一、应用场景
大规模部署。
要求保持环境一致性
涉及到大量配置繁琐的服务
二、部署规划以及实现的功能
Ansible-Playbook统一调度
分发秘钥
分发大容量文件
服务器初始化
部署服务
服务器安全配置
三、Ansible-playbook逻辑解读
1.Ansible-Playbook统一调度
[root@master src]# cat /opt/playbook/test.yaml
---
- hosts: test #定义的主机组,即应用的主机
remote_user: root # 远程用户为root
tasks:
- name: mkdir ssh dir #开始使用密码部署,需要安装sshpass
shell: mkdir -p /root/scripts/.ssh
- name: copy ssh file
copy: src=/root/scripts/.ssh/authorized_keys dest=/root/.ssh/authorized_keys
- name: rsync scripts #传输秘钥后可以实现rsync传输
synchronize: src=/root/scripts dest=/root rsync_opts=-avuz # rsync增量传输
- name: rsync tomcat jdk
synchronize: src=/opt/service dest=/opt rsync_opts=-avuz
- name: "initialize"
shell: sh /root/scripts/auto_fdisk.sh
- shell: sh /root/scripts/useradd.sh #存在多个相同模块时,后面的木块要加-
- shell: sh /root/scripts/init.sh
- shell: sh /root/scripts/service.sh
2./opt/service目录主要是需要传输的服务如tomcat、jdk
[root@master playbook]# tree -L 1 /opt/service
/opt/service
├── apache-tomcat-6.0.45
├── apache-tomcat-7.0.82
├── jdk1.6.0_13
├── jdk1.7.0_80
└── jdk1.8.0_181
3./root/scripts 主要是急需要执行的脚本和一些功能文件
[root@master playbook]# tree -L 1 -a /root/scripts
/root/scripts
├── auto_fdisk.sh #磁盘格式化脚本
├── bash_profile #JDK环境变量文件
├── host_name.txt #主机信息模板
├── init.sh #初始化脚本
├── iptables.sh #防火墙规则配置
├── limits.conf #内核优化
├── rm.sh #还原脚本
├── root #计划任务文件
├── service.sh #服务部署脚本
├── .ssh #秘钥目录
├── sysctl.conf #内核优化
└── useradd.sh #增加用户
四、部分功能脚本解析
1.增加用户
[root@master scripts]# cat useradd.sh
useradd Development
su Development
cd ~/
mkdir .ssh
chmod 700 .ssh
cd .ssh/
(cat << EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbJ3nlWAAtsdV7ivuBllojMQOIbVQrKcrpwaQAewCtZQFAh7d8J8uSn6Rxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bzGASDdbrwSIrAlu4M0yMRXP Development
EOF
) > /home/Development/.ssh/authorized_keys
chmod 600 /home/Development/.ssh/authorized_keys
exit
if ! grep 'Development' /etc/sudoers;then
chmod 700 /etc/sudoers
echo 'Development ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
chmod 400 /etc/sudoers
fi
echo 'AAAAAAAAAA' |sudo passwd --stdin saas #统一服务账号密码
echo 'BBBBBBBBBB' |sudo passwd --stdin root #统一root账号密码
[root@master scripts]# cat init.sh
#!/bin/bash
#修改系统参数和系统调优,防火墙规则配置
init(){
sed -i s\#'PermitRootLogin yes'\#'PermitRootLogin no'\#g /etc/ssh/sshd_config
systemctl restart sshd
#系统调优
rm -f /etc/security/limits.conf /etc/sysctl.conf
cp /root/scripts/limits.conf /etc/security/limits.conf && cp /root/sysctl.conf /etc/sysctl.conf
sysctl -p
#主机名
intranet_ip=$(ip addr show eth0|grep "([0-9]{1,3}[\.]){3}[0-9]{1,3}" -E -o|sed -n 1p)
host_name=$(grep $intranet_ip /root/scripts/host_name.txt|awk '{print $2}')
echo "$host_name" > /etc/hostname
echo "HOSTNAME=$host_name" >> /etc/sysconfig/network
hostnamectl set-hostname $host_name
#字符集
echo 'LANG="zh_CN.UTF-8"' > /etc/sysconfig/i18n
source /etc/sysconfig/i18n
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
source /etc/locale.conf
\cp /root/scripts/root /var/spool/cron/root
}
init
2.修改系统参数和系统调优,防火墙规则配置
root禁登
内核调优(最好写好配置文件覆盖分发)
[root@master scripts]# cat sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
#net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_tw_buckets = 6000
[root@master scripts]# cat limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
3.服务部署脚本
[root@master scripts]# cat service.sh
#!/bin/bash
mv /opt/service/* /home/saas/
cp /root/scripts/bash_profile /home/saas/.bash_profile
chown -R saas:saas /home/saas/
#启动Tomcat
if ! grep '/home/saas/apache-tomcat-6.0.45/bin/startup.sh' /etc/rc.local;then echo 'su - saas -c "/home/saas/apache-tomcat-6.0.45/bin/startup.sh"' >> /etc/rc.local;fi
if ! grep 'sh /root/scripts/iptables.sh' /etc/rc.local;then echo 'sh /root/scripts/iptables.sh' >> /etc/rc.local;fi
su - saas -c "/home/saas/apache-tomcat-6.0.45/bin/startup.sh"
sh /root/scripts/iptables.sh
4.计划任务部署
[root@master scripts]# cat root
0 */3 * * * source /etc/profile;for I in $(find /home/saas/apache-tomcat-6.0.45 -size +200M|grep -e '\.txt$\|\.log$\|\.out$');do sh -c " > $I";done
0 */3 * * * source /etc/profile;for I in $(find /home/saas/apache-tomcat-7.0.82 -size +200M|grep -e '\.txt$\|\.log$\|\.out$');do sh -c " > $I";done
0 */3 * * * source /etc/profile;for I in $(find /var/log/ -size +200M|grep -e '\.txt$\|\.log$\|\.out$');do sh -c " > $I";done
5.主机信息列表
[root@master scripts]# cat host_name.txt
192.168.1.232 d-hd-public-zipkin-01
192.168.1.233 d-hd-public-public_service-01
192.168.1.234 master
192.168.1.235 d-hd-public-public_service-02
192.168.1.236 d-hd-public-zookeeper-01
192.168.1.237 d-hd-public-fms-01
192.168.1.238 d-hd-public-fmsfinance-01
192.168.1.239 d-hd-public-edi-01
192.168.1.240 d-hd-public-OA-01
192.168.1.241 d-hd-public-fms_crm-01
192.168.1.242 d-hd-public-fmsinance_air-01
192.168.1.243 d-hd-public-jenkins-01
192.168.1.244 d-hd-public-iboss-01
192.168.1.245 d-hd-public-nginx-01
192.168.1.246 d-hd-public-oracle-01
192.168.1.247 d-hd-public-oracle-01
6.还原脚本
[root@master scripts]# cat rm.sh
#!/bin/bash
pkill java
sed -i s\#'PermitRootLogin no'\#'PermitRootLogin yes'\#g /etc/ssh/sshd_config
systemctl restart sshd
rm /home/saas/ /home/Development/ /var/mail/Development /var/mail/saas -rf ; userdel saas;userdel Development
五、总结
1.需要安装sshpass。
2.仅提供/home/saas/apache-tomcat-6.0.45、/home/saas/apache-tomcat-7.0.82、/var/log/目录下,以.log、.out、.txt文件清理。请规范路径和命名 。
3.118.31.52.28:22为管理机,可以通过ansible批量管理其他机器。
4.这里只是一个简化版的playbook,并且不够规范。
