角色 Role
一、什么是 Role?
Role 乍一看似乎与 RBAC 那一套东西扯上了关系,实际不然,我们不能按照其翻译过来的意思去理解,它其实是一套官方推行的 “标准化文件组织结构” ,采用这套标准化规范编写出的完成功能需求的文件集合,就叫做 “Role”
二、Role 规范
在实际工作中有很多不同业务需要编写很多 playbook 文件及辅助文件(如 vars、tasks 等),如果缺少标准化的手段以及规范的方案,是很那对这些 playbook 进行维护管理的,于是乎每个人、组织都开始摸索着适合自己的标准化规范
而 Role 就是由 Ansible 官方提出的方案,它是一种通用的规范,文件基本组织结构如下:
$ tree roles
roles
├── nginx
│ ├── defaults
│ │ └── main.yaml
│ ├── files
│ │ └── index.html
│ ├── handlers
│ │ └── main.yaml
│ ├── meta
│ │ └── main.yaml
│ ├── tasks
│ │ └── main.yaml
│ ├── templates
│ │ └── nginx.conf.j2
│ └── vars
│ └── main.yaml
└── site.yaml
8 directories, 8 filesroles/nginx:仅包含 nginx 目录说明它的主要工作就是配置部署 Nginx 服务site.yaml:role 引用的入口文件files:角色可能会用到的一些其他文件可以放置在此目录中,如 Nginx 部署中用到的 页面文件、SSL 证书等tasks:角色需要执行的主任务文件放置在此目录中,默认的主任务文件名为 main.yml,也可以将其他需要执行的任务文件通过 include 的方式包含在tasks/main.yml文件中handlers:存放一些 task 所用到的 handler 回调任务templates:角色相关的模板文件可以放置在此目录中,当使用角色相关的模板时,如果没有指定路径,会默认从此目录中查找对应名称的模板文件default:角色会使用到的变量可以写入到此目录中的 main.yml 文件中,主要用于设置默认值,定义在这的变量优先级是最低的vars:角色会使用到的变量可以写入到此目录中的 main.yml 文件中,主要用于确保别人在调用角色时使用指定值,定义在这的变量拥有高优先级meta:赋予角色一些元数据,例如 描述角色的相关属性,比如 作者信息、角色主要作用、及依赖其他角色等等library:保存用来满足角色功能的自定义扩展模块(脚本)filter_plugins:保存用来满足角色功能的自定义过滤器插件(脚本)group_var/<group_name>:如果<group_name>存在,那么该文件中定义的变量就会添加到对应的主机组中host_vars/<hostname>:如果<hostname>存在,那么该文件中定义的变量就会添加到对应的主机中group_var[s]、host_vars 在 ansible 2.9.25 版本中测试失败,暂时不清楚是我们这边配置的问题还是什么,当然也有可能是官方移除这个功能,至少官方文档中 Role 的章节没看到这两货
OK,了解完 Role 目录规范后,我们看下当执行流程
三、Role 执行流程
3.1 Role 规范处理
当我们通过 ansible-playbook 执行入口剧本文件时,它首先会按照 Role 规范进行文件处理:
- 如果
roles/nginx/tasks/main.yml存在, 那么其中包含的 tasks 将被添加到 play 中 - 如果
roles/nginx/handlers/main.yml存在, 那么其中包含的 handlers 将被添加到 play 中 - 如果
roles/nginx/vars/main.yml存在, 那么其中包含的 变量将被添加到 play 中 - 如果
roles/nginx/defaults/main.yml存在,那么其中包含的角色默认变量将被添加到play 中 - 如果
roles/nginx/meta/main.yml存在, 那么其中包含的 “角色依赖” 将被添加到 roles 列表中
需要补充几个点
copytasks 可以直接引用roles/nginx/files/中的文件,不需要指明文件的全路径scripttasks 可以直接引用roles/nginx/files/中的脚本,不需要指明文件的全路径templatetasks 可以直接引用roles/nginx/templates/中的文件,不需要指明文件的全路径includetasks 可以直接引用roles/nginx/tasks/中的文件,不需要指明文件的全路径,如果 roles 目录下有文件不存在,这些文件将被忽略
3.2 playbook 执行顺序
- 执行
pre_tasks定义的所有任务 - 执行到目前触发的
handlers任务(pre_tasks 产生) - 依次执行
roles中列出的角色 - 首先运行角色中
meta/main.yml定义的任何角色依赖关系 Role - 依次执行
tasks定义的所有任务 - 执行到目前触发的
handlers任务(tasks 产生) - 执行
post_tasks定义的所有任务 - 执行到目前触发的
handlers任务(post_tasks 产生)
四、Role 使用
3.1 一步步的开始上手 Role
3.1.1 从零开始
文件结构
$ tree test-role
test-role
└── tasks
└── main.yml模版定义 tasks/main.yml
- debug:
msg: "hello, role!"模版定义 test.yml
- hosts: ecs[0]
roles:
- test-role执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, role!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0这就是一个最最最基本的 Role,看起来我们似乎是将意见简单的事情复杂化了,任何参与过标准化实施的人都明白一个道理,“偷得一分懒,要拿十分还!”
这歌示例里最核心的指令是
roles:
- test-role这里我们只提供了 role 的文件名,并没有提供路径,ansible 默认会从以下几个路径查找
- 当前目录
./ - 当前目录下 roles:
./roles - 家目录下 roles:
~/.ansible/roles
不过,ansible 提供了自定义搜索路径的 path 参数,如下所示:
$ grep "roles_path" /etc/ansible/ansible.cfg
#roles_path = /etc/ansible/roles取消注释,逗号分隔多个路径即可
指定调用 roles 的写法还有以下几种
# 方式一
roles:
# 绝对目录
- role: "/dir/ansible/testrole/"
# 方式二
roles:
# 相对目录
- role: testrole
# todo3.1.2 引入变量
3.1.2.1 defaults 目录
上述示例中,我们没有使用任何变量,现在我们引入变量
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
└── tasks
└── main.yml
2 directories, 2 files模版定义 defaults/main.yml
username: 'Da'执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Da!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=03.1.2.2 vars 目录
之前我们提过 defaults 变量优先级比 vars 低,适用于为 Role 设置默认值,下面我们来验证以下
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── tasks
│ └── main.yml
└── vars
└── main.yml
3 directories, 3 files模版定义 vars/main.yml
username: 'Yo'执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=03.1.2.3 vars 指令
目录结构保持不变,修改剧本入口文件 test.yml
模版定义
- hosts: ecs[0]
roles:
- role: test-role
vars:
username: 'Dayo'执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0似乎没效果?
其实不然,这是因为 vars 目录定义的变量级别非常高,以致于 vars 指令都不生效了,我们注释掉 vars/main.yml 中的变量声明
模版定义:vars/main.yml
#username: 'Yo'再次执行
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Dayo!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=03.1.2.4 -e 命令行
如果你强烈不想使用别人提供的,那么可以在执行入口剧本时用 -e 参数强行覆盖,取消 vars/main.yml 中的变量声明注释,执行下面内容:
$ ansible-playbook -e "username='Yooooo'" test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yooooo!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0OK~ 基于上面几个小实验,我们基本可以得出结论,变量优先级:-e > vars/main.yml > vars: > defaults/main.yml
3.1.3 引入属性
默认情况下,角色只会运行一次,即便你显式的连续声明,如下所示:
- hosts: ecs[0]
roles:
- test-role
- test-role执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0如果想要多次调用同一个角色,有两种方法
- 设置角色的 allow_duplicates 属性 为 true,开启重复调用
- 调用角色时传入的不同参数值
allow_duplicates 启用重复调用
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── meta
│ ├── __init__.py
│ └── main.yml
├── tasks
│ └── main.yml
└── vars
└── main.yml
4 directories, 5 files模版定义 meta/main.yml
allow_duplicates: true执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0调用角色时传不同值
目录结构不变,注释 vars/main.yml 变量定义,以免变量传值不生效
模版定义 test.yml
- hosts: ecs[0]
roles:
- role: test-role
vars:
username: 'Dayo-1'
- role: test-role
vars:
username: 'Dayo-2'执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Dayo-1!"
}
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Dayo-2!"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=03.1.4 引入模版
假设我们现在有用到了模版,那么将其放入 templates 目录,template 模块渲染模版文件时以此作为 base,如下所示
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── meta
│ ├── __init__.py
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
│ └── test.j2
└── vars
└── main.yml
5 directories, 6 files模版定义 tasks/main.yml
- debug:
msg: "hello, {{ username }}!"
- name: generate config
template:
src: test.j2
dest: /tmp/test.conf执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
TASK [test-role : generate config] ******
changed: [ecs-1.aliyun.sz]
PLAY RECAP ******
ecs-1.aliyun.sz : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0查看文件
$ cat /tmp/test.conf
我的名字是 Yo3.1.5 引入回调
在某些场景下我们需要根据任务执行状态进行后续的回调处理,例如:模版渲染任务为 CHANGED 状态等,这时我们可以创建 handlers 目录并将对应的 回调 handler tasks 放入其中
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── handlers
│ └── main.yml
├── meta
│ ├── __init__.py
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
│ └── test.j2
└── vars
└── main.yml
6 directories, 7 files模板定义 handlers/main.yml
- name: test_handler
debug:
msg: "执行回调 handler [test_handler]"模版定义 tasks/main.yml
- debug:
msg: "hello, {{ username }}!"
- name: generate config
template:
src: test.j2
dest: /tmp/test.conf
notify: test_handler执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
TASK [test-role : generate config] ******
changed: [ecs-1.aliyun.sz]
RUNNING HANDLER [test-role : test_handler] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "执行回调 handler [test_handler]"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=03.1.6 引入文件
在部署角色时,有些时候我们需要使用自己提供的文件,例如 yum 镜像源、SSL 证书等,这时我们就需要用到 files 目录, copy 模块拷贝文件以此作为 base
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── files
│ ├── index.html
│ └── nginx.conf
├── handlers
│ └── main.yml
├── meta
│ ├── __init__.py
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
│ └── test.j2
└── vars
└── main.yml
7 directories, 9 files模版定义
- debug:
msg: "hello, {{ username }}!"
