Ansible实战

1. 目标

本文，目标是使用ansible安装lnmp+haproxy。
共四台主机，都是ubuntu14 server版，一台作为ansible管理机，另外三台作为ansible客户机用来部署服务。
客户机A安装nginx+php+mysql，客户机B安装nginx+php，客户机C安装haproxy用来负载均衡。如下图：

2. 设计

项目结构参考最佳实践-Content Organization，如下图：

注意点：

• 角色分配简单明确。
• 在hosts中分组添加变量，指定安装软件。
• 二次执行脚本时不能影响已经安装的服务。

3. 安装流程

1、添加密钥
2、设置sudo免密
3、更新安装源
4、时间同步
5、安装nginx+php+mysql+haproxy
6、检查安装

4. 实践

4.1. 文件准备

1、创建项目lnmp
mkdir lnmp && cd lnmp

2、创建角色目录
mkdir roles
mkdir -p roles/{1_key,2_sudo,3_sources,4_chrony,5_software,6_check}/{tasks,handlers,vars,files,templates}

3、创建变量目录
mkdir group_vars host_vars

4、创建hosts文件，分配安装组，内容如下：

[base]
192.168.56.102
192.168.56.103
192.168.56.104

[nginx_php_mysql]
192.168.56.102

[nginx_php]
192.168.56.103

[haproxy]
192.168.56.104

[base:vars]
install_nginx=false
install_php=false
install_mysql=false
install_haproxy=false

[nginx_php_mysql:vars]
install_nginx=true
install_php=true
install_mysql=true
install_haproxy=false

[nginx_php:vars]
install_nginx=true
install_php=true
install_mysql=false
install_haproxy=false

[haproxy:vars]
install_nginx=false
install_php=false
install_mysql=false
install_haproxy=true

5、创建site.yml文件，内容为：

---
- hosts: all
  gather_facts: false
  roles:
    - 1_key
    - 2_sudo
    - 3_sources
    - 4_chrony
    - 5_software
    - 6_check

6、关闭第一次使用ansible连接客户端时命令提示
sudo vim /etc/ansible/ansible.cfg，如下修改

# line 62, uncomment
host_key_checking = False

4.2. 添加密钥

1、设置用户和密码
vim group_vars/base.yml，内容为：

---
ansible_ssh_user: voidking
ansible_ssh_pass: voidking
ansible_sudo: voidking
ansible_sudo_pass: voidking

2、vim test.yml，内容为：

---
- hosts: all
  vars_files:
    - group_vars/base.yml
  roles:
    - 1_key

3、vim roles/1_key/tasks/main.yml，内容为：

---
- name: copy public key
  copy:
    src: /home/voidking/.ssh/id_rsa.pub
    dest: /home/voidking/.ssh/id_rsa.pub.tmp
    owner: voidking
    group: voidking
    mode: 0600
    force: yes
- name: add public key
  shell: cd /home/voidking/.ssh && cat id_rsa.pub.tmp | tee >> authorized_keys

4、vim test_hosts，内容为：

[test]
192.168.56.102

5、执行脚本

ansible-playbook test.yml -i test_hosts --syntax-check
ansible-playbook test.yml -i test_hosts

5、在客户端查看结果
ll .ssh

6、测试登录
ssh voidking@192.168.56.102

4.3. sudo免密

1、vim test.yml，内容为：

---
- hosts: all
  vars_files:
    - group_vars/base.yml
  roles:
    #- 1_key
    - 2_sudo

2、vim roles/2_sudo/tasks/main.yml，内容为：

---
- name: add sudo user
  shell: 'sudo sh -c "echo voidking ALL = NOPASSWD: ALL >> /etc/sudoers"'
  #shell: 'echo "voidking ALL = NOPASSWD: ALL" | sudo tee >> /etc/sudoers'

3、执行脚本

ansible-playbook test.yml -i test_hosts --syntax-check
ansible-playbook test.yml -i test_hosts -s

