution.sh
自行生成私钥和自签名证书(仅用于测试环境)
# 生成私钥文件,在子shell中设置 umask 077 以限制文件权限(私钥只能由属主读写)
[root@chaogelinux key]# (umask 077;openssl genrsa -out server1024.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)
# 注意:1024 位 RSA 已低于当前行业最低要求(至少 2048 位),仅作演示;生产环境请使用
# openssl genrsa -out server.key 2048(或更长),并同步修改 nginx 配置中 ssl_certificate_key 的路径。
# 自己签发证书,crt 为证书扩展名。自签名证书不被客户端信任,浏览器访问时会告警,只适合测试环境。
[root@chaogelinux key]# openssl req -new -x509 -key server1024.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:chaoge
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:pythonav.cn
Email Address []:yc_uuu@163.com
web_nginx剧本
[root@m01 ~]# cat /server/scripts/web_nginx.yaml
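# web_nginx.yaml — provision the web tier (192.168.207.133 / .138): build
# Tengine 2.3.2 from source into /opt/nginx and install the web config.
# Run from the control node m01:
#   ansible-playbook /server/scripts/web_nginx.yaml
#
# Fixes versus the original listing:
#   * "make & make install" ran make in the background and started
#     make install at the same moment, racing an unfinished build
#     -> "make && make install".
#   * the limits.conf edit spanned several YAML lines inside one plain
#     scalar; YAML folds those newlines into spaces, so sed appended a single
#     garbled line -> blockinfile with a literal block.
#   * sed wrote SELINUX=disable; the documented values are enforcing,
#     permissive and disabled -> selinux module.
#   * the tarball was fetched over plain http with no integrity check, and
#     yum/wget ran through `shell` with the since-removed `warn=` option.
#   * /opt/nginx was recursively chowned to the worker user, which would let
#     a compromised worker rewrite the binary and config that root re-reads
#     on the next reload -> install stays root-owned.
#
# NOTE(review): SELinux and firewalld are still disabled here because the
# rest of the tutorial assumes it; production hosts should keep SELinux
# enforcing and open only 80/443 instead.
- hosts: 192.168.207.133, 192.168.207.138
  tasks:
    # Needs libselinux-python on the target (installed earlier on this page).
    # "disabled" only fully applies after a reboot; until then the module
    # switches to permissive, which is what `setenforce 0` did.
    - name: stop selinux
      selinux:
        state: disabled

    - name: stop firewalld
      systemd:
        name: firewalld
        enabled: no
        state: stopped

    # Appended to limits.conf (pam_limits takes the last matching entry).
    # Files in /etc/security/limits.d/ are read afterwards and may still
    # override these values — verify on the target with `ulimit -n -u`.
    - name: set ulimit
      blockinfile:
        path: /etc/security/limits.conf
        marker: "# {mark} ANSIBLE MANAGED: nginx nofile/nproc limits"
        block: |
          * soft nofile 65535
          * hard nofile 65535
          * soft nproc 65535
          * hard nproc 65535

    - name: create nginx group
      group:
        name: nginx
        gid: 1500
        state: present

    # Unprivileged worker account: no shell, no home directory.
    - name: create nginx user
      user:
        name: nginx
        group: nginx
        uid: 1500
        shell: /sbin/nologin
        create_home: no

    # Build tool-chain and libraries needed by ./configure below.
    - name: install nginx Environmental Science
      yum:
        state: present
        name:
          - vim
          - net-tools
          - gcc
          - gcc-c++
          - autoconf
          - automake
          - make
          - zlib
          - zlib-devel
          - openssl
          - openssl-devel
          - pcre
          - pcre-devel
          - wget
          - httpd-tools

    # Download over TLS. TODO(review): once the release digest has been
    # verified out of band, pin it here (checksum: "sha256:<hex>") so a
    # tampered mirror or an on-path attacker cannot substitute the tarball.
    - name: install nginx service
      get_url:
        url: https://tengine.taobao.org/download/tengine-2.3.2.tar.gz
        dest: /opt/tengine-2.3.2.tar.gz

    - name: unpack tengine source
      unarchive:
        src: /opt/tengine-2.3.2.tar.gz
        dest: /opt
        remote_src: yes
        creates: /opt/tengine-2.3.2

    # `&&` so a failing configure or make stops the chain; `creates` makes
    # a re-run skip the (long) build once the binary exists.
    - name: decompression & make & make install
      shell: >
        ./configure --user=nginx --group=nginx --prefix=/opt/nginx
        --with-http_ssl_module --with-http_flv_module
        --with-http_gzip_static_module --with-http_stub_status_module
        --with-threads --with-file-aio
        && make && make install
      args:
        chdir: /opt/tengine-2.3.2
        creates: /opt/nginx/sbin/nginx

    - name: create nginx extra directory
      file:
        dest: /opt/nginx/conf/extra
        state: directory
        owner: root
        group: root
        mode: '0755'

    # Configuration is read by the root master process; the worker user
    # needs no ownership of it.
    - name: copy conf file
      copy:
        src: /server/conf/web_nginx.conf
        dest: /opt/nginx/conf/nginx.conf
        backup: yes
        owner: root
        group: root
        mode: '0644'

    - name: copy nginx default conf
      copy:
        src: /server/conf/web_default_nginx.conf
        dest: /opt/nginx/conf/extra/web_default_nginx.conf
        owner: root
        group: root
        mode: '0644'

    # The master starts as root, opens the logs itself and creates/chowns
    # the temp directories for the worker user, so no recursive chown of
    # /opt/nginx is required. `-t` validates the config before starting.
    # Not idempotent: re-running on a host where nginx is already up fails
    # with "Address already in use", as the original did.
    - name: start nginx server
      shell: /opt/nginx/sbin/nginx -t && /opt/nginx/sbin/nginx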
lb_nginx剧本
[root@m01 ~]# cat /server/scripts/lb_nginx.yaml
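# lb_nginx.yaml — provision the load-balancer tier (192.168.207.139 / .140):
# build Tengine 2.3.2 into /opt/nginx and install the TLS-terminating
# reverse-proxy configuration.
# Run from the control node m01:
#   ansible-playbook /server/scripts/lb_nginx.yaml
#
# Fixes versus the original listing:
#   * "make & make install" ran make in the background and started
#     make install concurrently -> "make && make install".
#   * the limits.conf edit was folded by YAML into one garbled line
#     -> blockinfile.
#   * sed wrote SELINUX=disable (not a documented value) -> selinux module.
#   * the tarball came over plain http with no integrity check.
#   * the TLS private key was copied with the default (umask) mode, normally
#     0644, and owned by the worker user; the recursive chown then handed
#     the whole install to that user. The key is now root:root 0600 — only
#     the root master process needs to read it — and /opt/nginx stays
#     root-owned.
#
# NOTE(review): SELinux and firewalld are still disabled because the rest
# of the tutorial assumes it; production hosts should keep SELinux
# enforcing and open only 80/443 plus VRRP (IP protocol 112) to the peer.
- hosts: 192.168.207.139, 192.168.207.140
  tasks:
    # Needs libselinux-python on the target; "disabled" fully applies after
    # a reboot, until then the module goes permissive (like `setenforce 0`).
    - name: stop selinux
      selinux:
        state: disabled

    - name: stop firewalld & disbale
      systemd:
        name: firewalld
        enabled: no
        state: stopped

    # Appended to limits.conf; /etc/security/limits.d/ is read afterwards
    # and may still override — verify with `ulimit -n -u` on the target.
    - name: set ulimit
      blockinfile:
        path: /etc/security/limits.conf
        marker: "# {mark} ANSIBLE MANAGED: nginx nofile/nproc limits"
        block: |
          * soft nofile 65535
          * hard nofile 65535
          * soft nproc 65535
          * hard nproc 65535

    - name: install nginx Environmental Science
      yum:
        state: present
        name:
          - net-tools
          - vim
          - gcc
          - gcc-c++
          - autoconf
          - automake
          - make
          - zlib
          - zlib-devel
          - openssl
          - openssl-devel
          - pcre
          - pcre-devel
          - wget
          - httpd-tools

    # TODO(review): pin the release digest (checksum: "sha256:<hex>") after
    # verifying it out of band; an unpinned download is a supply-chain risk.
    - name: install nginx service
      get_url:
        url: https://tengine.taobao.org/download/tengine-2.3.2.tar.gz
        dest: /opt/tengine-2.3.2.tar.gz

    - name: create nginx group
      group:
        name: nginx
        gid: 1500
        state: present

    # uid pinned to 1500 to match the web tier (the original omitted it).
    - name: create nginx user
      user:
        name: nginx
        group: nginx
        uid: 1500
        shell: /sbin/nologin
        create_home: no

    - name: unpack tengine source
      unarchive:
        src: /opt/tengine-2.3.2.tar.gz
        dest: /opt
        remote_src: yes
        creates: /opt/tengine-2.3.2

    - name: decompression & make & make install
      shell: >
        ./configure --user=nginx --group=nginx --prefix=/opt/nginx
        --with-http_ssl_module --with-http_flv_module
        --with-http_gzip_static_module --with-http_stub_status_module
        --with-threads --with-file-aio
        && make && make install
      args:
        chdir: /opt/tengine-2.3.2
        creates: /opt/nginx/sbin/nginx

    # Key material directory: root only.
    - name: create key dir
      file:
        dest: /opt/nginx/key
        state: directory
        owner: root
        group: root
        mode: '0700'

    # The master process (root) loads the key before forking workers; the
    # worker user must never be able to read it.
    # NOTE(review): this is a 1024-bit key (see the openssl step on this
    # page); regenerate at >= 2048 bits and keep the same path, or update
    # ssl_certificate_key in lb_nginx.conf.
    - name: copy key
      copy:
        src: /server/key/server1024.key
        dest: /opt/nginx/key/server1024.key
        owner: root
        group: root
        mode: '0600'

    - name: copy crt
      copy:
        src: /server/key/server.crt
        dest: /opt/nginx/key/server.crt
        owner: root
        group: root
        mode: '0644'

    - name: copy conf file
      copy:
        src: /server/conf/lb_nginx.conf
        dest: /opt/nginx/conf/nginx.conf
        backup: yes
        owner: root
        group: root
        mode: '0644'

    - name: copy proxy conf file
      copy:
        src: /server/conf/proxy.conf
        dest: /opt/nginx/conf/proxy.conf
        owner: root
        group: root
        mode: '0644'

    # No recursive chown: the root master creates and chowns the temp
    # directories the workers write to. `-t` validates the config first.
    # Not idempotent on a host where nginx is already running (as before).
    - name: start nginx service
      shell: /opt/nginx/sbin/nginx -t && /opt/nginx/sbin/nginx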
lb01_keepalived剧本
[root@m01 ~]# cat /server/scripts/lb_keepalived_master.yaml
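# lb_keepalived_master.yaml — install keepalived on lb01 (192.168.207.139)
# as the VRRP MASTER for the VIP 192.168.207.3.
# Run from m01: ansible-playbook /server/scripts/lb_keepalived_master.yaml
#
# Fixes versus the original listing:
#   * check_nginx.sh was copied with the default (umask) mode, normally
#     0644, so keepalived could not execute it; it is now root:root 0755,
#     which also satisfies keepalived's script-security ownership check.
#   * keepalived.conf carries the VRRP shared secret -> mode 0600.
#   * a config or script change now restarts keepalived through a handler;
#     with only state=started, a re-run never picked up an edited config.
- hosts: 192.168.207.139
  tasks:
    - name: install keepalived
      yum:
        name: keepalived
        state: present

    - name: copy keepalived conf
      copy:
        src: /server/conf/keepalived_master.conf
        dest: /etc/keepalived/keepalived.conf
        backup: yes
        owner: root
        group: root
        mode: '0600'
      notify: restart keepalived

    - name: copy check_nginx conf
      copy:
        src: /server/scripts/check_nginx.sh
        dest: /etc/keepalived/check_nginx.sh
        owner: root
        group: root
        mode: '0755'
      notify: restart keepalived

    - name: start keepalived
      systemd:
        name: keepalived
        enabled: yes
        state: started

  handlers:
    - name: restart keepalived
      systemd:
        name: keepalived
        state: restarted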
lb02_keepalived剧本
[root@m01 ~]# cat /server/scripts/lb_keepalived_backup.yaml
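# lb_keepalived_backup.yaml — install keepalived on lb02 (192.168.207.140)
# as the VRRP BACKUP for the VIP 192.168.207.3.
# Run from m01: ansible-playbook /server/scripts/lb_keepalived_backup.yaml
#
# Fixes versus the original listing:
#   * check_nginx.sh was copied with the default (umask) mode, normally
#     0644, so keepalived could not execute it; it is now root:root 0755,
#     which also satisfies keepalived's script-security ownership check.
#   * keepalived.conf carries the VRRP shared secret -> mode 0600.
#   * a config or script change now restarts keepalived through a handler;
#     with only state=started, a re-run never picked up an edited config.
- hosts: 192.168.207.140
  tasks:
    - name: install keepalived
      yum:
        name: keepalived
        state: present

    - name: copy keepalived conf
      copy:
        src: /server/conf/keepalived_backup.conf
        dest: /etc/keepalived/keepalived.conf
        backup: yes
        owner: root
        group: root
        mode: '0600'
      notify: restart keepalived

    - name: copy check_nginx conf
      copy:
        src: /server/scripts/check_nginx.sh
        dest: /etc/keepalived/check_nginx.sh
        owner: root
        group: root
        mode: '0755'
      notify: restart keepalived

    - name: start keepalived
      systemd:
        name: keepalived
        enabled: yes
        state: started

  handlers:
    - name: restart keepalived
      systemd:
        name: keepalived
        state: restarted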
web_nginx配置文件
[root@m01 ~]# cat /server/conf/web_nginx.conf
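# web_nginx.conf — main nginx.conf for the web tier (/opt/nginx/conf/nginx.conf).
# Virtual hosts live in extra/*.conf (see web_default_nginx.conf).
user nginx nginx;
worker_processes 1;
# Global error log; levels: debug | info | notice | warn | error | crit
error_log logs/error.log warn;
pid logs/nginx.pid;
# Keep in step with the nofile limit set for the nginx user (ulimit -n)
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # Do not advertise the server version in the Server header and on
    # error pages; it only helps an attacker choose an exploit.
    server_tokens off;
    # client_header_buffer_size 32k;
    # large_client_header_buffers 4 64k;
    # client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    # mime.types maps .js to application/javascript; the original list only
    # had the legacy application/x-javascript, so scripts were never compressed.
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml;
    gzip_vary on;
    # Behind the lb tier $remote_addr is the load balancer's address; the
    # real client IP arrives in X-Forwarded-For (set by the lb's proxy.conf).
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    include extra/*.conf;
}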
lb_nginx配置文件
[root@m01 ~]# cat /server/conf/lb_nginx.conf
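# lb_nginx.conf — main nginx.conf for the load balancers
# (/opt/nginx/conf/nginx.conf): redirect HTTP to HTTPS, terminate TLS and
# proxy to the web tier.
user nginx nginx;
worker_processes 1;
# Global error log; levels: debug | info | notice | warn | error | crit
error_log logs/error.log warn;
pid logs/nginx.pid;
# Keep in step with the nofile limit set for the nginx user (ulimit -n)
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # Do not leak the server version in headers and error pages.
    server_tokens off;
    # client_header_buffer_size 32k;
    # large_client_header_buffers 4 64k;
    # client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    # .js is served as application/javascript by mime.types; the original
    # list only named the legacy type, so scripts were never compressed.
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml;
    gzip_vary on;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    # Web tier reached over plain HTTP on the internal network.
    upstream default {
        server 192.168.207.133 weight=1;
        server 192.168.207.138 weight=1;
    }

    # Plain-HTTP entry point: send everything to HTTPS.
    server {
        listen 80;
        server_name www.tang.com;
        charset utf-8;
        # `return` is the documented replacement for `rewrite ^(.*)$ ... permanent;`
        # $request_uri preserves the original path and query string.
        return 301 https://$host$request_uri;
    }

    # TLS front end: terminates HTTPS and proxies to the upstream pool.
    server {
        listen 443 ssl;
        server_name _;
        access_log logs/default.log;
        charset utf-8;
        error_log logs/default_error.log;
        ssl_certificate /opt/nginx/key/server.crt;
        # NOTE(review): this key is 1024-bit RSA (see the openssl step on
        # this page), below the 2048-bit minimum; regenerate it.
        ssl_certificate_key /opt/nginx/key/server1024.key;
        # nginx of this vintage defaults to TLSv1 TLSv1.1 TLSv1.2; allow
        # only 1.2+. The TLSv1.3 token is accepted and ignored by builds
        # whose OpenSSL lacks TLS 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://default;
            include proxy.conf;
        }
    }
}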
web_default_nginx配置文件
[root@m01 ~]# cat /server/conf/web_default_nginx.conf
# Default virtual host for the web tier; picked up through
# `include extra/*.conf;` in nginx.conf. Serves static files out of the
# prefix-relative html/ directory (/opt/nginx/html).
server {
    listen 80;
    server_name www.tang.com;
    charset utf-8;

    # Per-vhost logs, relative to the nginx prefix.
    access_log logs/default.log;
    error_log logs/default_error.log;

    location / {
        root html;
        index index.html index.htm;
    }
}
proxy配置文件
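[root@m01 ~]# cat /server/conf/proxy.conf
# proxy.conf — included inside `location /` of the TLS server on the lb tier.
# Pass the client's Host header through so server_name matching on the
# web tier keeps working.
proxy_set_header Host $host;
# $remote_addr rather than $proxy_add_x_forwarded_for: the lb is the only
# hop in front of the web tier, so the backend receives exactly one
# trustworthy address and a client cannot smuggle in a forged
# X-Forwarded-For chain.
proxy_set_header X-Forwarded-For $remote_addr;
# The lb terminates TLS and speaks plain HTTP to the backend; tell the
# backend the original scheme so applications that honour this header can
# build https:// redirects and set Secure cookies (the original omitted it).
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;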
keepalived_master配置文件
[root@m01 ~]# cat /server/conf/keepalived_master.conf
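# keepalived_master.conf — lb01 is the VRRP MASTER for VIP 192.168.207.3.
global_defs {
    router_id lb01
    # Refuse check scripts that are not root-owned or are group/world
    # writable, and run them as root (the check restarts nginx). Without
    # this keepalived only logs a "SECURITY VIOLATION" warning and runs the
    # script anyway. Requires keepalived 1.3 or newer; pair it with the
    # playbook installing check_nginx.sh as root:root 0755.
    enable_script_security
    script_user root
}
vrrp_script chk_nginx {
    # Exits non-zero when nginx is down and could not be restarted; the
    # script itself also stops keepalived in that case (see check_nginx.sh).
    script "/etc/keepalived/check_nginx.sh"
    interval 2     # seconds between checks
    # Subtracted from priority while the script fails. MASTER is 150 and
    # BACKUP is 100, so the original -20 (-> 130) could never let the
    # backup win; -60 (-> 90) does.
    weight -60
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 150
    advert_int 1
    # VRRPv2 "PASS" authentication travels in cleartext and only prevents
    # accidental mixing of instances on the same segment; it is not a
    # security control. Keep the VRRP peers on a trusted network (or use
    # unicast_peer) rather than relying on this secret. The value must be
    # identical on both nodes.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # Attach the nginx health check to this instance.
    track_script {
        chk_nginx
    }
    # The VIP users connect to, bound to ens33 with label ens33:3.
    # Must be identical on master and backup.
    virtual_ipaddress {
        192.168.207.3/24 dev ens33 label ens33:3
    }
}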
keepalived_backup配置文件
[root@m01 ~]# cat /server/conf/keepalived_backup.conf
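# keepalived_backup.conf — lb02 is the VRRP BACKUP for VIP 192.168.207.3.
global_defs {
    router_id lb02
    # Refuse check scripts that are not root-owned or are group/world
    # writable, and run them as root (the check restarts nginx). Without
    # this keepalived only logs a "SECURITY VIOLATION" warning and runs the
    # script anyway. Requires keepalived 1.3 or newer; pair it with the
    # playbook installing check_nginx.sh as root:root 0755.
    enable_script_security
    script_user root
}
vrrp_script chk_nginx {
    # Exits non-zero when nginx is down and could not be restarted; the
    # script itself also stops keepalived in that case (see check_nginx.sh).
    script "/etc/keepalived/check_nginx.sh"
    interval 2     # seconds between checks
    # Subtracted from priority while the script fails; kept equal to the
    # master's value so a failing backup (100 -> 40) never outranks a
    # healthy or degraded master.
    weight -60
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    # VRRPv2 "PASS" authentication travels in cleartext and only prevents
    # accidental mixing of instances on the same segment; it is not a
    # security control. Keep the VRRP peers on a trusted network (or use
    # unicast_peer) rather than relying on this secret. The value must be
    # identical on both nodes.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # Attach the nginx health check to this instance.
    track_script {
        chk_nginx
    }
    # The VIP users connect to, bound to ens33 with label ens33:3.
    # Must be identical on master and backup.
    virtual_ipaddress {
        192.168.207.3/24 dev ens33 label ens33:3
    }
}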
keepalived检查nginx是否存活的脚本文件
[root@m01 ~]# cat /server/scripts/check_nginx.sh
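#!/bin/bash
# check_nginx.sh — keepalived vrrp_script: make sure nginx is running on
# this load balancer. If it is down, try to start it once; if it is still
# not running two seconds later, give up the VIP.
#
# Bug in the original: the first check was `ps -C nginx –no-header` with an
# en dash (U+2013) instead of `--no-header`, so ps rejected the option and
# printed nothing, the count was always 0, and nginx was "started" on every
# interval (failing with "address already in use" while it was healthy).
# Only the second ps check was spelled correctly.
#
# Exit status: 0 when nginx is up (possibly after a restart); 1 when it
# could not be started. keepalived's track_script turns a non-zero exit
# into a priority change (weight); the killall below additionally forces an
# immediate failover, as the original did.

nginx_bin=/opt/nginx/sbin/nginx

# True when a process whose name is exactly "nginx" exists (same match as
# `ps -C nginx`; this script's own name does not match).
nginx_running() {
  pgrep -x nginx >/dev/null 2>&1
}

if ! nginx_running; then
  "${nginx_bin}"
  sleep 2
  if ! nginx_running; then
    # nginx could not be brought back: stop keepalived so the backup node
    # takes the VIP, and report the failure to keepalived as well.
    killall keepalived
    exit 1
  fi
fi
exit 0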