- name: generate config
template:
src: test.j2
dest: /tmp/test.conf
notify: test_handler
- name: Copy HTML
copy:
src: index.html
dest: /tmp/index.html执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
TASK [test-role : generate config] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : Copy HTML] ******
changed: [ecs-1.aliyun.sz]
PLAY RECAP ******
ecs-1.aliyun.sz : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0文件内容
$ cat /tmp/index.html
Nginx Index HTML.3.1.7 引入扩展模块
有些时候,我们的角色在完成需求时或许用到了自定义的模块,这时我们可以创建一个 library 目录,并将模块脚本其中,然后直接使用即可,如下所示
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── files
│ ├── index.html
│ └── nginx.conf
├── handlers
│ └── main.yml
├── library
│ └── docker_sh
├── meta
│ ├── __init__.py
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
│ └── test.j2
└── vars
└── main.yml
8 directories, 10 files脚本定义
#!/bin/bash
set -e
source $1 $2 $3
IMAGE=$image
NAME=$name
TAG=$tag
if [ ! -z "$IMAGE" ] && [ ! -z "$NAME" ] && [ ! -z "$TAG" ]; then
container_id=$(/usr/bin/docker run -d --name ${NAME} ${IMAGE}:${TAG})
if [ -z "$id" ]; then
CHANGED="True"
echo {\"containerId\":\"$container_id\"}
exit 0
fi
else
echo {\"msg\": \"run docker container error.\"}
fi模版定义
- debug:
msg: "hello, {{ username }}!"
- name: generate config
template:
src: test.j2
dest: /tmp/test.conf
notify: test_handler
- name: Copy HTML
copy:
src: index.html
dest: /tmp/index.html
- name: Run Container
docker_sh:
name: "ansible-nginx-role-demo"
image: "nginx"
tag: "latest"执行命令
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
TASK [test-role : generate config] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : Copy HTML] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : Run Container] ******
ok: [ecs-1.aliyun.sz]
PLAY RECAP ******
ecs-1.aliyun.sz : ok=5 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0查看容器
$ docker ps |grep role
270c2b9603c1 nginx:latest "/docker-entrypoint.…" 6 seconds ago Up 5 seconds 80/tcp ansible-nginx-role-demo3.1.8 引入自定义过滤器
同理,有些时候我们或许会用到自己编写的过滤器,这时我们只需要创建一个 filter_plugins 目录,把写好的过滤器脚本放进去即可,如下
目录结构
$ tree test-role
test-role
├── defaults
│ └── main.yml
├── files
│ ├── index.html
│ └── nginx.conf
├── filter_plugins
│ └── my_filters.py
├── handlers
│ └── main.yml
├── library
│ └── docker_sh
├── meta
│ ├── __init__.py
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
│ └── test.j2
└── vars
└── main.yml
9 directories, 11 files过滤器脚本 filter_plugins/my_filters.py
# coding: utf-8
class FilterModule(object):
# 实现 filters 方法,返回过滤器的名称及方法映射【必须】
# 所有过滤器必须注册到这里来,否则 ansible 调不到
def filters(self):
return {'a_filter': self.a_filter, 'b_filter': self.b_filter()}
# 过滤器方法:这就是后面我们使用时跟在 管道符 | 后面的
# 默认情况下 管道符前面的内容会作为 params 参数的值传递过来
def a_filter(self, params):
return '{} from a_filter.'.format(params)
# 还可以通过 可变参数及可变关键字参数接受所有参数
def b_filter(self, *args, **kwargs):
return 'args: {} --- '.format(args) + 'kwargs: {}'.format(kwargs)模版定义
---
- hosts: localhost
gather_facts: no
connection: local
tasks:
- name: Custom Filter Demo
debug:
msg: "{{ 'Da' | a_filter }}"
- name: Custom Filter Demo2
debug:
msg: "{{ 'Yo' | b_filter('Yo', 'like', 'Python', username='yo', gender='female') }}"执行效果
$ ansible-playbook test.yml
PLAY [ecs[0]] ******
TASK [Gathering Facts] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : debug] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "hello, Yo!"
}
TASK [test-role : generate config] ******
changed: [ecs-1.aliyun.sz]
TASK [test-role : Copy HTML] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : Run Container] ******
ok: [ecs-1.aliyun.sz]
TASK [test-role : Custom filter demo1] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "Da | a_filter"
}
TASK [test-role : Custom filter demo2] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "args: ('Yo', 'Yo', 'like', 'Python') --- kwargs: {'username': 'yo', 'gender': 'female'}"
}
RUNNING HANDLER [test-role : test_handler] ******
ok: [ecs-1.aliyun.sz] => {
"msg": "执行回调 handler [test_handler]"
}
PLAY RECAP ******
ecs-1.aliyun.sz : ok=8 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=03.2 使用角色的三种方式
roles 指令
roles: # 绝对目录 - role: "/dir/ansible/testrole/"include_role 指令
- include_role: # 包含 roles_path 所指定的目录中的 test-role 角色 name: test-roleimport_role 指令
- import_role: # 导入 roles_path 所指定的目录中的 test-role 角色 name: test-role角色依赖
五、Role 依赖
我们可以在 meta/main.yml 文件中定义当前 role 所依赖的 role,设置好了以后,在运行时 ansible 会自动导入所依赖的 role 运行,通过这个机制我们可以很好的实现解耦、复用
配置起来也非常简单,只需要在 meta/main.yml 中的 dependencies: [] 列表中声明下即可,不过为了巩固知识,我们这次我们写个有实际用处的 Role,主要围绕着两个需求
- 服务器配置使用 阿里云 yum 源配置(base、epel)
- 安装服务器常用的软件包
话不多说,直接开始,初始化两个 role
$ ansible-galaxy init common
- Role common was created successfully
$ ansible-galaxy init sa-tools-install
- Role common was created successfullycommon role
目录结构
$ tree common
common
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ ├── init_aliyun_yum_mirror.yml
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
8 directories, 9 files变量声明:vars/main.yml
---
# vars file for common
yum_base_repo_file: "/etc/yum.repos.d/CentOS-Base.repo"
yum_base_repo_backup_file: "{{ yum_base_repo_file }}.backup"
yum_epel_repo_file: "/etc/yum.repos.d/epel.repo"
yum_epel_repo_backup_file: "{{ yum_epel_repo_file }}.backup"任务定义:tasks/main.yml
- include_tasks: "init_aliyun_yum_mirror.yml"任务定义:tasks/init_aliyun_yum_mirror.yml
- name: "备份 Base 文件"
shell: "mv {{ yum_base_repo_file }} {{ yum_base_repo_backup_file }}"
# 确保是第一次运行
when: yum_epel_repo_file is exists and yum_epel_repo_backup_file is not exists
- name: "备份 EPEL 文件"
shell: "mv {{ yum_epel_repo_file }} {{ yum_epel_repo_backup_file }}"
# 确保是第一次运行
when: yum_epel_repo_file is exists and yum_epel_repo_backup_file is not exists
- name: "下载 CentOS {{ ansible_distribution_major_version }} Base 镜像库文件"
get_url:
url: "https://mirrors.aliyun.com/repo/Centos-{{ ansible_distribution_major_version }}.repo"
dest: "{{ yum_base_repo_file }}"
notify: makecache
- name: "下载 CentOS {{ ansible_distribution_major_version }} EPEL 镜像库文件"
get_url:
url: "http://mirrors.aliyun.com/repo/epel-{{ ansible_distribution_major_version }}.repo"
dest: "{{ yum_epel_repo_file }}"
notify: makecache
# 判断系统版本为 CentOS 8 以下
when: ansible_distribution_major_version in ("5", "6", "7")
- name: "下载 CentOS {{ ansible_distribution_major_version }} EPEL 镜像库文件"
shell: "yum -y install https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm"
register: yum_epel_pk_install_ret
when: ansible_distribution_major_version == "8"
- name: "配置 CentOS {{ ansible_distribution_major_version }} EPEL 镜像库文件 "
shell: "sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel* && \
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*"
when: ansible_distribution_major_version == "8" and yum_epel_pk_install_ret.changed回调定义 handlers/main.yml
---
# handlers file for common
- name: "makecache"
shell: "yum makecache"执行命令
$ ansible-playbook common/tests/test.yml
PLAY [localhost] ******
TASK [Gathering Facts] ******
ok: [localhost]
TASK [common : include_tasks] ******
included: /prodata/scripts/ansibleLearn/roles-demo2/common/tasks/init_aliyun_yum_mirror.yml for localhost
TASK [common : 备份 Base 文件] ******
changed: [localhost]
TASK [common : 备份 EPEL 文件] ******
changed: [localhost]
TASK [common : 下载 CentOS 7 Base 镜像库文件] ******
changed: [localhost]
TASK [common : 下载 CentOS 7 EPEL 镜像库文件] ******
changed: [localhost]
TASK [common : 下载 CentOS 7 EPEL 镜像库文件] ******
skipping: [localhost]
TASK [common : 配置 CentOS 7 EPEL 镜像库文件] ******
skipping: [localhost]
RUNNING HANDLER [common : makecache] ******
[WARNING]: Consider using the yum module rather than running 'yum'. If you need to use command because yum is insufficient you can add 'warn:
false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
changed: [localhost]
PLAY RECAP ******
localhost : ok=7 changed=5 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0查看仓库列表
$ yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.cloud.aliyuncs.com
* extras: mirrors.cloud.aliyuncs.com
* rpmfusion-free-updates: mirror.netsite.dk
* updates: mirrors.cloud.aliyuncs.com
repo id repo name status
base/7/x86_64 CentOS-7 - Base - mirrors.aliyun.com 10,072
docker-ce-stable/7/x86_64 Docker CE Stable - x86_64 131