4、在客户端查看结果
sudo ls

4.4. sudo免密2

上面的方法，虽然成功添加了sudo，但是从提示我们看出，在shell模块中sudo马上就不能使用了。

1、vim roles/2_sudo/tasks/main.yml，修改如下：

---
- name: add sudo user
  become_user: root
  become: true
  shell: "echo voidking ALL = NOPASSWD: ALL >> /etc/sudoers"

2、执行脚本

ansible-playbook test.yml -i test_hosts --syntax-check
ansible-playbook test.yml -i test_hosts

4.5. 更新安装源

1、vim test.yml，内容为：

---
- hosts: all
  vars_files:
    - group_vars/base.yml
  roles:
    #- 1_key
    #- 2_sudo
    - 3_sources

2、vim roles/3_sources/files/sources.list，内容为：

deb http://cn.archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ trusty-security main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
##測試版源
deb http://cn.archive.ubuntu.com/ubuntu/ trusty-proposed main restricted universe multiverse
# 源碼
deb-src http://cn.archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ trusty-security main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
##測試版源
deb-src http://cn.archive.ubuntu.com/ubuntu/ trusty-proposed main restricted universe multiverse
# Canonical 合作夥伴和附加
# deb http://archive.canonical.com/ubuntu/ trusty partner
# deb http://extras.ubuntu.com/ubuntu/ trusty main

3、vim roles/3_sources/tasks/main.yml，内容为：

---
- name: replace sources.list
  copy:
    src: ../files/sources.list
    dest: /etc/apt/sources.list
    force: yes
- name: update
  become_user: root
  become: true
  shell: apt update
- name: upgrade
  become_user: root
  become: true
  apt:
    upgrade: yes

4、执行脚本

ansible-playbook test.yml -i test_hosts --syntax-check
ansible-playbook test.yml -i test_hosts

4.6. 时间同步

4.6.1. 管理机准备

1、管理机安装chrony
apt -y install chrony

2、重启chrony
service chrony restart

3、拷贝chrony.conf
cp /etc/chrony/chrony.conf roles/4_chrony/files/

4、vim roles/4_chrony/files/chrony.conf，如下修改：

# line 20,comment
#server 0.debian.pool.ntp.org offline minpoll 8
#server 1.debian.pool.ntp.org offline minpoll 8
#server 2.debian.pool.ntp.org offline minpoll 8
#server 3.debian.pool.ntp.org offline minpoll 8
# line 24,add
server 192.168.56.101 iburst

4.6.2. playbook配置

1、vim test.yml，内容为：

---
- hosts: all
  vars_files:
    - group_vars/base.yml
  roles:
    #- 1_key
    #- 2_sudo
    #- 3_sources
    - 4_chrony

2、vim group_vars/base.yml，内容为：

---
ansible_ssh_user: voidking
ansible_ssh_pass: voidking
ansible_sudo: voidking
ansible_sudo_pass: voidking
ansible_become_user: root
ansible_become_pass: voidking
ansible_become: true

3、vim roles/4_chrony/tasks/main.yml，内容为：

---
- name: install chrony
  apt:
    name: chrony
    state: latest
- name: change config
  copy: 
    src: ../files/chrony.conf 
    dest: /etc/chrony/chrony.conf
    owner: root
    group: root
    mode: 0644
    force: yes
- name: restart chrony
  service:
    name: chrony
    state: restarted

4、执行脚本

ansible-playbook test.yml -i test_hosts --syntax-check
ansible-playbook test.yml -i test_hosts

5、在客户机验证chrony
chronyc sources

4.7. 安装核心软件

1、vim test_hosts，内容为：

[test]
192.168.56.102

[test:vars]
install_nginx=true
install_php=true
install_mysql=true
install_haproxy=true

2、vim test.yml，内容为：

---
- hosts: all
  vars_files:
    - group_vars/base.yml
  roles:
    #- 1_key
    #- 2_sudo
    #- 3_sources
    #- 4_chrony
    - 5_software

