RHCE Exam Notes

Published: 2025-07-15

RHCE practice exam

exam_start ehce

rht-vmctl start all


Pre-exam notes

• Do not change IP addresses. DNS resolves the full hostnames and also the short names.

• The root password on all systems is redhat.

• The user account devops has already been created on the Ansible control node and can be reached over ssh.

• All required images are kept in the image registry utility.lab.example.com.

  podman can log in to it with the following account:

  user: admin

  password: redhat

• All working files must be kept in /home/devops/ansible on the control node and be owned by devops.

• The default ansible-navigator configuration for devops is ~devops/.ansible-navigator.yml; refer to the file provided by the instructor.

• In this practice environment the firewall is off by default and SELinux is in enforcing mode. The files directory provides some extra files; the real exam provides them normally.

• Product documentation: http://materials.example.com/docs/

• The tool files used in the practice environment are provided at:

  http://materials.example.com/tools

  Download them with wget.

1. Install and configure Ansible

Install and configure Ansible on the control node workstation.lab.example.com:

– Install the required packages

– Create a static inventory file in /home/devops/ansible/ with the following requirements:

– servera is a member of the dev host group

– serverb is a member of the test and balancers host groups

– serverc and serverd are members of the prod host group

– the prod group is a member of the webservers host group


Create a configuration file named /home/devops/ansible/ansible.cfg with the following requirements:

– the inventory file is /home/devops/ansible/inventory

– the default collections directory is /home/devops/ansible/mycollections

– the default roles directory is /home/devops/ansible/roles
Answer:

The following is optional in the exam.
# vim settings for editing YAML
vim ~/.vimrc
autocmd FileType yaml setlocal ai ts=2 sw=2 et

###############################
setlocal ## apply the settings to the current buffer only
ai ## auto indent: a new line keeps the indentation of the previous one
ts ## tabstop=2: a tab is displayed as 2 columns
sw ## shiftwidth=2: indent by 2 columns
et ## expandtab: insert spaces instead of a tab character
###############################

# Configure the ansible-navigator execution environment
cd /home/devops/ansible/

vim ansible-navigator.yml

In the exam this file is provided; in the blogger's own environment it had to be typed by hand.

---
ansible-navigator:
  ansible:
    config:
      path: ./ansible.cfg

  color:
    osc4: false

  execution-environment:
    image: utility.lab.example.com/ee-supported-rhel8:latest

:wq
Step 1: log in to the control node

ssh -l devops workstation    # workstation is the hostname given here; use whatever the exam gives you

# Create the ansible working directories

mkdir -p /home/devops/ansible/

mkdir -p /home/devops/ansible/mycollections

mkdir -p /home/devops/ansible/roles

cd ansible


# Install the packages ansible needs
sudo dnf install ansible-navigator.noarch ansible rhel-system-roles.noarch -y    # three packages

# Log in to the container image registry
podman login utility.lab.example.com    # the registry given in the exam

admin    # user name given in the exam

redhat   # password given in the exam

# Check that ansible-navigator can pull and list the execution environment image
ansible-navigator images

# Configure ansible: write the configuration file
cd /home/devops/ansible

# Create the inventory
vim inventory

[dev]
servera

[test]
serverb

[balancers]
serverb

[prod]
serverc
serverd

[webservers:children]
prod

# Look at the full configuration template
[devops@workstation ansible]$ ansible-config init --disabled | less


# Write the configuration file based on the template
vim ansible.cfg

[defaults]                                   # general settings
remote_user=devops                           # user that initiates the ssh connection
inventory=/home/devops/ansible/inventory     # inventory file
#host_key_checking=False   # accepts unknown SSH host keys without asking; not needed in the exam, and it removes the protection host keys give against a spoofed managed node
#ask_pass=False            # do not prompt for the ssh password (no -k needed) once key-based login works
collections_path=/home/devops/ansible/mycollections
roles_path=roles:/home/devops/ansible/roles

[privilege_escalation]      # privilege escalation settings
become=yes
become_ask_pass=False
become_method=sudo
become_user=root

Not needed in the exam: copy the host's ssh private key into the VM so that logging in to the managed nodes needs no password.
scp root@172.25.250.250:/root/.ssh/id_rsa ~/.ssh/id_rsa

Note that this hands a root private key to the devops account; outside a throwaway lab, generate a key pair for devops with ssh-keygen and push only the public key with ssh-copy-id.



# View the inventory
ansible-navigator inventory -m stdout --graph

... output omitted ...
@all:
 |--@balancers:
 | |--serverb
 |--@dev:
 | |--servera
 |--@test:
 | |--serverb
 |--@ungrouped:
 |--@webservers:
 | |--@prod:
 | | |--serverc
 | | |--serverd
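The graph above is what ansible-navigator prints once the inventory and ansible.cfg are in place. As an added example that is not part of the original notes, the script below resolves the same INI inventory offline, expanding [group:children] the way Ansible does, so you can check which hosts a play targeting webservers or balancers will actually reach before running anything against them. The sample inventory is constructed inline with the same content as the file written above; the functions assume bare hostnames with no ranges or variables.

```shell
#!/bin/sh
# Added example, not from the original notes: resolve an INI inventory
# offline, expanding [group:children], so the hosts a play will reach can
# be checked before anything is run against them. Assumes the layout used
# above: bare hostnames, no ranges, no host or group variables.

# Constructed sample, same content as the inventory written above.
SAMPLE_INVENTORY='[dev]
servera

[test]
serverb

[balancers]
serverb

[prod]
serverc
serverd

[webservers:children]
prod
'

# hosts_in <group> <inventory-file>: hosts of <group>, one per line,
# sorted and de-duplicated, following :children recursively.
hosts_in() {
    awk -v want="$1" '
        function expand(g, depth,    n, i, parts) {
            if (depth > 32) { print "cycle at " g > "/dev/stderr"; exit 2 }
            n = split(hosts[g], parts, " ")
            for (i = 1; i <= n; i++) if (parts[i] != "") seen[parts[i]] = 1
            n = split(kids[g], parts, " ")
            for (i = 1; i <= n; i++) if (parts[i] != "") expand(parts[i], depth + 1)
        }
        /^[[:space:]]*(#|$)/ { next }                 # blank lines and comments
        /^\[/ {                                       # [name], [name:children], [name:vars]
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            kind = "hosts"
            if (sub(/:children$/, "", sec)) kind = "children"
            else if (sub(/:vars$/, "", sec)) kind = "vars"
            next
        }
        kind == "hosts"    { hosts[sec] = hosts[sec] " " $1 }
        kind == "children" { kids[sec]  = kids[sec]  " " $1 }
        END { expand(want, 0); for (h in seen) print h }
    ' "$2" | sort -u
}

# groups_of <host> <inventory-file>: every group containing <host>,
# directly or through :children, space separated and sorted.
groups_of() {
    out=""
    for g in $(grep -o '^\[[^]:]*' "$2" | tr -d '[' | sort -u); do
        hosts_in "$g" "$2" | grep -qx "$1" && out="$out $g"
    done
    printf '%s\n' "${out# }"
}

# Stand-alone demo: same picture as ansible-navigator inventory --graph.
inv=$(mktemp); printf '%s' "$SAMPLE_INVENTORY" > "$inv"
for g in dev test balancers prod webservers; do
    printf '%-11s %s\n' "$g:" "$(hosts_in "$g" "$inv" | xargs)"
done
rm -f "$inv"
```

Run it as `sh resolve_inventory.sh`; `hosts_in webservers` returns serverc and serverd through the prod child group, and `groups_of serverb` returns balancers and test, which is the membership the later tasks (roles.yml on balancers, partition.yml on balancers) depend on.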




2. Create yum repositories

As the system administrator you need to install software on the managed nodes.

• Create the playbook /home/devops/ansible/yum_repo.yml, which on every managed node

• creates the following yum repositories:

– Repository 1:

• the repository name is RH294_BASE

• the description is RH294 base software

• the BaseURL is:

    http://content.example.com/rhel9.0/x86_64/dvd/BaseOS

• GPG signature checking is enabled

• the GPG key URL is:

    http://content.example.com/rhel9.0/x86_64/dvd/RPM-GPG-KEY-redhat-release

• the repository is enabled


– Repository 2:

• the repository name is RH294_STREAM

• the description is RH294 stream software

• the BaseURL is:

    http://content.example.com/rhel9.0/x86_64/dvd/AppStream

• GPG signature checking is enabled

• the GPG key URL is:

    http://content.example.com/rhel9.0/x86_64/dvd/RPM-GPG-KEY-redhat-release

• the repository is enabled

Answer:



1. Create the playbook
[devops@workstation ansible]$ vim /home/devops/ansible/yum_repo.yml

2. Contents
# To find the module for this task use
# ansible-doc -l | grep <keyword>   to filter module names
# ansible-doc <module>              to read its help
# the EXAMPLES section of the help shows how the module is used

---
- name: install repo
  hosts: all
  tasks:
    - name: add repo RH294_BASE (1/2)
      ansible.builtin.yum_repository:
        name: RH294_BASE
        file: rhel                 # both repos land in /etc/yum.repos.d/rhel.repo
        description: RH294 base software
        baseurl: http://content.example.com/rhel9.0/x86_64/dvd/BaseOS
        gpgcheck: yes
        gpgkey: http://content.example.com/rhel9.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
        enabled: yes

    - name: add repo RH294_STREAM (2/2)
      ansible.builtin.yum_repository:
        name: RH294_STREAM
        file: rhel
        description: RH294 stream software
        baseurl: http://content.example.com/rhel9.0/x86_64/dvd/AppStream
        gpgcheck: yes
        gpgkey: http://content.example.com/rhel9.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
        enabled: yes

ansible-navigator run yum_repo.yml -m stdout
3. Test
[devops@workstation ansible]$ ansible all -m shell -a 'cat /etc/yum.repos.d/rhel.repo'
[devops@workstation ansible]$ ansible all -m shell -a 'dnf clean all'
[devops@workstation ansible]$ ansible all -m shell -a 'dnf makecache'
[devops@workstation ansible]$ ansible all -m shell -a 'yum repolist'
[devops@workstation ansible]$ ansible all -m shell -a 'dnf install httpd -y'
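Reading rhel.repo by eye is enough for two repositories, but the property that actually matters is that no enabled repository lets dnf install unsigned packages. As an added example that is not part of the original notes, the script below audits a .repo file and reports every enabled repository whose gpgcheck is not 1 or that names no gpgkey. The sample file is constructed inline: the two repositories the playbook writes plus a hypothetical unsigned_extras entry so the check has something to flag.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the .repo file the
# playbook above writes and report every enabled repository that does not
# enforce GPG signature checking or names no gpgkey. Assumes the INI layout
# dnf uses (one [section] per repository, key = value lines).

# Constructed sample: the two repositories above plus a deliberately weak
# hypothetical one, to show what the check flags.
SAMPLE_REPO='[RH294_BASE]
name = RH294 base software
baseurl = http://content.example.com/rhel9.0/x86_64/dvd/BaseOS
gpgcheck = 1
gpgkey = http://content.example.com/rhel9.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
enabled = 1

[RH294_STREAM]
name = RH294 stream software
baseurl = http://content.example.com/rhel9.0/x86_64/dvd/AppStream
gpgcheck = 1
gpgkey = http://content.example.com/rhel9.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
enabled = 1

[unsigned_extras]
name = hypothetical repo that would accept unsigned packages
baseurl = http://content.example.com/extras
gpgcheck = 0
enabled = 1
'

# weak_repos <repo-file>: print "<repo> <reason>" for each enabled
# repository whose packages would be installed without verification.
weak_repos() {
    awk '
        function flush(    reason) {
            if (sec == "") return
            if (enabled == "0") return             # a disabled repo installs nothing
            if (gpgcheck != "1") {
                reason = (gpgcheck == "") ? "gpgcheck=unset" : "gpgcheck=" gpgcheck
                print sec, reason
            } else if (gpgkey == "") {
                print sec, "no gpgkey"             # gpgcheck=1 but nothing to verify against
            }
        }
        /^[[:space:]]*(#|;|$)/ { next }
        /^\[/ {
            flush()
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            enabled = ""; gpgcheck = ""; gpgkey = ""
            next
        }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey   = val
        }
        END { flush() }
    ' "$1"
}

# weak_repo_count <repo-file>: number of findings; 0 means every enabled
# repository verifies package signatures.
weak_repo_count() {
    weak_repos "$1" | awk 'END { print NR }'
}

# Stand-alone demo against the constructed sample.
repo=$(mktemp); printf '%s' "$SAMPLE_REPO" > "$repo"
weak_repos "$repo"
echo "findings: $(weak_repo_count "$repo")"
rm -f "$repo"
```

On a managed node you would point it at the real file, for example `weak_repos /etc/yum.repos.d/rhel.repo`, and treat a non-zero count as a failed check; a repo with no enabled= line counts as enabled, which is how dnf treats it.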

3. Install collections

As devops, install the following collections from the resource URL onto workstation.lab.example.com:

• redhat-rhel_system_roles-1.16.2.tar.gz

• ansible-posix-1.4.0.tar.gz

• community-general-4.3.0.tar.gz

• Resource URL:

    http://materials.example.com/tools

The collections must be installed into the default collections directory /home/devops/ansible/mycollections

Answer:

#1. Download the resources
[devops@workstation ansible]$ wget http://materials.example.com/tools/redhat-rhel_system_roles-1.16.2.tar.gz
[devops@workstation ansible]$ wget http://materials.example.com/tools/ansible-posix-1.4.0.tar.gz
[devops@workstation ansible]$ wget http://materials.example.com/tools/community-general-4.3.0.tar.gz

#2. Install the collections (collections_path in ansible.cfg puts them under mycollections)
[devops@workstation ansible]$ ansible-galaxy collection install ansible-posix-1.4.0.tar.gz --force
[devops@workstation ansible]$ ansible-galaxy collection install community-general-4.3.0.tar.gz --force
[devops@workstation ansible]$ ansible-galaxy collection install redhat-rhel_system_roles-1.16.2.tar.gz --force

#3. List the collections
[devops@workstation ansible]$ ansible-galaxy collection list
Output:
# /home/devops/ansible/mycollections/ansible_collections
Collection               Version
------------------------ -------
ansible.posix            1.4.0
community.general        4.3.0
redhat.rhel_system_roles 1.16.2

4. Install packages

• Create a playbook named packages.yml:

– install the php and mariadb packages on the hosts in the dev, test and prod groups

– install the RPM Development Tools package group on the hosts in the dev group

– update all packages on the hosts in the dev group to the latest version

Answer:

#1. Write packages.yml
[devops@workstation ansible]$ vim packages.yml

#2. Contents of packages.yml
---
- name: install php and mariadb
  hosts: dev,test,prod
  tasks:
    - name: install php and mariadb
      ansible.builtin.dnf:
        name:
          - php
          - mariadb
        state: latest


- name: install development tools and update software
  hosts: dev
  tasks:
    - name: install development tools
      ansible.builtin.dnf:
        name: "@RPM Development Tools"   # @ denotes a package group
        state: latest
    - name: update software
      ansible.builtin.dnf:
        name: '*'                        # * means every installed package
        state: latest

#3. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout packages.yml

# Test:
[devops@workstation ansible]$ ansible all -m shell -a 'rpm -qa | grep -E "php|httpd|mariadb"'
[devops@workstation ansible]$ ansible all -m shell -a 'dnf history'

5. Use a role

Create a playbook named selinux.yml with these requirements:

– it runs on all managed nodes

– it uses the selinux role

– it sets the SELinux policy to targeted

– it sets the SELinux state to enforcing

Explanation:

What is a role?

A playbook keeps everything in one file; a role splits the parts out into their own directories.

$ ansible-galaxy init apache   # create a role

$ ansible-galaxy list          # list roles

After a role is created, its subdirectories (tasks, templates, handlers and so on) hold what the playbook would otherwise contain, and the playbook then just references the role under roles.

Answer:

How to use a system role

The task requires the selinux role, which ships with the system roles package.

$ rpm -qa | grep role   # selinux is a system role, so find the system roles package: rhel-system-roles-1.23.0-2.21.el9.noarch

$ rpm -qd rhel-system-roles-1.23.0-2.21.el9.noarch | grep selinux-playbook   # find the example playbook in the package documentation

$ less /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml   # read the example to see how the role is used

~]$ ansible-galaxy list | grep selinux   # list the installed roles and reference one under roles in the playbook

rhel-system-roles.selinux, (unknown version)   # as a collection role this is written redhat.rhel_system_roles.selinux: prefix redhat. and replace the dash with an underscore

linux-system-roles.selinux, (unknown version)

Finally write the playbook following the example.

#1. Look at the role example
[devops@workstation ansible]$ rpm -qa | grep role
rhel-system-roles-1.23.0-2.21.el9.noarch

[devops@workstation ansible]$ rpm -qd rhel-system-roles-1.23.0-2.21.el9.noarch | grep selinux-playbook
/usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/docs/selinux/selinux-playbook.yml
/usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml

[devops@workstation ~]$ less  /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml

#2. List the system roles
[devops@workstation ~]$ ansible-galaxy list | grep selinux
- rhel-system-roles.selinux, (unknown version)            # prefix redhat. and replace the dash with an underscore
- linux-system-roles.selinux, (unknown version)


#3. Write the playbook selinux.yml
[devops@workstation ansible]$ vim selinux.yml
---
- name: Manage SELinux policy example
  hosts: all
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  roles:
    - redhat.rhel_system_roles.selinux

#4. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout selinux.yml

#5. Test
[devops@workstation ansible]$ ansible servera -m shell -a 'cat /etc/sysconfig/selinux'

6. Install roles with Ansible Galaxy

• Create the file /home/devops/ansible/roles/requirements.yaml to download and install roles into /home/devops/ansible/roles/

– role name: balancer, from http://materials.example.com/tools/haproxy.tar

– role name: phpinfo, from http://materials.example.com/tools/phpinfo.tar

Answer:

Write the requirements file roles/requirements.yaml as required (it is a requirements file, not a playbook).

#1. Edit roles/requirements.yaml
[devops@workstation ansible]$ vim roles/requirements.yaml

#2. Contents
- src: http://materials.example.com/tools/haproxy.tar
  name: balancer

- src: http://materials.example.com/tools/phpinfo.tar
  name: phpinfo

#3. Run the install
[devops@workstation ansible]$ ansible-galaxy install -r roles/requirements.yaml -p roles/

#4. Test
[devops@workstation ansible]$ ansible-galaxy list
# /home/devops/ansible/roles
- balancer, (unknown version)
- phpinfo, (unknown version)

7. Create and use a role

Create a role named apache in /home/devops/ansible/roles with these requirements:

– it installs the httpd package, enables it at boot and starts it immediately

• it enables the firewall and allows web traffic

• the template file index.html.j2 is used to create /var/www/html/index.html with the content:

    Welcome to HOSTNAME on IPADDRESS, where HOSTNAME and IPADDRESS come from facts

• create a playbook named newrole.yml that uses this role

• the playbook runs on the webservers host group

Answer:

What are facts?

ansible all -m setup | less   # show all facts. Facts are the resource information of a managed host expressed as key/value pairs; nested keys are referenced with a dot

ansible-playbook test.yml   # run a playbook

What is a j2 template?

A file ending in .j2 is a Jinja2 template: variables, including facts, are referenced inside {{ }}. The playbook then uses the template module, where src is the path of the .j2 file and dest is the file generated on the managed node; the rendered output contains the values of the variables.

#1. Make sure the roles directory exists (it was created in task 1)
[devops@workstation ansible]$ mkdir  roles

#2. Point ansible.cfg at the roles directory
[devops@workstation ansible]$ vim ansible.cfg
[defaults]
remote_user=devops
inventory=/home/devops/ansible/inventory
collections_path=/home/devops/ansible/mycollections
host_key_checking=False
roles_path=roles:/home/devops/ansible/roles                # roles directory

[privilege_escalation]
become=True
become_method=sudo
become_ask_pass=False
become_user=root


#3. Create the role skeleton
[devops@workstation ansible]$ cd roles
[devops@workstation roles]$ ansible-galaxy init apache
- Role apache was created successfully

#4. List the roles
[devops@workstation roles]$ cd ..
[devops@workstation ansible]$ ansible-galaxy list
# /home/devops/ansible/roles
- apache, (unknown version)
- balancer, (unknown version)
- phpinfo, (unknown version)
# /home/devops/ansible/roles
- apache, (unknown version)
- balancer, (unknown version)
- phpinfo, (unknown version)
(the directory is listed twice because roles_path names it twice: once as the relative roles and once by its absolute path)

#5. Create the template index.html.j2
[devops@workstation ansible]$ cd roles/apache/
[devops@workstation apache]$ vim templates/index.html.j2
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}

#6. Create the role tasks
[devops@workstation apache]$ vim tasks/main.yml
---
# tasks file for apache
- name: install httpd rpm
  ansible.builtin.dnf:
    name: httpd
    state: present

- name: install firewalld
  ansible.builtin.dnf:
    name: firewalld
    state: present

- name: Start service httpd, if not started
  ansible.builtin.service:
    name: httpd
    state: started
    enabled: true

- name: Start service firewalld, if not started
  ansible.builtin.service:
    name: firewalld
    state: started
    enabled: true

- name: firewall rule
  ansible.posix.firewalld:
    service: http
    permanent: yes
    state: enabled
    immediate: yes

- name: Create a index.html
  ansible.builtin.template:
    src: index.html.j2
    dest: /var/www/html/index.html

#7. Write the playbook newrole.yml that uses the role
[devops@workstation apache]$ cd ~/ansible/
[devops@workstation ansible]$ vim newrole.yml
---
- name: create httpd service
  hosts: webservers
  roles:
    - apache

#8. Run newrole.yml
[devops@workstation ansible]$ ansible-navigator run -m stdout newrole.yml

#9. Where to look for help
[devops@workstation ansible]$ ansible-doc template
[devops@workstation ansible]$ ansible-doc service
[devops@workstation ansible]$ ansible-doc firewalld
[devops@workstation ansible]$ ansible all -m setup # look up facts

#10. Test
[devops@workstation ansible]$ curl  serverc
Welcome to serverc.lab.example.com on 172.25.250.12
[devops@workstation ansible]$ curl  serverd
Welcome to serverd.lab.example.com on 172.25.250.13

8. Use roles from Ansible Galaxy

Create a playbook named roles.yml that meets these requirements:

– The playbook runs on the balancers host group and uses the balancer role.

– This role configures a load balancer for the webservers host group. After it has run,

visiting http://serverb.lab.example.com shows the following output:

• Welcome to serverc.lab.example.com on 172.25.250.12

• Welcome to serverd.lab.example.com on 172.25.250.13

• Another play in this playbook uses the phpinfo role on the webservers host group. After it has

run, visiting /hello.php on every host in the group shows:

– Hello World from FQDN

• FQDN comes from facts

• The page also shows the PHP configuration of each managed host

Answer:

#1. Write the playbook roles.yml
[devops@workstation ansible]$ vim roles.yml
---
- name: phpinfo
  hosts: webservers
  roles:
    - phpinfo
- name: balancers
  hosts: balancers
  roles:
    - balancer
  tasks:
  - name: permit port 80
    ansible.posix.firewalld:
      service: http
      permanent: yes
      state: enabled
      immediate: yes

#2. Run the playbook
[devops@workstation ansible]$ ansible-navigator run roles.yml -m stdout


#3. Test (the balancer alternates between the two web servers)
[devops@workstation ansible]$ curl http://serverb.lab.example.com
Welcome to serverc.lab.example.com on 172.25.250.12
[devops@workstation ansible]$ curl http://serverb.lab.example.com
Welcome to serverd.lab.example.com on 172.25.250.13
[devops@workstation ansible]$ curl http://serverb.lab.example.com
Welcome to serverc.lab.example.com on 172.25.250.12
[devops@workstation ansible]$ curl http://serverb.lab.example.com
Welcome to serverd.lab.example.com on 172.25.250.13

curl http://serverb.lab.example.com/hello.php

9. Create and use a partition

Create a playbook named partition.yml with these requirements:

– the playbook contains one play, which runs on the hosts in the balancers host group

• it creates a single primary partition, number 1, of 1500 MiB on device vdb

• it formats the partition with the ext4 filesystem

• it mounts the filesystem permanently on /newpart

• if a partition of the requested size cannot be created, the error message

– Could not create partition of that size

- is shown and a size of 800 MiB is used instead

• if device vdd does not exist, the error message

– Disk does not exist

is shown

Preface:

The code used in this task can be copied from the module help:

[devops@workstation ansible]$ ansible-doc debug	| less	# the playbook equivalent of echo
[devops@workstation ansible]$ ansible-doc parted | less	# partitioning module
[devops@workstation ansible]$ ansible-doc filesystem |less	# formatting module
[devops@workstation ansible]$ ansible-doc file | less	# creates files, directories and so on
[devops@workstation ansible]$ ansible-doc mount | less		# mounting module

Answer:

#1. Write the playbook
[devops@workstation ansible]$ vim partition.yml
---
- name: create partitions and set filesystem
  hosts: balancers
  tasks:
    - name: check device                  # report when the disk is missing
      ansible.builtin.debug:
        msg: Disk does not exist
      when: ansible_facts['devices']['vdb'] is not defined

    - name: create partition              # try the 1500 MiB partition first
      block:
        - name: create 1500M vdb1
          community.general.parted:
            device: /dev/vdb
            number: 1
            state: present
            part_end: 1500MiB
          when: ansible_facts['devices']['vdb'] is defined
      rescue:                             # parted fails when the disk is too small
        - name: report the failure
          ansible.builtin.debug:
            msg: Could not create partition of that size

        - name: create 800M vdb1          # fall back to 800 MiB
          community.general.parted:
            device: /dev/vdb
            number: 1
            state: present
            part_end: 800MiB
          when: ansible_facts['devices']['vdb'] is defined
      always:
        - name: format vdb1               # format the partition
          community.general.filesystem:
            fstype: ext4
            dev: /dev/vdb1
          when: ansible_facts['devices']['vdb'] is defined

        - name: create mount point        # create the mount point
          ansible.builtin.file:
            path: /newpart
            state: directory
          when: ansible_facts['devices']['vdb'] is defined

        - name: mount vdb1                # mount the partition permanently (writes /etc/fstab)
          ansible.posix.mount:
            path: /newpart
            src: /dev/vdb1
            state: mounted
            fstype: ext4
          when: ansible_facts['devices']['vdb'] is defined

The last requirement names vdd, but this answer checks the device it actually partitions, vdb; use whatever device name the exam text gives in the fact lookup.

#2. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout partition.yml

#3. Test
[devops@workstation ansible]$ ansible all -m shell -a 'df -h /newpart'
servera | CHANGED | rc=0 >>
Filesystem      Size  Used Avail Use% Mounted on
/dev/vdb1       733M   24K  680M   1% /newpart
serverb | FAILED | rc=1 >>
df: /newpart: No such file or directorynon-zero return code
serverd | CHANGED | rc=0 >>
Filesystem      Size  Used Avail Use% Mounted on
/dev/vdb1       1.4G   24K  1.3G   1% /newpart
serverc | CHANGED | rc=0 >>
Filesystem      Size  Used Avail Use% Mounted on
/dev/vdb1       733M   24K  680M   1% /newpart

Extension:

-  name:
   block:     # the tasks to try; if one fails, rescue runs
     - name:
   rescue:    # runs only when a task in block failed
     - name:
   always:    # runs regardless of whether block and rescue succeeded
     - name:
     ...

10. Generate a hosts file

Copy the template file http://materials.example.com/tools/hosts.j2 into /home/devops/ansible and complete it so that it generates the /etc/myhosts file on the managed nodes. Create a playbook named hosts.yml that applies this template to the dev host group. The final content of /etc/myhosts is:

127.0.0.1 localhost localhost.localdomain localhost4

localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.25.250.10 servera.lab.example.com servera

172.25.250.11 serverb.lab.example.com serverb

172.25.250.12 serverc.lab.example.com serverc

172.25.250.13 serverd.lab.example.com serverd

Preface:

What are magic variables? hostvars

Magic variables are Ansible's built-in variables: what Ansible itself knows about the hosts and groups in the inventory.

Facts are the information gathered from the managed nodes while they work, such as hostname and IP address.

Viewing magic variables ad hoc

 ansible all -m debug -a 'var=hostvars'

Viewing magic variables from a playbook

Taking values from magic variables

The for loop in a j2 template

{% for i in groups.all %}

{{ hostvars[i]['...']['...'] }} {{ hostvars[i]['...'] }} {{ hostvars[i]['...'] }}

{% endfor %}

Answer:

[devops@workstation ansible]$ wget http://materials.example.com/tools/hosts.j2

Edit the j2 file

Edit the playbook

Run and test

[devops@workstation ansible]$ ansible-navigator run hosts.yml -m stdout
[devops@workstation ansible]$ ansible dev -m shell -a 'cat /etc/myhosts'



#1. Create the j2 template
[devops@workstation ansible]$ wget http://materials.example.com/tools/hosts.j2

[devops@workstation ansible]$ vim hosts.j2
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
{% for item in groups.all %}
{{ hostvars[item]['ansible_default_ipv4']['address'] }} {{ hostvars[item]['ansible_fqdn'] }} {{ hostvars[item]['ansible_hostname'] }}
{% endfor %}

#2. Create the playbook hosts.yml
---
- name: update /etc/myhosts on dev
  hosts: all                 # facts are needed from every host so hostvars is complete for the template
  tasks:
  - name: setup files
    ansible.builtin.template:
      src: hosts.j2
      dest: /etc/myhosts
    when: inventory_hostname in groups.dev   # but the file is only written on dev

#3. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout hosts.yml

#4. Test:
[devops@workstation ansible]$ ansible all -m shell -a 'cat /etc/myhosts'
servera | CHANGED | rc=0 >>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd

11. Modify file content

Create a playbook named issue.yml with these requirements:

– the playbook runs on all managed nodes

• the playbook overwrites the content of /etc/issue:

• on the hosts in the dev host group the content is: Development; on the hosts in the test host group the content is: Test

• on the hosts in the prod host group the content is: Production

Answer:

#1. Write the playbook issue.yml
[devops@workstation ansible]$ vim issue.yml
---
- name: update /etc/issue
  hosts: all
  tasks:
  - name: update /etc/issue for dev
    ansible.builtin.copy:
      content: Development
      dest: /etc/issue
    when: inventory_hostname in groups.dev

  - name: update /etc/issue for test
    ansible.builtin.copy:
      content: Test
      dest: /etc/issue
    when: inventory_hostname in groups.test

  - name: update /etc/issue for prod
    ansible.builtin.copy:
      content: Production
      dest: /etc/issue
    when: inventory_hostname in groups.prod

#2. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout issue.yml

#3. Test
[devops@workstation ansible]$ ansible-navigator inventory -m stdout --graph
@all:
  |--@balancers:
  |  |--serverb
  |--@dev:
  |  |--servera
  |--@test:
  |  |--serverb
  |--@ungrouped:
  |--@webservers:
  |  |--@prod:
  |  |  |--serverc
  |  |  |--serverd
[devops@workstation ansible]$ ansible all -m shell -a "cat /etc/issue"
serverc | CHANGED | rc=0 >>
Production
serverd | CHANGED | rc=0 >>
Production
servera | CHANGED | rc=0 >>
Development
serverb | CHANGED | rc=0 >>
Test

12. Create a web content directory

Create a playbook named webcontent.yml as described below:

– the playbook runs on the managed nodes in the dev host group

– it creates the directory /webdev with owner webdev and group root

– with the regular permissions owner=read+write+execute,

    group=read+write+execute, other=read+execute

– with the special permission set group ID

– /var/www/html/webdev is a symbolic link to /webdev

– it creates the file /webdev/index.html with the content: Red Hat Ansible

– browsing this directory on a host in the dev host group (for example

    http://servera.lab.example.com/webdev/index.html ) produces the following output:

    Red Hat Ansible

Answer:

#1. Write the playbook
[devops@workstation ansible]$ vim webcontent.yml
---
- name: create webdev
  hosts: dev
  tasks:
  - name: create user
    ansible.builtin.user:
      name: webdev

  - name: install web server
    ansible.builtin.dnf:
      name: httpd
      state: latest

  - name: start web server
    ansible.builtin.service:
      name: httpd
      enabled: yes
      state: started


  - name: create webdev directory
    ansible.builtin.file:
      path: /webdev
      owner: webdev
      group: root
      mode: '2775'                   # rwxrwsr-x: the leading 2 is the setgid bit
      state: directory
      setype: httpd_sys_content_t    # SELinux is enforcing, so httpd needs this label to read outside /var/www; setype relabels once, a restorecon would undo it unless a community.general.sefcontext rule is added as well

  - name: create link for webdev
    ansible.builtin.file:
      src: /webdev
      dest: /var/www/html/webdev
      state: link

  - name: write message for webdev/index.html
    ansible.builtin.copy:
      dest: /var/www/html/webdev/index.html
      content: "Red Hat Ansible"
      setype: httpd_sys_content_t

  - name: set firewalld for web
    ansible.posix.firewalld:
      service: http
      permanent: yes
      state: enabled
      immediate: yes

#2. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout webcontent.yml

#3. Test
[devops@workstation ansible]$ curl http://servera.lab.example.com/webdev/index.html
Red Hat Ansible

#4. Module help
[devops@workstation ansible]$ ansible-doc file
[devops@workstation ansible]$ ansible-doc copy
[devops@workstation ansible]$ ansible-doc firewalld
[devops@workstation ansible]$ ansible-doc user

13. Generate a hardware report

Create a playbook named hwreport.yml that generates the file

/root/hwreport.txt on all managed hosts, containing:

– the inventory host name, the total memory in MB, the BIOS version

• the size of disk device vda

• the size of disk device vdb

• every line of the output file holds one key=value pair; the playbook should start from

the template file files/13/hwreport.empty and save it as /root/hwreport.txt

• then fill /root/hwreport.txt with the correct values

• if a hardware item does not exist, the corresponding value is NONE

Answer:

#1. Download the empty report
[devops@workstation ansible]$ wget  http://materials.example.com/tools/hwreport.empty

#2. Write the playbook
[devops@workstation ansible]$ vim hwreport.yml
---
- name: update hwinfo
  hosts: all
  tasks:
  - name: create hwreport file
    ansible.builtin.copy:
      src: /home/devops/ansible/hwreport.empty
      dest: /root/hwreport.txt

  - name: update hostname
    ansible.builtin.lineinfile:
      path: /root/hwreport.txt
      regexp: '^HOST='
      line: 'HOST={{ inventory_hostname }}'

  - name: update memory
    ansible.builtin.lineinfile:
      path: /root/hwreport.txt
      regexp: '^MEMORY='
      line: 'MEMORY={{ ansible_memtotal_mb }} MB'   # regexp and line must name the same key, or every run appends a new line

  - name: update BIOS version
    ansible.builtin.lineinfile:
      path: /root/hwreport.txt
      regexp: '^BIOS='
      line: 'BIOS={{ ansible_bios_version }}'

  - name: update vda info
    ansible.builtin.lineinfile:
      path: /root/hwreport.txt
      regexp: "^DISK_SIZE_VDA="
      line: "DISK_SIZE_VDA={{ ansible_devices.vda.size | default('NONE') }}"

  - name: update vdb info
    ansible.builtin.lineinfile:
      path: /root/hwreport.txt
      regexp: "^DISK_SIZE_VDB="
      line: "DISK_SIZE_VDB={{ ansible_devices.vdb.size | default('NONE') }}"

  - name: update vdc info
    ansible.builtin.lineinfile:
      path: /root/hwreport.txt
      regexp: "^DISK_SIZE_VDC="
      line: "DISK_SIZE_VDC={{ ansible_devices.vdc.size | default('NONE') }}"

#3. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout hwreport.yml

#4. Test
[devops@workstation ansible]$ ansible all -m shell -a 'cat /root/hwreport.txt'
serverd | CHANGED | rc=0 >>
# Hardware report
HOST=serverd
MEMORY=960 MB
BIOS=1.16.3-2.el9
DISK_SIZE_VDA=10.00 GB
DISK_SIZE_VDB=2.00 GB
DISK_SIZE_VDC=NONE
serverc | CHANGED | rc=0 >>
# Hardware report
HOST=serverc
MEMORY=960 MB
BIOS=1.16.3-2.el9
DISK_SIZE_VDA=10.00 GB
DISK_SIZE_VDB=1.00 GB
DISK_SIZE_VDC=NONE
serverb | CHANGED | rc=0 >>
# Hardware report
HOST=serverb
MEMORY=960 MB
BIOS=1.16.3-2.el9
DISK_SIZE_VDA=1.00 GB
DISK_SIZE_VDB=10.00 GB
DISK_SIZE_VDC=NONE
servera | CHANGED | rc=0 >>
# Hardware report
HOST=servera
MEMORY=960 MB
BIOS=1.16.3-2.el9
DISK_SIZE_VDA=10.00 GB
DISK_SIZE_VDB=1.00 GB
DISK_SIZE_VDC=NONE

# Module help
[devops@workstation ansible]$ ansible-doc lineinfile
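lineinfile only stays idempotent when the regexp matches the line it writes: if the regexp looks for MEMORY= but the line starts with a misspelt MEMOYR=, the first run replaces the key and every later run finds no match and appends another line. As an added example that is not part of the original notes, the script below models the module's replace-last-match-or-append behaviour in shell and counts what a correct and a mismatched task leave behind after three runs against a constructed copy of the report skeleton.

```shell
#!/bin/sh
# Added example, not from the original notes: a shell model of what
# ansible.builtin.lineinfile does with regexp + line, used to measure the
# idempotency of the tasks above. Only the "replace the last matching line,
# otherwise append" behaviour is modelled (no backrefs, no insertafter).

# lineinfile <file> <regexp> <line>: rewrite <file> in place and print
# "changed" or "ok", mirroring the module's result.
lineinfile() {
    li_file=$1 li_re=$2 li_line=$3
    li_tmp=$(mktemp); li_rc=0
    awk -v re="$li_re" -v new="$li_line" '
        BEGIN { last = 0 }
        { buf[NR] = $0; if ($0 ~ re) last = NR }
        END {
            n = NR; changed = 0
            if (last == 0)             { buf[++n] = new; changed = 1 }   # no match: append
            else if (buf[last] != new) { buf[last] = new; changed = 1 }  # match: replace
            for (i = 1; i <= n; i++) print buf[i]
            exit (changed ? 3 : 0)
        }
    ' "$li_file" > "$li_tmp" || li_rc=$?
    mv "$li_tmp" "$li_file"
    [ "$li_rc" -eq 3 ] && echo changed || echo ok
}

# memo_lines_after <runs> <regexp> <line>: apply the same task <runs> times
# to a fresh copy of the report skeleton and return how many lines starting
# with MEMO it ends up with. An idempotent task leaves exactly one.
memo_lines_after() {
    f=$(mktemp)
    printf '# Hardware report\nHOST=\nMEMORY=\nBIOS=\n' > "$f"   # constructed stand-in for hwreport.empty
    i=0
    while [ "$i" -lt "$1" ]; do
        lineinfile "$f" "$2" "$3" > /dev/null
        i=$((i + 1))
    done
    grep -c '^MEMO' "$f"
    rm -f "$f"
}

# Stand-alone demo: the corrected task converges; a regexp/line mismatch
# appends a new line on every run.
echo "correct task, 3 runs: $(memo_lines_after 3 '^MEMORY=' 'MEMORY=960 MB') MEMO* line(s)"
echo "mismatched task, 3 runs: $(memo_lines_after 3 '^MEMORY=' 'MEMOYR=960 MB') MEMO* line(s)"
```

The same check works on the real thing: run hwreport.yml twice and the second run should report no changed tasks for the lineinfile steps; a task that is changed every time is the symptom of this mismatch.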

14. Create a password vault

Create an ansible vault file named locker.yml that stores user passwords:

• the vault file contains two variables, named as follows:

– pw_developer: Imadev

• pw_manager: Imamgr; the encryption/decryption password is redhat

• the password is stored in /home/devops/ansible/secret.txt.

Answer:

[devops@workstation ansible]$ echo redhat > secret.txt
[devops@workstation ansible]$ chmod  600 secret.txt        # the vault password sits in clear text here, so only devops may read it
[devops@workstation ansible]$ vim ansible.cfg
[defaults]
remote_user=devops
inventory=/home/devops/ansible/inventory
collections_path=/home/devops/ansible/mycollections
host_key_checking=False
roles_path=roles:/home/devops/ansible/roles
vault_password_file=/home/devops/ansible/secret.txt            # new line

[privilege_escalation]
become=True
become_method=sudo
become_ask_pass=False
become_user=root


[devops@workstation ansible]$ ansible-vault create locker.yml
pw_developer: Imadev
pw_manager: Imamgr

[devops@workstation ansible]$ cat locker.yml
$ANSIBLE_VAULT;1.1;AES256
30303762626134373335623831383633386562353261613339363163323761346435623832623133
6638636262356664623036653130623139653332323234330a366631666666383935636134366466
33386365633062636366313537643963346138336439646666333434663531393337366337643333
3865623966333136360a623537623637623335363739383635386164323063313762303334646637
35343037653464326166336233636237396361306163346431323763353263633134366464386134
3861346561623131336361353864313836363733363830316165

[devops@workstation ansible]$ ansible-vault view locker.yml
pw_developer: Imadev
pw_manager: Imamgr
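Two things can silently go wrong with this setup: secret.txt ends up world-readable, or a "vault" file is saved in plaintext (for example after editing it with vim instead of ansible-vault edit) and the pw_* values leak. As an added example that is not part of the original notes, the script below reads vault_password_file from an ansible.cfg, checks that the file is mode 0600, and checks that each vault file starts with the $ANSIBLE_VAULT header. The files it runs against are constructed in a temporary directory; it assumes the symbolic mode string is the first field of ls -l output.

```shell
#!/bin/sh
# Added example, not from the original notes: check the vault setup from
# this step before depending on it. It reads vault_password_file from an
# ansible.cfg, verifies that file is a regular file readable only by its
# owner (mode 0600), and verifies each vault file carries the
# $ANSIBLE_VAULT;1.x;AES256 header instead of plaintext. Assumes the mode
# string is the first field of ls -l output (GNU and BSD ls).

# cfg_value <ansible.cfg> <key>: value of key=value inside [defaults].
cfg_value() {
    awk -F= -v key="$2" '
        /^\[/ { indefaults = ($0 ~ /^\[defaults\]/); next }
        indefaults && $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = $2; sub(/^[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            print v; exit
        }
    ' "$1"
}

# mode_of <path>: the symbolic mode string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_vault_setup <ansible.cfg> <vault-file>...: print one finding per
# line; return 1 if there were any, 0 if the setup is sound.
check_vault_setup() {
    cfg=$1; shift; bad=0
    pwfile=$(cfg_value "$cfg" vault_password_file)
    if [ -z "$pwfile" ]; then
        echo "$cfg: vault_password_file not set"; bad=1
    elif [ ! -f "$pwfile" ]; then
        echo "$pwfile: missing or not a regular file"; bad=1
    elif [ "$(mode_of "$pwfile")" != "-rw-------" ]; then
        echo "$pwfile: mode is $(mode_of "$pwfile"), want -rw------- (chmod 600)"; bad=1
    fi
    for v in "$@"; do
        case $(head -n 1 "$v" 2>/dev/null) in
            '$ANSIBLE_VAULT;1.'[12]';AES256'*) ;;   # 1.1 plain header, 1.2 carries a vault id label
            *) echo "$v: not an encrypted vault file (pw_* values would be in clear)"; bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone demo on constructed files: a 644 password file and a
# plaintext locker are both reported; after chmod 600 the check passes.
d=$(mktemp -d)
printf '[defaults]\ninventory=%s/inventory\nvault_password_file=%s/secret.txt\n' "$d" "$d" > "$d/ansible.cfg"
echo redhat > "$d/secret.txt"; chmod 644 "$d/secret.txt"
printf '$ANSIBLE_VAULT;1.1;AES256\n30303762626134373335623831383633\n' > "$d/locker.yml"
printf 'pw_developer: Imadev\n' > "$d/plain.yml"
check_vault_setup "$d/ansible.cfg" "$d/locker.yml" "$d/plain.yml" || echo "findings above need fixing"
chmod 600 "$d/secret.txt"
check_vault_setup "$d/ansible.cfg" "$d/locker.yml" && echo "vault setup OK"
rm -rf "$d"
```

On the control node you would call it as `check_vault_setup /home/devops/ansible/ansible.cfg /home/devops/ansible/locker.yml` after this step and again after task 16 adds expense.yml.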

15. Create user accounts

The list of user accounts to create comes from http://materials.example.com/tools/user_list.yml; copy it into /home/devops/ansible/.

• Using locker.yml from the previous task, create a playbook named users.yml with these requirements:

– users whose job description is developer are created on the hosts in the dev and test host

• groups, their password comes from the pw_developer variable, and their supplementary group is devops

• users whose job description is manager are created on the hosts in the prod host group, their

• password comes from the pw_manager variable, and their supplementary group is opsmgr

• passwords use a SHA512 hash

Answer:

#1. The user list (in the exam fetch it with wget; its content is shown here)
[devops@workstation ansible]$ vim user_list.yml
users:
  - name: bob
    job: developer
    uid: 3000
  - name: sally
    job: manager
    uid: 3001
  - name: fred
    job: developer
    uid: 3002

[devops@workstation ansible]$ vim users.yml
---
- name: create developer users
  hosts: dev,test
  vars_files:
    - user_list.yml
    - locker.yml
  tasks:
  - name: create devops group
    ansible.builtin.group:
      name: devops
      state: present

  - name: create  users
    ansible.builtin.user:
      name: "{{ item.name }}"
      uid: "{{ item.uid }}"
      groups: devops
      append: yes
      password: "{{ pw_developer | password_hash('sha512') }}"   # without a fixed salt the hash differs on every run, so this task always reports changed; pass a salt as the second argument for an idempotent hash
    loop: "{{ users }}"
    when: item.job == "developer"

- name: create manager users
  hosts: prod
  vars_files:
    - user_list.yml
    - locker.yml
  tasks:
  - name: create opsmgr group
    ansible.builtin.group:
      name: opsmgr
      state: present

  - name: create  users
    ansible.builtin.user:
      name: "{{ item.name }}"
      uid: "{{ item.uid }}"
      groups: opsmgr
      append: yes
      password: "{{ pw_manager | password_hash('sha512') }}"
    loop: "{{ users }}"
    when: item.job == "manager"

#2. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout users.yml

16. Update an Ansible vault key

• Change the vault password of the file expense.yml, with these requirements:

– save http://materials.example.com/tools/expense.yml as

  /home/devops/ansible/expense.yml

• the current password is ibmibm

• the new password is redhatredhat

Answer:

#1. Confirm the old password opens the file
[devops@workstation ansible]$ ansible-vault view expense.yml  --ask-vault-pass

#2. Rekey
[devops@workstation ansible]$ ansible-vault rekey expense.yml --ask-vault-pass
Vault password:    <==== enter the old password
New Vault password:  <==== enter the new password
Confirm New Vault password: <==== enter the new password again
Rekey successful

#3. Confirm the new password opens the file
[devops@workstation ansible]$ ansible-vault view expense.yml  --ask-vault-pass

17. Configure a cron job

Create a playbook named /home/devops/ansible/cron.yml that creates a cron job for the user natasha on all managed nodes:

• user natasha runs logger "RH294 in progress" every 2 minutes

Answer:

#1. Write the playbook
[devops@workstation ansible]$ vim cron.yml
---
- name: create cron for natasha
  hosts: all
  tasks:
  - name: create user natasha
    ansible.builtin.user:
      name: natasha

  - name: create cron for natasha
    ansible.builtin.cron:
      name: "natasha cronjob"
      weekday: "*"
      minute: "*/2"
      hour: "*"
      month: "*"
      day: "*"
      user: natasha
      job: '/bin/logger "RH294 in progress"'
#2. Run the playbook
[devops@workstation ansible]$ ansible-navigator run -m stdout cron.yml

#3. Test
[devops@workstation ansible]$ ansible all -m shell -a 'cat /var/spool/cron/natasha'
serverd | CHANGED | rc=0 >>
#Ansible: natasha cronjob
*/2 * * * * /bin/logger "RH294 in progress"
servera | CHANGED | rc=0 >>
#Ansible: natasha cronjob
*/2 * * * * /bin/logger "RH294 in progress"
serverb | CHANGED | rc=0 >>
#Ansible: natasha cronjob
*/2 * * * * /bin/logger "RH294 in progress"
serverc | CHANGED | rc=0 >>
#Ansible: natasha cronjob
*/2 * * * * /bin/logger "RH294 in progress"