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 13,688
extras/7/x86_64 CentOS-7 - Extras - mirrors.aliyun.com 500
rpmfusion-free-updates/x86_64 RPM Fusion for EL 7 - Free - Updates 245
updates/7/x86_64 CentOS-7 - Updates - mirrors.aliyun.com 2,902
repolist: 27,538sa-tools-install
目录结构
$ tree sa-tools-install
sa-tools-install
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
8 directories, 8 files变量定义:vars/main.yml
---
# vars file for sa-tools-install
# 声明要安装的调优工具列表
tuning_tool_list: ["iotop", "iftop", "dstat", "sysstat"]任务定义:tasks/main.yml
---
# tasks file for sa-tools-install
- name: "安装调优工具"
yum:
name: "{{ item }}"
state: present
# 循环列表,逐个安装软件包
# 之所不使用 shell 模块 yum -y ... 主要原因是每次执行会都会尝试安装,很耗时
# 采用 yum 模块的方式执行效率更高
loop: "{{ tuning_tool_list }}"Role 元数据定义:meta/main.yml
galaxy_info:
author: your name
description: your role description
company: your company (optional)
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.9
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# 声明 Role 依赖
dependencies: ['common']执行效果
$ ansible-playbook sa-tools-install/tests/test.yml
PLAY [localhost] ******
TASK [Gathering Facts] ******
ok: [localhost]
TASK [common : include_tasks] ******
included: /prodata/scripts/ansibleLearn/roles-demo2/common/tasks/init_aliyun_yum_mirror.yml for localhost
TASK [common : 备份 Base 文件] ******
skipping: [localhost]
TASK [common : 备份 EPEL 文件] ******
skipping: [localhost]
TASK [common : 下载 CentOS 7 Base 镜像库文件] ******
ok: [localhost]
TASK [common : 下载 CentOS 7 EPEL 镜像库文件] ******
ok: [localhost]
TASK [common : 下载 CentOS 7 EPEL 镜像库文件] ******
skipping: [localhost]
TASK [common : 配置 CentOS 7 EPEL 镜像库文件] ******
skipping: [localhost]
TASK [sa-tools-install : 安装调优工具] ******
ok: [localhost] => (item=iotop)
ok: [localhost] => (item=iftop)
ok: [localhost] => (item=dstat)
ok: [localhost] => (item=sysstat)
PLAY RECAP ******
localhost : ok=5 changed=0 unreachable=0 failed=0 skipped=4 rescued=0 ignored=0OK,搞定啦~
后续,完善功能
增加角色统一执行入口
增加 docker 服务安装
当前目录结构
$ tree roles-demo2
roles-demo2
├── common
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── README.md
│ ├── tasks
│ │ ├── init_aliyun_yum_mirror.yml
│ │ └── main.yml
│ ├── templates
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ └── main.yml
├── runsetup.yml
└── sa-tools-install
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ ├── docker_install.yml
│ ├── main.yml
│ └── tuning_tools_install.yml
├── templates
│ ├── daemon.json.j2
│ ├── test.j2
│ └── test.yml
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
18 directories, 23 files入口调整,
roles-demo2/runsetup.yml- hosts: ecs[2] gather_facts: yes roles: // sa-tools-install 依赖 common 角色 - role: sa-tools-install增加 docker-ce repo 路径变量,
roles-demo2/common/vars/main.yml--- # vars file for common yum_base_repo_file: "/etc/yum.repos.d/CentOS-Base.repo" yum_base_repo_backup_file: "{{ yum_base_repo_file }}.backup" yum_epel_repo_file: "/etc/yum.repos.d/epel.repo" yum_epel_repo_backup_file: "{{ yum_epel_repo_file }}.backup" yum_docker_repo_file: "/etc/yum.repos.d/docker-ce.repo"common 调整添加阿里云 Docker Yum 仓库,
roles-demo2/common/tasks/init_aliyun_yum_mirror.yml- name: "备份 Base 文件" shell: "mv {{ yum_base_repo_file }} {{ yum_base_repo_backup_file }}" # 确保是第一次运行 when: yum_epel_repo_file is exists and yum_epel_repo_backup_file is not exists - name: "备份 EPEL 文件" shell: "mv {{ yum_epel_repo_file }} {{ yum_epel_repo_backup_file }}" # 确保是第一次运行 when: yum_epel_repo_file is exists and yum_epel_repo_backup_file is not exists - name: "下载 CentOS {{ ansible_distribution_major_version }} Base 镜像库文件" get_url: url: "https://mirrors.aliyun.com/repo/Centos-{{ ansible_distribution_major_version }}.repo" dest: "{{ yum_base_repo_file }}" notify: makecache - name: "下载 CentOS {{ ansible_distribution_major_version }} EPEL 镜像库文件" get_url: url: "http://mirrors.aliyun.com/repo/epel-{{ ansible_distribution_major_version }}.repo" dest: "{{ yum_epel_repo_file }}" notify: makecache # 判断系统版本为 CentOS 8 以下 when: ansible_distribution_major_version in ("5", "6", "7") - name: "下载 CentOS {{ ansible_distribution_major_version }} EPEL 镜像库文件" shell: "yum -y install https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm" register: yum_epel_pk_install_ret when: ansible_distribution_major_version == "8" - name: "配置 CentOS {{ ansible_distribution_major_version }} EPEL 镜像库文件 " shell: "sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel* && \ sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*" when: ansible_distribution_major_version == "8" and yum_epel_pk_install_ret.changed - name: "下载 Docker 镜像库文件" get_url: url: "http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo" dest: "{{ yum_docker_repo_file }}" notify: makecache增加 docker 相关包变量,
roles-demo2/sa-tools-install/vars/main.yml--- # vars file for sa-tools-install tuning_tool_list: ["iotop", "iftop", "dstat", "sysstat"] docker_package_list: ["yum-utils", "device-mapper-persistent-data", "lvm2", "docker-ce"]增加 docker 服务安装 tasks,
roles-demo2/sa-tools-install/tasks/docker_install.yml- name: "安装 Docker 容器服务" yum: name: "{{ pkg_item }}" state: present loop: "{{ docker_package_list }}" loop_control: loop_var: pkg_item - name: "确认 Docker 目录存在" file: dest: /etc/docker mode: 755 state: directory - name: "配置 Docker 镜像加速" template: src: "daemon.json.j2" dest: "/etc/docker/daemon.json" # 配置 CHANGED 时触发调用 docker-restart 重启服务 notify: docker-restart - name: "启动 Docker 服务" service: name: docker state: started enabled: true增加 加速器配置模版,
roles-demo2/sa-tools-install/templates/daemon.json.j2{ {% if 'huawei' in ansible_hostname %} "registry-mirrors": ["https://0d58621c0b80f58e0f11c00e67903380.mirror.swr.myhuaweicloud.com"] {% elif 'aliyun' in ansible_hostname %} "registry-mirrors": ["https://hz6lwzkb.mirror.aliyuncs.com"] {% elif 'tencent' in ansible_hostname %} "registry-mirrors": ["https://mirror.ccs.tencentyun.com"] {% else %} "registry-mirrors": ["https://mirror.ccs.tencentyun.com"] {% endif %} }增加 服务重启 handlers,
roles-demo2/sa-tools-install/handlers/main.yml--- # handlers file for sa-tools-install - name: docker-restart service: name: docker state: restarted
执行效果
$ roles-demo2 ansible-playbook runsetup.yml
PLAY [ecs[2]] ******
TASK [Gathering Facts] ******
ok: [tencent]
TASK [common : include_tasks] ******
included: /prodata/scripts/ansibleLearn/roles-demo2/common/tasks/init_aliyun_yum_mirror.yml for tencent
TASK [common : 备份 Base 文件] ******
skipping: [tencent]
TASK [common : 备份 EPEL 文件] ******
skipping: [tencent]
TASK [common : 下载 CentOS 7 Base 镜像库文件] ******
ok: [tencent]
TASK [common : 下载 CentOS 7 EPEL 镜像库文件] ******
ok: [tencent]
TASK [common : 下载 CentOS 7 EPEL 镜像库文件] ******
skipping: [tencent]
TASK [common : 配置 CentOS 7 EPEL 镜像库文件] ******
skipping: [tencent]
TASK [common : 下载 Docker 镜像库文件] ******
ok: [tencent]
TASK [sa-tools-install : include_tasks] ******
included: /prodata/scripts/ansibleLearn/roles-demo2/sa-tools-install/tasks/tuning_tools_install.yml for tencent
included: /prodata/scripts/ansibleLearn/roles-demo2/sa-tools-install/tasks/docker_install.yml for tencent
TASK [sa-tools-install : 安装调优工具] ******
ok: [tencent] => (item=iotop)
ok: [tencent] => (item=iftop)
ok: [tencent] => (item=dstat)
ok: [tencent] => (item=sysstat)
TASK [sa-tools-install : 安装 Docker 容器服务] ******
ok: [tencent] => (item=yum-utils)
ok: [tencent] => (item=device-mapper-persistent-data)
ok: [tencent] => (item=lvm2)
ok: [tencent] => (item=docker-ce)
TASK [sa-tools-install : 确认 Docker 目录存在] ******
changed: [tencent]
TASK [sa-tools-install : 配置 Docker 镜像加速] ******
changed: [tencent]
TASK [sa-tools-install : 启动 Docker 服务] ******
changed: [tencent]
RUNNING HANDLER [sa-tools-install : docker-restart] ******
changed: [tencent]
PLAY RECAP ******
tencent : ok=13 changed=4 unreachable=0 failed=0 skipped=4 rescued=0 ignored=0 ci-tools-install
ci-tools-install 角色主要用来安装 Jenkins 相关的集成工具,以下是工具列表:
- JDK 安装
- Ansible 安装
- Maven 安装
- Ant 安装
- Gradle 安装
- Node JS 安装
- Jenkins 安装
目录结构
$ tree ci-tools-install|grep -v "pyc"
ci-tools-install
├── defaults
│ └── main.yml
├── files
│ ├── jenkins.yaml
│ └── settings.xml
├── filter_plugins
│ ├── my_filters.py
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ ├── ansible_install.yml
