RHEL/RHCE v9 Exam

RHCE v9 Dump

싸비스 2024. 4. 16. 22:49

An open chat room is up and running; come by to share information and ask questions. :)

 

https://open.kakao.com/o/gffATvVf


Once again: keep the indentation exact.
Modules to look up with ansible-doc:
yum_repository
yum
service
firewalld
template
lvol
filesystem
copy
file
get_url
lineinfile
group
user
cron
debug
wait_for

Don't forget setype.
Refer to the selinux role in /usr/share/ansible/roles/.

======================================Installing ansible======================================

yum install ansible*
Installs ansible.

cd /home/admin
mkdir ansible
cd ansible

======================================Inventory setup======================================

vim /home/admin/ansible/inventory
[dev]
node1

[test]
node2

[prod]
node3
node4

[balancers]
node5

[webservers:children]
prod
:wq

======================================Editing the ansible config file======================================

vim /etc/ansible/ansible.cfg

cd /home/admin/ansible
ansible-config init --disabled > ansible.cfg
vim ansible.cfg
Under [defaults], set inventory, roles_path, collections_path and remote_user (for this setup: /home/admin/ansible/inventory, /home/admin/ansible/roles and /home/admin/ansible/mycollections, plus the account used to log in to the nodes), then add:
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
:wq

ansible does not need a separate service restart.

ansible all -m ping
Tests ansible connectivity to all hosts.

======================================yum setup======================================

ansible-doc yum_repository
The command above shows example syntax for writing the yum_repo.yml file.

vim /home/admin/ansible/yum_repo.yml
---
- name: create yum repository
  hosts: all
  tasks:

  - name: Local_BaseOS
    ansible.builtin.yum_repository:
      name: Local_BaseOS
      description: Local_BaseOS
      file: external_repos
      baseurl: file:///OS_IMAGE/BaseOS/
      gpgcheck: no
      enabled: yes

  - name: Local_AppStream
    ansible.builtin.yum_repository:
      name: Local_AppStream
      description: Local_AppStream
      file: external_repos
      baseurl: https://rhgl.domain1.example.com/AppStream
      gpgcheck: yes
      gpgkey: https://rhgls.domain1.example.com/RHEL/RPM-GPG-KEY-redhat-release
      enabled: yes
:wq

ansible-playbook yum_repo.yml

The yml file above shows two different methods in a single file; it is not meant to be written exactly like that. Note that the first entry disables gpgcheck; do that only for a repository you trust, such as the local installation image.

======================================Collection setup======================================

su - admin
mkdir -p /home/admin/ansible/mycollections
cd /home/admin/ansible/mycollections
wget http://rhgls.domain1.example.com/materials/redhat-rhel_system_roles-1.16.2.tar.gz
wget http://rhgls.domain1.example.com/materials/ansible-posix-1.4.0.tar.gz
wget http://rhgls.domain1.example.com/materials/community-general-4.3.0.tar.gz

Method 1
ansible-galaxy collection install /home/admin/ansible/mycollections/redhat-rhel_system_roles-1.16.2.tar.gz -p /home/admin/ansible/mycollections

ansible-galaxy collection install [ path to the file to install ] -p [ directory to install into ]

Method 2
vim coltar.yml
---
collections:
- name: /home/admin/ansible/mycollections/redhat-rhel_system_roles-1.16.2.tar.gz
:wq

ansible-galaxy collection install -r coltar.yml -p /home/admin/ansible/mycollections

ansible-galaxy collection install -r [ path to the yml file you wrote ] -p [ directory to install into ]

Choose one of the two methods above.

======================================Package setup======================================

vim /home/admin/ansible/packages.yml
---
- name: 1. install packages
  hosts:
    - dev
    - test
    - prod
  become: true
  tasks:
  - name: STEP1-1. install php mariadb
    yum:
      name:
        - php
        - mariadb-server
      state: present

- name: 2. install dev Packages
  hosts: dev
  become: true
  tasks:
  - name: STEP2-1. install dev packages
    yum:
      name: "@RPM Development Tools"
      state: present

  - name: STEP2-2. update all Packages
    yum:
      name: '*'
      state: latest
:wq

ansible-playbook packages.yml

======================================selinux setup======================================

vim /home/admin/ansible/selinux.yml
---
- hosts: all
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  roles:
    - rhel-system-roles.selinux
:wq

If the selinux role does not run:
yum install rhel-system-roles
Try running the command above.

ansible-playbook selinux.yml

======================================Role setup======================================

mkdir -p /home/admin/ansible/roles
cd /home/admin/ansible
vim roles/requirements.yml
---
- name: balancer
  src: http://rhgls.domain1.example.com/materials/haproxy.tar

- name: phpinfo
  src: http://rhgls.domain1.example.com/materials/phpinfo.tar
:wq
ansible-galaxy install -r roles/requirements.yml -p roles/

======================================Creating and using a role======================================

ansible-galaxy init roles/apache
The command above creates the default directory structure for the apache role.

vim /home/admin/ansible/roles/apache/templates/index.html.j2
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}
:wq
ansible localhost -m setup -a 'filter=ansible_hostname'
ansible localhost -m setup -a 'filter=ansible_default_ipv4'
Confirm with the commands above that these facts can be retrieved.

vim /home/admin/ansible/roles/apache/tasks/main.yml
---
# tasks file for apache
- name: STEP1. install httpd
  yum:
    name: httpd
    state: present

- name: STEP2. Start service httpd
  service:
    name: httpd
    enabled: yes
    state: started

- name: STEP3. Start service firewalld
  service:
    name: firewalld
    enabled: yes
    state: started

- name: STEP4. Add service firewalld
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes

- name: Create index.html
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
:wq

vim /home/admin/ansible/newrole.yml
---
- hosts: webservers
  become: true
  roles:
    - apache
:wq
ansible-playbook newrole.yml
curl node3
curl node4
Verify with the commands above that the playbook works.

How to install the firewalld module if ansible does not have it:
yum install pip
pip install --upgrade ansible
ansible-galaxy collection install community.general

======================================Load balancing======================================

vim /home/admin/ansible/roles.yml
---
- hosts: webservers
  become: true
  roles:
    - phpinfo

- hosts: balancers
  become: true
  roles:
    - balancer
:wq
ansible-playbook roles.yml

curl http://node5.domain1.example.com
Each time you run the command above, confirm that a different server responds.

curl http://node3.domain1.example.com/hello.php/hello.php
curl http://node4.domain1.example.com/hello.php/hello.php
Check the responses.

======================================LVM (LV creation) setup======================================

vim /home/admin/ansible/lv.yml
---
- hosts: all
  tasks:
    - block:
      - name: Create a logical volume of 1500m
        lvol:
          vg: research
          lv: data
          size: 1500m
      - name: Create an ext4 filesystem
        filesystem:
          fstype: ext4
          dev: /dev/research/data
      rescue:
        - debug:
            msg: Could not create logical volume of that size
        - name: Create a logical volume of 800m
          lvol:
            vg: research
            lv: data
            size: 800m
          when: ansible_lvm.vgs.research is defined
          ignore_errors: yes
        - debug:
            msg: Volume group does not exist
          when: ansible_lvm.vgs.research is undefined
:wq
ansible-playbook lv.yml

To run the yml file above, the volume group must already exist, so create it in advance.
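As written, lv.yml enters its rescue branch whenever the first lvol task fails, so on a host without the research VG it prints both messages. The following is an added variant (example code, not from the original post) that tests the VG fact first so each message fires only in its own case; it assumes the same VG and LV names and that lvm2 is installed on the nodes so the ansible_lvm fact is gathered:

```yaml
---
- name: Create the data LV in VG research, falling back to 800m
  hosts: all
  become: true
  tasks:
    - name: Report a missing volume group
      ansible.builtin.debug:
        msg: Volume group does not exist
      when: ansible_lvm.vgs.research is not defined

    # The when: on the block applies to every task in block and rescue,
    # so nothing below runs on hosts that lack the VG.
    - name: Create the logical volume only where the VG exists
      when: ansible_lvm.vgs.research is defined
      block:
        - name: Try the requested size first
          community.general.lvol:
            vg: research
            lv: data
            size: 1500m
      rescue:
        - name: Explain why the fallback size is used
          ansible.builtin.debug:
            msg: Could not create logical volume of that size
        - name: Create the smaller fallback volume
          community.general.lvol:
            vg: research
            lv: data
            size: 800m

    # Reached only when one of the lvol tasks above succeeded: a failure
    # inside rescue fails the host and the rest of the play is skipped for it.
    - name: Put an ext4 filesystem on the new volume
      community.general.filesystem:
        fstype: ext4
        dev: /dev/research/data
      when: ansible_lvm.vgs.research is defined
```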

======================================Creating the hosts file======================================

vim hosts.yml
---
- hosts: all
  become: true
  tasks:
    - name: template hosts file
      template:
        src: /home/admin/ansible/hosts.j2
        dest: /etc/myhosts
      when: ansible_hostname in groups['dev']
:wq

vim hosts.j2
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

{# one /etc/hosts-style line per inventory host: address, FQDN, short hostname #}
{% for host in groups['all'] %}
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }} {{ hostvars[host]['ansible_facts']['fqdn'] }} {{ hostvars[host]['ansible_facts']['hostname'] }}
{% endfor %}
:wq

ansible-playbook hosts.yml

Check the /etc/myhosts file on node1 in the dev group. The play targets all hosts even though only the dev nodes receive the file, because the template needs the gathered facts of every host in hostvars.

======================================Editing the issue file======================================

vim issue.yml
---
- name: all
  hosts: all
  tasks:
    - name: Copy using Development
      copy:
        content: 'Development'
        dest: /etc/issue
      when: ansible_hostname in groups['dev']

    - name: Copy using Test
      copy:
        content: 'Test'
        dest: /etc/issue
      when: ansible_hostname in groups['test']

    - name: Copy using Production
      copy:
        content: 'Production'
        dest: /etc/issue
      when: ansible_hostname in groups['prod']
:wq

ansible-playbook issue.yml

Check the /etc/issue file in the dev, test and prod groups.

======================================Creating a directory======================================

vim webcontent.yml
---
- name: webcontent
  hosts: dev
  tasks:
    - name: Create a directory
      file:
        path: /webdev
        state: directory
        group: webdev
        mode: '2775'
    - name: Create a symbolic link
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: Copy using Content
      copy:
        content: 'Development'
        dest: /webdev/index.html
        setype: httpd_sys_content_t
:wq

ansible-playbook webcontent.yml

On the dev server, check the /webdev directory and the /var/www/html/webdev link.

From the control node:
curl http://node1_ip/webdev/
Confirm that "Development" is returned.

======================================Generating a hardware report======================================

vim hwreport.yml
---
- name: Make hwreport
  hosts: all
  vars:
    hw_all:
      - hw_name: HOST
        hw_cont: "{{ inventory_hostname | default('NONE',true) }}"
      - hw_name: MEMORY
        hw_cont: "{{ ansible_memtotal_mb | default('NONE',true) }}"
      - hw_name: BIOS
        hw_cont: "{{ ansible_bios_version | default('NONE',true) }}"
      - hw_name: SDA
        hw_cont: "{{ ansible_devices.sda.size | default('NONE',true) }}"
      - hw_name: SDB
        hw_cont: "{{ ansible_devices.sdb.size | default('NONE',true) }}"
  tasks:
    - name: download hwreport
      get_url:
        url: http://rhgls.domain1.example.com/material/hwreport.empty
        dest: /root/hwreport.txt
    - name: hwreport
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^{{item.hw_name}}='
        line: "{{ item.hw_name }}={{ item.hw_cont }}"
      loop: "{{hw_all}}"
:wq

ansible-playbook hwreport.yml

Check /root/hwreport.txt on each node.
Because each line must come out as a name=value pair, the HOST, MEMORY, BIOS, SDA and SDB names inside hwreport.txt must be edited to match the hw_name values exactly before running the play.

======================================Creating a password vault======================================

echo 'whenyouwishuponastar' > /home/admin/ansible/secret.txt

vim /home/admin/ansible/ansible.cfg
vault_password_file = /home/admin/ansible/secret.txt
Once this option is enabled, every vault file created afterwards is encrypted with the password in this file.
To encrypt with a different password, disable this option before creating the file.
When you view a file that was encrypted with this password file, adding --ask-vault-pass makes no difference: it is already decrypted via the file, so any input is accepted. A file created with a separately specified password can only be viewed by entering the correct password.

vim locker.yml
pw_developer: imadev
pw_manager: imamgr

ansible-vault encrypt locker.yml

======================================Creating user accounts======================================

vim users.yml
---
- name: create user
  hosts: all
  become: true
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: create group in dev and test
      group:
        name: devops
        state: present
      when: inventory_hostname in groups['dev']
    - name: create group in prod
      group:
        name: opsmgr
        state: present
      when: inventory_hostname in groups['prod']
    - name: create user in dev and test
      user:
        name: "{{item.name}}"
        password: "{{pw_developer|password_hash('sha512')}}"
        groups: devops
        append: yes
        password_expire_max: 30
      when: item.job == "developers"
      loop: "{{users}}"
      ignore_errors: yes
    - name: create user in prod
      user:
        name: "{{item.name}}"
        password: "{{pw_manager|password_hash('sha512')}}"
        groups: opsmgr
        append: yes
        password_expire_max: 30
      when: item.job == "manager"
      loop: "{{users}}"
      ignore_errors: yes
:wq

ansible all -m shell -a 'id node1'
Check the created users with the command above.

Watch the indentation.
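users.yml above loads a users list from user_list.yml that the post never shows, and password_hash('sha512') without a salt produces a different hash on every run, so the user module reports changed and rewrites each password each time the play runs. The following is an added variant (example code, not from the original post) with a constructed sample list in place of user_list.yml, a job-to-group map that removes the need for ignore_errors, and update_password: on_create so existing passwords are left alone on later runs; the user names and the dev/test versus prod split are assumptions:

```yaml
---
- name: Create users and groups by job, idempotently
  hosts: all
  become: true
  vars_files:
    - locker.yml            # vault file holding pw_developer and pw_manager
  vars:
    # Constructed sample standing in for user_list.yml; the real file
    # would be loaded with vars_files and must use the same keys.
    users:
      - { name: bob, job: developers }
      - { name: sam, job: developers }
      - { name: alice, job: manager }
    # Group, vault password and inventory groups for each job
    # (assumed: developers on dev/test, managers on prod).
    job_map:
      developers: { group: devops, pw: "{{ pw_developer }}", where: [dev, test] }
      manager:    { group: opsmgr, pw: "{{ pw_manager }}",   where: [prod] }
  tasks:
    - name: Create the group for every job that belongs on this host
      ansible.builtin.group:
        name: "{{ item.value.group }}"
        state: present
      loop: "{{ job_map | dict2items }}"
      when: group_names | intersect(item.value.where) | length > 0

    - name: Create users whose job belongs on this host
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: "{{ job_map[item.job].group }}"
        append: yes
        password: "{{ job_map[item.job].pw | password_hash('sha512') }}"
        password_expire_max: 30
        # The hash is written only when the account is first created, so the
        # random salt chosen by password_hash no longer causes a change each run.
        update_password: on_create
      loop: "{{ users }}"
      when: group_names | intersect(job_map[item.job].where) | length > 0
```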

======================================Re-keying the password vault======================================

wget http://rhgls.domain1.example.com/materials/salaries.yml
ansible-vault rekey --ask-vault-pass salaries.yml
current password
new password
new password (confirm)

Because vault_password_file was enabled above, the --ask-vault-pass option is required in order to change the password.

======================================cron setup======================================

vim cron.yml
---
- name: cron
  hosts: all
  tasks:
    - name: add cron
      cron:
        name: add cron natasha
        minute: "*/2"
        user: natasha
        job: logger "EX294 in progress"
:wq

ansible-playbook cron.yml

On each server, check that the cron job was created with crontab -u natasha -l.
Confirm that the cron job runs at the scheduled interval.
