
Hands-on RHCA DO407 (1)

Original article by 小朋友呢, last modified 2020-01-14 18:45:32

1. Install and configure Ansible

  1. Install and configure Ansible on the control node control.labx.example.com as follows:
  2. Create a static inventory file named /home/student/ansible/inventory such that:

2.1 servera is a member of the dev host group

2.2 serverb is a member of the test host group

2.3 serverc and serverd are members of the prod host group

2.4 serverb is also a member of the balancers host group

2.5 the prod group is a member (child group) of the webservers host group

3. Create a configuration file named /home/student/ansible/ansible.cfg such that:

3.1 the host inventory file is /home/student/ansible/inventory

3.2 the location of the roles used by playbooks is defined as /home/student/ansible/roles

In the practice environment, log in to workstation as the student user. In the exam environment remote_user = matthew; here it is devops.

Answer

1. Switch to the student user and create the ansible and roles directories (all later commands are run from /home/student/ansible)

su - student
mkdir -p /home/student/ansible/roles
cd /home/student/ansible

2. Edit the inventory file

[student@workstation ansible]$ cat inventory 
[dev]
servera
[test]
serverb
[prod]
serverc
serverd
[balancers]
serverb
[webservers:children]
prod

3. Edit the Ansible configuration file (note that ask_pass must be spelled False)

[student@workstation ansible]$ cat ansible.cfg 
[defaults]
remote_user = devops
inventory   = /home/student/ansible/inventory
roles_path  = /home/student/ansible/roles
ask_pass    = False

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

With ask_pass and become_ask_pass both False, the devops account needs key-based SSH access to every managed node and passwordless sudo there; the ping test below confirms both, since every module runs under become.

4. Ping test

[student@workstation ansible]$ ansible all -m ping
serverd | SUCCESS => {
  "changed": false, 
  "ping": "pong"
}

servera | SUCCESS => {
  "changed": false, 
  "ping": "pong"
}

serverb | SUCCESS => {
  "changed": false, 
  "ping": "pong"
}

serverc | SUCCESS => {
  "changed": false, 
  "ping": "pong"
}
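
The group hierarchy above (serverb in two groups, prod a child of webservers) is what every `when: ... in groups[...]` condition later on this page is evaluated against. The following Python script is an added example, not code from the article or from Ansible itself: it parses the inventory text above (embedded inline), expands `:children`, and derives the `groups` dictionary and each host's `group_names` list the way a playbook sees them, including the difference between looking up a group that does not exist (an error, as `groups['qa']` would be with this inventory) and testing membership safely through `group_names`.

```python
"""Resolve Ansible-style INI inventory groups, including [group:children].

Added example, not code from the article or from Ansible. It re-implements
just enough of Ansible's inventory semantics to show how the `groups` dict and
each host's `group_names` list are derived from the inventory text.
"""
import re

# Constructed input: the inventory file from the article, verbatim.
INVENTORY = """\
[dev]
servera
[test]
serverb
[prod]
serverc
serverd
[balancers]
serverb
[webservers:children]
prod
"""

_SECTION = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")


def parse_inventory(text):
    """Return (groups, children): direct host members and child-group names."""
    groups, children = {}, {}
    section, kind = "ungrouped", None
    groups[section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, kind = m.group(1), m.group(2)
            groups.setdefault(section, [])
            if kind == "children":
                children.setdefault(section, [])
            continue
        if kind is None:
            host = line.split()[0]          # drop inline host vars (ansible_host=...)
            if host not in groups[section]:
                groups[section].append(host)
        elif kind == "children":
            children[section].append(line)
        # [group:vars] sections carry no membership information; ignored here.
    if not groups["ungrouped"]:
        del groups["ungrouped"]
    return groups, children


def resolve_groups(text):
    """Flatten child groups so every group lists all hosts it contains.
    Mirrors the `groups` variable Ansible exposes to templates and `when:`."""
    groups, children = parse_inventory(text)

    def members(name, seen=()):
        if name in seen:                     # guard against cyclic children
            raise ValueError("cyclic group definition: %s" % name)
        hosts = list(groups.get(name, []))
        for child in children.get(name, []):
            for h in members(child, seen + (name,)):
                if h not in hosts:
                    hosts.append(h)
        return hosts

    resolved = {g: members(g) for g in groups}
    all_hosts = []
    for hs in resolved.values():
        for h in hs:
            if h not in all_hosts:
                all_hosts.append(h)
    resolved["all"] = all_hosts
    return resolved


def group_names(resolved, host):
    """The per-host `group_names` list: every group the host belongs to."""
    return [g for g, hs in resolved.items() if g != "all" and host in hs]


def in_group(resolved, host, group):
    """Safe form of `when: "<group>" in group_names`: False for an unknown
    group, whereas resolved[group] (like groups['qa']) raises KeyError."""
    return group in group_names(resolved, host)


if __name__ == "__main__":
    g = resolve_groups(INVENTORY)
    for name, hosts in g.items():
        print("%-11s %s" % (name, " ".join(hosts)))
    print("serverb group_names:", group_names(g, "serverb"))
    print("serverb in qa?", in_group(g, "serverb", "qa"))
```

Run it as-is to print the resolved groups; the `in_group` check is the reason the later playbooks on this page prefer `'qa' in group_names` over `inventory_hostname in groups['qa']` when a group may be absent from the inventory.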

2. As a system administrator, you need to install software on the managed nodes

Create a shell script named /home/student/ansible/adhoc.sh that runs an Ansible ad-hoc command to create a yum repository on every managed node as follows:

  1. The repository name is exam_rhel
  2. The description is EX407 software
  3. The base URL is http://rhgls.labx.example.com/rhel
  4. GPG signature checking is enabled
  5. The GPG key URL is http://rhgls.lab.example.com/rhel/RPM-GPG-KEY-redhat-release
  6. The repository is enabled

Answer

1. Create the repository script. The URLs here are those of the practice environment (a RHEL 7.5 content server), not the exam URLs given above; in the exam use the exact values from the question, including the repository name (the script below uses Exam_RHEL, which is the name the .repo files shown further down carry).

[student@workstation ansible]$ cat adhoc.sh 
#!/bin/bash
ansible all -m yum_repository -a 'name=Exam_RHEL description="EX407 software" baseurl=http://content.example.com/rhel7.5/x86_64/dvd gpgcheck=yes gpgkey=http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes'

2. Make the script executable and run it

chmod 755 adhoc.sh && ./adhoc.sh

3. Check that the yum repository is configured on every node


[student@workstation ansible]$ ansible all -m shell -a 'cat /etc/yum.repos.d/Exam_RHEL.repo'
serverc | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

serverb | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

servera | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

serverd | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software
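
gpgcheck = 1 makes yum verify package signatures, but the key it verifies against is fetched from the gpgkey URL, and over plain http:// that key can be replaced by anyone who can intercept the download, so the check is only as strong as the network path. The script below is an added example (not part of the article) that audits .repo files for exactly this: it parses the repo file produced above (embedded inline, plus a constructed second repository that disables checking) and reports repositories that disable gpgcheck, omit the key, or fetch it over http.

```python
"""Audit yum/dnf .repo definitions for weak trust settings.

Added example, not part of the article. Parses .repo text with the standard
configparser (the .repo format is INI) and flags repositories whose package
verification is disabled or whose trust anchor is fetched insecurely.
"""
import configparser

# Constructed input: the repo the ad-hoc command produced, plus a weak one.
REPO_TEXT = """\
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

[third_party]
baseurl = http://mirror.example.net/extras
enabled = 1
gpgcheck = 0
name = Unsigned extras
"""


def parse_repos(text):
    """Parse .repo text (INI) into {repo_id: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {sec: dict(cp.items(sec)) for sec in cp.sections()}


def _is_true(value):
    return str(value).strip().lower() in ("1", "true", "yes")


def audit_repo(repo_id, repo):
    """Return a list of findings for one repository; empty means OK."""
    findings = []
    if not _is_true(repo.get("enabled", "1")):
        return findings                       # disabled repos are not consulted
    # A missing gpgcheck inherits yum.conf [main]; treat it as off to be safe.
    gpgcheck = _is_true(repo.get("gpgcheck", "0"))
    if not gpgcheck:
        findings.append("%s: gpgcheck disabled, packages are not verified" % repo_id)
    else:
        key = repo.get("gpgkey", "")
        if not key:
            findings.append("%s: gpgcheck on but no gpgkey configured" % repo_id)
        elif key.startswith("http://"):
            findings.append("%s: gpgkey fetched over plain http (%s); use https:// or file://"
                            % (repo_id, key))
    base = repo.get("baseurl", "")
    if base.startswith("http://") and not gpgcheck:
        findings.append("%s: baseurl over plain http with no signature check" % repo_id)
    return findings


def audit_repo_file(text):
    """Audit every repository in a .repo file; returns all findings."""
    findings = []
    for repo_id, repo in parse_repos(text).items():
        findings.extend(audit_repo(repo_id, repo))
    return findings


if __name__ == "__main__":
    for f in audit_repo_file(REPO_TEXT):
        print("WARN", f)
```

To run it against real nodes, collect /etc/yum.repos.d/*.repo from the managed hosts (for example with the fetch module) and pass each file's contents to audit_repo_file. A file:// key shipped with the distribution, or an https:// URL, removes the path-dependent trust.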

3. Install packages

Create a playbook named /home/student/ansible/packages.yml that installs packages:

  1. Install the php and mariadb packages on the hosts in the dev, test and prod host groups
  2. Install the Development Tools package group on the hosts in the dev host group
  3. Update all packages to the latest version on the hosts in the dev host group

Answer

1. Edit the packages.yml file. The conditions compare inventory_hostname (the name from the inventory, which is what groups[...] contains) rather than ansible_hostname, the short hostname reported by facts; the two coincide in this lab, but only the former is guaranteed to match.

[student@workstation ansible]$ cat packages.yml 
---
- hosts: dev,test,prod
  tasks:
  - name: install php mariadb
    yum:
      name: "{{ item }}"
      state: present
    with_items:
    - php
    - mariadb

  - name: install group Development Tools on dev hosts
    yum:
      name: "@Development Tools"
      state: present
    when: inventory_hostname in groups["dev"]

  - name: update all packages on dev hosts
    yum:
      name: "*"
      state: latest
    when: inventory_hostname in groups["dev"]

2. Check the syntax and run the playbook

ansible-playbook-2.7 --syntax-check packages.yml
ansible-playbook-2.7 packages.yml

3. Verify that the packages are installed

[student@workstation ansible]$ ansible dev,test,prod -m shell -a "rpm -qa|egrep 'php|mariadb'"
serverb | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64

serverd | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64

serverc | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64

servera | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64

4. Use a RHEL system role

Install the timesync role package (download URL http://materials/timesync-1.0.1.tar.gz)

and create a playbook named /home/student/ansible/timesync.yml that:

  1. Runs on all managed hosts
  2. Uses the timesync role
  3. Configures the role to use the time server 172.24.1.254 (172.25.254.254 in our lab)
  4. Configures the role to enable the iburst parameter

Answer

1. Install the role. In the exam environment it is provided by the rhel-system-roles package; in this practice environment that package cannot be installed with yum, so the role is installed with ansible-galaxy from the tarball instead.

sudo yum install -y rhel-system-roles

2. Write the requirements file that points at the tarball

cat get_timesync.yml 
- src: http://materials/timesync-1.0.1.tar.gz
  name: linux-system-timesync

3. Install timesync into the roles/ directory

ansible-galaxy install -r get_timesync.yml -p roles/

4. Write the playbook

cat timesync.yml
- hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes

  roles:
  - role: linux-system-timesync

5. Check the syntax, run the playbook, and check the result

ansible-playbook --syntax-check timesync.yml
ansible-playbook timesync.yml
ansible all -m shell -a 'chronyc sources'

servera | SUCCESS | rc=0 >>
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* classroom.example.com         8   6    77    46    -14ms[  -16ms] +/-   18ms

5. Install and use roles

Create a requirements file named /home/student/ansible/roles/requirements.yml for Ansible Galaxy

and use it to download and install the following roles under /home/student/ansible/roles:

1. Download http://materials/haproxy.tar.gz; the role name should be balancer

2. Download http://materials/phpinfo.tar.gz; the role name should be phpinfo

Answer

1. Write the requirements.yml file

cat requirements.yml 
- src: http://materials/haproxy.tar.gz
  name: balancer

- src: http://materials/phpinfo.tar.gz
  name: phpinfo

2. Install the roles

ansible-galaxy install -r /home/student/ansible/roles/requirements.yml -p /home/student/ansible/roles

6. Create and use a role

Create a role named apache in /home/student/ansible/roles with the following requirements:

  1. Copy the default template directory to /tmp/custom/, add a templates directory to it, and specify /tmp/custom as the template directory when creating the role
  2. The httpd package is installed, enabled at boot, and started
  3. The firewall is enabled and running with a rule that allows access to the web server
  4. A template file index.html.j2 exists and is used to create the file /var/www/html/index.html with the following output:

Welcome to {{ FQDN }} on {{ IPADDRESS }}

Create a playbook named /home/student/ansible/newrole.yml that:

  1. Runs on the hosts in the webservers host group

Answer

1. Initialise the apache role directory

ansible-galaxy init apache --init-path /home/student/ansible/roles

2. Go into that directory and create a templates directory (only needed if it does not exist already)

cd /home/student/ansible/roles/apache && mkdir -p templates

3. Edit the tasks file

[student@workstation apache]$ cat tasks/main.yml 
---
# tasks file for apache
- name: Install httpd
  yum:
   name: httpd
   state: present

- name: Start httpd
  service:
   name: httpd
   state: started
   enabled: yes

- name: start firewalld
  service:
   name: firewalld
   state: started
   enabled: yes

- name: firewalld permits http service
  firewalld:
   service: http
   state: enabled
   permanent: true
   immediate: yes

- name: create /var/www/html/index.html
  template:
   src: index.html.j2
   dest: /var/www/html/index.html
   setype: httpd_sys_content_t

4. Edit the web page template

[student@workstation apache]$ cat templates/index.html.j2 
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}

5. Write the playbook that applies the role

[student@workstation ansible]$cat /home/student/ansible/newrole.yml
---
- hosts: webservers
  roles:
   - apache

6. Check the syntax, run the playbook, and check the result

ansible-playbook --syntax-check newrole.yml 
ansible-playbook newrole.yml 

curl http://serverc
Welcome to serverc.lab.example.com on 172.25.250.12

curl http://serverd
Welcome to serverd.lab.example.com on 172.25.250.13

7. Use the roles installed from Ansible Galaxy

Create a playbook named roles.yml that:

deploys the balancer role on the hosts in the balancers host group

deploys the phpinfo role on the hosts in the webservers host group

Answer

1. Write the playbook. One play per host group is the simplest way to express this; it avoids targeting both groups in one play and filtering the role with a when condition.

cat roles.yml
- hosts: balancers
  roles:
  - balancer

- hosts: webservers
  roles:
  - phpinfo

2. Dry-run, then run the playbook for real

ansible-playbook -C roles.yml
ansible-playbook roles.yml

3. Check the result (serverb is the load balancer, so requests to it are answered by the web servers behind it)

[student@workstation ansible]$ curl http://serverb
Welcome to serverc.lab.example.com on 172.25.250.12

[student@workstation ansible]$ curl http://serverc
Welcome to serverc.lab.example.com on 172.25.250.12

[student@workstation ansible]$ curl http://serverb/hello.php
Hello PHP World form serverd.lab.example.com

[student@workstation ansible]$ curl http://serverc/hello.php
Hello PHP World form serverc.lab.example.com

8. Create a partition

Write a playbook at /home/student/ansible/partition.yml that runs on all hosts with the following requirements:

  1. On vdb, create a primary partition, number 1, of size 1500MiB
  2. Format it with the ext4 filesystem and mount it on /newpart
  3. If a partition of the requested size cannot be created, the error message "Could not create partition of that size" should be displayed and a partition of 800MiB should be used instead
  4. If the device vdb does not exist, the error message "Disk does not exist" should be displayed

Pseudocode logic

if vdb exists:
  try:
    partition vdb size=1500MiB && mkfs.ext4 && mount /dev/vdb1 /newpart
  rescue:
    print "Could not create partition of that size"
    partition vdb size=800MiB && mkfs.ext4 && mount /dev/vdb1 /newpart
else:
  print "Disk does not exist"

Answer

1. Write the partition playbook. A failed task 2 ends the play for that host only, so the remaining hosts continue; the block/rescue catches the parted failure for the oversized partition.

[student@workstation ansible]$ cat partition.yml 
- hosts: all
  tasks:
  - name: "1. test whether /dev/vdb exists"
    shell: ls /dev/vdb
    register: msg
    ignore_errors: yes

  - name: "2. report the missing disk and stop on this host"
    debug:
      msg: "Disk does not exist"
    when: msg is failed
    failed_when: msg is failed

  - name: "3. create a 1500MiB primary partition, fall back to 800MiB"
    block:
      - name: "3-1. create vdb1 of 1500MiB"
        parted:
          device: /dev/vdb
          number: 1
          part_start: 1MiB
          part_end: 1500MiB
          state: present

    rescue:
      - name: "3-2. report the size error"
        debug:
          msg: "Could not create partition of that size"

      - name: "3-3. create vdb1 of 800MiB instead"
        parted:
          device: /dev/vdb
          number: 1
          part_start: 1MiB
          part_end: 800MiB
          state: present

  - name: "4. create the filesystem"
    filesystem:
      dev: /dev/vdb1
      fstype: ext4

  - name: "5. create the mount point"
    file:
      path: /newpart
      state: directory
      mode: '0755'

  - name: "6. mount the device (state mounted also adds it to /etc/fstab)"
    mount:
      src: /dev/vdb1
      path: /newpart
      fstype: ext4
      state: mounted

2. Check the result (vdb is only 1 GiB, so the 1500MiB partition fails and the rescue creates the 800MiB one)

[student@workstation ansible]$ ansible all -m shell -a "lsblk"
serverb | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    253:0    0   40G  0 disk 
└─vda1 253:1    0   40G  0 part /
vdb    253:16   0    1G  0 disk 
└─vdb1 253:17   0  799M  0 part 

serverd | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    253:0    0   40G  0 disk 
└─vda1 253:1    0   40G  0 part /
vdb    253:16   0    1G  0 disk 
└─vdb1 253:17   0  799M  0 part 

serverc | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    253:0    0   40G  0 disk 
└─vda1 253:1    0   40G  0 part /
vdb    253:16   0    1G  0 disk 
└─vdb1 253:17   0  799M  0 part 

servera | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    252:0    0   40G  0 disk 
└─vda1 252:1    0   40G  0 part /
vdb    252:16   0    1G  0 disk 
└─vdb1 252:17   0  799M  0 part 

8.1 Create and apply a logical volume

Create a file /home/student/ansible/lv.yml that runs on all hosts with the following requirements:

  1. Create a logical volume of 1500MiB from the research volume group
  2. Format the logical volume with ext4
  3. Mount it persistently at boot on /data, but only on hosts in the qa host group
  4. If the logical volume cannot be created at that size, display the error message

Could not create logical volume of that size

and create the logical volume with a size of 800MiB instead

  5. If the research volume group does not exist, display the error message: Volume group does not exist

Answer

1. Create a research volume group first. It does not exist by default, so create it on every host (pvcreate/vgcreate on a spare disk in your lab) before running the playbook.

2. Write the playbook. The inventory on this page has no qa group, so the mount condition uses group_names, which is simply false for an unknown group; groups['qa'] would be undefined and abort the task.

[student@workstation ansible]$ cat lv.yml
- hosts: all
  tasks:
  - name: "1. check that the research volume group exists"
    shell: vgdisplay research
    register: res
    ignore_errors: yes

  - name: "2. report the missing volume group and stop on this host"
    debug:
      msg: "Volume group does not exist"
    when: res is failed
    failed_when: res is failed

  - name: "3. create a 1500MiB logical volume, fall back to 800MiB"
    block:
      - name: "3.1 create lvx of 1500MiB"
        lvol:
          vg: research
          lv: lvx
          size: 1500m

    rescue:
      - name: "3.2 report the size error"
        debug:
          msg: "Could not create logical volume of that size"

      - name: "3.3 create lvx of 800MiB instead"
        lvol:
          vg: research
          lv: lvx
          size: 800m

  - name: "4. format the logical volume"
    filesystem:
      dev: /dev/research/lvx
      fstype: ext4

  - name: "5. create the mount point"
    file:
      path: /data
      state: directory

  - name: "6. mount it persistently, on qa hosts only"
    mount:
      path: /data
      src: /dev/research/lvx
      fstype: ext4
      state: mounted
    when: "'qa' in group_names"

9. Generate a hosts file

  1. Download http://rhgls.labx.example.com/materials/hosts.j2 to /home/student/ansible (the practice environment has no template to download, so write it yourself)
  2. Complete the template so it can be used to generate a file with one line per inventory host, in the same format as /etc/hosts
  3. Create a playbook named /home/student/ansible/hosts.yml that uses this template to generate the file /etc/myhosts on the hosts in the dev host group
  4. When done, the /etc/myhosts file on the dev host group hosts should look like this:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.25.250.11 serverb.lab.example.com serverb

172.25.250.10 servera.lab.example.com servera

172.25.250.12 serverc.lab.example.com serverc

172.25.250.13 serverd.lab.example.com serverd

Answer

1. First copy the first two lines of /etc/hosts into hosts.j2

[student@workstation ansible]$ sed '3,$d' /etc/hosts > /home/student/ansible/hosts.j2

2. Append the loop below. The line inside the loop must be written on a single line, because the template emits it verbatim.

[student@workstation ansible]$ cat /home/student/ansible/hosts.j2 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

{% for host in groups['all'] %}
{{ hostvars[host]['ansible_default_ipv4']['address'] }} {{ hostvars[host]['ansible_fqdn'] }} {{ hostvars[host]['ansible_hostname'] }}
{% endfor %}

3. Write the playbook. It targets all hosts and restricts the template task to dev with a when condition rather than using hosts: dev, because the template reads every host's facts through hostvars, and those facts only exist for hosts the play has gathered them from.

[student@workstation ansible]$ cat /home/student/ansible/hosts.yml
---
- hosts: all
  tasks:
  - name: generate /etc/myhosts from hosts.j2
    template:
      src: hosts.j2
      dest: /etc/myhosts
    when: inventory_hostname in groups["dev"]

4. Check the syntax, dry-run, then run for real

ansible-playbook --syntax-check hosts.yml
ansible-playbook -C hosts.yml
ansible-playbook hosts.yml

5. Verify the result

[student@workstation ansible]$ ansible dev -m shell -a 'cat /etc/myhosts'
servera | SUCCESS | rc=0 >>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.25.250.11 serverb.lab.example.com serverb
172.25.250.10 servera.lab.example.com servera
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd

10. Modify file content

Create a playbook named /home/student/ansible/issue.yml as follows:

  1. The playbook runs on all hosts
  2. The playbook replaces the content of /etc/issue with a single line of text, as follows:

2.1 on hosts in the dev host group, the content is: Development

2.2 on hosts in the test host group, the content is: Test

2.3 on hosts in the prod host group, the content is: Production

Answer

1. Write the playbook

[student@workstation ansible]$ cat /home/student/ansible/issue.yml 
---
- hosts: all
  tasks:
  - name: replace content on dev hosts
    copy:
      content: "Development"
      dest: /etc/issue
    when: inventory_hostname in groups["dev"]

  - name: replace content on test hosts
    copy:
      content: "Test"
      dest: /etc/issue
    when: inventory_hostname in groups["test"]

  - name: replace content on prod hosts
    copy:
      content: "Production"
      dest: /etc/issue
    when: inventory_hostname in groups["prod"]

2. Check the syntax, dry-run, then run for real

ansible-playbook --syntax-check issue.yml 
ansible-playbook -C issue.yml
ansible-playbook issue.yml

3. Check the result

[student@workstation ansible]$ ansible all -m shell -a 'cat /etc/issue'
serverd | SUCCESS | rc=0 >>
Production

servera | SUCCESS | rc=0 >>
Development

serverc | SUCCESS | rc=0 >>
Production

serverb | SUCCESS | rc=0 >>
Test

11. Create a web content directory

Create a playbook named /home/student/ansible/webcontent.yml as follows:

  1. The playbook runs on the managed nodes in the dev host group
  2. Create the directory /webdev with the following requirements:

2.1 it is group-owned by webdev

2.2 permissions: owner=read+write+execute, group=read+write+execute, other=read+execute

2.3 special permission: set group ID

  3. Create the file /webdev/index.html with the content Development, and link /webdev to /var/www/html/webdev

Answer

1. Write the playbook. Tasks 1 to 4 (httpd and firewalld) are not required by the question; they are included so the result can be checked with curl. The SELinux type httpd_sys_content_t on /webdev and the file lets httpd serve content that lives outside /var/www.

[student@workstation ansible]$ cat /home/student/ansible/webcontent.yml 
- hosts: dev
  become: true
  tasks:
   - name: 1.Install httpd and firewalld
     yum: 
      name: "{{ item }}"
      state: present
     with_items: [httpd, firewalld]

   - name: 2.Start httpd
     service:
      name: httpd
      state: started
      enabled: yes

   - name: 3.start firewalld
     service:
      name: firewalld
      state: started
      enabled: yes

   - name: 4.firewall permits http service
     firewalld:
      service: http
      state: enabled
      permanent: true
      immediate: yes

   - name: 5.create the webdev group
     group:
      name: webdev
      state: present

   - name: 6.create the directory (2775 = setgid + rwxrwxr-x)
     file:
      path: /webdev
      state: directory
      group: webdev
      mode: '2775'
      setype: httpd_sys_content_t

   - name: 7.link /webdev into the document root
     file:
      src: /webdev
      dest: /var/www/html/webdev
      state: link

   - name: 8.create index.html
     copy:
      content: "Development"
      dest: /webdev/index.html
      setype: httpd_sys_content_t

2. Check the syntax and run the playbook

ansible-playbook --syntax-check webcontent.yml
ansible-playbook webcontent.yml

3. Access test

curl http://servera/webdev/index.html
Development

12. Generate a hardware report

Create a playbook named /home/student/ansible/hwreport.yml.

It generates an output file named /root/hwreport.txt on all managed nodes with the following information:

  1. inventory host name
  2. total memory (MB)
  3. BIOS version
  4. size of device vda
  5. size of device vdb
  6. Each line of the output file contains a single key=value pair. Your playbook should:

1) Download the file hwreport.empty from the URL http://rhgls.labx.example.com/materials and save it as /root/hwreport.txt

2) Modify /root/hwreport.txt with the correct values

3) If a hardware item does not exist, the related value should be set to NONE

Answer

1. Write the hwreport playbook. Each line is matched by its key with regexp, so an existing line in the downloaded file is updated in place instead of a new line being appended. The Jinja default must be the string 'NONE': default(none) yields Python's None, which renders as the word None. The empty file is not available in this lab, so create: yes produces it; in the exam, download it first with get_url.

[student@workstation ansible]$ cat hwreport.yml
- hosts: all
  tasks:
  - name: fill in /root/hwreport.txt, NONE when a fact is missing
    lineinfile:
      path: /root/hwreport.txt
      regexp: "^{{ item.key }}\\s*="
      line: "{{ item.key }} = {{ item.value }}"
      create: yes
    loop:
      - { key: inventory_name, value: "{{ inventory_hostname }}" }
      - { key: total_mem,      value: "{{ ansible_memtotal_mb | default('NONE') }}" }
      - { key: bios_version,   value: "{{ ansible_bios_version | default('NONE') }}" }
      - { key: vda_size,       value: "{{ ansible_devices.vda.size | default('NONE') }}" }
      - { key: vdb_size,       value: "{{ ansible_devices.vdb.size | default('NONE') }}" }

2. Check the syntax and run the playbook

ansible-playbook --syntax-check hwreport.yml
ansible-playbook hwreport.yml

3. Check the result

[student@workstation ansible]$ ansible all -m shell -a "cat /root/hwreport.txt"
serverb | SUCCESS | rc=0 >>
inventory_name = 
total_mem = 488
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB

serverc | SUCCESS | rc=0 >>
inventory_name = 
total_mem = 488
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB

serverd | SUCCESS | rc=0 >>
inventory_name = 
total_mem = 488
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB

servera | SUCCESS | rc=0 >>
inventory_name = 
total_mem = 487
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB
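
The report file is meant to be modified in place: a lineinfile task without a regexp simply appends lines, so each of the five keys has to be matched by key and replaced. The Python below is an added example, not the article's code, that reproduces that lineinfile behaviour (replace the last line matching ^key\s*=, append when there is no match) on a constructed copy of the empty report and a constructed facts dictionary for one host that has no vdb, so the NONE default can be seen end to end.

```python
"""Fill in a key = value report the way the lineinfile task above does.

Added example, not part of the article. The template text and the facts are
constructed; the facts mimic the ansible_memtotal_mb / ansible_devices
structure that gather_facts produces.
"""
import re

# Constructed input: the blank report the task asks you to download.
EMPTY_REPORT = """\
inventory_name =
total_mem =
bios_version =
vda_size =
vdb_size =
"""

# Constructed facts for one host; vdb is absent on purpose.
FACTS = {
    "inventory_hostname": "servera",
    "ansible_memtotal_mb": 487,
    "ansible_bios_version": "0.5.1",
    "ansible_devices": {"vda": {"size": "40.00 GB"}},
}


def dig(facts, *path, default="NONE"):
    """Walk nested dicts like `ansible_devices.vdb.size | default('NONE')`:
    any missing step yields the default instead of raising."""
    cur = facts
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return str(cur)


def report_values(facts):
    """Map report keys to their values, NONE where the fact does not exist."""
    return {
        "inventory_name": dig(facts, "inventory_hostname"),
        "total_mem": dig(facts, "ansible_memtotal_mb"),
        "bios_version": dig(facts, "ansible_bios_version"),
        "vda_size": dig(facts, "ansible_devices", "vda", "size"),
        "vdb_size": dig(facts, "ansible_devices", "vdb", "size"),
    }


def set_line(text, key, value):
    """lineinfile semantics: regexp=^key\\s*= replaces the last matching line,
    otherwise the line is appended at the end of the file."""
    line = "%s = %s" % (key, value)
    pattern = re.compile(r"^%s\s*=" % re.escape(key))
    lines = text.splitlines()
    hits = [i for i, l in enumerate(lines) if pattern.match(l)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def fill_report(text, facts):
    """Apply set_line for every report key, like the loop in hwreport.yml."""
    for key, value in report_values(facts).items():
        text = set_line(text, key, value)
    return text


if __name__ == "__main__":
    print(fill_report(EMPTY_REPORT, FACTS), end="")
```

Running the script prints the filled report with vdb_size = NONE; calling fill_report with an empty string shows the create: yes case, where all five lines are appended in order.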

13. Create a password vault

Create an Ansible vault for user passwords as follows:

  1. The vault is named /home/student/ansible/locker.yml
  2. The vault contains the following two variables:

2.1 pw_developer with the value Imadev

2.2 pw_manager with the value Imamgr

  3. The password for encrypting and decrypting is: whenyouwishuponastar
  4. The password is stored in the file /home/student/ansible/secret.txt

Answer

1. Create the password file. It holds the vault password in clear text, so it is as sensitive as the vault contents themselves: keep it readable only by student (mode 0600) and never store it next to the playbooks in version control.

[student@workstation ansible]$ cat /home/student/ansible/secret.txt 
whenyouwishuponastar

2. Create an encrypted variables file using the password file

ansible-vault --vault-password-file=secret.txt create /home/student/ansible/locker.yml
# in the editor that opens, enter the following content
pw_developer: Imadev
pw_manager: Imamgr

3. View the encrypted locker.yml using the password file

ansible-vault view locker.yml --vault-password-file=/home/student/ansible/secret.txt

Extension: encrypt or decrypt an existing file with ansible-vault

ansible-vault --vault-password-file=secret.txt encrypt issue.yml
ansible-vault --vault-password-file=secret.txt decrypt issue.yml

14. Create user accounts

  1. Download the file http://rhgls.labx.example.com/materials/user_list.yml and save it as /home/student/ansible/user_list.yml
  2. Using the passwords in /home/student/ansible/locker.yml (created in the previous task), create a playbook named /home/student/ansible/users.yml that creates these accounts:

2.1 users with the job description developer should be:

2.1.1 created on the managed nodes in the dev and test host groups

2.1.2 assigned the password from the pw_developer variable

2.1.3 members of the devops group

2.2 users with the job description manager should be:

2.2.1 created on the managed nodes in the prod host group

2.2.2 assigned the password from the pw_manager variable

2.2.3 members of the opsmgr group

  3. Passwords should use the SHA512 hash format
  4. Your playbook should use the vault password file created elsewhere in this exam

Answer

1. Write the user list file (it cannot be downloaded in this environment)

[student@workstation ansible]$ cat user_list.yml 
---
users:
 - name: node1
   job: developers
 - name: node2
   job: developers
 - name: node3
   job: manager

2. Write the user creation playbook. The group membership tests use group_names so the play does not break on an inventory without a test group. Note that password_hash('sha512') picks a random salt on every run, so the hash, and therefore the task result, changes each time the play runs; pass a fixed salt as the second argument if the play must be idempotent.

[student@workstation ansible]$ cat users.yml
- hosts: all
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
  - name: create the devops and opsmgr groups
    group:
      name: "{{ item }}"
      state: present
    loop: [devops, opsmgr]

  - name: developers on dev and test hosts, password from pw_developer
    user:
      name: "{{ item.name }}"
      password: "{{ pw_developer | password_hash('sha512') }}"
      groups: devops
      state: present
    loop: "{{ users }}"
    when:
      - "'dev' in group_names or 'test' in group_names"
      - item.job == "developers"

  - name: managers on prod hosts, password from pw_manager
    user:
      name: "{{ item.name }}"
      password: "{{ pw_manager | password_hash('sha512') }}"
      groups: opsmgr
      state: present
    loop: "{{ users }}"
    when:
      - "'prod' in group_names"
      - item.job == "manager"

3. Check the syntax, dry-run, then run for real, passing the vault password file each time

ansible-playbook --syntax-check users.yml --vault-password-file=secret.txt
ansible-playbook -C users.yml --vault-password-file=secret.txt
ansible-playbook users.yml --vault-password-file=secret.txt

4. Check the result (node1 to node3)

for u in node1 node2 node3; do ansible all -m shell -a "id $u"; done

15. Ansible vault rekey

Rekey an existing Ansible vault as follows:

  1. Download http://rhgls.labx.example.com/materials/salaries.yml and save it as /home/student/ansible/salaries.yml
  2. The current vault password is insecure4sure
  3. The new vault password is bbe2de98389b
  4. The vault remains encrypted, with the new password

Answer

1. salaries.yml cannot be downloaded here, so create it yourself. (The passwords are written after the prompts below for clarity; ansible-vault does not echo them.)

[student@workstation ansible]$ ansible-vault create salaries.yml
# you are prompted for the password and its confirmation
New Vault password: insecure4sure
Confirm New Vault password: insecure4sure

# an editor opens; add the following content
RED HAT ANSIBLE 2.7 EXAM
GOOD LUCK

2. Set the new password

[student@workstation ansible]$ ansible-vault rekey salaries.yml 
Vault password: insecure4sure
New Vault password: bbe2de98389b
Confirm New Vault password: bbe2de98389b
Rekey successful

3. View the encrypted file with the new password

[student@workstation ansible]$ ansible-vault view salaries.yml 
Vault password: bbe2de98389b
RED HAT ANSIBLE 2.7 EXAM
GOOD LUCK

16. Update the kernel

Write update_kernel.yml that:

1. Installs the latest kernel version

2. Reboots every host once all hosts have finished updating

3. Waits for the reboot to complete, then writes the kernel version to /root/update.txt

Answer

1. Write the playbook. With the default linear strategy every task completes on all hosts before the next task starts, so the reboot only happens once every kernel is updated. Ansible 2.7 also ships a reboot module that combines steps 3 and 4 in a single task.

[student@workstation ansible]$ cat update_kernel.yml 
- hosts: all
  tasks:
  - name: 1. update the kernel to the latest version
    yum:
      name: kernel
      state: latest
    register: msg
    ignore_errors: true

  - name: 2. stop on this host if the update failed
    debug:
      msg: "kernel update failed"
    when: msg is failed
    failed_when: msg is failed

  - name: 3. reboot the host
    # sleep first so the ssh session returns before the host goes down;
    # async/poll detach the command so the play does not wait on a dying connection
    shell: "sleep 1 && shutdown -r now"
    async: 1
    poll: 0
    ignore_errors: true

  - name: 4. wait for sshd to come back
    wait_for:
      host: "{{ inventory_hostname }}"
      port: 22
      state: started
      delay: 30
      timeout: 300
    # the remote host is down, so this check must run from the control node
    delegate_to: localhost

  - name: 5. record the running kernel version
    shell: "uname -r > /root/update.txt"

2. Run the playbook

[student@workstation ansible]$ ansible-playbook update_kernel.yml 

3. Check the update file

[student@workstation ansible]$ ansible  all -m shell -a 'cat /root/update.txt'
servera | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

serverc | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

serverd | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

serverb | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.

For infringement concerns, contact cloudcommunity@tencent.com for removal.