│ ├── ant_install.yml
│ ├── gradle_install.yml
│ ├── jdk_config.yml
│ ├── jdk_install.yml
│ ├── jenkins_install.yml
│ ├── main.yml
│ ├── maven_install.yml
│ ├── nodejs_install.yml
│ ├── test_jpi.yml
│ └── yum_install.yml
├── templates
│ ├── basic-security.groovy.j2
│ ├── jenkins.j2
│ ├── jenkins.yml
│ └── jenkins.yml.j2
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
9 directories, 26 files入口文件
roles-demo2/ci-tools-install/tests/test.yml
---
- hosts: 'ecs[2]'
remote_user: root
roles:
- ci-tools-installroles-demo2/ci-tools-install/tasks/main.yml
---
# tasks file for ci-tools-install
- include_tasks: "{{ item }}"
loop:
- "jdk_install.yml"
- "ansible_install.yml"
- "maven_install.yml"
- "ant_install.yml"
- "gradle_install.yml"
- "nodejs_install.yml"
- "jenkins_install.yml"任务文件
roles-demo2/ci-tools-install/tasks/jdk_install.yml
- name: "安装 JDK 软件包"
yum:
name: "{{ JDK_VERSION }}-devel"
state: present
- name: "获取 JDK 安装目录"
shell: 'rpm -ql {{ JDK_VERSION }}-devel | grep "bin/javac" | sed -r s"/\/bin\/javac//"'
register: jdk_path_ret
- name: "配置 JDK 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} JDK Config"
insertafter: EOF
block: |
export JAVA_HOME={{ jdk_path_ret.stdout }}
- name: "确认 JDK 安装情况"
shell: ". /etc/profile && java -version 2>&1"
register: jdk_version_ret
- name: "输出 JDK 版本号"
debug:
msg: "{{ jdk_version_ret.stdout_lines | join('\n') }}"roles-demo2/ci-tools-install/tasks/ansible_install.yml
- name: "安装 Ansible 软件包"
yum:
name: "ansible-{{ ANSIBLE_VERSION }}.el7"
state: present
- name: "确认 Ansible 安装情况"
shell: "ansible --version 2>&1"
register: ansible_version_ret
- name: "输出 Ansible 版本号"
debug:
msg: "{{ ansible_version_ret.stdout_lines | join('\n') }}"roles-demo2/ci-tools-install/tasks/maven_install.yml
- name: "下载 Maven 软件包"
get_url:
url: "https://mirrors.tuna.tsinghua.edu.cn/apache/maven/maven-{{ MAVEN_VERSION | split('.') | first }}/{{ MAVEN_VERSION }}/binaries/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
dest: "/tmp/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
validate_certs: no
- name: "解压 Maven 安装目录"
unarchive:
src: "/tmp/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
dest: /usr/local/
remote_src: yes
- name: "配置 Maven 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} Maven Config"
insertafter: EOF
block: |
export M2_HOME=/usr/local/apache-maven-{{ MAVEN_VERSION }}
export PATH=$PATH:$M2_HOME/bin
- name: "确认 Maven 安装情况"
shell: ". /etc/profile && mvn -version 2>&1"
register: mvn_version_ret
- name: "输出 Maven 版本号"
debug:
msg: "{{ mvn_version_ret.stdout_lines | join('\n') }}"
- name: "配置 Maven 镜像加速库"
copy:
src: "settings.xml"
dest: "/usr/local/apache-maven-{{ MAVEN_VERSION }}/conf/settings.xml"
- name: "清理 Maven 压缩包"
file:
path: "/tmp/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
state: absentroles-demo2/ci-tools-install/tasks/ant_install.yml
- name: "下载 Ant 软件包"
get_url:
url: "https://mirrors.tuna.tsinghua.edu.cn/apache/ant/binaries/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
dest: "/tmp/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
validate_certs: no
- name: "解压 Ant 安装目录"
unarchive:
src: "/tmp/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
dest: /usr/local/
remote_src: yes
- name: "配置 Ant 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} Ant Config"
insertafter: EOF
block: |
export ANT_HOME=/usr/local/apache-ant-{{ ANT_VERSION }}
export PATH=$PATH:$ANT_HOME/bin
- name: "确认 Ant 安装情况"
shell: ". /etc/profile && ant -version 2>&1"
register: ant_version_ret
- name: "输出 Ant 版本号"
debug:
msg: "{{ ant_version_ret.stdout_lines | join('\n') }}"
- name: "清理 Ant 压缩包"
file:
path: "/tmp/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
state: absentroles-demo2/ci-tools-install/tasks/gradle_install.yml
- name: "下载 Gradle 软件包"
get_url:
url: "https://services.gradle.org/distributions/gradle-{{ GRADLE_VERSION }}-bin.zip"
dest: "/tmp/gradle-{{ GRADLE_VERSION }}-bin.zip"
validate_certs: no
- name: "解压 Gradle 安装目录"
unarchive:
src: "/tmp/gradle-{{ GRADLE_VERSION }}-bin.zip"
dest: /usr/local/
remote_src: yes
- name: "配置 Gradle 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} Gradle Config"
insertafter: EOF
block: |
export GRADLE_HOME=/usr/local/gradle-{{ GRADLE_VERSION }}
export PATH=$PATH:$GRADLE_HOME/bin
- name: "确认 Gradle 安装情况"
shell: ". /etc/profile && gradle -v 2>&1"
register: gradle_version_ret
- name: "输出 Gradle 版本号"
debug:
msg: "{{ gradle_version_ret.stdout_lines | join('\n') }}"
- name: "清理 Gradle 压缩包"
file:
path: "/tmp/gradle-{{ GRADLE_VERSION }}-bin.zip"
state: absentroles-demo2/ci-tools-install/tasks/nodejs_install.yml
- name: "下载 NodeJS 软件包"
get_url:
url: "https://mirrors.tuna.tsinghua.edu.cn/nodejs-release/v{{ NODEJS_VERSION }}/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
dest: "/tmp/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
validate_certs: no
- name: "解压 NodeJS 安装目录"
unarchive:
src: "/tmp/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
dest: "/usr/local"
remote_src: yes
- name: "重命名 NodeJS 软件目录"
shell: "mv /usr/local/node-v{{ NODEJS_VERSION }}-linux-x64 /usr/local/node-v{{ NODEJS_VERSION }}"
when: nodejs_path is exists
vars:
nodejs_path: "/usr/local/node-v{{ NODEJS_VERSION }}-linux-x64"
- name: "配置 NodeJS 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} NodeJS Config"
insertafter: EOF
block: |
export NODE_HOME=/usr/local/node-v{{ NODEJS_VERSION }}
export PATH=$PATH:$NODE_HOME/bin
- name: "确认 NodeJS 安装情况"
shell: ". /etc/profile && node -v 2>&1"
register: nodejs_version_ret
- name: "输出 NodeJS 版本号"
debug:
msg: "{{ nodejs_version_ret.stdout_lines | join('\n') }}"
- name: "配置 NPM 镜像加速"
shell: ". /etc/profile && npm config set registry=http://registry.npm.taobao.org"
- name: "清理 NodeJS 压缩包"
file:
path: "/tmp/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
state: absentroles-demo2/ci-tools-install/tasks/jenkins_install.yml
- name: "安装 Jenkins 软件包"
yum:
name: "https://mirrors.tuna.tsinghua.edu.cn/jenkins/redhat/jenkins-{{ JENKINS_VERSION }}.noarch.rpm"
state: present
validate_certs: no
notify: create-admin-user
- name: "创建 Jenkins 脚本初始化目录"
file:
path: "{{ JENKINS_HOME }}/init.groovy.d"
state: directory
mode: 0775
- name: "渲染 Jenkins 配置"
template:
src: "jenkins.j2"
dest: "{{ JENKINS_CONFIG_LOCATION }}"
backup: true
notify: jenkins-restart
- name: "立即执行 Jenkins 配置相关 handlers"
meta: flush_handlers
- name: "启动 Jenkins 服务"
service:
name: "jenkins"
state: started
enabled: true
- name: "等待 Jenkins 服务启动"
uri:
url: "{{ JENKINS_URL }}/cli/"
method: GET
return_content: "yes"
timeout: 5
body_format: raw
follow_redirects: "no"
status_code: 200,403
register: result
until: (result.status == 403 or result.status == 200) and (result.content.find("Please wait while") == -1)
retries: 120
delay: 3
# 任务状态永远谁知为 非 changed
changed_when: false
# 检查模式时跳过该任务
check_mode: false
- name: "下载 jenkins-cli Jar 包"
get_url:
url: "{{ JENKINS_URL }}/jnlpJars/jenkins-cli.jar"
dest: "{{ JENKINS_CLI_JAR_LOCATION }}"
register: jenkins_cli_jar_get
# 失败重试,直到下载成功 或 文件已存在
until: "'OK' in jenkins_cli_jar_get.msg or '304' in jenkins_cli_jar_get.msg or 'file already exists' in jenkins_cli_jar_get.msg"
retries: 5
delay: 5
check_mode: false
- name: "确保 updates 目录存在"
file:
path: "{{ JENKINS_HOME }}/updates/"
state: directory
- name: "下载 Jenkins 插件中心配置"
get_url:
url: "{{ JENKINS_PLUGIN_UPDATES_URL }}/update-center.json"
dest: "{{ JENKINS_HOME }}/updates/default.json"
mode: 0440
validate_certs: no
register: get_plugin_json_result
# 失败重试,直到下载成功
until: get_plugin_json_result is success
# 重试 5 次
retries: 5
# 重试间隔 3 秒
delay: 3
- name: "处理 Jenkins 插件配置"
# 删除首行 "updateCenter.post("、尾行 ");"
replace:
path: "{{ JENKINS_HOME }}/updates/default.json"
regexp: "1d;$d"
- name: "配置 Jenkins 国内插件库"
xml:
path: "{{ JENKINS_HOME }}/hudson.model.UpdateCenter.xml"
xpath: "/sites/site/url"
value: "{{ JENKINS_PLUGIN_UPDATES_URL }}/update-center.json"
- name: "安装 Jenkins 插件"
jenkins_plugin:
name: "{{ plugin_item.name | default(plugin_item) }}"
# omit 意为 如果 plugin_item 有 前面的 version 属性存在,那就用。没有的话那就告诉模块省略该参数
version: "{{ plugin_item.version | default(omit) }}"
jenkins_home: "{{ JENKINS_HOME }}"
url_username: "{{ JENKINS_ADMIN_USERNAME }}"
