星期日, 11月 15, 2015

Ansible 小記 - 用 playbook 安裝 nginx

上次介紹 playbook
接下來要在沒有很了解 playbook 以及 module 的情況下, 來實驗書上的第一個 playbook - nginx 安裝.

接下來的筆記就會規劃 不同 module 的指令還有 playbook 的實作

Lab: 安裝 nginx without TLS

在 playbook 目錄下
$ vi   web-notls.yml
- name: Configure webserver with nginx
 hosts: webservers
 sudo: True
 tasks:
   - name: install nginx
     apt: name=nginx update_cache=yes

   - name: copy nginx config file
     copy: src=files/nginx.conf  dest=/etc/nginx/sites-available/default

   - name: enable configuration
     file: >
       dest=/etc/nginx/sites-enabled/default
       src=/etc/nginx/sites-available/default
       state=link

   - name: copy index.html
     template: src=templates/index.html.j2 dest=/usr/share/nginx/html/index.html
       mode=0644

   - name: restart nginx
     service: name=nginx state=restarted


建立 預設的 conf 檔案( 對應上方的設定 )
在 playbook 目錄下
$ mkdir  files

建立設定檔
$ vi  files/nginx.conf
server {
       listen 80 default_server;
       listen [::]:80 default_server ipv6only=on;

       root /usr/share/nginx/html;
       index index.html index.htm;

       server_name localhost;

       location / {
                try_files $uri $uri/ =404;
       }
}

建立 templates 目錄
在 playbook 目錄下
$ mkdir  templates

建立首頁的範本
$ vi   templates/index.html.j2
<html>
<head>
   <title>Welcome to ansible</title>
</head>
<body>
<h1>nginx, configured by Ansible</h1>
<p>If you can see this, Ansible successfully installed nginx.</p>

<p>{{ ansible_managed }}</p>
</body>
</html>

修改 hosts 檔案( 因為上面的 web-notls.yml 對象是 webservers 群組  )
在 playbook 目錄下
新增 webservers 群組
$ vi  hosts
ubuntu_utah ansible_ssh_host=pcvm2-13.utah.geniracks.net

ubuntu_cenic ansible_ssh_host=pcvm2-28.instageni.cenic.net

[geni]
ubuntu_utah
ubuntu_cenic

[webservers]
ubuntu_utah

測試群組
$ ansible   webservers   -m ping
ubuntu_utah | success >> {
   "changed": false,
   "ping": "pong"
}



觀察目前目錄下物件
$ ls -R
ansible.cfg   files         hosts         templates     web-notls.yml

./files:
nginx.conf

./templates:
index.html.j2

執行  playbook

$ ansible-playbook   web-notls.yml

驗證 webservers 主機的 port 80

成功之後來進行另外一個 Lab

Lab: 使用 TLS support 的 nginx

在 playbooks 目錄下
$ vi   web-tls.yml

- name: Configure webserver with nginx and tls
 hosts: webservers
 sudo: True
 vars:
   key_file: /etc/nginx/ssl/nginx.key
   cert_file: /etc/nginx/ssl/nginx.crt
   conf_file: /etc/nginx/sites-available/default
   server_name: localhost
 tasks:
   - name: Install nginx
     apt: name=nginx update_cache=yes cache_valid_time=3600

   - name: create directories for ssl certificates
     file: path=/etc/nginx/ssl state=directory

   - name: copy TLS key
     copy: src=files/nginx.key dest={{ key_file }} owner=root mode=0600
     notify: restart nginx

   - name: copy TLS certificate
     copy: src=files/nginx.crt dest={{ cert_file }}
     notify: restart nginx

   - name: copy nginx config file
     template: src=templates/nginx.conf.j2 dest={{ conf_file }}
     notify: restart nginx

   - name: enable configuration
     file: dest=/etc/nginx/sites-enabled/default src={{ conf_file }} state=link
     notify: restart nginx

   - name: copy index.html
     template: src=templates/index.html.j2 dest=/usr/share/nginx/html/index.html mode=0644

 handlers:
   - name: restart nginx
     service: name=nginx state=restarted

手動建立憑證
在 playbooks 目錄下
使用 openssl 指令建立憑證
$ openssl  req  -x509  -nodes  -days 3650 -newkey rsa:2048 -subj /CN=localhost -keyout files/nginx.key -out files/nginx.crt
Generating a 2048 bit RSA private key
........................................+++
...............................................+++
writing new private key to 'files/nginx.key'
-----

驗證輸出
$ ls   files/
nginx.conf nginx.crt  nginx.key

建立 nginx.conf.j2  給支援 tls 設定檔使用 ( 跟沒有 TLS 的差異為紅色部分 )

在 playbooks 目錄下

$ vi  templatess/nginx.conf.j2

server {
       listen 80 default_server;
       listen [::]:80 default_server ipv6only=on;

       listen 443 ssl;

       root /usr/share/nginx/html;
       index index.html index.htm;

       server_name {{ server_name }};
       ssl_certificate {{ cert_file }};
       ssl_certificate_key {{ key_file }};

       location / {
                try_files $uri $uri/ =404;
       }
}

使用之前已經安裝過的主機測試  playbook
$ ansible-playbook   web-tls.yml
PLAY [Configure webserver with nginx and tls] *********************************

GATHERING FACTS ***************************************************************
ok: [ubuntu_utah]

TASK: [Install nginx] *********************************************************
ok: [ubuntu_utah]

TASK: [create directories for ssl certificates] *******************************
ok: [ubuntu_utah]

TASK: [copy TLS key] **********************************************************
ok: [ubuntu_utah]

TASK: [copy TLS certificate] **************************************************
ok: [ubuntu_utah]

TASK: [copy nginx config file] ************************************************
changed: [ubuntu_utah]

TASK: [enable configuration] **************************************************
ok: [ubuntu_utah]

TASK: [copy index.html] *******************************************************
changed: [ubuntu_utah]

NOTIFIED: [restart nginx] *****************************************************
changed: [ubuntu_utah]

PLAY RECAP ********************************************************************
ubuntu_utah                : ok=9    changed=3    unreachable=0    failed=0

測試完全新的 ubuntu_cenic 也okay

今天先到這邊

~ enjoy it



1 則留言:

Radha Sai 提到...

Nice post. Keep updating Devops Online Course