准备工作
创建roles目录
# mkdir -pv /data/apps/ansible/roles/ubuntu/{tasks,handlers,templates,vars,files}
hosts
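[ubuntu]
# ansible_port / ansible_user are the current connection variable names;
# ansible_ssh_port / ansible_ssh_user are the pre-2.0 aliases.
# `hostname` is a plain host var consumed by the role's hostname task.
172.16.18.31 ansible_port=22 ansible_user=ubuntu hostname=app-01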
测试连通性
# ansible ubuntu -m ping
172.16.18.247 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
创建角色相关文件
main.yaml
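---
# Task entry point for the ubuntu role.
# `include` for task files has been deprecated since Ansible 2.4 and is
# removed in recent ansible-core releases; import_tasks is the static
# equivalent and keeps the same execution order.
# Order matters: packages first (libpam-pwquality must exist before
# pwquality.conf is copied), then system/sshd/PAM changes, then the config
# files, then the reboot that makes the sysctl/rsyslog/kernel changes live.
- import_tasks: install_software.yaml
- import_tasks: init_ubuntu.yaml
- import_tasks: configs.yaml
- import_tasks: reboot.yaml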
configs.yaml
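---
# Drop in the hardened configuration files from the role's files/ directory.
# Native block arguments instead of the `key=value` shorthand, and an explicit
# root:root 0644 on every target rather than inheriting whatever the existing
# file (or the remote umask) happens to have.
# sysctl and rsyslog only read these on reload; this role relies on the final
# reboot task for that, so nothing is notified here.
- name: 内核优化参数
  copy:
    src: sysctl.conf
    dest: /etc/sysctl.conf
    owner: root
    group: root
    mode: "0644"

- name: 设置文件限制数
  copy:
    src: limits.conf
    dest: /etc/security/limits.conf
    owner: root
    group: root
    mode: "0644"

- name: 修改rsylog记录格式
  copy:
    src: 50-default.conf
    dest: /etc/rsyslog.d/50-default.conf
    owner: root
    group: root
    mode: "0644"

# Requires libpam-pwquality, installed by install_software.yaml.
- name: 设置用户密码复杂度
  copy:
    src: pwquality.conf
    dest: /etc/security/pwquality.conf
    owner: root
    group: root
    mode: "0644"

# Lockout thresholds read by the pam_faillock lines added in init_ubuntu.yaml.
- name: 设置faillock
  copy:
    src: faillock.conf
    dest: /etc/security/faillock.conf
    owner: root
    group: root
    mode: "0644"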
init_ubuntu.yaml
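---
# Baseline initialisation and login hardening for the ubuntu role.

# Switch the locale's time format to 24-hour. The original appended the line
# with `echo >>` on every run, growing the file; lineinfile keeps exactly one
# LC_TIME entry. `create` mirrors the shell redirect for a missing file.
- name: 系统时间12小时转为24小时制
  lineinfile:
    path: /etc/default/locale
    regexp: '^LC_TIME='
    line: 'LC_TIME=en_DK.UTF-8'
    create: true

- name: 设置主机名称
  hostname:
    name: "{{ hostname }}"

# Password ageing policy. The regexp matches the existing key so re-runs
# replace the line instead of appending a second one.
- name: 修改密码过期时间
  lineinfile:
    path: /etc/login.defs
    regexp: '^{{ item.name }}'
    line: "{{ item.name }} {{ item.value }}"
  loop:
    - { name: PASS_MAX_DAYS, value: 90 }
    - { name: PASS_MIN_DAYS, value: 7 }
    - { name: PASS_WARN_AGE, value: 14 }

# sshd hardening. The regexp matches the directive whether it is still
# commented out or already set, so a second run updates in place rather than
# falling through to an append at EOF. `validate` runs `sshd -t` on the
# candidate file before it replaces sshd_config: a bad directive would
# otherwise only surface after the reboot task, with nothing listening.
# NOTE(review): Ubuntu 22.04's sshd_config begins with
# `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it
# sees, so a drop-in there can override these lines — check for conflicts.
# Changing Port here also changes the port the post-reboot reconnect must
# use; the inventory's ansible_port has to match before the next run.
- name: 设置sshd_config
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.key }}\b'
    line: "{{ item.key }} {{ item.value }}"
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    - { key: ClientAliveInterval, value: 3600 }
    - { key: MaxAuthTries, value: 3 }
    - { key: Port, value: 50202 }

# pam_faillock: record a failure after pam_unix fails, reset the counter on
# success. `insertafter` is a regular expression, so the original plain-text
# form `auth [success=1 default=ignore] pam_unix.so nullok` was parsed as a
# character class and never matched (the block was appended at EOF instead);
# the brackets are escaped and `\s+` tolerates the tabs Ubuntu uses in this
# file. The success action is spelled `authsucc` in pam_faillock(8); the
# original `authsuc` is not a recognised action, so the counter was never
# reset on a successful login.
# NOTE(review): /etc/pam.d/common-* are generated by pam-auth-update on
# Ubuntu; a profile under /usr/share/pam-configs/ survives regeneration,
# this direct edit may not.
- name: 设置登录失败策略 /etc/pam.d/common-auth
  blockinfile:
    path: /etc/pam.d/common-auth
    insertafter: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so nullok'
    block: |
      auth [default=die] pam_faillock.so authfail
      auth sufficient pam_faillock.so authsucc

# Same tab-tolerant regexp for the account line; lineinfile leaves the file
# untouched once the exact line is present.
- name: 设置登录失败策略 /etc/pam.d/common-account
  lineinfile:
    path: /etc/pam.d/common-account
    insertafter: '^account\s+required\s+pam_permit\.so'
    line: account required pam_faillock.so

# Shell history with timestamp/user/tty/cwd, every interactive command sent
# to syslog through logger, and a 1h idle timeout. A user can unset these in
# their own session, so treat this as convenience logging, not an audit trail.
- name: history fromt
  blockinfile:
    path: /etc/profile
    block: |
      export HISTTIMEFORMAT="[%F %T] [`whoami`] [`who -u am i | awk '{print $1,$2,$3,$4,$7}'`] [`pwd`]"
      export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; } );logger "$msg"; }'
      export TMOUT=3600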
install_software.yaml
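---
# Package work for the ubuntu role, written with native block arguments
# instead of the `key=value` shorthand.

# `upgrade: safe` is what the original `upgrade=yes` maps to (the apt module
# treats yes and safe alike); spelling it out avoids a YAML boolean.
- name: upgrade os software
  apt:
    update_cache: true
    cache_valid_time: 3600
    upgrade: safe

# chrony for time sync, libpam-pwquality for the pwquality.conf copied later.
# The kernel entry installs one specific build; it does not by itself track
# kernel security updates — that is the job of the linux-image-generic
# metapackage, so keep that installed or bump this pin deliberately.
- name: install chrony
  apt:
    name:
      - chrony
      - linux-image-5.15.0-69-generic
      - libpam-pwquality
    state: present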
reboot.yaml
# Final step: reboot so the new kernel, sysctl and rsyslog settings apply.
# After issuing the reboot the module reconnects using the inventory's
# connection variables; if the sshd Port was changed earlier in the same run
# (as in this role) and the inventory still lists the old port, this task
# fails with "Connection refused" even though the host came back.
# Update the inventory port before re-running.
- name: reboot ubuntu22.04
  reboot:
    # seconds to wait for the host to respond again (default is 600)
    reboot_timeout: 100
查看相关文件
# tree /data/apps/ansible/roles/ubuntu/
/data/apps/ansible/roles/ubuntu/
├── files
│ ├── 50-default.conf
│ ├── faillock.conf
│ ├── limits.conf
│ ├── pwquality.conf
│ └── sysctl.conf
├── handlers
├── tasks
│ ├── configs.yaml
│ ├── init_ubuntu.yaml
│ ├── install_software.yaml
│ ├── main.yaml
│ ├── reboot.yaml
│ └── upgrade_os.yaml
├── templates
└── vars
playbook调用角色
role-ubuntu.yaml
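---
# Apply the ubuntu role to the [ubuntu] inventory group.
# `become: true` rather than `yes` — canonical YAML boolean, and what
# yamllint's truthy rule expects.
- hosts: ubuntu
  remote_user: ubuntu
  become: true
  roles:
    - ubuntu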
运行playbook
# ansible-playbook role_ubuntu.yaml
PLAY [ubuntu] ***********************************************************************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] **************************************************************************************************************************************************************************************************************************************************************************
ok: [172.16.18.31]
TASK [ubuntu : upgrade os software] *************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : install chrony] ******************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 系统时间12小时转为24小时制] *****************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置主机名称] **************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 修改密码过期时间] ************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31] => (item={u'name': u'PASS_MAX_DAYS', u'value': 90})
changed: [172.16.18.31] => (item={u'name': u'PASS_MIN_DAYS', u'value': 7})
changed: [172.16.18.31] => (item={u'name': u'PASS_WARN_AGE', u'value': 14})
TASK [ubuntu : 设置登录空闲超时时间] **********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31] => (item={u'name': u'#ClientAliveInterval', u'value': u'ClientAliveInterval 3600'})
changed: [172.16.18.31] => (item={u'name': u'#MaxAuthTries', u'value': u'MaxAuthTries 3'})
changed: [172.16.18.31] => (item={u'name': u'#Port', u'value': u'Port 32323'})
TASK [ubuntu : 设置登录失败策略 /etc/pam.d/common-auth] *************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置登录失败策略 /etc/pam.d/common-account] **********************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : history fromt] ******************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 内核优化参数] **************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置文件限制数] *************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 修改rsylog记录格式] ********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置用户密码复杂度] ***********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置faillock] **********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [reboot ubuntu22.04] ***********************************************************************************************************************************************************************************************************************************************************************
fatal: [172.16.18.31]: FAILED! => {"msg": "Failed to connect to the host via ssh: ssh: connect to host 172.16.18.31 port 22: Connection refused"}
PLAY RECAP **************************************************************************************************************************************************************************************************************************************************************************************
172.16.18.31 : ok=14 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
更新hosts文件
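[ubuntu]
# ansible_port must match the Port value written to sshd_config by the role;
# the reboot task's reconnect uses this value.
# ansible_port / ansible_user are the current names; ansible_ssh_port /
# ansible_ssh_user are the pre-2.0 aliases.
172.16.18.31 ansible_port=50202 ansible_user=ubuntu hostname=app-01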