url_password: "{{ JENKINS_ADMIN_PASSWORD }}"
# state 'present' 安装插件
state: present
# 安装超时时间
timeout: "{{ JENKINS_PLUGIN_INSTALL_TIMEOUT }}"
# update-center.json 过期时间
updates_expiration: "{{ JENKINS_PLUGIN_UPDATES_EXPIRATION }}"
# Jenkins 更新中心 地址
updates_url: "{{ JENKINS_PLUGIN_UPDATES_URL }}"
# Jenkins 服务地址
url: "{{ JENKINS_URL }}"
# 是否同时安装依赖插件
with_dependencies: "{{ JENKINS_PLUGIN_INSTALL_DEPENDENCIES }}"
loop: "{{ JENKINS_PLUGIN_INSTALL_LIST }}"
loop_control:
loop_var: plugin_item
register: plugin_install_result
until: plugin_install_result is success
retries: 5
delay: 30
- name: "检查 jpi 插件文件,不存在则重新下载"
vars:
# 2. 拼接插件实际路径
plugin_filename: "{{ JENKINS_HOME }}/plugins/{{ plugin_item }}.jpi"
jenkins_plugin:
name: "{{ plugin_item.name | default(plugin_item) }}"
# omit 意为 如果 plugin_item 有 前面的 version 属性存在,那就用。没有的话那就告诉模块省略该参数
version: "{{ plugin_item.version | default(omit) }}"
jenkins_home: "{{ JENKINS_HOME }}"
url_username: "{{ JENKINS_ADMIN_USERNAME }}"
url_password: "{{ JENKINS_ADMIN_PASSWORD }}"
# 安装插件
state: present
# 安装超时时间
timeout: "{{ JENKINS_PLUGIN_INSTALL_TIMEOUT }}"
# update-center.json 过期时间
updates_expiration: "{{ JENKINS_PLUGIN_UPDATES_EXPIRATION }}"
# Jenkins 更新中心 地址
updates_url: "{{ JENKINS_PLUGIN_UPDATES_URL }}"
# Jenkins 服务地址
url: "{{ JENKINS_URL }}"
# 是否同时安装依赖插件
with_dependencies: "{{ JENKINS_PLUGIN_INSTALL_DEPENDENCIES }}"
# 3. 当插件不存在时,执行 jenkins_plugin 模块
when: plugin_filename is not exists
# 1. 遍历插件列表
loop: "{{ JENKINS_PLUGIN_INSTALL_LIST }}"
loop_control:
loop_var: plugin_item
# 4. 任务停止条件为:列表中的所有插件都已下载到 插件目录 {{ JENKINS_HOME }}/plugins/
until: JENKINS_PLUGIN_INSTALL_LIST | all_file_exists == 1
# 单个插件下载重试次数
# todo: 不太清楚为什么 until 重试次数
retries: 1
# 每隔 5 秒尝试一次
delay: 5
# failed_when:当条件满足时(true),执行状态设为 failed
# 设为永远返回 ok,忽略部分插件不存在的错误
failed_when: false
- name: "创建 CasC 目录"
file:
path: "{{ JENKINS_HOME }}/casc_configs"
state: directory
mode: 0775
# 渲染 Configure as Code 配置
# 重启 Jenkins 服务,应用 CasC 配置
- name: "渲染 CasC 配置"
template:
src: "jenkins.yml.j2"
dest: "{{ JENKINS_HOME }}/casc_configs/jenkins.yml"
notify: jenkins-restart
- name: "立即执行 Jenkins 配置相关 handlers"
meta: flush_handlers
- name: "移除 Jenkins 创建用户脚本"
file:
path: "{{ JENKINS_HOME }}/init.groovy.d/basic-security.groovy"
state: absent变量文件
roles-demo2/ci-tools-install/vars/main.yml
---
# vars file for ci-tools-install
JDK_VERSION: java-11-openjdk
ANSIBLE_VERSION: 2.9.25-1
MAVEN_VERSION: 3.8.3
ANT_VERSION: 1.10.12
GRADLE_VERSION: 7.3
NODEJS_VERSION: 16.9.1
JENKINS_VERSION: 2.318-1.1
# Jenkins 配置项
### 服务配置
JENKINS_SERVICE_USER: "root"
JENKINS_LISTEN_ADDRESS: "0.0.0.0"
JENKINS_SERVICE_PORT: "9008"
JENKINS_HOME: "/var/lib/jenkins"
JENKINS_CONFIG_LOCATION: "/etc/sysconfig/jenkins"
JENKINS_URL: "http://192.144.227.61:9008"
### 管理员认证信息
JENKINS_ADMIN_USERNAME: "admin"
JENKINS_ADMIN_PASSWORD: "admin0admin"
### 插件相关配置
JENKINS_PLUGIN_UPDATES_URL: "https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates"
JENKINS_PLUGIN_UPDATES_EXPIRATION: 86400
JENKINS_PLUGIN_INSTALL_TIMEOUT: 600
JENKINS_PLUGIN_INSTALL_DEPENDENCIES: yes
JENKINS_CLI_JAR_LOCATION: "{{ JENKINS_HOME }}/jenkins-cli.jar"
JENKINS_JAVA_OPTIONS: "-Djava.awt.headless=true -Djenkins.install.runSetupWizard=false -Dcasc.jenkins.config={{ JENKINS_HOME }}/casc_configs"
# todo: Jenkins Plugin 安装不全
JENKINS_PLUGIN_INSTALL_LIST: [
"git",
"badge",
"ansible",
"configuration-as-code",
"role-strategy",
"periodicbackup",
"build-user-vars-plugin",
"workflow-aggregator",
"pipeline-utility-steps",
"pipeline-maven",
"pipeline-npm",
"workflow-cps-global-lib-http",
"pipeline-model-declarative-agent",
"docker-workflow",
"blueocean",
"blueocean-core-js",
"blueocean-git-pipeline",
"blueocean-pipeline-editor",
"blueocean-web",
"blueocean-pipeline-scm-api",
"blueocean-dashboard",
"docker-plugin",
"ssh-steps",
"docker-slaves",
"docker-compose-build-step",
"http_request",
"timestamper",
"build-timestamp",
"ldap",
"ldapemail",
"ant",
"gradle",
"nodejs",
"maven-plugin",
"ansiColor",
"build-timeout",
"ws-cleanup",
"view-job-filters",
"build-user-vars-plugin",
"scriptler",
"cloudbees-folder",
"groovy",
"lockable-resources",
]
### LDAP 相关配置
JENKINS_LDAP_SERVER: "ldap://47.115.121.119:389"
JENKINS_LDAP_ROOT_DN: ""
JENKINS_LDAP_MANAGER_DN: "cn=admin,dc=lotusching,dc=com"
JENKINS_LDAP_MANAGER_PASSWORD: "admin_passwd_4_ldap"
JENKINS_LDAP_USER_SEARCH_BASE: "ou=Beijing,dc=lotusching,dc=com"
JENKINS_LDAP_USER_SEARCH: "cn={0}"
JENKINS_LDAP_GROUP_SEARCH_BASE: "ou=Beijing,dc=lotusching,dc=com"
### Master/Node 配置
JENKINS_SLAVE_AGENT_PORT: 9182模版文件
Jenkins 服务配置:roles-demo2/ci-tools-install/templates/jenkins.j2
JENKINS_HOME="{{ JENKINS_HOME }}"
JENKINS_JAVA_CMD=""
JENKINS_USER="{{ JENKINS_SERVICE_USER }}"
JENKINS_JAVA_OPTIONS="{{ JENKINS_JAVA_OPTIONS }}"
JENKINS_PORT="{{ JENKINS_SERVICE_PORT }}"
JENKINS_LISTEN_ADDRESS="{{ JENKINS_LISTEN_ADDRESS }}"
JENKINS_HTTPS_PORT=""
JENKINS_HTTPS_KEYSTORE=""
JENKINS_HTTPS_KEYSTORE_PASSWORD=""
JENKINS_HTTPS_LISTEN_ADDRESS=""
JENKINS_HTTP2_PORT=""
JENKINS_HTTP2_LISTEN_ADDRESS=""
JENKINS_DEBUG_LEVEL="5"
JENKINS_ENABLE_ACCESS_LOG="no"
JENKINS_HANDLER_MAX="100"
JENKINS_HANDLER_IDLE="20"
JENKINS_EXTRA_LIB_FOLDER=""
JENKINS_ARGS=""Jekins 创建管理员用户脚本:roles-demo2/ci-tools-install/templates/basic-security.groovy.j2
#!groovy
import hudson.security.*
import jenkins.model.*
def instance = Jenkins.getInstance()
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
def users = hudsonRealm.getAllUsers()
users_s = users.collect { it.toString() }
// Create the admin user account if it doesn't already exist.
if ("{{ JENKINS_ADMIN_USERNAME }}" in users_s) {
println "Admin user already exists - updating password"
def user = hudson.model.User.get('{{ JENKINS_ADMIN_USERNAME }}');
def password = hudson.security.HudsonPrivateSecurityRealm.Details.fromPlainPassword('{{ JENKINS_ADMIN_PASSWORD }}')
user.addProperty(password)
user.save()
}
else {
println "--> creating local admin user"
hudsonRealm.createAccount('{{ JENKINS_ADMIN_USERNAME }}', '{{ JENKINS_ADMIN_PASSWORD }}')
instance.setSecurityRealm(hudsonRealm)
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
instance.setAuthorizationStrategy(strategy)
instance.save()
}Jenkins 代码即配置文件:roles-demo2/ci-tools-install/templates/jenkins.yml.j2
通过另一节点导出,访问路径:配置中心 → Configuration as Code → Download Configuration/View Configuration
credentials:
system:
domainCredentials:
- credentials:
- usernamePassword:
description: "jenkins-admin-user"
id: "jenkins-admin-userAQAAABAAAAAQRDJJqnO6hkJ94piU64QWFvSn4hjP1ZzNZBKc43pozJg"
password: "{=}"
scope: GLOBAL
username: "admin"
- string:
description: "my-secret"
id: "my-secret"
scope: GLOBAL
secret: "隐藏"
- usernamePassword:
id: "gitee-account"
password: "隐藏"
scope: GLOBAL
username: "L0tusCh1ng"
- basicSSHUserPrivateKey:
id: "gitee"
privateKeySource:
directEntry:
privateKey: "隐藏"
scope: GLOBAL
username: "SZ-Aliyun-SSH"
- basicSSHUserPrivateKey:
id: "sz-aliyun-root-pk"
privateKeySource:
directEntry:
privateKey: "隐藏"
scope: GLOBAL
username: "root"
jenkins:
agentProtocols:
- "JNLP4-connect"
- "Ping"
authorizationStrategy:
roleBased:
roles:
global:
- assignments:
- "lotusching"
name: "admin"
pattern: ".*"
permissions:
- "Job/Move"
- "Job/Build"
- "Lockable Resources/View"
- "Credentials/Delete"
- "Credentials/ManageDomains"
- "Lockable Resources/Unlock"
- "View/Create"
- "Agent/Configure"
- "Job/Read"
- "Scriptler/Configure"
- "Scriptler/RunScripts"
- "Credentials/Update"
- "Agent/Create"
- "Job/Delete"
- "Agent/Build"
- "View/Configure"
- "Lockable Resources/Reserve"
- "Agent/Provision"
- "SCM/Tag"
- "Job/Create"
- "Job/Discover"
- "Credentials/View"
- "Agent/Connect"
- "Agent/Delete"
- "Run/Replay"
- "Agent/Disconnect"
- "Run/Delete"
- "Job/Cancel"
- "Overall/Read"
- "Run/Update"
- "Credentials/Create"
- "Overall/Administer"
- "View/Delete"
- "Job/Configure"
- "Job/Workspace"
- "View/Read"
- assignments:
- "dayo"
name: "reader"
pattern: ".*"
permissions:
- "Overall/Read"
- "Lockable Resources/View"
- "Job/Build"
- "Job/Read"
- "Agent/Build"
- "View/Read"
crumbIssuer:
standard:
excludeClientIPFromCrumb: false
disableRememberMe: false
disabledAdministrativeMonitors:
- "hudson.diagnosis.TooManyJobsButNoView"
