Creating the playbook
Work out the structure first, then generate the directory tree:
[root@ansible ansible]# tree
.
├── ansible.cfg
├── hostname.yml
├── hosts
├── mariadb.yml
├── role_mariadb.retry
├── role_mariadb_threng.yml
├── role_mariadb.yml
└── roles
    ├── mariadb
    │   ├── files
    │   │   └── mariadb.tar.gz
    │   └── tasks
    │       ├── config1.yml
    │       ├── config2.yml
    │       ├── config3.yml
    │       ├── data.yml
    │       ├── dir.yml
    │       ├── early.yml
    │       ├── group.yml
    │       ├── link.yml
    │       ├── main.yml
    │       ├── owner.yml
    │       ├── path.yml
    │       ├── source.yml
    │       ├── start1.yml
    │       ├── start2.yml
    │       ├── start3.yml
    │       ├── unpack.yml
    │       └── user.yml
    └── mariadb_streng
        ├── files
        │   └── mariadb.exp
        └── tasks
            ├── main.yml
            ├── streng.yml
            └── thening.yml

7 directories, 29 files
Initial preparation
1. Create the directory layout (-p is needed because the role directories do not exist yet):
[root@ansible ansible]# mkdir -p roles/{mariadb/{files,tasks},mariadb_streng/{files,tasks}}
2. Put the downloaded MariaDB tarball under the role's files directory so the Ansible server can copy it to the clients with the copy module.

Install the required packages so later steps do not fail: early.yml
[root@ansible mariadb]# cat tasks/early.yml
- name: on the early
  yum: name=expect,libaio

Create the group: group.yml
[root@ansible mariadb]# cat tasks/group.yml
---
# Group mysql
- name: Group
  group: name=mysql gid=336 system=yes

Create the user: user.yml
[root@ansible mariadb]# cat tasks/user.yml
---
# User
- name: User
  user: name=mysql uid=336 group=mysql system=yes home=/data/mysql shell=/sbin/nologin
Unpack the tarball: unpack.yml
[root@ansible mariadb]# cat tasks/unpack.yml
---
# Unpack
- name: Unpack mariadb
  unarchive: src=/etc/ansible/roles/mariadb/files/mariadb.tar.gz dest=/usr/local copy=yes

Create the symlink: link.yml
[root@ansible mariadb]# cat tasks/link.yml
---
# Link
- name: create link
  file: src=/usr/local/mariadb-10.2.23-linux-x86_64/ dest=/usr/local/mysql state=link

Set the owner and group on the directory and everything under it: owner.yml
[root@ansible mariadb]# cat tasks/owner.yml
---
# owner group
- name: owner group
  file: path=/usr/local/mysql owner=root group=root recurse=yes state=directory

Add the PATH variable: path.yml
[root@ansible mariadb]# cat tasks/path.yml
- name: PATH
  shell: echo PATH=/usr/local/mysql/bin:$PATH>/etc/profile.d/mysql.sh

Load the PATH variable: source.yml
[root@ansible mariadb]# cat tasks/source.yml
- name: source
  # only affects this task's own subshell; the later tasks use absolute paths
  shell: source /etc/profile.d/mysql.sh

Prepare the database data directory: dir.yml
[root@ansible mariadb]# cat tasks/dir.yml
- name: directory
  file: path=/data/mysql state=directory owner=mysql group=mysql

Initialise the data directory: data.yml
[root@ansible mariadb]# cat tasks/data.yml
- name: data
  shell: /usr/local/mysql/scripts/mysql_install_db --datadir=/data/mysql --user=mysql
Generate the configuration file: config{1,2,3}.yml
[root@ansible mariadb]# cat tasks/config1.yml
- name: config
  file: path=/etc/mysql state=directory
[root@ansible mariadb]# cat tasks/config2.yml
- name: config2
  copy: src=/usr/local/mysql/support-files/my-huge.cnf dest=/etc/mysql/my.cnf remote_src=yes
[root@ansible mariadb]# cat tasks/config3.yml
- name: config3
  lineinfile: dest=/etc/mysql/my.cnf insertafter="^\[mysqld\]" line="datadir=/data/mysql"

Start-up tasks: start{1,2,3}.yml
[root@ansible mariadb]# cat tasks/start1.yml
- name: start1
  copy: src=/usr/local/mysql/support-files/mysql.server dest=/etc/init.d/mysqld remote_src=yes
[root@ansible mariadb]# cat tasks/start2.yml
- name: start2
  shell: chkconfig --add mysqld
[root@ansible mariadb]# cat tasks/start3.yml
- name: service
  service: name=mysqld state=started

The main file main.yml puts the tasks in order:
[root@ansible ansible]# cat roles/mariadb/tasks/main.yml
- include: early.yml
- include: group.yml
- include: user.yml
- include: unpack.yml
- include: link.yml
- include: owner.yml
- include: path.yml
- include: source.yml
- include: dir.yml
- include: data.yml
- include: config1.yml
- include: config2.yml
- include: config3.yml
- include: start1.yml
- include: start2.yml
- include: start3.yml
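The role above uses shell tasks for mysql_install_db, the PATH drop-in and chkconfig, so every re-run of the play executes them again (mysql_install_db against an already initialised data directory being the one that matters). The following main.yml is an added example, not the role from the page: it collapses the same steps into one tasks file and guards each non-idempotent step. Paths, uid/gid, the 10.2.23 tarball name and the my-huge.cnf template are taken from the page; the `creates:` markers, `force: no` and the 0750 mode on the data directory are my assumptions.

```yaml
---
# roles/mariadb/tasks/main.yml (added example; not the role shown on the page)
# Same paths, uid/gid and tarball as the page, with guards so the play can be re-run.

- name: install prerequisites
  yum:
    name: [expect, libaio]
    state: present

- name: mysql group
  group: name=mysql gid=336 system=yes

- name: mysql user (home is created as the data directory below)
  user: name=mysql uid=336 group=mysql system=yes home=/data/mysql shell=/sbin/nologin createhome=no

- name: unpack the tarball from roles/mariadb/files/
  unarchive:
    src: mariadb.tar.gz
    dest: /usr/local
    creates: /usr/local/mariadb-10.2.23-linux-x86_64   # skip once extracted

- name: /usr/local/mysql symlink
  file: src=/usr/local/mariadb-10.2.23-linux-x86_64 dest=/usr/local/mysql state=link

- name: installation tree owned by root
  file: path=/usr/local/mysql owner=root group=root recurse=yes state=directory

- name: PATH drop-in (copy with content is idempotent; echo > rewrites the file every run)
  copy:
    dest: /etc/profile.d/mysql.sh
    content: "export PATH=/usr/local/mysql/bin:$PATH\n"
    mode: '0644'

- name: data directory, not world-readable
  file: path=/data/mysql state=directory owner=mysql group=mysql mode=0750

- name: initialise the system tables only on a fresh data directory
  shell: /usr/local/mysql/scripts/mysql_install_db --datadir=/data/mysql --user=mysql
  args:
    creates: /data/mysql/mysql/user.frm   # assumption: present after a successful bootstrap

- name: /etc/mysql
  file: path=/etc/mysql state=directory

- name: seed my.cnf once; do not clobber a locally edited file on re-runs
  copy:
    src: /usr/local/mysql/support-files/my-huge.cnf
    dest: /etc/mysql/my.cnf
    remote_src: yes
    force: no

- name: point the server at the data directory
  lineinfile:
    dest: /etc/mysql/my.cnf
    insertafter: '^\[mysqld\]'
    line: datadir=/data/mysql

- name: init script
  copy:
    src: /usr/local/mysql/support-files/mysql.server
    dest: /etc/init.d/mysqld
    remote_src: yes
    mode: '0755'

- name: register with chkconfig (no-op when already registered)
  command: chkconfig --add mysqld
  changed_when: false

- name: mysqld running and enabled at boot
  service: name=mysqld state=started enabled=yes
```

Run it with the same role_mariadb.yml playbook as the page; a second `ansible-playbook role_mariadb.yml` should then report changed=0 instead of re-initialising the data directory.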
Role playbook
[root@ansible ansible]# cat role_mariadb.yml
---
- hosts: all
  roles:
    - role: mariadb

Run the role playbook and let the show begin:
[root@ansible ansible]# ansible-playbook role_mariadb.yml
Writing the MySQL security-hardening playbook
Write an expect script that performs the hardening in one go:
[root@ansible ~]# vim /etc/ansible/roles/mariadb_streng/files/mariadb.exp
#!/usr/bin/expect
set timeout 60
#set password [lindex $argv 0]
spawn mysql_secure_installation
# prompt wording differs between MariaDB versions; a prompt that matches none of
# these patterns is answered only after the 60 s timeout expires
expect {
  "enter for none" { send "\r"; exp_continue}
  "Change the root password" { send "\r"; exp_continue}
  # the root password is stored in clear text in this file
  "New password" { send "123456\r"; exp_continue}
  "Re-enter new password" { send "123456\r"; exp_continue}
  "Remove anonymous users" { send "\r"; exp_continue}
  "Disallow root login remotely" { send "\r"; exp_continue}
  "Remove test database and access to it" { send "\r"; exp_continue}
  "Reload privilege tables now" { send "\r"; exp_continue}
  "Cleaning up" { send "\r"}
}
interact
Deployment tasks
[root@ansible ansible]# cat roles/mariadb_streng/tasks/streng.yml
---
# strengthening
- name: streng
  copy: src=mariadb.exp dest=/root mode=u+x
[root@ansible ansible]# cat roles/mariadb_streng/tasks/thening.yml
---
# strengthening
- name: thening
  shell: /root/mariadb.exp

Put the tasks in order:
[root@ansible ansible]# cat roles/mariadb_streng/tasks/main.yml
- include: streng.yml
- include: thening.yml

Main playbook
[root@ansible ansible]# cat role_mariadb_threng.yml
- hosts: 192.168.36.101
  roles:
    - role: mariadb_streng

Run the main playbook to apply the hardening:
[root@ansible ansible]# ansible-playbook role_mariadb_threng.yml
PLAY [192.168.36.101] *********************************************************************************************
TASK [Gathering Facts] ********************************************************************************************
ok: [192.168.36.101]
TASK [mariadb_streng : streng] ************************************************************************************
changed: [192.168.36.101]
TASK [mariadb_streng : thening] ***********************************************************************************
changed: [192.168.36.101]
PLAY RECAP ********************************************************************************************************
192.168.36.101 : ok=3 changed=2 unreachable=0 failed=0
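The expect approach leaves the root password in a clear-text script under /root on every target, and it is not idempotent: a second run finds a password already set and the remaining prompts no longer match. The tasks file below is an added example, not the page's mariadb_streng role, and performs the same four mysql_secure_installation steps (root password, anonymous users, remote root, test database) with Ansible's mysql_user and mysql_db modules. Assumed, not from the page: the `mysql_root_password` variable kept in an ansible-vault-encrypted vars file, the tarball build's default socket /tmp/mysql.sock, and the MySQL-python package name on CentOS.

```yaml
---
# roles/mariadb_streng/tasks/main.yml (added example; not the role on the page)
# Same result as answering mysql_secure_installation, without a password in a script.
# Assumptions: mysql_root_password is defined in an ansible-vault-encrypted vars file,
# the server listens on the tarball default socket /tmp/mysql.sock, CentOS package names.

- name: python driver used by the mysql_* modules
  yum:
    name: MySQL-python
    state: present

- name: root password (first run logs in with the empty post-install password)
  mysql_user:
    name: root
    host_all: yes
    password: "{{ mysql_root_password }}"
    check_implicit_admin: yes        # try root with no password before the supplied one
    login_user: root
    login_password: "{{ mysql_root_password }}"
    login_unix_socket: /tmp/mysql.sock
  no_log: true                       # keep the password out of the play output

- name: remove anonymous users
  mysql_user:
    name: ''
    host_all: yes
    state: absent
    login_user: root
    login_password: "{{ mysql_root_password }}"
    login_unix_socket: /tmp/mysql.sock
  no_log: true

# mysql_install_db also creates root@<hostname>; drop those rows but never the
# local ones the modules themselves log in through (localhost, 127.0.0.1, ::1).
- name: disallow remote root login
  mysql_user:
    name: root
    host: "{{ item }}"
    state: absent
    login_user: root
    login_password: "{{ mysql_root_password }}"
    login_unix_socket: /tmp/mysql.sock
  loop:
    - "{{ ansible_hostname }}"
    - "{{ ansible_fqdn }}"
  when: item not in ['localhost', '127.0.0.1', '::1']
  no_log: true

- name: drop the test database
  mysql_db:
    name: test
    state: absent
    login_user: root
    login_password: "{{ mysql_root_password }}"
    login_unix_socket: /tmp/mysql.sock
  no_log: true
```

Create the secret with `ansible-vault create roles/mariadb_streng/vars/main.yml` (one line, `mysql_root_password: <value>`), then run `ansible-playbook --ask-vault-pass role_mariadb_threng.yml`; every task is idempotent, so a repeat run reports changed=0 and nothing password-bearing is left on the target.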
Source: http://www.bubuko.com/infodetail-3038426.html