1 Ansible role introduction
An Ansible role packages Ansible code so that it can be reused in a general way: the environment, files, variables, templates and other resources are all arranged in a conventional directory structure. To use a role you only need to copy its directory and call it from the roles list of a play.
A play can pass variables to a role to adjust its behaviour and to set details such as the host name, IP address and user name. Parameters that the caller does not customize should be given sensible default values in the role's defaults directory.
Put simply, roles are a mechanism for placing variables, files, modules and handlers in separate directories according to a fixed directory hierarchy.
1.2 Ansible role advantages
- Roles group content so that code can be shared with others
- Roles can be written for the basic building blocks of a system: web server, database server, git repository, etc.
- Large projects become easy to manage
- Roles for one project can be written by different people
Many community-maintained roles are available from the Ansible Galaxy website.
Address: https://galaxy.ansible.com/
List all installed Galaxy roles: ansible-galaxy list
1.3 Official role directory structure
```text
site.yml
webservers.yml
fooservers.yml
roles/
    common/
        tasks/      # Defines the role's task list; this file can call include. Contains a main.yml
        handlers/   # Defines the actions to run when a condition in the role triggers them. Contains a main.yml
        files/      # Stores files called by the copy module or the script module
        templates/  # Stores jinja2 templates; the template module looks up .j2 files in this directory automatically
        vars/       # Variables used to define the role. Contains a main.yml
        defaults/   # The role's default variables, used when no other variable is defined. Contains a main.yml
        meta/       # Defines the role's special settings (author, license, platform information) and dependencies. Contains a main.yml
        tests/      # Contains the inventory or the play used to test the role
    webservers/
        tasks/
        defaults/
        meta/
```
1.4 Defining variables and default values
Role variables are normally defined in the role's vars/main.yml file and referenced in the role's YAML files as {{ VAR_NAME }}. They have a higher priority and are used internally by the role.
Default variables are defined in defaults/main.yml and have the lowest priority. They allow a play to customize or control the role precisely and to configure the corresponding tasks correctly.
Use the default variable for those that cannot be changed, and use the role variable for those that can be changed
Notes:
1. Roles are freely shared and reused, so do not write irrelevant or unneeded information into them
2. A role should not contain any secrets, passwords or private keys
3. Confidential values can instead be supplied through play variables passed to the role
1.5 Simple use of roles
```yaml
---
- hosts: example.com
  remote_user: root
  roles:
    - mysql
    - nginx
    - memcached
```
For each role listed, the role's tasks, handlers, variables and so on are imported into the playbook in order. The copy, script and template modules used inside a role, as well as import_tasks and include_tasks, can reference the role's own files without absolute or relative paths.
The variables used in the role are overlaid from vars/main.yml and defaults/main.yml.
Note: do not reuse the name of any role variable anywhere else in the play.
1.6 Passing variables to a role
```yaml
---
- hosts: example.com
  remote_user: root
  roles:
    - role: mysql
    - role: apache
      username: username
      package: package
```
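The following is an added example, not code from the original post, showing how the pieces of sections 1.4 to 1.6 fit together: a hypothetical `webserver` role whose defaults/main.yml values carry the lowest priority (so the play can override them as role parameters), while vars/main.yml holds the role's internal constants, which take priority over play and inventory variables. All variable names are prefixed with the role name so they cannot collide with names used elsewhere in the play, as the note above requires.

```yaml
# roles/webserver/defaults/main.yml  (lowest priority: meant to be overridden by the play)
webserver_package: httpd
webserver_listen_port: 80

# roles/webserver/vars/main.yml  (higher priority: the role's internal constants)
webserver_config_path: /etc/httpd/conf/httpd.conf
webserver_service: httpd

# roles/webserver/tasks/main.yml
- name: Install the web server package
  yum:
    name: "{{ webserver_package }}"
    state: present

- name: Set the listen port in the main configuration file
  lineinfile:
    path: "{{ webserver_config_path }}"
    regexp: '^Listen '
    line: "Listen {{ webserver_listen_port }}"
  notify: restart web server

- name: Ensure the service is enabled and running
  service:
    name: "{{ webserver_service }}"
    state: started
    enabled: yes

# roles/webserver/handlers/main.yml
- name: restart web server
  service:
    name: "{{ webserver_service }}"
    state: restarted

# site.yml: the play overrides only the default; a role parameter wins over defaults/main.yml,
# while webserver_config_path and webserver_service stay as the role defined them
---
- hosts: web
  remote_user: root
  roles:
    - role: webserver
      webserver_listen_port: 8080
```

Running `ansible-playbook site.yml` installs httpd listening on 8080; dropping the `webserver_listen_port` parameter falls back to the default of 80.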
2. System roles
From RHEL 7.4 onward the operating system ships several Ansible roles, which are available from AppStream as part of the RHEL System Roles package.
2.1 RHEL system role description
| Name | Status | Role description |
|---|---|---|
| rhel-system-roles.kdump | Full support | Configure the kdump crash recovery service |
| rhel-system-roles.timesync | Full support | Configure time synchronization using the Network Time Protocol or the Precision Time Protocol |
| rhel-system-roles.selinux | Full support | Configure and manage SELinux customizations, including the SELinux mode, file and port contexts, boolean settings and SELinux users |
| rhel-system-roles.firewall | Under development | Configure the host firewall |
| rhel-system-roles.network | Full support | Configure network interfaces |
| rhel-system-roles.tuned | Under development | Configure the tuned service to tune system performance |
| rhel-system-roles.postfix | Technical Preview | Configure each host as a mail transfer agent using the Postfix service |
| rhel-system-roles.storage | Technical Preview | Virtual hard disk |
The purpose of the system roles is to standardize the configuration of Red Hat Enterprise Linux subsystems across multiple versions: they can be used to configure any Red Hat Enterprise Linux host at version 6.10 or above.
RHEL 6 recommends the ntpd service and RHEL 7 recommends the chronyd time synchronization service. With the system role the administrator no longer needs to maintain the service configuration file by hand; the timesync role can be used to synchronize time on either.
2.2 Installing the system roles
The installed system roles are placed under /usr/share/ansible/roles by default.
```
[root@clq ~]# yum -y install rhel-system-roles
[root@clq roles]# pwd
/usr/share/ansible/roles
[root@clq roles]# ls
linux-system-roles.certificate      linux-system-roles.ssh             rhel-system-roles.metrics
linux-system-roles.crypto_policies  linux-system-roles.sshd            rhel-system-roles.nbde_client
linux-system-roles.ha_cluster       linux-system-roles.storage         rhel-system-roles.nbde_server
linux-system-roles.kdump            linux-system-roles.timesync        rhel-system-roles.network
linux-system-roles.kernel_settings  linux-system-roles.tlog            rhel-system-roles.postfix
linux-system-roles.logging          linux-system-roles.vpn             rhel-system-roles.selinux
linux-system-roles.metrics          rhel-system-roles.certificate      rhel-system-roles.ssh
linux-system-roles.nbde_client      rhel-system-roles.crypto_policies  rhel-system-roles.sshd
linux-system-roles.nbde_server      rhel-system-roles.ha_cluster       rhel-system-roles.storage
linux-system-roles.network          rhel-system-roles.kdump            rhel-system-roles.timesync
linux-system-roles.postfix          rhel-system-roles.kernel_settings  rhel-system-roles.tlog
linux-system-roles.selinux          rhel-system-roles.logging          rhel-system-roles.vpn
```
2.3 Role documentation
Each role ships with a README document that describes the role and explains how to use it.
```
[root@clq rhel-system-roles.timesync]# pwd
/usr/share/ansible/roles/rhel-system-roles.timesync
[root@clq rhel-system-roles.timesync]# less README.md
```
```yaml
- hosts: targets
  vars:
    timesync_ntp_servers:
      - hostname: foo.example.com   # A sample play from the README
        iburst: yes
      - hostname: bar.example.com
        iburst: yes
      - hostname: baz.example.com
        iburst: yes
  roles:
    - rhel-system-roles.timesync
```
2.4 timesync system role example
General time synchronization settings
Configuration file: /etc/chrony.conf
```
server example.com iburst
```
```
# Install the system roles
[root@clq ~]# yum -y install rhel-system-roles
# Copy the timesync role into /etc/ansible/ and rename it to timesync
[root@clq ansible]# cp -r /usr/share/ansible/roles/rhel-system-roles.timesync/ .
[root@clq ansible]# mv rhel-system-roles.timesync/ timesync
# Write the time synchronization play
[root@clq ansible]# cat time.yml
---
- hosts: "web"                       # Managed hosts
  vars:
    timesync_ntp_servers:            # Variable documented in README.md
      - hostname: time1.aliyum.com   # Host name of the NTP server to synchronize with
        iburst: yes                  # Boolean that enables or disables fast initial synchronization; the role's default is no
  roles:
    - timesync                       # Call the system role
```
2.5 Controlling the execution sequence
A pre_tasks section can be defined to run specific tasks before the roles are executed. post_tasks runs after the roles, and finally the handlers that were notified by tasks are executed.
Roles can also be called from the tasks section of a play: include_role performs a dynamic import (added in version 2.3) and import_role a static import (added in version 2.4).
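An added example (not from the original post) of the ordering described above, using the `timesync` and `selinux` role copies created elsewhere in this article: pre_tasks run first, then the roles list, then tasks (including one static and one dynamic role call), then post_tasks. Notified handlers are flushed at the end of each of those sections, so the handler below runs after the tasks section and before post_tasks.

```yaml
# order.yml: pre_tasks -> roles -> tasks -> post_tasks; handlers flush at the end of each section
---
- hosts: web
  remote_user: root

  pre_tasks:
    - name: Record the start of the change window in syslog
      command: logger -t ansible "maintenance start"

  roles:
    - timesync                      # roles are imported statically and run before 'tasks'

  tasks:
    - name: Static import of a role (resolved when the playbook is parsed)
      import_role:
        name: timesync

    - name: Dynamic include of a role (resolved at run time; the 'when' is evaluated once for the include)
      include_role:
        name: selinux
      when: ansible_facts['selinux']['status'] == 'enabled'

    - name: Update the login banner and notify a handler
      copy:
        content: "Managed by Ansible\n"
        dest: /etc/motd
      notify: log banner change

  post_tasks:
    - name: Record the end of the change window in syslog
      command: logger -t ansible "maintenance end"

  handlers:
    - name: log banner change
      command: logger -t ansible "motd updated"
```

With import_role the same `when` would instead be attached to every task inside the role; with include_role the whole role is skipped if the condition is false.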
2.6 SELinux role functions
Tasks that this role can perform:
- Set enforcing or permissive mode
- Run restorecon on parts of the file system hierarchy
- Set SELinux booleans
- Set SELinux file contexts
- Set SELinux user mappings
3.6 SELinux system role examples:
```
# First check the managed host's SELinux configuration file and current status
[root@mysql01 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@mysql01 ~]# getenforce
Permissive
# Put the selinux system role under /etc/ansible/ and name it selinux
[root@clq ansible]# cp -r /usr/share/ansible/roles/rhel-system-roles.selinux/ .
[root@clq ansible]# mv rhel-system-roles.selinux selinux
# Write the selinux role play
[root@clq ansible]# cat selinux.yml
---
- hosts: web
  vars:
    selinux_policy: targeted
    selinux_state: disabled
  roles:
    - selinux
# Check the managed host's SELinux status again
[root@mysql01 ~]# getenforce
Disabled
[root@mysql01 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Note: permissive --------> disabled requires a reboot
permissive --------> enforcing requires no reboot
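The play above turns SELinux off entirely, which removes the mandatory access control layer from the host. As an added example (not part of the original article), the play below keeps the `selinux` role copy in enforcing mode and instead exercises the other functions listed in 2.6: a boolean, a port context, a file context with restorecon, and a user mapping. The `selinux_booleans`, `selinux_ports`, `selinux_fcontexts`, `selinux_restore_dirs`, `selinux_logins` and `selinux_reboot_required` names are taken from the role's README.md (confirm them against the installed copy); the port, path and account are constructed values.

```yaml
# selinux_enforce.yml: keep mandatory access control on and tailor the policy instead of disabling it
---
- hosts: web
  remote_user: root
  vars:
    selinux_policy: targeted
    selinux_state: enforcing            # enforcing: denials are blocked and logged in the audit log

    # Booleans: allow httpd to open outbound network connections
    selinux_booleans:
      - name: httpd_can_network_connect
        state: "on"
        persistent: "yes"

    # Port contexts: let httpd listen on 8080 (constructed example) without a denial
    selinux_ports:
      - ports: "8080"
        proto: tcp
        setype: http_port_t
        state: present

    # File contexts: label an alternative document root like the default one
    selinux_fcontexts:
      - target: "/srv/www(/.*)?"
        setype: httpd_sys_content_t
        ftype: a
        state: present

    # Directories the role relabels with restorecon after the context change
    selinux_restore_dirs:
      - /srv/www

    # Login mappings: confine a local admin account (constructed) to the staff_u SELinux user
    selinux_logins:
      - login: webadmin
        seuser: staff_u
        state: present

  roles:
    - selinux

  post_tasks:
    # A switch between disabled and enforcing needs a reboot; the role sets this fact when that is the case
    - name: Reboot only when the role reports that the mode change requires it
      reboot:
      when: selinux_reboot_required | default(false)
```

Afterwards `getenforce` on the managed host reports Enforcing, and `ausearch -m AVC` shows any remaining denials to fix with further booleans or contexts rather than by disabling SELinux.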
2.7 Hard disk partitioning with the storage system role
```
# Prepare a 10G hard disk on the managed host
[root@mysql01 ~]# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda           8:0    0   20G  0 disk
├─sda1        8:1    0    1G  0 part /boot
└─sda2        8:2    0   19G  0 part
  ├─cs-root 253:0    0   17G  0 lvm  /
  └─cs-swap 253:1    0    2G  0 lvm  [SWAP]
sdb           8:16   0   20G  0 disk
sr0          11:0    1  9.1G  0 rom
# Control host configuration
[root@clq ansible]# cp /usr/share/ansible/roles/rhel-system-roles.storage/README.md .
[root@clq ansible]# mv README.md storage.yml
[root@clq ansible]# vim storage.yml
# Delete lines 1-192, keeping only the example play at the end of the README
- hosts: web                           # managed host group used in the earlier plays
  roles:
    - name: rhel-system-roles.storage
      storage_pools:                   # Storage pools
        - name: APP
          disks:                       # Disks that make up the pool
            - sdb
          volumes:                     # Each volume has a size, name, mount point and file system type
            - name: sdb01
              size: "8 GiB"
              mount_point: "/mnt/APP/sdb01"
              fs_type: xfs
              state: present
            - name: vdb02
              size: "8 GiB"
              mount_point: "/mnt/APP/sdb02"
              fs_type: ext4
              state: present
# Run the storage role
[root@clq ansible]# ansible-playbook storage.yml
# View the partitions on the managed host
[root@mysql01 ~]# lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0   20G  0 disk
├─sda1          8:1    0    1G  0 part /boot
└─sda2          8:2    0   19G  0 part
  ├─cs-root   253:0    0   17G  0 lvm  /
  └─cs-swap   253:1    0    2G  0 lvm  [SWAP]
sdb             8:16   0   20G  0 disk
├─APP-vdb02   253:2    0    8G  0 lvm  /mnt/APP/sdb02
└─APP-sdb01   253:3    0    8G  0 lvm  /mnt/APP/sdb01
sr0            11:0    1  9.1G  0 rom
```