- "jenkins.security.QueueItemAuthenticatorMonitor"
- "jenkins.diagnostics.ControllerExecutorsAgents"
- "jenkins.security.s2m.MasterKillSwitchWarning"
labelAtoms:
- name: "build-server-aliyun-ecs-01"
- name: "built-in"
labelString: "built-in"
markupFormatter: "plainText"
mode: NORMAL
myViewsTabBar: "standard"
nodes:
- permanent:
launcher:
jnlp:
workDirSettings:
disabled: false
failIfWorkDirIsMissing: false
internalDir: "remoting"
workDirPath: "/opt/jenkins"
name: "build-server-aliyun-ecs-01"
numExecutors: 5
remoteFS: "/opt/jenkins"
retentionStrategy: "always"
numExecutors: 2
primaryView:
all:
name: "all"
projectNamingStrategy: "standard"
quietPeriod: 5
remotingSecurity:
enabled: false
scmCheckoutRetryCount: 0
securityRealm:
# LDAP 配置
ldap:
configurations:
- groupSearchBase: "{{ JENKINS_LDAP_GROUP_SEARCH_BASE }}"
rootDN: "{{ JENKINS_LDAP_ROOT_DN }}"
inhibitInferRootDN: false
managerDN: "{{ JENKINS_LDAP_MANAGER_DN }}"
managerPasswordSecret: "{{ JENKINS_LDAP_MANAGER_PASSWORD }}"
server: "{{ JENKINS_LDAP_SERVER }}"
userSearch: "{{ JENKINS_LDAP_USER_SEARCH }}"
userSearchBase: "{{ JENKINS_LDAP_USER_SEARCH_BASE }}"
disableMailAddressResolver: false
disableRolePrefixing: true
groupIdStrategy: "caseInsensitive"
userIdStrategy: "caseInsensitive"
slaveAgentPort: "{{ JENKINS_SLAVE_AGENT_PORT }}"
systemMessage: |+
Jenkins configured automatically by Jenkins Configuration as Code plugin, HAHAHA~
updateCenter:
sites:
- id: "default"
# 更新中心配置使用 国内镜像源
url: "{{ JENKINS_PLUGIN_UPDATES_URL }}/update-center.json"
views:
- all:
name: "all"
- list:
columns:
- "status"
- "weather"
- "jobName"
- "lastSuccess"
- "lastFailure"
- "lastDuration"
- "buildButton"
- "favoriteColumn"
jobFilters:
- buildDurationFilter:
amount: "1.0"
amountTypeString: "Hours"
buildCountTypeString: "Latest"
buildDurationMinutes: "60"
includeExcludeTypeString: "includeMatched"
lessThan: true
name: "latestView"
viewsTabBar: "standard"
globalCredentialsConfiguration:
configuration:
providerFilter: "none"
typeFilter: "none"
security:
apiToken:
creationOfLegacyTokenEnabled: false
tokenGenerationOnCreationEnabled: false
usageStatisticsEnabled: true
sSHD:
port: -1
unclassified:
ansiColorBuildWrapper:
colorMaps:
- # 省略
badgePlugin:
disableFormatHTML: false
bitbucketEndpointConfiguration:
endpoints:
- bitbucketCloudEndpoint:
enableCache: false
manageHooks: false
repositoriesCacheDuration: 0
teamCacheDuration: 0
buildDiscarders:
configuredBuildDiscarders:
- "jobBuildDiscarder"
buildTimestamp:
enableBuildTimestamp: true
pattern: "yyyy-MM-dd HH:mm:ss z"
timezone: "Asia/Shanghai"
buildUserVars:
allBuilds: false
fingerprints:
fingerprintCleanupDisabled: false
storage: "file"
gitHubConfiguration:
apiRateLimitChecker: ThrottleForNormalize
gitHubPluginConfig:
hookUrl: ""
gitSCM:
addGitTagAction: false
allowSecondFetch: false
createAccountBasedOnEmail: false
disableGitToolChooser: false
hideCredentials: false
showEntireCommitSummaryInChanges: false
useExistingAccountWithSameEmail: false
globalLibraries:
libraries:
- defaultVersion: "master"
name: "shareLibraryDemo"
retriever:
modernSCM:
scm:
git:
credentialsId: "gitee-account"
id: "98b2fee5-46b6-4021-b150-5ac24a9a0472"
remote: "git@gitee.com:l0tusch1ng/shareLibraryDemo.git"
traits:
- "gitBranchDiscovery"
junitTestResultStorage:
storage: "file"
location:
adminAddress: "address not configured yet <nobody@nowhere>"
url: "{{ JENKINS_URL }}"
mailer:
charset: "UTF-8"
useSsl: false
useTls: false
mavenModuleSet:
localRepository: "default"
pollSCM:
pollingThreadCount: 10
timestamper:
allPipelines: false
elapsedTimeFormat: "'<b>'HH:mm:ss.S'</b> '"
systemTimeFormat: "'<b>'HH:mm:ss'</b> '"
tool:
ansibleInstallation:
installations:
- home: "/usr/bin/"
name: "ansible 2.9.25"
ant:
installations:
- home: "/usr/local/apache-ant-1.10.12"
name: "ANT"
dockerTool:
installations:
- name: "docker 20.10.5"
git:
installations:
- home: "/usr/bin/git"
name: "Git"
gradle:
installations:
- home: "/usr/local/gradle-7.3"
name: "GRADLE"
jdk:
installations:
- home: "/usr/lib/jvm/java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64"
name: "Openjdk 11.0.13"
- home: "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64"
name: "Openjdk 1.8.0_312"
maven:
installations:
- home: "/usr/local/apache-maven-3.8.3"
name: "M2"
mavenGlobalConfig:
globalSettingsProvider: "standard"
settingsProvider: "standard"
nodejs:
installations:
- home: "/usr/local/node-v16.9.1"
name: "NODEJS"
pipelineMaven:
triggerDownstreamUponResultAborted: false
triggerDownstreamUponResultFailure: false
triggerDownstreamUponResultNotBuilt: false
triggerDownstreamUponResultSuccess: true
triggerDownstreamUponResultUnstable: falsehandler 文件
roles-demo2/ci-tools-install/handlers/main.yml
---
# handlers file for ci-tools-install
- name: jenkins-restart
service: name=jenkins state=restarted
- name: create-admin-user
template:
src: basic-security.groovy.j2
dest: "{{ JENKINS_HOME }}/init.groovy.d/basic-security.groovy"
mode: 0775
register: jenkins_users_config自定义过滤器
roles-demo2/ci-tools-install/filter_plugins/my_filters.py
# coding: utf-8
import os
class FilterModule(object):
# 实现 filters 方法,返回过滤器的名称及方法映射【必须】
# 所有过滤器必须注册到这里来,否则 ansible 调不到
def filters(self):
return {'split': self.str_split, 'all_file_exists': self.all_file_exists}
def str_split(self, *params):
data, split_char = params
return data.split(split_char)
def all_file_exists(self, file_list):
all_exist = 1
for jpi in file_list:
if not os.path.exists('/var/lib/jenkins/plugins/{}'.format(jpi)):
all_exist = 0
break
return all_exist静态文件
Maven 配置文件:roles-demo2/ci-tools-install/files/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
<pluginGroups>
</pluginGroups>
<proxies>
</proxies>
<servers>
</servers>
<mirrors>
// 阿里云镜像加速
<mirror>
<id>alimaven</id>
<name>aliyun maven</name>
<url>http://maven.aliyun.com/nexus/content/groups/public/</url>
<mirrorOf>central</mirrorOf>
</mirror>
</mirrors>
<profiles>
</profiles>
</settings>执行效果
JDK 安装
roles-demo2/ci-tools-install/tasks/jdk_install.yml
- name: "安装 JDK 软件包"
yum:
name: "{{ JDK_VERSION }}-devel"
state: present
- name: "获取 JDK 安装目录"
shell: 'rpm -ql {{ JDK_VERSION }}-devel | grep "bin/javac" | sed -r s"/\/bin\/javac//"'
register: jdk_path_ret
- name: "配置 JDK 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} JDK Config"
insertafter: EOF
block: |
export JAVA_HOME={{ jdk_path_ret.stdout }}
- name: "确认 JDK 安装情况"
shell: ". /etc/profile && java -version 2>&1"
register: jdk_version_ret
- name: "输出 JDK 版本号"
debug:
msg: "{{ jdk_version_ret.stdout_lines | join('\n') }}"
Ansible 安装
roles-demo2/ci-tools-install/tasks/ansible_install.yml
- name: "安装 Ansible 软件包"
yum:
name: "ansible-{{ ANSIBLE_VERSION }}.el7"
state: present
- name: "确认 Ansible 安装情况"
shell: "ansible --version 2>&1"
register: ansible_version_ret
- name: "输出 Ansible 版本号"
debug:
msg: "{{ ansible_version_ret.stdout_lines | join('\n') }}"Maven 安装
roles-demo2/ci-tools-install/tasks/ansible_install.yml
- name: "下载 Maven 软件包"
get_url:
url: "https://mirrors.tuna.tsinghua.edu.cn/apache/maven/maven-{{ MAVEN_VERSION | split('.') | first }}/{{ MAVEN_VERSION }}/binaries/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
dest: "/tmp/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
validate_certs: no
- name: "解压 Maven 安装目录"
unarchive:
src: "/tmp/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
dest: /usr/local/
remote_src: yes
- name: "配置 Maven 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} Maven Config"
insertafter: EOF
block: |
export M2_HOME=/usr/local/apache-maven-{{ MAVEN_VERSION }}
export PATH=$PATH:$M2_HOME/bin
- name: "确认 Maven 安装情况"
shell: ". /etc/profile && mvn -version 2>&1"
register: mvn_version_ret
- name: "输出 Maven 版本号"
debug:
msg: "{{ mvn_version_ret.stdout_lines | join('\n') }}"
- name: "配置 Maven 镜像加速库"
copy:
src: "settings.xml"
dest: "/usr/local/apache-maven-{{ MAVEN_VERSION }}/conf/settings.xml"
- name: "清理 Maven 压缩包"
file:
path: "/tmp/apache-maven-{{ MAVEN_VERSION }}-bin.tar.gz"
state: absentAnt 安装
roles-demo2/ci-tools-install/tasks/ant_install.yml
- name: "下载 Ant 软件包"
get_url:
url: "https://mirrors.tuna.tsinghua.edu.cn/apache/ant/binaries/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
