Ansible實現主備模式的高可用(Keepalived)

前言

　　Ansible是一款極其簡單的IT自動化運維工具，基於Python開發，集合了衆多運維工具(puppet、cfengine、chef、func、fabric)的優勢，實現了批量系統配置、批量程序部署、批量運行命令等功能。Ansible是基於模塊工做的，自己沒有批量部署的能力，真正具備批量部署的是Ansible所運行的模塊，Ansible只是提供一種框架。Ansible主要承擔的工做包括：配置管理、服務即時開通、應用部署、流程編排、監控告警、日誌記錄等。

　　Ansible的基本架構：

• 核心模塊(Core Module)：在模塊庫(Module Library)中分爲兩塊，一個是核心模塊,另一個就是自定義模塊(Custom Modules)。核心模塊中都是Ansible自帶的模塊，模塊資源分發到遠程節點使其執行特定任務或匹配一個特定的狀態；
• 自定義模塊(Custom Modules)：若是Ansible知足不了你所需求的模塊，則在此處添加自定義化的模塊；
• 插件(Plugins)：協助模塊來完成某個功能；
• 劇本(Playbooks)：定義須要給遠程主機執行的一系列任務；
• 鏈接插件(Connectior Plugins)：Ansible默認基於SSH鏈接到目標機器上執行操做的，但也支持不一樣的鏈接方法，此時須要鏈接插件來幫助咱們完成鏈接；
• 主機清單(Host Inventory)：定義須要管理的主機，小型環境中咱們只須要在host文件中寫入主機的IP地址便可，但到了中大型環境咱們有可能須要使用靜態inventory或者動態主機清單來生成咱們所須要執行的目標主機。

實驗拓撲圖

　　兩臺Nginx做爲Web Proxy，配置實現KeepAlived作主備；後端兩臺Apache，一臺部署Apache+PHP，一臺部署Apache+MySQL。

搭建Ansible

[root@ansible ~]# systemctl stop firewalld.service
[root@ansible ~]# systemctl disable firewalld.serive
[root@ansible ~]# vim /etc/selinux/config
    ...
    SELINUX=disabled
    ...
[root@ansible ~]# init 6
[root@ansible ~]# ntpdate ntp1.aliyun.com
[root@ansible ~]# yum -y install ansible
[root@ansible ~]# vim /etc/ansible/hosts
    ...
    [hasrvs]
    192.168.4.117
    192.168.4.118
    [websrvs]
    192.168.4.119
    192.168.4.120
　　[php]
　　192.168.4.119
　　[mysql]
　　192.168.4.120
[root@ansible ~]# vim /etc/hosts
    ...
    192.168.4.117 nginx1
    192.168.4.118 nginx2
    192.168.4.119 apache1
    192.168.4.120 apache2
[root@ansible ~]# ssh-keygen -t rsa -N ''  #生成密鑰對，實現ssh免密碼登陸
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Created directory '/root/.ssh'.
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub
[root@ansible ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.4.117  #複製公鑰到各遠程主機
[root@ansible ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.4.118
[root@ansible ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.4.119
[root@ansible ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.4.120

 測試連通性

[root@ansible ~]# ansible all -m ping
    192.168.4.117 | SUCCESS => {
        "changed": false, 
        "ping": "pong"
    }
    192.168.4.118 | SUCCESS => {
        "changed": false, 
        "ping": "pong"
    }
    192.168.4.120 | SUCCESS => {
        "changed": false, 
        "ping": "pong"
    }
    192.168.4.119 | SUCCESS => {
        "changed": false, 
        "ping": "pong"
    }

同步時間，關閉firewalld及selinux

[root@ansible ~]# ansible all -m shell -a 'echo "TZ='Asia/Shanghai'; export TZ" >> /etc/profile'
[root@ansible ~]# ansible all -m cron -a 'minute=*/5 job="/usr/sbin/ntpdate ntp1.aliyun.com &> /dev/null" name=UpdateTime'  #每隔3分鐘同步一次時間
[root@ansible ~]# ansible all -m shell -a 'systemctl stop firewalld.service; systemctl disable firewalld.service; setenfore 0'

