ansible init 系统

发布时间 2023-03-30 17:34:18作者: 小吉猫

准备工作

创建roles目录

# mkdir -pv /data/apps/ansible/roles/ubuntu/{files,handlers,tasks,templates,vars}

hosts

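[ubuntu]
# ansible_port / ansible_user are the current names; the ansible_ssh_* forms
# are pre-2.0 aliases that still work but are deprecated.
# `hostname` is a plain host var consumed by the hostname task in init_ubuntu.yaml.
172.16.18.31 ansible_port=22  ansible_user=ubuntu hostname=app-01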

测试连通性

# ansible ubuntu -m ping
172.16.18.247 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    }, 
    "changed": false, 
    "ping": "pong"
}

创建角色相关文件

main.yaml

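---
# Task entry point of the "ubuntu" role; the files run in this order.
# `include` is deprecated (and removed in recent ansible-core); `import_tasks`
# is the static equivalent, so the role still reads top to bottom.
- import_tasks: install_software.yaml
- import_tasks: init_ubuntu.yaml
- import_tasks: configs.yaml
# Last on purpose: the new kernel, /etc/sysctl.conf and the sshd_config edits
# are not applied live by the tasks above, they only take effect after this reboot.
- import_tasks: reboot.yaml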

configs.yaml

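---
# Drop in the hardening files shipped in files/. They are root-owned,
# world-readable system config: pin owner/group/mode explicitly (copy otherwise
# keeps whatever permissions the existing file had) and keep a backup of the
# file that is replaced so a bad sysctl/limits change can be rolled back.
- name: 内核优化参数
  # Not applied live; takes effect at the reboot in reboot.yaml
  # (or run `sysctl --system` by hand).
  copy:
    src: sysctl.conf
    dest: /etc/sysctl.conf
    owner: root
    group: root
    mode: "0644"
    backup: true

- name: 设置文件限制数
  copy:
    src: limits.conf
    dest: /etc/security/limits.conf
    owner: root
    group: root
    mode: "0644"
    backup: true

- name: 修改rsylog记录格式
  # rsyslog only re-reads this after a restart (covered by the reboot).
  copy:
    src: 50-default.conf
    dest: /etc/rsyslog.d/50-default.conf
    owner: root
    group: root
    mode: "0644"
    backup: true

- name: 设置用户密码复杂度
  # Only enforced because libpam-pwquality is installed in install_software.yaml.
  copy:
    src: pwquality.conf
    dest: /etc/security/pwquality.conf
    owner: root
    group: root
    mode: "0644"
    backup: true

- name: 设置faillock
  # Thresholds (deny/unlock_time/...) for the pam_faillock lines that
  # init_ubuntu.yaml adds to /etc/pam.d/common-auth and common-account.
  copy:
    src: faillock.conf
    dest: /etc/security/faillock.conf
    owner: root
    group: root
    mode: "0644"
    backup: true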

init_ubuntu.yaml

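- name: 系统时间12小时转为24小时制
  # lineinfile instead of `echo >>`: the shell form appends another LC_TIME
  # line on every run and never replaces an existing value.
  # NOTE(review): assumes the en_DK.UTF-8 locale is generated on the host;
  # otherwise the setting is silently ignored -- confirm with `locale -a`.
  lineinfile:
    path: /etc/default/locale
    regexp: '^LC_TIME='
    line: 'LC_TIME=en_DK.UTF-8'
    create: true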

- name: 设置主机名称
  # `hostname` comes from the inventory host var (hostname=app-01 in hosts).
  hostname:
    name: '{{ hostname }}'

- name: 修改密码过期时间
  # Password-ageing settings in /etc/login.defs. Each regexp is anchored on the
  # key name so a re-run edits the existing line instead of appending one.
  # NOTE(review): per login.defs(5) these are defaults for accounts created
  # afterwards; existing users keep their chage values -- verify if that matters.
  lineinfile:
    path: /etc/login.defs
    regexp: '^{{ item.name }}'
    line: '{{ item.name }}  {{ item.value }}'
  loop:
    - name: PASS_MAX_DAYS
      value: 90
    - name: PASS_MIN_DAYS
      value: 7
    - name: PASS_WARN_AGE
      value: 14

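- name: 设置sshd_config
  # `^#?` matches both the stock commented-out directive and one that an
  # earlier run already uncommented, so a re-run edits in place instead of
  # appending a duplicate. `validate` rejects a config sshd cannot parse,
  # which would otherwise lock everyone out once the host reboots.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.name }}\b'
    line: '{{ item.name }} {{ item.value }}'
    validate: '/usr/sbin/sshd -t -f %s'
    backup: true
  loop:
    - { name: ClientAliveInterval, value: 3600 }
    - { name: MaxAuthTries, value: 3 }
    - { name: Port, value: 50202 }
  # Reviewer notes:
  # - ClientAliveInterval is a keep-alive probe, not an idle logout: per
  #   sshd_config(5) an unresponsive client is dropped after
  #   ClientAliveCountMax (default 3) unanswered probes, i.e. ~3h here.
  #   The idle logout is TMOUT in /etc/profile below.
  # - MaxAuthTries 3 counts every key the client offers; users with several
  #   keys loaded in an agent can be rejected before the right one is tried.
  # - Ubuntu's sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`
  #   and sshd keeps the first value it sees, so a drop-in there (e.g. from
  #   cloud-init) would override these lines -- check that directory.
  # - The new Port is only listened on after sshd restarts (here: the reboot);
  #   the inventory must then be switched to ansible_port=50202.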
  
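- name: 设置登录失败策略 /etc/pam.d/common-auth
  # insertafter is a regular expression. A literal copy of the stock line does
  # not match it: Ubuntu's common-auth is tab-separated, and an unescaped
  # "[success=1 default=ignore]" is a character class matching one character.
  # With no match blockinfile falls back to EOF, i.e. after pam_deny/pam_permit,
  # where the faillock lines are never reached. Anchor on the module name.
  # The action is `authsucc` (pam_faillock does not know `authsuc`).
  # Thresholds come from /etc/security/faillock.conf (configs.yaml).
  # NOTE(review): common-auth is regenerated by pam-auth-update; a profile
  # under /usr/share/pam-configs/ survives that, a hand edit may not -- verify.
  blockinfile:
    path: /etc/pam.d/common-auth
    insertafter: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
    block: |
      auth     [default=die]  pam_faillock.so authfail
      auth     sufficient     pam_faillock.so authsucc

- name: 设置登录失败策略 /etc/pam.d/common-auth (preauth)
  # pam_faillock(8) recommends `preauth` ahead of pam_unix so a locked account
  # is refused before its password is even checked. Separate task because a
  # blockinfile has one insert point; the distinct marker keeps the two
  # managed blocks from overwriting each other.
  blockinfile:
    path: /etc/pam.d/common-auth
    marker: '# {mark} ANSIBLE MANAGED BLOCK faillock preauth'
    insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
    block: |
      auth     required       pam_faillock.so preauth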
  
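- name: 设置登录失败策略 /etc/pam.d/common-account
  # Same regex caveat as common-auth: the stock file is tab-separated, so match
  # on whitespace and the module name rather than a literal copy of the line.
  # The explicit regexp makes the task idempotent even if the spacing of an
  # already-present faillock line differs.
  lineinfile:
    path: /etc/pam.d/common-account
    regexp: '^account\s+required\s+pam_faillock\.so'
    insertafter: '^account\s+required\s+pam_permit\.so'
    line: 'account required      pam_faillock.so'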

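- name: history  fromt
  # Shell-session audit trail via /etc/profile: timestamped history, every
  # interactive command forwarded to syslog, and a 1h idle logout.
  # Limits worth knowing: only login shells that read /etc/profile are
  # covered, a user can unset PROMPT_COMMAND/HISTTIMEFORMAT, and logger writes
  # as the user so entries are forgeable. For tamper-resistant command
  # auditing use auditd; treat this as a convenience log, not a control.
  blockinfile:
    path: /etc/profile
    block: |
      export HISTTIMEFORMAT="[%F %T] [`whoami`] [`who -u am i | awk '{print $1,$2,$3,$4,$7}'`] [`pwd`]"
      # read -r and a quoted "$y": unquoted, a '*' in the logged command would
      # be globbed against the current directory and backslashes mangled.
      export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; echo "$y"; } );logger "$msg"; }'
      export TMOUT=3600
      # readonly: otherwise `unset TMOUT` in the shell defeats the idle timeout.
      readonly TMOUT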

install_software.yaml

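---
- name: upgrade os software
  # `safe` is what `upgrade=yes` meant: an upgrade that never removes
  # packages. Switch to `dist` if metapackages need to pull new dependencies.
  apt:
    update_cache: true
    cache_valid_time: 3600
    upgrade: safe

- name: install chrony
  # NOTE(review): the kernel is pinned to one exact ABI build, so this line
  # goes stale and does not follow security updates the way the
  # linux-image-generic metapackage would; bump it deliberately.
  apt:
    name:
      - chrony
      - linux-image-5.15.0-69-generic
      - libpam-pwquality
    state: present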

reboot.yaml

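---
# The `reboot` module cannot be used as-is here: init_ubuntu.yaml moved sshd to
# Port 50202, which takes effect at this reboot, so `reboot` keeps polling the
# inventory port (22) until reboot_timeout and then fails with
# "connect to host ... port 22: Connection refused". Instead: trigger the
# reboot over the still-open connection, switch the connection port for the
# rest of the play, then wait for sshd on the new port.
- name: reboot ubuntu22.04
  # async/poll=0 returns immediately; the sleep gives Ansible time to
  # collect the job status before sshd goes away. Runs as root via become.
  shell: sleep 2 && /sbin/shutdown -r now 'ansible init reboot'
  async: 1
  poll: 0

- name: switch connection to the new sshd port
  # Must match the Port written to sshd_config in init_ubuntu.yaml; the
  # inventory has to be updated to the same value before the next run.
  set_fact:
    ansible_port: 50202

- name: wait for the host to come back on the new port
  wait_for_connection:
    delay: 10
    timeout: 300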

查看相关文件

# tree /data/apps/ansible/roles/ubuntu/
/data/apps/ansible/roles/ubuntu/
├── files
│   ├── 50-default.conf
│   ├── faillock.conf
│   ├── limits.conf
│   ├── pwquality.conf
│   └── sysctl.conf
├── handlers
├── tasks
│   ├── configs.yaml
│   ├── init_ubuntu.yaml
│   ├── install_software.yaml
│   ├── main.yaml
│   ├── reboot.yaml
│   └── upgrade_os.yaml
├── templates
└── vars

playbook调用角色

role_ubuntu.yaml

---
# Apply the "ubuntu" role to every host in the [ubuntu] inventory group,
# logging in as `ubuntu` and escalating for each task (become_method
# defaults to sudo).
- hosts: ubuntu
  remote_user: ubuntu
  become: true
  roles:
    - ubuntu

运行playbook

# ansible-playbook role_ubuntu.yaml
PLAY [ubuntu] ***********************************************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************************************************************************************************************************************
ok: [172.16.18.31]

TASK [ubuntu : upgrade os software] *************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : install chrony] ******************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 系统时间12小时转为24小时制] *****************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 设置主机名称] **************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 修改密码过期时间] ************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31] => (item={u'name': u'PASS_MAX_DAYS', u'value': 90})
changed: [172.16.18.31] => (item={u'name': u'PASS_MIN_DAYS', u'value': 7})
changed: [172.16.18.31] => (item={u'name': u'PASS_WARN_AGE', u'value': 14})

TASK [ubuntu : 设置登录空闲超时时间] **********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31] => (item={u'name': u'#ClientAliveInterval', u'value': u'ClientAliveInterval 3600'})
changed: [172.16.18.31] => (item={u'name': u'#MaxAuthTries', u'value': u'MaxAuthTries 3'})
changed: [172.16.18.31] => (item={u'name': u'#Port', u'value': u'Port 32323'})

TASK [ubuntu : 设置登录失败策略 /etc/pam.d/common-auth] *************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 设置登录失败策略 /etc/pam.d/common-account] **********************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : history  fromt] ******************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 内核优化参数] **************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 设置文件限制数] *************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 修改rsylog记录格式] ********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 设置用户密码复杂度] ***********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [ubuntu : 设置faillock] **********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]

TASK [reboot ubuntu22.04] ***********************************************************************************************************************************************************************************************************************************************************************
fatal: [172.16.18.31]: FAILED! => {"msg": "Failed to connect to the host via ssh: ssh: connect to host 172.16.18.31 port 22: Connection refused"}

PLAY RECAP **************************************************************************************************************************************************************************************************************************************************************************************
172.16.18.31               : ok=14   changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

更新hosts文件（首次运行后 sshd 已切换到 50202 端口，再次运行前必须先更新 inventory 中的端口，否则无法连接）

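[ubuntu]
# ansible_port must match the Port written to sshd_config by init_ubuntu.yaml;
# after the first run sshd no longer listens on 22.
# ansible_port / ansible_user replace the deprecated ansible_ssh_* aliases.
172.16.18.31 ansible_port=50202  ansible_user=ubuntu hostname=app-01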