dest: "/tmp/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
validate_certs: no
- name: "解压 Ant 安装目录"
unarchive:
src: "/tmp/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
dest: /usr/local/
remote_src: yes
- name: "配置 Ant 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} Ant Config"
insertafter: EOF
block: |
export ANT_HOME=/usr/local/apache-ant-{{ ANT_VERSION }}
export PATH=$PATH:$ANT_HOME/bin
- name: "确认 Ant 安装情况"
shell: ". /etc/profile && ant -version 2>&1"
register: ant_version_ret
- name: "输出 Ant 版本号"
debug:
msg: "{{ ant_version_ret.stdout_lines | join('\n') }}"
- name: "清理 Ant 压缩包"
file:
path: "/tmp/apache-ant-{{ ANT_VERSION }}-bin.tar.gz"
state: absentGradle 安装
roles-demo2/ci-tools-install/tasks/gradle_install.yml
- name: "下载 Gradle 软件包"
get_url:
url: "https://services.gradle.org/distributions/gradle-{{ GRADLE_VERSION }}-bin.zip"
dest: "/tmp/gradle-{{ GRADLE_VERSION }}-bin.zip"
validate_certs: no
- name: "解压 Gradle 安装目录"
unarchive:
src: "/tmp/gradle-{{ GRADLE_VERSION }}-bin.zip"
dest: /usr/local/
remote_src: yes
- name: "配置 Gradle 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} Gradle Config"
insertafter: EOF
block: |
export GRADLE_HOME=/usr/local/gradle-{{ GRADLE_VERSION }}
export PATH=$PATH:$GRADLE_HOME/bin
- name: "确认 Gradle 安装情况"
shell: ". /etc/profile && gradle -v 2>&1"
register: gradle_version_ret
- name: "输出 Gradle 版本号"
debug:
msg: "{{ gradle_version_ret.stdout_lines | join('\n') }}"
- name: "清理 Gradle 压缩包"
file:
path: "/tmp/gradle-{{ GRADLE_VERSION }}-bin.zip"
state: absentNode JS 安装
roles-demo2/ci-tools-install/tasks/nodejs_install.yml
- name: "下载 NodeJS 软件包"
get_url:
url: "https://mirrors.tuna.tsinghua.edu.cn/nodejs-release/v{{ NODEJS_VERSION }}/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
dest: "/tmp/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
validate_certs: no
- name: "解压 NodeJS 安装目录"
unarchive:
src: "/tmp/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
dest: "/usr/local"
remote_src: yes
- name: "重命名 NodeJS 软件目录"
shell: "mv /usr/local/node-v{{ NODEJS_VERSION }}-linux-x64 /usr/local/node-v{{ NODEJS_VERSION }}"
when: nodejs_path is exists
vars:
nodejs_path: "/usr/local/node-v{{ NODEJS_VERSION }}-linux-x64"
- name: "配置 NodeJS 系统环境"
blockinfile:
path: /etc/profile
marker: "#{mark} NodeJS Config"
insertafter: EOF
block: |
export NODE_HOME=/usr/local/node-v{{ NODEJS_VERSION }}
export PATH=$PATH:$NODE_HOME/bin
- name: "确认 NodeJS 安装情况"
shell: ". /etc/profile && node -v 2>&1"
register: nodejs_version_ret
- name: "输出 NodeJS 版本号"
debug:
msg: "{{ nodejs_version_ret.stdout_lines | join('\n') }}"
- name: "配置 NPM 镜像加速"
shell: ". /etc/profile && npm config set registry=http://registry.npm.taobao.org"
- name: "清理 NodeJS 压缩包"
file:
path: "/tmp/node-v{{ NODEJS_VERSION }}-linux-x64.tar.gz"
state: absentjenkins 安装
- name: "安装 Jenkins 软件包"
yum:
name: "https://mirrors.tuna.tsinghua.edu.cn/jenkins/redhat/jenkins-{{ JENKINS_VERSION }}.noarch.rpm"
state: present
validate_certs: no
notify: create-admin-user
- name: "创建 Jenkins 脚本初始化目录"
file:
path: "{{ JENKINS_HOME }}/init.groovy.d"
state: directory
mode: 0775
- name: "渲染 Jenkins 配置"
template:
src: "jenkins.j2"
dest: "{{ JENKINS_CONFIG_LOCATION }}"
backup: true
notify: jenkins-restart
- name: "立即执行 Jenkins 配置相关 handlers"
meta: flush_handlers
- name: "启动 Jenkins 服务"
service:
name: "jenkins"
state: started
enabled: true
- name: "等待 Jenkins 服务启动"
uri:
url: "{{ JENKINS_URL }}/cli/"
method: GET
return_content: "yes"
timeout: 5
body_format: raw
follow_redirects: "no"
status_code: 200,403
register: result
until: (result.status == 403 or result.status == 200) and (result.content.find("Please wait while") == -1)
retries: 120
delay: 3
# 任务状态永远谁知为 非 changed
changed_when: false
# 检查模式时跳过该任务
check_mode: false
- name: "下载 jenkins-cli Jar 包"
get_url:
url: "{{ JENKINS_URL }}/jnlpJars/jenkins-cli.jar"
dest: "{{ JENKINS_CLI_JAR_LOCATION }}"
register: jenkins_cli_jar_get
# 失败重试,直到下载成功 或 文件已存在
until: "'OK' in jenkins_cli_jar_get.msg or '304' in jenkins_cli_jar_get.msg or 'file already exists' in jenkins_cli_jar_get.msg"
retries: 5
delay: 5
check_mode: false
- name: "确保 updates 目录存在"
file:
path: "{{ JENKINS_HOME }}/updates/"
state: directory
- name: "下载 Jenkins 插件中心配置"
get_url:
url: "{{ JENKINS_PLUGIN_UPDATES_URL }}/update-center.json"
dest: "{{ JENKINS_HOME }}/updates/default.json"
mode: 0440
validate_certs: no
register: get_plugin_json_result
# 失败重试,直到下载成功
until: get_plugin_json_result is success
# 重试 5 次
retries: 5
# 重试间隔 3 秒
delay: 3
- name: "处理 Jenkins 插件配置"
# 删除首行 "updateCenter.post("、尾行 ");"
replace:
path: "{{ JENKINS_HOME }}/updates/default.json"
regexp: "1d;$d"
- name: "配置 Jenkins 国内插件库"
xml:
path: "{{ JENKINS_HOME }}/hudson.model.UpdateCenter.xml"
xpath: "/sites/site/url"
value: "{{ JENKINS_PLUGIN_UPDATES_URL }}/update-center.json"
- name: "安装 Jenkins 插件"
jenkins_plugin:
name: "{{ plugin_item.name | default(plugin_item) }}"
# omit 意为 如果 plugin_item 有 前面的 version 属性存在,那就用。没有的话那就告诉模块省略该参数
version: "{{ plugin_item.version | default(omit) }}"
jenkins_home: "{{ JENKINS_HOME }}"
url_username: "{{ JENKINS_ADMIN_USERNAME }}"
url_password: "{{ JENKINS_ADMIN_PASSWORD }}"
# state 'present' 安装插件
state: present
# 安装超时时间
timeout: "{{ JENKINS_PLUGIN_INSTALL_TIMEOUT }}"
# update-center.json 过期时间
updates_expiration: "{{ JENKINS_PLUGIN_UPDATES_EXPIRATION }}"
# Jenkins 更新中心 地址
updates_url: "{{ JENKINS_PLUGIN_UPDATES_URL }}"
# Jenkins 服务地址
url: "{{ JENKINS_URL }}"
# 是否同时安装依赖插件
with_dependencies: "{{ JENKINS_PLUGIN_INSTALL_DEPENDENCIES }}"
loop: "{{ JENKINS_PLUGIN_INSTALL_LIST }}"
loop_control:
loop_var: plugin_item
register: plugin_install_result
until: plugin_install_result is success
retries: 5
delay: 30
- name: "检查 jpi 插件文件,不存在则重新下载"
vars:
# 2. 拼接插件实际路径
plugin_filename: "{{ JENKINS_HOME }}/plugins/{{ plugin_item }}.jpi"
jenkins_plugin:
name: "{{ plugin_item.name | default(plugin_item) }}"
# omit 意为 如果 plugin_item 有 前面的 version 属性存在,那就用。没有的话那就告诉模块省略该参数
version: "{{ plugin_item.version | default(omit) }}"
jenkins_home: "{{ JENKINS_HOME }}"
url_username: "{{ JENKINS_ADMIN_USERNAME }}"
url_password: "{{ JENKINS_ADMIN_PASSWORD }}"
# 安装插件
state: present
# 安装超时时间
timeout: "{{ JENKINS_PLUGIN_INSTALL_TIMEOUT }}"
# update-center.json 过期时间
updates_expiration: "{{ JENKINS_PLUGIN_UPDATES_EXPIRATION }}"
# Jenkins 更新中心 地址
updates_url: "{{ JENKINS_PLUGIN_UPDATES_URL }}"
# Jenkins 服务地址
url: "{{ JENKINS_URL }}"
# 是否同时安装依赖插件
with_dependencies: "{{ JENKINS_PLUGIN_INSTALL_DEPENDENCIES }}"
# 3. 当插件不存在时,执行 jenkins_plugin 模块
when: plugin_filename is not exists
# 1. 遍历插件列表
loop: "{{ JENKINS_PLUGIN_INSTALL_LIST }}"
loop_control:
loop_var: plugin_item
# 4. 任务停止条件为:列表中的所有插件都已下载到 插件目录 {{ JENKINS_HOME }}/plugins/
until: JENKINS_PLUGIN_INSTALL_LIST | all_file_exists == 1
# 单个插件下载重试次数
# todo: 不太清楚为什么 until 重试次数
retries: 1
# 每隔 5 秒尝试一次
delay: 5
# failed_when:当条件满足时(true),执行状态设为 failed
# 设为永远返回 ok,忽略部分插件不存在的错误
failed_when: false
- name: "创建 CasC 目录"
file:
path: "{{ JENKINS_HOME }}/casc_configs"
state: directory
mode: 0775
# 渲染 Configure as Code 配置
# 重启 Jenkins 服务,应用 CasC 配置
- name: "渲染 CasC 配置"
template:
src: "jenkins.yml.j2"
dest: "{{ JENKINS_HOME }}/casc_configs/jenkins.yml"
notify: jenkins-restart
- name: "立即执行 Jenkins 配置相关 handlers"
meta: flush_handlers
- name: "移除 Jenkins 创建用户脚本"
file:
path: "{{ JENKINS_HOME }}/init.groovy.d/basic-security.groovy"
state: absent安装 Jenkins
$ ansible-playbook ci-tools-install/tests/test.yml
PLAY [ecs[2]] ******
TASK [Gathering Facts] ******
ok: [tencent]
TASK [ci-tools-install : include_tasks] ******
included: /prodata/scripts/ansibleLearn/roles-demo2/ci-tools-install/tasks/jenkins_install.yml for tencent
TASK [ci-tools-install : 安装 Jenkins 软件包] ******
changed: [tencent]
TASK [ci-tools-install : 创建 Jenkins 脚本初始化目录] ******
changed: [tencent]
TASK [ci-tools-install : 渲染 Jenkins 配置] ******
changed: [tencent]
RUNNING HANDLER [ci-tools-install : jenkins-restart] ******
changed: [tencent]
RUNNING HANDLER [ci-tools-install : create-admin-user] ******
changed: [tencent]
TASK [ci-tools-install : 启动 Jenkins 服务] ******
ok: [tencent]
TASK [ci-tools-install : 等待 Jenkins 服务启动] ******
FAILED - RETRYING: 等待 Jenkins 服务启动 (120 retries left).
