前期我们安装了数百台服务器,接下来使用ansible对它们进行优化
安装
继续在管理机192.168.128.10上操作
ansible在epel源中
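# ansible (and sshpass, which ~/copy_ssh_id.sh below relies on) ship in the EPEL repo,
# so enable it first.
yum install -y epel-release
yum install -y ansible sshpass
# Uncomment "host_key_checking = False" in ansible.cfg. Plain ASCII quotes are required;
# the typographic quotes ‘ ’ in the original make sed fail.
# NOTE: this disables SSH host-key verification for every ansible connection; it is
# tolerable on an isolated provisioning LAN but should be reverted once the hosts are
# in known_hosts (ssh-copy-id below records them anyway).
sed -i '/host_key_checking/s/^#//' /etc/ansible/ansible.cfg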
定义主机组
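# Define the inventory groups. Guarded so that re-running this step does not append
# a second copy of the groups to /etc/ansible/hosts.
if ! grep -q '^\[servers\]' /etc/ansible/hosts; then
  cat >>/etc/ansible/hosts <<'EOF'
[manager]
192.168.128.10
[servers]
192.168.128.[21:26]
EOF
fi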
批量发送公钥至所有服务器
三列分别是主机名,ip地址,密码
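# Columns: hostname, ip address, root password.
# The file holds plaintext passwords, so it is created with mode 0600 (umask 077)
# inside a subshell so the caller's umask is untouched.
# Hostnames must be unique: the original list had "server4" twice, so .26 is
# assumed to be server6 -- confirm against your naming scheme.
(
  umask 077
  cat >~/host-ip-pwd <<-'EOF'
server1 192.168.128.21 123456
server2 192.168.128.22 123456
server3 192.168.128.23 123456
server4 192.168.128.24 123456
server5 192.168.128.25 123456
server6 192.168.128.26 123456
EOF
)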
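# Write the key-distribution script. The delimiter is quoted so the script text is
# taken literally (no \$ escaping needed).
cat >~/copy_ssh_id.sh <<-'EOF'
#!/bin/bash
# Push the manager's public key to every host in ~/host-ip-pwd (hostname ip password),
# set each host's hostname, and distribute the resulting /etc/hosts to all of them.
set -u

# Only generate a key pair if there is none yet (ssh-keygen would otherwise prompt).
[[ -f ~/.ssh/id_rsa ]] || ssh-keygen -q -f ~/.ssh/id_rsa -t rsa -N ''

while read -r host ip password; do
  [[ -z "$host" ]] && continue
  # Hand the password to sshpass through the environment (-e) rather than on the
  # command line, so it is not visible in `ps` on the manager.
  # StrictHostKeyChecking=no accepts whatever host key the server presents; fine for
  # a fresh, isolated provisioning LAN, not for hosts reachable by others.
  SSHPASS="$password" sshpass -e ssh-copy-id -o StrictHostKeyChecking=no "root@${ip}"
  ssh -nq "root@${ip}" "hostnamectl set-hostname ${host}"
  # Do not add a duplicate line when the script is re-run.
  grep -q "^${ip} " /etc/hosts || printf '%s %s\n' "$ip" "$host" | sudo tee -a /etc/hosts
done < ~/host-ip-pwd

# Second pass: every host gets the complete /etc/hosts.
while read -r _ ip _; do
  [[ -z "$ip" ]] && continue
  scp /etc/hosts "root@${ip}:/etc/"
done < ~/host-ip-pwd
EOF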
执行发送
sh ~/copy_ssh_id.sh
测试
ansible servers -m ping
系统密码修改
出于安全考虑,前期批量安装使用的是同一个初始密码(见上面的 host-ip-pwd),现在要修改所有服务器 root 用户的密码
user 模块的 password 参数要求的是密码哈希,不能直接填入明文,因此下面用 password_hash 过滤器生成
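# Write the playbook with ">" (not ">>"): appending would add a second play each time
# this step is repeated. Indentation restored so the YAML is valid.
# no_log keeps the password (and its hash) out of the ansible output and logs.
cat >update_pwd.yml <<'EOF'
- hosts: servers
  gather_facts: false
  remote_user: root
  tasks:
    - name: update user passwd
      user: name={{ name }} password={{ chpass | password_hash('sha512') }} update_password=always
      no_log: true
EOF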
检查语法:
ansible-playbook --syntax-check update_pwd.yml -e "name=root chpass=1qscfg@#CF_2019"
执行:
ansible-playbook update_pwd.yml -e "name=root chpass=1qscfg@#CF_2019"
修改所有服务器系统性能参数
vim centos7-optimization.sh
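#!/bin/bash
# centos7-optimization.sh -- raise per-process limits, tune network sysctls and
# speed up sshd logins on a CentOS 7 host. Runs as root on every server (pushed
# with "ansible -m script"). Each file edit is guarded so the script can be
# re-run without appending duplicate lines.
set -euo pipefail

# Comment out the distro default "* soft nproc ..." line so limits.conf below wins.
# Anchored to the line start, so a second run does not turn "#*" into "##*".
sed -i 's/^\*/#*/' /etc/security/limits.d/20-nproc.conf

if ! grep -q '^\* hard nofile 65535' /etc/security/limits.conf; then
  cat <<'EOF' >>/etc/security/limits.conf
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
fi

if ! grep -q '^net.core.somaxconn' /etc/sysctl.conf; then
  # net.ipv4.ip_forward = 1 makes every host forward IP packets (router behaviour);
  # keep it only if these servers really route traffic, otherwise drop that line.
  cat >>/etc/sysctl.conf <<'EOF'
net.core.somaxconn = 2048
net.core.netdev_max_backlog = 16384
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_orphans = 32768
fs.file-max = 6815744
fs.aio-max-nr = 1048576
EOF
fi
/usr/sbin/sysctl -p

if ! grep -q '^DefaultLimitNOFILE=' /etc/systemd/system.conf; then
  # DefaultLimitCORE=infinity allows unlimited core dumps for every service; core
  # files can contain secrets held in memory, so restrict this if not needed.
  cat >>/etc/systemd/system.conf <<'EOF'
DefaultLimitCORE=infinity
DefaultLimitNOFILE=102400
DefaultLimitNPROC=102400
EOF
fi
systemctl daemon-reexec

## centos7 ssh login speed-up: skip GSSAPI negotiation and reverse DNS lookups
sed -i '/GSSAPIAuthentication/s/yes/no/' /etc/ssh/sshd_config
sed -i '/UseDNS/s/^#//; /UseDNS/s/yes/no/' /etc/ssh/sshd_config
# Validate the edited config before restarting: a broken sshd_config would lock
# us out of a remote host.
/usr/sbin/sshd -t
systemctl restart sshd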
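# The script has to live where the ansible call looks for it (the same
# /etc/ansible/tmp location used for yum-update.sh below), so chmod that path.
# The script module copies the file to each host and runs it there.
chmod +x /etc/ansible/tmp/centos7-optimization.sh
ansible servers -m script -a '/etc/ansible/tmp/centos7-optimization.sh'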
分发局域网yum文件
vim /etc/ansible/tmp/yum-update.sh
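#!/bin/bash
# yum-update.sh -- point yum on a server at the LAN mirror on 192.168.128.10.
# The original .repo files are moved to repobak so the change can be reverted.
# Runs as root on every server (pushed with "ansible -m script").
set -euo pipefail

repo_dir=/etc/yum.repos.d
mkdir -p "${repo_dir}/repobak"
# Move whatever .repo files exist; the test skips the literal glob when none match.
for f in "${repo_dir}"/*.repo; do
  [[ -e "$f" ]] && mv -- "$f" "${repo_dir}/repobak/"
done

# Quoted delimiters keep $releasever literal for yum; ">" (not ">>") makes re-runs
# rewrite the file instead of appending duplicate sections.
# gpgcheck=0 means packages from the mirror are NOT signature-verified: anyone who
# can tamper with the mirror or the LAN path can feed arbitrary RPMs to every
# server. If the mirror also serves the RPM-GPG keys, set gpgcheck=1 and gpgkey=
# to restore verification.
cat >"${repo_dir}/epel.repo" <<'EOF'
[epel]
name=CentOS-$releasever - epel
baseurl=http://192.168.128.10/epel/$releasever
enabled=1
gpgcheck=0
EOF
cat >"${repo_dir}/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://192.168.128.10/centos/$releasever/os
gpgcheck=0
enabled=1
EOF

yum clean all
yum makecache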
# Make the script executable, then have the script module copy and run it on
# every host in [servers].
chmod +x -- /etc/ansible/tmp/yum-update.sh
ansible -m script -a '/etc/ansible/tmp/yum-update.sh' servers
chronyd时间同步
时间服务器192.168.128.10
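# Write the playbook with ">" so re-running does not append a second play, with
# valid YAML indentation. The time server is the manager, 192.168.128.10 -- the
# original task pointed at 192.168.1.10, a different network.
# replace/lineinfile are used instead of a shell one-liner so repeated runs leave
# chrony.conf unchanged: the lookahead keeps our own server line uncommented.
cat >/etc/ansible/tmp/chrony.yml <<'EOF'
---
- hosts: servers
  gather_facts: false
  remote_user: root
  tasks:
    - name: install chrony
      yum: name=chrony state=present
    - name: comment out the default pool servers
      replace:
        path: /etc/chrony.conf
        regexp: '^server (?!192\.168\.128\.10 )'
        replace: '#server '
    - name: point chrony at the LAN time server
      lineinfile:
        path: /etc/chrony.conf
        line: 'server 192.168.128.10 iburst'
    - name: restart chronyd service
      service: name=chronyd state=restarted enabled=true
EOF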
开始执行任务
ansible-playbook /etc/ansible/tmp/chrony.yml
版权声明:本文为q2398352642原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。