
ansible基于role 机器初始化脚本案例

2018-08-30 13:55 351 查看

脚本目录结构:







--[root@scsv01181 initialization_basic_ansible]# cat site.yml

---
# Top-level playbook: runs every initialisation role against the "test" host group.
# Roles execute in the order listed.
# NOTE(review): install_zabbix_agent and install_java1.8 call yum before
# replace_yumrepo has swapped in the local repo file — if those packages are
# expected to come from the replaced repo, replace_yumrepo should be listed first.
- hosts: test
  roles:
    - install_zabbix_agent
    - install_java1.8
    - check_iptables
    - replace_yumrepo
    - install_check_sshd
    - install_maintainer_tools
    - selinux_stop
    - set_ulimit_maxfiles
    - set_timezone
    - set_kernel_args
    - install_ntp_or_chrony



每一个项目的目录结构



--[root@scsv01181 roles]# cat check_iptables/tasks/main.yml

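---
# Stop and disable the iptables and firewalld services when a matching process
# is found. Detection is by process listing, as in the original.
# NOTE(review): iptables.service is normally a oneshot unit with no long-lived
# process, so the ps-based check is unlikely to ever see it — confirm on the
# target hosts; the firewalld daemon is detected reliably.
- name: check iptables status
  shell: ps aux |grep iptables|grep -v grep|wc -l
  register: iptables
  changed_when: false   # read-only probe; do not report "changed"

- name: if have iptables process to stop it
  service:
    name: iptables
    state: stopped
  when: iptables.stdout != "0"

- name: check firewalld status
  shell: ps aux |grep firewall|grep -v grep|wc -l
  register: firewall
  changed_when: false

- name: if have firewall process to stop it
  service:
    name: firewalld
    state: stopped
  when: firewall.stdout != "0"

- name: disable iptables
  service:
    name: iptables
    enabled: false
  # Fixed: the original tested firewall.stdout here, so iptables was disabled
  # based on the firewalld probe rather than its own.
  when: iptables.stdout != "0"

- name: disable firewalld
  service:
    name: firewalld
    enabled: false
  when: firewall.stdout != "0"

- name: print iptanles and firewalld info
  debug:
    msg: "iptables and firewalld is not running"
  when: iptables.stdout == "0" and firewall.stdout == "0"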

--[root@scsv01181 roles]# cat install_check_sshd/tasks/main.yml

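---
# Verify openssh-server is installed and sshd is running; start and enable the
# service when it is not.
# NOTE(review): despite the role name nothing here installs openssh-server —
# the "not installed" branch only prints a message.
- name: check sshd is or not install
  shell: rpm -qa|grep openssh-server|wc -l warn=False
  register: sshd_count
  changed_when: false   # read-only probe

- name: print sshd install info
  debug:
    msg: "sshd is not install"
  when: sshd_count.stdout == "0"

- name: check sshd is or not running
  shell: ps aux |grep /usr/sbin/sshd |grep -v grep|wc -l
  register: ssh_process_count
  changed_when: false
  # Was == "1"; rpm -qa can list more than one package matching openssh-server.
  when: sshd_count.stdout != "0"

# When the probe above was skipped, ssh_process_count has no stdout, so the
# two tasks below guard on "is defined" instead of erroring out.
- name: print sshd is not running
  debug:
    msg: "sshd service is not running"
  when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"

- name: start sshd service
  service:
    name: sshd
    state: started
  when: ssh_process_count.stdout is defined and ssh_process_count.stdout == "0"

- name: make sshd servuice enabled of system started
  service:
    name: sshd
    enabled: true
  # Fixed: the original compared the whole registered dict to "0"
  # (`ssh_process_count == "0"`), which is never true, so sshd was never enabled.
  # Enabling is idempotent, so run it whenever the package is present.
  when: sshd_count.stdout != "0"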

--[root@scsv01181 roles]# cat install_java1.8/tasks/main.yml

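---
# Ensure OpenJDK 1.8 is present: probe `java -version` (which writes to stderr)
# and, if 1.8 is not reported, install whichever openjdk 1.8 x86_64 package the
# configured yum repos list.
- name: check the java version
  shell: java -version
  ignore_errors: true   # non-zero when java is missing; that is the install case
  register: javaversion
  changed_when: false

- debug:
    msg: "{{ javaversion.stderr_lines[0] }}"

- name: print java version
  debug:
    msg: "java is installed and the version is 1.8"
  # Substring test on the whole stderr rather than .count() on the first line only.
  when: "'1.8' in javaversion.stderr"

- name: find java 1.8 package name
  shell: yum list|grep openjdk.x86_64|grep 1.8|cut -d " " -f1|uniq warn=False
  register: java_version
  changed_when: false
  when: "'1.8' not in javaversion.stderr"

- debug:
    msg: "{{ java_version.stdout }}"
  when: java_version.stdout is defined

- name: install java 1.8 package
  # yum module with the package list instead of interpolating command output
  # into a shell line; also skipped when the repo lookup returned nothing,
  # where the original would have run a bare `yum install -y` and failed.
  yum:
    name: "{{ java_version.stdout_lines }}"
    state: present
  when:
    - "'1.8' not in javaversion.stderr"
    - java_version.stdout_lines is defined
    - java_version.stdout_lines | length > 0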

--[root@scsv01181 roles]# cat install_maintainer_tools/tasks/main.yml

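---
# Install the operator tool set in a single yum transaction instead of one
# task per package (same packages as before, one module call).
- name: install maintainer tools for system
  yum:
    name:
      - telnet
      - iftop
      - sysstat
      - iotop
      - vim
      - dstat
      - openssl
      - openssl-devel
    state: present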

--[root@scsv01181 roles]# cat install_ntp_or_chrony/tasks/main.yml

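---
# Replace chrony with ntpd: stop/disable chronyd if its process is seen, then
# install ntp, drop the role's ntp.conf and start/enable ntpd.
# NOTE(review): the config copy only runs when ntpd is not already running, so
# an existing ntpd keeps whatever ntp.conf it had — confirm that is intended.
- name: check ntp is not install
  shell: ps aux |grep ntp|grep -v grep|wc -l
  register: count_ntp
  changed_when: false   # read-only probe

- name: check chrony is or not install
  shell: ps aux |grep chrony|grep -v grep|wc -l
  register: count_chrony
  changed_when: false

- name: stop chrony
  service:
    name: chronyd
    state: stopped   # fixed typo: was "stoped", which the service module rejects
  when: count_chrony.stdout != "0"   # was == "1"; any chrony process should trigger this

- name: disable chronyd
  service:
    name: chronyd
    enabled: false
  when: count_chrony.stdout != "0"

- name: install ntp client
  yum:
    name: ntp
    state: present
  when: count_ntp.stdout != "1"

- name: copy local ntp config file to remote host
  copy:
    src: ntp.conf
    dest: /etc/ntp.conf
    mode: "0644"   # quoted octal; a bare 644 would be read as decimal by some loaders
    owner: root
    group: root
    backup: true
    force: true
  register: ntp_conf
  when: count_ntp.stdout != "1"

- name: restart ntp client to load the new configuration
  service:
    name: ntpd
    state: restarted
  when: ntp_conf is changed

- name: start ntp client
  service:
    name: ntpd
    state: started

- name: make the ntp clinet service enable
  service:
    name: ntpd
    enabled: true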

--[root@scsv01181 roles]# cat install_zabbix_agent/tasks/main.yml

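---
# Install zabbix-agent, drop the base config, patch the host-specific keys and
# start the service. SERVERIP and META_DATA are expected from the play's
# variables; neither is defined in this role.
# Fixed: the original set Server=/ServerActive= AFTER starting the agent and
# never restarted it, so the running agent kept the copied defaults until the
# next reboot; the ServerActive regexp was also unanchored.
- name: install zabbix-agent for zabbix-server
  yum:
    name: zabbix-agent
    state: present

- name: make the zabbix-agent enable
  service:
    name: zabbix-agent
    enabled: true

- name: copy base zabbix-agent configuration file
  copy:
    src: zabbix_agentd.conf
    dest: /etc/zabbix/zabbix_agentd.conf
    mode: "0644"
    owner: root
    group: root
    backup: true
    force: true
  register: zabbix_base_conf

- name: get hostname daxie
  # Upper-cased hostname via a filter instead of `echo | tr` in a shell.
  set_fact:
    zabbix_hostname: "{{ ansible_hostname | upper }}"

- debug:
    msg: "{{ zabbix_hostname }}"

- name: configuration zabbix-agent file hostname, metadata and server address
  # Server= is the allow-list of addresses the passive agent accepts checks
  # from; ServerActive= is where it pushes active checks. Both are set to
  # SERVERIP. All regexps are anchored so only the real key line is replaced.
  lineinfile:
    dest: /etc/zabbix/zabbix_agentd.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    - { regexp: '^Hostname=', line: 'Hostname={{ zabbix_hostname }}' }
    - { regexp: '^HostMetadata=', line: 'HostMetadata={{ META_DATA }}' }
    - { regexp: '^Server=', line: 'Server={{ SERVERIP }}' }
    - { regexp: '^ServerActive=', line: 'ServerActive={{ SERVERIP }}' }
  register: zabbix_conf

- name: restart zabbix-agent to load configuration changes
  service:
    name: zabbix-agent
    state: restarted
  when: zabbix_base_conf is changed or zabbix_conf is changed

- name: start zabbix-agent
  service:
    name: zabbix-agent
    state: started

- debug:
    msg: "now zabbix-agent is running and configuration complete"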

--[root@scsv01181 roles]# cat replace_yumrepo/tasks/main.yml

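---
# Install the site's yum repo file and rebuild the yum cache only when the
# file actually changed (the original cleaned and rebuilt the cache on every run).
# NOTE(review): the file is copied alongside the existing *.repo files, so this
# adds a repo rather than replacing the stock ones — confirm that is intended.
- name: copy current local yum repo to remote host
  copy:
    src: SAIC-CentOS.repo
    dest: /etc/yum.repos.d/
    mode: "0644"
    owner: root
    group: root
    backup: true
    force: true
  register: yum_repo

- name: clean yum repo
  shell: yum clean all warn=False
  when: yum_repo is changed

- name: yum makecahce
  shell: yum makecache warn=False
  when: yum_repo is changed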

--[root@scsv01181 roles]# cat selinux_stop/tasks/main.yml

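---
# Disable SELinux persistently (takes effect at next boot) and switch the
# running kernel to permissive right away. This removes the host's mandatory
# access control; "permissive" in /etc/selinux/config keeps audit logging
# without enforcement if that trade-off is preferred.
- name: configuration SELINUX for system
  lineinfile:
    dest: /etc/selinux/config
    regexp: '^SELINUX='
    line: 'SELINUX=disabled'

- name: get the status of selinux
  shell: getenforce
  register: selinux_num
  changed_when: false   # read-only probe

- name: temporary change for system
  shell: setenforce 0
  # Fixed: getenforce prints Enforcing/Permissive/Disabled, never "1", so the
  # original condition could not match and setenforce never ran.
  when: selinux_num.stdout == "Enforcing"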

--[root@scsv01181 roles]# cat set_kernel_args/tasks/main.yml

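---
# Persist TCP/IP tuning and hardening parameters in /etc/sysctl.conf and apply
# them to the running kernel.
# Fixed: the original used lineinfile with regexp '^$', which rewrites the last
# blank line of the file and never matches an existing key, so every run
# appended duplicate entries. The sysctl module keys on the parameter name,
# sets the live value, and reloads the file (replacing the `sysctl -p` task).
- name: set kernel parameters in /etc/sysctl.conf
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.conf
    sysctl_set: true
    state: present
    reload: true
  loop:
    # enable SYN cookies (SYN-flood resilience)
    - { name: net.ipv4.tcp_syncookies, value: "1" }
    # allow TIME-WAIT sockets to be reused for new TCP connections
    - { name: net.ipv4.tcp_tw_reuse, value: "1" }
    # fast recycling of TIME-WAIT sockets
    # NOTE(review): tcp_tw_recycle breaks clients behind NAT and was removed
    # in Linux 4.12; on such kernels this item fails — confirm the target kernel.
    - { name: net.ipv4.tcp_tw_recycle, value: "1" }
    # keepalive probe interval when keepalive is enabled
    - { name: net.ipv4.tcp_keepalive_time, value: "600" }
    # SYN queue length
    - { name: net.ipv4.tcp_max_syn_backlog, value: "16384" }
    # maximum number of TIME_WAIT sockets held at once
    - { name: net.ipv4.tcp_max_tw_buckets, value: "36000" }
    # number of SYN,ACK retransmissions before giving up
    - { name: net.ipv4.tcp_synack_retries, value: "3" }
    # how long a locally-closed socket stays in FIN-WAIT-2
    - { name: net.ipv4.tcp_fin_timeout, value: "10" }
    # disable IP forwarding
    - { name: net.ipv4.ip_forward, value: "0" }
    # do not send ICMP redirects (all interfaces / default for new interfaces)
    - { name: net.ipv4.conf.all.send_redirects, value: "0" }
    - { name: net.ipv4.conf.default.send_redirects, value: "0" }
    # log packets with impossible (martian) source addresses
    - { name: net.ipv4.conf.all.log_martians, value: "1" }
    - { name: net.ipv4.conf.default.log_martians, value: "1" }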

--[root@scsv01181 roles]# cat set_timezone/tasks/main.yml

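---
# Set the system timezone. The timezone module is idempotent (reports
# "changed" only when the zone differs), unlike the original shell call.
- name: set the time local
  timezone:
    name: Asia/Shanghai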

--[root@scsv01181 roles]# cat set_ulimit_maxfiles/tasks/main.yml

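---
# Raise the open-file limit for all users in /etc/security/limits.conf.
# Fixed: the original used lineinfile with regexp '^$', which rewrote the last
# blank line and never updated an existing "* soft/hard nofile" entry, so
# repeated runs appended duplicates. pam_limits keys on domain/type/item.
# The original `shell: ulimit -n 65536` task is dropped: it only raised the
# limit of that one transient shell and had no effect on the host.
- name: configuration ulimit max files for system
  pam_limits:
    domain: '*'
    limit_type: "{{ item }}"
    limit_item: nofile
    value: "65536"
  loop:
    - soft
    - hard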

各 role 中引用的文件(copy 模块的 src)都直接放在该 role 自己的 files 目录下,src 路径以该目录为根目录。