ok: [tencent]
TASK [ci-tools-install : 下载 jenkins-cli Jar 包] ******
changed: [tencent]
TASK [ci-tools-install : 确保 updates 目录存在] ******
ok: [tencent]
TASK [ci-tools-install : 下载 Jenkins 插件中心配置] ******
changed: [tencent]
TASK [ci-tools-install : 处理 Jenkins 插件配置] ******
ok: [tencent]
TASK [ci-tools-install : 配置 Jenkins 国内插件库] ******
changed: [tencent]
TASK [ci-tools-install : 安装 Jenkins 插件] ******
changed: [tencent] => (item=git)
changed: [tencent] => (item=badge)
changed: [tencent] => (item=ansible)
changed: [tencent] => (item=configuration-as-code)
changed: [tencent] => (item=role-strategy)
changed: [tencent] => (item=periodicbackup)
changed: [tencent] => (item=build-user-vars-plugin)
changed: [tencent] => (item=workflow-aggregator)
changed: [tencent] => (item=pipeline-utility-steps)
changed: [tencent] => (item=pipeline-maven)
changed: [tencent] => (item=pipeline-npm)
changed: [tencent] => (item=workflow-cps-global-lib-http)
changed: [tencent] => (item=pipeline-model-declarative-agent)
changed: [tencent] => (item=docker-workflow)
changed: [tencent] => (item=blueocean)
changed: [tencent] => (item=blueocean-core-js)
changed: [tencent] => (item=blueocean-git-pipeline)
changed: [tencent] => (item=blueocean-pipeline-editor)
changed: [tencent] => (item=blueocean-web)
changed: [tencent] => (item=blueocean-pipeline-scm-api)
changed: [tencent] => (item=blueocean-dashboard)
changed: [tencent] => (item=docker-plugin)
changed: [tencent] => (item=ssh-steps)
changed: [tencent] => (item=docker-slaves)
changed: [tencent] => (item=docker-compose-build-step)
changed: [tencent] => (item=http_request)
changed: [tencent] => (item=timestamper)
changed: [tencent] => (item=build-timestamp)
changed: [tencent] => (item=ldap)
changed: [tencent] => (item=ldapemail)
changed: [tencent] => (item=ant)
changed: [tencent] => (item=gradle)
changed: [tencent] => (item=nodejs)
changed: [tencent] => (item=maven-plugin)
changed: [tencent] => (item=ansiColor)
changed: [tencent] => (item=build-timeout)
changed: [tencent] => (item=ws-cleanup)
changed: [tencent] => (item=view-job-filters)
changed: [tencent] => (item=build-user-vars-plugin)
changed: [tencent] => (item=scriptler)
changed: [tencent] => (item=cloudbees-folder)
changed: [tencent] => (item=groovy)
changed: [tencent] => (item=lockable-resources)
TASK [ci-tools-install : 检查 jpi 插件文件,不存在则重新下载] ******
skipping: [tencent] => (item=git)
skipping: [tencent] => (item=badge)
skipping: [tencent] => (item=ansible)
skipping: [tencent] => (item=configuration-as-code)
skipping: [tencent] => (item=role-strategy)
skipping: [tencent] => (item=periodicbackup)
skipping: [tencent] => (item=build-user-vars-plugin)
skipping: [tencent] => (item=workflow-aggregator)
skipping: [tencent] => (item=pipeline-utility-steps)
skipping: [tencent] => (item=pipeline-maven)
skipping: [tencent] => (item=pipeline-npm)
skipping: [tencent] => (item=workflow-cps-global-lib-http)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=pipeline-model-declarative-agent)
skipping: [tencent] => (item=docker-workflow)
skipping: [tencent] => (item=blueocean)
skipping: [tencent] => (item=blueocean-core-js)
skipping: [tencent] => (item=blueocean-git-pipeline)
skipping: [tencent] => (item=blueocean-pipeline-editor)
skipping: [tencent] => (item=blueocean-web)
skipping: [tencent] => (item=blueocean-pipeline-scm-api)
skipping: [tencent] => (item=blueocean-dashboard)
skipping: [tencent] => (item=docker-plugin)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=ssh-steps)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=docker-slaves)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=docker-compose-build-step)
skipping: [tencent] => (item=http_request)
skipping: [tencent] => (item=timestamper)
skipping: [tencent] => (item=build-timestamp)
skipping: [tencent] => (item=ldap)
skipping: [tencent] => (item=ldapemail)
skipping: [tencent] => (item=ant)
skipping: [tencent] => (item=gradle)
skipping: [tencent] => (item=nodejs)
skipping: [tencent] => (item=maven-plugin)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=ansiColor)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=build-timeout)
FAILED - RETRYING: 检查 jpi 插件文件,不存在则重新下载 (1 retries left).
changed: [tencent] => (item=ws-cleanup)
skipping: [tencent] => (item=view-job-filters)
skipping: [tencent] => (item=build-user-vars-plugin)
skipping: [tencent] => (item=scriptler)
skipping: [tencent] => (item=cloudbees-folder)
skipping: [tencent] => (item=groovy)
skipping: [tencent] => (item=lockable-resources)
TASK [ci-tools-install : 创建 CasC 目录] ******
changed: [tencent]
TASK [ci-tools-install : 渲染 CasC 配置] ******
changed: [tencent]
RUNNING HANDLER [ci-tools-install : jenkins-restart] ******
changed: [tencent]
TASK [ci-tools-install : 移除 Jenkins 创建用户脚本] ******
changed: [tencent]
PLAY RECAP ******
tencent : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 六、Role tags
Role 也支持设置 tags,具体用法还是老样子
k8s.yml
---
- name: "系统初始化"
hosts: all
gather_facts: true
roles:
- initial
tags:
- initial
- name: "部署 Container Runtime"
hosts: all
gather_facts: true
roles:
- cri
tags:
- cri
- name: "部署 Kubernetes 集群"
hosts: all
gather_facts: true
roles:
- kubernetes
tags:
- kubernetes在使用时也很简单
$ ap -i inventory --tags=initial,kubernetes k8s.yml
$ ap -i inventory --skip-tags=initial k8s.yml七、Role 规范实践
前面,我们一直使用的是 ansible-galaxy init 初始化的结构,在这种结构下,所有任务都堆在一个 role 里去完成
role-demo1
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml这样有一个明显的缺点,耦合严重,变量、任务,回调等等
所以,后来经过学习实践,目录结构调整为如下
$ tree ansible-k8s-role
ansible-k8s-role/
├── alicloud.py
├── aliyun-ecs-sdk.py
├── instance_ids.txt
├── inventory
├── meta
│ └── main.yml
├── README.md
├── roles
│ ├── cri
│ │ ├── files
│ │ │ └── buildkit.service
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── setup.yml
│ │ ├── tasks
│ │ │ ├── install_containerd.yml
│ │ │ └── main.yml
│ │ ├── templates
│ │ │ └── config.toml.j2
│ │ └── vars
│ │ └── main.yml
│ ├── initial
│ │ ├── files
│ │ │ ├── 99-prophet.conf
│ │ │ ├── hosts
│ │ │ ├── k8s.conf
│ │ │ └── kubernetes.conf
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── setup.yml
│ │ ├── tasks
│ │ │ ├── disable_firewall.yml
│ │ │ ├── install_tools.yml
│ │ │ ├── install_zsh.yml
│ │ │ ├── kernel_update.yml
│ │ │ ├── main.yml
│ │ │ ├── reboot.yml
│ │ │ ├── set_hosts_resolve.yml
│ │ │ └── swap_kernel_ipvs_timezone_log_config.yml
│ │ ├── tests
│ │ │ ├── inventory
│ │ │ └── test.yml
│ │ └── vars
│ │ └── main.yml
│ └── kubernetes
│ ├── files
│ │ └── kubernetes.repo
│ ├── handlers
│ │ └── main.yml
│ ├── setup.yml
│ ├── tasks
│ │ ├── install_kubernetes.yml
│ │ └── main.yml
│ ├── templates
│ │ └── kubeadm.yaml.j2
│ ├── tests
│ │ └── test.yml
│ └── vars
│ └── main.yml
└── setup.yml
21 directories, 40 files将某个大的、复杂的部署任务,按照类型拆解成多个 Role 角色,然后再根据具体的任务拆分到各 tasks,以上面的为例
部署一套 Kubernetes 集群,我拆分成了三个 Role
- initial:初始化操作系统,执行包括 安装软件包、设置主机名、升级内核、配置防火墙、内核参数等等
- cri:安装容器运行时 Containerd、nerdctl、buildkit 等
- kubernetes:初始化集群
这个机构其实可以在优化一点,例如,将 kubernetes/tasks/install_kubernetes.yml 进行拆分,分为一下几个部分
- 软件包安装:执行仓库添加 kubectl、kubeadm、kubelet 安装
- 集群镜像拉取:拉取 kubeadm.yaml 用到的镜像,以及后续会用到的镜像
- 集群创建:主节点初始化、工作节点加入集群
- CNI 配置:flannel、calico 部署
- 以及其他后续问题的处理,例如:coredns 重建、以及修复 scheduler control-manager 端口配置问题
在运行时,我们根据自己所需,既可以直接执行总的入口文件
$ ansible-playbook -i alicloud.py setup.yml也可以执行特定的 role
$ ansible-playbook -i alicloud.py --tags=cri setup.yml
$ ansible-playbook -i alicloud.py roles/cri/setup.yml我们还可以用 tags 标识一组 tasks 文件,下面是我之前写的一个 victoria-metrics 单节点快速部署角色,具体示例代码已分享到 Coding
$ cat roles/single-server/tasks/main.yml
---
- include_tasks:
file: "install_node_exporter.yml"
apply:
tags: ["node_exporter"]
tags: ["node_exporter"]
- include_tasks:
file: "install_promoter.yml"
apply:
tags: [ "promoter" ]
tags: [ "promoter" ]
- include_tasks:
file: "install_alertmanager.yml"
apply:
tags: ["alertmanager"]
tags: ["alertmanager"]
- include_tasks:
file: "install_victoriametrics.yml"
apply:
tags: ["vm"]
tags: ["vm"]
- include_tasks:
file: "install_grafana.yml"
apply:
tags: ["grafana"]
tags: ["grafana"]在执行时,通过 tags 安装需要的部分即可
$ ap --tags=node_exporter,grafana roles/prometheus/setup.yml
