Creating the playbook

Design approach: generate the directory tree

All of the work lives under /etc/ansible. The finished layout is shown below: the mariadb role installs MariaDB from the binary tarball, and the mariadb_streng role runs the hardening script afterwards (its top-level playbook is named role_mariadb_threng.yml; role_mariadb.retry is the retry file Ansible leaves behind after a failed run).

```text
# tree .
.
├── ansible.cfg
├── hostname.yml
├── hosts
├── mariadb.yml
├── role_mariadb.retry
├── role_mariadb_threng.yml
├── role_mariadb.yml
└── roles
    ├── mariadb
    │   ├── files
    │   │   └── mariadb.tar.gz
    │   └── tasks
    │       ├── config1.yml
    │       ├── config2.yml
    │       ├── config3.yml
    │       ├── data.yml
    │       ├── dir.yml
    │       ├── early.yml
    │       ├── group.yml
    │       ├── link.yml
    │       ├── main.yml
    │       ├── owner.yml
    │       ├── path.yml
    │       ├── source.yml
    │       ├── start1.yml
    │       ├── start2.yml
    │       ├── start3.yml
    │       ├── unpack.yml
    │       └── user.yml
    └── mariadb_streng
        ├── files
        │   └── mariadb.exp
        └── tasks
            ├── main.yml
            ├── streng.yml
            └── thening.yml

7 directories, 29 files
```
Initial preparation

1. Create the directory layout (bash brace expansion; `-p` also creates roles/ if it does not exist yet):

```bash
mkdir -p roles/{mariadb,mariadb_streng}/{files,tasks}
```

The command as first written, `mkdir roles/{mariadb/{files,tasks},mariadb_streng{files,tasks}}`, was missing the `/` before the second `{files,tasks}`, so it would have produced roles/mariadb_strengfiles and roles/mariadb_strengtasks instead of the two subdirectories.

2. Put the downloaded MariaDB tarball in the role's files directory (roles/mariadb/files/mariadb.tar.gz) so that the Ansible server can copy it to the managed hosts with the copy/unarchive modules.
Install the packages the role depends on, so that later steps do not fail: early.yml

roles/mariadb/tasks/early.yml:

```yaml
---
# expect drives mysql_secure_installation in the hardening role; libaio is required by mysqld from the binary tarball
- name: install prerequisites
  yum: name=expect,libaio state=present
```
Create the group: group.yml

roles/mariadb/tasks/group.yml:

```yaml
---
# Group mysql
- name: Group
  group: name=mysql gid=336 system=yes
```
Create the user: user.yml

roles/mariadb/tasks/user.yml:

```yaml
---
# User: a system account with no interactive shell, home set to the future data directory
- name: User
  user: name=mysql uid=336 group=mysql system=yes home=/data/mysql shell=/sbin/nologin
```

Giving the service account `/sbin/nologin` as its shell means the mysql user can run mysqld but cannot be used for an interactive login.
Unpack the tarball: unpack.yml

roles/mariadb/tasks/unpack.yml:

```yaml
---
# Unpack: copy the tarball from the control node and extract it under /usr/local on the target
- name: Unpack mariadb
  unarchive: src=/etc/ansible/roles/mariadb/files/mariadb.tar.gz dest=/usr/local copy=yes
```
Create the symbolic link: link.yml

`state=link` creates a symbolic link, not a hard link (a directory cannot be hard-linked anyway); /usr/local/mysql points at the versioned directory so that the remaining tasks do not depend on the version number.

roles/mariadb/tasks/link.yml:

```yaml
---
# Link
- name: create link
  file: src=/usr/local/mariadb-10.2.23-linux-x86_64/ dest=/usr/local/mysql state=link
```
Set the owner and group of the directory and everything under it: owner.yml

roles/mariadb/tasks/owner.yml:

```yaml
---
# owner group: the installed binaries belong to root, so the mysql service account cannot modify them
- name: owner group
  file: path=/usr/local/mysql owner=root group=root recurse=yes state=directory
```
Add the PATH entry: path.yml

roles/mariadb/tasks/path.yml:

```yaml
---
# Put the MariaDB tools on PATH for login shells
- name: PATH
  shell: echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
```

The single quotes matter. Written unquoted, `$PATH` is expanded by the remote shell at the moment the file is written, so mysql.sh would contain the Ansible session's PATH as a fixed string instead of `$PATH`. Like every `shell` task in this role, it runs on every play; that is harmless here because it rewrites the same file.
Load the PATH entry: source.yml

roles/mariadb/tasks/source.yml:

```yaml
---
- name: source
  shell: source /etc/profile.d/mysql.sh
```

This task has no lasting effect: the `shell` module runs the command in its own short-lived shell, so sourcing the file there changes nothing for later tasks or for users. The file under /etc/profile.d is picked up by every new login shell on its own, so the task can be dropped. Any later task that needs the MariaDB binaries should call them by full path (/usr/local/mysql/bin/...), as the following tasks do.
Prepare the database data directory: dir.yml

roles/mariadb/tasks/dir.yml:

```yaml
---
# The data directory is the one place the mysql account needs to write
- name: directory
  file: path=/data/mysql state=directory owner=mysql group=mysql
```
Initialise the data directory: data.yml

roles/mariadb/tasks/data.yml:

```yaml
---
# Create the system tables. creates= makes the task a no-op on a second run instead of re-initialising a live data directory;
# --basedir lets the script find bin/my_print_defaults whatever the working directory is
- name: data
  shell: /usr/local/mysql/scripts/mysql_install_db --basedir=/usr/local/mysql --datadir=/data/mysql --user=mysql creates=/data/mysql/mysql
```
Generate the configuration file: config{1,2,3}.yml

roles/mariadb/tasks/config1.yml:

```yaml
---
- name: config
  file: path=/etc/mysql state=directory
```

roles/mariadb/tasks/config2.yml:

```yaml
---
# Start from the sample config shipped in support-files of the 10.2 tarball (later releases no longer ship my-*.cnf)
- name: config2
  copy: src=/usr/local/mysql/support-files/my-huge.cnf dest=/etc/mysql/my.cnf remote_src=yes
```

roles/mariadb/tasks/config3.yml:

```yaml
---
# Point mysqld at the data directory created above; the line goes right after the [mysqld] section header
- name: config3
  lineinfile: dest=/etc/mysql/my.cnf insertafter="^\[mysqld\]" line="datadir=/data/mysql"
```

/etc/mysql/my.cnf is one of the default option file locations MariaDB reads, so no extra flag is needed to make mysqld use it.
Start the service: start{1,2,3}.yml

roles/mariadb/tasks/start1.yml:

```yaml
---
# Install the SysV init script. copy with remote_src does not carry over the source file's mode,
# so it is set explicitly; without it the script would not be executable by the service command
- name: start1
  copy: src=/usr/local/mysql/support-files/mysql.server dest=/etc/init.d/mysqld remote_src=yes mode=0755
```

roles/mariadb/tasks/start2.yml:

```yaml
---
- name: start2
  shell: chkconfig --add mysqld
```

roles/mariadb/tasks/start3.yml:

```yaml
---
- name: service
  service: name=mysqld state=started
```
The main file main.yml orders the role's tasks

roles/mariadb/tasks/main.yml:

```yaml
---
# Task order for the mariadb role. `include` for task files has been deprecated since Ansible 2.4;
# `import_tasks` is the current equivalent and takes the same file names.
- include: early.yml
- include: group.yml
- include: user.yml
- include: unpack.yml
- include: link.yml
- include: owner.yml
- include: path.yml
- include: source.yml
- include: dir.yml
- include: data.yml
- include: config1.yml
- include: config2.yml
- include: config3.yml
- include: start1.yml
- include: start2.yml
- include: start3.yml
```
The role playbook

role_mariadb.yml:

```yaml
---
- hosts: all
  roles:
    - role: mariadb
```
Run the role playbook and let the play begin

```bash
ansible-playbook role_mariadb.yml
```
Writing the MySQL hardening playbook

Write an expect script that answers mysql_secure_installation, so the hardening runs unattended

roles/mariadb_streng/files/mariadb.exp (created with vim /etc/ansible/roles/mariadb_streng/files/mariadb.exp):

```tcl
#!/usr/bin/expect
set timeout 60
#set password [lindex $argv 0]
spawn mysql_secure_installation
expect {
    "enter for none"                        { send "\r"; exp_continue }
    "Set root password"                     { send "\r"; exp_continue }
    "Change the root password"              { send "\r"; exp_continue }
    "New password"                          { send "123456\r"; exp_continue }
    "Re-enter new password"                 { send "123456\r"; exp_continue }
    "Remove anonymous users"                { send "\r"; exp_continue }
    "Disallow root login remotely"          { send "\r"; exp_continue }
    "Remove test database and access to it" { send "\r"; exp_continue }
    "Reload privilege tables now"           { send "\r"; exp_continue }
    "Cleaning up"                           { send "\r" }
}
expect eof
```

A bare Enter accepts the default answer (Y) to every yes/no question: set a root password, drop the anonymous accounts, refuse remote root logins, drop the test database and reload the grant tables. The 10.2 script words the first question as "Set root password? [Y/n]"; "Change the root password?" is the wording used by newer MariaDB releases, so both patterns are listed. The script ends with `expect eof` rather than `interact`: Ansible runs it without a terminal, so there is nobody to hand control to, and `expect eof` simply waits for mysql_secure_installation to finish.

The weak point is the root password itself: it is hard-coded as 123456, the same on every host, and it is copied around in clear text. The commented-out `lindex $argv 0` line shows the intended direction, passing the password in rather than embedding it.
The deployment tasks

roles/mariadb_streng/tasks/streng.yml:

```yaml
---
# strengthening: ship the expect script to the target
- name: streng
  copy: src=mariadb.exp dest=/root mode=u+x
```

roles/mariadb_streng/tasks/thening.yml:

```yaml
---
# strengthening: run it
- name: thening
  shell: /root/mariadb.exp
```

`mode=u+x` only adds the execute bit on top of the default file mode, which leaves a script containing the root password readable by every local user (0755), and the file stays in /root after the run. `mode=0700` plus a task that removes the file afterwards is the minimum. The `thening` task is not idempotent either: on a second run mysql_secure_installation asks for the now-set root password, gets an empty line, and fails.
Order the tasks

roles/mariadb_streng/tasks/main.yml:

```yaml
---
- include: streng.yml
- include: thening.yml
```
The main playbook

role_mariadb_threng.yml:

```yaml
---
- hosts: 192.168.36.101
  roles:
    - role: mariadb_streng
```
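The same hardening step, rewritten so that the root password is never written into a file, never appears on a command line and never shows up in the Ansible log. This is an added example, not the role from this page: it assumes a variable `mysql_root_password` supplied from Ansible Vault or `--extra-vars` (a hypothetical name), the binaries under /usr/local/mysql/bin as installed by the mariadb role, and uses the long task form rather than the k=v shorthand for readability. The expect script is written inline with `content:` so the whole thing is one task file; it reads the password from the environment, and `no_log: true` keeps the dialogue and the password out of the play output.

```yaml
---
# Added example (not the original mariadb_streng role): hardening with the root
# password kept out of the script, the command line and the Ansible log.
# Assumed: a variable mysql_root_password (hypothetical name) from Vault/--extra-vars,
# and /usr/local/mysql/bin as laid down by the mariadb role.
- name: write the expect driver (password comes from the environment, not the file)
  copy:
    dest: /root/mariadb_secure.exp
    owner: root
    group: root
    mode: "0700"
    content: |
      #!/usr/bin/expect -f
      set timeout 60
      if {![info exists env(MYSQL_ROOT_PASSWORD)]} {
          puts stderr "MYSQL_ROOT_PASSWORD is not set"
          exit 2
      }
      set password $env(MYSQL_ROOT_PASSWORD)
      log_user 0    ;# do not echo the dialogue (and the password) into the task output
      spawn /usr/local/mysql/bin/mysql_secure_installation
      expect {
          "enter for none"                        { send "\r";          exp_continue }
          "Set root password"                     { send "Y\r";         exp_continue }
          "Change the root password"              { send "Y\r";         exp_continue }
          "New password"                          { send "$password\r"; exp_continue }
          "Re-enter new password"                 { send "$password\r"; exp_continue }
          "Remove anonymous users"                { send "Y\r";         exp_continue }
          "Disallow root login remotely"          { send "Y\r";         exp_continue }
          "Remove test database and access to it" { send "Y\r";         exp_continue }
          "Reload privilege tables now"           { send "Y\r";         exp_continue }
          timeout { puts stderr "timed out waiting for a prompt"; exit 1 }
          eof
      }
      # hand the exit status of mysql_secure_installation back to Ansible
      lassign [wait] pid spawnid os_error value
      exit $value
  no_log: true

- name: run the hardening exactly once and leave a marker so a re-run is a no-op
  shell: /root/mariadb_secure.exp && touch /data/mysql/.secured
  args:
    creates: /data/mysql/.secured
  environment:
    MYSQL_ROOT_PASSWORD: "{{ mysql_root_password }}"
  no_log: true

- name: remove the driver script once it has done its job
  file:
    path: /root/mariadb_secure.exp
    state: absent
```

The `creates:` marker is what makes the task safe to re-run: mysql_secure_installation cannot be replayed with the same answers once a root password is set, so the play records that the host has been hardened instead of trying again. The `timeout` branch turns a prompt the script does not recognise (for example a differently worded question in another MariaDB release) into a failed task rather than a silent sixty-second wait followed by a spurious "changed".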
Run the main playbook to apply the hardening

```text
# ansible-playbook role_mariadb_threng.yml

PLAY [192.168.36.101] *********************************************************************************************

TASK [Gathering Facts] ********************************************************************************************
ok: [192.168.36.101]

TASK [mariadb_streng : streng] ************************************************************************************
changed: [192.168.36.101]

TASK [mariadb_streng : thening] ***********************************************************************************
changed: [192.168.36.101]

PLAY RECAP ********************************************************************************************************
192.168.36.101             : ok=3    changed=2    unreachable=0    failed=0
```

"changed" here only means the script exited 0; it does not prove that the prompts were matched and the answers applied. The state worth checking afterwards is the grant table and the database list on the target.
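A way to check that the hardening actually took effect, as an added example that is not part of the original playbook. The two functions take the header-less, tab-separated output of `mysql -N -B -e "SELECT user, host FROM mysql.user"` and `mysql -N -B -e "SHOW DATABASES"` and flag exactly what mysql_secure_installation is supposed to remove: anonymous accounts, root logins from anything but localhost, and the test database. The sample outputs at the bottom are constructed, not captured from a server, so the script runs offline; on a real host feed it the query output as shown in the usage note.

```sh
#!/bin/sh
# Post-hardening audit for mysql_secure_installation (added example, not part of
# the original role). Each function takes the tab-separated, header-less output
# of one query, writes one FINDING line per problem to stderr and prints the
# number of findings to stdout:
#   mysql -N -B -e "SELECT user, host FROM mysql.user"  -> audit_users
#   mysql -N -B -e "SHOW DATABASES"                     -> audit_databases

tab=$(printf '\t')

audit_users() {
    findings=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        # Split on the first tab by hand: "read" with a tab IFS would strip a
        # leading tab, which is exactly how an anonymous account (''@host) prints.
        user=${line%%"$tab"*}
        host=${line#*"$tab"}
        if [ -z "$user" ]; then
            echo "FINDING: anonymous account ''@'$host' still exists" >&2
            findings=$((findings + 1))
        elif [ "$user" = root ]; then
            case $host in
                localhost|127.0.0.1|::1) ;;    # local root is expected
                *) echo "FINDING: root may log in remotely from '$host'" >&2
                   findings=$((findings + 1)) ;;
            esac
        fi
    done <<EOF
$1
EOF
    echo "$findings"
}

audit_databases() {
    findings=0
    while IFS= read -r db; do
        case $db in
            test|test_*)
                echo "FINDING: test database '$db' still exists" >&2
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "$findings"
}

# Constructed sample output (not captured from a real server).
# A freshly initialised server: remote root, two anonymous accounts, a test database.
UNHARDENED_USERS=$(printf 'root\tlocalhost\nroot\t%%\n\tlocalhost\n\tdb01')
UNHARDENED_DBS=$(printf 'information_schema\nmysql\nperformance_schema\ntest')
# The same server after mysql_secure_installation with every question answered Y.
HARDENED_USERS=$(printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t::1')
HARDENED_DBS=$(printf 'information_schema\nmysql\nperformance_schema')

echo "un-hardened sample: $(( $(audit_users "$UNHARDENED_USERS") + $(audit_databases "$UNHARDENED_DBS") )) findings"
echo "hardened sample:    $(( $(audit_users "$HARDENED_USERS") + $(audit_databases "$HARDENED_DBS") )) findings"
```

On a hardened host the two calls are `audit_users "$(mysql -N -B -e 'SELECT user, host FROM mysql.user')"` and `audit_databases "$(mysql -N -B -e 'SHOW DATABASES')"`; a non-zero count is the signal that the expect dialogue did not go through, which is the case the "changed" line in the play recap cannot tell you about. Wrapped in an Ansible `shell` task with `failed_when: result.stdout != "0"`, it turns that silent failure into a failed play.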