Pre-exam notes: red error messages appearing while any item runs are normal. When a run finishes, "failed=0" in the recap means it succeeded. If the run stops with an error in the middle of a task, the playbook's syntax or a command was entered incorrectly, so check it carefully.
This document is a pre-exam mock and does not represent the real exam environment or content.
Environment:
| system | IP Address | Role |
|---|---|---|
| workstation.lab.example.com | 172.25.250.9 | Ansible control node |
| servera.lab.example.com | 172.25.250.10 | Ansible managed node |
| serverb.lab.example.com | 172.25.250.11 | Ansible managed node |
| serverc.lab.example.com | 172.25.250.12 | Ansible managed node |
| serverd.lab.example.com | 172.25.250.13 | Ansible managed node |
| bastion.lab.example.com | 172.25.250.254 | Ansible managed node |
Account information:
These systems use static IP addresses, and host name resolution is configured to resolve the host names listed above. Do not change these settings.
The root password of the foundation0 host (f0 below) is Asimov; the password of every other user on f0 is redhat.
The root password of all virtual systems inside f0 is redhat. Do not change the root password.
SSH keys are pre-installed on all systems, allowing root access over SSH without entering a password. Do not make any changes to the root SSH configuration files on the systems.
The user student has been created on the Ansible control node. This account has pre-installed SSH keys that allow SSH login between the Ansible control node and each Ansible managed node. Do not make any changes to the student SSH configuration files on the systems. The user devops has been created on the Ansible managed nodes for the control node to connect as; at exam time passwordless SSH and sudo privilege escalation are already fully configured, so do not modify them.
Initialize the virtual machines:
[root@foundation0 ~]# rht-vmctl all -y
[root@foundation0 ~]# rht-vmctl classroom -y
Note: in the exam, virtual machines are started (start), shut down (poweroff), rebooted (reboot) and reset (rebuilt) through the graphical interface. Resetting a virtual machine wipes all of its configuration.
I. Install and configure Ansible
Install and configure Ansible on the control node workstation.lab.example.com as described below:
1. Install the required packages
2. Create a static inventory file named /home/student/ansible/inventory that meets the following requirements:
servera is a member of the dev host group
serverb is a member of the test host group
serverc and serverd are members of the prod host group
bastion is a member of the balancers host group
The prod group is a member of the webservers host group
3. Create a configuration file named /home/student/ansible/ansible.cfg that meets the following requirements:
The inventory file is /home/student/ansible/inventory
The location of roles used in playbooks includes /home/student/ansible/roles
Preparation:
[root@foundation0 ~]# ssh root@workstation
Activate the web console with: systemctl enable --now cockpit.socket
[root@workstation ~]# ssh root@bastion "useradd devops; echo redhat | passwd --stdin devops"
Warning: Permanently added 'bastion,172.25.250.254' (ECDSA) to the list of known hosts.
Changing password for user devops.
passwd: all authentication tokens updated successfully.
[root@workstation ~]# for i in server{a..d} bastion;do ssh root@$i "echo 'devops ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/devops";done
Warning: Permanently added 'servera,172.25.250.10' (ECDSA) to the list of known hosts.
Warning: Permanently added 'serverb,172.25.250.11' (ECDSA) to the list of known hosts.
Warning: Permanently added 'serverc,172.25.250.12' (ECDSA) to the list of known hosts.
Warning: Permanently added 'serverd,172.25.250.13' (ECDSA) to the list of known hosts.
[root@workstation ~]# yum -y install ansible #if it is already installed in the exam, this step is not needed
[root@workstation ~]# su - student #the exam requires all configuration to be done as one regular user
Start:
[student@workstation ~]$ mkdir ansible
[student@workstation ~]$ cd ansible/
[student@workstation ansible]$ vim inventory
[dev]
servera
[test]
serverb
[prod]
serverc
serverd
[balancers]
bastion
[webservers:children]
prod
[student@workstation ansible]$ cp /etc/ansible/ansible.cfg .
[student@workstation ansible]$ vim ansible.cfg
inventory = /home/student/ansible/inventory //uncomment and change the path
roles_path = /home/student/ansible/roles //uncomment and change the path
remote_user = devops //uncomment and change the user
[privilege_escalation]
become=True //just uncomment
become_method=sudo //just uncomment
become_user=root //just uncomment
become_ask_pass=False //just uncomment
[student@workstation ansible]$ mkdir -p /home/student/ansible/roles
[student@workstation ansible]$ ansible all -m ping //a green "ping pong" for every host means success
II. Create and run Ansible ad hoc commands
As described below, create a shell script named /home/student/ansible/adhoc.sh that uses Ansible ad hoc commands to install yum repositories on each managed node:
Repository 1:
The repository name is rh294_BASE
The description is rh294 base software
The base URL is http://content.example.com/rhel8.0/x86_64/dvd/BaseOS
GPG signature checking is enabled
The GPG key URL is http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
The repository is enabled
Repository 2:
The repository name is rh294_STREAM
The description is rh294 stream software
The base URL is http://content.example.com/rhel8.0/x86_64/dvd/AppStream
GPG signature checking is enabled
The GPG key URL is http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
The repository is enabled
Preparation:
[student@workstation ansible]$ for i in server{a..d} bastion; do ssh root@$i "rm -rf /etc/yum.repos.d/*"; done //the VMs ship with their own yum repos, which must be removed first; not needed in the exam
Warning: Permanently added 'servera,172.25.250.10' (ECDSA) to the list of known hosts.
Warning: Permanently added 'serverb,172.25.250.11' (ECDSA) to the list of known hosts.
Warning: Permanently added 'serverc,172.25.250.12' (ECDSA) to the list of known hosts.
Warning: Permanently added 'serverd,172.25.250.13' (ECDSA) to the list of known hosts.
Warning: Permanently added 'bastion,172.25.250.254' (ECDSA) to the list of known hosts.
Start:
[student@workstation ansible]$ vim adhoc.sh
#!/bin/bash
ansible all -m yum_repository -a "name=rh294_BASE description='rh294 base software' file=rhed_dvd gpgcheck=yes gpgkey=http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release baseurl=http://content.example.com/rhel8.0/x86_64/dvd/BaseOS/ enabled=yes"
ansible all -m yum_repository -a "name=rh294_STREAM description='rh294 stream software' file=rhed_dvd gpgcheck=yes gpgkey=http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release baseurl=http://content.example.com/rhel8.0/x86_64/dvd/AppStream/ enabled=yes"
[student@workstation ansible]$ chmod a+x adhoc.sh
[student@workstation ansible]$ ./adhoc.sh
III. Install packages
Create a playbook named /home/student/ansible/packages.yml:
1. Install the php and mariadb packages on hosts in the dev, test and prod host groups
2. Install the Development Tools package group on hosts in the dev host group
3. Update all packages on hosts in the dev host group to the latest version
Start:
[student@workstation ansible]$ vim packages.yml
---
- hosts: dev,test,prod
  tasks:
    - name: install mariadb php
      yum:
        name:
          - php
          - mariadb
        state: present
- hosts: dev
  tasks:
    - name: install Development Tools
      yum:
        name: "@Development Tools"
        state: present
    - name: update pkgs
      yum:
        name: '*'
        state: latest
[student@workstation ansible]$ ansible-playbook packages.yml
IV. Use RHEL system roles
Install the RHEL system roles package and create a playbook /home/student/ansible/timesync.yml that meets the following conditions:
1. Runs on all managed nodes
2. Uses the timesync role
3. Configures the role to use the currently active NTP provider
4. Configures the role to use the time server classroom.example.com
Preparation:
[root@foundation0 ~]# ssh root@workstation
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Wed Sep 21 07:51:44 2022 from 172.25.250.250
[root@workstation ~]# yum -y install rhel-system-roles
[root@workstation ~]# su - student
[student@workstation ~]$ cd ansible/
[student@workstation ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.timesync roles/timesync
Start:
[student@workstation ansible]$ vim timesync.yml
---
- hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: classroom.example.com
        iburst: yes
    timesync_ntp_provider: chrony
  roles:
    - timesync
  post_tasks:
    - name: set timezone
      timezone:
        name: Asia/Shanghai
      notify: restart crond
  handlers:
    - name: restart crond
      service:
        name: crond
        state: restarted
[student@workstation ansible]$ ansible-playbook timesync.yml
//Note: if the exam does not ask for a time zone, the post_tasks and handlers sections can be left out. If the time zone has been changed, it is advisable to restart the crond scheduler so that scheduled jobs run at the correct time.
V. Use RHEL system roles
Install the RHEL system roles package and use the SELinux role; it must run on all nodes and set SELinux to enforcing mode.
Preparation:
[student@workstation ansible]$ sudo yum -y install rhel-system-roles
[sudo] password for student: student
[student@workstation ansible]$ ls
adhoc.sh ansible.cfg inventory packages.yml roles timesync.yml
[student@workstation ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.selinux roles/selinux
Start:
[student@workstation ansible]$ vim selinux.yml //use whatever file name the question asks for
---
- hosts: all
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  roles:
    - role: selinux
      become: true
[student@workstation ansible]$ ansible-playbook selinux.yml
VI. Install roles with Ansible Galaxy
Use Ansible Galaxy and the requirements file /home/student/ansible/roles/requirements.yml to download roles from the following URLs and install them into /home/student/ansible/roles:
1. http://classroom.example.com/content/haproxy.tar.gz  The name of this role should be balancer
2. http://classroom.example.com/content/phpinfo.tar.gz  The name of this role should be phpinfo
Preparation:
Download haproxy.tar.gz and phpinfo.tar.gz and place them in the /content directory on foundation0.
Open a new terminal:
[root@foundation0 ~]# cd /content/
[root@foundation0 content]# wget http://classroom.example.com/content/ansible2.8/haproxy.tar.gz
[root@foundation0 content]# wget http://classroom.example.com/content/ansible2.8/phpinfo.tar.gz
Start:
[root@foundation0 content]# ssh workstation
[student@workstation ~]$ cd ansible/
[student@workstation ansible]$ ls
adhoc.sh ansible.cfg inventory packages.yml roles selinux.yml timesync.yml
[student@workstation ansible]$ vim roles/requirements.yml
- name: balancer
  src: http://content.example.com/haproxy.tar.gz
- name: phpinfo
  src: http://content.example.com/phpinfo.tar.gz
[student@workstation ansible]$ ansible-galaxy install -r roles/requirements.yml -p roles/
VII. Create and use a role
Create a role named apache in /home/student/ansible/roles that meets the following requirements:
1. The httpd package is installed and enabled at system boot
2. The firewall is enabled and running, with a rule that allows access to the web server
3. A template file index.html.j2 exists and is used to create the file /var/www/html/index.html with the following output:
Welcome to HOSTNAME on IPADDRESS
where HOSTNAME is the fully qualified domain name of the managed node and IPADDRESS is the IP address of the managed node.
4. As described below, create a playbook /home/student/ansible/newrole.yml that uses this role:
The playbook runs on hosts in the webservers host group
Start:
[student@workstation ansible]$ ls
adhoc.sh ansible.cfg inventory packages.yml roles selinux.yml timesync.yml
[student@workstation ansible]$ cd roles/
[student@workstation roles]$ ansible-galaxy init apache
- apache was created successfully
[student@workstation roles]$ vim apache/tasks/main.yml
---
# tasks file for apache
- name: install http
  yum:
    name: "{{ item }}"
    state: present
  loop:
    - httpd
    - firewalld
- name: system service
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
    - httpd
    - firewalld
- name: firewalld service
  firewalld:
    service: http
    zone: public
    permanent: yes
    immediate: yes
    state: enabled
- name: user templates
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
[student@workstation roles]$ vim apache/templates/index.html.j2
Welcome to {{ ansible_facts['fqdn'] }} on {{ ansible_facts['default_ipv4']['address'] }}
[student@workstation roles]$ cd ..
[student@workstation ansible]$ vim newrole.yml
---
- hosts: webservers
  roles:
    - apache
[student@workstation ansible]$ ansible-playbook newrole.yml
[student@workstation ansible]$ curl serverc //verify
Welcome to serverc.lab.example.com on 172.25.250.12
[student@workstation ansible]$ curl serverd //verify
Welcome to serverd.lab.example.com on 172.25.250.13
VIII. Use roles from Ansible Galaxy
Create a playbook named /home/student/ansible/roles.yml that meets the following requirements:
1. The playbook contains a play that runs on hosts in the balancers host group and uses the balancer role.
This role configures a service that load-balances web server requests across the hosts in the webservers host group.
Browsing to a host in the balancers host group (for example http://bastion.lab.example.com/) produces the following output:
Welcome to serverc.example.com on 172.25.250.12
Reloading the browser produces output from the other web server:
Welcome to serverd.example.com on 172.25.250.13
2. The playbook contains a play that runs on hosts in the webservers host group and uses the phpinfo role.
Browsing to a host in the webservers host group via the URL /hello.php produces the following output:
Hello PHP World from FQDN
where FQDN is the fully qualified domain name of the host.
For example, browsing to http://serverc.lab.example.com/hello.php produces the following output:
Hello PHP World from serverc.lab.example.com
along with various details of the PHP configuration, such as the installed PHP version.
Likewise, browsing to http://serverd.lab.example.com/hello.php produces the following output:
Hello PHP World from serverd.lab.example.com
along with various details of the PHP configuration, such as the installed PHP version.
Preparation:
[student@workstation ansible]$ ssh root@bastion 'systemctl stop httpd && systemctl disable httpd' //stop the httpd service on bastion to avoid a port conflict; not needed in the exam
Removed /etc/systemd/system/multi-user.target.wants/httpd.service.
Start:
[student@workstation ansible]$ vim roles.yml
---
- hosts: webservers
  gather_facts: false
  tasks:
    - name: test facts
      setup:
- hosts: balancers
  roles:
    - balancer
- hosts: webservers
  roles:
    - phpinfo
[student@workstation ansible]$ ansible-playbook roles.yml
[student@workstation ansible]$ curl http://bastion.lab.example.com/ //verify
Welcome to serverc.lab.example.com on 172.25.250.12
[student@workstation ansible]$ curl http://bastion.lab.example.com/ //verify
Welcome to serverd.lab.example.com on 172.25.250.13
[student@workstation ansible]$ curl http://serverc.lab.example.com/hello.php //verify
Hello PHP World form serverc.lab.example.com
[student@workstation ansible]$ curl http://serverd.lab.example.com/hello.php //verify
Hello PHP World form serverd.lab.example.com
IX. Create and use logical volumes
Create a playbook named /home/student/ansible/lv.yml that runs on all managed nodes to perform the following tasks:
1. Create a logical volume that meets the following requirements:
The logical volume is created in the research volume group
The logical volume is named data
The logical volume size is 1500MiB
2. Format the logical volume with the ext4 file system
3. If the requested logical volume size cannot be created, the error message Could not create logical volume of that size should be displayed, and a size of 800MiB should be used instead.
4. If the volume group research does not exist, the error message Volume group does not exist should be displayed.
5. Do not mount the logical volume in any way.
Preparation:
[student@workstation ansible]$ vim lvm_pre.yml
---
- hosts: dev,test
  tasks:
    - name: create 2G partition
      parted:
        device: /dev/vdb
        number: 1
        flags: [ lvm ]
        state: present
        part_start: 1MiB
        part_end: 2GiB
    - name: create vg
      lvg:
        vg: research
        pvs: /dev/vdb1
- hosts: prod
  tasks:
    - name: create 1G partition
      parted:
        device: /dev/vdb
        number: 1
        flags: [ lvm ]
        state: present
        part_start: 1MiB
        part_end: 1GiB
    - name: create vg
      lvg:
        vg: research
        pvs: /dev/vdb1
[student@workstation ansible]$ ansible-playbook lvm_pre.yml
[student@workstation ansible]$ for i in server{a..d};do ssh root@$i 'vgs';done //verify
VG #PV #LV #SN Attr VSize VFree
research 1 0 0 wz--n- <2.00g <2.00g
VG #PV #LV #SN Attr VSize VFree
research 1 0 0 wz--n- <2.00g <2.00g
VG #PV #LV #SN Attr VSize VFree
research 1 0 0 wz--n- 1020.00m 1020.00m
VG #PV #LV #SN Attr VSize VFree
research 1 0 0 wz--n- 1020.00m 1020.00m
Start:
[student@workstation ansible]$ vim lv.yml
---
- hosts: all
  tasks:
    - name: create logical volume
      block:
        - name: create lvm 1500m
          lvol:
            vg: research
            lv: data
            size: 1500m
      rescue:
        - debug:
            msg: Could not create logical volume of that size
        - name: create lvm 800m
          lvol:
            vg: research
            lv: data
            size: 800m
      always:
        - name: format lvm
          filesystem:
            fstype: ext4
            dev: /dev/research/data
      when: "'research' in ansible_facts['lvm']['vgs']"
    - name: volume group not found
      debug:
        msg: Volume group does not exist
      when: "'research' not in ansible_facts['lvm']['vgs']"
[student@workstation ansible]$ ansible-playbook lv.yml
[student@workstation ansible]$ for i in server{a..d}; do ssh root@$i 'lvs'; done //verify
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data research -wi-a----- 1.46g
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data research -wi-a----- 1.46g
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data research -wi-a----- 800.00m
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data research -wi-a----- 800.00m
X. Create partitions
Note: since there is only one usable disk, this conflicts with the previous task; the disk must be reset before doing it.
Create a playbook named /home/student/ansible/parted.yml that runs the following tasks on the dev host group:
1. If the disk /dev/vdd exists, create a 1500m partition
2. If the requested partition size cannot be created, the error message Could not create partition of that size should be displayed, and a size of 800m should be used instead.
3. If the disk /dev/vdd does not exist, the error message disk /dev/vdd does not exist should be displayed.
4. If the disk /dev/vdb exists, create a 1500m partition
5. If the requested partition size cannot be created, the error message Could not create partition of that size should be displayed, and a size of 800m should be used instead.
6. Finally, the partitions must be formatted with the ext4 file system and mounted on /mnt/fs01
Preparation:
//First delete the partition on the /dev/vdb disk of the dev host servera, which is the disk reset mentioned above.
[student@workstation ansible]$ ssh root@servera
[root@servera ~]# lvremove /dev/research/data
[root@servera ~]# vgremove research
[root@servera ~]# pvremove /dev/vdb1
[root@servera ~]# pvs
[root@servera ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 10G 0 disk
└─vda1 252:1 0 10G 0 part /
vdb 252:16 0 5G 0 disk
└─vdb1 252:17 0 2G 0 part
└─research-data 253:0 0 1.5G 0 lvm
[root@servera ~]# fdisk /dev/vdb
Enter: d
Enter: w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
If the commands above report that a reboot is required, run reboot first and then repeat the partition deletion; once servera has finished rebooting, run the following commands
[root@servera ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 10G 0 disk
└─vda1 252:1 0 10G 0 part /
vdb 252:16 0 5G 0 disk
[root@servera ~]# exit
Start:
[student@workstation ansible]$ vim parted.yml
---
- hosts: dev
  tasks:
    - name: create partition
      block:
        - name: create 1500m vdd
          parted:
            device: /dev/vdd
            number: 1
            state: present
            part_end: 1501MiB
      rescue:
        - debug:
            msg: Could not create partition of that size
        - name: create 800m vdd
          parted:
            device: /dev/vdd
            number: 1
            state: present
            part_end: 801MiB
      always:
        - name: format partition
          filesystem:
            fstype: ext4
            dev: /dev/vdd1
        - name: mount device
          mount:
            path: /mnt/fs01
            src: /dev/vdd1
            fstype: ext4
            opts: defaults
            state: mounted
      when: "'vdd' in ansible_facts['devices']"
    - debug:
        msg: disk /dev/vdd does not exist
      when: "'vdd' not in ansible_facts['devices']"
    - name: create partition
      block:
        - name: create 1500m vdb
          parted:
            device: /dev/vdb
            number: 1
            state: present
            part_end: 1501MiB
      rescue:
        - debug:
            msg: Could not create partition of that size
        - name: create 800m vdb
          parted:
            device: /dev/vdb
            number: 1
            state: present
            part_end: 801MiB
      always:
        - name: format partition
          filesystem:
            fstype: ext4
            dev: /dev/vdb1
        - name: mount device
          mount:
            path: /mnt/fs01
            src: /dev/vdb1
            fstype: ext4
            opts: defaults
            state: mounted
      when:
        - "'vdb' in ansible_facts['devices']"
        - "'vdd' not in ansible_facts['devices']"
    - debug:
        msg: disk /dev/vdb does not exist
      when: "'vdb' not in ansible_facts['devices']"
[student@workstation ansible]$ ansible-playbook parted.yml
XI. Generate a hosts file
Download an initial template file from http://172.25.254.254/content/hosts.j2 to /home/student/ansible
1. Complete the template so that it can be used to generate a file containing one line per inventory host, in the same format as /etc/hosts.
2. Create a playbook named /home/student/ansible/hosts.yml that uses this template to generate the file /etc/myhosts on hosts in the dev host group.
3. After the playbook has run, the file /etc/myhosts on hosts in the dev host group should contain one line for each managed host.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.10 servera.lab.example.com servera
172.25.254.11 serverb.lab.example.com serverb
172.25.254.12 serverc.lab.example.com serverc
172.25.254.13 serverd.lab.example.com serverd
172.25.250.254 bastion.lab.example.com bastion
Note: the order in which the inventory host names appear does not matter.
Preparation:
[student@workstation ~]$ exit
[root@foundation0 ~]# cd /content/
[root@foundation0 content]# vim hosts.j2
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
{% for host in groups.all %}
{{ hostvars[host].ansible_enp1s0.ipv4.address }} {{ hostvars[host].ansible_fqdn }} {{ hostvars[host].ansible_hostname }}
{% endfor %}
[root@foundation0 ~]# ssh workstation
[student@workstation ~]$ cd ansible/
Start:
[student@workstation ansible]$ wget http://172.25.254.254/content/hosts.j2
[student@workstation ansible]$ vim hosts.yml
---
- hosts: all
- hosts: dev
  tasks:
    - name: copy hosts.j2 to dev
      template:
        src: hosts.j2
        dest: /etc/myhosts
[student@workstation ansible]$ ansible-playbook hosts.yml
[student@workstation ansible]$ ssh root@servera 'cat /etc/myhosts' //verify
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.254 bastion.lab.example.com bastion
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd
//Note: the order in which the inventory host names appear does not matter.
XII. Modify file content
As described below, create a playbook named /home/student/ansible/issue.yml:
1. The playbook runs on all inventory hosts
2. The playbook replaces the content of /etc/issue with the single line of text shown below:
On hosts in the dev host group, the line reads: Development
On hosts in the test host group, the line reads: Test
On hosts in the prod host group, the line reads: Production
Start:
[student@workstation ansible]$ vim issue.yml
---
- hosts: all
  tasks:
    - name: write something to /etc/issue
      copy:
        content: |
          {% if 'dev' in group_names %}
          Development
          {% elif 'test' in group_names %}
          Test
          {% elif 'prod' in group_names %}
          Production
          {% endif %}
        dest: /etc/issue
[student@workstation ansible]$ ansible-playbook issue.yml
[student@workstation ansible]$ for i in server{a..d} bastion ; do ssh root@$i "cat /etc/issue" ; done //verify
Development
Test
Production
Production
XIII. Create a web content directory
As described below, create a playbook named /home/student/ansible/webcontent.yml:
1. The playbook runs on managed nodes in the dev host group
2. Create the directory /webdev that meets the following requirements:
Group ownership is the devops group
Regular permissions: owner=read+write+execute, group=read+write+execute, other=read+execute
Special permission: set group ID
3. Symbolically link /var/www/html/webdev to /webdev
4. Create the file /webdev/index.html containing the single line of text shown here: Development
5. Browsing this directory on hosts in the dev host group (for example http://servera.lab.example.com/webdev/) produces the following output:
Development
Start:
[student@workstation ansible]$ vim webcontent.yml
---
- hosts: dev
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: present
    - name: enabled httpd
      service:
        name: httpd
        enabled: yes
        state: started
    - name: enabled 80/tcp
      firewalld:
        service: http
        zone: public
        permanent: yes
        immediate: yes
        state: enabled
    - name: create /webdev
      file:
        path: /webdev
        state: directory
        owner: root
        group: devops
        mode: '2775'
    - name: create file
      copy:
        content: "Development\n"
        dest: /webdev/index.html
    - name: create soft link
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: modify sefcontext
      sefcontext:
        target: '/webdev(/.*)?'
        setype: httpd_sys_content_t
        state: present
    - name: Apply new SELinux file context to filesystem
      command: restorecon -irv /webdev
[student@workstation ansible]$ ansible-playbook webcontent.yml
[student@workstation ansible]$ curl http://servera.lab.example.com/webdev/ //verify
Development
XIV. Generate a hardware report
Create a playbook named /home/student/ansible/hwreport.yml that generates an output file /root/hwreport.txt on all managed nodes containing the following information:
Inventory host name
Total memory size in MB
BIOS version
Size of the disk device vda
Size of the disk device vdb
Each line of the output file contains one key=value pair.
Your playbook should:
1. Download the file from http://172.25.254.254/content/hwreport.empty and save it as /root/hwreport.txt
2. Modify /root/hwreport.txt with the correct values
3. If a hardware item does not exist, the corresponding value should be set to NONE
Preparation:
[student@workstation ansible]$ exit
[root@foundation0 ~]# cd /content/
[root@foundation0 content]# vim hwreport.empty
hostname = inventoryhostname
memory = memory_in_MB
bios_version = BIOS_version
vda_size = disk_vda_size
vdb_size = disk_vdb_size
Start:
[root@foundation0 ~]# ssh workstation
[student@workstation ~]$ cd ansible/
[student@workstation ansible]$ vim hwreport.yml
---
- hosts: all
  tasks:
    - name: create report file
      get_url:
        url: http://content.example.com/hwreport.empty
        dest: /root/hwreport.txt
    - name: get inventory
      replace:
        path: /root/hwreport.txt
        regexp: 'inventoryhostname'
        replace: '{{ inventory_hostname }}'
    - name: get memory
      replace:
        path: /root/hwreport.txt
        regexp: 'memory_in_MB'
        replace: '{{ ansible_facts["memtotal_mb"] | string }}'
    - name: get bios
      replace:
        path: /root/hwreport.txt
        regexp: 'BIOS_version'
        replace: '{{ ansible_facts["bios_version"] }}'
    - name: get vda
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vda_size'
        replace: '{{ ansible_facts["devices"]["vda"]["size"] | default("NONE") }}'
    - name: get vdb
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vdb_size'
        replace: '{{ ansible_facts["devices"]["vdb"]["size"] | default("NONE") }}'
[student@workstation ansible]$ ansible-playbook hwreport.yml
[student@workstation ansible]$ for i in server{a..d} bastion;do ssh root@$i 'cat /root/hwreport.txt';done //verify
hostname = servera
memory = 821
bios_version = 1.11.1-4.module+el8.1.0+4066+0f1aadab
vda_size = 10.00 GB
vdb_size = 5.00 GB
hostname = serverb
memory = 821
bios_version = 1.11.1-4.module+el8.1.0+4066+0f1aadab
vda_size = 10.00 GB
vdb_size = 5.00 GB
hostname = serverc
memory = 821
bios_version = 1.11.1-4.module+el8.1.0+4066+0f1aadab
vda_size = 10.00 GB
vdb_size = 5.00 GB
hostname = serverd
memory = 821
bios_version = 1.11.1-4.module+el8.1.0+4066+0f1aadab
vda_size = 10.00 GB
vdb_size = 5.00 GB
hostname = bastion
memory = 821
bios_version = 1.11.1-4.module+el8.1.0+4066+0f1aadab
vda_size = 10.00 GB
vdb_size = NONE
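A re-runnable variant of the report, added here as an example and not part of the mock answer above: lineinfile rewrites each key line in place, so a second run refreshes the values instead of finding no placeholder left to replace, and default('NONE') is applied to every item rather than only to the disks. It assumes the same key = value layout of hwreport.empty and the download URL given in the task.

```yaml
---
- name: Hardware report, re-runnable variant (added example)
  hosts: all
  vars:
    # Each report key is paired with the fact that fills it. default('NONE')
    # covers hosts that lack the item, such as bastion without a vdb disk.
    hwreport_items:
      - key: hostname
        value: "{{ inventory_hostname }}"
      - key: memory
        value: "{{ ansible_facts['memtotal_mb'] | default('NONE') }}"
      - key: bios_version
        value: "{{ ansible_facts['bios_version'] | default('NONE') }}"
      - key: vda_size
        value: "{{ ansible_facts['devices']['vda']['size'] | default('NONE') }}"
      - key: vdb_size
        value: "{{ ansible_facts['devices']['vdb']['size'] | default('NONE') }}"
  tasks:
    - name: Download the empty report only when it is not already present
      get_url:
        url: http://172.25.254.254/content/hwreport.empty
        dest: /root/hwreport.txt
        force: no

    # The regexp anchors on the key at line start, so the line is rewritten
    # whether it still holds the placeholder or a value from an earlier run.
    - name: Fill or refresh every key = value line
      lineinfile:
        path: /root/hwreport.txt
        regexp: "^{{ item.key }}\\s*="
        line: "{{ item.key }} = {{ item.value }}"
      loop: "{{ hwreport_items }}"
      loop_control:
        label: "{{ item.key }}"
```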
XV. Create a password vault
As described below, create an Ansible vault to store user passwords:
1. The vault name is /home/student/ansible/locker.yml
2. The vault contains two variables, named as follows:
pw_developer, with the value Imadev
pw_manager, with the value Imamgr
3. The password for encrypting and decrypting the vault is whenyouwishuponastar
4. The password is stored in the file /home/student/ansible/secret.txt
Start:
[student@workstation ansible]$ vim locker.yml
pw_developer: Imadev
pw_manager: Imamgr
[student@workstation ansible]$ echo whenyouwishuponastar > secret.txt
[student@workstation ansible]$ ansible-vault --vault-password-file=secret.txt encrypt locker.yml
[student@workstation ansible]$ ansible-vault view locker.yml
Vault password: # enter the password
pw_developer: Imadev
pw_manager: Imamgr
XVI. Create user accounts
1. Download the list of users to create from http://172.25.254.254/content/user_list.yml and save it to /home/student/ansible; the user passwords come from the file /home/student/ansible/locker.yml.
2. Create a playbook named /home/student/ansible/users.yml that creates user accounts as described below:
Users with the job description developer should:
Be created on managed nodes in the dev and test host groups
Be assigned a password from the pw_developer variable
Be members of the supplementary group student
Users with the job description manager should:
Be created on managed nodes in the prod host group
Be assigned a password from the pw_manager variable
Be members of the supplementary group opsmgr
3. Passwords should use the SHA512 hash format.
4. Your playbook should run correctly using the vault password file /home/student/ansible/secret.txt created elsewhere in this exam.
Preparation:
[student@workstation ansible]$ exit
[root@foundation0 ~]# cd /content/
[root@foundation0 content]# vim user_list.yml
users:
  - name: bob
    job: developer
  - name: sally
    job: manager
  - name: fred
    job: developer
[root@foundation0 content]# ssh workstation
[student@workstation ~]$ cd ansible/
Start:
[student@workstation ansible]$ wget http://172.25.254.254/content/user_list.yml
[student@workstation ansible]$ vim users.yml
---
- hosts: dev,test
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: student group
      group:
        name: student
        state: present
    - name: create user in developer
      user:
        name: "{{ item.name }}"
        groups: student
        password: "{{ pw_developer | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: item.job == "developer"
- hosts: prod
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: group
      group:
        name: opsmgr
        state: present
    - name: create user
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: item.job == "manager"
[student@workstation ansible]$ ansible-playbook --vault-password-file=secret.txt users.yml
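An added example (not the mock answer above) of the developer play with the checks a practitioner would want: a salt derived from the user name makes password_hash('sha512') return the same hash on every run, so the user task stays idempotent instead of rewriting /etc/shadow each time; append: yes keeps any supplementary groups the account already has; no_log keeps the vault value and the hash out of the play output; and a final assert verifies that each stored hash really is SHA512 ($6$). It assumes the same locker.yml and user_list.yml variables as the task; run it with the same --vault-password-file=secret.txt.

```yaml
---
- name: Developer accounts with a stable SHA512 hash (added example)
  hosts: dev,test
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: Ensure the supplementary group exists
      group:
        name: student
        state: present

    - name: Create developers
      user:
        name: "{{ item.name }}"
        groups: student
        append: yes
        # A salt seeded from the user name is deterministic, so the hash does
        # not change between runs and the task reports ok instead of changed.
        password: "{{ pw_developer | password_hash('sha512', 65534 | random(seed=item.name) | string) }}"
        update_password: on_create
      loop: "{{ users }}"
      when: item.job == 'developer'
      no_log: true    # keep the vault value and the resulting hash out of the output

    - name: Read back the shadow entries of the developers
      command: "getent shadow {{ item.name }}"
      loop: "{{ users }}"
      when: item.job == 'developer'
      register: shadow_entries
      changed_when: false
      no_log: true

    # Field 2 of a shadow entry is the hash; SHA512-crypt hashes start with $6$.
    # Skipped loop items (managers) carry a 'skipped' key and are filtered out.
    - name: Assert every developer password is stored as SHA512
      assert:
        that: "item.stdout.split(':')[1].startswith('$6$')"
        fail_msg: "{{ item.item.name }} does not have a SHA512 password hash"
        quiet: yes
      loop: "{{ shadow_entries.results | rejectattr('skipped', 'defined') | list }}"
      loop_control:
        label: "{{ item.item.name }}"
```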
XVII. Update the key of an Ansible vault
As described below, update the key of an existing Ansible vault:
1. Download the Ansible vault from http://172.25.254.254/content/salaries.yml to /home/student/ansible
2. The current vault password is insecure4sure
3. The new vault password is bbe2de98389b
4. The vault remains encrypted with the new password
Preparation:
[student@workstation ansible]$ ansible-vault create salaries.yml
New Vault password: # enter the password insecure4sure
Confirm New Vault password: # enter the password insecure4sure
this is a test file # any content will do
[student@workstation ansible]$ exit
[root@foundation0 ~]# cd /content/
[root@foundation0 content]# scp workstation:/home/student/ansible/salaries.yml salaries.yml
[root@foundation0 content]# chmod 644 salaries.yml
[root@foundation0 content]# ssh workstation
[student@workstation ~]$ cd ansible/
[student@workstation ansible]$ rm -f salaries.yml
Start:
[student@workstation ansible]$ wget http://172.25.254.254/content/salaries.yml
[student@workstation ansible]$ ansible-vault rekey salaries.yml
Vault password: # enter the old password insecure4sure
New Vault password: # enter the new password bbe2de98389b
Confirm New Vault password: # enter the new password bbe2de98389b
Rekey successful
XVIII. Create a scheduled task
Create a scheduled task for natasha that runs echo hello every 2 minutes; the playbook file is named cron.yml and runs on the dev host group.
Start:
[student@workstation ansible]$ vim cron.yml
---
- hosts: dev
  tasks:
    - name: create user
      user:
        name: natasha
        state: present
    - name: create cron
      cron:
        minute: "*/2"
        user: natasha
        job: "echo hello" //just copy the job given in the question
[student@workstation ansible]$ ansible-playbook cron.yml
[student@workstation ansible]$ ssh root@servera //verify
[root@servera ~]# crontab -l -u natasha
#Ansible: exec tasks every 2 minute
*/2 * * * * echo hello