 配置Apache服務的roles

[root@ansible ~]# mkdir -pv /etc/ansible/roles/apache/{files,templates,tasks,handlers,vars,meta,default}  #建立相關目錄
[root@ansible ~]# vim /etc/ansible/roles/apache/templates/vhost.conf.j2  #Apache主機模板
    <virtualhost *:80>
        ServerName www.test.org
        DirectoryIndex index.html index.php
        DocumentRoot /var/www/html
        ProxyRequests off
        ProxyPassMatch ^/(.*\.php)$ fcgi://192.168.4.119:9000/var/www/html/$1
        ProxyPassMatch ^/(ping|status)$ fcgi://192.168.4.119:9000/$1
        <Directory />
        options FollowSymlinks
        Allowoverride None
        Require all granted
        </Directory>
    </virtualhost>
[root@ansible ~]# vim /etc/ansible/roles/apache/templates/index.html  #Apache主頁
    <h1> This is {{ ansible_hostname }} </h1>
[root@ansible ~]# vim /etc/ansible/roles/apache/files/index.php
    <?php
        phpinfo();
    ?>
[root@ansible ~]# vim /etc/ansible/roles/apache/tasks/main.yml  #定義實現Apache的task
    - name: install apache
      yum: name=httpd state=latest
    - name: copy conf
      template: src=vhost.conf.j2 dest=/etc/httpd/conf.d/vhost.conf
    - name: copy index.html
      template: src=index.html dest=/var/www/html/index.html
    - name: copy index.php
      copy: src=index.php dest=/var/www/html/index.php
    - name: start httpd
      service: name=httpd state=started

配置php-fpm服務的roles

[root@ansible ~]# mkdir -pv /etc/ansible/roles/php-fpm/{files,templates,tasks,handlers,vars,meta,default}  #建立相關目錄
[root@ansible ~]# cp /etc/php-fpm.d/www.conf /etc/ansible/roles/php-fpm/templates/www.conf.j2  #直接複製事先準備的配置模板
[root@ansible ~]# vim /etc/ansible/roles/php-fpm/templates/www.conf.j2
    #修改以下配置
    listem = 0.0.0.0:9000
    ;listen.allowed_clients = 127.0.0.1
    pm.status_path = /status
    ping.path = /ping
    ping.response = pong
[root@ansible ~]# vim /etc/ansible/roles/php-fpm/tasks/main.yml  #定義實現php-fpm的task
    - name: install php
      yum: name={{ item }} state=latest
      with_items:
      - php-fpm
      - php-mysql
      - php-mbstring
      - php-mcrypt
    - name: copy config
      template: src=www.conf.j2 dest=/etc/php-fpm.d/www.conf
    - name: create directory
      file: path=/var/lib/php/session group=apache owner=apache state=directory
    - name: start php-fpm
      service: name=php-fpm state=started

 配置MySQL服務的roles

[root@ansible ~]# mkdir -pv /etc/ansible/roles/mysql/{files,templates,tasks,handlers,vars,meta,default}  #建立相關目錄
[root@ansible ~]# cp /etc/my.cnf /etc/ansible/roles/mysql/templates/my.cnf.j2  #複製事先準備的模板
[root@ansible ~]# vim /etc/ansible/roles/mysql/templates/my.cnf.j2
    #添加以下配置
    skip-name-resolve=ON
    innodb-file-per-table=ON
[root@ansible ~]# vim /etc/ansible/roles/mysql/tasks/main.yml  #定義實現MySQL的task
    - name: install mysql
      yum: name=mariadb-server state=latest
    - name: copy config
      template: src=my.cnf.j2 dest=/etc/my.cnf
    - name: start mysql
      service: name=mariadb state=started

配置Nginx服務的roles

[root@ansible ~]# mkdir -pv /etc/ansible/roles/nginx/{files,templates,tasks,handlers,vars,meta,default}  #建立相關目錄
[root@ansible ~]# cp /etc/nginx/nginx.conf /etc/ansible/roles/nginx/templates/nginx.conf.j2  #複製事先準備的模板
[root@ansible ~]# vim /etc/ansible/roles/nginx/templates/nginx.conf.j2
　　#修改配置
    http {
        ...
        upstream websrvs {
            server 192.168.4.119:80;
            server 192.168.4.120:80;
            server 127.0.0.1:80 backup;
        }
        server {
        
            listen 80;
            include /etc/nginx/default.d/*.conf;
    
            location / {
                proxy_pass http://websrvs;
                proxy_set_header host $http_host;
                proxy_set_header X-Forward-For $remote_addr;
            }
            ...
        }
        ...
    }
[root@ansible ~]# vim /etc/ansible/roles/nginx/templates/localhost.conf.j2  #定義本地的Nginx服務
    server {
        listen 127.0.0.1:80;
        root /usr/share/nginx/html;
        index index.html;
    }
[root@ansible ~]# vim /etc/ansible/roles/nginx/templates/index.html
    <h1> Balance Server {{ ansible_hostname }} </h1>
[root@ansible ~]# vim /etc/ansible/roles/nginx/tasks/main.yml  #定義實現Nginx的task
    - name: install nginx
      yum: name=nginx state=latest
    - name: copy nginx conf
      template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
    - name: copy local conf
      template: src=localhost.conf.j2 dest=/etc/nginx/conf.d/localhost.conf
    - name: copy index
      template: src=index.html dest=/usr/share/nginx/html/index.html
    - name: start nginx
      service: name=nginx state=started

