Playbook directory
[root@ansible ~/ansible]# tree system_init
system_init
├── hosts
├── roles
│   ├── 10_kernal_optimization
│   │   ├── files
│   │   │   └── my-default.conf
│   │   └── tasks
│   │       ├── config.yml
│   │       ├── copyfile.yml
│   │       └── main.yml
│   ├── 11_max_limits
│   │   ├── tasks
│   │   │   ├── boot.yml
│   │   │   ├── main.yml
│   │   │   └── modify.yml
│   │   └── vars
│   │       └── main.yml
│   ├── 12_disable_ipv6
│   │   └── tasks
│   │       ├── disipv6.yml
│   │       ├── grub.yml
│   │       └── main.yml
│   ├── 1_copy_ssh_key
│   │   └── tasks
│   │       └── main.yml
│   ├── 2_close_selinux
│   │   └── tasks
│   │       ├── main.yml
│   │       └── selinux.yml
│   ├── 3_close_firewalld
│   │   └── tasks
│   │       └── main.yml
│   ├── 4_copy_repo
│   │   ├── tasks
│   │   │   ├── copy.yml
│   │   │   ├── main.yml
│   │   │   └── remove.yml
│   │   └── templates
│   │       ├── Centos-7.repo
│   │       └── epel-7.repo
│   ├── 5_sshconfig
│   │   └── tasks
│   │       ├── config.yml
│   │       ├── main.yml
│   │       └── restart.yml
│   ├── 6_rpm_upgrade
│   │   └── tasks
│   │       ├── main.yml
│   │       └── upgrade.yml
│   ├── 7_kernel_upgrade
│   │   ├── files
│   │   │   └── kernel-lt-4.4.228-2.el7.elrepo.x86_64.rpm
│   │   ├── tasks
│   │   │   ├── config.yml
│   │   │   ├── copypkg.yml
│   │   │   ├── install.yml
│   │   │   └── main.yml
│   │   └── vars
│   │       └── main.yml
│   ├── 8_ntp_server
│   │   └── tasks
│   │       ├── config.yml
│   │       ├── install.yml
│   │       ├── main.yml
│   │       └── start.yml
│   └── 9_install_some_must
│       └── tasks
│           ├── install.yml
│           └── main.yml
└── site.yml

30 directories, 39 files
hosts
[nodes]
#10.0.30.1 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.2 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.3 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.4 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.5 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.6 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.7 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.8 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.9 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.10 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.11 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.12 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.13 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.14 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.15 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.16 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.30.17 ansible_ssh_user=root ansible_ssh_pass=123456
site.yml
- hosts: nodes
  remote_user: root
  roles:
    - 1_copy_ssh_key
    - 2_close_selinux
    - 3_close_firewalld
    - 4_copy_repo
    - 5_sshconfig
    - 6_rpm_upgrade
    - 7_kernel_upgrade
    - 8_ntp_server
    - 9_install_some_must
    - 10_kernal_optimization
    - 11_max_limits
    - 12_disable_ipv6
There are 12 roles in total:
- 1_copy_ssh_key - copies the SSH public key to the hosts and sets up key-based SSH trust
- 2_close_selinux - disables SELinux
- 3_close_firewalld - disables firewalld
- 4_copy_repo - copies the yum repo files
- 5_sshconfig - changes the sshd parameters UseDNS and GSSAPIAuthentication
- 6_rpm_upgrade - upgrades all rpm packages
- 7_kernel_upgrade - upgrades the kernel
- 8_ntp_server - configures NTP time synchronization
- 9_install_some_must - installs some must-have CentOS packages
- 10_kernal_optimization - applies some kernel tuning parameters
- 11_max_limits - raises the maximum number of file handles
- 12_disable_ipv6 - disables IPv6
1_copy_ssh_key
roles/1_copy_ssh_key/
└── tasks
    └── main.yml

1 directory, 1 file
tasks/main.yml
- name: Set authorized key taken from file
  authorized_key:
    user: root
    state: present
    key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
2_close_selinux
roles/2_close_selinux/
└── tasks
    ├── main.yml
    └── selinux.yml

1 directory, 2 files
tasks/main.yml
- name: Get selinux
  shell: getenforce
  register: sestatus

- include: selinux.yml
  when: sestatus.stdout != 'Disabled'
- getenforce reports whether SELinux is enabled on the remote host
- if it is, selinux.yml is included and executed
- without this check the play fails on hosts where SELinux is already disabled
tasks/selinux.yml
- name: close selinux
  shell: setenforce 0

- name: disabled selinux
  replace:
    path: /etc/selinux/config
    # anchored, and matching permissive as well: the include above also runs on
    # hosts that are currently Permissive, which a bare "SELINUX=enforcing" would skip
    regexp: "^SELINUX=(enforcing|permissive)"
    replace: "SELINUX=disabled"
3_close_firewalld
roles/3_close_firewalld/
└── tasks
    └── main.yml

1 directory, 1 file
tasks/main.yml
- name: close firewalld
  systemd:
    name: firewalld
    state: stopped
    enabled: no
4_copy_repo
roles/4_copy_repo/
├── tasks
│   ├── copy.yml
│   ├── main.yml
│   └── remove.yml
└── templates
    ├── Centos-7.repo
    └── epel-7.repo
First download the repo files into the templates directory with curl:
curl http://mirrors.aliyun.com/repo/Centos-7.repo -o roles/4_copy_repo/templates/Centos-7.repo
curl http://mirrors.aliyun.com/repo/epel-7.repo -o roles/4_copy_repo/templates/epel-7.repo
tasks/main.yml
- include: remove.yml
- include: copy.yml
tasks/remove.yml
- name: Find system repo files
  find:
    paths: /etc/yum.repos.d
    patterns: '*.repo'
  register: system_repo

- name: Remove system repo files
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ system_repo.files }}"
The find module first locates the system's default *.repo files, which the file module then deletes.
tasks/copy.yml
- name: Copy repo files
  template:
    src: "{{ item }}"
    dest: "/etc/yum.repos.d/{{ item }}"
  with_items:
    - Centos-7.repo
    - epel-7.repo
The files are copied with the template module; the copy module would work here as well.
5_sshconfig
roles/5_sshconfig/
└── tasks
    ├── config.yml
    ├── main.yml
    └── restart.yml

1 directory, 3 files
tasks/main.yml
- include: config.yml
- include: restart.yml
tasks/config.yml
- name: update ssh config parameter UseDNS
  replace:
    path: /etc/ssh/sshd_config
    regexp: "^#UseDNS yes"
    replace: "UseDNS no"

- name: update ssh config parameter GSSAPIAuthentication
  replace:
    path: /etc/ssh/sshd_config
    regexp: "^GSSAPIAuthentication yes"
    replace: "GSSAPIAuthentication no"
UseDNS: when a client tries to log in, the SSH server first performs a reverse DNS (PTR) lookup on the client's IP address to obtain its hostname; it is recommended to turn this off.
GSSAPIAuthentication: at login the client has to reverse-resolve the server's IP address, and if the server's IP has no PTR record the login easily gets stuck at this point; it is recommended to turn this off.
tasks/restart.yml
- name: restart sshd
  systemd:
    name: sshd
    state: restarted
6_rpm_upgrade
roles/6_rpm_upgrade/
└── tasks
    ├── main.yml
    └── upgrade.yml

1 directory, 2 files
tasks/main.yml
- include: upgrade.yml
tasks/upgrade.yml
- name: upgrade all rpm
  yum:
    name: '*'
    state: latest
    exclude: kernel*
7_kernel_upgrade
roles/7_kernel_upgrade/
├── files
│   └── kernel-lt-4.4.228-2.el7.elrepo.x86_64.rpm
├── tasks
│   ├── config.yml
│   ├── copypkg.yml
│   ├── install.yml
│   └── main.yml
└── vars
    └── main.yml

3 directories, 6 files
First download the kernel rpm package into the files directory, then define the variables:
vars/main.yml
KERNEL_VERSION: "4.4.228-2"
DOWNLOAD_DIR: "/usr/local/src/"
tasks/main.yml
- include: copypkg.yml
- include: install.yml
- include: config.yml
tasks/copypkg.yml
- name: Copy kernel-lt package
  copy:
    src: "kernel-lt-{{ KERNEL_VERSION }}.el7.elrepo.x86_64.rpm"
    dest: "{{ DOWNLOAD_DIR }}"
Copies the kernel rpm package to the target host.
tasks/install.yml
- name: install kernel-lt
  yum:
    name: "{{ DOWNLOAD_DIR }}/kernel-lt-{{ KERNEL_VERSION }}.el7.elrepo.x86_64.rpm"
    state: present
tasks/config.yml
- name: update boot kernel
  shell: "grub2-set-default 0"

- name: update boot grub
  shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
8_ntp_server
roles/8_ntp_server/
└── tasks
    ├── config.yml
    ├── install.yml
    ├── main.yml
    └── start.yml

1 directory, 4 files
tasks/main.yml
- include: install.yml
- include: config.yml
- include: start.yml
tasks/install.yml
- name: install ntp ntpdate rpm
  yum:
    name:
      - ntp
      - ntpdate
    state: latest
tasks/config.yml
- name: delete default configuration
  lineinfile:
    dest: /etc/ntp.conf
    regexp: "^server"
    state: absent

- name: delete ntpdate configuration
  lineinfile:
    dest: /etc/ntp/step-tickers
    regexp: "^0"
    state: absent

- name: add ntp server
  lineinfile:
    dest: /etc/ntp.conf
    line: "{{ item }}"
  # one item per server line: a single quoted string spanning two lines is
  # folded into one line by YAML, producing one invalid "server" directive
  with_items:
    - "server tiger.sina.com.cn"
    - "server ntp1.aliyun.com"

- name: add ntpdate configuration
  lineinfile:
    dest: /etc/ntp/step-tickers
    line: "ntp1.aliyun.com"
- /etc/ntp.conf is configured: the ntpd server configuration file
- /etc/ntp/step-tickers is configured: the ntpdate configuration file
tasks/start.yml
- name: start ntpd
  systemd:
    name: ntpd
    state: started
    enabled: yes
Starts the service and enables it at boot.
9_install_some_must
roles/9_install_some_must/
└── tasks
    ├── install.yml
    └── main.yml

1 directory, 2 files
tasks/main.yml
- include: install.yml
tasks/install.yml
- name: yum install some must rpm
  yum:
    name:
      - vim
      - wget
      - unzip
      - htop
      - iftop
      - iotop
      - gcc
      - net-tools
This package list can be customised as required.
10_kernal_optimization
roles/10_kernal_optimization/
├── files
│   └── my-default.conf
└── tasks
    ├── config.yml
    ├── copyfile.yml
    └── main.yml

2 directories, 4 files
files/my-default.conf
fs.file-max = 655350
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 2000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_max_syn_backlog = 20000
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
vm.swappiness = 1
The parameters are not explained here; look them up and add or remove entries as needed.
tasks/main.yml
- include: copyfile.yml
- include: config.yml
tasks/copyfile.yml
- name: copy sysctl file
  copy:
    src: my-default.conf
    dest: /etc/sysctl.d/
tasks/config.yml
- name: sysctl enable
  shell: sysctl -p /etc/sysctl.d/my-default.conf
Running the command applies the file, and the settings take effect permanently.
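An added check, not part of the original playbook: it parses the role's sysctl file and a `sysctl -a` dump and reports every key the kernel does not report with the wanted value. Both inputs are constructed here (the conf text is a subset of my-default.conf, the dump is invented), and the multi-value key ip_local_port_range shows why values must be whitespace-normalised before comparing.

```python
import re

# Subset of the role's files/my-default.conf, as shown on the page.
MY_DEFAULT_CONF = """\
fs.file-max = 655350
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 65535
vm.swappiness = 1
"""

# Constructed excerpt of `sysctl -a` from a host after the play ran (not real output):
# somaxconn was not applied, and tcp_tw_recycle is absent, as it is on kernels newer
# than the 4.4 series this playbook installs (the knob was removed in Linux 4.12).
SYSCTL_A = """\
fs.file-max = 655350
net.core.somaxconn = 128
net.ipv4.ip_local_port_range = 1024\t65535
net.ipv4.tcp_syncookies = 1
vm.swappiness = 1
"""

def parse_sysctl(text):
    """Parse `key = value` lines from a sysctl.d file or `sysctl -a` output.
    Comments (# or ;) and blank lines are skipped; whitespace inside values is
    normalised so "1024 65535" (file) equals "1024\\t65535" (kernel output)."""
    out = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        out[key] = " ".join(value.split())
    return out

def sysctl_drift(wanted, running):
    """Return [(key, wanted_value, running_value_or_None)] for every key in the
    role's file that the kernel does not currently report with the same value."""
    return [(k, v, running.get(k)) for k, v in wanted.items() if running.get(k) != v]

def check_host(conf_text=MY_DEFAULT_CONF, sysctl_a_text=SYSCTL_A):
    """Drift of the role's file against a live (here: constructed) sysctl dump."""
    return sysctl_drift(parse_sysctl(conf_text), parse_sysctl(sysctl_a_text))

if __name__ == "__main__":
    for key, want, have in check_host():
        print(f"{key}: wanted {want!r}, kernel reports {have!r}")
```

On a real node, feed it the output of `sysctl -a` instead of the constructed dump.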
11_max_limits
roles/11_max_limits/
├── tasks
│   ├── boot.yml
│   ├── main.yml
│   └── modify.yml
└── vars
    └── main.yml

2 directories, 4 files
vars/main.yml
LIMITS_FILE: "/etc/security/limits.conf"
BOOT_FILE: "/etc/rc.d/rc.local"
Defines the variables.
tasks/main.yml
- include: modify.yml
- include: boot.yml
tasks/modify.yml
- name: modify limits
  lineinfile:
    dest: "{{ LIMITS_FILE }}"
    line: "{{ item }}"
  # one item per line: a single quoted string spanning four lines is folded
  # into one line by YAML, which limits.conf cannot parse
  with_items:
    - "* soft nproc 65535"
    - "* hard nproc 65535"
    - "* soft nofile 65535"
    - "* hard nofile 65535"
  # CentOS 7 also ships /etc/security/limits.d/20-nproc.conf, whose "* soft nproc"
  # entry is read later and overrides this one for non-root users
Appends the entries to /etc/security/limits.conf.
tasks/boot.yml
- name: add ulimit to rc.local
  lineinfile:
    dest: "{{ BOOT_FILE }}"
    line: "ulimit -SHn 65535"

- name: add permission
  file:
    path: "{{ BOOT_FILE }}"
    owner: root
    group: root
    mode: '0755'

# note: this only raises the limit inside the shell that runs the task;
# new login sessions pick the value up from limits.conf
- name: temporary ulimit
  shell: "ulimit -SHn 65535"
Makes the limit take effect both immediately and permanently.
12_disable_ipv6
roles/12_disable_ipv6/
└── tasks
    ├── disipv6.yml
    ├── grub.yml
    └── main.yml

1 directory, 3 files
tasks/main.yml
- include: disipv6.yml
- include: grub.yml
tasks/disipv6.yml
- name: modify grub
  lineinfile:
    path: /etc/default/grub
    regexp: "(GRUB_CMDLINE_LINUX.*quiet)"
    # single-quoted: \1 is not a valid escape inside a double-quoted YAML scalar;
    # the trailing " re-closes the GRUB_CMDLINE_LINUX value that the capture group cut off
    line: '\1 ipv6.disable=1"'
    backrefs: yes
Note: a simple regular expression with a back-reference is used here.
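Ansible's lineinfile evaluates this regexp with Python's re module, so the task's effect on /etc/default/grub can be replayed offline. The example below is added here and is not from the page: it mimics lineinfile with backrefs=yes, runs the role's own regexp and line over constructed grub contents, shows what the simple regex silently drops or skips, and compares it with a stricter regexp of my own (SAFE_REGEXP, an assumption, not the author's).

```python
import re

def lineinfile_backrefs(lines, regexp, line):
    """Mimic ansible's lineinfile with backrefs=yes: the last line matching
    `regexp` is rewritten as `line` with its \\1-style groups expanded; when
    nothing matches the file is left untouched (no line is appended)."""
    pat = re.compile(regexp)
    hit = None
    for i, text in enumerate(lines):
        if pat.search(text):
            hit = i
    if hit is None:
        return list(lines), False
    out = list(lines)
    out[hit] = pat.search(lines[hit]).expand(line)
    return out, out[hit] != lines[hit]

# The role's own pair from tasks/disipv6.yml.
ROLE_REGEXP = r"(GRUB_CMDLINE_LINUX.*quiet)"
ROLE_LINE = r'\1 ipv6.disable=1"'

# Hardened regexp (my suggestion, not from the page): capture everything inside the
# quotes, so parameters after "quiet" survive and "quiet" is not required, and refuse
# to match once the flag is already present, so a second run changes nothing.
SAFE_REGEXP = r'^(GRUB_CMDLINE_LINUX="(?!.*ipv6\.disable=)[^"]*)"\s*$'

def disable_ipv6(grub_text, regexp=ROLE_REGEXP, line=ROLE_LINE):
    """Apply the task to the text of /etc/default/grub; return (new_text, changed)."""
    new_lines, changed = lineinfile_backrefs(grub_text.splitlines(), regexp, line)
    return "\n".join(new_lines) + "\n", changed

def cmdline(grub_text):
    """The value inside GRUB_CMDLINE_LINUX="..." (None when the quoting is broken)."""
    m = re.search(r'^GRUB_CMDLINE_LINUX="([^"]*)"$', grub_text, re.M)
    return m.group(1) if m else None

# Constructed /etc/default/grub contents (not taken from the page).
STOCK = 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rhgb quiet"\n'
EXTRA = 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet net.ifnames=0"\n'
NOQUIET = 'GRUB_CMDLINE_LINUX="console=ttyS0,115200 crashkernel=auto"\n'

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("extra", EXTRA), ("noquiet", NOQUIET)):
        for label, rx in (("role", ROLE_REGEXP), ("safe", SAFE_REGEXP)):
            print(f"{name:8s} {label}: {cmdline(disable_ipv6(text, rx)[0])}")
```

With the role's regexp, the stock line is handled and a rerun is a no-op, but anything after "quiet" is discarded and a host without "quiet" is skipped without any error.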
tasks/grub.yml
- name: renew grub.cfg
  shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"

# only valid on UEFI hosts: on a BIOS-only host this path does not exist and the
# task fails, so guard it (for example with a stat of /sys/firmware/efi and a when:)
- name: renew efi grub
  shell: "grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg"
Run:
[root@ansible ~/ansible/system_init]# ansible-playbook -i hosts site.yml