• hosts: test
  roles:
  • install_zabbix_agent
  • install_java1.8
  • check_iptables
  • replace_yumrepo
  • install_check_sshd
  • install_maintainer_tools
  • selinux_stop
  • set_ulimit_maxfiles
  • set_timezone
  • set_kernel_args

  • install_ntp_or_chrony
    
    每一个项目的目录结构
    
    --[root@scsv01181 roles]# cat check_iptables/tasks/main.yml

  • name: check iptables status
    shell: ps aux |grep iptables|grep -v grep|wc -l
    register: iptables
  • name: if have iptables process to stop it
    shell: systemctl stop iptables
    when: iptables.stdout != "0"
  • name: check firewalld status
    shell: ps aux |grep firewall|grep -v grep|wc -l
    register: firewall
  • name: if have firewall process to stop it
    shell: systemctl stop firewalld
    when: firewall.stdout != "0"
  • name: disable iptables
    shell: systemctl disable iptables
    when: firewall.stdout != "0"
  • name: disable firewalld
    shell: systemctl disable firewalld
    when: firewall.stdout != "0"
  • name: print iptanles and firewalld info
    debug:
    msg: "iptables and firewalld is not running"
    when: iptables.stdout == "0" and firewall.stdout == "0"

--[root@scsv01181 roles]# cat install_check_sshd/tasks/main.yml

• name: check sshd is or not install
  shell: rpm -qa|grep openssh-server|wc -l warn=False
  register: sshd_count
• name: print sshd install info
  debug:
  msg: "sshd is not install"
  when: sshd_count.stdout == "0"
• name: check sshd is or not running
  shell: ps aux |grep /usr/sbin/sshd |grep -v grep|wc -l
  register: ssh_process_count
  when: sshd_count.stdout == "1"
• name: print sshd is not running
  debug:
  msg: "sshd service is not running"
  when: ssh_process_count.stdout == "0"
• name: start sshd service
  service: name=sshd state=started
  when: ssh_process_count.stdout == "0"
• name: make sshd servuice enabled of system started
  service: name=sshd enabled=yes

  when: ssh_process_count == "0"

--[root@scsv01181 roles]# cat install_java1.8/tasks/main.yml

• name: check the java version
  shell: java -version
  ignore_errors: yes
  register: javaversion
• debug:
  msg: "{{ javaversion.stderr_lines[0] }}"
• name: print java version
  debug:
  msg: "java is installed and the version is 1.8"
  when: javaversion.stderr_lines[0].count(‘1.8‘) == 1
• name: find java 1.8 package name
  shell: yum list|grep openjdk.x86_64|grep 1.8|cut -d " " -f1|uniq warn=False
  register: java_version

• debug:
  msg: "{{ java_version.stdout }}"

• name: install java 1.8 package
  shell: yum install -y {{ java_version.stdout }}
  when: javaversion.stderr_lines[0].count(‘1.8‘) != 1

--[root@scsv01181 roles]# cat install_maintainer_tools/tasks/main.yml

• name: install telnet for system
  yum: state=present name=telnet
• name: install iftop for system
  yum: state=present name=iftop
• name: install sysstat for system
  yum: state=present name=sysstat
• name: install iotop for system
  yum: state=present name=iotop
• name: install vim for system
  yum: state=present name=vim
• name: install dstat for system
  yum: state=present name=dstat
• name: install openssl for system
  yum: state=present name=openssl,openssl-devel

--[root@scsv01181 roles]# cat install_ntp_or_chrony/tasks/main.yml

• name: check ntp is not install
  shell: ps aux |grep ntp|grep -v grep|wc -l
  register: count_ntp
• name: check chrony is or not install
  shell: ps aux |grep chrony|grep -v grep|wc -l
  register: count_chrony
• name: stop chrony
  service: name=chronyd state=stoped
  when: count_chrony.stdout == "1"

• name: disable chronyd
  service: name=chronyd enabled=no
  when: count_chrony.stdout == "1"

• name: install ntp client
  yum: state=present name=ntp
  when: count_ntp.stdout != "1"
• name: copy local ntp config file to remote host
  copy: src=ntp.conf dest=/etc/ntp.conf mode=644 owner=root group=root backup=yes force=yes
  when: count_ntp.stdout != "1"
• name: start ntp client
  service: name=ntpd state=started
• name: make the ntp clinet service enable
  service: name=ntpd enabled=yes

