WeChat ID: david-share

About: sharing is how we improve.

Ansible Tower standardized management cases

2018-04-11 17:38 黑建龙

The playbooks below are a server baseline run from Ansible Tower against every managed host (hosts: all): sudo, SELinux and firewall settings, session and history controls, PAM and SSH hardening, file permissions, kernel and limit tuning, and the supporting repository, DNS and NTP configuration. Each playbook is shown as it is stored in the Tower project directory.

1.  Configure sudo

The three playbooks below grant the osmaster account full sudo rights by editing /etc/sudoers in place. A syntax error in /etc/sudoers disables sudo for everyone on the host, so the lineinfile task validates the candidate file with visudo before it is written. The chmod steps are kept from the original sequence, but root does not need the write bit on the file: root bypasses permission checks, and lineinfile writes a temporary copy and renames it over the original anyway. A drop-in file under /etc/sudoers.d/ would avoid touching the distribution file at all.

1)  Make the file writable

[root@localhost]#  cat mod-sudo-1.yml

---
- hosts: all
  tasks:
    - name: chmod u+w
      file:
        path: /etc/sudoers
        mode: u+w

2)  Insert a line below a specific line

[root@localhost]#  cat mod-sudo-2.yml

---
- hosts: all
  tasks:
    - name: grant osmaster full sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        # the stock entry is "root<TAB>ALL=(ALL)<TAB>ALL"; \t inside single quotes is a regex tab
        insertafter: '^root\tALL'
        line: 'osmaster    ALL=(ALL)       ALL'
        # refuse to write the file if visudo rejects the result
        validate: '/usr/sbin/visudo -cf %s'

3)  Restore the original permissions

[root@localhost]#  cat mod-sudo-3.yml

---
# play-level "include:" was deprecated in Ansible 2.4; import_playbook is the replacement
- import_playbook: mod-sudo-1.yml
- import_playbook: mod-sudo-2.yml
- hosts: all
  tasks:
    - name: chmod u-w
      file:
        path: /etc/sudoers
        mode: u-w

2.  Disable SELinux

Disabling SELinux removes a mandatory access control layer, so this is a hardening regression rather than a hardening step; if an application needs the policy relaxed for troubleshooting, state: permissive keeps the policy loaded and logging denials. The play is kept as the original baseline does it: the selinux module edits /etc/selinux/config (disabled only takes full effect after a reboot, which the module reports as reboot_required), and the handler switches the running kernel to permissive immediately.

[root@localhost]#  cat selinux-off.yml

---
- hosts: all
  tasks:
    - name: selinux off
      selinux:
        state: disabled
      notify:
        - selinux-off
  handlers:
    - name: selinux-off
      # only makes the running system permissive; "disabled" needs a reboot
      command: setenforce 0

3.  Stop the firewall

The original ran the service task with ignore_errors and then repeated it in a second task whenever the failure was anything other than "unit not found", so that a missing firewalld package (minimal installs) is tolerated but a real failure still aborts the play. The same intent fits in one task with failed_when. The "result|failed" filter test used in the original was deprecated in Ansible 2.5 and removed in 2.9; "result is failed" is the current form.

This leaves the host with no host-based packet filter, so it then depends entirely on network-level filtering.

[root@localhost]#  cat firewalld-off.yml

---
- hosts: all
  tasks:
    - name: firewalld off
      service:
        name: firewalld
        state: stopped
        enabled: false
      register: result
      # a host without the unit is fine; any other failure aborts the play
      failed_when:
        - result is failed
        - "'Could not find the requested service' not in (result.msg | default(''))"

4.  Log out idle sessions

TMOUT makes bash terminate an interactive shell after the given number of idle seconds. The original's first task used state: absent with a plain line, which only removes a line that is exactly "export TMOUT" and would leave an earlier "export TMOUT=600" in place. One lineinfile with a regexp replaces any existing definition or appends the new one. One hour is generous for a hardening baseline (CIS asks for 900 seconds or less), and a user can still run "unset TMOUT" unless the variable is also declared readonly.

[root@localhost]#  cat timeout.yml

---
- hosts: all
  tasks:
    - name: set idle timeout
      lineinfile:
        path: /etc/profile
        state: present
        # replace an existing definition, otherwise append
        regexp: '^export TMOUT='
        line: 'export TMOUT=3600'

5.  Add timestamps to bash history

HISTTIMEFORMAT stores a timestamp with each history entry, which is what makes ~/.bash_history usable as evidence during an investigation (a user can still edit or delete their own history file, so it is not a substitute for auditd). Same correction as in the previous step: match the existing definition with a regexp instead of an exact line. A trailing space in the format keeps the command from being glued to the timestamp in history output.

[root@localhost]#  cat 0307-history-format.yml

---
- hosts: all
  tasks:
    - name: set history timestamp format
      lineinfile:
        path: /etc/bashrc
        state: present
        regexp: '^export HISTTIMEFORMAT='
        line: 'export HISTTIMEFORMAT="%F  %T "'

6.  Change the default SNMP community name from public to snmp_ciitc

The stock snmpd.conf maps the community "public" to notConfigUser with read-only access, so anyone on the network can enumerate the host. The playbook first checks whether snmpd.conf exists (the original used file: state=file with ignore_errors, which fails on hosts without the package; stat does the same check without an error) and only then rewrites the com2sec line. backrefs: yes makes lineinfile do nothing when the regexp does not match, so a hand-edited file is not appended to. A community name is still a cleartext shared secret sent in every SNMPv1/v2c packet: restrict it to the monitoring hosts with a source address in the com2sec line, or move to SNMPv3 with authentication and privacy. snmpd must be restarted for the change to apply, which the original omitted.

[root@localhost]#  cat 0308-snmp.yml

---
- hosts: all
  tasks:
    - name: check whether snmpd.conf exists
      stat:
        path: /etc/snmp/snmpd.conf
      register: snmpd_conf

    - name: replace the default community name
      lineinfile:
        path: /etc/snmp/snmpd.conf
        state: present
        backrefs: yes
        # the stock line is "com2sec notConfigUser  default       public"
        regexp: '^com2sec\s+notConfigUser\s+default\s+public\s*$'
        line: 'com2sec notConfigUser  default       snmp_ciitc'
      when: snmpd_conf.stat.exists
      notify: restart snmpd
  handlers:
    - name: restart snmpd
      service:
        name: snmpd
        state: restarted

7.  Set the default umask

umask 027 makes new files group-readable but not world-readable (new directories 750). /etc/bashrc and /etc/profile on RHEL set the umask inside an if block: an indented "umask 022" for ordinary users and "umask 002" when the user's primary group matches the user name. The first task appends an unconditional umask 027 to /etc/bashrc, the second rewrites the indented 022 line in /etc/profile, keeping its indentation through a backreference. The original left insertafter empty, which lineinfile treats as end of file, so that parameter is simply dropped.

[root@localhost]#  cat 0309-access-control.yml

---
- hosts: all
  tasks:
    - name: change /etc/bashrc
      lineinfile:
        path: /etc/bashrc
        state: present
        line: 'umask 027'

    - name: change /etc/profile
      lineinfile:
        path: /etc/profile
        state: present
        backrefs: yes
        regexp: '^(\s+)umask 022'
        line: '\g<1>umask 027'

8.  Lock accounts after failed logins

pam_tally2 counts failed authentications and rejects further attempts once deny= is reached, for unlock_time seconds (root_unlock_time=1 effectively exempts root, as in the original; onerr=fail denies access when the counter file cannot be used). Where the line sits in the auth stack decides whether it works at all: the original appended it to the end of /etc/pam.d/system-auth, after "auth sufficient pam_unix.so". A correct password then succeeds at pam_unix, the stack ends there, and pam_tally2 is never consulted, so a "locked" account can still log in. The task below inserts the line before pam_unix instead, and does the same in /etc/pam.d/password-auth, the stack sshd and other network logins use. An "account required pam_tally2.so" line resets the counter for services that do not call pam_setcred (see man pam_tally2). Two caveats: on RHEL both files are symlinks to *-ac files that authconfig regenerates, wiping manual edits, and "pam_tally2" lists the current counters while "pam_tally2 -u user -r" unlocks an account by hand.

[root@localhost]#  cat 0310-user-lock.yml

---
- hosts: all
  tasks:
    - name: count failed logins before pam_unix is consulted
      lineinfile:
        path: "{{ item }}"
        state: present
        regexp: '^auth\s+required\s+pam_tally2\.so'
        insertbefore: '^auth\s+sufficient\s+pam_unix\.so'
        line: 'auth        required      pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1'
      with_items:
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth

9.  Set the password policy

The first task rewrites the complexity line in /etc/pam.d/system-auth: at least one digit, one upper-case letter and one special character (a credit of -1 means "required"), lcredit=0 gives no credit for lower-case letters, minimum length 8, three prompts before passwd gives up. pam_cracklib.so is the module RHEL 6 ships on that line; RHEL 7 ships pam_pwquality.so with the same options (plus /etc/security/pwquality.conf), so the regexp matches either, and the replacement keeps the article's pam_cracklib line, which still exists on RHEL 7. The second task handles reuse and hashing. The original appended "password required pam_unix.so remember=5 use_authtok md5" to /etc/pam.d/passwd; on RHEL that file already runs the whole system-auth stack through "password substack system-auth", so the password was being set twice, and md5 selects MD5-crypt, which is cheap to brute-force offline. The version below instead adds remember=5 to the existing pam_unix password line in system-auth and keeps sha512 there. As with the lockout, sshd's stack is /etc/pam.d/password-auth and needs the same edits, and authconfig overwrites both files.

[root@localhost]#  cat password-policy.yml

---
- hosts: all
  tasks:
    - name: set password complexity in /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        backrefs: yes
        # RHEL 6 ships pam_cracklib on this line, RHEL 7 pam_pwquality
        regexp: '^password\s+requisite\s+pam_(cracklib|pwquality)\.so'
        line: 'password    requisite     pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 retry=3'

    - name: keep sha512 hashing and block reuse of the last five passwords
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        backrefs: yes
        regexp: '^password\s+sufficient\s+pam_unix\.so'
        # the stock RHEL 7 line plus remember=5; md5 from the original replaced by sha512
        line: 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5'
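The following checker is an added example for playbooks 8 and 9, not code from the original article. It is plain Python with no Ansible dependency, so it can be run on a host directly (for example through the script module) against /etc/pam.d/system-auth or password-auth. The parser, the BEFORE/AFTER samples and the finding texts are constructed here; the first pam_tally2 or pam_faillock auth line carrying deny= is taken as the counter, and minlen is read only from the PAM line, not from /etc/security/pwquality.conf.

```python
"""Check lockout and password-hash policy in a PAM stack file (system-auth).

PAM evaluates each stack in file order, and a "sufficient" module that
succeeds ends the stack, so a pam_tally2 line placed after
"auth sufficient pam_unix.so" is never consulted for a correct password.
"""
import os
import re

PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
COUNTERS = ("pam_tally2.so", "pam_faillock.so")
QUALITY = ("pam_pwquality.so", "pam_cracklib.so")


def parse_pam(text):
    """Return [(line_no, type, control, module, args)] for the active lines.

    A bracketed control such as [success=1 default=ignore] stays one token,
    a leading "-" on the type (optional module) is dropped, and the module is
    reduced to its basename so /lib64/security/pam_limits.so matches too.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if m:
            mtype, control, module, args = m.groups()
            entries.append((no, mtype.lstrip("-").lower(), control.lower(),
                            os.path.basename(module), args.split()))
    return entries


def args_dict(args):
    """['deny=10', 'sha512'] -> {'deny': '10', 'sha512': None}."""
    out = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        out[key] = value if sep else None
    return out


def audit_pam(text, min_len=8):
    """Return findings (strings) for the article's lockout and password rules."""
    entries = parse_pam(text)
    findings = []

    # 1. Lockout: the counter must run before pam_unix can end the auth stack.
    auth = [e for e in entries if e[1] == "auth"]
    counter = next((e for e in auth if e[3] in COUNTERS and "deny" in args_dict(e[4])), None)
    unix = next((e for e in auth if e[3] == "pam_unix.so"), None)
    if counter is None:
        findings.append("auth: no pam_tally2/pam_faillock line with deny=, failed logins are not limited")
    elif unix is not None and counter[0] > unix[0]:
        findings.append(f"auth: counter on line {counter[0]} comes after pam_unix on line {unix[0]}; "
                        "a correct password succeeds before the lock is checked")

    # 2. Hashing and reuse on the pam_unix password line.
    unix_pw = [e for e in entries if e[1] == "password" and e[3] == "pam_unix.so"]
    if not unix_pw:
        findings.append("password: no pam_unix line")
    for e in unix_pw:
        opts = args_dict(e[4])
        if "sha512" not in opts:
            findings.append(f"password: pam_unix on line {e[0]} does not select sha512 hashing")
        if "remember" not in opts:
            findings.append(f"password: pam_unix on line {e[0]} has no remember=, old passwords can be reused")

    # 3. Complexity: minlen on pam_pwquality/pam_cracklib (pwquality can also
    #    take it from /etc/security/pwquality.conf, which is not read here).
    quality = [e for e in entries if e[1] == "password" and e[3] in QUALITY]
    if not quality:
        findings.append("password: no pam_pwquality/pam_cracklib line, no complexity rules")
    else:
        minlen = args_dict(quality[0][4]).get("minlen")
        if minlen is None or int(minlen) < min_len:
            findings.append(f"password: minlen is {minlen}, baseline wants {min_len}")
    return findings


# Constructed samples, not copied from a host. BEFORE is a RHEL 7 style
# system-auth after playbook 8 appended its line at the end of the file.
BEFORE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
-session    optional      pam_systemd.so
auth required  pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1
"""

# AFTER: counter before pam_unix, account reset line, sha512 and remember=5.
AFTER = """\
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
session     required      /lib64/security/pam_limits.so
"""
```

Running audit_pam(BEFORE) reports three findings (the misplaced counter, md5 hashing, no remember=), while audit_pam(AFTER) returns an empty list; to audit a host, pass open("/etc/pam.d/system-auth").read() instead of the sample.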

 

10.  Set the password length rule

PASS_MIN_LEN in /etc/login.defs is honoured only when PAM is not performing the check; on RHEL 7 the minlen of pam_pwquality/pam_cracklib from the previous step is what actually applies, so this keeps the two consistent. The stock file separates keyword and value with a tab, which is why the regexp used \t; \s+ matches either. With backrefs: yes lineinfile expands the replacement as a regex template, so the \t in the line becomes a real tab (without backrefs it would be written literally).

[root@localhost]#  cat password-rule.yml

---
- hosts: all
  tasks:
    - name: change /etc/login.defs
      lineinfile:
        path: /etc/login.defs
        state: present
        backrefs: yes
        regexp: '^PASS_MIN_LEN\s+\d+'
        line: 'PASS_MIN_LEN\t8'

11.  Fix the slow password prompt on SCP (and tighten sshd)

GSSAPIAuthentication yes makes the client try Kerberos first and wait for it to time out before falling back to a password, which is the delay seen with scp. The other four lines are hardening: rhosts trust, host-based authentication and empty passwords stay disabled. The "#Keyword value" lines in the stock file only document sshd's built-in defaults; the original replaced them with active lines. Two details matter: sshd uses the first value it reads for each keyword, so the regexp must also match an active line if one exists and not just the commented default, and sshd must be restarted before any change applies, which the original omitted. The validate step runs sshd -t on the candidate file so a typo cannot lock out the next SSH login. RhostsRSAAuthentication belongs to SSH protocol 1 and is deprecated since OpenSSH 7.4 (RHEL 7.4 and later), where sshd logs a warning and ignores it. Note that YAML turns a bare yes/no into a boolean, so the values in the loop are quoted.

[root@localhost]#  cat 0313-tcp-trans.yml

---
- hosts: all
  tasks:
    - name: set sshd options
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        # match the active or the commented-out form of the keyword
        regexp: '^#?{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { key: GSSAPIAuthentication, value: 'no' }
        - { key: IgnoreRhosts, value: 'yes' }
        - { key: PermitEmptyPasswords, value: 'no' }
        - { key: RhostsRSAAuthentication, value: 'no' }
        - { key: HostbasedAuthentication, value: 'no' }
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted

12.  Fix slow SSH logins by disabling the reverse DNS check

With UseDNS yes sshd resolves the client address and waits for the lookup before the password prompt. The reverse lookup only matters for from="hostname" restrictions in authorized_keys; it is not an authentication control, and OpenSSH has defaulted to no since 6.8. The same first-value-wins, validate and restart caveats as in the previous playbook apply.

[root@localhost]#  cat tcp-dns.yml

---
- hosts: all
  tasks:
    - name: change SSH DNS
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?UseDNS\s'
        line: 'UseDNS no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted

13.  Configure the SSH login banner

Banner sends the contents of a file to the client before authentication, so it is the place for a legal warning notice; keep it free of OS, version or ownership details, since unauthenticated clients see it. /etc/motd is already printed after login by pam_motd, and the usual convention is a separate /etc/issue.net for the pre-login text; the original's choice of /etc/motd is kept here. The original inserted the line after "#Banner none" without a regexp, which is idempotent but leaves a second active Banner line untouched; matching the keyword avoids that. The PermitEmptyPasswords task repeats the one in playbook 11.

[root@localhost]#  cat ssh-login.yml

---
- hosts: all
  tasks:
    - name: change SSH empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitEmptyPasswords\s'
        line: 'PermitEmptyPasswords no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: change SSH banner
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?Banner\s'
        line: 'Banner /etc/motd'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
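Playbooks 11 to 13 each replace a single line, and whether that line is the one sshd honours depends on a rule none of them can check: sshd takes the first value it reads for a keyword and ignores later duplicates. The audit below is an added example, not part of the original article, that reads an sshd_config with that rule (stopping at the first Match block, whose directives are conditional) and reports both deviations from the article's settings and later duplicates that sshd ignores. DEFAULTS holds the OpenSSH 7.4 built-in defaults for the audited keywords; the sample file is constructed.

```python
"""Audit the effective sshd_config settings that playbooks 11 to 13 edit.

sshd keeps the FIRST value it reads for each keyword; later duplicates are
ignored, and directives under a Match block apply only to matching
connections. A hardening line appended at the end of the file is therefore
silently ineffective if an active weaker line precedes it.
"""
import re

# Built-in defaults of OpenSSH 7.4 (RHEL 7.4+) for the audited keywords;
# they apply when the keyword does not appear in the file at all.
DEFAULTS = {
    "gssapiauthentication": "no",
    "ignorerhosts": "yes",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "usedns": "no",
}

# What playbooks 11 and 12 set (RHEL ships an active "GSSAPIAuthentication yes").
BASELINE = {
    "gssapiauthentication": "no",
    "ignorerhosts": "yes",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "usedns": "no",
}


def parse_sshd_config(text):
    """Return (effective, ignored) for the global section of an sshd_config.

    effective maps the lower-cased keyword to the first value seen; ignored
    lists (line_no, keyword, value) for later duplicates, which sshd discards.
    Parsing stops at the first Match block.
    """
    effective, ignored = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in effective:
            ignored.append((no, key, value))
        else:
            effective[key] = value
    return effective, ignored


def audit_sshd_config(text, baseline=BASELINE):
    """Return a list of findings (strings); an empty list means compliant."""
    effective, ignored = parse_sshd_config(text)
    findings = []
    for key, want in baseline.items():
        got = effective.get(key, DEFAULTS.get(key, ""))
        if got.lower() != want:
            findings.append(f"{key}: effective value '{got}', baseline wants '{want}'")
    for no, key, value in ignored:
        findings.append(f"line {no}: '{key} {value}' is ignored by sshd, an earlier line sets the value")
    return findings


# Constructed sample, not a real host's file: the stock active GSSAPI line, an
# active weak PermitEmptyPasswords, and the hardening line appended too late.
SAMPLE = """\
# constructed sshd_config fragment
GSSAPIAuthentication yes
#PermitEmptyPasswords no
PermitEmptyPasswords yes
Banner /etc/issue.net
UseDNS no
# appended by a lineinfile run without regexp: never takes effect
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
"""
```

audit_sshd_config(SAMPLE) returns three findings: GSSAPIAuthentication still yes, PermitEmptyPasswords effectively yes, and the appended PermitEmptyPasswords no on line 8 ignored. On a host, "sshd -T" prints the effective configuration and is the authoritative cross-check for this parser.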

14.  Control permissions on critical files

/etc/passwd and /etc/group must stay world-readable (name lookups depend on them); /etc/shadow must not be. RHEL 7 ships /etc/shadow and /etc/gshadow as mode 0000 owned by root, which root can still read, so the 0600 of the original is slightly looser than the default and is best read as an upper bound. /etc/gshadow (group passwords and administrators) gets the same treatment as /etc/shadow, and owner and group are pinned to root at the same time. Modes are quoted so YAML cannot reinterpret them.

[root@localhost]#  cat 0314-directory-access.yml

---
- hosts: all
  tasks:
    - name: set mode and ownership of account files
      file:
        path: "{{ item.path }}"
        mode: "{{ item.mode }}"
        owner: root
        group: root
      with_items:
        - { path: /etc/passwd, mode: '0644' }
        - { path: /etc/group, mode: '0644' }
        - { path: /etc/shadow, mode: '0600' }
        - { path: /etc/gshadow, mode: '0600' }
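An added example, not from the original article, for checking the result of playbook 14: an audit that treats the modes as an upper bound rather than an exact match, so a stricter default such as RHEL 7's 0000 on /etc/shadow passes while any extra bit, including setuid/setgid/sticky, is reported. The sample directory is constructed so the check runs without root; point audit_modes at /etc on a host for a real audit.

```python
"""Check the mode of the account database files against an upper bound.

The useful question for an audit is "is the file looser than allowed?",
not "is it exactly 0644?". The check masks out the allowed bits and reports
whatever remains, including setuid/setgid/sticky.
"""
import os
import stat
import tempfile

# Most permissive mode tolerated for each file (tighter is fine).
BASELINE_MODES = {
    "passwd": 0o644,
    "group": 0o644,
    "shadow": 0o600,
    "gshadow": 0o600,
}


def extra_bits(actual, allowed):
    """Permission bits set in actual that the baseline does not allow (0 = ok)."""
    return actual & ~allowed & 0o7777


def audit_modes(etc_dir, baseline=BASELINE_MODES):
    """Return {name: (mode, extra)} for files looser than the baseline.

    Missing files are reported with None. Symlinks are not followed, so an
    /etc/shadow replaced by a link to some other file is always flagged.
    """
    findings = {}
    for name, allowed in baseline.items():
        path = os.path.join(etc_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings[name] = None
            continue
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode) or extra_bits(mode, allowed):
            findings[name] = (mode, extra_bits(mode, allowed))
    return findings


def make_sample_etc():
    """Constructed stand-in for /etc: shadow is world-readable, gshadow is 0000."""
    etc = tempfile.mkdtemp()
    for name, mode in (("passwd", 0o644), ("group", 0o644),
                       ("shadow", 0o644), ("gshadow", 0o000)):
        path = os.path.join(etc, name)
        with open(path, "w") as f:
            f.write("# constructed sample, no real accounts\n")
        os.chmod(path, mode)
    return etc
```

audit_modes(make_sample_etc()) reports only shadow, with the extra bits 0o044 (group and world read); gshadow at 0000 is accepted. Ownership is not checked because the sample files cannot be chowned without root; on a real host, add a comparison of st.st_uid and st.st_gid against 0.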

15.  Raise the Linux TCP connection (open file) limits

nofile is the per-process limit on open descriptors, which is what bounds a server's concurrent TCP connections; nproc is the per-user process and thread limit, which also caps fork-bomb damage, so raising it for "*" trades some protection for capacity. Two RHEL 7 details: "*" does not apply to root, and /etc/security/limits.d/20-nproc.conf sets nproc for regular users to 4096 and is read after limits.conf, so it overrides this value unless it is edited as well. The limits apply to new sessions through pam_limits. The original left insertafter empty (end of file); a regexp per item keeps the task idempotent when a value is changed later.

[root@localhost]#  cat 0316-tcp-connections.yml

---
- hosts: all
  tasks:
    - name: set per-user limits
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        # replace an existing "* <type> <item>" line instead of adding a second one
        regexp: '^\*\s+{{ item.type }}\s+{{ item.item }}\s'
        line: '*               {{ item.type }}    {{ item.item }}           {{ item.value }}'
      with_items:
        - { type: soft, item: nofile, value: 65536 }
        - { type: hard, item: nofile, value: 65536 }
        - { type: soft, item: nproc, value: 65536 }
        - { type: hard, item: nproc, value: 65536 }

16.  Tune kernel parameters

The sysctl module writes the key to /etc/sysctl.conf and applies it to the running kernel in one step, where the original lineinfile edits only took effect at the next reboot or "sysctl -p". kernel.panic_on_oops=1 turns a kernel oops into a panic rather than continuing with possibly corrupted state (pair it with kernel.panic=N to reboot automatically); the vm.* and fs.* entries are capacity settings matching an Oracle Database prerequisite list, and vm.min_free_kbytes reserves 800 MB, which is a lot for a small VM. The final task adds pam_limits to /etc/pam.d/login; on RHEL 7 the module is already loaded through system-auth, and the absolute path is unnecessary because PAM searches /lib64/security itself, so the line is kept only for compatibility with the original.

[root@localhost]#  cat 0317-kernel-param.yml

---
- hosts: all
  tasks:
    - name: set kernel parameters
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.conf
        state: present
        reload: yes
      with_items:
        - { name: kernel.panic_on_oops, value: '1' }
        - { name: vm.min_free_kbytes, value: '819200' }
        - { name: vm.max_map_count, value: '131060' }
        - { name: fs.file-max, value: '6815744' }
        - { name: fs.aio-max-nr, value: '1048576' }

    - name: session
      lineinfile:
        path: /etc/pam.d/login
        state: present
        line: 'session    required     /lib64/security/pam_limits.so'

 

17.  Disable unneeded services

avahi-daemon (mDNS, advertises the host on the local network) and bluetooth have no place on a server. The same "unit not found" handling as in playbook 3, expressed with failed_when and a loop instead of the original's duplicated task pairs; with a loop, result refers to the item being processed.

[root@localhost]#  cat 0318-service-close.yml

---
- hosts: all
  tasks:
    - name: stop and disable unneeded services
      service:
        name: "{{ item }}"
        state: stopped
        enabled: no
      register: result
      # a host without the package is fine; any other failure aborts the play
      failed_when:
        - result is failed
        - "'Could not find the requested service' not in (result.msg | default(''))"
      with_items:
        - avahi-daemon
        - bluetooth

 

18.  Configure DNS on the network interface

Appending nameserver lines to /etc/resolv.conf lasts only until NetworkManager (RHEL 7) or the network scripts regenerate the file from the interface configuration; the persistent form is DNS1=/DNS2= in /etc/sysconfig/network-scripts/ifcfg-<interface>, or "nmcli con mod <connection> ipv4.dns ...". The original edits resolv.conf directly and is kept here, with the two tasks collapsed into one loop; lineinfile with an exact line is idempotent, so the addresses are not duplicated on repeated runs. The resolver is a trust boundary: only the organisation's own servers belong here, and the resolver library uses at most the first three nameserver lines.

[root@localhost]#  cat config-dns.yml

---
- hosts: all
  tasks:
    - name: config DNS
      lineinfile:
        path: /etc/resolv.conf
        state: present
        line: 'nameserver {{ item }}'
      with_items:
        - 10.19.249.104
        - 10.19.249.105

 

 

 

19.  Configure server time synchronisation

The play copies a complete ntp.conf from the Tower project directory, keeping a copy of the previous file (backup: yes); ownership and mode are pinned so the copy is readable but not writable by anyone else, and ntpd is restarted on change, which the original omitted. Two things to check in the configuration: the original contained no restrict lines, so ntpd would answer mode 6/7 control queries from any address (the vector used in NTP amplification attacks) and accept configuration changes, which the stock RHEL defaults added below prevent; and "keys" with "includefile /etc/ntp/crypto/pw" only do anything once the key files exist and a trustedkey line references them. Time is a security control in its own right: log correlation, Kerberos and certificate validity all depend on it.

[root@localhost]#  cat 0322-config-ntp.yml

---
- hosts: all
  tasks:
    - name: copy files
      become: true
      copy:
        src:  /var/lib/awx/projects/0322-config-ntp/example.conf
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: '0644'
        backup: yes
      notify: restart ntpd
  handlers:
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted

The configuration file, with the access restrictions from the stock RHEL ntp.conf added (the original had none):

[root@localhost]#  cat /var/lib/awx/projects/0322-config-ntp/example.conf

# the internal NTP server is preferred, 10.19.250.1 is the fallback
server  ntp.ciitc.com.cn prefer
server  10.19.250.1
driftfile  /var/lib/ntp/drift
logfile  /var/log/ntp.log
keys  /etc/ntp/keys
includefile  /etc/ntp/crypto/pw
# added: refuse configuration changes, peering and mode 6/7 queries from the
# network, allow everything from localhost (the defaults shipped in RHEL's ntp.conf)
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

 

20.  Write the system time to the hardware clock

SYNC_HWCLOCK=yes is read by the SysV init scripts (ntpd on older releases, ntpdate via /etc/sysconfig/ntpdate), which run "hwclock --systohc" after the initial time step so the RTC survives a reboot with the right time. The systemd ntpd unit on RHEL 7 does not read the variable; there, once ntpd has synchronised, the kernel writes the system time to the RTC every 11 minutes on its own, and "hwclock --systohc" can be run explicitly if needed. The task is kept for hosts where the init script honours it; lineinfile with an exact line is idempotent, so the empty insertafter of the original is dropped.

[root@localhost]#  cat 0323-hwclock.yml

---
- hosts: all
  tasks:
    - name: hwclock
      lineinfile:
        path: /etc/sysconfig/ntpd
        state: present
        line: 'SYNC_HWCLOCK=yes'

21.  Configure the yum repository

gpgcheck: no is the supply-chain hole in this baseline: packages from an internal HTTP mirror are installed without any signature check, so anyone who can tamper with the mirror or with the traffic to it can ship code to every host as root. The fix is to keep gpgcheck on and point gpgkey at the vendor key; RHEL hosts already carry Red Hat's release key in /etc/pki/rpm-gpg/ (installed by the redhat-release package), so a mirror of signed RHEL packages needs nothing more. If the mirror also carries locally built packages, sign them and publish that key alongside. The ping task only confirms that the host is reachable over SSH and that Python works there.

[root@localhost]#  cat repo-create.yml

---
- hosts: all
  tasks:
    - name: test connection
      ping:

    - name: Add repository
      yum_repository:
        name: rhel
        description: RHEL YUM repo
        file: rhel
        baseurl: http://172.20.16.227:8090/rhel/
        # verify signatures against the Red Hat release key already present on RHEL hosts
        gpgcheck: yes
        gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
        enabled: yes

 

22.  Upgrade to a specific patch version

Giving package a name-version pins what gets installed: the task is idempotent once that version is present and upgrades an older one, but it does nothing when a newer build is already installed (state: present does not downgrade). ntp-4.2.6p5 and openssh-7.4p1 are upstream version strings, not full RHEL NEVRAs, so any 4.2.6p5-* or 7.4p1-* build from the repository above satisfies them; for a security errata the release suffix (the -N.el7 part) is what changes, so pin the full version-release when a specific fix is meant. The sshd daemon lives in openssh-server, which yum must update alongside openssh to keep the dependency satisfied; listing it explicitly makes the intent clear. The when condition limits this to RHEL 7 hosts, and the handlers restart the daemons only when a package actually changed.

[root@localhost]#  cat check-rpm-info.yml

---
- hosts: all
  tasks:
    - name: install ntp
      package:
        name: ntp-4.2.6p5
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart ntpd

    - name: install openssh
      package:
        name:
          - openssh-7.4p1
          - openssh-server-7.4p1
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart sshd
  handlers:
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted
    - name: restart sshd
      service:
        name: sshd
        state: restarted




