ANSIBLE 模块(Group、User、Copy、File、Fetch、Cron、Command、Yum、Script、Setup、Service等)和 ANSIBLE 三种变量的综合示例
运维自动化之 ANSIBLE 详解(重点:Template、Roles 详解)
运维自动化之 ANSIBLE 详解(重点:Ansible安装方法、程序文件、模块和变量详解)
Ansible Roles 详解示例
使用 Ansible Playbook 实现 LNMP 的动静分离详细示例
[root@Tang-0 ~]# yum install ansible -y
[root@Tang-0 ~]# ansible --version
ansible 2.4.2.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Oct 30 2018, 23:45:53) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
# NOTE(review): -P "" stores root's private key on disk with no passphrase, so anyone who can
# read /root/.ssh/id_rsa on this control node can log in as root on every host the key is
# copied to below. Consider a passphrase held in ssh-agent, and a dedicated non-root
# automation account that escalates with sudo instead of direct root logins.
[root@Tang-0 ~]# ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+lqLxfVrx36h2ap8w7LMtHbo3qL7OgmA7auWr0OT5L0 root@Tang-0
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| o |
| o o |
| o + . S . |
| = o + . . . |
| . o + = ..+.+ .|
| + E = +==+Oo..|
| .o=.o.o+X%O=+. |
+----[SHA256]-----+
# NOTE(review): the host-key prompt that follows is answered "yes" without comparing the
# fingerprint to one read from the target's console, so this first connection is
# trust-on-first-use. The ECDSA fingerprint printed for 192.168.1.61, .62 and .63 in this
# transcript is identical, which suggests the three machines share one SSH host key
# (typical of cloned images; TODO confirm). If so, regenerate the host keys on each
# machine so that one host cannot pass for another.
[root@Tang-0 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.61
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.61 (192.168.1.61)' can't be established.
ECDSA key fingerprint is SHA256:b+SNKJf2grTF0wbVJvJiKxX5NI2dtQwmvBcX0/10SKA.
ECDSA key fingerprint is MD5:20:16:c2:57:96:a2:00:67:05:e8:d9:41:ff:3a:41:d1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.61's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.1.61'"
and check to make sure that only the key(s) you wanted were added.
[root@Tang-0 ~]# ssh root@192.168.1.61
Last login: Mon Oct 21 02:09:06 2019 from bogon
[root@Tang-1 ~]# exit
logout
Connection to 192.168.1.61 closed.
[root@Tang-0 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.62
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.62 (192.168.1.62)' can't be established.
ECDSA key fingerprint is SHA256:b+SNKJf2grTF0wbVJvJiKxX5NI2dtQwmvBcX0/10SKA.
ECDSA key fingerprint is MD5:20:16:c2:57:96:a2:00:67:05:e8:d9:41:ff:3a:41:d1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.62's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.1.62'"
and check to make sure that only the key(s) you wanted were added.
[root@Tang-0 ~]# ssh root@192.168.1.62
Last login: Mon Oct 21 02:09:14 2019 from bogon
[root@Tang-2 ~]# exit
logout
Connection to 192.168.1.62 closed.
[root@Tang-0 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.63
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.63 (192.168.1.63)' can't be established.
ECDSA key fingerprint is SHA256:b+SNKJf2grTF0wbVJvJiKxX5NI2dtQwmvBcX0/10SKA.
ECDSA key fingerprint is MD5:20:16:c2:57:96:a2:00:67:05:e8:d9:41:ff:3a:41:d1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.63's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.1.63'"
and check to make sure that only the key(s) you wanted were added.
[root@Tang-0 ~]# ssh root@192.168.1.63
Last login: Mon Oct 21 02:09:19 2019 from bogon
[root@Tang-3 ~]# exit
logout
Connection to 192.168.1.63 closed.
[root@Tang-0 ~]# cat /etc/ansible/hosts | grep 192.168.1.6 -C 2
[NginxProxy]
192.168.1.61
[MariadbPhp]
192.168.1.62
[NginxServer]
192.168.1.63
[root@Tang-0 ~]# ansible all --list-hosts
hosts (3):
192.168.1.63
192.168.1.62
192.168.1.61
[root@Tang-0 ~]# ansible all -m ping
192.168.1.62 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.1.61 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.1.63 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@Tang-0 ~]# mkdir -pv /etc/ansible/roles/nginxproxy/{files,templates,tasks,vars,handlers,meta,default}
mkdir: created directory ‘/etc/ansible/roles/nginxproxy’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/files’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/templates’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/tasks’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/vars’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/handlers’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/meta’
mkdir: created directory ‘/etc/ansible/roles/nginxproxy/default’
[root@Tang-0 ~]# mkdir -pv /etc/ansible/roles/nginxserver/{files,templates,tasks,vars,handlers,meta,default}
mkdir: created directory ‘/etc/ansible/roles/nginxserver’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/files’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/templates’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/tasks’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/vars’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/handlers’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/meta’
mkdir: created directory ‘/etc/ansible/roles/nginxserver/default’
[root@Tang-0 ~]# mkdir -pv /etc/ansible/roles/mariadbphp/{files,templates,tasks,vars,handlers,meta,default}
mkdir: created directory ‘/etc/ansible/roles/mariadbphp’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/files’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/templates’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/tasks’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/vars’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/handlers’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/meta’
mkdir: created directory ‘/etc/ansible/roles/mariadbphp/default’
[root@Tang-0 ~]# tree /etc/ansible/roles/nginxproxy/
/etc/ansible/roles/nginxproxy/
├── default
├── files
│ └── neotang.conf
├── handlers
│ └── main.yml
├── meta
├── tasks
│ └── main.yml
├── templates
└── vars
7 directories, 3 files
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxproxy/tasks/main.yml
# Tasks for the nginxproxy role: install nginx from EPEL, deploy the proxy
# virtual host and make sure the service is running.

# NOTE(review): `setenforce 0` switches SELinux to permissive mode on the
# managed host until the next reboot. It sidesteps policy denials instead of
# granting what the proxy needs; keeping enforcing mode and enabling the
# relevant boolean (presumably httpd_can_network_connect for proxy_pass and
# fastcgi_pass; verify against the audit log) preserves the confinement.
- name: setenforce
  command: setenforce 0

- name: install epel repo
  yum:
    name: epel-release
    state: latest

# state=latest installs whatever version the repository currently offers,
# so the deployed nginx version is not pinned by this role.
- name: install nginx
  yum:
    name: nginx
    state: latest

# src is looked up in this role's files/ directory; a change to the file
# notifies the "restart nginx" handler.
- name: install nginxproxy config
  copy:
    src: neotang.conf
    dest: /etc/nginx/conf.d/neotang.conf
  tags: nginxproxyconf
  notify: restart nginx

- name: start nginxproxy
  service:
    name: nginx
    state: started
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxproxy/handlers/main.yml
# Runs when a task notifies "restart nginx" (the proxy config copy task does).
- name: restart nginx
  service:
    name: nginx
    state: restarted
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxproxy/files/neotang.conf
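# Front-end virtual host on the proxy (192.168.1.61): static requests go to
# the nginx backend, *.php and the FPM status/ping endpoints go to PHP-FPM
# over TCP on 192.168.1.62.
server {
    listen 8080;
    server_name www.neotang.com;
    index index.php index.html;

    # Requests not matched by a regex location below are proxied to the
    # static backend.
    location / {
        proxy_pass http://192.168.1.63:8080;
    }

    # PHP requests are handed to PHP-FPM; SCRIPT_FILENAME is resolved on the
    # PHP-FPM host under /data/apps, not on this proxy.
    location ~* \.php$ {
        fastcgi_pass 192.168.1.62:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /data/apps$fastcgi_script_name;
        fastcgi_keep_conn on;
    }

    # PHP-FPM status and ping pages (pm.status_path / ping.path in www.conf).
    # The status page reports pool internals, so only local requests are
    # accepted here; add an `allow` line for a monitoring or admin network
    # if one needs these endpoints.
    location ~* ^/(status|ping)$ {
        allow 127.0.0.1;
        deny all;
        include fastcgi_params;
        fastcgi_pass 192.168.1.62:9000;
        fastcgi_param SCRIPT_FILENAME /data/apps$fastcgi_script_name;
    }
}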
[root@Tang-0 ~]# tree /etc/ansible/roles/nginxserver/
/etc/ansible/roles/nginxserver/
├── default
├── files
│ ├── index.html
│ └── nginxserver.conf
├── handlers
│ └── main.yml
├── meta
├── tasks
│ └── main.yml
├── templates
└── vars
7 directories, 4 files
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxserver/tasks/main.yml
# Tasks for the nginxserver role: install nginx from EPEL, publish the static
# index page under /data/nginx and deploy the backend virtual host.

# NOTE(review): `setenforce 0` switches SELinux to permissive mode on the
# managed host until the next reboot. Serving files from /data/nginx under
# enforcing mode presumably needs a web-content file context on that
# directory instead (verify against the audit log); that keeps nginx confined.
- name: setenforce
  command: setenforce 0

- name: install epel repo
  yum:
    name: epel-release
    state: latest

# state=latest installs whatever version the repository currently offers,
# so the deployed nginx version is not pinned by this role.
- name: install nginx
  yum:
    name: nginx
    state: latest

- name: install nginxserver index page directory
  file:
    path: /data/nginx/
    state: directory

# src is looked up in this role's files/ directory.
- name: install nginxserver index page
  copy:
    src: index.html
    dest: /data/nginx/index.html

# A change to the config file notifies the "restart nginx" handler.
- name: install nginxserver config
  copy:
    src: nginxserver.conf
    dest: /etc/nginx/conf.d/nginxserver.conf
  tags: nginxserverconf
  notify: restart nginx

- name: start nginxserver
  service:
    name: nginx
    state: started
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxserver/handlers/main.yml
# Runs when a task notifies "restart nginx" (the backend config copy task does).
- name: restart nginx
  service:
    name: nginx
    state: restarted
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxserver/files/index.html
<h1>Nginx-Server 192.168.1.63 Static-Sources</h1>
[root@Tang-0 ~]# cat /etc/ansible/roles/nginxserver/files/nginxserver.conf
# Static-content backend virtual host; the proxy's `location /` forwards to it.
server {
listen 8080;
# Document root; the role copies index.html into this directory.
root /data/nginx/;
# NOTE(review): nothing in this block limits who may connect, so the backend
# answers directly on port 8080 as well as through the proxy. Restricting it to
# the proxy address (192.168.1.61) with allow/deny or a host firewall would keep
# clients from bypassing the front end; confirm no other client needs access.
}
/etc/ansible/roles/mariadbphp/
├── default
├── files
│ ├── index.php
│ ├── server.cnf
│ └── www.conf
├── handlers
│ └── main.yml
├── meta
├── tasks
│ └── main.yml
├── templates
└── vars
7 directories, 5 files
[root@Tang-0 ~]# cat /etc/ansible/roles/mariadbphp/tasks/main.yml
# Tasks for the mariadbphp role: install PHP-FPM and MariaDB, publish the PHP
# test page under /data/apps and deploy both service configurations.

# NOTE(review): `setenforce 0` switches SELinux to permissive mode on the
# managed host until the next reboot, which removes confinement from both
# PHP-FPM and MariaDB on this machine. Prefer fixing the specific denial
# (verify against the audit log) over disabling enforcement.
- name: setenforce
  command: setenforce 0

- name: install epel repo
  yum:
    name: epel-release
    state: latest

# NOTE(review): mariadb-server is installed here and started below, but no
# task in this role sets a database root password or removes default
# accounts (TODO confirm this is handled elsewhere).
- name: install php
  yum:
    name: "{{ item }}"
    state: installed
  with_items:
    - php-fpm
    - php-mysql
    - php-mbstring
    - php-mcrypt
    - mariadb-server

- name: install php index page directory
  file:
    path: /data/apps/
    state: directory

# src is looked up in this role's files/ directory.
- name: install php index page
  copy:
    src: index.php
    dest: /data/apps/index.php

# A change to the pool file notifies the "restart php-fpm" handler.
- name: install php config
  copy:
    src: www.conf
    dest: /etc/php-fpm.d/www.conf
  tags: phpconf
  notify: restart php-fpm

- name: start php-fpm
  service:
    name: php-fpm
    state: started

# A change to the server options notifies the "restart mariadb" handler.
- name: install mariadb config
  copy:
    src: server.cnf
    dest: /etc/my.cnf.d/server.cnf
  tags: mariadbconf
  notify: restart mariadb

- name: start mariadb
  service:
    name: mariadb
    state: started
[root@Tang-0 ~]# cat /etc/ansible/roles/mariadbphp/handlers/main.yml
# Runs when the PHP-FPM pool config task notifies "restart php-fpm".
- name: restart php-fpm
  service:
    name: php-fpm
    state: restarted

# Runs when the MariaDB config task notifies "restart mariadb".
- name: restart mariadb
  service:
    name: mariadb
    state: restarted
[root@Tang-0 ~]# cat /etc/ansible/roles/mariadbphp/files/index.php
<?php
// Test page used to confirm that requests reach PHP-FPM through the proxy.
// NOTE(review): phpinfo() prints the PHP version, loaded modules, configuration
// values and environment variables to any visitor; remove or replace this file
// once the wiring has been checked.
phpinfo();
?>
[root@Tang-0 ~]# cat /etc/ansible/roles/mariadbphp/files/www.conf
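; PHP-FPM pool settings deployed to /etc/php-fpm.d/www.conf on the MariadbPhp
; host (192.168.1.62).

; Listen on TCP because nginx runs on a different host in this layout.
; FastCGI carries no authentication or encryption of its own, so the port must
; not be reachable by anything other than the proxy (a host firewall rule for
; port 9000 is a useful second layer).
listen = 0.0.0.0:9000
; Only the nginx proxy (192.168.1.61 in this inventory) may connect.
; The original value was 0.0.0.0; the PHP-FPM documentation describes this
; setting as a comma-separated list of client addresses and does not document
; 0.0.0.0 as a wildcard, so the proxy's address is listed explicitly.
listen.allowed_clients = 192.168.1.61
group = apache
; Dynamic process manager: worker count varies between the spare-server
; bounds, up to max_children.
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
; Status and ping endpoints; the proxy's `^/(status|ping)$` location forwards
; to them, so access control on the proxy decides who can read pool status.
pm.status_path = /status
ping.path = /ping
ping.response = pong
slowlog = /var/log/php-fpm/www-slow.log
; php_admin_* values cannot be overridden by application code via ini_set().
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
; File-based sessions stored on this host.
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session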
[root@Tang-0 ~]# cat /etc/ansible/roles/mariadbphp/files/server.cnf
# MariaDB server options deployed to /etc/my.cnf.d/server.cnf by the mariadbphp role.
[mysqld]
# Skip reverse DNS lookups for connecting clients; with this on, account host
# parts must be IP addresses or localhost rather than hostnames.
skip_name_resolve=ON
# Store each InnoDB table in its own tablespace file.
innodb_file_per_table=ON
# NOTE(review): no bind-address is set in this listing. PHP-FPM runs on the same
# host in this layout, so binding to 127.0.0.1 would keep the database port off
# the network; confirm that no remote client needs it.
[root@Tang-0 ~]# cat lnmp-roles.yml
# Playbook applying one role to each inventory group.
# NOTE(review): every play logs in over SSH directly as root. A non-root
# remote_user combined with `become: yes` limits what the control node's key
# grants by itself and leaves a sudo trail on the managed hosts.

- hosts: NginxProxy
  remote_user: root
  roles:
    - nginxproxy

- hosts: NginxServer
  remote_user: root
  roles:
    - nginxserver

- hosts: MariadbPhp
  remote_user: root
  roles:
    - mariadbphp
[root@Tang-0 ~]# ansible-playbook --syntax-check lnmp-roles.yml
playbook: lnmp-roles.yml
[root@Tang-0 ~]# cat lnmp-roles.yml
# Playbook applying one role to each inventory group.
# NOTE(review): every play logs in over SSH directly as root. A non-root
# remote_user combined with `become: yes` limits what the control node's key
# grants by itself and leaves a sudo trail on the managed hosts.

- hosts: NginxProxy
  remote_user: root
  roles:
    - nginxproxy

- hosts: NginxServer
  remote_user: root
  roles:
    - nginxserver

- hosts: MariadbPhp
  remote_user: root
  roles:
    - mariadbphp
[root@Tang-0 ~]# ansible-playbook lnmp-roles.yml
PLAY [NginxProxy] *************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [192.168.1.61]
TASK [nginxproxy : setenforce] ************************************************************************************************
skipping: [192.168.1.61]
TASK [nginxproxy : install epel repo] *****************************************************************************************
ok: [192.168.1.61]
TASK [nginxproxy : install nginx] *********************************************************************************************
ok: [192.168.1.61]
TASK [nginxproxy : install nginxproxy config] *********************************************************************************
changed: [192.168.1.61]
TASK [nginxproxy : start nginxproxy] ******************************************************************************************
ok: [192.168.1.61]
RUNNING HANDLER [nginxproxy : restart nginx] **********************************************************************************
changed: [192.168.1.61]
PLAY [NginxServer] ************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [192.168.1.63]
TASK [nginxserver : setenforce] ***********************************************************************************************
skipping: [192.168.1.63]
TASK [nginxserver : install epel repo] ****************************************************************************************
ok: [192.168.1.63]
TASK [nginxserver : install nginx] ********************************************************************************************
ok: [192.168.1.63]
TASK [nginxserver : install nginxserver index page directory] *****************************************************************
ok: [192.168.1.63]
TASK [nginxserver : install nginxserver index page] ***************************************************************************
ok: [192.168.1.63]
TASK [nginxserver : install nginxserver config] *******************************************************************************
ok: [192.168.1.63]
TASK [nginxserver : start nginxserver] ****************************************************************************************
ok: [192.168.1.63]
PLAY [MariadbPhp] *************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : setenforce] ************************************************************************************************
skipping: [192.168.1.62]
TASK [mariadbphp : install epel repo] *****************************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : install php] ***********************************************************************************************
ok: [192.168.1.62] => (item=[u'php-fpm', u'php-mysql', u'php-mbstring', u'php-mcrypt', u'mariadb-server'])
TASK [mariadbphp : install php index page directory] **************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : install php index page] ************************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : install php config] ****************************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : start php-fpm] *********************************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : install mariadb config] ************************************************************************************
ok: [192.168.1.62]
TASK [mariadbphp : start mariadb] *********************************************************************************************
ok: [192.168.1.62]
PLAY RECAP ********************************************************************************************************************
192.168.1.61 : ok=6 changed=2 unreachable=0 failed=0
192.168.1.62 : ok=9 changed=0 unreachable=0 failed=0
192.168.1.63 : ok=7 changed=0 unreachable=0 failed=0