Compiling and Installing Nginx on CentOS and Ubuntu with an Ansible Role

1. Create the Nginx role directory


[root@centos8 roles]#pwd
/data/ansible/roles
[root@centos8 roles]#mkdir -pv /data/ansible/roles/nginx/{tasks,handlers,files,templates,vars,meta}
mkdir: created directory '/data/ansible/roles/nginx'
mkdir: created directory '/data/ansible/roles/nginx/tasks'
mkdir: created directory '/data/ansible/roles/nginx/handlers'
mkdir: created directory '/data/ansible/roles/nginx/files'
mkdir: created directory '/data/ansible/roles/nginx/templates'
mkdir: created directory '/data/ansible/roles/nginx/vars'
mkdir: created directory '/data/ansible/roles/nginx/meta'
[root@centos8 roles]#tree -L 2 nginx
nginx
├── files
│   ├── GeoIP-1.6.12.tar.gz
│   ├── nginx-1.18.0.tar.gz
│   ├── openssl-1.1.1k.tar.gz
│   ├── pcre-8.44.tar.gz
│   └── zlib-1.2.11.tar.gz
├── handlers
│   └── main.yml
├── meta
│   ├── echo-nginx-module
│   └── ngx_cache_purge
├── tasks
│   ├── build.yml
│   ├── group_add.yml
│   ├── main.yml
│   ├── package.yml
│   ├── start.yml
│   └── user_add.yml
├── templates
│   ├── nginx.conf.j2
│   └── nginx.service
└── vars
    └── main.yml

8 directories, 15 files
[root@centos8 roles]#

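Third-party Nginx modules

Third-party modules extend Nginx's functionality. They are added when Nginx is compiled, by passing --add-module=PATH with the path to the module source. Some are developed in-house by a company's developers for specific business needs; others are written by open-source enthusiasts and published on GitHub. Supporting a third-party module therefore means recompiling Nginx from source.

For example:

echo module: https://github.com/openresty/echo-nginx-module

Cache purge module: https://github.com/FRiCKLE/ngx_cache_purge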

[root@centos8 ~]#cd /data/ansible/roles/nginx/meta
[root@centos8 ~]#yum -y install git
[root@centos8 ~]#git clone https://github.com/openresty/echo-nginx-module.git
[root@centos8 ~]#git clone https://github.com/FRiCKLE/ngx_cache_purge.git
[root@centos8 ~]#ll /data/ansible/roles/nginx/meta
total 0
drwxr-xr-x 4 root root  54 Jun 10 11:30 ./
drwxr-xr-x 8 root root  89 Jun 10 11:28 ../
drwxr-xr-x 6 root root 186 Jun 10 11:22 echo-nginx-module/
drwxr-xr-x 4 root root 135 Jun 10 11:24 ngx_cache_purge/
[root@centos8 ~]#

pcre: for URL rewriting (rewrite)

zlib: for gzip compression

openssl-1.1.1k: to fix OpenSSL security vulnerabilities

geoip: for obtaining location information

cd /data/ansible/roles/nginx/files
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
wget http://zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
wget http://nginx.org/download/nginx-1.18.0.tar.gz
wget https://github.com/maxmind/geoip-api-c/releases/download/v1.6.12/GeoIP-1.6.12.tar.gz
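
Two of the downloads above use plain HTTP, and all five archives are later unpacked and built as root on every managed host, so it is worth checking them against pinned digests before they go into the role's files directory. The following is an added example, not part of the original post; the manifest name SHA256SUMS and the function names are assumptions, and the demo uses constructed stand-in files rather than the real archives.

```bash
#!/usr/bin/env bash
# verify_tarballs DIR MANIFEST
#   MANIFEST is in sha256sum format: "<hex digest>  <file name>" per line.
# Returns 0 only if every *.tar.gz in DIR is pinned and matches, and every
# pinned file is present. Prints one line per problem found.
verify_tarballs() {
    local dir="$1" manifest="$2" rc=0 f name want got
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        name=${f##*/}
        want=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
        if [ -z "$want" ]; then
            echo "UNPINNED $name"; rc=1; continue
        fi
        got=$(sha256sum "$f" | awk '{ print $1 }')
        [ "$got" = "$want" ] || { echo "MISMATCH $name"; rc=1; }
    done
    while read -r want name; do
        [ -n "$name" ] || continue
        [ -e "$dir/$name" ] || { echo "MISSING $name"; rc=1; }
    done < "$manifest"
    return $rc
}

# Constructed demo: stand-in files are pinned, then one is altered and an
# extra, unpinned archive appears next to them.
demo_verify() {
    local d rc=0; d=$(mktemp -d)
    printf 'stand-in for nginx source' > "$d/nginx-1.18.0.tar.gz"
    printf 'stand-in for zlib source'  > "$d/zlib-1.2.11.tar.gz"
    (cd "$d" && sha256sum nginx-1.18.0.tar.gz zlib-1.2.11.tar.gz > SHA256SUMS)
    printf 'altered in transit' > "$d/zlib-1.2.11.tar.gz"
    printf 'not in manifest'    > "$d/pcre-8.44.tar.gz"
    verify_tarballs "$d" "$d/SHA256SUMS" || rc=$?
    rm -rf "$d"
    return $rc
}
```

The manifest should be filled from digests or signatures published by each upstream project and kept in version control next to the role, not generated from the files that were just downloaded.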

2. Write the YAML files

Define variables

[root@centos8 ~]#cat /data/ansible/roles/nginx/vars/main.yml
centos_package: ['make','gcc','gcc-c++','libtool','pcre','pcre-devel','zlib','zlib-devel','openssl','openssl-devel','perl-ExtUtils-Embed','expat-devel','bzip2','gzip']
ubuntu_package: ['g++','make','libapr1-dev','libaprutil1-dev','libpcre3','libpcre3-dev','libssl-dev','bzip2','gzip','openssl','zlib1g-dev','build-essential','libtool','openssl','libgeoip-dev']
prefix: /apps/nginx
dest_dir: /usr/local/src
nginx_version: nginx-1.18.0
openssl_version: openssl-1.1.1k
pcre_version: pcre-8.44
zlib_version: zlib-1.2.11
geoip_version: GeoIP-1.6.12
compression_type: .tar.gz
user: nginx
group: nginx
uid: 80
gid: 80
[root@centos8 ~]#

Write the Nginx configuration template

[root@centos8 roles]#cat /data/ansible/roles/nginx/templates/nginx.conf.j2
user {{ user }};
worker_processes auto;
error_log {{ prefix }}/logs/error.log;
pid {{ prefix }}/run/nginx.pid;

include {{ prefix }}/conf.d/*.conf;

events {
    worker_connections 65535;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  {{ prefix }}/logs/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             mime.types;
    default_type        application/octet-stream;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }


}
[root@centos8 roles]#

Write the Nginx startup (systemd unit) template

[root@centos8 roles]#cat /data/ansible/roles/nginx/templates/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile={{ prefix }}/run/nginx.pid
ExecStartPre=/bin/rm -f {{ prefix }}/run/nginx.pid
ExecStartPre={{ prefix }}/sbin/nginx -t
ExecStart={{ prefix }}/sbin/nginx
# kill takes a PID, not the path of the pid file; systemd supplies $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
# See the notes at the top of /etc/security/limits.conf for details.
# (Unit files do not support trailing comments, so this stays on its own line.)
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
[root@centos8 roles]#

Write the handler file

[root@centos8 roles]#cat /data/ansible/roles/nginx/handlers/main.yml
---
- name: restart nginx
  service: name=nginx state=restarted

- debug: msg="nginx start successful"
[root@centos8 roles]#

Install packages

[root@centos8 roles]#cat /data/ansible/roles/nginx/tasks/package.yml
---
- name: install packages for CentOS
  yum: name={{ centos_package }} state=installed
  when: ansible_facts['distribution'] == "CentOS"
- name: install packages for Ubuntu
  apt: name={{ ubuntu_package }}
  when: ansible_facts['distribution'] == "Ubuntu"
[root@centos8 roles]#

Create the group

[root@centos8 roles]#cat /data/ansible/roles/nginx/tasks/group_add.yml
---
- name: delete {{ prefix }}
  file: path={{ prefix }} state=absent
  ignore_errors: True

- name: create {{ prefix }}
  file: path={{ prefix }} state=directory owner=root group=root mode=755

- name: create group
  group: name={{ group }} gid={{ gid }} system=yes
  ignore_errors: True
[root@centos8 roles]#

Create the user

[root@centos8 roles]#cat /data/ansible/roles/nginx/tasks/user_add.yml
---
- name: create user
  user: name={{ user }} uid={{ uid }} group={{ group }} shell=/sbin/nologin system=yes create_home=no home={{ prefix }}/conf/nginx
  ignore_errors: True
[root@centos8 roles]#

Compile nginx

[root@centos8 roles]#cat /data/ansible/roles/nginx/tasks/build.yml
---
- name: delete {{ dest_dir }}
  file: path={{ dest_dir }} state=absent
  ignore_errors: True

- name: create {{ dest_dir }}
  file: path={{ dest_dir }} state=directory owner=root group=root mode=755

- name: unarchive geoip file
  unarchive: src="files/{{ geoip_version }}{{ compression_type }}" dest={{ dest_dir }} owner=root remote_src=no

- name: unarchive pcre file
  unarchive: src="files/{{ pcre_version }}{{ compression_type }}" dest={{ dest_dir }} owner=root remote_src=no

- name: unarchive zlib file
  unarchive: src="files/{{ zlib_version }}{{ compression_type }}" dest={{ dest_dir }} owner=root remote_src=no

- name: unarchive openssl file
  unarchive: src="files/{{ openssl_version }}{{ compression_type }}" dest={{ dest_dir }} owner=root remote_src=no

- name: unarchive nginx file
  unarchive: src="files/{{ nginx_version }}{{ compression_type }}" dest={{ dest_dir }} owner=root remote_src=no

- name: build geoip
  shell: chdir={{ dest_dir }}/{{ geoip_version }} ./configure &&  make -j {{ ansible_processor_vcpus }} && make install

# Notes on the options below (kept outside the command, because a "#" inside
# the YAML scalar would cut the command short):
#   --add-module    path to the third-party module's source code; the path must
#                   exist on the managed host, where ./configure runs
#   --with-file-aio enables asynchronous file I/O (AIO)
#   --with-pcre, --with-zlib, --with-openssl
#                   path to the unpacked source of each library
- name: configure nginx
  shell: >
    ./configure
    --prefix={{ prefix }}
    --user={{ user }}
    --group={{ group }}
    --sbin-path={{ prefix }}/sbin/nginx
    --conf-path={{ prefix }}/conf/nginx.conf
    --pid-path={{ prefix }}/run/nginx.pid
    --with-http_auth_request_module
    --with-http_realip_module
    --with-http_v2_module
    --with-debug
    --with-http_random_index_module
    --with-http_sub_module
    --with-http_addition_module
    --with-http_secure_link_module
    --with-http_geoip_module
    --with-http_ssl_module
    --with-stream_ssl_module
    --with-stream_realip_module
    --with-stream_ssl_preread_module
    --with-stream
    --with-http_slice_module
    --with-threads
    --with-http_gzip_static_module
    --with-http_gunzip_module
    --with-http_stub_status_module
    --add-module=/data/ansible/roles/nginx/meta/echo-nginx-module
    --add-module=/data/ansible/roles/nginx/meta/ngx_cache_purge
    --with-file-aio
    --with-pcre={{ dest_dir }}/{{ pcre_version }}
    --with-zlib={{ dest_dir }}/{{ zlib_version }}
    --with-openssl={{ dest_dir }}/{{ openssl_version }}
  args:
    chdir: "{{ dest_dir }}/{{ nginx_version }}"

- name: build nginx
  shell: chdir={{ dest_dir }}/{{ nginx_version }} make -j {{ ansible_processor_vcpus }} && make install

- debug: msg="nginx build successful"
[root@centos8 roles]#

Write the YAML file that starts the nginx service

[root@centos8 roles]#cat /data/ansible/roles/nginx/tasks/start.yml
---
- name: set lib
  shell: echo "/usr/local/lib" >> /etc/ld.so.conf && ldconfig

- name: set variable PATH
  shell: echo PATH={{ prefix }}/sbin:'$PATH' > /etc/profile.d/nginx.sh

# The shell module runs /bin/sh, which is dash on Ubuntu and has no "source" builtin
- name: source environment variable
  shell: . /etc/profile.d/nginx.sh

- name: prepare service file
  template: src=nginx.service dest=/lib/systemd/system/nginx.service
  notify: restart nginx

- name: prepare conf file
  template: src=nginx.conf.j2 dest={{ prefix }}/conf/nginx.conf
  notify: restart nginx

- name: start service
  service: name=nginx state=started enabled=yes

- debug: msg="nginx start successful"
[root@centos8 roles]#

Write the entry file, which defines the order in which the tasks run

[root@centos8 roles]#cat /data/ansible/roles/nginx/tasks/main.yml
- include: package.yml
- include: group_add.yml
- include: user_add.yml
- include: build.yml
- include: start.yml
[root@centos8 roles]#

3. Run the playbook and check the nginx environment

[root@centos8 ~]#cat /data/ansible/roles/nginx.yml
---
- hosts: web
  serial: 2
  remote_user: root

  roles:
    - role: nginx
[root@centos8 ~]#

# Dry run
[root@centos8 ~]#ansible-playbook -C /data/ansible/roles/nginx.yml

# Run the playbook
[root@centos8 ~]#ansible-playbook /data/ansible/roles/nginx.yml

# Check
[root@centos8 roles]#ansible web -m shell -a 'ss -tnlp|grep 80'
10.0.0.11 | CHANGED | rc=0 >>
LISTEN    0         128                0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=149194,fd=8),("nginx",pid=149193,fd=8))
LISTEN    0         128                   [::]:80                  [::]:*        users:(("nginx",pid=149194,fd=9),("nginx",pid=149193,fd=9))
[root@centos8 roles]#ansible web -m shell -a 'ps aux|grep nginx|grep -v grep'
10.0.0.11 | CHANGED | rc=0 >>
root      149193  0.0  0.0  35796   832 ?        Ss   14:25   0:00 nginx: master process /apps/nginx/sbin/nginx
nginx     149194  0.0  1.7  97224 31796 ?        S    14:25   0:00 nginx: worker process
[root@centos8 roles]#

Check resource limits

systemctl daemon-reload

systemctl restart nginx

pidof nginx

cat /proc/nginx_masterPID/limits
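
The two manual checks above (the process list and the master's limits file) can be turned into a repeatable audit. It confirms that every worker runs as the unprivileged user from vars/main.yml and that the unit's LimitNOFILE value actually took effect. This is an added example, not part of the original post; the function names are assumptions, and the limits values in the demo are constructed.

```bash
#!/usr/bin/env bash
# audit_nginx PS_FILE LIMITS_FILE WANT_USER WANT_NOFILE
#   PS_FILE     saved output of: ps aux | grep nginx | grep -v grep
#   LIMITS_FILE saved copy of /proc/<master pid>/limits
# Prints one line per finding and returns non-zero if there is any.
audit_nginx() {
    local ps_file="$1" limits_file="$2" want_user="$3" want_nofile="$4"
    local rc=0 bad soft hard
    # Workers parse client traffic; each must run as the unprivileged user.
    bad=$(awk -v u="$want_user" \
        '/nginx: worker process/ && $1 != u { print "WORKER_USER " $1 " pid=" $2 }' "$ps_file")
    [ -z "$bad" ] || { echo "$bad"; rc=1; }
    grep -q 'nginx: worker process' "$ps_file" || { echo "NO_WORKERS"; rc=1; }
    # Line format: "Max open files  <soft>  <hard>  files"
    soft=$(awk '/^Max open files/ { print $4 }' "$limits_file")
    hard=$(awk '/^Max open files/ { print $5 }' "$limits_file")
    if [ "$soft" != "$want_nofile" ] || [ "$hard" != "$want_nofile" ]; then
        echo "NOFILE soft=${soft:-?} hard=${hard:-?} want=$want_nofile"; rc=1
    fi
    return $rc
}

# Constructed sample: the ps lines shown above, plus a limits file in which
# the unit's LimitNOFILE did not take effect (the numbers are made up).
demo_audit() {
    local d rc=0; d=$(mktemp -d)
    cat > "$d/ps.txt" <<'EOF'
root      149193  0.0  0.0  35796   832 ?        Ss   14:25   0:00 nginx: master process /apps/nginx/sbin/nginx
nginx     149194  0.0  1.7  97224 31796 ?        S    14:25   0:00 nginx: worker process
EOF
    cat > "$d/limits.txt" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 262144               files
EOF
    audit_nginx "$d/ps.txt" "$d/limits.txt" nginx 65535 || rc=$?
    rm -rf "$d"
    return $rc
}
```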