 配置KeepAlived服務的roles

[root@ansible keepalived]# mkdir -pv /etc/ansible/roles/keepalived/{files,templates,tasks,handlers,vars,meta,default}  #建立相關目錄
[root@ansible keepalived]# vim /etc/ansible/roles/keepalived/templates/keepalived.conf.j2  #KeepAlived配置文件
    global_defs {
           notification_email {
             root@localhost
           }
           notification_email_from keepalived@localhost
           smtp_server 127.0.0.1
           smtp_connect_timeout 30
           router_id {{ ansible_nodename }}
           vrrp_skip_check_adv_addr
           vrrp_mcast_group4 224.0.0.10
    }
    
    vrrp_instance VIP_1 {
        state {{ keepalived_role }}
        interface eno16777736
        virtual_router_id 1
        priority {{ keepalived_pri }}
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass %&hhjj99
        }
        virtual_ipaddress {
        　　192.168.4.155/24 dev eno16777736 label eno16777736:0
        }
    }
[root@ansible keepalived]# vim /etc/ansible/hosts  #添加變量
        ...
    [hasrvs]
    192.168.4.117 keepalived_role=MASTER keepalived_pri=100
    192.168.4.118 keepalived_role=BACKUP keepalived_pri=99
    ...
[root@ansible keepalived]# vim /etc/ansible/roles/keepalived/tasks/main.yml  #定義實現Keepalived的task
    - name: install keepalived
      yum: name=keepalived state=latest
    - name: copy config
      template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf
    - name: start keepalived
      service: name=keepalived state=started

 配置Apache+PHP服務的playbook

[root@ansible keepalived]# mkdir /etc/ansible/playbooks  #建立playbook存放目錄
[root@ansible roles]# vim /etc/ansible/playbooks/ap1.yml  定義實現Apache+php-fpm的playbook
    - hosts: php
      remote_user: root
      roles:
      - apache
      - php-fpm
[root@ansible roles]# ansible-playbook --syntax-check /etc/ansible/playbooks/ap1.yml  #檢查是否有語法錯誤
[root@ansible roles]# ansible-playbook /etc/ansible/playbooks/ap1.yml  #執行

配置Apache+MySQL服務的playbook

[root@ansible ~]# vim /etc/ansible/playbooks/ap2.yml
    - hosts: mysql
      remote_user: root
      roles:
      - apache
      - mysql
[root@ansible ~]# ansible-playbook --syntax-check /etc/ansibleplaybooks/ap2.yml
[root@ansible ~]# ansible-playbook /etc/ansibleplaybooks/ap2.yml

 配置Nginx+Keepalived服務的playbook

[root@ansible ~]# vim /etc/ansible/playbooks/ha.yml
    - hosts: hasrvs
      remote_user: root
      roles:
      - nginx
      - keepalived 
[root@ansible ~]# ansible-playbook --syntax-check /etc/ansible/playbooks/ha.yml 
[root@ansible ~]# ansible-playbook /etc/ansible/playbooks/ha.yml

 客戶端測試訪問

[root@client ~]# vim /etc/hosts
    ...
    192.168.4.155 www.test.org
    ...
[root@client ~]# for i in {1..10};do curl http://www.test.org;done
    <h1> This is apache2 </h1>
    <h1> This is apache1 </h1>
    <h1> This is apache2 </h1>
    <h1> This is apache1 </h1>
    <h1> This is apache2 </h1>
    <h1> This is apache1 </h1>
    <h1> This is apache2 </h1>
    <h1> This is apache1 </h1>
    <h1> This is apache2 </h1>
    <h1> This is apache1 </h1>

小插曲：

　　[root@ansible ~]# ansible all -m ping --list-hosts
　　ERROR! Unexpected Exception, this is probably a bug: (cryptography 0.8.2 (/usr/lib64/python2.7/site-packages), Requirement.parse('cryptography>=1.1'))

　　運行ansible命令時報錯，python的cryptography版本必須>=1.1。

　　解決辦法：

　　[root@ansible ~]# yum -y install python-pip

　　[root@ansible ~]# pip install --upgrade cryptography