--[root@scsv01181 roles]# cat install_zabbix_agent/tasks/main.yml

• name: install zabbix-agent for zabbix-server
  yum: state=present name=zabbix-agent
• name: make the zabbix-agent enable
  shell: systemctl enable zabbix-agent
• name: copy base zabbix-agent configuration file
  copy: src=zabbix_agentd.conf dest=/etc/zabbix/zabbix_agentd.conf mode=644 owner=root group=root backup=yes force=yes
• name: get hostname daxie
  shell: echo {{ ansible_hostname }}|tr ‘a-z‘ ‘A-Z‘
  register: hostname
• debug:
  msg: "{{ hostname.stdout }}"
• name: configuration zabbix-agent file hostname
  lineinfile:
  dest: /etc/zabbix/zabbix_agentd.conf
  regexp: ‘^Hostname=‘
  line: ‘Hostname={{ hostname.stdout}}‘
• name: configuration zabbix-agent file hostname
  lineinfile:
  dest: /etc/zabbix/zabbix_agentd.conf
  regexp: ‘^HostMetadata=‘
  line: ‘HostMetadata={{ META_DATA}}‘
• name: start zabbix-agent
  service: name=zabbix-agent state=started
• debug:
  msg: "now zabbix-agent is running and configuration complete"
• name: configuration zabbix-agent server address
  lineinfile:
  dest: /etc/zabbix/zabbix_agentd.conf
  regexp: ‘^Server=‘
  line: ‘Server={{ SERVERIP }}‘
• name: configuration zabbix-agent server active address
  lineinfile:
  dest: /etc/zabbix/zabbix_agentd.conf
  regexp: ‘ServerActive=‘
  line: ‘ServerActive={{ SERVERIP }}‘

--[root@scsv01181 roles]# cat replace_yumrepo/tasks/main.yml

• name: copy current local yum repo to remote host
  copy: src=SAIC-CentOS.repo dest=/etc/yum.repos.d/ mode=644 owner=root group=root backup=yes force=yes
• name: clean yum repo
  shell: yum clean all warn=False

  - name: yum makecahce

  shell: yum makecache warn=False

--[root@scsv01181 roles]# cat selinux_stop/tasks/main.yml

• name: configuration SELINUX for system
  lineinfile:
  dest: /etc/selinux/config
  regexp: ‘^SELINUX=‘
  line: ‘SELINUX=disabled‘
• name: get the status of selinux
  shell: getenforce
  register: selinux_num
• name: temporary change for system
  shell: setenforce 0
  when: selinux_num.stdout == "1"

--[root@scsv01181 roles]# cat set_kernel_args/tasks/main.yml

• name: 开启SYN Cookies
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_syncookies = 1‘

• name: TIME-WAIT sockets重新用于新的TCP连接
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_tw_reuse = 1‘

• name: 开启TCP连接中TIME-WAIT sockets的快速回收
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_tw_recycle = 1‘

• name: 当keepalive起用的时候，TCP发送keepalive消息的频度
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_keepalive_time = 600‘

• name: SYN队列长度
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_max_syn_backlog = 16384‘

• name: 表示系统同时保持TIME_WAIT套接字的最大数量
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_max_tw_buckets = 36000‘

• name: 设定 Linux 核心在回应 SYN 要求时会尝试多少次重新发送初始 SYN,ACK 封包后才决定放弃
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_synack_retries = 3‘

• name: 套接字由本端要求关闭的保持时间
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.tcp_fin_timeout = 10‘

• name: 禁止IP转发
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.ip_forward = 0‘

• name: 禁止发送ICMP重定向
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.conf.all.send_redirects = 0‘

• name: 禁止发送ICMP重定向,默认定向目录关闭
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.conf.default.send_redirects = 0‘

• name: 记录可疑的包源地址
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.conf.all.log_martians = 1‘

• name: 记录可疑的包源地址,默认地址
  lineinfile:
  dest: /etc/sysctl.conf
  regexp: ‘^$‘
  line: ‘net.ipv4.conf.default.log_martians = 1‘

• name: make the change effective
  shell: sysctl -p

--[root@scsv01181 roles]# cat set_timezone/tasks/main.yml

• name: set the time local
  shell: timedatectl set-timezone Asia/Shanghai warn=False

--[root@scsv01181 roles]# cat set_ulimit_maxfiles/tasks/main.yml

• name: configuration ulimit soft max files for system
  lineinfile:
  dest: /etc/security/limits.conf
  regexp: ‘^$‘
  line: ‘* soft nofile 65536‘
• name: configuration ulimit hard max files for system
  lineinfile:
  dest: /etc/security/limits.conf
  regexp: ‘^$‘
  line: ‘* hard nofile 65536‘
• name: temporary configuration ulimit max files
  shell: ulimit -n 65536

引用的文件都会直接放在当前项目的files目录里面作为文件根目录

ansible基于role 机器初始化脚本案例

原文：http://blog.51cto.com/13945009/2166411