3、vim roles/5_software/tasks/main.yml，内容为：

---
- name: install nginx
  apt:
    name: nginx
    state: latest
  when: install_nginx
- name: install php
  apt:
    name: "{{item}}"
    state: latest
    update_cache: yes
  with_items:
    - php5
    - libapache2-mod-php5
    - php5-mcrypt
    - php5-curl
    - php5-imagick
    - php5-cli
    - php5-json
    - php5-fpm
    - php5-mysql
  when: install_php
- name: install mysql
  apt:
    name: "{{item}}"
    state: latest
  with_items:
    - mysql-common
    - mysql-server
    - mysql-client
    - python-mysqldb
  when: install_mysql
- name: config mysql passwd
  mysql_user:
    login_user: root
    login_password: "\n"
    name: root
    password: "voidking"
    host: "{{item}}"
    priv: '*.*:ALL,GRANT'
    state: present
    check_implicit_admin: yes
  with_items:
    - "localhost"
    - "%"
  when: install_mysql
- name: comment bind-address
  shell: sed -i 's/^bind-address/#bind-address/g' /etc/mysql/my.cnf
  when: install_mysql
- name: restart mysql service
  service: 
    name: mysql 
    state: restarted
    enabled: true
  when: install_mysql
- name: install haproxy
  apt:
    name: haproxy
    state: latest
  environment:
    RUNLEVEL: 1
  when: install_haproxy
- name: config haproxy
  shell: sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/haproxy
  when: install_haproxy
- name: config haproxy port
  copy: 
    src: ../files/haproxy.cfg
    dest: /etc/haproxy/haproxy.cfg
    force: yes
  when: install_haproxy
- name: restart haproxy
  service:
    name: haproxy
    state: restarted
  when: install_haproxy

4、vim roles/5_software/files/haproxy.cfg，内容为

global
  log /dev/log    local0
  log /dev/log    local1 notice
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon

defaults
  log     global
  mode    http
  option  httplog
  option  dontlognull
  contimeout 5000
  clitimeout 50000
  srvtimeout 50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
  bind *:8080
  stats uri /haproxy?stats
  default_backend http_back

backend http_back
  balance roundrobin
  option httpchk GET /index.html
  option forwardfor header X-Forwarded-For
  server node1 192.168.56.102:80 check inter 2000 rise 3 fall 3 weight 30
  server node2 192.168.56.103:80 check inter 2000 rise 3 fall 3 weight 30

5、执行脚本

ansible-playbook test.yml -i test_hosts --syntax-check
ansible-playbook test.yml -i test_hosts

6、在客户机测试
mysql -uroot -p -h 192.168.56.102

curl localhost

curl localhost:8080

4.8. 整合所有步骤

1、执行脚本

ansible-playbook site.yml -i hosts --syntax-check
ansible-playbook site.yml -i hosts

2、查看安装

curl 192.168.56.102
curl 192.168.56.103
curl 192.168.56.104:8080

4.9. 检查安装

1、vim site.yml，修改为：

---
- hosts: all
  gather_facts: false
  roles:
    #- 1_key
    #- 2_sudo
    #- 3_sources
    #- 4_chrony
    #- 5_software
    - 6_check

2、vim roles/6_check/tasks/main.yml，内容为：

---
- name: copy index.html
  template:
    src: ../templates/index.j2
    dest: /usr/share/nginx/html/index.html
    force: yes
  when: install_nginx

3、vim roles/6_check/templates/index.j2，内容为：

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Home Page</title>
</head>
<body>
    {{ ansible_eth0.ipv4.address }}
</body>
</html>

PS：查看变量ansible 192.168.56.102 -m setup > var.txt

4、执行脚本

ansible-playbook site.yml -i hosts --syntax-check
ansible-playbook site.yml -i hosts

5、测试访问
curl 192.168.56.104:8080

多次执行，可以看到两个不同的IP会来回切换。

5. 源码分享

项目地址：https://github.com/voidking/lnmp.git

6. 书签

Ansible Documentation

Ansible中文权威指南

Ansible精讲

烂泥：高负载均衡学习haproxy之安装与配置

HAproxy 配置参数详解