# Ansible 项目实战 (六)

# 1. Ansible 管理集群架构

# 1. 服务器地址规划
| 角色 | 主机名称 | 外网地址 | 内网地址 |
|---|---|---|---|
| routes | route | eth0:192.168.40.200 | eth1:172.16.1.200 |
| lbservers | lb01 | / | eth1:172.16.1.3/VIP:172.16.1.100 |
| lbservers | lb02 | / | eth1:172.16.1.4/VIP:172.16.1.100 |
| proxyservers | proxy01 | / | eth1:172.16.1.5 gateway:172.16.1.200 |
| proxyservers | proxy02 | / | eth1:172.16.1.6 gateway:172.16.1.200 |
| webservers | web01 | / | eth1:172.16.1.7 gateway:172.16.1.200 |
| webservers | web02 | / | eth1:172.16.1.8 gateway:172.16.1.200 |
| webservers | web03 | / | eth1:172.16.1.9 gateway:172.16.1.200 |
| dbservers | db01 | / | eth1:172.16.1.51 gateway:172.16.1.200 |
| redisservers | redis | / | eth1:172.16.1.41 gateway:172.16.1.200 |
| nfsservers | nfs | / | eth1:172.16.1.32 gateway:172.16.1.200 |
| backupservers | backup | / | eth1:172.16.1.31 gateway:172.16.1.200 |
| dnsservers | dns-master | 192.168.40.91 | gateway:172.16.1.200 eth1:172.16.1.91 |
| dnsservers | dns-slave | 192.168.40.92 | gateway:172.16.1.200 eth1:172.16.1.92 |
# 2. 基础环境准备

1.Ansible 安装

#1. 下载 epel 源
[root@manager ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@manager ~]# yum install ansible redis -y
[root@manager ~]# systemctl start redis && systemctl enable redis
#2. 查看版本
[root@manager ~]# ansible --version
#3. 安装 Python3 配置缓存 facts 变量
[root@manager ~]# yum install openssl-devel bzip2-devel expat-devel gdbm-devel readline-devel \
sqlite-devel gcc gcc-c++ openssl-devel zlib zlib-devel python3 python3-devel -y
[root@manager ~]# pip3 install -i https://mirrors.aliyun.com/pypi/simple/ --upgrade pip
[root@manager roles]# pip3 install redis==2.10.6

2.Ansible 配置

[root@manager ~]# cd /etc/ansible/roles/
[root@manager roles]# cp /etc/ansible/ansible.cfg ./
[root@manager roles]# cp /etc/ansible/hosts ./
#Ansible 配置内容
[root@manager roles]# vim /etc/ansible/roles/ansible.cfg
...
[defaults]
inventory      = ./hosts
# NOTE(review): turns off SSH host-key verification for every managed host, so a
# machine answering on a 172.16.1.x address is trusted without any check. Useful
# for the first bootstrap run only; afterwards drop it and keep known_hosts.
host_key_checking = False
forks          = 50
gathering = smart
fact_caching = redis
fact_caching_timeout = 86400
# Facts are cached in the redis instance installed on the control node; with the
# package defaults that instance presumably has no AUTH configured, so cached
# facts are readable by anything that can reach localhost:6379 — confirm.
fact_caching_connection = localhost:6379
...

3. 主机清单文件

[root@manager roles]# cat hosts 
[dnsservers]
172.16.1.91
172.16.1.92
[routes]
172.16.1.200
[lbservers]
172.16.1.3
172.16.1.4
[proxyservers]
172.16.1.5
172.16.1.6
[webservers]
172.16.1.7
172.16.1.8 
172.16.1.9
[dbservers]
172.16.1.51
[redisservers]
172.16.1.41
[nfsservers]
172.16.1.32
[backupservers]
172.16.1.31

4. 配置免密登录

#1. 免密登录脚本
[root@manager ~]# mkdir /scripts
[root@manager ~]# cat login.sh 
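#!/bin/bash
#Description: push the control node's public key to every host listed in
#  ${work_dir}/hosts.txt ("<ip> <password>" per line) so that later ansible
#  runs need no password, even when the hosts' root passwords differ.
#Caveats: hosts.txt holds the root passwords in clear text — keep it 0600 and
#  remove it once every host accepts the key. The password is handed to expect
#  through the environment rather than on a command line, so it does not show
#  up in `ps` output or in a `set -x` trace.
#**************************************************************
set -u
work_dir=/scripts
pub_file=/root/.ssh/id_rsa.pub

# Output is discarded on purpose; the explicit check below reports a missing
# expect instead of letting the loop fail later with a confusing error.
yum install expect -y &> /dev/null
if ! command -v expect > /dev/null 2>&1; then
  echo "login.sh: expect is not installed" >&2
  exit 1
fi

# function_upssh <ip> <password>
#   Runs ssh-copy-id against root@<ip>, answering the host-key and password
#   prompts. Returns the exit status of ssh-copy-id.
function_upssh()
{
  TARGET_IP="$1" PASSWD="$2" PUB_FILE="${pub_file}" expect -c '
    set timeout 30
    spawn ssh-copy-id -i $env(PUB_FILE) root@$env(TARGET_IP)
    expect {
      "*yes/no*"   {send "yes\r"; exp_continue}
      "*password*" {send "$env(PASSWD)\r"; exp_continue}
      eof
    }
    catch wait result
    exit [lindex $result 3]'
}

[ -f "${pub_file}" ] || ssh-keygen -t rsa -P '' -f /root/.ssh/id_rsa

# Read "<ip> <password>" pairs directly instead of re-scanning the file with
# awk for every host; blank lines and #-comments are skipped. Quoting keeps
# passwords containing glob characters intact.
while read -r Ip Passwd _; do
  [ -n "${Ip}" ] || continue
  case "${Ip}" in '#'*) continue ;; esac
  if ! function_upssh "${Ip}" "${Passwd}"; then
    echo "login.sh: ssh-copy-id to ${Ip} failed" >&2
  fi
done < "${work_dir}/hosts.txt"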
#2. 主机密码文件
[root@manager ~]# cat hosts.txt 
172.16.1.91 talent
172.16.1.92 talent
172.16.1.200 talent
172.16.1.3 talent
172.16.1.4 talent
172.16.1.5 talent
172.16.1.6 talent
172.16.1.7 talent
172.16.1.8 talent
172.16.1.9 talent
172.16.1.51 talent
172.16.1.41 talent
172.16.1.32 talent
172.16.1.31 talent
#3. 执行脚本实现免密登录
[root@manager scripts]# sh login.sh

5. 测试连通性

[root@manager ~]# ansible all -m ping

6.roles 变量目录及文件

[root@manager roles]# mkdir group_vars
[root@manager roles]# touch group_vars/all
# 3. 网络配置初始化
#1. 网络配置初始化
[root@manager roles]# cat network_init.yml 
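# Resets the eth1 gateway and DNS entries on every host except the dns servers
# and the router, then restarts networking. The last task bounces the interface
# the ansible SSH session itself uses (the inventory lists the 172.16.1.x
# addresses), so the play may report the host unreachable there — confirm.
- hosts: all:!dnsservers:!routes
  tasks:
    - name: debug
      debug:
        msg: "test"
    - name: Delete Gateway
      lineinfile:
        path: /etc/sysconfig/network-scripts/ifcfg-eth1
        regexp: '^GATEWAY='
        state: absent
    # '^DNS*' matched "DN" followed by any run of "S" — i.e. every line that
    # starts with DN — rather than the DNS1=/DNS2= keys this task means to drop.
    - name: Delete DNS
      lineinfile:
        path: /etc/sysconfig/network-scripts/ifcfg-eth1
        regexp: '^DNS[0-9]*='
        state: absent
    - name: Add  DNS
      lineinfile:
        path: /etc/sysconfig/network-scripts/ifcfg-eth1
        line: "DNS1=223.5.5.5"
    - name: Add Gateway
      lineinfile:
        path: /etc/sysconfig/network-scripts/ifcfg-eth1
        line: "GATEWAY=172.16.1.200"
    - name: Restart Network
      systemd:
        name: network
        state: restarted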
  
#2. 执行 playbook  
[root@manager roles]# ansible-playbook network_init.yml

# 2. Ansible 基础模块

当我们的服务器上架并安装好操作系统后,都会有一些基础的操作,建议将所有服务器都会涉及的基础配置存放在名为 base 的 roles 下。我们称其为 “初始化模块”。

  • 关闭防火墙 Firewalld Selinux
  • 创建统一用户 www,uid 为 666,gid 为 666
  • 添加 base epel 仓库
  • 特定主机需要添加特定的仓库源 nginx php mysql zabbix elk
  • 安装基础软件包 rsync tree unzip vim wget lrzsz 等
  • 内核升级、内核参数调整、文件描述符调整
# 2.1 创建 Roles 目录结构
[root@manager roles]# mkdir base/{vars,tasks,templates,handlers,files} -p
[root@manager roles]# cd base/tasks/
# 2.2 关闭防火墙管理
[root@manager tasks]# cat firewall.yml 
# Turns off SELinux and firewalld on every host the base role touches, so no
# host-level filtering remains; the per-service settings in the later roles
# (nfs export list, mysql host pattern, php-fpm listen.allowed_clients) become
# the only access control on the cluster.
- name: Disable Selinux Firewall
  selinux:
    state: disabled   # written to /etc/selinux/config; the running kernel keeps its mode until reboot
- name: Disable Firewalld
  systemd:
    name: firewalld
    state: stopped
    enabled: no
# 2.3 创建进程用户
[root@manager tasks]# cat user.yml 
# Creates the shared service account used by nfs, nginx and php-fpm.
# The "" values are Jinja expressions that this page's renderer stripped —
# presumably the all_group / all_gid / all_user / all_uid variables defined in
# group_vars/all; confirm against the original file.
- name: Create Group User
  group:
    name: ""
    gid: ""
- name: Create User 
  user:
    name: ""
    uid: ""
    group: ""
    create_home: no
    shell: /sbin/nologin   # service account only: no interactive login
# 2.4 配置 YUM 仓库
[root@manager tasks]# cat yum_repository.yml
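- name: Add Base Yum Repository
  ansible.builtin.get_url:
    url: "https://mirrors.aliyun.com/repo/Centos-7.repo"
    dest: "/etc/yum.repos.d/Centos-7.repo"
    mode: '0644'

- name: Add Epel Yum Repository
  ansible.builtin.get_url:
    url: "https://mirrors.aliyun.com/repo/epel-7.repo"
    dest: "/etc/yum.repos.d/epel.repo"
    mode: '0644'
# Verify nginx.org packages against the vendor signing key instead of trusting
# whatever the mirror serves; same shape as the mysql-server role (rpm_key +
# gpgkey + gpgcheck).
- name: Import Nginx GPG key
  rpm_key:
    key: https://nginx.org/keys/nginx_signing.key
    state: present
- name: Add Nginx Yum Repository
  yum_repository:
    name: nginx
    description: Nginx Repository
    baseurl: https://nginx.org/packages/centos/7/$basearch/
    gpgkey: https://nginx.org/keys/nginx_signing.key
    gpgcheck: yes
- name: Add PHP Yum Repository
  yum_repository:
    name: php71w
    description: php Repository
    baseurl: http://us-east.repo.webtatic.com/yum/el7/x86_64/
    # Left unverified because no signing key for this repo is given on this
    # page: packages fetched over plain http are installed as served.
    # TODO(review): add the repo's gpgkey (or mirror it internally) and set
    # gpgcheck: yes.
    gpgcheck: no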
# 2.5 安装基础软件包
[root@manager tasks]# cat yum_pkg.yml 
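# Base package set for every host. The yum module accepts the list directly:
# one transaction instead of one per item, and none of the per-item loop
# warnings the module emits. nfs-utils was listed twice in the original loop.
- name: Installed Packages All
  yum:
    name:
      - rsync
      - nfs-utils
      - net-tools
      - bind-utils
      - wget
      - tree
      - lrzsz
      - vim
      - unzip
      - httpd-tools
      - bash-completion
      - iotop
      - gzip
      - psmisc
      - yum-utils
      - telnet
      - jq
      - git
      - ntpdate
      - dos2unix
      - lvm2
      - device-mapper-persistent-data
      - MySQL-python
      - iftop
      - glances
    state: present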
# 2.6 调整文件描述符
[root@manager tasks]# cat limits.yml 
# Raises the open-file limit for every user (domain "*"), soft and hard.
# The "" values are Jinja expressions stripped by this page's renderer —
# presumably item.limit_type / item.limit_item / item.value from the loop
# below; confirm against the original file.
- name: Change Limit /etc/security/limit.conf
  pam_limits:
    domain: "*"
    limit_type: ""
    limit_item: ""
    value: ""
  loop:
    - { limit_type: 'soft', limit_item: 'nofile',value: '100000' }
    - { limit_type: 'hard', limit_item: 'nofile',value: '100000' }
# 2.7 配置内核参数
[root@manager tasks]# cat kernel.yml 
# Kernel tuning applied by the base role to every host. sysctl_set: yes applies
# the value to the running kernel as well as persisting it.
- name: Change Port Range
  sysctl:
    name: net.ipv4.ip_local_port_range
    value: '1024 65000'
    sysctl_set: yes
# NOTE(review): forwarding is only needed on the `routes` host (172.16.1.200 is
# everyone else's gateway); enabled on the web/db/nfs hosts it lets those boxes
# relay packets between networks they should not. A condition such as
# `when: "'routes' in group_names"` would limit it.
- name: Enabled Forward
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes
- name: Enabled tcp_reuse
  sysctl:
    name: net.ipv4.tcp_tw_reuse
    value: '1'
    sysctl_set: yes
- name: Chanage tcp tw_buckets
  sysctl:
    name: net.ipv4.tcp_max_tw_buckets
    value: '5000'
    sysctl_set: yes
- name: Chanage tcp_syncookies
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: '1'
    sysctl_set: yes
- name: Chanage tcp max_syn_backlog
  sysctl:
    name: net.ipv4.tcp_max_syn_backlog
    value: '8192'
    sysctl_set: yes
- name: Chanage tcp Established Maxconn
  sysctl:
    name: net.core.somaxconn
    value: '32768'
    sysctl_set: yes
    state: present
- name: Chanage tcp_syn_retries
  sysctl:
    name: net.ipv4.tcp_syn_retries
    value: '2'
    sysctl_set: yes
    state: present
- name: Chanage net.ipv4.tcp_synack_retries
  sysctl:
    name: net.ipv4.tcp_synack_retries
    value: '2'
    sysctl_set: yes
    state: present
# 2.8 配置时间同步
[root@manager tasks]# cat rsyn_time.yml 
# Steps the clock every five minutes from a public NTP server via cron.
# ntpdate jumps the clock rather than slewing it; a chronyd/ntpd client would
# keep time continuously and is what the time-sensitive parts of the stack
# (VRRP adverts, MySQL replication if added later) prefer — consider it.
- name: Rsync Host Time
  cron:
    name: Rsync Host Time
    minute: '*/5'
    job: /usr/sbin/ntpdate ntp1.aliyun.com &> /dev/null
# 2.9 配置入口文件
[root@manager tasks]# cat main.yml 
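# Entry point of the base role; the task files run in this order on every host.
# `import_tasks` replaces the deprecated bare `include` — for plain task files
# like these the behaviour is the same (static import at parse time).
- name: Firewalld
  import_tasks: firewall.yml
- name: Kernel Parameters
  import_tasks: kernel.yml
- name: limits
  import_tasks: limits.yml
- name: user
  import_tasks: user.yml
- name: yum_repository
  import_tasks: yum_repository.yml
- name: yum packages
  import_tasks: yum_pkg.yml
- name: rsyn time
  import_tasks: rsyn_time.yml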
# 2.10 配置变量参数
[root@manager roles]# cat group_vars/all 
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# 2.11 整体模块测试
#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── hosts
└── network_init.yml
#2. 执行 base roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
[root@manager roles]# ansible-playbook top.yml -t base

# 3. Ansible 应用模块

# 3.1 NFS 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir nfs-server/{vars,tasks,templates,handlers,files} -p
[root@manager roles]# cd nfs-server/

2. 准备 nfs 配置文件 templates/expots.j2

[root@manager nfs-server]# cat templates/expots.j2 
<!--swig9--> <!--swig10-->(rw,all_squash,anonuid=<!--swig11-->,anongid=<!--swig12-->) 
<!--swig13--> <!--swig14-->(rw,all_squash,anonuid=<!--swig15-->,anongid=<!--swig16-->)

3. 准备 nfs 角色的 tasks 任务

[root@manager nfs-server]# cat tasks/main.yml 
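# Renders /etc/exports from the template, creates the exported directories and
# starts nfs. The "" values below are Jinja expressions that this page's
# renderer stripped — presumably the nfs_share_* and all_user / all_group
# variables from group_vars/all; confirm against the original file.
- name: Configre NFS Server
  template:
    src: expots.j2
    dest: /etc/exports
    owner: root
    group: root
    mode: '0644'
  notify: Restart NFS Server
- name: Create NFS dir
  file:
    path: ""
    state: directory
    owner: ""
    group: ""
    mode: '0755'
    recurse: yes
  loop:
    - ""
    - ""
- name: Start NFS Server
  systemd:
    name: nfs
    state: started
    # Every other service role enables its unit; without this the export
    # disappears after the first reboot of the nfs host.
    enabled: yes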

4. 准备 nfs 角色的 handlers

[root@manager nfs-server]# cat handlers/main.yml 
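# Indentation fixed: `systemd:` sat one column under `name:`, which YAML does
# not accept as a sibling key of the task (the handler file failed to parse).
- name: Restart NFS Server
  systemd:
    name: nfs
    state: restarted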

5. 配置变量参数

[root@manager roles]# cat group_vars/all 
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24

6. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── hosts
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
└── top.yml
#2. 执行 nfs roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
[root@manager roles]# ansible-playbook top.yml -t nfs
#3. 验证测试
[root@manager roles]# showmount -e 172.16.1.32
Export list for 172.16.1.32:
/data/zrlog 172.16.1.0/24
/data/blog  172.16.1.0/24
# 3.2 MySQL 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir mysql-server/{vars,tasks,templates,handlers,files} -p

2. 准备 MySQL 角色的 tasks 任务

[root@manager roles]# cat mysql-server/tasks/main.yml 
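# 1. Configure the YUM repository (signed; the key is imported in step 2)
- name: Add MySQL <!--swig22--> Yum Repository
  yum_repository:
    name: mysql-community
    description: MySQL <!--swig23--> Community Server
    baseurl: https://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/
    gpgkey: https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
    gpgcheck: yes
    enabled: yes
    sslverify: yes
# 2. Import the MySQL signing key
- name: Import MySQL GPG key
  rpm_key:
    key: https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
    state: present
# 3. Install MySQL Server
- name: Installed MySQL Server <!--swig24-->
  yum:
    name: "mysql-community-server"
    state: present
# 4. Start and enable at boot
- name: Start MySQL Server
  service:
    name: mysqld
    state: started
    enabled: yes
# 5. Read the generated temporary root password.
#    no_log keeps the registered stdout (the password itself) out of the play
#    output and any log file.
- name: Get MySQL Init Passwd
  shell: grep 'temporary password' /var/log/mysqld.log | awk '{print $NF}'
  register: mysql_temp_password
  changed_when: false
  no_log: true
# 6. Change the root password (mandatory on first login).
#    The '' placeholders are the temporary and new root passwords, stripped by
#    this page's renderer. Both are interpolated into a command line: no_log
#    stops ansible from printing the rendered command, but it is still visible
#    to `ps` on the db host for the moment mysql runs.
#    ignore_errors tolerates an already-changed temporary password; a typo in
#    the new password therefore surfaces only as a login failure in step 7.
- name: Change MySQL Root Passwd
  shell: |
    mysql -u root -p'' --connect-expired-password \
    -e "ALTER USER 'root'@'localhost' IDENTIFIED BY ''; flush privileges;"
  ignore_errors: yes
  no_log: true
# 7. Remove the anonymous accounts
- name: Removes all anonymous user accounts
  mysql_user:
    login_user: root
    login_password: ""
    name: ''
    host_all: yes
    state: absent
  no_log: true
# 8. Create the application user
- name: Create Super User <!--swig28-->
  mysql_user:
    name: ""
    host: ""  # allows all IPs (a specific range such as 192.168.1.% can be given instead)
    password: ""
    priv: ""
    state: present
    login_user: root
    login_password: ""
  when: mysql_root_password is defined
  no_log: true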

3. 配置变量参数

[root@manager roles]# cat group_vars/all 
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24
# mysql
# NOTE(review): mysql_super_pass and mysql_root_password sit in clear text in a
# file kept next to the playbooks; encrypt them with `ansible-vault
# encrypt_string` (or move them to a vaulted group_vars file) so anyone who can
# read /etc/ansible/roles does not also hold the database root password.
mysql_super_user: app
mysql_super_pass: Superman*2025
# '*.*:ALL' gives the application account every privilege on every schema;
# scoping it to the application's own database (e.g. 'blog.*:ALL' — a
# constructed example) is the least-privilege shape mysql_user's priv accepts.
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '172.16.1.%'
mysql_server_ip: 172.16.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"

4. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── hosts
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
└── top.yml
#2. 执行 mysql roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs-server
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
[root@manager roles]# ansible-playbook top.yml -t mysql
# 3.3 Redis 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir redis/{tasks,templates,handlers,files} -p

2. 准备 redis 角色的 tasks 任务

[root@manager roles]# cat redis/tasks/main.yml 
# Installs redis from the distribution repo, renders /etc/redis.conf and starts
# the service. The config is owned by redis:root with mode 0640 so only the
# daemon (and root) can read it — the right shape if a requirepass is ever
# added to the template.
- name: Installed Redis Server
  yum:
    name: redis
    state: present
- name: Configure Redis Server
  template:
    src: redis.conf.j2
    dest: /etc/redis.conf
    owner: redis
    group: root
    mode: '0640'
  notify: Restart Redis Server
- name: Start Redis Server
  systemd:
    name: redis
    state: started
    enabled: yes

3. 准备 redis 角色的配置文件 redis.conf.j2

[root@manager roles]# cat redis/templates/redis.conf.j2 
...
# NOTE(review): the second address (stripped by this page's renderer,
# presumably the eth1 address) exposes redis to the internal network so the
# php-fpm hosts can use it as the session store. No requirepass is shown in
# this excerpt; without one every host on 172.16.1.0/24 can read and write
# the session data — confirm the full template.
bind 127.0.0.1 <!--swig34-->
...

4. 准备 redis 角色的 handlers

[root@manager roles]# cat redis/handlers/main.yml 
- name: Restart Redis Server
  systemd:
    name: redis
    state: restarted

5. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── hosts
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 redis roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
[root@manager roles]# ansible-playbook top.yml -t redis
# 3.4 Nginx 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir nginx/{tasks,templates,handlers,files} -p

2. 准备 nginx 角色的 tasks 任务

[root@manager roles]# cat nginx/tasks/main.yml 
# Installs nginx from the nginx repo added by the base role, renders the main
# config and starts the service. The "" dest is a Jinja expression stripped by
# this page's renderer — presumably nginx_conf_path from group_vars/all;
# confirm against the original file.
- name: Install Nginx Server
  yum:
    name: nginx
    enablerepo: nginx
    state: present
- name: Configure Nginx nginx.conf
  template:
    src: nginx.conf.j2
    dest: ""
  notify: Restart Nginx Server
- name: Start Nginx Server
  systemd:
    name: nginx 
    state: started
    enabled: yes

3. 准备 nginx 角色配置文件 nginx.conf.j2

[root@manager roles]# cat nginx/templates/nginx.conf.j2 
user <!--swig36-->;
worker_processes  <!--swig37-->;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
    worker_connections  <!--swig38-->;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$http_x_via"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    include <!--swig39-->;
}

4. 准备 nginx 角色的 handlers

[root@manager roles]# cat nginx/handlers/main.yml 
- name: Restart Nginx Server
  systemd:
    name: nginx
    state: restarted

5. 配置变量参数

[root@manager roles]# cat group_vars/all 
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
# NOTE(review): this listing uses 192.168.1.x for nfs_allow_ip, mysql_allow_ip
# and mysql_server_ip, while the address plan and every other group_vars
# listing in this document use 172.16.1.x. With these values the nfs export
# and the mysql grant would not match any host in the inventory.
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 192.168.1.0/24
# mysql
mysql_super_user: app
mysql_super_pass: Superman*2025
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '192.168.1.%'
mysql_server_ip: 192.168.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"
# nginx
nginx_conf_path: /etc/nginx/nginx.conf
nginx_include_dir: /etc/nginx/conf.d
nginx_include_path: /etc/nginx/conf.d/*.conf

6. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── hosts
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 nginx roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
[root@manager roles]# ansible-playbook top.yml -t nginx
# 3.5 PHP 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir php-fpm/{tasks,templates,handlers,files} -p

2. 准备 php-fpm 角色的 tasks 任务

[root@manager roles]# cat php-fpm/tasks/main.yml
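# Installs the php71w stack, renders php.ini and the www pool, starts php-fpm.
# The yum module takes the whole package list in one call: a single transaction
# instead of sixteen, and none of the per-item loop warnings the module emits.
- name: Installed PHP-FPM Server
  yum:
    name:
      - php71w
      - php71w-cli
      - php71w-common
      - php71w-devel
      - php71w-embedded
      - php71w-gd
      - php71w-mcrypt
      - php71w-mbstring
      - php71w-pdo
      - php71w-xml
      - php71w-fpm
      - php71w-mysqlnd
      - php71w-opcache
      - php71w-pecl-memcached
      - php71w-pecl-redis
      - php71w-pecl-mongodb
    enablerepo: php71w
    state: present
# The "" values are Jinja expressions stripped by this page's renderer —
# presumably "{{ item.src }}" / "{{ item.dest }}" and the php_ini_path /
# php_fpm_path variables from group_vars/all; confirm against the original file.
- name: Configure PHP php.ini php-fpm
  template:
    src: ""
    dest: ""
  loop:
    - {src: php.ini.j2 , dest: "" }
    - { src: fpm-www.conf.j2 ,dest: "" }
  notify: Restart PHP Server
- name: Start PHP-FPM Server
  systemd:
    name: php-fpm
    state: started
    enabled: yes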

3. 准备 php-fpm 角色配置文件 fpm-www.conf.j2

[root@manager roles]# cat php-fpm/templates/fpm-www.conf.j2 
[www]
user = <!--swig45-->
group = <!--swig46-->
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = <!--swig47-->
pm.start_servers = <!--swig48-->
pm.min_spare_servers = <!--swig49-->
pm.max_spare_servers = <!--swig50-->
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

4. 准备 php-fpm 角色的 templates 配置文件 php.ini.j2

[root@manager roles]# cat php-fpm/templates/php.ini.j2 
...
session.save_handler = <!--swig51-->
session.save_path = ""
...

5. 准备 php-fpm 角色的 handlers

[root@manager roles]# cat php-fpm/handlers/main.yml 
- name: Restart PHP Server
  systemd:
    name: php-fpm
    state: restarted

6. 配置变量参数

[root@manager roles]# cat group_vars/all 
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24
# mysql
mysql_super_user: app
mysql_super_pass: Superman*2025
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '172.16.1.%'
mysql_server_ip: 172.16.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"
# nginx
nginx_conf_path: /etc/nginx/nginx.conf
nginx_include_dir: /etc/nginx/conf.d
nginx_include_path: /etc/nginx/conf.d/*.conf
# php-fpm
php_ini_path: /etc/php.ini
php_fpm_path: /etc/php-fpm.d/www.conf
session_method: redis
session_redis_path: "tcp://172.16.1.41:6379?weight=1&timeout=2.5"
fpm_max_process: 200
fpm_start_process: 20
fpm_min_spare_servers: 10
fpm_max_spare_servers: 50

7. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── hosts
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 php-fpm roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm    
[root@manager roles]# ansible-playbook top.yml -t php-fpm
# 3.6 Haproxy 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir haproxy/{tasks,templates,handlers,files} -p

2. 准备 haproxy 角色的 tasks 任务

[root@manager roles]# cat haproxy/tasks/main.yml 
# Installs haproxy 2.2 from RPMs shipped in the role's files/ directory, renders
# the config, patches the systemd unit to load a conf.d directory and starts it.
# NOTE(review): nothing here verifies the tarball or the RPMs before they are
# installed — unarchive has no checksum, and yum only signature-checks local
# .rpm paths when localpkg_gpgcheck is set. Record the expected checksum of
# haproxy22.rpm.tar.gz (placeholder: <SHA256-OF-TARBALL>) and compare it, or
# publish the RPMs through a signed internal repo instead.
- name: Unarchive /tmp Directory
  unarchive:
    src: haproxy22.rpm.tar.gz
    dest: /tmp
    creates: /tmp/haproxy
# The "" name is a Jinja expression stripped by this page's renderer —
# presumably "{{ pack }}" from the task-level vars below; confirm.
- name: Installed Haproxy
  yum:
    name: ""
  vars:
    pack:
      - /tmp/haproxy/haproxy22-2.2.9-3.el7.ius.x86_64.rpm
      - /tmp/haproxy/lua53u-5.3.4-1.ius.el7.x86_64.rpm
      - /tmp/haproxy/lua53u-devel-5.3.4-1.ius.el7.x86_64.rpm
      - /tmp/haproxy/lua53u-libs-5.3.4-1.ius.el7.x86_64.rpm
      - /tmp/haproxy/lua53u-static-5.3.4-1.ius.el7.x86_64.rpm
    remote_src: no
- name: Configure Haproxy Server
  template:
    src: haproxy.cfg.j2
    dest: /etc/haproxy/haproxy.cfg
  notify: Restart Haproxy Server
- name: Create Haproxy Include Dir
  file:
    path: ""
    state: directory
# The three lineinfile tasks edit the vendor unit under /usr/lib/systemd; an
# rpm upgrade of haproxy replaces that file and silently drops the conf.d
# setup. A drop-in under /etc/systemd/system/haproxy.service.d/ survives
# upgrades and is the conventional place for these overrides.
# The "" inside CONFIG_D is a stripped Jinja expression — presumably
# haproxy_include_path from group_vars/all; confirm.
- name: Change Service Configure Add
  lineinfile:
    path: /usr/lib/systemd/system/haproxy.service
    insertafter: '^\[Service\]'
    line: 'Environment="CONFIG_D="'
- name: Change Service Configure ExecStart
  lineinfile:
    path: /usr/lib/systemd/system/haproxy.service
    regexp: '^ExecStart='
    line: 'ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CONFIG_D -p $PIDFILE $OPTIONS'
- name: Change Service Configure ExecStartPre
  lineinfile:
    path: /usr/lib/systemd/system/haproxy.service
    regexp: '^ExecStartPre='
    line: 'ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CONFIG_D -c -q $OPTIONS'
- name: Start Haproxy Server
  systemd:
    name: haproxy
    state: started
    daemon_reload: yes   # required: the unit file was edited above
    enabled: yes

3. 准备 haproxy 角色的配置文件 haproxy.cfg.j2

[root@manager roles]# cat haproxy/templates/haproxy.cfg.j2 
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    # turn on stats unix socket
    # level admin exposes the full runtime API (disable servers, change
    # weights) on this socket; it is guarded only by file permissions inside
    # the chroot — add `mode 600` unless another local user needs it.
    stats socket /var/lib/haproxy/stats level admin
    #nbproc 4
	nbthread 8
    # NOTE(review): `cpu-map N` addresses process N; with nbproc left at 1 only
    # the first line applies and thread pinning would use the `1/N` form —
    # check against the 2.2 cpu-map syntax.
    cpu-map 1 0
    cpu-map 2 1
    cpu-map 3 2
    cpu-map 4 3
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
#----------------------------------------------------------------
# Listen settings
#----------------------------------------------------------------
##
# NOTE(review): the stats page is bound on every address of both proxies with a
# static weak credential rendered from this template, and `stats admin if TRUE`
# lets any client that passes that credential take backends in and out of
# service. Move the credential into a vaulted variable, bind to the internal
# address (or add an ACL on the source network) and drop `stats admin` where
# it is not needed.
listen haproxy-stats_2
        bind *:9999
        stats enable
	stats refresh 1s
        stats hide-version
        stats uri /haproxy?stats
        stats realm "HAProxy statistics"
        stats auth admin:123456
        stats admin if TRUE

4. 准备 haproxy 角色的安装包 haproxy22.rpm.tar.gz

[root@manager roles]# ll haproxy/files/haproxy22.rpm.tar.gz 
-rw-r--r-- 1 root root 2344836 Nov  3 17:25 haproxy/files/haproxy22.rpm.tar.gz

5. 准备 haproxy 角色的 handlers

[root@manager roles]# cat haproxy/handlers/main.yml 
- name: Restart Haproxy Server
  systemd:
    name: haproxy
    state: restarted

6. 配置变量参数

[root@manager roles]# cat group_vars/all 
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24
# mysql
mysql_super_user: app
mysql_super_pass: Superman*2025
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '172.16.1.%'
mysql_server_ip: 172.16.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"
# nginx
nginx_conf_path: /etc/nginx/nginx.conf
nginx_include_dir: /etc/nginx/conf.d
nginx_include_path: /etc/nginx/conf.d/*.conf
# php-fpm
php_ini_path: /etc/php.ini
php_fpm_path: /etc/php-fpm.d/www.conf
session_method: redis
session_redis_path: "tcp://172.16.1.41:6379?weight=1&timeout=2.5"
fpm_max_process: 200
fpm_start_process: 20
fpm_min_spare_servers: 10
fpm_max_spare_servers: 50
# haproxy
haproxy_include_path: /etc/haproxy/conf.d/
proxy_vip: 172.16.1.100
haproxy_port: 80

7. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 haproxy roles
[root@manager roles]# cat top.yml 
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm
- hosts: proxyservers
  roles:
    - role: haproxy
      tags: haproxy
[root@manager roles]# ansible-playbook top.yml -t haproxy
# 3.7 Keepalived 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir keepalived/{tasks,templates,handlers,files} -p

2. 准备 keepalived 角色的 tasks 任务

[root@manager roles]# cat keepalived/tasks/main.yml 
# Installs keepalived on the proxy hosts, renders the VRRP config and starts the
# service; the handler restarts it whenever the template changes.
- name: Install Keepalived Server
  yum:
    name: keepalived
    state: present
- name: Configure Keepalived Server
  template:
    src: keepalived.conf.j2
    dest: /etc/keepalived/keepalived.conf
  notify: Restart Keepalived Server
- name: Started Keepalived Server
  systemd:
    name: keepalived
    state: started
    enabled: yes

3. 准备 keepalived 角色配置文件 keepalived.conf.j2

[root@manager roles]# cat keepalived/templates/keepalived.conf.j2 
global_defs {     
    router_id <!--swig56-->
}
vrrp_instance VI_1 {
# The line below is a Jinja block stripped by this page's renderer — presumably
# the per-host state/priority settings; confirm against the original template.
<!--swig57-->
    interface  eth1            # physical interface this virtual router is bound to
    virtual_router_id 49            # VRID of this virtual router
    advert_int 3                    # VRRP advertisement interval; default is 1s
    #nopreempt
    # NOTE(review): auth_type PASS sends the password in clear text inside the
    # VRRP advertisements on eth1, and the same fixed value is rendered onto
    # both proxies. Source it from a (vaulted) variable so it is not part of
    # the role, and keep the interface on the internal segment only.
    authentication {
        auth_type PASS              # authentication type: simple password
        auth_pass 1111              # password, at most 8 characters
    }
    
    virtual_ipaddress {
       <!--swig58-->
    }
}

4. 准备 keepalived 角色的 handlers

[root@manager roles]# cat keepalived/handlers/main.yml 
- name: Restart Keepalived Server
  systemd:
    name: keepalived
    state: restarted

5. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 keepalived roles
[root@manager roles]# cat top.yml 
# Site playbook (state after the keepalived role was added). One play per host group;
# every role carries a tag so it can be run alone with `ansible-playbook top.yml -t <tag>`.
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm
- hosts: proxyservers
  roles:
    - role: haproxy
      tags: haproxy
# keepalived owns the VIP on the proxy pair (verified below with `ip addr` on proxy01).
- hosts: proxyservers
  roles:
    - role: keepalived
      tags: keepalived
[root@manager roles]# ansible-playbook top.yml -t keepalived
#3. 测试验证
[root@proxy01 ~]# ip addr |grep 172.16.1.100
    inet 172.16.1.100/32 scope global eth1
# 3.8 LVS 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir lvs/{tasks,templates,handlers,files,meta} -p

2. 配置 lvs 角色依赖 keepalived 角色

[root@manager roles]# cat lvs/meta/main.yml 
# The keepalived role runs first as a dependency, so its keepalived.conf template is
# rendered before this role's template to the same destination path.
dependencies:
 - { role: keepalived }

3. 准备 lvs 角色的 tasks 任务

[root@manager roles]# cat lvs/tasks/main.yml 
# lvs role tasks: ipvsadm is only needed to inspect the IPVS table; keepalived (pulled
# in via meta/main.yml) programs the virtual servers from templates/keepalived.conf.j2.
- name: Install Ipvsadm Packages
  yum:
    name: ipvsadm
    state: present
# Same destination as the keepalived role's template task; this one ends up on disk
# because the dependency runs first. Expect two restarts on a freshly provisioned host.
- name: Configure LVS Keepalived
  template:
    src: keepalived.conf.j2
    dest: /etc/keepalived/keepalived.conf
  notify: Restart Keepalived Server
- name: Start LVS Keepalived
  systemd:
    name: keepalived
    state: started
    enabled: yes

4. 准备 keepalived 配置文件 keepalived.conf.j2

[root@manager roles]# cat lvs/templates/keepalived.conf.j2 
# keepalived.conf for lbservers: one VRRP instance for the VIP plus two IPVS virtual
# servers (HTTP and HTTPS). The <!--swigNN--> marks are Jinja expressions lost in page
# extraction (router_id, state/priority, VIP, VIP:port pairs and presumably the
# real_server loop) — verify against the repository copy.
global_defs {
    router_id <!--swig59-->
}
vrrp_instance VI_1 {
<!--swig60-->
    interface eth1
    virtual_router_id 50            # distinct from the proxyservers instance (49)
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111              # NOTE(review): placeholder, sent in clear on the LAN; source it from a vaulted variable
 }
    virtual_ipaddress {
        <!--swig61-->
    }
}
#Http
virtual_server <!--swig62--> <!--swig63--> {
    delay_loop 6                    # seconds between checker rounds
    lb_algo rr
    lb_kind DR                      # direct routing: real servers must hold the VIP on lo (lvs-devel role)
    protocol TCP
<!--swig64-->
}
#Https
virtual_server <!--swig65--> <!--swig66--> {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol TCP
<!--swig67-->
}

5. 配置变量参数

[root@manager roles]# cat group_vars/all 
# group_vars/all — variables shared by every role.
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24
# mysql
# NOTE(review): plaintext credentials in group_vars land in git history and on this page.
# Keep them in an ansible-vault encrypted file (e.g. group_vars/all/vault.yml), reference
# them from here, and rotate the values that are published below.
mysql_super_user: app
mysql_super_pass: Superman*2025
# NOTE(review): '*.*:ALL' from the whole /24 is a global superuser grant; if this account is
# the one the web tier connects with, scope it to the application's own database.
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '172.16.1.%'
mysql_server_ip: 172.16.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"
# nginx
nginx_conf_path: /etc/nginx/nginx.conf
nginx_include_dir: /etc/nginx/conf.d
nginx_include_path: /etc/nginx/conf.d/*.conf
# php-fpm
php_ini_path: /etc/php.ini
php_fpm_path: /etc/php-fpm.d/www.conf
session_method: redis
session_redis_path: "tcp://172.16.1.41:6379?weight=1&timeout=2.5"   # no auth in the DSN; relies on network isolation of the redis host
fpm_max_process: 200
fpm_start_process: 20
fpm_min_spare_servers: 10
fpm_max_spare_servers: 50
# haproxy
haproxy_include_path: /etc/haproxy/conf.d/
proxy_vip: 172.16.1.100
haproxy_port: 80
# lvs
lvs_vip: 172.16.1.100        # same address as proxy_vip — only one VRRP group should own it on the segment
lvs_port_http: 80
lvs_port_https: 443
lvs_rs_network: lo:0         # interface alias the real servers bind the VIP to (lvs-devel role)

6. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 lvs roles
[root@manager roles]# cat top.yml 
# Site playbook (state after the lvs role was added). One play per host group;
# every role carries a tag so it can be run alone with `ansible-playbook top.yml -t <tag>`.
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm
- hosts: proxyservers
  roles:
    - role: haproxy
      tags: haproxy
# NOTE(review): proxyservers advertise 172.16.1.100 with VRID 49 (keepalived role) while
# lbservers advertise the same address with VRID 50 (lvs role) — two VRRP groups claiming
# one VIP on the same segment looks like a conflict; confirm which tier is meant to own it.
- hosts: proxyservers
  roles:
    - role: keepalived
      tags: keepalived
- hosts: lbservers
  roles:
    - role: lvs
      tags: lvs
[root@manager roles]# ansible-playbook top.yml -t lvs
#3. 测试验证
[root@lb02 ~]# ipvsadm -L -n 
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.1.100:80 rr
TCP  172.16.1.100:443 rr
# 3.9 LVS devel 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir lvs-devel/{tasks,templates,handlers,files} -p

2. 准备 lvs devel 角色的 tasks 任务

[root@manager roles]# cat lvs-devel/tasks/main.yml 
# lvs-devel role: prepare proxyservers as LVS-DR real servers — bind the VIP on lo:0 and
# tune ARP so only the director answers for the VIP on the wire.
# <!--swig68--> is a templated interface name lost in page extraction (lvs_rs_network is lo:0
# in group_vars).
- name: Configure VIP lo:0
  template:
    src: ifcfg-lo:0.j2
    dest: /etc/sysconfig/network-scripts/ifcfg-<!--swig68-->
  notify: Restart Network
# NOTE(review): `name: ""` in the two sysctl tasks lost its expression in extraction; with
# `loop:` it is the per-item value (`{{ item }}`).
- name: Configure Arp_Ignore
  sysctl:
    name: ""
    value: '1'          # arp_ignore=1: answer ARP only for addresses configured on the receiving interface
    sysctl_set: yes
  loop:
    - net.ipv4.conf.default.arp_ignore
    - net.ipv4.conf.all.arp_ignore
    - net.ipv4.conf.lo.arp_ignore
- name: Configure Arp_Announce 
  sysctl:
    name: ""
    value: '2'          # arp_announce=2: pick the best local source address, never the VIP on lo
    sysctl_set: yes
  loop:
    - net.ipv4.conf.default.arp_announce
    - net.ipv4.conf.all.arp_announce
    - net.ipv4.conf.lo.arp_announce

3. 准备 lvs devel 角色配置文件 ifcfg-lo:0.j2

[root@manager roles]# cat lvs-devel/templates/ifcfg-lo:0.j2 
# ifcfg for the VIP alias on the LVS-DR real servers; DEVICE and IPADDR are templated
# values lost in page extraction.
DEVICE=<!--swig71-->
IPADDR=<!--swig72-->
# NOTE(review): a DR real server normally claims only the VIP itself (NETMASK=255.255.255.255);
# with 255.0.0.0 ifup may add a 172.0.0.0/8 route on lo — confirm this is intended.
NETMASK=255.0.0.0
ONBOOT=yes
NAME=loopback

4. 准备 lvs devel 角色 handlers

[root@manager roles]# cat lvs-devel/handlers/main.yml 
# Handler: bounce the lo:0 alias so the rendered ifcfg takes effect. `shell` is needed for
# the `&&`; like any shell task it always reports changed (add `changed_when` if that matters).
- name: Restart Network
  shell: ifdown lo:0 && ifup lo:0

5. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs-devel
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── ifcfg-lo:0.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
└── top.yml
#2. 执行 lvs devel roles
[root@manager roles]# cat top.yml 
# Site playbook (state after the lvs-devel role was added). One play per host group;
# every role carries a tag so it can be run alone with `ansible-playbook top.yml -t <tag>`.
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm
- hosts: proxyservers
  roles:
    - role: haproxy
      tags: haproxy
# NOTE(review): proxyservers get both keepalived (VIP on eth1, VRID 49) and lvs-devel (the
# same 172.16.1.100 on lo:0 as an LVS-DR real server) while lbservers advertise the VIP with
# VRID 50. A DR real server normally holds the VIP only on lo; confirm the proxy-side VRRP
# instance is still wanted once LVS fronts the proxies.
- hosts: proxyservers
  roles:
    - role: keepalived
      tags: keepalived
      
- hosts: proxyservers
  roles:
    - role: lvs-devel
      tags: lvs-devel
- hosts: lbservers
  roles:
    - role: lvs
      tags: lvs
#3. 验证测试
[root@manager roles]# ansible-playbook top.yml -t lvs-devel
[root@proxy01 ~]# ifconfig | grep lo:0
lo:0: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@proxy02 ~]#  ifconfig | grep lo:0
lo:0: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
# 3.10 Route 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir route/{tasks,templates,handlers,files} -p

2. 准备 route 角色的 tasks 任务

[root@manager roles]# cat route/tasks/main.yml 
# route role: the router SNATs the internal /24 towards its public address and DNATs public
# 80/443 to the VIP. The empty "" values are templated expressions lost in page extraction;
# the rendered rules are visible in the `iptables -t nat -L -n` output further down.
# NOTE(review): the iptables module only changes the running ruleset; persist it (e.g.
# iptables-save / iptables-services) or the NAT rules disappear at the next reboot.
- name: Iptables SNAT Share Network
  iptables:
    table: nat 
    chain: POSTROUTING 
    source: 172.16.1.0/24 
    jump: SNAT 
    to_source: ""
- name: Iptables DNAT Http 80 Port
  iptables:
    table: nat 
    chain: PREROUTING
    protocol: tcp 
    destination: ""
    destination_port: ''
    jump: DNAT 
    to_destination: ":"
- name: Iptables DNAT Http 443 Port
  iptables:
    table: nat 
    chain: PREROUTING
    protocol: tcp 
    destination: "" 
    destination_port: '' 
    jump: DNAT 
    to_destination: ":"

3. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs-devel
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── ifcfg-lo:0.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
├── route
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   └── templates
└── top.yml
#2. 执行 route roles
[root@manager roles]# cat top.yml 
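# Site playbook (state after the route role was added). One play per host group;
# every role entry carries its own tag so a single role can be run with
# `ansible-playbook top.yml -t <tag>`.
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm
- hosts: proxyservers
  roles:
    - role: haproxy
      tags: haproxy
# Previously the only `tags:` line in this play sat under lvs-devel, leaving the keepalived
# role untagged (so `-t keepalived` skipped it and ran lvs-devel instead). Each role now
# carries its own tag, matching the separate plays used earlier.
# NOTE(review): proxyservers hold the VIP on eth1 (VRID 49) and on lo:0 (lvs-devel) while
# lbservers advertise the same VIP with VRID 50 — confirm the proxy-side VRRP instance is
# still intended once LVS-DR fronts the proxies.
- hosts: proxyservers
  roles:
    - role: keepalived
      tags: keepalived
    - role: lvs-devel
      tags: lvs-devel
- hosts: lbservers
  roles:
    - role: lvs
      tags: lvs
- hosts: routes
  roles:
    - role: route
      tags: route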
#3. 测试验证
[root@manager roles]# ansible-playbook top.yml -t route
[root@routes ~]# iptables  -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            192.168.40.200       tcp dpt:80 to:172.16.1.100:80
DNAT       tcp  --  0.0.0.0/0            192.168.40.200       tcp dpt:443 to:172.16.1.100:443
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.1.0/24        0.0.0.0/0            to:192.168.40.200
# 3.11 DNS 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir dns/{tasks,templates,handlers,files} -p

2. 准备 dns 角色的 tasks 任务

[root@manager roles]#  cat dns/tasks/main.yml 
# dns role tasks for dns-master and dns-slave.
# NOTE(review): `name: ""` below lost its expression in extraction; with `loop:` it is the
# per-item value (`{{ item }}`). The yum module also accepts the list directly under
# `name:`, which installs both packages in one transaction.
- name: Install Bind Server
  yum:
    name: ""
    state: present
  loop:
    - bind-utils
    - bind
# root:named 0640 keeps the config readable by the daemon only.
- name: Configure named.conf
  template:
    src: named.conf.j2
    dest: /etc/named.conf
    owner: root
    group: named
    mode: '0640'
  notify: Restart Bind Server
# The zone file is rendered on the master only; the slave is expected to obtain the zone
# by transfer (presumably configured in the part of named.conf.j2 lost in extraction).
# Task name and `dest` also lost their templated pieces ("" / "/.zone").
- name: Configure "" zone
  template:
    src: hmallleasing.com.zone.j2
    dest: "/.zone"
  when: ( ansible_hostname == "dns-master" )
  notify: Restart Bind Server
- name: Start BIND Server
  systemd:
    name: named
    state: started
    enabled: yes

3. 准备 dns 角色配置文件 named.conf.j2

[root@manager roles]# cat dns/templates/named.conf.j2 
// named.conf rendered on both DNS hosts. <!--swig86--> and <!--swig87--> are Jinja blocks
// lost in page extraction (presumably transfer/notify options and the per-role zone
// definitions) — verify against the repository copy.
options {
	listen-on port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };
	// NOTE(review): `allow-query { any; }` together with `recursion yes;` makes this an open
	// recursive resolver wherever port 53 is reachable, including from outside 172.16.1.0/24.
	// Keep any-query for the authoritative zone but restrict recursion to the internal
	// network, e.g. `allow-recursion { 172.16.1.0/24; };`.
<!--swig86-->
	recursion yes;
	dnssec-enable yes;
	dnssec-validation yes;
	bindkeys-file "/etc/named.root.key";
	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
    zone "." IN {
        type hint;
        file "named.ca";
    };
<!--swig87-->
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

4. 准备 dns 角色区域数据库文件 hmallleasing.com.zone.j2

[root@manager roles]# cat dns/templates/hmallleasing.com.zone.j2 
; Zone file rendered on dns-master only. <!--swigNN--> marks are Jinja expressions lost in
; page extraction (the domain name and the ns1/ns2 addresses).
$TTL 600;
<!--swig88-->.	IN	SOA	ns.<!--swig89-->.	xuyong.<!--swig90-->. (
	202501016	; serial — NOTE(review): must increase on every edit or the slave will not transfer; looks one digit short of YYYYMMDDnn
	1800		; refresh
	900		; retry
	604800		; expire
	86400		; negative-cache TTL
)
; NOTE(review): the SOA MNAME above is ns.<domain> but the NS records and A records below are
; ns1/ns2 — there is no record for ns.<domain> in this zone; confirm which name is intended.
<!--swig91-->.	IN	NS	ns1.<!--swig92-->.
<!--swig93-->.	IN	NS	ns2.<!--swig94-->.
ns1.<!--swig95-->.	IN	A	<!--swig96-->
ns2.<!--swig97-->.	IN	A	<!--swig98-->
www.<!--swig99-->.	IN	A	1.1.1.1
blog.<!--swig100-->.	IN	A	192.168.40.200

5. 准备 dns 角色 handlers

[root@manager roles]# cat dns/handlers/main.yml 
# Handler notified by the dns role's named.conf and zone-file template tasks.
- name: Restart Bind Server
  systemd:
    name: named
    state: restarted

6. 配置变量参数

[root@manager roles]# cat group_vars/all 
# group_vars/all — variables shared by every role (dns section added).
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24
# mysql
# NOTE(review): plaintext credentials in group_vars land in git history and on this page.
# Keep them in an ansible-vault encrypted file (e.g. group_vars/all/vault.yml), reference
# them from here, and rotate the values that are published below.
mysql_super_user: app
mysql_super_pass: Superman*2025
# NOTE(review): '*.*:ALL' from the whole /24 is a global superuser grant; scope the account
# the web tier uses to its own database.
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '172.16.1.%'
mysql_server_ip: 172.16.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"
# nginx
nginx_conf_path: /etc/nginx/nginx.conf
nginx_include_dir: /etc/nginx/conf.d
nginx_include_path: /etc/nginx/conf.d/*.conf
# php-fpm
php_ini_path: /etc/php.ini
php_fpm_path: /etc/php-fpm.d/www.conf
session_method: redis
session_redis_path: "tcp://172.16.1.41:6379?weight=1&timeout=2.5"   # no auth in the DSN; relies on network isolation of the redis host
fpm_max_process: 200
fpm_start_process: 20
fpm_min_spare_servers: 10
fpm_max_spare_servers: 50
# haproxy
haproxy_include_path: /etc/haproxy/conf.d/
proxy_vip: 172.16.1.100
haproxy_port: 80
# lvs
lvs_vip: 172.16.1.100        # same address as proxy_vip — only one VRRP group should own it on the segment
lvs_port_http: 80
lvs_port_https: 443
lvs_rs_network: lo:0
# dns       
dns_master_ip: 172.16.1.91
dns_slave_ip: 172.16.1.92
dns_zone_path: /var/named  
dns_domain: hmallleasing.com

7. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── dns
│   ├── files
│   ├── handlers
│   │   └── main.ym
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── hmallleasing.com.zone.j2
│       └── named.conf.j2
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs-devel
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── ifcfg-lo:0.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
├── route
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   └── templates
└── top.yml
#2. 执行 dns roles
[root@manager roles]# cat top.yml 
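# Site playbook (state after the dns role was added). One play per host group;
# every role entry carries its own tag so a single role can be run with
# `ansible-playbook top.yml -t <tag>`.
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: nginx
      tags: nginx
- hosts: webservers
  roles:
    - role: php-fpm
      tags: php-fpm
- hosts: proxyservers
  roles:
    - role: haproxy
      tags: haproxy
# Previously the only `tags:` line in this play sat under lvs-devel, leaving the keepalived
# role untagged (so `-t keepalived` skipped it and ran lvs-devel instead). Each role now
# carries its own tag, matching the separate plays used earlier.
# NOTE(review): proxyservers hold the VIP on eth1 (VRID 49) and on lo:0 (lvs-devel) while
# lbservers advertise the same VIP with VRID 50 — confirm the proxy-side VRRP instance is
# still intended once LVS-DR fronts the proxies.
- hosts: proxyservers
  roles:
    - role: keepalived
      tags: keepalived
    - role: lvs-devel
      tags: lvs-devel
- hosts: lbservers
  roles:
    - role: lvs
      tags: lvs
- hosts: routes
  roles:
    - role: route
      tags: route
- hosts: dnsservers
  roles:
    - role: dns
      tags: dns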
#3. 测试并验证
[root@manager roles]# ansible-playbook top.yml -t dns
[root@manager roles]# dig www.hmallleasing.com @172.16.1.91 +short
1.1.1.1
[root@manager roles]# dig www.hmallleasing.com @172.16.1.92 +short
1.1.1.1
[root@manager ~]# dig blog.hmallleasing.com @172.16.1.91 +short
192.168.40.200
[root@manager ~]# dig blog.hmallleasing.com @172.16.1.92 +short
192.168.40.200
# 3.12 接入 wordpress-web 服务

1. 创建 Roles 目录结构

[root@manager roles]# mkdir wordpress-web/{tasks,templates,handlers,files,meta} -p

2. 准备 wordpress-web 角色的依赖

[root@manager roles]# cat wordpress-web/meta/main.yml 
# nginx and php-fpm are applied first, so the webservers play no longer needs separate
# plays for them.
dependencies:
 - { role: nginx }
 - { role: php-fpm }

3. 准备 wordpress-web 角色的 tasks 任务

[root@manager roles]# cat wordpress-web/tasks/main.yml 
# wordpress-web role tasks. The empty "" / "/..." values are templated paths lost in page
# extraction (vhost file under the nginx include dir, code directory, owner/group).
- name: Create Wordpress Configure
  template:
    src: blog.hmallleasing.com.conf.j2
    dest: "/"
    owner: root
    group: root
    mode: '0644'
  notify: Restart Nginx Server
- name: Create Code Directory
  file:
    path: ""
    state: directory
    owner: ""
    group: ""
    recurse: yes
# `creates:` skips the extraction once wp-config.php exists, so re-runs do not clobber the tree.
- name: Import Wordpress Code
  unarchive:
    src: wordpress.tar.gz
    dest: ""
    owner: ""
    group: ""
    creates: "/wp-config.php"
# NOTE(review): this file carries the DB credentials and auth salts but no owner/group/mode is
# set, so it is created with the connecting user's defaults; set it to the php-fpm user with
# a restrictive mode (e.g. '0640') so other local accounts cannot read it.
- name: Copy Wordpress Connection MySQL FIle
  template:
    src: wp-config.php.j2
    dest: "/wp-config.php"

4. 准备 wordpress-web 角色配置文件 blog.hmallleasing.com.conf.j2

[root@manager roles]# cat wordpress-web/templates/blog.hmallleasing.com.conf.j2
# nginx vhost for the blog; <!--swigNN--> marks are templated values lost in page extraction
# (listen port, server_name, document root).
server {
	listen <!--swig111-->;
	server_name <!--swig112-->;
	root <!--swig113-->;
	location / {
		index index.php;
	}
	location ~ \.php$ {
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		# Kept commented while fastcgi_https is off; enable it when TLS terminates upstream so
		# WordPress builds https:// URLs instead of redirect loops.
		#fastcgi_param HTTPS ;
		include fastcgi_params;
	
	}
}

5. 准备 wordpress-web 角色配置文件 wp-config.php.j2

[root@manager roles]# cat wordpress-web/templates/wp-config.php.j2 
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
// Rendered by the wordpress-web role; the <!--swigNN--> marks are Jinja expressions
// (DB user, password, host) lost in page extraction.
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
// NOTE(review): if this is rendered from mysql_super_user, the site runs with a '*.*:ALL'
// account; WordPress only needs privileges on DB_NAME.
define( 'DB_USER', '<!--swig115-->' );
/** MySQL database password */
define( 'DB_PASSWORD', '<!--swig116-->' );
/** MySQL hostname */
define( 'DB_HOST', '<!--swig117-->' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
// NOTE(review): these literals are committed with the template and published on this page,
// so every deployment rendered from it shares the same cookie-signing secrets. Regenerate
// them from the secret-key service above and inject them from a vaulted variable.
define( 'AUTH_KEY',         './w>#r7VS2g|Npy[8K@DV,..I55N6`WUe3KlHuu>Mw,rh*y/7zyh+#-s tH{H`=3' );
define( 'SECURE_AUTH_KEY',  '^di8c$=^N@3-~5EcjAU2{8*Kjg)0_E8b0:aR]{mFQKAf=3!0II{b+SI|Z8myd(.h' );
define( 'LOGGED_IN_KEY',    '[30w[|*($S0-EOY*fNWUj_ne$I={kQw}6PgT-cm59y!ZnJ7boS6&?5_k0%JO2S.d' );
define( 'NONCE_KEY',        'xLm$z=+m^IQy PLYoXVT_bLQ7q`14%mT5!Fd{)(cLID+}j.O9)$+j,rebHm2y_!H' );
define( 'AUTH_SALT',        'dG#2`gaHSutER umN7`s%gIDC&U`VZtR<4Ds38)pTkHd|O!9=2i;0qv4lsl:mU!N' );
define( 'SECURE_AUTH_SALT', 'p9CLMtl01&P>OX:(sZg2_Z0rGUM/wIE=d[_}$R|q]}y=w*Z1~q~3sDOp1[|hbvXx' );
define( 'LOGGED_IN_SALT',   '`#t{9~u$W@[@%g?r4oTnh&!okeRDZ)X <xkL_{s1L}v0Csejz7x=PPUmAI1HJjTU' );
define( 'NONCE_SALT',       'czEr-n:.NclG?Z:;Fg5k+ZANyYP&&Q+cU% mU~Dz1}r/5b(I&@3z$,{6MO+3-=}<' );
/**#@-*/
/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
// Kept false: WP_DEBUG surfaces notices (and paths) to visitors when enabled on a public site.
define( 'WP_DEBUG', false );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

6. 准备 wordpress-web 角色的项目代码

[root@manager roles]# ll wordpress-web/files/wordpress.tar.gz 
-rw-r--r-- 1 root root 17299333 Nov  6 20:39 wordpress-web/files/wordpress.tar.gz

7. 配置变量参数

[root@manager roles]# cat group_vars/all 
# group_vars/all — variables shared by every role (wordpress section added).
#base
all_group: www
all_user: www
all_uid: 666
all_gid: 666
# nfs
nfs_share_zrlog: /data/zrlog
nfs_share_blog: /data/blog
nfs_allow_ip: 172.16.1.0/24
# mysql
# NOTE(review): plaintext credentials in group_vars land in git history and on this page.
# Keep them in an ansible-vault encrypted file (e.g. group_vars/all/vault.yml), reference
# them from here, and rotate the values that are published below.
mysql_super_user: app
mysql_super_pass: Superman*2025
# NOTE(review): '*.*:ALL' from the whole /24 is a global superuser grant; the WordPress
# connection only needs privileges on its own database.
mysql_super_user_priv: '*.*:ALL'
mysql_allow_ip: '172.16.1.%'
mysql_server_ip: 172.16.1.51
mysql_root_password: "Superman*2025"
mysql_version: "5.7"
# nginx
nginx_conf_path: /etc/nginx/nginx.conf
nginx_include_dir: /etc/nginx/conf.d
nginx_include_path: /etc/nginx/conf.d/*.conf
# php-fpm
php_ini_path: /etc/php.ini
php_fpm_path: /etc/php-fpm.d/www.conf
session_method: redis
session_redis_path: "tcp://172.16.1.41:6379?weight=1&timeout=2.5"   # no auth in the DSN; relies on network isolation of the redis host
fpm_max_process: 200
fpm_start_process: 20
fpm_min_spare_servers: 10
fpm_max_spare_servers: 50
# haproxy
haproxy_include_path: /etc/haproxy/conf.d/
proxy_vip: 172.16.1.100
haproxy_port: 80
# lvs
lvs_vip: 172.16.1.100        # same address as proxy_vip — only one VRRP group should own it on the segment
lvs_port_http: 80
lvs_port_https: 443
lvs_rs_network: lo:0
# dns       
dns_master_ip: 172.16.1.91
dns_slave_ip: 172.16.1.92
dns_zone_path: /var/named  
dns_domain: hmallleasing.com
# wordpress
word_domain: blog.hmallleasing.com 
word_http_port: 80
word_code_path: /code/wordpress
word_nginx_name: blog.hmallleasing.com.conf
fastcgi_https: off           # flip to on when TLS terminates in front of nginx (vhost template passes it to php-fpm)

8. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── dns
│   ├── files
│   ├── handlers
│   │   ├── main.ym
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── hmallleasing.com.zone.j2
│       └── named.conf.j2
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs-devel
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── ifcfg-lo:0.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
├── route
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   └── templates
├── top.yml
└── wordpress-web
    ├── files
    │   └── wordpress.tar.gz
    ├── handlers
    ├── meta
    │   └── main.yml
    ├── tasks
    │   └── main.yml
    └── templates
        ├── blog.hmallleasing.com.conf.j2
        └── wp-config.php.j2
#2. 执行 wordpress-web roles
[root@manager roles]# cat top.yml 
# Site playbook as shown for the wordpress-web role. The nginx and php-fpm plays are gone
# because wordpress-web pulls both in through meta/main.yml; the proxyservers, lbservers,
# routes and dnsservers plays listed in the earlier versions are not in this copy.
- hosts: all
  roles:
    - role: base
      tags: base 
- hosts: nfsservers
  roles:
    - role: nfs-server
      tags: nfs
- hosts: dbservers
  roles:
    - role: mysql-server
      tags: mysql
- hosts: redisservers
  roles:
    - role: redis
      tags: redis
- hosts: webservers
  roles:
    - role: wordpress-web
      tags: wordpress
[root@manager roles]# ansible-playbook top.yml -t wordpress
# 3.13 接入 wordpress-proxy 服务

七层负载均衡使用 Haproxy

1. 创建 Roles 目录结构

[root@manager roles]# mkdir wordpress-proxy/{tasks,templates,handlers,files,meta} -p

2. 准备 wordpress-proxy 角色的依赖

[root@manager roles]# cat wordpress-proxy/meta/main.yml 
# haproxy is installed and configured first; this role only drops an extra include file.
dependencies:
 - { role: haproxy }

3. 准备 wordpress-proxy 角色的 tasks 任务

[root@manager roles]# cat wordpress-proxy/tasks/main.yml 
# wordpress-proxy role: render the blog frontend/backend into the haproxy include dir.
# The "/wordpress.cfg" dest lost its templated directory prefix in page extraction
# (haproxy_include_path in group_vars is /etc/haproxy/conf.d/).
- name: Wordpress Haproxy Configure
  template:
    src: wordpress.cfg.j2
    dest: "/wordpress.cfg"
  notify: Restart Haproxy Server

4. 准备 wordpress-proxy 角色配置文件 wordpress.cfg.j2

[root@manager roles]# cat wordpress-proxy/templates/wordpress.cfg.j2 
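# HAProxy L7 routing for the blog. <!--swig119--> is the templated host name and
# <!--swig120--> the server loop, both lost in page extraction.
frontend blog
  bind *:80
  mode http
# Exact, case-insensitive Host match. The previous hdr_reg(host) applied the domain as an
# unanchored regex with unescaped dots, so any Host that merely contained a look-alike
# string was routed to the blog backend.
  acl blog_domain hdr(host) -i <!--swig119-->
  use_backend  blog_cluster if blog_domain
backend blog_cluster
	balance roundrobin
<!--swig120-->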

5. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── dns
│   ├── files
│   ├── handlers
│   │   ├── main.ym
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── hmallleasing.com.zone.j2
│       └── named.conf.j2
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs-devel
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── ifcfg-lo:0.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
├── route
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   └── templates
├── top.yml
├── wordpress-proxy
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── wordpress.cfg.j2
└── wordpress-web
    ├── files
    │   └── wordpress.tar.gz
    ├── handlers
    ├── meta
    │   └── main.yml
    ├── tasks
    │   └── main.yml
    └── templates
        ├── blog.hmallleasing.com.conf.j2
        └── wp-config.php.j2
#2. 执行 wordpress-proxy roles
[root@manager roles]# cat top.yml 
# Site playbook for the HAProxy-fronted stack.  Plays run top to bottom, one per
# inventory group: the router first (it is the gateway for the other tiers),
# then base on every host, then the data/web tiers, then the L7 proxies
# (lvs-devel prepares the proxies as LVS real servers), the LVS load balancers
# and finally DNS.
- hosts: routes
  roles: [route]
- hosts: all
  roles: [base]
- hosts: nfsservers
  roles: [nfs-server]
- hosts: dbservers
  roles: [mysql-server]
- hosts: redisservers
  roles: [redis]
- hosts: webservers
  roles: [wordpress-web]
- hosts: proxyservers
  roles: [lvs-devel, wordpress-proxy]
- hosts: lbservers
  roles: [lvs]
- hosts: dnsservers
  roles: [dns]
[root@manager roles]# ansible-playbook top.yml
# 3.14 接入 wordpress-proxy-nginx 服务

七层负载均衡使用 Nginx

1. 创建 Roles 目录结构

[root@manager roles]# mkdir wordpress-proxy-nginx/{tasks,templates,handlers,files,meta} -p

2. 准备 wordpress-proxy-nginx 角色的依赖

[root@manager roles]# cat wordpress-proxy-nginx/meta/main.yml 
# Role dependency: the nginx role runs first (install + nginx.conf).  This role
# has no handlers directory content of its own, so the "Restart Nginx Server"
# handler notified by tasks/main.yml presumably lives in nginx/handlers/main.yml.
dependencies:
  - role: nginx

3. 准备 wordpress-proxy-nginx 角色的 tasks 任务

[root@manager roles]# cat wordpress-proxy-nginx/tasks/main.yml 
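# Deploys the TLS-terminating nginx vhost for the blog plus the proxy settings
# it includes.  nginx itself and the "Restart Nginx Server" handler come from
# the nginx role declared in meta/main.yml.
#
# SECURITY (review): files/SSLKEY.zip carries the TLS private key in plaintext
# and sits in the role with mode 0644 (see the `ll` output further down).  Keep
# that archive encrypted with ansible-vault and never world-readable; the
# permissions task below at least locks the extracted key down on the target.
- name: Unarchive SSLKEY.zip
  unarchive:
    src: SSLKEY.zip
    dest: /etc/nginx
    # `creates` makes this a one-shot: a rotated cert/key shipped in a new zip
    # is NOT re-deployed while /etc/nginx/SSLKEY exists.  Remove that directory
    # (or drop `creates`) when rotating.
    creates: /etc/nginx/SSLKEY
  notify: Restart Nginx Server

# Added in review: unarchive keeps whatever mode the zip carried, so enforce
# root-only access on the key.  0600/root is sufficient when the key is read by
# a root-owned nginx master process — verify if nginx runs unprivileged here.
- name: Restrict permissions on the TLS private key
  file:
    path: /etc/nginx/SSLKEY/hmallleasing.com.key
    owner: root
    group: root
    mode: "0600"
  notify: Restart Nginx Server

- name: Wordpress Nginx Configure
  template:
    src: "blog.hmallleasing.com.conf.j2"
    # NOTE(review): "/" is the filesystem root; the rendered page dropped the
    # Jinja expression that preceded it.  Confirm this resolves to the vhost
    # directory nginx.conf.j2 includes (typically conf.d), otherwise the vhost
    # is written somewhere nginx never reads.
    dest: "/"
  notify: Restart Nginx Server

- name: Nginx Proxy_params Configure
  template:
    src: "proxy_params.j2"
    dest: "/etc/nginx/proxy_params"
  notify: Restart Nginx Server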

4. 准备 wordpress-proxy-nginx 角色配置文件 blog.hmallleasing.com.conf.j2

[root@manager roles]# cat wordpress-proxy-nginx/templates/blog.hmallleasing.com.conf.j2
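# Upstream pool of WordPress web servers; the member lines are emitted by the
# template loop below.  Traffic between this proxy and the web tier is plain
# HTTP, so the TLS boundary is this file.
upstream blog {
    <!--swig123-->
}

# TLS termination for the blog.  Cert and key are unpacked from SSLKEY.zip by
# tasks/main.yml; the key must stay root-only (0600).
server {
        listen 443 ssl;
        server_name <!--swig124-->;
        # Hardening added in review: without an explicit ssl_protocols nginx
        # uses its built-in default, which may still include TLS 1.0/1.1.
        # Drop the TLSv1.3 token if the installed nginx/OpenSSL rejects it.
        # The cipher list is still the default; pin it to current guidance
        # (e.g. the Mozilla "intermediate" set) before exposing this publicly,
        # and consider a Strict-Transport-Security header once HTTPS is stable.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_certificate  /etc/nginx/SSLKEY/hmallleasing.com.pem;
        ssl_certificate_key  /etc/nginx/SSLKEY/hmallleasing.com.key;
        location / {
                proxy_pass http://blog;
                include proxy_params;
        }
}

# The plain-HTTP listener only redirects to HTTPS.  The target is built from
# $server_name (the configured name) rather than $host, so a client-supplied
# Host header cannot steer the redirect to another site.
server {
    listen 80;
    server_name <!--swig125-->;
    return 302 https://$server_name$request_uri;
}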

5. 准备 wordpress-proxy-nginx 角色配置文件 proxy_params.j2

[root@manager roles]# cat wordpress-proxy-nginx/templates/proxy_params.j2
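# Shared proxy settings, `include`d by the blog vhost's `location /`.
proxy_http_version 1.1;
# Fixed in review: the directive previously read "Connectin" (typo), which sent
# a junk header upstream and left the real Connection header untouched.  An
# empty Connection paired with HTTP/1.1 is the usual prerequisite for keeping
# upstream connections alive.
proxy_set_header Connection "";
# Forward the client's Host so WordPress builds links for its own domain.
proxy_set_header Host $http_host;
# Client address for upstream logs/plugins.  X-Forwarded-For appends to any
# value the client already sent, so the web tier should only trust the last hop.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Added in review: TLS is terminated on this proxy and the upstream is plain
# http://, so pass the original scheme along.  wp-config.php.j2 (not shown in
# this section) must honor it — e.g. treat the request as HTTPS when this header
# is "https" — or WordPress will emit http:// URLs and may redirect in a loop.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 120;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;
proxy_temp_file_write_size 10240k;
proxy_max_temp_file_size 10240k;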

6. 准备 wordpress-proxy-nginx 角色证书文件（注意：SSLKEY.zip 中包含 TLS 私钥，下面的 `ll` 显示它以明文、644 权限存放在角色目录中；建议用 ansible-vault 加密该文件，并在解压后将 .key 文件权限收紧为 root:root 0600）

[root@manager roles]# ll wordpress-proxy-nginx/files/SSLKEY.zip 
-rw-r--r-- 1 root root 4993 Oct 26 21:20 wordpress-proxy-nginx/files/SSLKEY.zip

7. 整体模块测试

#1. 目录结构
[root@manager roles]# tree
.
├── ansible.cfg
├── base
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   ├── firewall.yml
│   │   ├── kernel.yml
│   │   ├── limits.yml
│   │   ├── main.yml
│   │   ├── rsyn_time.yml
│   │   ├── user.yml
│   │   ├── yum_pkg.yml
│   │   └── yum_repository.yml
│   ├── templates
│   └── vars
├── dns
│   ├── files
│   ├── handlers
│   │   ├── main.ym
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── hmallleasing.com.zone.j2
│       └── named.conf.j2
├── group_vars
│   └── all
├── haproxy
│   ├── files
│   │   └── haproxy22.rpm.tar.gz
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── haproxy.cfg.j2
├── hosts
├── keepalived
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── keepalived.conf.j2
├── lvs-devel
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── ifcfg-lo:0.j2
├── mysql-server
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   └── vars
├── network_init.yml
├── nfs-server
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   ├── templates
│   │   └── expots.j2
│   └── vars
├── nginx
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── nginx.conf.j2
├── php-fpm
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── fpm-www.conf.j2
│       └── php.ini.j2
├── redis
│   ├── files
│   ├── handlers
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── redis.conf.j2
├── route
│   ├── files
│   ├── handlers
│   ├── tasks
│   │   └── main.yml
│   └── templates
├── top.yml
├── wordpress-proxy
│   ├── files
│   ├── handlers
│   ├── meta
│   │   └── main.yml
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       └── wordpress.cfg.j2
├── wordpress-proxy-nginx
│   ├── files
│   │   └── SSLKEY.zip
│   ├── handlers
│   ├── meta
│   ├── tasks
│   │   └── main.yml
│   └── templates
│       ├── blog.hmallleasing.com.conf.j2
│       └── proxy_params.j2
└── wordpress-web
    ├── files
    │   └── wordpress.tar.gz
    ├── handlers
    ├── meta
    │   └── main.yml
    ├── tasks
    │   └── main.yml
    └── templates
        ├── blog.hmallleasing.com.conf.j2
        └── wp-config.php.j2
#2. 执行 wordpress-proxy-nginx roles
[root@manager roles]# cat top.yml
# Site playbook for the nginx-fronted stack.  Identical to the HAProxy variant
# except that the proxy tier applies wordpress-proxy-nginx.  Plays run top to
# bottom, one per inventory group: router, base on every host, data/web tiers,
# L7 proxies (lvs-devel prepares them as LVS real servers), LVS load balancers,
# and finally DNS.
- hosts: routes
  roles: [route]
- hosts: all
  roles: [base]
- hosts: nfsservers
  roles: [nfs-server]
- hosts: dbservers
  roles: [mysql-server]
- hosts: redisservers
  roles: [redis]
- hosts: webservers
  roles: [wordpress-web]
- hosts: proxyservers
  roles: [lvs-devel, wordpress-proxy-nginx]
- hosts: lbservers
  roles: [lvs]
- hosts: dnsservers
  roles: [dns]
[root@manager roles]# ansible-playbook top.yml