Ansible OS Tuning¶

1. Ansible role structure¶

cog-ansible/
|-- roles
|   └-- base
|       ├-- files           # 放置文件（含需推送至被控机的配件文件、可执行文件等）
|       ├-- handlers
|       |   └-- main.yaml   # 可选：处理程序（如重启服务）
|       ├-- tasks
|       |   └-- main.yaml   # Ansible 主任务清单
|       ├-- templates       # 放置模板文件（如需要传参的配件文件）
|       └-- vars
|           └-- main.yaml   # 变量定义

2. Prepare playbook¶

Login with ansible

2.1 Download ansible roles from gitlab

cd ~
git clone https://wzs-sat-qas-gitlab.wistron.com/wzsse/cog-ansible.git

2.2 Create config file

vim ~/ansible.cfg

Add below parameters (check/change remote user to your remote maintain user)

[defaults]
inventory = ./cog-ansible/inventory
roles_path = ./cog-ansible/roles
remote_user = ansible
host_key_checking = False
forks = 20
deprecation_warnings=False

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

2.3 Create inventory file

vim ~/cog-ansible/inventory

Add client info into inventory file

[group1]
apserver  ansible_ssh_host=10.xx.xx.xx

[group2]
dbserver  ansible_ssh_host=10.xx.xx.xx

[group:children]
group1
group2

Create and encrypt password file

vault folder: group_vars/{ group name with inventory file }

mkdir -p ~/cog-ansible/group_vars/all   # create the `all` vault folder for all roles
ansible-vault create ~/cog-ansible/group_vars/all/vault.yaml   # Setup access vault file password

add below content to vault.yaml (the password has been change to the actual remote user password)

# group_vars/all/vault.yml
ansible_ssh_pass: "MySecretSSHPassword123!"
ansible_sudo_pass: "MySecretSudoPassword456!"

Create OS tuning playbook

vim ~/ostuning.yaml

example:

disable_root_remote : Disable user root remote ssh login

install_zabbix : Use ansible to install zabbix agent

create_user_forSE : Do you want to create a local account for SE

---
- name: OS Base Tuning
  hosts: IP/aliasName/groupName
  become: yes
  vars:
    # on/off
    use_http_proxy: false
    disable_root_remote: true
    install_zabbix: true
    create_user_forSE: true

    # common variables
    remote_user: ansible
    timezone: Asia/Shanghai
    env: QAS    #to-change: DEV, QAS, PRD, STB
    server_type: Default   #to-change: Default(非DB或k8s节点), DB(Oracle/PG DB), K8S(Satellite/Armstrong k8s节点)

    # local server
    ansible_server: 10.xx.xx.xx
    yum_server: wzs-yum.wistron.com
    zabbix_server: 10.xx.xx.xx
    monitor_server: 10.xx.xx.xx
    http_proxy: 10.xx.xx.xx:xx:xxxx
    dnsserver:
      - 10.41.xx.xx
      - 10.55.xx.xx
    seteam:
      - jane
      - seven
      - alice
      - swingye

  roles:
    - role: ./cog-ansible/roles/base

3. OS tuning¶

ansible-playbook ostuning.yaml --ask-vault-pass