
ansible基于role 机器初始化脚本案例

Posted: 2018-08-30 19:59:17      Reads: 489      Comments: 0      Favorites: 0


Script directory structure:
[root@scsv01181 initialization_basic_ansible]# cat site.yml

- hosts: test
  roles:
    - install_zabbix_agent
    - install_java1.8
    - check_iptables
    - replace_yumrepo
    - install_check_sshd
    - install_maintainer_tools
    - selinux_stop
    - set_ulimit_maxfiles
    - set_timezone
    - set_kernel_args
    - install_ntp_or_chrony

Directory structure of each role: every role has a tasks/main.yml, and files copied to the remote host live in the role's files directory.

[root@scsv01181 roles]# cat check_iptables/tasks/main.yml

  # Note: on systemd hosts iptables.service only loads rules and leaves no
  # long-running process, so a ps-based check will usually report "0" for it;
  # firewalld does run as a daemon and is detected this way.
  - name: check iptables status
    shell: ps aux |grep iptables|grep -v grep|wc -l
    register: iptables
  - name: if have iptables process to stop it
    shell: systemctl stop iptables
    when: iptables.stdout != "0"
  - name: check firewalld status
    shell: ps aux |grep firewall|grep -v grep|wc -l
    register: firewall
  - name: if have firewall process to stop it
    shell: systemctl stop firewalld
    when: firewall.stdout != "0"
  - name: disable iptables
    shell: systemctl disable iptables
    when: iptables.stdout != "0"    # was firewall.stdout, which tied this task to the firewalld check
  - name: disable firewalld
    shell: systemctl disable firewalld
    when: firewall.stdout != "0"
  - name: print iptables and firewalld info
    debug:
      msg: "iptables and firewalld is not running"
    when: iptables.stdout == "0" and firewall.stdout == "0"

[root@scsv01181 roles]# cat install_check_sshd/tasks/main.yml

  - name: check sshd is or not install
    shell: rpm -qa|grep openssh-server|wc -l warn=False
    register: sshd_count
  - name: print sshd install info
    debug:
      msg: "sshd is not install"
    when: sshd_count.stdout == "0"
  - name: check sshd is or not running
    shell: ps aux |grep /usr/sbin/sshd |grep -v grep|wc -l
    register: ssh_process_count
    when: sshd_count.stdout == "1"
  # When the task above is skipped (sshd not installed), the registered variable
  # has no stdout, so guard with "is defined" instead of failing on an undefined key.
  - name: print sshd is not running
    debug:
      msg: "sshd service is not running"
    when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"
  - name: start sshd service
    service: name=sshd state=started
    when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"
  - name: make sshd service enabled on system start
    service: name=sshd enabled=yes
    when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"    # was ssh_process_count == "0", comparing the whole result dict

[root@scsv01181 roles]# cat install_java1.8/tasks/main.yml

  # "java -version" writes its output to stderr, hence stderr_lines below.
  - name: check the java version
    shell: java -version
    ignore_errors: yes
    register: javaversion
  - debug:
      msg: "{{ javaversion.stderr_lines[0] }}"
  - name: print java version
    debug:
      msg: "java is installed and the version is 1.8"
    when: javaversion.stderr_lines[0].count('1.8') == 1
  - name: find java 1.8 package name
    shell: yum list|grep openjdk.x86_64|grep 1.8|cut -d " " -f1|uniq warn=False
    register: java_version
  - debug:
      msg: "{{ java_version.stdout }}"
  - name: install java 1.8 package
    shell: yum install -y {{ java_version.stdout }}
    when: javaversion.stderr_lines[0].count('1.8') != 1

[root@scsv01181 roles]# cat install_maintainer_tools/tasks/main.yml

  - name: install telnet for system
    yum: state=present name=telnet
  - name: install iftop for system
    yum: state=present name=iftop
  - name: install sysstat for system
    yum: state=present name=sysstat
  - name: install iotop for system
    yum: state=present name=iotop
  - name: install vim for system
    yum: state=present name=vim
  - name: install dstat for system
    yum: state=present name=dstat
  - name: install openssl for system
    yum: state=present name=openssl,openssl-devel

[root@scsv01181 roles]# cat install_ntp_or_chrony/tasks/main.yml

  # Both checks count running processes, not installed packages.
  - name: check ntp is or not running
    shell: ps aux |grep ntp|grep -v grep|wc -l
    register: count_ntp
  - name: check chrony is or not running
    shell: ps aux |grep chrony|grep -v grep|wc -l
    register: count_chrony
  - name: stop chrony
    service: name=chronyd state=stopped    # was "stoped", which the service module rejects
    when: count_chrony.stdout == "1"
  - name: disable chronyd
    service: name=chronyd enabled=no
    when: count_chrony.stdout == "1"

  - name: install ntp client
    yum: state=present name=ntp
    when: count_ntp.stdout != "1"
  - name: copy local ntp config file to remote host
    copy: src=ntp.conf dest=/etc/ntp.conf mode=644 owner=root group=root backup=yes force=yes
    when: count_ntp.stdout != "1"
  - name: start ntp client
    service: name=ntpd state=started
  - name: make the ntp client service enable
    service: name=ntpd enabled=yes

[root@scsv01181 roles]# cat install_zabbix_agent/tasks/main.yml

  # META_DATA and SERVERIP are expected to be defined in the play's variables.
  - name: install zabbix-agent for zabbix-server
    yum: state=present name=zabbix-agent
  - name: make the zabbix-agent enable
    shell: systemctl enable zabbix-agent
  - name: copy base zabbix-agent configuration file
    copy: src=zabbix_agentd.conf dest=/etc/zabbix/zabbix_agentd.conf mode=644 owner=root group=root backup=yes force=yes
  - name: get hostname in upper case
    shell: echo {{ ansible_hostname }}|tr 'a-z' 'A-Z'
    register: hostname
  - debug:
      msg: "{{ hostname.stdout }}"
  - name: configuration zabbix-agent file hostname
    lineinfile:
      dest: /etc/zabbix/zabbix_agentd.conf
      regexp: '^Hostname='
      line: 'Hostname={{ hostname.stdout }}'
  - name: configuration zabbix-agent file hostmetadata
    lineinfile:
      dest: /etc/zabbix/zabbix_agentd.conf
      regexp: '^HostMetadata='
      line: 'HostMetadata={{ META_DATA }}'
  - name: start zabbix-agent
    service: name=zabbix-agent state=started
  - debug:
      msg: "now zabbix-agent is running and configuration complete"
  # The agent is already running at this point, so the Server/ServerActive
  # values below only take effect after the agent is restarted.
  - name: configuration zabbix-agent server address
    lineinfile:
      dest: /etc/zabbix/zabbix_agentd.conf
      regexp: '^Server='
      line: 'Server={{ SERVERIP }}'
  - name: configuration zabbix-agent server active address
    lineinfile:
      dest: /etc/zabbix/zabbix_agentd.conf
      regexp: '^ServerActive='
      line: 'ServerActive={{ SERVERIP }}'

[root@scsv01181 roles]# cat replace_yumrepo/tasks/main.yml

  - name: copy current local yum repo to remote host
    copy: src=SAIC-CentOS.repo dest=/etc/yum.repos.d/ mode=644 owner=root group=root backup=yes force=yes
  - name: clean yum repo
    shell: yum clean all warn=False
  - name: yum makecache
    shell: yum makecache warn=False

[root@scsv01181 roles]# cat selinux_stop/tasks/main.yml

  - name: configuration SELINUX for system
    lineinfile:
      dest: /etc/selinux/config
      regexp: '^SELINUX='
      line: 'SELINUX=disabled'
  - name: get the status of selinux
    shell: getenforce
    register: selinux_num
  # getenforce prints Enforcing, Permissive or Disabled, never "1", so the
  # original condition (== "1") could never be true and setenforce 0 never ran.
  - name: temporary change for system
    shell: setenforce 0
    when: selinux_num.stdout == "Enforcing"

[root@scsv01181 roles]# cat set_kernel_args/tasks/main.yml

  # lineinfile replaces the last line matching regexp, or appends when nothing
  # matches. The original used regexp '^$', which matches a blank line: each run
  # overwrote a blank line and appended a duplicate once no blank line was left.
  # Anchoring the regexp on the key makes every task idempotent.
  - name: 开启SYN Cookies
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_syncookies\s*='
      line: 'net.ipv4.tcp_syncookies = 1'

  - name: TIME-WAIT sockets重新用于新的TCP连接
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_tw_reuse\s*='
      line: 'net.ipv4.tcp_tw_reuse = 1'

  # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
  # on such kernels "sysctl -p" fails on this key.
  - name: 开启TCP连接中TIME-WAIT sockets的快速回收
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_tw_recycle\s*='
      line: 'net.ipv4.tcp_tw_recycle = 1'

  - name: 当keepalive起用的时候,TCP发送keepalive消息的频度
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_keepalive_time\s*='
      line: 'net.ipv4.tcp_keepalive_time = 600'

  - name: SYN队列长度
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_max_syn_backlog\s*='
      line: 'net.ipv4.tcp_max_syn_backlog = 16384'

  - name: 表示系统同时保持TIME_WAIT套接字的最大数量
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_max_tw_buckets\s*='
      line: 'net.ipv4.tcp_max_tw_buckets = 36000'

  - name: 设定 Linux 核心在回应 SYN 要求时会尝试多少次重新发送初始 SYN,ACK 封包后才决定放弃
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_synack_retries\s*='
      line: 'net.ipv4.tcp_synack_retries = 3'

  - name: 套接字由本端要求关闭的保持时间
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.tcp_fin_timeout\s*='
      line: 'net.ipv4.tcp_fin_timeout = 10'

  - name: 禁止IP转发
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.ip_forward\s*='
      line: 'net.ipv4.ip_forward = 0'

  - name: 禁止发送ICMP重定向
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.conf\.all\.send_redirects\s*='
      line: 'net.ipv4.conf.all.send_redirects = 0'

  - name: 禁止发送ICMP重定向,默认定向目录关闭
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.conf\.default\.send_redirects\s*='
      line: 'net.ipv4.conf.default.send_redirects = 0'

  - name: 记录可疑的包源地址
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.conf\.all\.log_martians\s*='
      line: 'net.ipv4.conf.all.log_martians = 1'

  - name: 记录可疑的包源地址,默认地址
    lineinfile:
      dest: /etc/sysctl.conf
      regexp: '^net\.ipv4\.conf\.default\.log_martians\s*='
      line: 'net.ipv4.conf.default.log_martians = 1'

  - name: make the change effective
    shell: sysctl -p

[root@scsv01181 roles]# cat set_timezone/tasks/main.yml

  - name: set the time local
    shell: timedatectl set-timezone Asia/Shanghai warn=False

[root@scsv01181 roles]# cat set_ulimit_maxfiles/tasks/main.yml

  # As in set_kernel_args, the regexp is anchored on the entry itself rather
  # than on a blank line ('^$'), so re-running the role does not add duplicates.
  - name: configuration ulimit soft max files for system
    lineinfile:
      dest: /etc/security/limits.conf
      regexp: '^\*\s+soft\s+nofile'
      line: '* soft nofile 65536'
  - name: configuration ulimit hard max files for system
    lineinfile:
      dest: /etc/security/limits.conf
      regexp: '^\*\s+hard\s+nofile'
      line: '* hard nofile 65536'
  # ulimit only changes the shell Ansible spawns for this task; existing
  # sessions keep their old limit and new logins read limits.conf.
  - name: temporary configuration ulimit max files
    shell: ulimit -n 65536
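The set_kernel_args and set_ulimit_maxfiles roles both rely on lineinfile, which replaces the last line matching regexp and otherwise appends; anchoring that regexp on the key rather than on a blank line is what makes a re-run change nothing. As an added example that is not part of the original post, the Python below reproduces that edit rule on a constructed sysctl.conf and reports drift between the file and the role's desired values (the sample file and the four-key subset are assumptions, not taken from the post).

```python
import re

# Constructed sample of /etc/sysctl.conf: a comment, a key already present with
# a value the role must override, and a blank line that regexp '^$' would clobber.
SAMPLE_SYSCTL_CONF = """# System default settings live in /usr/lib/sysctl.d/
net.ipv4.ip_forward = 1

net.ipv4.tcp_syncookies = 0
"""

# Subset of the values written by set_kernel_args, key -> desired value.
KERNEL_ARGS = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
}


def set_line(text, key, value):
    """Mimic lineinfile with regexp '^<key>\\s*=': replace the last line that
    sets the key, otherwise append. Applying it twice yields the same text."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    lines = text.splitlines()
    hits = [i for i, ln in enumerate(lines) if pattern.match(ln)]
    new_line = f"{key} = {value}"
    if hits:
        lines[hits[-1]] = new_line
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def apply_settings(text, settings):
    """Apply every desired key/value in order, as the role's tasks do."""
    for key, value in settings.items():
        text = set_line(text, key, value)
    return text


def parse_conf(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    conf = {}
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()
        if "=" in ln:
            key, value = ln.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def drift(text, settings):
    """Desired keys that are missing (None) or hold a different value in the file."""
    have = parse_conf(text)
    return {k: have.get(k) for k, v in settings.items() if have.get(k) != v}
```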

All files referenced by the copy tasks are placed directly in the files directory of the role that uses them; that directory is the root for the src paths.

Original source: http://blog.51cto.com/13945009/2166411