diff --git a/nano_install/README.md b/nano_install/README.md
new file mode 100644
index 0000000..3099d19
--- /dev/null
+++ b/nano_install/README.md
@@ -0,0 +1,32 @@
+# 作用
+这个role的作用是部署nano集群。
+
+nano 分为 core, cell, frontend 三个组件。
+
+* core 是主控端。
+* cell 是被控端。
+* frontend 是前端进程。
+
+这里可以为host指定 `nano_role` 的变量来决定其部署为哪种角色。(还没有实现)
+目前主要是部署cell.
+
+## examples
+
+```yaml
+# group_vars/nano_cell.yml
+
+## nano core 的实际ip地址
+nano_core_ph_ip: 10.111.32.182
+## nano core 的vxlan ip
+nano_core_vxlan_ip: 172.16.5.182
+## nano 通信时的组播地址
+nano_multicast_address: 224.0.0.226
+nano_packet: /data/apps/soft/ansible/nano/nano-cell-1.3.0.tgz
+nano_confs:
+ - domain.cfg
+
+- hosts: nano_cell
+ roles:
+ - {role: nano_install}
+
+```
diff --git a/nano_install/defaults/main.yml b/nano_install/defaults/main.yml
new file mode 100644
index 0000000..02fffe7
--- /dev/null
+++ b/nano_install/defaults/main.yml
@@ -0,0 +1,26 @@
+nano_packet:
+nano_run_user: nano
+app_base_dir: /data/apps/opt
+nano_install_dir: '{{app_base_dir}}'
+nano_app_name: 'nano-cell'
+nano_base_dir: "{{nano_install_dir}}/{{nano_app_name}}"
+nano_data_dir: /data/apps/data/{{nano_app_name}}
+nano_conf_dir: /data/apps/config/{{nano_app_name}}
+nano_log_dir: /data/apps/log/{{nano_app_name}}
+nano_var_dir: /data/apps/var/{{nano_app_name}}
+nano_install_method: local
+nano_confs:
+ - domain.cfg
+nano_env_file: nano.sh
+nano_boot_file: '{{nano_app_name}}.{{ansible_service_mgr |default("systmed", true)}}'
+nano_dependence_packets:
+ - libvirt
+ - policycoreutils-python
+ - genisoimage
+ - qemu-system-x86
+ - seabios
+ - seabios-bin
+# 下面这两个包,如果系统是 latest 的话,是需要安装的
+# - centos-release-qemu-ev
+# - qemu-kvm-ev
+
diff --git a/nano_install/handlers/main.yml b/nano_install/handlers/main.yml
new file mode 100644
index 0000000..6bae24c
--- /dev/null
+++ b/nano_install/handlers/main.yml
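Review bot: The fallback in `nano_boot_file` is misspelled — `default("systmed", true)` resolves to `nano-cell.systmed` on any host where `ansible_service_mgr` is empty, and no template by that name exists in this commit (the unit template is `nano-cell.systemd`), so the boot task fails on a missing source. Change it to `default("systemd", true)`. `nano_packet:` is left as a bare null although install_nano.yml feeds it straight into a shell command and into `unarchive`; an explicit empty string plus an `assert` that it is set gives a readable failure instead of a templating surprise.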
@@ -0,0 +1,10 @@
+- name: restart_nano_for_systemd
+ systemd:
+ name: '{{nano_app_name}}'
+ state: restarted
+ daemon_reload: yes
+
+- name: systemctl_daemon_reload
+ systemd:
+ daemon_reload: yes
+
diff --git a/nano_install/tasks/copy_nano_conf.yml b/nano_install/tasks/copy_nano_conf.yml
new file mode 100644
index 0000000..ab31534
--- /dev/null
+++ b/nano_install/tasks/copy_nano_conf.yml
@@ -0,0 +1,27 @@
+- name: set cell vxlan ip
+ set_fact:
+ nano_cell_vxlan_ip: '{{(iansible_default_ipv4.address.split(".")[-2:] | join(".") |float) * 1000 % 254 }}'
+
+- name: copy nano vxlan script
+ template:
+ src: nano_vxlan.sh
+ dest: '{{ nano_var_dir }}'
+ owner: '{{nano_run_user}}'
+ group: '{{nano_run_user}}'
+ mode: "0644"
+ backup: yes
+
+- name: copy nano conf file
+ template:
+ src: '{{ nano_conf }}'
+ dest: '{{ nano_conf_dir }}'
+ owner: '{{nano_run_user}}'
+ group: '{{nano_run_user }}'
+ mode: "0644"
+ backup: yes
+ #loop: '{{nano_conf}}'
+ tags:
+ - copy_nano_conf
+ notify:
+ - reload_nano_for_{{ansible_service_mgr}}
+
diff --git a/nano_install/tasks/create_nano_dir.yml b/nano_install/tasks/create_nano_dir.yml
new file mode 100644
index 0000000..32428d0
--- /dev/null
+++ b/nano_install/tasks/create_nano_dir.yml
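Review bot: `set cell vxlan ip` reads `iansible_default_ipv4`, which is not an Ansible fact (the fact is `ansible_default_ipv4`), so the first task of this file fails with an undefined variable. Even with the name fixed the expression produces a single float such as `220.0` (last two octets as a float, times 1000, modulo 254), while nano_vxlan.sh passes `nano_cell_vxlan_ip` as a full dotted address to `ip addr add ${vxlan_ip}/${vxlan_netmask}`; the network prefix of the intended scheme is missing, and 0 or duplicate results across hosts are not excluded. `copy nano conf file` uses `src: '{{ nano_conf }}'` with its loop commented out, so `nano_conf` is undefined (the default variable is the list `nano_confs`), and its `notify` names `reload_nano_for_{{ansible_service_mgr}}` while handlers/main.yml defines only `restart_nano_for_systemd` and `systemctl_daemon_reload`, which Ansible rejects as soon as the task reports a change. Restoring `loop: '{{ nano_confs }}'` with `src: '{{ item }}'` and notifying `restart_nano_for_{{ansible_service_mgr}}` fixes the last two.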
@@ -0,0 +1,47 @@
+# editor: haifengsss@163.com
+# create date: 2021/01/15
+#
+
+- name: create nano user
+ user:
+ name: '{{ nano_run_user }}'
+ state: present
+ local: yes
+ system: yes
+
+- name: set nano sudo privilege
+ lineinfile:
+ line: '{{nano_run_user}} ALL=(root) NOPASSWD: /bin/bash'
+ state: present
+ path: /etc/sudoers
+ backup: 'yes'
+ validate: '/usr/sbin/visudo -cf %s'
+
+
+- name: link /data to /data1 dir
+ file:
+ src: /data1
+ dest: /data
+ owner: root
+ group: root
+ mode: "0777"
+ state: link
+ when:
+ - '"/data1" in ansible_mounts | json_query("[*].mount")'
+ tags:
+ - create_data_soft_link
+
+- name: create nano dir
+ file:
+ path: '{{ item.path }}'
+ owner: '{{ item.owner | default("root", true) }}'
+ group: '{{ item.group | default("root", true) }}'
+ mode: "0755"
+ state: 'directory'
+ loop:
+ - path: "{{app_base_dir}}"
+ - path: "{{nano_install_dir}}"
+ owner: '{{nano_run_user}}'
+ - path: "{{nano_var_dir}}"
+ owner: '{{nano_run_user}}'
+
diff --git a/nano_install/tasks/install_nano.yml b/nano_install/tasks/install_nano.yml
new file mode 100644
index 0000000..8c26dd8
--- /dev/null
+++ b/nano_install/tasks/install_nano.yml
@@ -0,0 +1,33 @@
+
+
+- name: get nano packet dir name
+ local_action:
+ module: shell
+ cmd: tar tf {{nano_packet}} |head -n 1 |awk -F'/' '{print $1}'
+ warn: false
+ register: nano_dir_name
+ run_once: true
+
+- name: cp and unarchive nano to remote host
+ unarchive:
+ src: '{{ nano_packet }}'
+ dest: '{{ nano_install_dir }}'
+ owner: '{{ nano_run_user }}'
+ group: '{{ nano_run_user }}'
+ creates: '{{ nano_install_dir }}/{{nano_dir_name.stdout }}'
+ mode: "0755"
+
+- name: create nano link dir
+ file:
+ src: '{{ nano_install_dir }}/{{nano_dir_name.stdout }}'
+ dest: '{{nano_base_dir}}'
+ state: link
+ when: nano_dir_name.stdout != nano_app_name
+
+#- name: create nano conf link dir
+# file:
+# src: '{{ nano_conf_dir }}'
+# dest: '/etc/{{nano_app_name}}'
+# state: link
+# ignore_errors: true
+
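Review bot: The sudoers line `{{nano_run_user}} ALL=(root) NOPASSWD: /bin/bash` gives the service account an unrestricted passwordless root shell, far more than its only consumer in this commit needs (nano-cell.systemd runs `nano_vxlan.sh` as root through sudo in ExecStartPre). Narrowing the rule to that one command is not enough on its own, because copy_nano_conf.yml installs the script owned by the same user, so whoever holds that account can edit what root executes. The grant can be dropped entirely by letting systemd run the pre-start step privileged (`ExecStartPre=+/bin/bash {{nano_var_dir}}/nano_vxlan.sh`, or `PermissionsStartOnly=true` on systemd older than 231) and installing the script root-owned. Editing `/etc/sudoers` directly with `lineinfile` is also harder to audit and remove than a dedicated file under `/etc/sudoers.d/`, and `local: yes`/`system: yes`/`backup: 'yes'` would be clearer as `true`.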
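Review bot: `get nano packet dir name` splices `{{nano_packet}}` unquoted into a controller-side shell pipeline, so a path with spaces or shell metacharacters breaks the command, and the role default for `nano_packet` is null with no check that it was set; use `tar tf {{ nano_packet | quote }}` and assert the variable before this task. `nano_dir_name.stdout` then feeds `creates:` and the `src:` of `create nano link dir` without a non-empty check, so a failed listing yields `{{ nano_install_dir }}/` and a link from `nano_base_dir` to the install directory itself; `failed_when: nano_dir_name.stdout == ''` on the first task covers both. `warn: false` has been removed from the `shell` module in newer ansible-core releases and is rejected there.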
diff --git a/nano_install/tasks/install_nano_dependence_packet.yml b/nano_install/tasks/install_nano_dependence_packet.yml
new file mode 100644
index 0000000..19837ae
--- /dev/null
+++ b/nano_install/tasks/install_nano_dependence_packet.yml
@@ -0,0 +1,4 @@
+- name: install nano dependence packet
+ yum:
+ name: '{{nano_dependence_packets}}'
+ state: present
diff --git a/nano_install/tasks/main.yml b/nano_install/tasks/main.yml
new file mode 100644
index 0000000..ad90446
--- /dev/null
+++ b/nano_install/tasks/main.yml
@@ -0,0 +1,29 @@
+# editor: haifengsss@163.com
+# update date: 2021/01/18
+
+- import_tasks: create_nano_dir.yml
+ tags:
+ - nano_create_dir
+
+- import_tasks: install_nano.yml
+ tags:
+ - nano_install
+
+- import_tasks: copy_nano_conf.yml
+ tags:
+ - nano_copy_conf
+
+- import_tasks: install_nano_dependence_packet.yml
+ tags:
+ - nano_install_dependence_packet
+
+- import_tasks: nano_boot.yml
+ tags:
+ - nano_boot
+
+
+#- include: install_dependence_packet.yml
+# when: nano_install_method == "net"
+
+
+#- include: core_argument.yml
diff --git a/nano_install/tasks/nano_boot.yml b/nano_install/tasks/nano_boot.yml
new file mode 100644
index 0000000..c118a5c
--- /dev/null
+++ b/nano_install/tasks/nano_boot.yml
@@ -0,0 +1,4 @@
+
+- include_tasks: nano_{{ansible_service_mgr}}_service.yml
+ name: nano_service_boot
+ when: ansible_os_family == "RedHat"
diff --git a/nano_install/tasks/nano_systemd_service.yml b/nano_install/tasks/nano_systemd_service.yml
new file mode 100644
index 0000000..1cb0ae1
--- /dev/null
+++ b/nano_install/tasks/nano_systemd_service.yml
@@ -0,0 +1,16 @@
+- name: copy nano systemd boot file
+ template:
+ src: '{{nano_boot_file}}'
+ dest: '/usr/lib/systemd/system/{{nano_app_name}}.service'
+ owner: root
+ group: root
+ mode: "0644"
+ backup: yes
+ notify:
+ - systemctl_daemon_reload
+
+- name: set nano boot and starting up
+ systemd:
+ name: '{{nano_app_name}}'
+ enabled: yes
+ state: started
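Review bot: `set nano boot and starting up` starts the unit before the `systemctl_daemon_reload` handler it depends on has run, because handlers flush at the end of the play; a changed unit file is therefore started under the previously loaded definition, and on a fresh install systemd may not know the unit yet. Adding `daemon_reload: true` to the `systemd` call in that second task (or a `meta: flush_handlers` task between the two) makes the order explicit. `enabled: yes` and `backup: yes` are YAML 1.1 truthies that generic parsers and yamllint treat differently from `true`.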
diff --git a/nano_install/templates/domain.cfg b/nano_install/templates/domain.cfg
new file mode 100644
index 0000000..e5aba2b
--- /dev/null
+++ b/nano_install/templates/domain.cfg
@@ -0,0 +1,5 @@
+{
+ "domain": "nano",
+ "group_address": "{{nano_multicast_address}}",
+ "group_port": 5599
+}
diff --git a/nano_install/templates/nano-cell.systemd b/nano_install/templates/nano-cell.systemd
new file mode 100644
index 0000000..28e7125
--- /dev/null
+++ b/nano_install/templates/nano-cell.systemd
@@ -0,0 +1,17 @@
+[Unit]
+Description=nano-cell
+
+[Service]
+Type=forking
+PIDFile={{nano_base_dir}}/cell.pid
+WorkingDirectory={{nano_log_dir}}
+ExecStartPre=-/bin/sudo -u root /bin/bash {{nano_var_dir}}/nano_vxlan.sh
+User={{nano_run_user}}
+ExecStart={{nano_base_dir}}/cell start
+ExecStop={{nano_base_dir}}/cell stop
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/nano_install/templates/nano-vxlan.systemd b/nano_install/templates/nano-vxlan.systemd
new file mode 100644
index 0000000..25f8e6c
--- /dev/null
+++ b/nano_install/templates/nano-vxlan.systemd
@@ -0,0 +1,17 @@
+[Unit]
+Description=nano-cell
+
+[Service]
+Type=forking
+PIDFile={{nano_base_dir}}/cell.pid
+WorkingDirectory={{nano_log_dir}}
+#ExecStartPre=-/bin/bash {{nano_var_dir}}/nano_vxlan.sh
+User={{nano_run_user}}
+ExecStart={{nano_base_dir}}/cell start
+ExecStop={{nano_base_dir}}/cell stop
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/nano_install/templates/nano.systemd.bak b/nano_install/templates/nano.systemd.bak
new file mode 100644
index 0000000..70b015b
--- /dev/null
+++ b/nano_install/templates/nano.systemd.bak
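Review bot: `nano-vxlan.systemd` is a copy of `nano-cell.systemd` with only the `ExecStartPre` commented out: it keeps `Description=nano-cell`, the same `PIDFile` and the same `ExecStart`/`ExecStop`, so a host that installed both units would have two services managing one process. Nothing in this commit's tasks references it — the boot task uses `nano_boot_file`, which resolves to `nano-cell.systemd` — so it appears to be a leftover; either drop it or give it its own description and commands. The same applies to `nano.systemd.bak`, a keepalived unit checked into the nano role's templates.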
@@ -0,0 +1,14 @@
+[Unit]
+Description=LVS and VRRP High Availability Monitor
+After=syslog.target network-online.target
+
+[Service]
+Type=forking
+PIDFile={{keepalived_var_dir}}/keepalived.pid
+KillMode=process
+EnvironmentFile=-{{keepalived_conf_dir}}/keepalived.env
+ExecStart={{keepalived_bin_dir}}/keepalived $KEEPALIVED_OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nano_install/templates/nano_vxlan.sh b/nano_install/templates/nano_vxlan.sh
new file mode 100644
index 0000000..1a417f6
--- /dev/null
+++ b/nano_install/templates/nano_vxlan.sh
@@ -0,0 +1,154 @@
+#!/bin/bash
+# editor: wanghaifeng@idstaff.com
+# create date: 2020/01/14
+# 作用:当nano需要跨网段部署时,而物理网络又不支持组播转发,那么为各主机建立 vxlan 的通道
+# 使 core 与 cell 可以正常的用组播进行通信。
+# 目前来看,不需要 cell 与 cell 间通信。
+
+# core 的实际ip地址,vxlan设备会基于这个网卡进行通信
+nano_core_ph_ip={{nano_core_ph_ip}}
+nano_core_vxlan_ip={{nano_core_vxlan_ip}}
+nano_core_vxlan_netmask=24
+
+# cell 的实际的网卡名称,默认的话,使用有默认路由的网卡
+nano_cell_ph_link=
+nano_cell_default_link=$(ip rou sh | \
+ awk '/^default/{for(i=1;i++;i<=NF){if($i=="dev"){print $(i+1); break}}}')
+nano_cell_ph_link=${nano_cell_ph_link:-${nano_cell_default_link}}
+# cell 上的 vxlan ip
+nano_cell_vxlan_ip={{nano_cell_vxlan_ip}}
+nano_cell_vxlan_netmask=${nano_core_vxlan_netmask}
+
+# nano 使用的 vxlan 设备信息
+nano_vxlan_id={{nano_vxlan_id | default(1)}}
+nano_vxlan_name={{nano_vxlan_name | default("nano")}}
+nano_vxlan_dstport={{nano_vxlan_dstport | default(0)}}
+# nano 组播用的组播地址,用来设置路由
+nano_multicast_address={{nano_multicast_address}}
+#nano_hosts=(10.8.98.108 10.8.98.109 10.8.104.23)
+
+{%raw%}
+lock_file=/tmp/.nano_vxlan.lock
+check_lock(){
+ exec 3<> ${lock_file}
+ if flock -n 3;then
+ #echo "get ${lock_file} lock file."
+ :
+ else
+ echo "get lock file failed. now exit."
+ exit 5
+ fi
+}
+
+
+check_link_exist(){
+ # 这里声明两个
+ local vxlan_ip=$1
+ local vxlan_netmask=$2
+ # nano 节点类型,默认是 cell
+ local nano_node_type=$3
+ nano_node_type=${nano_node_type:-cell}
+ # 先检查 vxlan 设备是否存在
+ ip li sh ${nano_vxlan_name} &> /dev/null
+ local sh_ret=$?
+ if [ ${sh_ret} == 0 ];then
+ # 如果 link 设备存在的情况。
+ check_ip_exist ${vxlan_ip} ${vxlan_netmask}
+ else
+ # 如果 link 不存在, 先添加 link
+ # 这里 core 与 cell 在命令参数上稍有不同
+ # 判断 nano 的节点类型,执行不同的命令
+ #if [ "${nano_node_type}" == "cell" ];then
+ # ip link add ${nano_vxlan_name} type vxlan \
+ # id ${nano_vxlan_id} remote ${nano_core_ph_ip} \
+ # dstport ${nano_vxlan_dstport} dev ${nano_cell_ph_link}
+ # local link_add_ret=$?
+ #elif [ "${nano_node_type}" == "core" ];then
+ # ip link add ${nano_vxlan_name} type vxlan \
+ # id ${nano_vxlan_id} local ${nano_core_ph_ip} \
+ # dstport ${nano_vxlan_dstport} dev ${nano_cell_ph_link}
+ # local link_add_ret=$?
+ #else
+ # return 30
+ #fi
+ ip link add ${nano_vxlan_name} type vxlan \
+ id ${nano_vxlan_id} dstport ${nano_vxlan_dstport} \
+ dev ${nano_cell_ph_link} group 239.1.1.1
+ local link_add_ret=$?
+ ip link set ${nano_vxlan_name} up
+ if [ ${link_add_ret} == 0 ];then
+ # 添加 link 成功后,调用自己,添加ip
+ check_link_exist ${vxlan_ip} ${vxlan_netmask} ${nano_node_type}
+ else
+ return ${link_add_ret}
+ fi
+ fi
+ ip link set ${nano_vxlan_name} up
+ bridge fdb append 00:00:00:00:00:00 dst ${nano_core_ph_ip} dev ${nano_vxlan_name}
+ # 这里不 ping 一下,跟 nano_core 的 vxlan ip 是无法通信的
+ # 但是却可以收到对端发往组播地址的包
+ ping -c 1 ${nano_core_vxlan_ip}
+}
+
+
+check_ip_exist(){
+ local vxlan_ip=$1
+ local vxlan_netmask=$2
+# 这一部分的逻辑 core 与 cell 都相同
+ local now_vxlan_ip=$(ip a sh dev ${nano_vxlan_name} type vxlan | \
+ awk '/\/{print $2}')
+ if [ -n "${now_vxlan_ip}" ];then
+ if [ "${now_vxlan_ip}" == "${vxlan_ip}/${vxlan_netmask}" ];then
+ # 如果 ip 地址相符
+ return 0
+ else
+ # 这里说明是 ip 地址不相符
+ ip addr del ${now_vxlan_ip} dev ${nano_vxlan_name}
+ local del_ret=$?
+ if [ ${del_ret} != 0 ];then
+ # 删除失败后,退出
+ return 10
+ fi
+ fi
+ fi
+ # ip 为空的情况下,直接添加ip
+ ip addr add ${vxlan_ip}/${vxlan_netmask} \
+ dev ${nano_vxlan_name}
+
+}
+
+check_route_exist(){
+ # 获取
+ local route_addr=$(ip rou sh dev ${nano_vxlan_name} via ${nano_cell_vxlan_ip})
+ route_addr=${route_addr% }
+ if [[ -n "${route_addr}" && "${route_addr}" == ${nano_multicast_address} ]];then
+ # 如果结果不为空的话
+ :
+ else
+ ip rou add ${nano_multicast_address} dev ${nano_vxlan_name}\
+ via ${nano_cell_vxlan_ip}
+ fi
+}
+
+main(){
+ check_lock
+ if ip a |grep ${nano_core_ph_ip} &> /dev/null; then
+ # 如果是 core 节点
+ check_link_exist ${nano_core_vxlan_ip} ${nano_core_vxlan_netmask} core
+ else
+ check_link_exist ${nano_cell_vxlan_ip} ${nano_cell_vxlan_netmask}
+ fi
+ check_route_exist
+}
+
+main
+
+#for h in ${nano_hosts[@]};do
+# if ip a |grep ${h} &> /dev/null; then
+# :
+# else
+# bridge fdb append 00:00:00:00:00:00 dst ${h} dev vxlan1
+# fi
+#done
+
+{%endraw%}
diff --git a/scripts/gitlab/gitlab_backup_7.sh b/scripts/gitlab/gitlab_backup_7.sh
index d9c4da1..f04c2b9 100644
--- a/scripts/gitlab/gitlab_backup_7.sh
+++ b/scripts/gitlab/gitlab_backup_7.sh
@@ -13,7 +13,7 @@
 #gitlab_backup_dir=/var/opt/gitlab/backup
 gitlab_backup_dir=/home/backup
 gitlab_repo_data_dir=/var/opt/gitlab/git-data/repositories
-gitlab_backup_remote_dir=/home/bak
+gitlab_backup_remote_dir=/home/bak/gitlab
 gitlab_backup_keep_one_dir=/data/apps/data/backup/gitlab
 gitlab_full_backup_day=0
 backup_file_delete_day=$((gitlab_full_backup_day+1))
diff --git a/system_init/README.md b/system_init/README.md
index 74b9d88..804961b 100644
--- a/system_init/README.md
+++ b/system_init/README.md
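Review bot: The awk that picks the default-route interface has its `for` clauses swapped: `for(i=1;i++;i<=NF)` uses `i++` as the loop condition and `i<=NF` as the step, so the loop ends only when a `dev` field is found and never terminates on a default route that lacks one; it should be `for(i=1;i<=NF;i++)`. `check_lock` opens `/tmp/.nano_vxlan.lock`, a predictable name in a world-writable directory, while the script runs as root from the unit's ExecStartPre; any local user who pre-creates that file and holds the flock makes every start exit 5, so the lock belongs in a root-owned directory such as `/run`. The underlay group `239.1.1.1` in `ip link add` is hard-coded while every other address in the script is templated, and belongs beside `nano_vxlan_id` as a variable. The `awk '/\/{print $2}'` in check_ip_exist has no closing `/` as shown here, which awk rejects as an unterminated regex; confirm the template actually carries the intended pattern.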
@@ -1,12 +1,14 @@
 此 role 的用途如下:
+* 同步/etc/hosts 文件,默认以控制节点的为准
+ * 同时根据 /etc/hosts 中的第一个名字,将其置为新的 hostname, 如 192.168.1.1 hadoop1.test.com hadoop1, 那么 192.168.1.1 的hostname 会成为 hadoop1.test.com
 * 安装基础包,如 epel-release, htop, sysstat 等等
 * 修改基础的内核参数
 * 关闭ipv6
 * 修改 limit 参数
 * 添加 profile
 * 关闭 selinux
-* 添加同步时间的计划任务
+* 添加同步时间的计划任务,改为使用ntp或者 chrony
 * 打开 rc-local service
 * 关闭透明大页
diff --git a/system_init/defaults/main.yml b/system_init/defaults/main.yml
index 60c5689..6acfcb2 100644
--- a/system_init/defaults/main.yml
+++ b/system_init/defaults/main.yml
@@ -2,7 +2,11 @@
 system_dns_conf: resolv.conf
 system_dns_servers:
+system_is_hadoop: false
 system_ntp_servers: []
-
+system_update_hosts: true
+system_hosts_file: /etc/hosts
+system_hosts_dest_dir: /etc
+system_hosts_dest_name: hosts
 system_limit_confs:
 - 90-nproc.conf
diff --git a/system_init/tasks/limits/limit_conf.yml b/system_init/tasks/limits/limit_conf.yml
index 7d59363..5a7ea91 100644
--- a/system_init/tasks/limits/limit_conf.yml
+++ b/system_init/tasks/limits/limit_conf.yml
@@ -7,5 +7,5 @@
 mode: "0644"
 backup: yes
 loop: '{{ system_limit_confs }}'
- when: item is exists
+ #when: item is exists
diff --git a/system_init/tasks/main.yml b/system_init/tasks/main.yml
index 4a7b046..2672860 100644
--- a/system_init/tasks/main.yml
+++ b/system_init/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- import_tasks: update_hostname.yml
+ tags:
+ - system_udpate_hosts
+ when: system_update_hosts == true
+
+- import_tasks: install_packet.yml
 tags:
 - install_base_packet
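Review bot: With `system_update_hosts: true` and `system_hosts_file: /etc/hosts` as defaults, every run of this role overwrites `/etc/hosts` on each managed host with the controller's own file unless the operator opts out, which is a surprising default for a role whose other tasks are package and kernel setup. Defaulting `system_update_hosts` to `false`, or pointing `system_hosts_file` at a file shipped in the role's `files/` directory, keeps the replacement deliberate.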
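Review bot: The new tag is misspelled `system_udpate_hosts`, so `--tags system_update_hosts` (the spelling used by the variable and the task file) selects nothing; rename it. `when: system_update_hosts == true` only matches a real boolean — a value passed as `-e system_update_hosts=true` arrives as the string `"true"` and compares unequal — so `when: system_update_hosts | bool` is the robust form.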
@@ -36,15 +41,16 @@
 #when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int == 7
 when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int >= 7
 tags:
- - set_rc-local_enable
-#- import_tasks: close_THP.yml
-# when: "'hadoop' in group_names or hadoop_yes == true"
-# tags:
-# - close_THP
+ - set_rc_local_enable
+
+- import_tasks: close_THP.yml
+ when: "'hadoop' in group_names or system_is_hadoop == true"
+ tags:
+ - close_THP
 - import_tasks: close_pre-install_service.yml
 tags:
- - close_pre-install_service
+ - close_pre_install_service
 when: ansible_os_family == "RedHat"
diff --git a/system_init/tasks/update_hostname.yml b/system_init/tasks/update_hostname.yml
new file mode 100644
index 0000000..02aef5d
--- /dev/null
+++ b/system_init/tasks/update_hostname.yml
@@ -0,0 +1,35 @@
+#- name: backup old hosts file
+# shell: test -e /etc/hosts_v0 || /bin/cp /etc/hosts /etc/hosts_v0
+
+- name: copy hosts file
+ copy:
+ src: '{{system_hosts_file}}'
+ dest: '{{system_hosts_dest_dir}}/{{system_hosts_dest_name}}'
+ owner: root
+ group: root
+ mode: "0644"
+ backup: yes
+
+# 修改主机名
+#
+- name: get hostname
+ shell:
+ cmd: grep '{{ ansible_default_ipv4.address }}' {{system_hosts_dest_dir}}/{{system_hosts_dest_name}} | awk "{print \$2}"
+ register: hname
+
+- name: modify hostname
+ hostname:
+ name: '{{ hname.stdout }}'
+ when:
+ - hname is defined
+ - hname is not none
+ - hname != ''
+
+- name: delete tmp hosts file
+ file:
+ path: '{{system_hosts_dest_dir}}/{{system_hosts_dest_name}}'
+ state: absent
+ when:
+ - system_hosts_dest_dir != '/etc'
+ - system_hosts_dest_name != 'hosts'
+
diff --git a/system_user_init/README.md b/system_user_init/README.md
index 53aabb4..2300860 100644
--- a/system_user_init/README.md
+++ b/system_user_init/README.md
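Review bot: `get hostname` greps `{{ ansible_default_ipv4.address }}` as an unanchored regex, so `10.0.0.1` also matches `10.0.0.10` and `10.0.0.100` (and each dot matches any character) and the first hit wins; `grep -wF '{{ ansible_default_ipv4.address }}'` confines it to the exact address. Since grep exits 1 on no match the task fails outright there, and once that is tolerated with `failed_when: hname.rc > 1` the `modify hostname` guards do nothing, because the registered dict `hname` is always defined and never equals `''` — the check must be `hname.stdout != ''`. `delete tmp hosts file` requires both `system_hosts_dest_dir != '/etc'` and `system_hosts_dest_name != 'hosts'`, so a copy written as `/etc/hosts.new` or `/tmp/hosts` is never removed; the intent reads as `not (system_hosts_dest_dir == '/etc' and system_hosts_dest_name == 'hosts')`, i.e. an `or`.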
@@ -3,6 +3,8 @@
 * 创建一个普通用户,为其配置 sudo 权限
 * 将 ansible 控制节点的公钥添加至用户的 `authorized_keys` 文件中
 * 更新root的默认密码,如果提供新密码的话(这个密码不需要太复杂,比如 e3B1bEeAb0E9Ld8wV2Uf7GfE9Z6FfM1B, 因为 root 会被禁止ssh登录,密码会用来登录控制台)
+ * `ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512', 'mysecretsalt') }}"`
+ * `mkpasswd --method=sha-512`
 * ssh 配置中禁止root登录,重启 sshd
@@ -32,14 +34,15 @@
 system_users:
 - user: grafana
 password: 'grafana_encrypted_password'
+system_root_password: "The_simple_PASS"
 system_admin_user: admin
 # 在禁止root用户登录的时候会用到这个用户,默认是 system_users 中的第一个用户
 #system_ansible_pub_key: 'ansible_control_host_public_key'
-system_ansible_pub_key: '{{ lookup('file', '/path/to/id_rsa.pub') }}'
+system_ansible_pub_key: '{{ lookup("file", "/path/to/id_rsa.pub") }}'
 # playbook
-hosts: myhosts
-roles:
- - {role: system_user_init}
+- hosts: myhosts
+ roles:
+ - {role: system_user_init}
 ```
diff --git a/system_user_init/tasks/system_disable_root_login.yml b/system_user_init/tasks/system_disable_root_login.yml
index 8be523e..8ce63bb 100644
--- a/system_user_init/tasks/system_disable_root_login.yml
+++ b/system_user_init/tasks/system_disable_root_login.yml
@@ -19,4 +19,6 @@
 name: root
 password: '{{system_root_password}}'
 update_password: always
- when: system_root_password is not none and system_root_password != ''
+ when:
+ - system_root_password is not none
+ - system_root_password != ''