Ansible - Introduction
Ansible is an open-source tool for automating operations and deployment work. It raises operators' efficiency and reduces human error. Ansible drives its automation over the SSH protocol, so managed nodes need no agent software installed.
Roles
A playbook is a repeatable list of tasks written in YAML: routine operations are written into a playbook file so they can be run again and again.
Roles give playbooks structure: each playbook can be regarded as one function, and a role is composed from several such functions.
Environment setup
- Basic server and client configuration
Device | Hostname | IP address | Services |
---|---|---|---|
Control node | client.kylin.com | 192.168.189.120/24 | ansible, sshd |
Managed node | server.kylin.com | 192.168.189.100/24 | sshd |
Project task description
A company needs to deploy a MySQL service cluster. Because there are many servers, and given the automation technologies available on the market, Ansible was chosen.
Configuration steps
Configuration process
1. Configure SSH keys and log in with key-based authentication
plengong@plengong-vmwarevirtualplatform:~/Desktop$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/plengong/.ssh/id_rsa):
Created directory '/home/plengong/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/plengong/.ssh/id_rsa
Your public key has been saved in /home/plengong/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:tr3v6EgdY42W0fbmAjBNX2fM6C9rMmjWpI/35PtkRx0 plengong@plengong-vmwarevirtualplatform
The key's randomart image is:
+---[RSA 3072]----+
| . .+o|
| o o ..oo|
| o o +. E |
| o * .. o|
| S O . o.o|
| . * +.o...|
| o o=. oo+|
| . .=+=+oo.|
| .+==+=+o.|
+----[SHA256]-----+
plengong@plengong-vmwarevirtualplatform:~/Desktop$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/plengong/.ssh/id_rsa.pub"
The authenticity of host '192.168.85.100 (192.168.85.100)' can't be established.
ECDSA key fingerprint is SHA256:5fU6dObB1SdLgsUmhFAW/SlEjk4AfEIH2CW7pftNw6o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Authorized users only. All activities may be monitored and reported.
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
plengong@plengong-vmwarevirtualplatform:~/Desktop$
2. Install Ansible on the control node and edit its configuration file
Install Ansible
plengong@plengong-vmwarevirtualplatform:~/Desktop$ sudo apt install ansible -y
Input Password
Reading package lists... Done
Building dependency tree
Reading state information... Done
Setting up ansible (2.9.6+dfsg-1) ...
Edit the configuration file and set up the host inventory
- Edit the configuration file
Line | Parameter | Meaning |
---|---|---|
14 | inventory = /etc/ansible/hosts | Path of the host inventory |
68 | roles_path = /etc/ansible/roles | Path of the roles directory |
71 | host_key_checking = False | Disables SSH host key checking |
106 | remote_user = root | Default login user on managed nodes |
plengong@plengong-vmwarevirtualplatform:~/Desktop$ sudo vim /etc/ansible/ansible.cfg
14 inventory = /etc/ansible/hosts
68 roles_path = /etc/ansible/roles
71 host_key_checking = False
107 remote_user = root
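The ssh-copy-id step above accepted the managed node's ECDSA fingerprint interactively, and the ansible.cfg edit then sets host_key_checking = False, which makes Ansible skip that check on every later connection. Keeping the check enabled and pre-seeding known_hosts with a fingerprint confirmed out of band keeps the same convenience without giving up protection against a man-in-the-middle. The following Python is an added example, not code from this page or from Ansible: it computes the OpenSSH-style SHA256 fingerprint of a public key line, compares it with the expected value and only then builds the known_hosts entry. The key line, host address and expected fingerprint it uses are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from typing import List


def make_sample_pubkey_line(key_type: str = "ssh-ed25519", raw: bytes = bytes(range(32))) -> str:
    """Constructed sample: build an OpenSSH public key line for the example.
    This is not the page's real host key. Wire format: string(type) + string(key bytes)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(raw)) + raw
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint as printed by ssh and ssh-keygen -lf:
    'SHA256:' followed by the unpadded base64 of sha256(key blob)."""
    key_type, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_fingerprint(pubkey_line: str, expected: str) -> bool:
    """Compare against the fingerprint obtained out of band (console, provisioning record)."""
    return hmac.compare_digest(fingerprint_sha256(pubkey_line), expected)


def known_hosts_line(host: str, pubkey_line: str) -> str:
    """Build a known_hosts entry: '<host> <key type> <base64 key>' (the comment is dropped)."""
    key_type, b64blob = pubkey_line.split()[:2]
    return f"{host} {key_type} {b64blob}"


def seed_known_hosts(host: str, pubkey_line: str, expected_fp: str, known_hosts: List[str]) -> List[str]:
    """Append the host only if its fingerprint matches the expected value; refuse otherwise.
    Returns the updated list so the caller can write it to ~/.ssh/known_hosts."""
    if not verify_fingerprint(pubkey_line, expected_fp):
        raise ValueError(f"host key fingerprint mismatch for {host}")
    line = known_hosts_line(host, pubkey_line)
    if line not in known_hosts:
        known_hosts.append(line)
    return known_hosts


if __name__ == "__main__":
    sample = make_sample_pubkey_line()
    fp = fingerprint_sha256(sample)          # the value to confirm against the node's console
    print(seed_known_hosts("192.168.189.100", sample, fp, []))
```

Seed known_hosts this way on the control node and leave host_key_checking at its default of True. ssh-keyscan can fetch the public key line over the network, but the fingerprint it is compared with has to come from the managed node's console or provisioning record, not from the same network path that an attacker could sit on.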
- Set up the host inventory
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$ cat hosts
[mysql]
192.168.189.100
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$ ansible mysql -m ping
[WARNING]: Platform linux on host 192.168.189.100 is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change
this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
192.168.189.100 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$
3. Create the role and define its tasks
Create the mysql_install role
plengong@plengong-vmwarevirtualplatform:~/Desktop$ cp -a /etc/ansible/ ./
plengong@plengong-vmwarevirtualplatform:~/Desktop$ cd ansible/
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$ mkdir -p roles
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$ cd roles/
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible/roles$ ansible-galaxy init mysq_install
- Role mysq_install was created successfully
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible/roles$ cd mysq_install/
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible/roles/mysq_install$ ls -al
total 48
drwxrwxr-x 10 plengong plengong 4096 Dec 15 21:45 .
drwxrwxr-x 3 plengong plengong 4096 Dec 15 21:45 ..
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 defaults
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 files
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 handlers
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 meta
-rw-rw-r-- 1 plengong plengong 1328 Dec 15 21:45 README.md
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 tasks
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 templates
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 tests
-rw-rw-r-- 1 plengong plengong 539 Dec 15 21:45 .travis.yml
drwxrwxr-x 2 plengong plengong 4096 Dec 15 21:45 vars
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible/roles/mysq_install$
Define the role tasks
Directory | Notes |
---|---|
tasks | The tasks the role executes |
files | Static files the role uses |
- Add the boost and mysql source archives and the setup script to files
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible/roles/mysql_install/files$ ls -l
total 131084
-rwxrw-rw- 1 plengong plengong 83709983 Dec 15 00:24 boost_1_59_0.tar.gz
-rwxrw-rw- 1 plengong plengong 75 Dec 15 14:07 env.sh
-rwxrw-rw- 1 plengong plengong 50509574 Dec 13 20:50 mysql-5.7.16.tar.gz
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible/roles/mysql_install/files$
- Deployment tasks in tasks
- Modules used and their purpose in this playbook
Module | Description |
---|---|
script | Script module: runs a script on the managed node |
file | File module: creates a directory |
unarchive | Unarchive module: copies an archive to the managed node and extracts it |
user | User module: creates a user |
shell | Shell module: runs a command |
service | Service module: sets a service's state |
- env.yml

```yaml
---
# Run the environment script from the role's files/ directory on the managed node
- name: Create ENV
  script: env.sh
# Data directory for the MySQL build
- name: Mysql Program Folder
  file:
    path: /usr/local/mysql/var
    state: directory
# unarchive copies the archive from files/ to the managed node and extracts it there
- name: Decompress Boost Source Code
  unarchive:
    src: boost_1_59_0.tar.gz
    dest: /usr/local
- name: Decompress Mysql Source Code
  unarchive:
    src: mysql-5.7.16.tar.gz
    dest: /usr/local
```
- install.yml

```yaml
---
- name: Compile Mysql Source Code
  shell:
    cmd: "cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DMYSQL_DATADIR=/usr/local/mysql/var -DSYSCONFDIR=/etc -DWITH_BOOST=/usr/local/boost_1_59_0 && make && make install"
    chdir: /usr/local/mysql-5.7.16
# Service account with no interactive login
- name: Create User
  user:
    name: mysql
    shell: /sbin/nologin
# Initializes the data directory; with 5.7 this writes the initial root password to /root/.mysql_secret
- name: Initialize Mysql
  shell: /usr/local/mysql/bin/mysql_install_db --user mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var
- name: Create Mysql Configuration File and Server
  shell: rm -rf /etc/my.cnf && cp /usr/local/mysql/support-files/my-default.cnf /etc/my.cnf && cp /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysqld && chmod a+x /etc/rc.d/init.d/mysqld
- name: Create Server Start item
  shell: chkconfig --add mysqld && chkconfig mysqld on
# '>>' appends to /etc/profile; a single '>' would replace the whole file with this one line
- name: Add mysql environment variables
  shell: echo 'export PATH=$PATH:/usr/local/mysql/bin' >> /etc/profile && source /etc/profile
- name: start Server and enabled
  service:
    name: mysqld
    state: started
    enabled: yes
```
- main.yml

```yaml
---
# tasks file for mysql_install
- include: env.yml
- include: install.yml
```
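Most of the install.yml tasks above go through the shell module, and Ansible's own run later warns about the rm call. A small pre-commit check over the task list catches the patterns a reviewer would flag before the playbook reaches a fleet: shell tasks with no creates/removes guard (they rerun, and recompile, on every play), rm where file with state=absent is meant, a single '>' redirect into a file under /etc (which truncates it), and source, which only affects the task's own subshell. The Python below is an added example, not part of the page's role or of Ansible. Its task list is a constructed transcription modelled on install.yml, with a truncating '>' redirect kept deliberately so that check fires, and it deliberately avoids PyYAML so it runs with the standard library alone.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample modelled on the install.yml tasks above (not the page's file itself).
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "Compile Mysql Source Code",
     "shell": {"cmd": "cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql && make && make install",
               "chdir": "/usr/local/mysql-5.7.16"}},
    {"name": "Create User", "user": {"name": "mysql", "shell": "/sbin/nologin"}},
    {"name": "Initialize Mysql",
     "shell": "/usr/local/mysql/bin/mysql_install_db --user mysql --basedir=/usr/local/mysql"},
    {"name": "Create Mysql Configuration File and Server",
     "shell": "rm -rf /etc/my.cnf&&cp /usr/local/mysql/support-files/my-default.cnf /etc/my.cnf"},
    {"name": "Create Server Start item", "shell": "chkconfig --add mysqld&&chkconfig mysqld on"},
    {"name": "Add mysql environment variables",
     "shell": "echo 'export PATH=$PATH:/usr/local/mysql/bin' > /etc/profile&&source /etc/profile"},
    {"name": "start Server and enabled",
     "service": {"name": "mysqld", "state": "started", "enabled": "yes"}},
]


def shell_command(task: Dict[str, Any]) -> Optional[Tuple[str, Dict[str, Any]]]:
    """Return (command string, module args) for a shell/command task, None for other modules.
    Handles both the free-form string and the dict-with-cmd spellings used in install.yml."""
    for module in ("shell", "command"):
        if module in task:
            spec = task[module]
            if isinstance(spec, dict):
                return spec.get("cmd", ""), spec
            return str(spec), {}
    return None


def lint_task(task: Dict[str, Any]) -> List[str]:
    """Return one finding per risky pattern in a shell/command task."""
    findings: List[str] = []
    found = shell_command(task)
    if found is None:
        return findings
    cmd, args = found
    name = task.get("name", "<unnamed>")
    # 1. Without creates/removes the command runs on every play (a full rebuild here).
    if not any(k in args for k in ("creates", "removes")):
        findings.append(f"{name}: shell task has no creates/removes guard, so it is not idempotent")
    # 2. rm as a command word: Ansible's own warning suggests file state=absent instead.
    if re.search(r"(^|[\s;&|])rm\s", cmd):
        findings.append(f"{name}: uses rm; prefer the file module with state=absent")
    # 3. A lone '>' into a file under /etc replaces the whole file; '>>' or lineinfile is intended.
    if re.search(r"(?<!>)>(?!>)\s*/etc/", cmd):
        findings.append(f"{name}: '>' overwrites a file under /etc; use '>>' or lineinfile")
    # 4. source only changes the environment of this task's own shell.
    if re.search(r"(^|[\s;&|])source\s", cmd):
        findings.append(f"{name}: 'source' has no effect beyond this task's shell")
    return findings


def lint_tasks(tasks: List[Dict[str, Any]]) -> List[str]:
    """Lint every task in a tasks file and collect the findings."""
    out: List[str] = []
    for task in tasks:
        out.extend(lint_task(task))
    return out


if __name__ == "__main__":
    for finding in lint_tasks(SAMPLE_TASKS):
        print(finding)
```

The same checks could be expressed as ansible-lint rules; the point of the stand-alone version is that it can run in CI against the role's tasks with nothing but Python installed, and a guarded task such as a shell step with creates set to the installed binary passes cleanly.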
Run the playbook that calls the role to compile and install MySQL
- Write the playbook that calls the role
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$ cat mysql.yml
---
- name: one
  hosts: mysql
  roles:
    - mysql_install
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$ ansible-playbook mysql.yml
PLAY [one] *********************************************************************
TASK [Gathering Facts] *********************************************************
[WARNING]: Platform linux on host 192.168.189.100 is using the discovered
Python interpreter at /usr/bin/python, but future installation of another
Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/
reference_appendices/interpreter_discovery.html for more information.
ok: [192.168.189.100]
TASK [mysql_install : Create ENV] **********************************************
changed: [192.168.189.100]
TASK [mysql_install : Mysql Program Folder] ************************************
changed: [192.168.189.100]
TASK [mysql_install : Decompress Boost Source Code] ****************************
changed: [192.168.189.100]
TASK [mysql_install : Decompress Mysql Source Code] ****************************
changed: [192.168.189.100]
TASK [mysql_install : Compile Mysql Source Code] *******************************
changed: [192.168.189.100]
TASK [mysql_install : Create User] *********************************************
changed: [192.168.189.100]
TASK [mysql_install : Initialize Mysql] ****************************************
changed: [192.168.189.100]
TASK [mysql_install : Create Mysql Configuration File and Server] **************
[WARNING]: Consider using the file module with state=absent rather than running
'rm'. If you need to use command because file is insufficient you can add
'warn: false' to this command task or set 'command_warnings=False' in
ansible.cfg to get rid of this message.
changed: [192.168.189.100]
TASK [mysql_install : Create Server Start item] ********************************
changed: [192.168.189.100]
TASK [mysql_install : Add mysql environment variables] *************************
changed: [192.168.189.100]
TASK [mysql_install : start Server and enabled] ********************************
changed: [192.168.189.100]
PLAY RECAP *********************************************************************
192.168.189.100 : ok=12 changed=11 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
plengong@plengong-vmwarevirtualplatform:~/Desktop/ansible$
Hardening MySQL
[root@localhost ~]# mysql_secure_installation
Securing the MySQL server deployment.
Connecting to MySQL server using password in '/root/.mysql_secret'
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: yes
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Using existing password for root.
Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : yes
New password:
Re-enter new password:
Estimated strength of the password: 100
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : yes
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : yes
Success.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : yes
Success.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : yes
- Dropping test database...
Success.
- Removing privileges on test database...
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : yes
Success.
All done!
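The three validate_password levels printed above form a concrete policy: LOW is length alone, MEDIUM adds a digit, lower case, upper case and a special character, and STRONG adds a dictionary check (MySQL rejects a password containing any substring of four or more characters that matches a dictionary word). The Python below is an added example, not code from this page or from MySQL: it classifies a candidate password against those levels and lists the SQL statements equivalent to the yes answers given above (remove anonymous users, restrict root to local connections, drop the test database), which is what mysql_secure_installation issues for those answers on a 5.7 server; treat the exact statement text as an assumption to check against your version. The dictionary is a constructed stand-in for the STRONG level's dictionary file.

```python
from typing import Iterable, List

# Policy levels in the order mysql_secure_installation numbers them.
LOW, MEDIUM, STRONG = 0, 1, 2

# Constructed stand-in for the dictionary file used by the STRONG level.
SAMPLE_DICTIONARY = {"password", "mysql", "admin", "kylin", "root"}


def password_level(pw: str, dictionary: Iterable[str] = SAMPLE_DICTIONARY) -> int:
    """Return the highest level the candidate satisfies, or -1 if it fails even LOW.
    LOW: length >= 8. MEDIUM: plus digit, lower, upper and special characters.
    STRONG: plus no case-insensitive substring of length >= 4 that is a dictionary word."""
    if len(pw) < 8:
        return -1
    has_digit = any(c.isdigit() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    if not (has_digit and has_lower and has_upper and has_special):
        return LOW
    lowered = pw.lower()
    words = {w.lower() for w in dictionary if len(w) >= 4}
    # Scan every substring of length 4 or more, as the dictionary check does.
    for length in range(4, len(lowered) + 1):
        for start in range(len(lowered) - length + 1):
            if lowered[start:start + length] in words:
                return MEDIUM
    return STRONG


def hardening_statements(remove_anonymous: bool = True, local_root_only: bool = True,
                         drop_test_db: bool = True) -> List[str]:
    """SQL equivalent of the answers given to mysql_secure_installation (5.7 grant tables).
    The root-password change itself is done with ALTER USER, as in the verification section."""
    stmts: List[str] = []
    if remove_anonymous:
        stmts.append("DELETE FROM mysql.user WHERE User='';")
    if local_root_only:
        stmts.append("DELETE FROM mysql.user WHERE User='root' "
                     "AND Host NOT IN ('localhost', '127.0.0.1', '::1');")
    if drop_test_db:
        stmts.append("DROP DATABASE IF EXISTS test;")
        stmts.append("DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';")
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


if __name__ == "__main__":
    for candidate in ("abcdefgh", "Mysql99!x", "Tr0ub4dor&3"):
        print(candidate, password_level(candidate))
    print("\n".join(hardening_statements()))
```

Running the classifier in a pre-deployment check lets the role refuse a root password that would not pass the STRONG policy selected above, instead of discovering it interactively on each node; the statement list is what an Ansible mysql_user/mysql_db task sequence would have to reproduce to make the hardening step non-interactive.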
Project task verification
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.16
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> alter user 'root'@'localhost' identified by 'MMS12ge**hao';
Query OK, 0 rows affected (0.00 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.00 sec)
mysql>