Ansible Tower Standardized Management Case

Author: 魏新宇
Published 2018-04-18 11:39:10

1 Configure sudo

1. Change the file permissions

[root@localhost]# cat mod-sudo-1.yml
---
- hosts: all
  tasks:
    - name: chmod u+w
      file:
        path: /etc/sudoers
        mode: u+w

2. Edit the file, inserting a line below a specific line

[root@localhost]# cat mod-sudo-2.yml
---
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/sudoers
        state: present
        # the stock 'root ALL=(ALL) ALL' entry is tab separated, so '\t' is a regex tab
        insertafter: 'root\tALL'
        line: 'osmaster    ALL=(ALL)       ALL'
        # tip: validate: '/usr/sbin/visudo -cf %s' rejects a syntactically broken
        # sudoers before it is written, which would otherwise lock out sudo

3. Restore the original file permissions

[root@localhost]# cat mod-sudo-3.yml
---
- include: mod-sudo-1.yml
- include: mod-sudo-2.yml
- hosts: all
  tasks:
    - name: chmod u-w
      file:
        path: /etc/sudoers
        mode: u-w

2 Disable SELinux

[root@localhost]# cat selinux-off.yml
---
- hosts: all
  tasks:
    - name: selinux off
      selinux:
        state: disabled
      notify:
        - selinux-off
  handlers:
    # the config change takes effect after a reboot; the handler also switches
    # the running system to permissive mode immediately
    - name: selinux-off
      shell: setenforce 0

3 Disable the firewall

[root@localhost]# cat firewalld-off.yml
---
- hosts: all
  tasks:
    - name: firewalld off
      service:
        name: firewalld
        state: stopped
        enabled: false
      register: result
      ignore_errors: true

    # retry without 'enabled' when the first attempt failed for a reason
    # other than the service not being installed
    - name: phase1
      service: name=firewalld state=stopped
      when: (result|failed) and (result.msg.find("Could not find the requested service") != 0)

4 Configure idle-session logout

[root@localhost]# cat timeout.yml
---
- hosts: all
  tasks:
    # a single task replaces the remove/add pair: state=absent with a plain
    # 'line' only removes an exact match and would miss e.g. 'export TMOUT=600';
    # matching by regexp rewrites any existing definition in place and
    # appends the line when none exists, so the task is also idempotent
    - name: set TMOUT
      lineinfile:
        path: /etc/profile
        state: present
        regexp: '^export TMOUT'
        line: 'export TMOUT=3600'

5 Add timestamps to shell history

[root@localhost]# cat 0307-history-format.yml
---
- hosts: all
  tasks:
    # a single task replaces the remove/add pair: state=absent with a plain
    # 'line' only removes an exact match and would leave an existing
    # 'export HISTTIMEFORMAT=...' in place; the regexp rewrites any such
    # definition and appends the line when none exists
    - name: set HISTTIMEFORMAT
      lineinfile:
        path: /etc/bashrc
        state: present
        regexp: '^export HISTTIMEFORMAT'
        line: 'export HISTTIMEFORMAT="%F  %T"'

6 Change the default SNMP community name from public to snmp_ciitc

[root@localhost]# cat 0308-snmp.yml
---
- hosts: all
  tasks:
    # state=file fails when the file does not exist, so the edit below is
    # skipped on hosts without snmpd installed
    - name: if the file is there
      file:
        path: /etc/snmp/snmpd.conf
        state: file
      register: result
      ignore_errors: true

    - name: change file context
      lineinfile:
        path: /etc/snmp/snmpd.conf
        state: present
        backrefs: yes
        # whitespace must match the stock line exactly, otherwise nothing is changed
        regexp: 'com2sec notConfigUser  default       public'
        line: 'com2sec notConfigUser  default       snmp_ciitc'
      when: result|success

7 Configure access control

[root@localhost]# cat 0309-access-control.yml
---
- hosts: all
  tasks:
    - name: change /etc/bashrc
      lineinfile:
        path: /etc/bashrc
        state: present
        insertafter: EOF
        line: 'umask 027'

    - name: change /etc/profile
      lineinfile:
        path: /etc/profile
        state: present
        backrefs: yes
        regexp: '    umask 022'
        line: '    umask 027'

8 Configure the account lockout policy for failed logins

[root@localhost]# cat 0310-user-lock.yml
---
- hosts: all
  tasks:
    - name: add /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        # PAM evaluates auth lines in file order: appended after
        # 'auth sufficient pam_unix.so' this line is only reached once
        # pam_unix has already failed
        insertafter: EOF
        line: 'auth required  pam_tally2.so onerr=fail deny=10  unlock_time=180  root_unlock_time=1'

9 Configure the password policy

[root@localhost]# cat password-policy.yml
---
- hosts: all
  tasks:
    - name: add /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        backrefs: yes
        regexp: 'password    requisite'
        line: 'password    requisite     pam_cracklib.so dcredit=-1 ucredit=-1  ocredit=-1 lcredit=0 minlen=8 retry=3'

    - name: add /etc/pam.d/passwd
      lineinfile:
        path: /etc/pam.d/passwd
        state: present
        insertafter: EOF
        line: 'password    required    pam_unix.so    remember=5    use_authtok    md5'
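Both playbooks above append their PAM line at the end of the file (insertafter is unset, so lineinfile uses EOF). PAM walks the lines of one type in file order, and a `sufficient` module that succeeds ends the stack at once, so a pam_tally2 line that lands after `auth sufficient pam_unix.so` is never consulted when the password is correct and the lockout is not enforced. The following Python model, added here and not part of the original post, walks a constructed RHEL 7 style system-auth with the playbook's line appended versus inserted before pam_unix; the stack contents, the module results and all function names are constructed for the example.

```python
# Added example: simplified PAM auth-stack walk (required/requisite/sufficient
# only) showing where the pam_tally2 line from 0310-user-lock.yml must be placed.
TALLY = "auth required  pam_tally2.so onerr=fail deny=10  unlock_time=180  root_unlock_time=1"

# Constructed, abridged RHEL 7 style system-auth; not copied from a real host.
BASE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
"""

def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines, in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def run_auth(stack, results):
    """Walk the stack; results maps module -> True (pass) / False (fail).
    Returns (authenticated, modules that were actually executed)."""
    failed, executed = False, []
    for control, module in stack:
        executed.append(module)
        ok = results.get(module, True)
        if control == "requisite" and not ok:
            return False, executed      # abort the stack at once
        if control == "required" and not ok:
            failed = True               # keep walking; the final result is failure
        if control == "sufficient" and ok and not failed:
            return True, executed       # short-circuit: later lines never run
    return not failed, executed

def appended_at_eof():
    # What the playbook produces: insertafter unset, so the line lands at EOF.
    return BASE + TALLY + "\n"

def inserted_before_unix():
    # Corrected placement: the tally check runs before pam_unix can short-circuit.
    lines = BASE.splitlines()
    lines.insert(1, TALLY)
    return "\n".join(lines) + "\n"

# Scenario: correct password (pam_unix passes) for an account pam_tally2 has locked.
LOCKED_ACCOUNT = {"pam_unix.so": True, "pam_tally2.so": False, "pam_deny.so": False}

def login_allowed(config_text):
    """(allowed, executed_modules) for the locked-account scenario."""
    return run_auth(parse_auth_stack(config_text), LOCKED_ACCOUNT)
```

With the playbook's placement the locked account still logs in and pam_tally2 never runs; with the line before pam_unix the login is refused. A matching `account required pam_tally2.so` line is what resets the counter after a successful login.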

10 Configure password rules

[root@localhost]# cat password-rule.yml
---
- hosts: all
  tasks:
    - name: change /etc/login.defs
      lineinfile:
        path: /etc/login.defs
        state: present
        backrefs: yes
        # the stock entry is tab separated; with backrefs the '\t' in 'line'
        # is expanded to a real tab as well
        regexp: 'PASS_MIN_LEN\t5'
        line: 'PASS_MIN_LEN\t8'

11 Fix the slow password prompt when transferring over SCP

[root@localhost]# cat 0313-tcp-trans.yml
---
- hosts: all
  tasks:
    - name: change SCP
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: 'GSSAPIAuthentication yes'
        backrefs: yes
        line: 'GSSAPIAuthentication no'
    - name: change SSH Rhosts
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '#IgnoreRhosts yes'
        backrefs: yes
        line: 'IgnoreRhosts yes'
    - name: change SSH empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '#PermitEmptyPasswords no'
        backrefs: yes
        line: 'PermitEmptyPasswords no'
    - name: change SSH Rhosts RSA Auth
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '#RhostsRSAAuthentication no'
        backrefs: yes
        line: 'RhostsRSAAuthentication no'
    - name: change SSH Hostbased Auth
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '#HostbasedAuthentication no'
        backrefs: yes
        line: 'HostbasedAuthentication no'

12 Fix slow SSH logins by disabling DNS lookups

[root@localhost]# cat tcp-dns.yml
---
- hosts: all
  tasks:
    - name: change SSH DNS
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '#UseDNS yes'
        backrefs: yes
        line: 'UseDNS no'

13 Configure SSH login

[root@localhost]# cat ssh-login.yml
---
- hosts: all
  tasks:
    - name: change SSH empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '#PermitEmptyPasswords no'
        backrefs: yes
        line: 'PermitEmptyPasswords no'
    - name: change SSH banner
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        insertafter: "#Banner none"
        line: 'Banner /etc/motd'
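Sections 6, 7 and 9 to 13 all rely on `regexp` together with `backrefs: yes`. With backrefs set, lineinfile rewrites a line only when the regexp matches and otherwise changes nothing, so on a host where the keyword is already uncommented with the unwanted value (`UseDNS yes` rather than the stock `#UseDNS yes`) the task reports ok and the weak setting stays in force. The following Python model, added here and not the module's code or the author's, reproduces the lineinfile behaviour these tasks depend on over constructed sshd_config fragments and contrasts the task from tcp-dns.yml with an anchored regexp that covers both forms; the file contents and helper names are constructed for the example.

```python
# Added example: a small model of the Ansible lineinfile semantics these playbooks
# rely on (regexp, backrefs, insertafter), run over a constructed sshd_config.
import re

def lineinfile(text, line, regexp=None, backrefs=False, insertafter=None):
    """Simplified state=present: a regexp match replaces the last matching line
    (backrefs expands group references in `line`); regexp+backrefs with no match
    leaves the file untouched; otherwise `line` is inserted after the last
    `insertafter` match or at EOF, unless it is already present verbatim."""
    lines = text.splitlines()
    if regexp is not None:
        rx = re.compile(regexp)
        hits = [(i, rx.search(l)) for i, l in enumerate(lines)]
        hits = [(i, m) for i, m in hits if m]
        if hits:
            i, m = hits[-1]
            lines[i] = m.expand(line) if backrefs else line
            return "\n".join(lines) + "\n"
        if backrefs:
            return text                 # nothing matched: backrefs mode never inserts
    if line in lines:
        return text
    pos = len(lines)
    if insertafter not in (None, "EOF"):
        after = [i for i, l in enumerate(lines) if re.search(insertafter, l)]
        if after:
            pos = after[-1] + 1
    lines.insert(pos, line)
    return "\n".join(lines) + "\n"

# Constructed fragments: stock commented default vs. a host where the keyword was set.
STOCK  = "Port 22\n#UseDNS yes\n#PermitEmptyPasswords no\n"
PRESET = "Port 22\nUseDNS yes\nPermitEmptyPasswords no\n"

def task_as_written(text):
    # Task from tcp-dns.yml: only a literally commented '#UseDNS yes' is rewritten.
    return lineinfile(text, "UseDNS no", regexp=r"#UseDNS yes", backrefs=True)

def task_hardened(text):
    # Anchored, comment-tolerant regexp without backrefs: rewrites either form
    # and appends the line when the keyword is missing entirely.
    return lineinfile(text, "UseDNS no", regexp=r"^#?\s*UseDNS\s")

def effective(text, keyword):
    """Value sshd applies: the first uncommented occurrence wins; None if absent."""
    for l in text.splitlines():
        fields = l.split()
        if len(fields) >= 2 and fields[0] == keyword:
            return fields[1]
    return None
```

The same check applies to the other backrefs tasks on this page: a regexp written against the commented stock line leaves an explicitly set value untouched, which a compliance scan of the effective setting (rather than the task result) will reveal.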

14 Configure permission control on critical files

[root@localhost]# cat 0314-directory-access.yml
---
- hosts: all
  tasks:
    - name: /etc/passwd 644
      file:
        path: /etc/passwd
        mode: 0644
    - name: /etc/shadow 600
      file:
        path: /etc/shadow
        mode: 0600
    - name: /etc/group 644
      file:
        path: /etc/group
        mode: 0644

15 Raise the Linux TCP connection limits

[root@localhost]# cat 0316-tcp-connections.yml
---
- hosts: all
  tasks:
    - name: soft nofile
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        insertafter: EOF
        line: '*               soft    nofile           65536'
    - name: hard nofile
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        insertafter: EOF
        line: '*               hard    nofile           65536'
    - name: soft nproc
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        insertafter: EOF
        line: '*               soft    nproc           65536'
    - name: hard nproc
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        insertafter: EOF
        line: '*               hard    nproc           65536'

16 Linux kernel parameter tuning

[root@localhost]# cat 0317-kernel-param.yml
---
- hosts: all
  tasks:
    - name: kernel panic
      lineinfile:
        path: /etc/sysctl.conf
        state: present
        insertafter: EOF
        line: 'kernel.panic_on_oops=1'
    - name: vm.min
      lineinfile:
        path: /etc/sysctl.conf
        state: present
        insertafter: EOF
        line: 'vm.min_free_kbytes=819200'
    - name: vm.max
      lineinfile:
        path: /etc/sysctl.conf
        state: present
        insertafter: EOF
        line: 'vm.max_map_count=131060'
    - name: fs.file-max
      lineinfile:
        path: /etc/sysctl.conf
        state: present
        insertafter: EOF
        line: 'fs.file-max = 6815744'
    - name: fs.aio-max-nr
      lineinfile:
        path: /etc/sysctl.conf
        state: present
        insertafter: EOF
        line: 'fs.aio-max-nr = 1048576'
    # pam_limits must be loaded for the limits.conf entries to apply to login sessions
    - name: session
      lineinfile:
        path: /etc/pam.d/login
        state: present
        insertafter: EOF
        line: 'session    required     /lib64/security/pam_limits.so'

17 Disable Linux services

[root@localhost]# cat 0318-service-close.yml
---
- hosts: all
  tasks:
    - name: avahi-daemon off
      service: name=avahi-daemon state=stopped enabled=no
      register: result
      ignore_errors: true
    # retry when the first attempt failed for a reason other than the service not being installed
    - name: avahi-daemon off (retry)
      service: name=avahi-daemon state=stopped enabled=no
      when: (result|failed) and (result.msg.find("Could not find the requested service") != 0)

    - name: bluetooth off
      service: name=bluetooth state=stopped enabled=no
      register: result
      ignore_errors: true
    - name: bluetooth off (retry)
      service: name=bluetooth state=stopped enabled=no
      when: (result|failed) and (result.msg.find("Could not find the requested service") != 0)

18 Configure DNS resolver settings

[root@localhost]# cat config-dns.yml
---
- hosts: all
  tasks:
    - name: config DNS
      lineinfile:
        path: /etc/resolv.conf
        state: present
        insertafter: EOF
        line: 'nameserver 10.19.249.104'

    - name: config DNS2
      lineinfile:
        path: /etc/resolv.conf
        state: present
        insertafter: EOF
        line: 'nameserver 10.19.249.105'

 

19 Configure server time synchronization

[root@localhost]# cat 0322-config-ntp.yml
---
- hosts: all
  tasks:
    - name: copy files
      become: true
      copy:
        src: /var/lib/awx/projects/0322-config-ntp/example.conf
        dest: /etc/ntp.conf
        backup: yes

The configuration file is as follows:

[root@localhost]# cat /var/lib/awx/projects/0322-config-ntp/example.conf
server  ntp.ciitc.com.cn prefer
server  10.19.250.1
driftfile  /var/lib/ntp/drift
logfile  /var/log/ntp.log
keys  /etc/ntp/keys
includefile  /etc/ntp/crypto/pw

20 Write the system time to the hardware clock

[root@localhost]# cat 0323-hwclock.yml
---
- hosts: all
  tasks:
    - name: hwclock
      lineinfile:
        path: /etc/sysconfig/ntpd
        state: present
        insertafter: EOF
        line: 'SYNC_HWCLOCK=yes'

21 Configure the yum repository

[root@localhost]# cat repo-create.yml
---
- hosts: all
  tasks:
    - name: test connection
      ping:

    - name: Add repository
      yum_repository:
        name: rhel
        description: RHEL YUM repo
        file: rhel
        baseurl: http://172.20.16.227:8090/rhel/
        gpgcheck: no    # package signature verification is disabled for this internal mirror
        enabled: yes

22 Upgrade to a specific patched version

[root@localhost]# cat check-rpm-info.yml
---
- hosts: all
  tasks:
    - name: install ntp
      package:
        name: ntp-4.2.6p5
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart ntpd

    - name: install openssh
      package:
        name: openssh-7.4p1
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart sshd
  handlers:
    - name: restart ntpd
      service: name=ntpd state=restarted
    - name: restart sshd
      service: name=sshd state=restarted

Originally published 2018-04-11 on the WeChat public account 大魏分享; republished through the Tencent Cloud self-media sharing program.