Hands-on RHCA DO407 (1)

  • January 14, 2020
  • Notes

1. Install and configure Ansible

  1. Install and configure ansible and the ansible control node control.labx.example.com as follows:
  2. Create a static inventory file named /home/student/ansible/inventory as shown below:

2.1 servera is a member of the dev host group

2.2 serverb is a member of the test host group

2.3 serverc and serverd are members of the prod host group

2.4 serverb is a member of the balancers host group

2.5 the prod group is a member of the webservers host group

3. Create a configuration file named /home/student/ansible/ansible.cfg as follows:

3.1 the host inventory file is /home/student/ansible/inventory
3.2 the location of roles used by playbooks is defined as /home/student/ansible/roles

In the practice environment you log in to workstation as the student user; in the exam environment remote_user = matthew, here it is devops.

Solution

1. Switch to the student user and create the ansible and roles directories

su - student
mkdir -p /home/student/ansible/roles
cd /home/student/ansible

2. Edit the inventory file

[student@workstation ansible]$ cat inventory
[dev]
servera

[test]
serverb

[prod]
serverc
serverd

[balancers]
serverb

[webservers:children]
prod

3. Edit the ansible configuration file. With become=True every task runs as root through sudo unless a play says otherwise, and ask_pass/become_ask_pass = False assume that key-based SSH and passwordless sudo for devops are already set up on the managed nodes.

[student@workstation ansible]$ cat ansible.cfg
[defaults]
remote_user = devops
inventory   = /home/student/ansible/inventory
roles_path  = /home/student/ansible/roles
ask_pass    = False

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

4. Ping test

[student@workstation ansible]$ ansible all -m ping
serverd | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
servera | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
serverb | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
serverc | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
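Almost every playbook in these notes gates tasks with `when: ... in groups['dev']`, so it is worth being able to resolve group membership, including [group:children], before running anything. The parser below is an added example (not code from the original notes or from Ansible itself) that handles the two section types used in this inventory, the plain [group] and [group:children]; [group:vars] sections are skipped. The inventory text is the one written in task 1 above.

```python
"""Resolve host-group membership from an Ansible INI inventory.

Added example, not from the original notes: it mirrors what Ansible's own
inventory parser does for [group] and [group:children] sections so that the
`when: ... in groups['...']` conditions used throughout these playbooks can be
checked before a run.
"""
from collections import defaultdict

# Constructed input: the static inventory written in task 1.
INVENTORY = """
[dev]
servera

[test]
serverb

[prod]
serverc
serverd

[balancers]
serverb

[webservers:children]
prod
"""


def parse_inventory(text):
    """Return (hosts_by_group, children_by_group) from INI inventory text.

    Only [group] and [group:children] sections are handled; [group:vars]
    sections are skipped and inline host variables (host key=value) are dropped.
    """
    hosts = defaultdict(set)
    children = defaultdict(set)
    section, kind = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if ":" in name:
                name, kind = name.split(":", 1)
            else:
                kind = "hosts"
            section = name
            hosts.setdefault(section, set())  # a group may be declared but empty
            continue
        if section is None or kind == "vars":
            continue
        entry = line.split()[0]  # drop inline key=value host vars
        if kind == "children":
            children[section].add(entry)
            hosts.setdefault(entry, set())  # child group exists even if never listed
        else:
            hosts[section].add(entry)
    return dict(hosts), dict(children)


def resolve_group(name, hosts, children, _seen=None):
    """All hosts in `name`, following [group:children] recursively.

    Cycle-safe: a group that (directly or indirectly) lists itself is visited once.
    An unknown group resolves to the empty set, which is also what makes a
    `when: x in groups['qa']` test on a missing group fail at run time in Ansible.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    members = set(hosts.get(name, ()))
    for child in children.get(name, ()):
        members |= resolve_group(child, hosts, children, _seen)
    return members


def groups_of_host(host, hosts, children):
    """Every group (direct or via children) that `host` belongs to."""
    return {g for g in hosts if host in resolve_group(g, hosts, children)}


if __name__ == "__main__":
    h, c = parse_inventory(INVENTORY)
    for g in sorted(h):
        print(f"{g:12} {sorted(resolve_group(g, h, c))}")
```

Run it and `webservers` resolves to serverc and serverd through the prod child group, and serverb shows up in both test and balancers, which is exactly what the later roles.yml and users.yml plays rely on.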

2. As a system administrator, you need to install software on the managed nodes

Create a shell script named /home/student/ansible/adhoc.sh that runs an ansible ad-hoc command to create a yum repository on every managed node as follows:

  1. The repository name is exam_rhel
  2. The description is EX407 software
  3. The base URL is http://rhgls.labx.example.com/rhel
  4. GPG signature checking is enabled
  5. The GPG key URL is http://rhgls.lab.example.com/rhel/RPM-GPG-KEY-redhat-release
  6. The repository is enabled

Solution

1. Create the repository script. Note that the URL here is the practice environment's URL, not the exam URL from the question above; my environment is RHEL 7.5. The question asks for the name exam_rhel while the script below uses Exam_RHEL; the name also becomes the .repo file name, so use exactly what the task states.

[student@workstation ansible]$ cat adhoc.sh
#!/bin/bash
ansible all -m yum_repository -a 'name=Exam_RHEL description="EX407 software" baseurl=http://content.example.com/rhel7.5/x86_64/dvd gpgcheck=yes gpgkey=http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes'

2. Make the script executable and run it

chmod 755 adhoc.sh && ./adhoc.sh

3. Check that the yum repository was configured

[student@workstation ansible]$ ansible all -m shell -a 'cat /etc/yum.repos.d/Exam_RHEL.repo'
serverc | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

serverb | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

servera | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

serverd | SUCCESS | rc=0 >>
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX software
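Looking at the .repo file by eye works for four hosts; the check a practitioner would script is "every enabled repo has gpgcheck on and a key, and nothing is fetched over plain http". gpgcheck=1 only protects package integrity if the key itself came over a trusted channel, so a key URL on plain http is worth flagging even though it is what the lab provides. The audit below is an added example, not code from the original notes; its input is the Exam_RHEL.repo content captured above plus a deliberately misconfigured second repo (constructed, not from the lab) so there is something to catch.

```python
"""Audit yum .repo files for GPG verification and transport security.

Added example, not part of the original notes. It parses the content that the
yum_repository ad-hoc command in task 2 produced and reports, per enabled repo,
whether signature checking is on, whether a gpgkey is configured, and whether
packages or the key are served over plain http.
"""
import configparser

# Constructed input: the Exam_RHEL.repo shown above, plus a hypothetical
# repo with signature checking switched off so the audit has something to flag.
SAMPLE_REPO = """
[Exam_RHEL]
baseurl = http://content.example.com/rhel7.5/x86_64/dvd
enabled = 1
gpgcheck = 1
gpgkey = http://content.example.com/rhel7.5/x86_64/dvd/RPM-GPG-KEY-redhat-release
name = EX407 software

[unsigned_extras]
baseurl = http://mirror.example.com/extras
enabled = 1
gpgcheck = 0
name = hypothetical extras repo
"""

TRUTHY = {"1", "true", "yes", "on"}  # spellings yum accepts for boolean options


def audit_repo_file(text):
    """Return {repo_id: [findings]} for every enabled repo in `text`.

    An empty findings list means the repo passed. Disabled repos are skipped
    because yum never consults them.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for repo in cfg.sections():
        sec = cfg[repo]
        if sec.get("enabled", "1").strip().lower() not in TRUTHY:
            continue
        findings = []
        if sec.get("gpgcheck", "0").strip().lower() not in TRUTHY:
            findings.append("gpgcheck is disabled")
        gpgkey = sec.get("gpgkey", "").strip()
        if not gpgkey:
            findings.append("no gpgkey configured")
        elif gpgkey.startswith("http://"):
            findings.append("gpgkey fetched over plain http")
        for field in ("baseurl", "mirrorlist", "metalink"):
            url = sec.get(field, "").strip()
            if url.startswith("http://"):
                findings.append(f"{field} uses plain http")
        report[repo] = findings
    return report


def failing_repos(text):
    """Repo ids that must not be used as-is: gpgcheck off or no key at all.

    Plain-http findings are warnings rather than hard failures, because a
    correct gpgcheck still rejects tampered packages; the key source is the
    part to fix (pin the key locally or fetch it over https).
    """
    return sorted(
        repo for repo, findings in audit_repo_file(text).items()
        if any(f.startswith(("gpgcheck", "no gpgkey")) for f in findings)
    )


if __name__ == "__main__":
    for repo, findings in audit_repo_file(SAMPLE_REPO).items():
        print(repo, "OK" if not findings else "; ".join(findings))
```

On the lab content Exam_RHEL passes the hard checks and only gets the two plain-http warnings; the constructed unsigned_extras repo is the one that fails.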

3. Install packages

Create a playbook named /home/student/ansible/packages.yml that installs packages:

  1. Install the php and mariadb packages on hosts in the dev, test and prod host groups
  2. Install the Development Tools package group on hosts in the dev host group
  3. Update all packages to the latest version on hosts in the dev host group

Solution

1. Edit the packages.yml file

[student@workstation ansible]$ cat packages.yml
---
- hosts: dev,test,prod
  tasks:
  - name: install php mariadb
    yum:
      name: "{{ item }}"
      state: present
    with_items:
      - php
      - mariadb
  - name: install group Development Tools
    yum:
      name: "@Development Tools"
      state: present
    when: ansible_hostname in groups["dev"]
  - name: update all packages
    yum:
      name: "*"
      state: latest
    when: ansible_hostname in groups["dev"]

The conditions compare the gathered short hostname (ansible_hostname) with the inventory names; that only works because the inventory uses the same short names. inventory_hostname is the name Ansible actually places in groups, so it is the safer variable to test when inventory names and DNS names differ.

2. Check the syntax, then run the playbook

ansible-playbook --syntax-check packages.yml
ansible-playbook packages.yml

3. Verify that the packages were installed

[student@workstation ansible]$ ansible dev,test,prod -m shell -a "rpm -qa|egrep 'php|mariadb'"
serverb | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64

serverd | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64

serverc | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64

servera | SUCCESS | rc=0 >>
mariadb-libs-5.5.56-2.el7.x86_64
php-cli-5.4.16-45.el7.x86_64
php-common-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64
mariadb-5.5.56-2.el7.x86_64

4. Use RHEL system roles

Install the timesync role package (download URL http://materials/timesync-1.0.1.tar.gz)

and create a playbook named /home/student/ansible/timesync.yml that:

  1. Runs on all managed hosts
  2. Uses the timesync role
  3. Configures the role to use the time server 172.24.1.254 (172.25.254.254 in our lab)
  4. Configures the role to enable the iburst parameter

Solution

1. Install the role. With the rhel-system-roles package this would be the yum command below, but in this environment it cannot be installed with yum, so the role is installed with ansible-galaxy instead. Role archives fetched by URL are not integrity-checked by ansible-galaxy, so outside the lab verify the tarball (checksum or signature) before installing it.

sudo yum install -y rhel-system-roles

2. Write the requirements file pointing at the role archive

cat get_timesync.yml
- src: http://materials/timesync-1.0.1.tar.gz
  name: linux-system-timesync

3. Install timesync into the roles/ directory

ansible-galaxy install -r get_timesync.yml -p roles/

4. Write the playbook

cat timesync.yml
- hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes
  roles:
    - role: linux-system-timesync

5. Check the syntax, run it for real, and look at the result

ansible-playbook --syntax-check timesync.yml
ansible-playbook timesync.yml
ansible all -m shell -a 'chronyc sources'

servera | SUCCESS | rc=0 >>
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* classroom.example.com         8   6    77    46    -14ms[  -16ms] +/-   18ms

5. Install and use roles

Create a requirements file for Ansible Galaxy named /home/student/ansible/roles/requirements.yml

that downloads and installs the following into /home/student/ansible/roles:

1. http://materials/haproxy.tar.gz, the role name should be balancer

2. http://materials/phpinfo.tar.gz, the role name should be phpinfo

Solution

1. Write requirements.yml

cat requirements.yml
- src: http://materials/haproxy.tar.gz
  name: balancer

- src: http://materials/phpinfo.tar.gz
  name: phpinfo

2. Install the roles

ansible-galaxy install -r /home/student/ansible/roles/requirements.yml -p /home/student/ansible/roles

6. Create and use a role

Create a role named apache in /home/student/ansible/roles according to the following requirements:

  1. Copy the default role template directory to /tmp/custom/ and add a templates directory to it; specify /tmp/custom as the template directory when creating the role
  2. The httpd package is installed, enabled at boot, and started
  3. The firewall is enabled and running with a rule that allows access to the web server
  4. A template file index.html.j2 exists and is used to create the file /var/www/html/index.html with the following output:

Welcome to {{ FQDN }} on {{ IPADDRESS }}

Create a playbook named /home/student/ansible/newrole.yml that:

  1. Runs on hosts in the webservers host group

Solution

1. Initialise the apache role directory

ansible-galaxy init apache --init-path /home/student/ansible/roles

2. Go into that directory and create a templates directory (only if it is not already there)

cd /home/student/ansible/roles/apache && mkdir templates

3. Edit the tasks file

[student@workstation apache]$ cat tasks/main.yml
---
# tasks file for apache
- name: Install httpd
  yum:
    name: httpd
    state: present

- name: Start httpd
  service:
    name: httpd
    state: started
    enabled: yes

- name: Start firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: Firewalld permits the http service
  firewalld:
    service: http
    state: enabled
    permanent: true
    immediate: yes

- name: Create /var/www/html/index.html
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
    setype: httpd_sys_content_t

4. Edit the web page template

[student@workstation apache]$ cat templates/index.html.j2
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}

5. Write the playbook that applies the role

[student@workstation ansible]$ cat /home/student/ansible/newrole.yml
---
- hosts: webservers
  roles:
    - apache

6. Check the syntax, run the playbook, and look at the result

ansible-playbook --syntax-check newrole.yml
ansible-playbook newrole.yml

curl http://serverc
Welcome to serverc.lab.example.com on 172.25.250.12

curl http://serverd
Welcome to serverd.lab.example.com on 172.25.250.13

7. Use the roles installed from Ansible Galaxy

Create a playbook file named roles.yml that:

deploys the balancer role on the balancers hosts

deploys the phpinfo role on the webservers hosts

Solution

1. Edit the playbook

cat roles.yml
- hosts: balancers
  roles:
    - balancer

- hosts: webservers
  roles:
    - phpinfo

2. Dry-run, then run the playbook for real

ansible-playbook -C roles.yml
ansible-playbook roles.yml

3. Check the result (serverb is the load balancer, so requests to it are answered by one of the web servers)

[student@workstation ansible]$ curl http://serverb
Welcome to serverc.lab.example.com on 172.25.250.12

[student@workstation ansible]$ curl http://serverc
Welcome to serverc.lab.example.com on 172.25.250.12

[student@workstation ansible]$ curl http://serverb/hello.php
Hello PHP World form serverd.lab.example.com

[student@workstation ansible]$ curl http://serverc/hello.php
Hello PHP World form serverc.lab.example.com

8. Create a partition

Write a playbook at /home/student/ansible/partition.yml that runs on all hosts, with the following requirements:

  1. On vdb, create a primary partition, number 1, of size 1500MiB
  2. Format it with the ext4 filesystem and mount it on /newpart
  3. If the requested partition size cannot be created, the error message "Could not create partition of that size" should be shown and a size of 800MiB should be used instead
  4. If the device vdb does not exist, the error message "disk does not exist" should be shown

Pseudocode

if vdb exists:
    try:
        fdisk vdb size=1500MiB && mkfs.ext4 && mount /dev/vdb1 /newpart
    rescue:
        fdisk vdb size=800MiB && mkfs.ext4 && mount /dev/vdb1 /newpart
else:
    echo "disk does not exist"

Solution

1. Write the partition playbook. The first two tasks implement the "disk does not exist" branch: the ls result is registered with errors ignored, and the debug task is then forced to fail on hosts without vdb so that no later task runs there (ansible_devices.vdb is defined would do the same test from gathered facts without a shell call).

[student@workstation ansible]$ cat partition.yml
- hosts: all
  tasks:
  - name: "1. test whether vdb exists"
    shell: ls /dev/vdb
    register: msg
    ignore_errors: yes
  - name: "2. if vdb does not exist, print the error message and stop this host"
    debug:
      msg: "disk does not exist"
    when: msg is failed
    failed_when: msg is failed
  - name: "3. create a partition of 1500MiB"
    block:
    - name: "3-1. create vdb1"
      parted:
        number: 1
        device: /dev/vdb
        part_start: 1MiB
        part_end: 1500MiB
        state: present
    rescue:
    - name: "3-2. show the error message"
      debug:
        msg: "Could not create partition of that size"
    - name: "3-3. create an 800MiB partition instead"
      parted:
        number: 1
        device: /dev/vdb
        part_start: 1MiB
        part_end: 800MiB
        state: present
  - name: "4. create the filesystem"
    filesystem:
      dev: /dev/vdb1
      fstype: ext4
  - name: "5. create the mount point"
    file:
      path: /newpart
      state: directory
      mode: '0755'
  - name: "6. mount the device"
    mount:
      src: /dev/vdb1
      path: /newpart
      fstype: ext4
      state: mounted

2. Look at the result (vdb is only 1G, so the 1500MiB partition failed and the rescue created the 800MiB one)

[student@workstation ansible]$ ansible all -m shell -a "lsblk"
serverb | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    253:0    0   40G  0 disk
└─vda1 253:1    0   40G  0 part /
vdb    253:16   0    1G  0 disk
└─vdb1 253:17   0  799M  0 part

serverd | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    253:0    0   40G  0 disk
└─vda1 253:1    0   40G  0 part /
vdb    253:16   0    1G  0 disk
└─vdb1 253:17   0  799M  0 part

serverc | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    253:0    0   40G  0 disk
└─vda1 253:1    0   40G  0 part /
vdb    253:16   0    1G  0 disk
└─vdb1 253:17   0  799M  0 part

servera | SUCCESS | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    252:0    0   40G  0 disk
└─vda1 252:1    0   40G  0 part /
vdb    252:16   0    1G  0 disk
└─vdb1 252:17   0  799M  0 part

8.1 Create and apply a logical volume

Create a file lv.yml in /home/student/ansible/ that runs on all hosts, with the following requirements:

  1. Create a logical volume of size 1500MiB from the research volume group
  2. Format the logical volume with ext4
  3. Mount it automatically at boot on /data, but only on hosts in the qa group
  4. If a logical volume of that size cannot be created, print the error message

Could not create logical volume of that size

and create the logical volume with a size of 800MiB instead

  5. If the research volume group does not exist, print an error message saying it does not exist

Solution

1. Create the research volume group. It does not exist by default, so you have to create it yourself, one host at a time on all hosts.

2. Write the playbook. The inventory on this page has no qa group, so the last condition uses default([]) to avoid an undefined-variable error on every host; on an inventory that has the group it behaves as a plain membership test.

[student@workstation ansible]$ cat lv.yml
- hosts: all
  tasks:
  - name: 1. check whether the research volume group exists
    shell: vgdisplay research
    register: res
    ignore_errors: yes
  - name: 2. print the error message if the research volume group does not exist
    debug:
      msg: "research volume group does not exist"
    when: res is failed
    failed_when: res is failed
  - name: 3. create a 1500MiB logical volume
    block:
    - name: 3.1 create lvx
      lvol:
        vg: research
        lv: lvx
        size: 1500m
    rescue:
    - name: 3.2 show the error message
      debug:
        msg: "Could not create logical volume of that size"
    - name: 3.3 create an 800MiB logical volume instead
      lvol:
        vg: research
        lv: lvx
        size: 800m
  - name: 4. format the logical volume
    filesystem:
      dev: /dev/research/lvx
      fstype: ext4
  - name: 5. create the mount point
    file:
      path: /data
      state: directory
    ignore_errors: yes
  - name: 6. mount on /data (qa hosts only)
    mount:
      path: /data
      src: /dev/research/lvx
      fstype: ext4
      state: mounted
    when: ansible_hostname in (groups['qa'] | default([]))

9. Generate a hosts file

  1. Download http://rhgls.labx.example.com/materials/hosts.j2 to /home/student/ansible (in this practice environment there is no template file to download, so you write it yourself)
  2. Complete the template so that it can be used to generate a file with one line per inventory host, in the same format as /etc/hosts
  3. Create a playbook named /home/student/ansible/host.yml that uses this template to generate the file /etc/myhosts on hosts in the dev host group
  4. When it is done, the /etc/myhosts file on the dev host group's hosts should look like this

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.25.250.11 serverb.lab.example.com serverb

172.25.250.10 servera.lab.example.com servera

172.25.250.12 serverc.lab.example.com serverc

172.25.250.13 serverd.lab.example.com serverd

Solution

1. First copy the two localhost lines of /etc/hosts into hosts.j2

[student@workstation ansible]$ sed '3,$d' /etc/hosts > /home/student/ansible/hosts.j2

2. Append the loop below. Note that the line inside the loop must be written as a single line.

[student@workstation ansible]$ cat /home/student/ansible/hosts.j2
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

{% for host in groups['all'] %}
{{ hostvars[host]['ansible_default_ipv4']['address'] }} {{ hostvars[host]['ansible_fqdn'] }} {{ hostvars[host]['ansible_hostname'] }}
{% endfor %}

3. Write the playbook. The play targets all hosts so that facts are gathered for every host and hostvars[host] resolves in the template; the template itself is only written on the dev hosts.

[student@workstation ansible]$ cat /home/student/ansible/hosts.yml
---
- hosts: all
  tasks:
  - name: render hosts.j2 to /etc/myhosts on dev hosts
    template:
      src: hosts.j2
      dest: /etc/myhosts
    when: ansible_hostname in groups["dev"]

4. Check the syntax, dry-run, then run for real

ansible-playbook --syntax-check hosts.yml
ansible-playbook -C hosts.yml
ansible-playbook hosts.yml

5. Verify the result

[student@workstation ansible]$ ansible dev -m shell -a 'cat /etc/myhosts'
servera | SUCCESS | rc=0 >>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.25.250.11 serverb.lab.example.com serverb
172.25.250.10 servera.lab.example.com servera
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd

10. Modify file content

Create a playbook named /home/student/ansible/issue.yml as follows:

  1. The playbook runs on all hosts
  2. The playbook replaces the content of /etc/issue with a single line of text, as follows:

2.1 on hosts in the dev host group, the content is: Development

2.2 on hosts in the test host group, the content is: Test

2.3 on hosts in the prod host group, the content is: Production

Solution

1. Write the playbook

[student@workstation ansible]$ cat /home/student/ansible/issue.yml
---
- hosts: all
  tasks:
  - name: replace content on dev hosts
    copy:
      content: "Development"
      dest: /etc/issue
    when: ansible_hostname in groups["dev"]
  - name: replace content on test hosts
    copy:
      content: "Test"
      dest: /etc/issue
    when: ansible_hostname in groups["test"]
  - name: replace content on prod hosts
    copy:
      content: "Production"
      dest: /etc/issue
    when: ansible_hostname in groups["prod"]

2. Check the syntax, dry-run, then run for real

ansible-playbook --syntax-check issue.yml
ansible-playbook -C issue.yml
ansible-playbook issue.yml

3. Look at the result

[student@workstation ansible]$ ansible all -m shell -a 'cat /etc/issue'
serverd | SUCCESS | rc=0 >>
Production

servera | SUCCESS | rc=0 >>
Development

serverc | SUCCESS | rc=0 >>
Production

serverb | SUCCESS | rc=0 >>
Test

11. Create a web content directory

Create a playbook named /home/student/ansible/webcontent.yml as follows:

  1. The playbook runs on the managed nodes in the dev host group
  2. It creates the directory /webdev with the following requirements:

2.1 group owner is webdev

2.2 permissions: owner=read+write+execute, group=read+write+execute, other=read+execute

2.3 special permission: set group ID

  3. It creates the file /webdev/index.html with the content Development, and links /webdev to /var/www/html/webdev

Solution

1. Edit the playbook. The directory and the file get the httpd_sys_content_t SELinux type because they live outside the default document root; without it httpd would be denied access through the symlink.

[student@workstation ansible]$ cat /home/student/ansible/webcontent.yml
- hosts: dev
  become: true
  tasks:
  - name: 1. Install httpd and firewalld
    yum:
      name: "{{ item }}"
      state: present
    with_items:
      - httpd
      - firewalld
  - name: 2. Start httpd
    service:
      name: httpd
      state: started
      enabled: yes
  - name: 3. Start firewalld
    service:
      name: firewalld
      state: started
      enabled: yes
  - name: 4. Firewall permits the http service
    firewalld:
      service: http
      state: enabled
      permanent: true
      immediate: yes
  - name: 5. Create the group
    group:
      name: webdev
      state: present
  - name: 6. Create the directory (setgid, rwxrwxr-x)
    file:
      path: /webdev
      state: directory
      group: webdev
      mode: '2775'
      setype: httpd_sys_content_t
  - name: 7. Create the symlink
    file:
      src: /webdev
      dest: /var/www/html/webdev
      state: link
  - name: 8. Write the content
    copy:
      content: "Development"
      dest: /webdev/index.html
      setype: httpd_sys_content_t

2. Check the syntax, then run for real

ansible-playbook --syntax-check webcontent.yml
ansible-playbook webcontent.yml

3. Access test

curl http://servera/webdev/index.html
Development

12. Generate a hardware report

Create a playbook named /home/student/ansible/hwreport.yml.

It generates an output file named /root/hwreport.txt on all managed nodes, providing the following information:

  1. inventory host name
  2. total memory (MB)
  3. BIOS version
  4. size of device vda
  5. size of device vdb
  6. Every line of the output file holds one key=value pair. Your playbook should:

1). Download the empty hwreport file from the URL http://rhgls.labx.example.com/materials and save it as /root/hwreport.txt

2). Modify /root/hwreport.txt with the correct values

3). If a hardware item does not exist, the corresponding value should be set to NONE

Solution

1. Write the hwreport playbook. Two details matter: default('NONE') is needed because default(none) renders the Python value None as the string "None", not the required NONE; and the regexp makes lineinfile update an existing key in place instead of appending a second copy on every run. The key names follow the empty report file. This environment has no template to download, so create: yes makes the file if it is missing.

[student@workstation ansible]$ cat hwreport.yml
- hosts: all
  tasks:
  - name: write one key=value line per item, updating it in place on later runs
    lineinfile:
      path: /root/hwreport.txt
      regexp: "^{{ item.key }}\\s*="
      line: "{{ item.key }} = {{ item.value }}"
      create: yes
    with_items:
      - { key: inventory_name, value: "{{ inventory_hostname }}" }
      - { key: total_mem,      value: "{{ ansible_memtotal_mb | default('NONE') }}" }
      - { key: bios_version,   value: "{{ ansible_bios_version | default('NONE') }}" }
      - { key: vda_size,       value: "{{ ansible_devices.vda.size | default('NONE') }}" }
      - { key: vdb_size,       value: "{{ ansible_devices.vdb.size | default('NONE') }}" }

2. Check the syntax, then run for real

ansible-playbook --syntax-check hwreport.yml
ansible-playbook hwreport.yml

3. Check the result

[student@workstation ansible]$ ansible all -m shell -a "cat /root/hwreport.txt"
serverb | SUCCESS | rc=0 >>
inventory_name =
total_mem = 488
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB

serverc | SUCCESS | rc=0 >>
inventory_name =
total_mem = 488
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB

serverd | SUCCESS | rc=0 >>
inventory_name =
total_mem = 488
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB

servera | SUCCESS | rc=0 >>
inventory_name =
total_mem = 487
bios_version = 0.5.1
vda_size = 40.00 GB
vdb_size = 1.00 GB
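The two behaviours the report task leans on, a default that reaches through a missing level of the facts tree (ansible_devices.vdb.size when there is no vdb) and an in-place key=value update that stays stable across runs, are easy to get wrong, so here they are spelled out in plain Python as an added example (not code from the original notes). The facts are constructed from the servera values in the output above; the second host is hypothetical and has no vdb and no BIOS fact.

```python
"""Build the key=value hardware report with NONE for missing facts.

Added example, not from the original notes. It reproduces in Python the two
behaviours task 12 relies on: a default that applies when any level of a
dotted fact path is undefined (Jinja's `a.b.c | default('NONE')`), and
lineinfile's regexp+line semantics, which replace an existing `key = value`
line instead of appending a duplicate on every run.
"""
import re

# Constructed facts: a subset of what `ansible -m setup` returns, shaped like
# the real facts tree (ansible_devices.vda.size and so on).
FACTS_SERVERA = {
    "inventory_hostname": "servera",
    "ansible_memtotal_mb": 487,
    "ansible_bios_version": "0.5.1",
    "ansible_devices": {"vda": {"size": "40.00 GB"}, "vdb": {"size": "1.00 GB"}},
}
FACTS_NO_VDB = {  # hypothetical host with one disk and no BIOS fact
    "inventory_hostname": "servere",
    "ansible_memtotal_mb": 1024,
    "ansible_devices": {"vda": {"size": "20.00 GB"}},
}

# report key -> dotted path into the facts tree (same keys as the report file)
REPORT_FIELDS = [
    ("inventory_name", "inventory_hostname"),
    ("total_mem", "ansible_memtotal_mb"),
    ("bios_version", "ansible_bios_version"),
    ("vda_size", "ansible_devices.vda.size"),
    ("vdb_size", "ansible_devices.vdb.size"),
]


def fact(facts, path, default="NONE"):
    """Look up a dotted path; a missing level anywhere yields `default`."""
    node = facts
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return default if node is None else str(node)


def set_line(lines, key, value):
    """lineinfile semantics: replace the first line matching ^key\\s*= or append."""
    pattern = re.compile(r"^%s\s*=" % re.escape(key))
    new = f"{key} = {value}"
    for i, line in enumerate(lines):
        if pattern.match(line):
            lines[i] = new
            return lines
    lines.append(new)
    return lines


def render_report(facts, existing=""):
    """Return the report text; `existing` content is updated in place if given."""
    lines = existing.splitlines()
    for key, path in REPORT_FIELDS:
        set_line(lines, key, fact(facts, path))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_report(FACTS_SERVERA), end="")
    print(render_report(FACTS_NO_VDB), end="")
```

Rendering the same facts over the previous report returns byte-identical text, which is the property that makes the playbook report ok instead of changed on a second run.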

13. Create a vault

Create an Ansible vault for user passwords as follows:

  1. The vault is named /home/student/ansible/locker.yml
  2. The vault contains the following two variables:

2.1 pw_developer with the value Imadev

2.2 pw_manager with the value Imamgr

  3. The password for encrypting and decrypting is: whenyouwishuponastar
  4. The password is stored in the file /home/student/ansible/secret.txt

Solution

1. Create the password file. Anyone who can read secret.txt can decrypt every vault keyed to it, so keep it readable by its owner only (mode 0600) and out of version control.

[student@workstation ansible]$ cat /home/student/ansible/secret.txt
whenyouwishuponastar

2. Create an encrypted YAML file using the password file

ansible-vault --vault-password-file=secret.txt create /home/student/ansible/locker.yml
# an editor opens; enter the following content
pw_developer: Imadev
pw_manager: Imamgr

3. View the encrypted locker.yml using the password

ansible-vault view locker.yml --vault-password-file=/home/student/ansible/secret.txt

Extra: use ansible-vault to encrypt/decrypt an existing file

ansible-vault --vault-password-file=secret.txt encrypt issue.yml
ansible-vault --vault-password-file=secret.txt decrypt issue.yml

14. Create user accounts

  1. Download the file http://rhgls.labx.example.com/materials/user_list.yml and save it as /home/student/ansible/user_list.yml
  2. Using the passwords in /home/student/ansible/locker.yml (created in the previous task), create a playbook named /home/student/ansible/users.yml that creates these accounts:

2.1 users with the job description developer should:

2.1.1 be created on the managed nodes in the dev and test host groups

2.1.2 be assigned the password from the pw_developer variable

2.1.3 all be members of the devops group

2.2 users with the job description manager should:

2.2.1 be created on the managed nodes in the prod host group

2.2.2 be assigned the password from the pw_manager variable

2.2.3 all be members of the opsmgr group

  3. Passwords should use the SHA512 hash format
  4. Your playbook should use the vault password file created elsewhere in this exam

Solution

1. Write the user list file (this file cannot be downloaded in this environment)

[student@workstation ansible]$ cat user_list.yml
---
users:
  - name: node1
    job: developers
  - name: node2
    job: developers
  - name: node3
    job: manager

2. Write the playbook that creates the users

[student@workstation ansible]$ cat users.yml
- hosts: all
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
  - name: create developer and ops manager accounts
    block:
    # 1. create the two groups
    - group:
        name: devops
        state: present
    - group:
        name: opsmgr
        state: present
    # 2. developers on dev and test hosts
    - user:
        name: "{{ item.name }}"
        password: "{{ pw_developer | password_hash('sha512') }}"
        state: present
        groups: devops
      with_items: "{{ users }}"
      when: ( ansible_hostname in groups['dev'] or ansible_hostname in groups['test'] ) and item.job == "developers"
    # 3. managers on prod hosts
    - user:
        name: "{{ item.name }}"
        password: "{{ pw_manager | password_hash('sha512') }}"
        state: present
        groups: opsmgr
      with_items: "{{ users }}"
      when: ansible_hostname in groups['prod'] and item.job == "manager"

This satisfies the task, but note that password_hash('sha512') draws a fresh random salt every time it is evaluated, so each run produces a different hash and the user tasks report changed and rewrite /etc/shadow on every run. For an idempotent playbook either pass a fixed salt as the second argument (password_hash('sha512', salt)) or set update_password: on_create on the user module so the password is only written when the account is first created.

3. Check the syntax, dry-run, then run for real

ansible-playbook --syntax-check users.yml --vault-password-file=secret.txt
ansible-playbook -C users.yml --vault-password-file=secret.txt
ansible-playbook users.yml --vault-password-file=secret.txt

4. Check the result

ansible all -m shell -a 'id node1'
(likewise for node2 and node3)

15. Ansible vault and rekey

Rekey an existing Ansible vault as follows:

  1. Download http://rhgls.labx.example.com/materials/salaries.yml and save it as /home/student/ansible/salaries.yml
  2. The current vault password is insecure4sure
  3. The new vault password is bbe2de98389b
  4. The vault remains encrypted, now with the new password

Solution

1. salaries.yml cannot be downloaded here, so create it yourself (the password prompts do not echo; the values are shown for clarity)

[student@workstation ansible]$ ansible-vault create salaries.yml
# prompts for the password and a confirmation
New Vault password: insecure4sure
Confirm New Vault password: insecure4sure

# an editor opens; add the following content
RED HAT ANSIBLE 2.7 EXAM
GOOD LUCK

2. Set the new password

[student@workstation ansible]$ ansible-vault rekey salaries.yml
Vault password: insecure4sure
New Vault password: bbe2de98389b
Confirm New Vault password: bbe2de98389b
Rekey successful

3. View the encrypted file with the new password

[student@workstation ansible]$ ansible-vault view salaries.yml
Vault password: bbe2de98389b
RED HAT ANSIBLE 2.7 EXAM
GOOD LUCK
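Both the locker.yml task above (13) and this rekey task end with "the file is still encrypted", and the cheap way to prove that without typing a password is to check the envelope itself. An ansible-vault file is a `$ANSIBLE_VAULT;<version>;AES256` header (format 1.2 adds a `;vault-id` label) followed by hex text; that hex decodes to three newline-separated hex fields, the PBKDF2 salt, the HMAC-SHA256 over the ciphertext, and the AES-CTR ciphertext. The checker below is an added example, not code from the original notes or from Ansible; it validates that structure so it can be used as a pre-commit guard against a plaintext locker.yml slipping into a repository. Its sample envelope is constructed from random bytes (no real encryption) purely to exercise the parser.

```python
"""Validate the structure of an ansible-vault file without decrypting it.

Added example, not from the original notes, covering tasks 13 and 15: a
pre-commit style check that a file which is supposed to hold secrets
(locker.yml, salaries.yml) really is a vault envelope. Nothing here needs the
vault password; it only proves the file is not plaintext.
"""
import binascii
import os
import textwrap

HEADER_PREFIX = "$ANSIBLE_VAULT"
SUPPORTED_VERSIONS = {"1.1", "1.2"}


class NotAVault(ValueError):
    """Raised when the text is not a well-formed vault envelope."""


def parse_vault(text):
    """Return a dict describing the envelope, or raise NotAVault.

    Keys: version, cipher, vault_id (None for 1.1), salt, hmac, ciphertext
    (the last three as bytes).
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(HEADER_PREFIX + ";"):
        raise NotAVault("missing $ANSIBLE_VAULT header")
    parts = lines[0].split(";")
    if len(parts) not in (3, 4):
        raise NotAVault("malformed header: %r" % lines[0])
    _, version, cipher = parts[:3]
    vault_id = parts[3] if len(parts) == 4 else None
    if version not in SUPPORTED_VERSIONS:
        raise NotAVault("unsupported vault format version %r" % version)
    if version == "1.1" and vault_id is not None:
        raise NotAVault("vault-id label is only valid with format 1.2")
    if cipher != "AES256":
        raise NotAVault("unexpected cipher %r" % cipher)
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
        fields = [binascii.unhexlify(f) for f in inner.split(b"\n")]
    except (binascii.Error, ValueError) as exc:
        raise NotAVault("payload is not hex: %s" % exc)
    if len(fields) != 3:
        raise NotAVault("expected salt, hmac and ciphertext, got %d fields" % len(fields))
    salt, mac, ciphertext = fields
    if len(salt) != 32 or len(mac) != 32:
        raise NotAVault("salt and HMAC-SHA256 must both be 32 bytes")
    if not ciphertext or len(ciphertext) % 16:
        raise NotAVault("ciphertext length is not a whole number of AES blocks")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def is_vault(text):
    """True when `text` is a structurally valid vault envelope."""
    try:
        parse_vault(text)
        return True
    except NotAVault:
        return False


def fake_envelope(version="1.1", vault_id=None, blocks=2):
    """Constructed fixture: an envelope with random (not encrypted) fields,
    laid out the way ansible-vault writes them (80-column hex lines)."""
    salt, mac, ct = os.urandom(32), os.urandom(32), os.urandom(16 * blocks)
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ct))
    header = ";".join([HEADER_PREFIX, version, "AES256"] + ([vault_id] if vault_id else []))
    return header + "\n" + "\n".join(textwrap.wrap(binascii.hexlify(inner).decode(), 80)) + "\n"


PLAINTEXT_LOCKER = "pw_developer: Imadev\npw_manager: Imamgr\n"  # must never be committed

if __name__ == "__main__":
    print("plaintext locker.yml is a vault:", is_vault(PLAINTEXT_LOCKER))
    print("constructed 1.2 envelope is a vault:", is_vault(fake_envelope("1.2", "prod")))
```

Because the check only inspects structure, a rekeyed salaries.yml passes exactly as the original did, which is the point: the rekey changes the password the salt is stretched with, not the envelope format.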

16. Update the kernel

Write update_kernel.yml that:

1. Installs the latest kernel version

2. Reboots every host once its kernel has been updated

3. After the host is back up, writes the kernel version to /root/update.txt

Solution

1. Write the playbook

[student@workstation ansible]$ cat update_kernel.yml
- hosts: all
  tasks:
  - name: 1. update the kernel
    yum:
      name: kernel
      state: latest
    register: msg
    ignore_errors: true
  - name: 2. report if the kernel update failed
    debug:
      msg: "kernel update failed"
    when: msg is failed
    failed_when: msg is failed
  - name: 3. reboot the host
    # rebooting immediately would drop the SSH session before the task returns,
    # so sleep briefly and fire the reboot asynchronously
    shell: "sleep 1 && shutdown -r now"
    async: 1
    poll: 0
    ignore_errors: true
  - name: 4. wait for the host to come back
    wait_for:
      host: "{{ inventory_hostname }}"
      state: started
      delay: 30
      timeout: 300
      port: 22
    # the remote host is down, so this task has to run on the control node
    delegate_to: localhost
  - name: 5. write the running kernel version to the file
    shell: "uname -r > /root/update.txt"

The delay of 30 seconds is a guess that the host has actually gone down before wait_for starts polling port 22; if it has not, the wait passes immediately and task 5 runs against the old kernel. Ansible 2.7 added the reboot module, which issues the reboot, waits for the host to return and verifies it with a test command, so it can replace tasks 3 and 4.

2. Run the playbook

[student@workstation ansible]$ ansible-playbook update_kernel.yml

3. Look at the update file

[student@workstation ansible]$ ansible all -m shell -a 'cat /root/update.txt'
servera | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

serverc | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

serverd | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64

serverb | SUCCESS | rc=0 >>
3.10.0-862.el7.x86_64