Deploy a shopxo mall (ansible implementation)

Environmental preparation:

Configure openvpn in m01
#运行服务端脚本
[[email protected] ~]# sh openvpn_server.sh
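# openvpn_server.sh — provision an OpenVPN server on CentOS 7 (run as root: `sh openvpn_server.sh`).
# Flow: install openvpn + easy-rsa, build a PKI, write /etc/openvpn/server.conf, stage the
# certificates under /etc/openvpn/certs, enable IP forwarding and NAT, start the unit.
# Review notes:
#  - `build-ca nopass` leaves the CA private key unencrypted under pki/private; whoever can read
#    it can issue VPN client certificates, so protect that directory like server.key.
#  - `iptables -F` flushes the filter table and nothing here re-adds host rules afterwards, so the
#    host then relies on its default chain policies.
#  - cd and the NAT rule are checked explicitly; other steps print their own errors, as before.
easyrsa_dir=/etc/openvpn/easy-rsa-server/3
certs_dir=/etc/openvpn/certs
vpn_subnet=10.8.0.0/24

echo "安装openvpn和证书工具"
yum -y install openvpn  && yum -y install easy-rsa
echo "生成服务器配置文件"
cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
echo "准备证书签发相关文件"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
echo "准备签发证书相关变量的配置文件"
cp /usr/share/doc/easy-rsa-3.0.8/vars.example "${easyrsa_dir}/vars"
echo "建议修改给CA和OpenVPN服务器颁发的证书的有效期,可适当加长"
echo "初始化服务端PKI生成PKI相关目录和文件"
# Every ./easyrsa call below is relative to this directory; abort if we are not in it.
cd "${easyrsa_dir}" || exit 1
./easyrsa init-pki
echo "创建CA证书"
./easyrsa build-ca nopass
cat pki/serial
echo "生成服务端证书"
./easyrsa gen-req server nopass
echo "签发服务端证书"
./easyrsa sign server server
echo "创建 Diffie-Hellman 密钥"
./easyrsa gen-dh
# Quoted delimiter: the config contains no shell expansions, so keep it literal.
cat > /etc/openvpn/server.conf <<'EOF'
port 1194
proto tcp
dev tun
ca  /etc/openvpn/certs/ca.crt
cert  /etc/openvpn/certs/server.crt
key  /etc/openvpn/certs/server.key  # This file should be kept secret
dh  /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status  /var/log/openvpn/openvpn-status.log
log-append   /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF
echo "openvpn 日志文件"
mkdir -p /var/log/openvpn
echo "openvpn 服务端文件"
mkdir -p "${certs_dir}"
cp "${easyrsa_dir}/pki/issued/server.crt" "${certs_dir}/"
cp "${easyrsa_dir}/pki/private/server.key" "${certs_dir}/"
cp "${easyrsa_dir}/pki/ca.crt" "${certs_dir}/"
cp "${easyrsa_dir}/pki/dh.pem" "${certs_dir}/"
echo "修改内核参数"
# Append only if the exact line is missing, so re-running does not stack duplicates.
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
echo "安装IPtables-services"
yum install iptables-services -y
systemctl disable --now firewalld
systemctl start iptables
echo "清除防火墙默认规则"
iptables -F
echo "添加openVPN网络转发规则"
# -C checks for the rule first: the comment below documents that exactly one MASQUERADE line
# is expected, and a plain -A would add another copy on every run.
iptables -t nat -C POSTROUTING -s "${vpn_subnet}" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "${vpn_subnet}" -j MASQUERADE || exit 1
#service iptables save  永久生效
echo "查看iptables获取规则"
iptables -vnL -t nat
#2   104 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0
#有且只有此一行
echo "重启OpenVpn"
systemctl daemon-reload
# Unit name restored from the post's e-mail-obfuscated rendering ("[email protected]").
systemctl enable --now openvpn@server.service
echo "查看路由规则"
route -n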


#客户端脚本
[[email protected] ~]# sh openvpn_client.sh
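# openvpn_client.sh — issue a client certificate on the server-side CA and bundle a .ovpn profile.
# Runs on the VPN server (needs /etc/openvpn/easy-rsa-server/3 from openvpn_server.sh).
# NAME becomes the certificate name and part of filesystem paths, so it is validated below.
# The "(如:${NAME})" example in the prompt is empty unless NAME is already set by the caller —
# behaviour kept from the original.
read -r -p "请输入用户的姓名拼音(如:${NAME}): " NAME
read -r -p "请输入远程代理IP(如:${IP}): " IP
case "${NAME}" in
  ''|.|..|*/*|*[[:space:]]*)
    echo "invalid name: '${NAME}'" >&2
    exit 1
    ;;
esac
[ -n "${IP}" ] || { echo "remote IP must not be empty" >&2; exit 1; }

client_dir=/etc/openvpn/easy-rsa-client/3
server_dir=/etc/openvpn/easy-rsa-server/3

echo "客户端证书环境"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
# Fixed: the original copied vars.example to ".../3/varsa" (typo); easy-rsa reads a file named "vars".
cp /usr/share/doc/easy-rsa-3.0.8/vars.example "${client_dir}/vars"
cd "${client_dir}" || exit 1
echo "初始化pki证书目录"
./easyrsa init-pki
echo "生成客户端证书"
./easyrsa gen-req "${NAME}" nopass
echo "将客户端证书同步到服务端"
cd "${server_dir}" || exit 1
./easyrsa import-req "${client_dir}/pki/reqs/${NAME}.req" "${NAME}"
echo "查看客户端证书"
# `ll` is an interactive alias and is not defined when run as `sh script`; use ls -l.
ls -l "pki/reqs/${NAME}.req" "${client_dir}/pki/reqs/${NAME}.req"
echo "签发客户端证书,请输入:yes"
./easyrsa sign client "${NAME}"
echo "查看证书"
cat pki/index.txt
ls -l pki/certs_by_serial/
cat "pki/issued/${NAME}.crt"
echo "创建客户端配置文件"
bundle_dir="/etc/openvpn/client/${NAME}"
mkdir -p "${bundle_dir}"
cd "${bundle_dir}" || exit 1
# Unquoted delimiter on purpose: ${IP} and ${NAME} are expanded into the profile.
cat > "${bundle_dir}/${NAME}.ovpn" <<EOF
client
dev tun
proto tcp
remote ${IP} 1194
resolv-retry infinite
nobind
ca ca.crt
cert ${NAME}.crt
key ${NAME}.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
cp "${client_dir}/pki/private/${NAME}.key" .
cp "${server_dir}/pki/issued/${NAME}.crt" .
cp "${server_dir}/pki/ca.crt" .
echo "打包用户证书"
# The archive holds the client's private key; deliver it to the user over a trusted channel.
tar -czvf "${NAME}.tar.gz" ./
echo "重启OpenVpn"
systemctl daemon-reload
# Unit name restored from the post's e-mail-obfuscated rendering ("[email protected]").
systemctl enable --now openvpn@server.service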

#如果已经配好openvpn,运行以下脚本开启路由转发
[[email protected] ~]# sh start_route.sh 
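# start_route.sh — re-apply NAT for the VPN subnet on a server that is already configured.
# `iptables -F` only flushes the filter table; the nat table keeps earlier MASQUERADE rules,
# so the rule is added only when it is not already present (one line is expected, see the
# openvpn_server.sh output comment).
vpn_subnet=10.8.0.0/24
systemctl stop iptables && systemctl start iptables || exit 1
iptables -F
iptables -t nat -C POSTROUTING -s "${vpn_subnet}" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "${vpn_subnet}" -j MASQUERADE || exit 1
iptables -vnL -t nat
systemctl daemon-reload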
Configure passwordless SSH

[[email protected] ~]# sh ssh.sh
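# ssh.sh — drop stale known_hosts entries for the fleet and push root's key with ssh-copy-id.
# Review notes:
#  - the expect dialogue answers "yes" to the host-key prompt, so a new or changed host key is
#    accepted without verification;
#  - the login password is embedded in the script (default "1", the original value); it can be
#    supplied through the SSH_PASS environment variable instead of editing the file.
# The loop below uses host names, which must resolve (e.g. via /etc/hosts) to the IPs listed here.
for host_ip in 172.16.1.5 172.16.1.6 172.16.1.7 172.16.1.8 172.16.1.9 \
               172.16.1.31 172.16.1.41 172.16.1.51 172.16.1.71; do
  ssh-keygen -R "${host_ip}"
done
yum install expect -y
ssh_pass=${SSH_PASS:-1}
# Fixed: the original had typographic quotes (‘lb01’, “(yes/no)”) from the copy-paste, which bash
# and expect treat as literal characters, so neither the host names nor the patterns matched.
for ip in lb01 lb02 web01 web02 web03 backup nfs db m01 prometheus; do
  expect -c "
spawn ssh-copy-id -i root@${ip}
expect {
\"(yes/no)\" {send \"yes\r\";exp_continue}
\"password\" {send \"${ssh_pass}\r\";exp_continue}
} "
done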

Configure the host list
[[email protected] ~]# vim /etc/ansible/hosts 
# /etc/ansible/hosts — inventory for the shopxo deployment. Group names match the plays in
# shopxo.yml; m01 (172.16.1.61) is the control node and has no play of its own.
[lb]
172.16.1.5
172.16.1.6
[web]
172.16.1.7
172.16.1.8
172.16.1.9
[nfs]
172.16.1.31
[backup]
172.16.1.41
[db]
172.16.1.51
[m01]
172.16.1.61
[prometheus]
172.16.1.71
Install ansible and create roles
#安装ansible
[[email protected] ~]# yum install -y ansible

#创建backup角色
[[email protected] ~]# ansible-galaxy init backup

#创建nfs角色
[[email protected] ~]# ansible-galaxy init nfs

#创建mariadb角色
[[email protected] ~]# ansible-galaxy init maria

#创建nginx角色
[[email protected] ~]# ansible-galaxy init nginx

#创建php角色
[[email protected] ~]# ansible-galaxy init php

#创建package角色
[[email protected] ~]# ansible-galaxy init package

#创建prometheus角色
[[email protected] ~]# ansible-galaxy init prometheus

#创建prometheus-db角色
[[email protected] ~]# ansible-galaxy init prometheus-db

#创建prometheus-web角色
[[email protected] ~]# ansible-galaxy init prometheus-web

#创建负载均衡角色
[[email protected] ~]# ansible-galaxy init lb

Configure the backup role
#编辑任务清单
[[email protected] tasks]# vim main.yml 
# backup role task order: www user, rsync package, rsyncd.conf, secrets file, module dir, service.
# NOTE(review): `include` is deprecated in newer Ansible releases; `import_tasks` is the static replacement.
- include: create_user.yml
- include: install.yml
- include: rsync_conf.yml
- include: rsync_passwd.yml
- include: create_dir.yml
- include: start.yml
#创建用户
[[email protected] tasks]# vim create_user.yml 
# Fixed uid 1000 so files written by rsyncd match the anonuid/anongid=1000 squash used by the nfs exports.
- name: create user
  user:
    name: www
    uid: 1000
#安装rsync
[[email protected] tasks]# vim install.yml 
# Install rsync from the distro repositories (`installed` is the legacy alias of `present`).
- name: install rsync
  yum:
    name: rsync
    state: installed
#编辑rsync配置文件
[[email protected] tasks]# vim rsync_conf.yml 
# Render roles/backup/templates/rsync.conf.j2 as the daemon config.
- name: write rsync conf
  template:
    src: rsync.conf.j2
    dest: /etc/rsyncd.conf
#下面为rsync配置文件内容
[[email protected] ansible]# vim roles/backup/templates/rsync.conf.j2
# rsyncd.conf for the backup host. The daemon runs as the unprivileged www user; `fake super`
# records ownership in xattrs so it does not need root.
uid = www     
gid = www
port = 873	 
fake super = yes
use chroot = no
max connections = 200
timeout = 600
ignore errors   
read only = false
list = false   
# Writable, non-chrooted module guarded only by the yzl password in /etc/rsync.passwd (written in
# clear text by rsync_passwd.yml). There is no `hosts allow` line, so reachability is limited only
# by the network; keep the secret in ansible-vault rather than in the role.
auth users = yzl
secrets file = /etc/rsync.passwd
log file = /var/log/rsyncd.log
[database]
comment = welcome to oldboyedu database!
path = /backup/database
#创建rsync服务端密码文件
    [[email protected] tasks]# vim rsync_passwd.yml 
# Server-side secrets file in "user:password" form; rsyncd refuses it unless mode is 0600.
# The credential is stored in clear text in the role — a vaulted variable would avoid that.
- name: create rsync passwd
  copy:
    content: yzl:123
    dest: /etc/rsync.passwd 
    mode: 0600
    #创建模块目录
[[email protected] roles]# vim backup/tasks/create_dir.yml 
# Module directory for [database]; owner is www so the daemon (uid www) can write into it.
# No `group:` is given, so the group is whatever the file module defaults to — verify if it matters.
- name: create database directory
  file:
    path: /backup/database
    state: directory
    owner: www
#启动rsync
[[email protected] tasks]# vim start.yml 
# Start rsyncd now; no `enabled:` key, so the service is not set to start on boot.
- name: start rsyncd
  service:
    name: rsyncd
    state: started
Configure nfs role

#Edit task list

[[email protected] ansible]# vim roles/nfs/tasks/main.yml 
# nfs role task order. NOTE(review): this list includes unarchive_niushop.yml, but the file shown
# below is saved as unarchive_shopxo.yml — the two names must agree or the play fails.
- include: create_user.yml
- include: install.yml 
- include: create_passwd.yml
- include: write_exports.yml
- include: create_dir.yml
- include: unarchive_niushop.yml
- include: chown.yml
- include: start.yml 
- include: showmount.yml
- include: unarchive.yml
- include: write_confxml.yml
- include: run_sersync.yml
#创建用户
[[email protected] tasks]# vim create_user.yml 
# www user with the uid from defaults/main.yml (1000, matching anonuid/anongid in exports.j2).
- name: Create User
  user: 
    name: "{{ USER_NAME }}"
    uid: "{{ UID }}"
#定义变量    
[[email protected] roles]# vim nfs/defaults/main.yml 
# Role defaults: the service account and its uid, shared with the nginx role's defaults.
USER_NAME: www
UID: 1000
#安装rsync
[[email protected] tasks]# vim install.yml 
# rsync (sersync pushes through it), nfs-utils and rpcbind for the NFS server.
- name: install rsync
  yum:
    name: rsync,nfs-utils,rpcbind
    state: installed
#创建rsync客户端软件    
[[email protected] tasks]# vim create_passwd.yml 
# Client-side rsync password file (password only, no user name); referenced by confxml.j2's
# <auth ... passwordfile>. Clear-text secret in the role — prefer a vaulted variable.
- name: create rsync.passwd
  copy:
    content: 123
    dest: /etc/rsync.passwd 
    mode: 0600
#编辑创建挂载点的文件
[[email protected] tasks]# vim write_exports.yml 
# Render the NFS export list from templates/exports.j2.
- name: write exports
  template:
    src: exports.j2
    dest: /etc/exports
#创建挂载点
[[email protected] roles]# vim nfs/templates/exports.j2 
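# NFS exports pushed to /etc/exports by the nfs role. Both shares are limited to the
# 172.16.1.0/24 management network and squash every client user to uid/gid 1000 (the www
# user created by the role), so files land owned by www.
/nfs/web 172.16.1.0/24(rw,sync,all_squash,anonuid=1000,anongid=1000)
# Fixed: the original exported "/nfs/datase", which does not exist; create_dir.yml makes /nfs/database.
/nfs/database 172.16.1.0/24(rw,sync,all_squash,anonuid=1000,anongid=1000)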
#创建目录
[[email protected] tasks]# vim create_dir.yml 
# Share roots; /nfs/web holds the unpacked shop, /nfs/database is watched by sersync.
- name: create dir
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /nfs
    - /nfs/web
    - /nfs/database
#解压项目包
[[email protected] tasks]# vim unarchive_shopxo.yml 
# `copy: yes` means src is taken from the role's files/ directory on the control node.
# Unpacking a .zip needs `unzip` on the target; nothing on this page installs it — verify.
- name: unzip niushop
  unarchive:
    src: zongzhige-shopxo-master.zip
    dest: /nfs/web
    copy: yes
#授权目录
[[email protected] tasks]# vim chown.yml 
# Recursive chown via shell; reports "changed" on every run. The file module with
# owner/group/recurse would be the idempotent equivalent.
- name: chown www
  shell:
    cmd: "chown -R www.www /nfs"
#开启nfs服务    
[[email protected] tasks]# vim start.yml 
# Starts both units but does not enable them, so they do not come back after a reboot.
- name: start nfs rpcbind service
  shell:
    cmd: "systemctl start nfs rpcbind"
#查看挂载点(此步可省略)
[[email protected] tasks]# vim showmount.yml 
# Informational only (the page marks it optional); output is not captured.
- name: showmount point
  shell:
    cmd: "showmount -e"
#解压sersync (此处opt可去掉,将压缩包放入角色的file文件下即可)  
[[email protected] tasks]# vim unarchive.yml 
# Absolute src: the tarball is read from /opt on the control node (the page notes it could live
# in the role's files/ dir instead). Extracts to /nfs, producing /nfs/GNU-Linux-x86.
- name: unarchive sersync
  unarchive:
    src: /opt/sersync.gz
    dest: /nfs
#编写sersync配置文件
[[email protected] tasks]# vim write_confxml.yml 
# Render the sersync config into the extracted sersync directory.
- name: write confxml.xml
  template:
    src: confxml.j2
    dest: /nfs/GNU-Linux-x86/confxml.xml
#sersync配置内容
[[email protected] roles]# vim nfs/templates/confxml.j2 
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- sersync config: watch /nfs/database with inotify and push changes to the backup host's
     [database] rsync module (172.16.1.41) as user yzl. The command/socket/refreshCDN plugins
     below are the upstream sample and are not enabled (plugin start="false"); the cdninfo
     username/passwd placeholders belong to that unused sample. -->
<head version="2.5">
    <host hostip="localhost" port="8008"></host>
    <debug start="false"/>
    <fileSystem xfs="false"/>
    <filter start="false">
	<exclude expression="(.*)\.svn"></exclude>
	<exclude expression="(.*)\.gz"></exclude>
	<exclude expression="^info/*"></exclude>
	<exclude expression="^static/*"></exclude>
    </filter>
    <inotify>
	<delete start="true"/>
	<createFolder start="true"/>
	<createFile start="true"/>
	<closeWrite start="true"/>
	<moveFrom start="true"/>
	<moveTo start="true"/>
	<attrib start="true"/>
	<modify start="true"/>
    </inotify>

    <sersync>
	<localpath watch="/nfs/database">
	    <remote ip="172.16.1.41" name="database"/>
	    <!--<remote ip="192.168.8.39" name="tongbu"/>-->
	    <!--<remote ip="192.168.8.40" name="tongbu"/>-->
	</localpath>
	<rsync>
	    <commonParams params="-az"/>
	    <!-- users/passwordfile must match `auth users` and the secret on the backup host. -->
	    <auth start="true" users="yzl" passwordfile="/etc/rsync.passwd"/>
	    <userDefinedPort start="false" port="874"/><!-- port=874 -->
	    <timeout start="false" time="100"/><!-- timeout=100 -->
	    <ssh start="false"/>
	</rsync>
	<failLog path="/tmp/rsync_fail_log.sh" timeToExecute="60"/><!--default every 60mins execute once-->
	<crontab start="false" schedule="600"><!--600mins-->
	    <crontabfilter start="false">
		<exclude expression="*.php"></exclude>
		<exclude expression="info/*"></exclude>
	    </crontabfilter>
	</crontab>
	<plugin start="false" name="command"/>
    </sersync>

    <plugin name="command">
	<param prefix="/bin/sh" suffix="" ignoreError="true"/>	<!--prefix /opt/tongbu/mmm.sh suffix-->
	<filter start="false">
	    <include expression="(.*)\.php"/>
	    <include expression="(.*)\.sh"/>
	</filter>
    </plugin>

    <plugin name="socket">
	<localpath watch="/opt/tongbu">
	    <deshost ip="192.168.138.20" port="8009"/>
	</localpath>
    </plugin>
    <plugin name="refreshCDN">
	<localpath watch="/data0/htdocs/cms.xoyo.com/site/">
	    <cdninfo domainname="ccms.chinacache.com" port="80" username="xxxx" passwd="xxxx"/>
	    <sendurl base="http://pic.xoyo.com/cms"/>
	    <regexurl regex="false" match="cms.xoyo.com/site([/a-zA-Z0-9]*).xoyo.com/images"/>
	</localpath>
    </plugin>
</head>

 [[email protected] tasks]# vim run_sersync.yml 
# Start sersync as a daemon with the rendered config. Runs on every play and is not guarded
# by a pid check, so a re-run likely starts a second sersync instance — verify.
- name: run sersync
  shell:
    cmd: "/nfs/GNU-Linux-x86/sersync2 -dro /nfs/GNU-Linux-x86/confxml.xml"
Configure database roles
#编辑任务清单 (note: the role was created as "maria" above but the paths here and the playbook use "mariadb"; remove_user.yml is included but its contents are not shown on this page)
[[email protected] roles]# vim  mariadb/tasks/main.yml 
# mariadb role task order. The root password is set (creat.passwd.yml) before the readiness
# check script is pushed and run, because the check logs in with that password.
# remove_user.yml is referenced here but not shown on this page.
- include: install.yml
- include: start.yml
- include: creat.passwd.yml
- include: copy.sh.yml
- include: run.yml 
- include: create_database.yml
- include: permission.yml 
- include: remove_user.yml
- include: shuaxin.yml
#安装数据库
[[email protected] roles]# vim mariadb/tasks/install.yml 
# Client and server packages from the distro repositories.
- name: Install MariaDB Service
  yum: 
    name: mariadb,mariadb-server
    state: installed
#启动数据库服务   
[[email protected] roles]# vim  mariadb/tasks/start.yml 
# Start the server (not enabled at boot — no `enabled:` key).
- name: Start MariaDB Service
  service:
    name: mariadb
    state: started
    
#推送检测脚本(因为数据库起来以后,可能会有延迟,)
[[email protected] roles]# vim  mariadb/tasks/copy.sh.yml 
# Push the readiness-poll script used by run.yml (see templates/jiance.sh.j2).
- name: create jiance.sh
  template:
    src: jiance.sh.j2
    dest: /root/jiance.sh

#检测数据库的脚本
[[email protected] roles]# vim mariadb/templates/jiance.sh.j2 
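#!/bin/bash
# Block until the local MariaDB answers a query as root; the playbook runs this right after
# starting the service so the following tasks do not race the server's startup.
# The password is passed on the command line and is visible in `ps` while the poll runs;
# a client .my.cnf or MYSQL_PWD would keep it out of the process list.
# Fixed: the original loop never slept, spinning the CPU and hammering the server until it answered.
until mysql -uroot -p123 -e "show databases;" > /dev/null; do
    sleep 1
done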
#运行数据库脚本
[[email protected] roles]# vim  mariadb/tasks/run.yml 
# Runs the poll script pushed by copy.sh.yml; blocks until MariaDB accepts root logins.
- name: run check.sh
  shell:
    cmd: "sh /root/jiance.sh"
    
#创建数据库root用户的密码    
[[email protected] roles]# vim  mariadb/tasks/creat.passwd.yml 
# Set the initial root password (the literal "123" is used by every later task on this page).
# Not idempotent: once root has a password this command fails on the next run.
- name: create mysql_user
  shell:
    cmd: "mysqladmin -uroot password '123'"
#创建数据库    
[[email protected] roles]# vim mariadb/tasks/create_database.yml 
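# Create the application database. IF NOT EXISTS makes the task safe to re-run (the original
# failed the play on a second run because the database already existed).
- name: create database
  shell:
    cmd: 'mysql -uroot -p123 -e "create database if not exists shopxo;"'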
#授权root用户远程登录(默认情况下root用户不能远程登录,此处关系到能否监控到mysql,项目能否安装成功)
[[email protected] roles]# vim mariadb/tasks/permission.yml 
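# Grant root access to shopxo from any host so the web tier (and the exporter) can connect.
# Fixed: the original ran `mysql -root`, which mysql does not read as "-u root"; it only worked
# because the task happens to run as the OS root user. -uroot names the account explicitly.
# 'root'@'%' WITH GRANT OPTION is broader than needed: the troubleshooting section on this page
# grants to '172.16.1.%', which limits remote root to the management subnet.
# The password is on the command line (visible in `ps`); a client .my.cnf would avoid that.
- name: permission user
  shell:
    cmd: "mysql -uroot -p123 -e  \"GRANT ALL PRIVILEGES ON shopxo.* TO 'root'@'%' IDENTIFIED BY '123' WITH GRANT OPTION;\""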
#刷新权限(不刷新的话上面的授权不一定成立)
[[email protected] roles]# vim mariadb/tasks/shuaxin.yml 
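# Reload the grant tables so the GRANT above takes effect.
# Fixed: `-root` replaced with `-uroot` (same problem as permission.yml).
- name: shuaxin permission
  shell:
    cmd: "mysql -uroot -p123 -e \"FLUSH PRIVILEGES;\""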
    
Configure the lb role
#编辑任务清单
[[email protected] roles]# vim lb/tasks/main.yml 
# lb role task order: nginx from nginx.org repo with the reverse-proxy vhost, then keepalived
# with its config, the nginx health script, and a restart.
- include: create_repo.yaml
- include: install_nginx.yaml
- include: vhost.yaml
- include: restart.yaml
- include: install_keepalived.yaml
- include: create_config__keepalived.yaml
- include: create_check_keepalived.yaml
- include: restart_keepalived.yaml
#创建nginx-yum源
[[email protected] roles]# vim lb/tasks/create_repo.yaml 
# Install the nginx.org yum repo definition (see templates/nginx.repo.j2).
- name: create nginx repo
  template:
    src: nginx.repo.j2
    dest: /etc/yum.repos.d/nginx.repo
#nginx-yum源文件内容
[[email protected] roles]# vim lb/templates/nginx.repo.j2 
# Upstream nginx packages. gpgcheck=0 disables package signature verification, and the URL is
# plain http, so packages are installed on trust of the network path; nginx.org publishes a
# signing key that gpgcheck=1 with a gpgkey= line would use.
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
module_hotfixes=true
#安装nginx
[[email protected] roles]# vim lb/tasks/install_nginx.yaml 
# Install nginx from the repo added above.
- name: Install Nginx
  yum: 
    name: nginx
    state: installed
#编辑nginx配置文件
[[email protected] roles]# vim lb/tasks/vhost.yaml 
# Reverse-proxy vhost for www.shopxo.com (see templates/lb.conf.j2).
- name: Create Nginx Vhost Config
  template: 
    src: lb.conf.j2
    dest: /etc/nginx/conf.d/lb.conf
#nginx配置文件内容
[[email protected] roles]# vim lb/templates/lb.conf.j2 
# Load-balancer vhost. The upstream name "discuz" is historical; it points at the web tier.
# NOTE(review): only 172.16.1.7 and .8 are listed, while the [web] inventory group also has .9.
upstream discuz {
	server 172.16.1.7:80;
	server 172.16.1.8:80;

}

server {
	listen 80;
	server_name www.shopxo.com;
	location / {
		proxy_pass http://discuz;
		# Pass the original host and client address on to the backends.
        	proxy_set_header Host $http_host;
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        	proxy_connect_timeout 30;
       		proxy_send_timeout 60;
        	proxy_read_timeout 60;
        
        	proxy_buffering on;
        	proxy_buffer_size 32k;
        	proxy_buffers 4 128k;
	}
}
#重启nginx服务
[[email protected] roles]# vim lb/tasks/restart.yaml 
# Restart nginx to pick up lb.conf.
- name: Restart Nginx Service
  service:
    name: nginx
    state: restarted
#安装keepalived
[[email protected] roles]# vim lb/tasks/install_keepalived.yaml 
# VRRP daemon that owns the 172.16.1.3 virtual IP.
- name: Install Keepalived
  yum:
    name: keepalived
    state: installed
#编辑keepalived配置文件
[[email protected] roles]# vim lb/tasks/create_config__keepalived.yaml 
# Render keepalived.conf.j2; router_id comes from the host name.
- name: Create Keepalived Config
  template:
    src: keepalived.conf.j2
    dest: /etc/keepalived/keepalived.conf
#keepalived配置文件内容
[[email protected] roles]# vim lb/templates/keepalived.conf.j2 
# keepalived config rendered on every lb host. Both nodes get the same state/priority from this
# template (BACKUP, 100, nopreempt), so the initial master is decided by VRRP tie-breaking
# rather than by configuration — presumably intended; confirm.
global_defs {
    router_id {{ ansible_hostname }}
}

#设置自定化检测脚本
# check_web has no `weight`, so a failing script puts the instance into FAULT and releases the VIP.
vrrp_script check_web {
    script "{{ CHECK_WEB_SHELL }}"
    interval 2 
}

vrrp_instance VI_1 {
        state BACKUP
        interface eth1
        virtual_router_id 51
        priority 100
        nopreempt
        advert_int 3
        # PASS auth with a fixed "1111": only protects against accidental VRRP peers on eth1,
        # not against anyone who can sniff that segment.
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        virtual_ipaddress {
            172.16.1.3
        }
        # 调用脚本
        track_script {
            check_web
        }
}

#推送检测nginx心跳的脚本
[[email protected] roles]# vim lb/tasks/create_check_keepalived.yaml 
# Install the nginx health script at the path keepalived.conf references (CHECK_WEB_SHELL).
# No `mode:` is set, so execute permission depends on defaults — the vrrp_script needs it; verify.
- name: Create Test Shell File
  template:
    src: check_web.sh.j2
    dest: "{{ CHECK_WEB_SHELL }}"
#检测nginx心跳的脚本文件
[[email protected] ~]# cat /etc/ansible/roles/lb/templates/check_web.sh.j2 
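#!/bin/bash
# keepalived track_script: if no nginx process is running, try to start nginx once; if it is
# still absent three seconds later, stop keepalived so the VIP moves to the other node.
# keepalived evaluates the exit status, so the script must end successfully while nginx is up
# (it does: the outer `if` is the last statement).

# Count nginx processes. `pgrep -c` replaces the original `ps -ef | grep [n]ginx | wc -l`, which
# also relied on an unquoted glob that would misbehave with a file named "nginx" in the cwd.
count_nginx() {
  pgrep -c nginx
}

if [ "$(count_nginx)" -eq 0 ]; then
  systemctl start nginx
  sleep 3
  if [ "$(count_nginx)" -eq 0 ]; then
    systemctl stop keepalived.service
  fi
fi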
#定义变量
[[email protected] ansible]# vim roles/lb/defaults/main.yml 
# Path of the nginx health script; used by both the template task and keepalived.conf.j2.
CHECK_WEB_SHELL: /etc/keepalived/check_web.sh
#重启keepalived服务
[[email protected] roles]# vim lb/tasks/restart_keepalived.yaml 
# Task name says "Start" but the state is `restarted`, so keepalived is bounced on every run.
- name: Start Keepalived Service
  service:
    name: keepalived
    state: restarted
Configure nginx role
#编辑任务清单
[[email protected] roles]# vim nginx/tasks/main.yml 
# nginx role task order for the web tier: www user, nginx.org repo, package, nginx.conf, start.
- include: create_user.yml
- include: create_repo.yml
- include: install.yml
- include: nginx.conf.yml
- include: start.yml
#创建用户
[[email protected] roles]# vim nginx/tasks/create_user.yml 
# Worker user; uid 1000 matches the NFS squash so the mounted site is writable by nginx/php-fpm.
- name: Create User
  user:
    name: "{{ USER_NAME }}"
    uid: "{{ UID }}"
#定义变量
[[email protected] roles]# vim nginx/defaults/main.yml 
# Role defaults; also consumed by the php role's www.conf.j2, which has no defaults of its own.
USER_NAME: www
UID: 1000
#创建nginx-yum源
[[email protected] roles]# vim nginx/tasks/create_repo.yml 
# Install the nginx.org yum repo definition (same template as the lb role).
- name: create nginx repo
  template:
    src: nginx.repo.j2
    dest: /etc/yum.repos.d/nginx.repo
#编写nginx源
[[email protected] roles]# vim nginx/templates/nginx.repo.j2 
# Same repo definition as in the lb role: gpgcheck=0 and plain http, so package signatures are
# not verified; gpgcheck=1 plus a gpgkey= line would restore that check.
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
module_hotfixes=true
#安装nginx
[[email protected] roles]# vim nginx/tasks/install.yml 
# Install nginx from the repo added above.
- name: Install Nginx Service
  yum: 
    name: nginx
    state: installed
#推送nginx配置文件
[[email protected] roles]# vim nginx/tasks/nginx.conf.yml 
# Replace the packaged nginx.conf with the role's template (worker user = USER_NAME).
- name: change nginx.conf     
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
#nginx配置文件内容
[[email protected] roles]# cat nginx/templates/nginx.conf.j2 

# Main nginx config for the web tier: the stock nginx.org file with the worker user templated.
# Vhosts (shopxo.conf from the package role) are picked up via conf.d/*.conf.
user  {{ USER_NAME }};
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
#启动服务
[[email protected] roles]# vim nginx/tasks/start.yml 
# Start nginx (not enabled at boot — no `enabled:` key).
- name: Start Nginx Server
  service:
    name: nginx
    state: started
Configure package
#编辑任务清单
[[email protected] roles]# vim package/tasks/main.yml 
# package role: site vhost + NFS mount of the shop code on the web tier, then an nginx restart.
- include: create_dir.yml
- include: shopxo.yml
- include: permission.yml
- include: mount.yml
- include: remove.yml
- include: restart.yml
#创建挂载目录
[[email protected] roles]# vim package/tasks/create_dir.yml 
# Document root placeholder; `name` is an alias of `path` in the file module. The NFS mount
# over /www later hides this local directory.
- name: Create Dir
  file:
    name: "{{ ROOT_PATH }}"
    state: directory
#定义变量
[[email protected] roles]# vim package/defaults/main.yml 
# Site document root inside the mounted /www share.
ROOT_PATH: /www/shopxo/public/
#编辑站点目录
[[email protected] roles]# vim package/tasks/shopxo.yml 
# Site vhost; the shopxo.conf.j2 template itself is not shown on this page.
- name: Create discuz Config
  template: 
    src: shopxo.conf.j2
    dest: /etc/nginx/conf.d/shopxo.conf

#此步骤是因为程序里用的是apace用户,与我们自己定义的www用户不一致
[[email protected] roles]# vim package/tasks/permission.yml 
# The PHP packages create /var/lib/php for the apache user; hand it to www so php-fpm (running
# as www) can write sessions there.
- name: permisson
  shell: 
    cmd: "chown -R www.www /var/lib/php"
#挂载目录
[[email protected] roles]# vim package/tasks/mount.yml 
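# Mount the shop code share from the nfs host over /www.
# Replaced the shell `mount -t nfs ...` with the mount module: the shell form stacked a new
# mount on every run and did not survive a reboot; `state: mounted` is idempotent and also
# records the entry in /etc/fstab.
- name: mount dir
  mount:
    path: /www
    src: 172.16.1.31:/nfs/web
    fstype: nfs
    state: mounted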
#删除nginx默认站点文件
[[email protected] roles]# vim package/tasks/remove.yml 
# Drop the packaged default vhost so only shopxo.conf serves port 80.
- name: remove default.conf
  file:
    path: /etc/nginx/conf.d/default.conf
    state: absent
#重启
[[email protected] roles]# vim package/tasks/restart.yml 
# Restart nginx to load shopxo.conf and drop default.conf.
- name: Restart Nginx Service
  service:
    name: nginx
    state: restarted
Configure PHP roles
#编辑PHP任务清单
[[email protected] roles]# vim php/tasks/main.yml 
# php role task order: webtatic repo, PHP 7.1 packages, php-fpm pool config, start php-fpm.
- include: php.repo.yml
- include: install.yml 
- include: www.conf.yml
- include: start.yml
#创建PHPyum源
[[email protected] roles]# vim php/tasks/php.repo.yml 
# Install the webtatic yum repo definition (see templates/php.repo.j2).
- name: create PHP Yum Repo
  template: 
    src: php.repo.j2
    dest: /etc/yum.repos.d/php.repo
#编辑PHP-yum源文件
[[email protected] roles]# cat php/templates/php.repo.j2 
# Third-party PHP 7.1 packages fetched over plain http with gpgcheck=0, i.e. no signature check
# on anything installed from here; enabling gpgcheck with the repo's key would close that gap.
[php-webtatic]
name = PHP Repo
baseurl = http://us-east.repo.webtatic.com/yum/el7/x86_64/
gpgcheck = 0
#安装PHP
[[email protected] roles]# vim php/tasks/install.yml 
# PHP 7.1 (webtatic "php71w" builds) with fpm and the extensions the shop needs.
# `notify: Start_PHP_Serivice` references a handler that is not shown on this page; start.yml
# starts php-fpm explicitly anyway.
- name: Install PHP Service
  yum:
    name: php71w,php71w-cli,php71w-common,php71w-devel,php71w-embedded,php71w-gd,php71w-mcrypt,php71w-mbstring,php71w-pdo,php71w-xml,php71w-fpm,php71w-mysqlnd,php71w-opcache,php71w-pecl-memcached,php71w-pecl-redis,php71w-pecl-mongodb,php71w-bcmath 
    state: installed
  notify: Start_PHP_Serivice
#编辑PHP配置文件
[[email protected] roles]# vim php/tasks/www.conf.yml 
# Render the php-fpm pool config (user/group = USER_NAME).
- name: Copy PHP Config
  template: 
    src: www.conf.j2
    dest: /etc/php-fpm.d/www.conf
#编辑文件内容  
[[email protected] roles]# cat php/templates/www.conf.j2 
; php-fpm pool for the shop. USER_NAME is not defined in this role's defaults; it resolves only
; because the nginx role (which defines it) runs in the same play — confirm if roles are reordered.
; The pool listens on loopback only and restricts clients to 127.0.0.1, so it is not reachable
; from other hosts.
[www]
user = {{ USER_NAME }}
group = {{ USER_NAME }}
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
; Session dir under /var/lib/php — this is why the package role chowns that tree to www.
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
#开启PHP服务
[[email protected] roles]# vim php/tasks/start.yml 
# Start php-fpm (not enabled at boot — no `enabled:` key).
- name: start php server
  service: 
    name: php-fpm
    state: started


Configure prometheus role
#编写prometheus任务清单
[[email protected] roles]# vim prometheus/tasks/main.yml 
# prometheus role tasks (first part; the restart task shown further down belongs to the same
# file). The install script fetches the release from GitHub without a checksum check.
#运行prometheus脚本
- name: script prometheus.sh
  script: prometheus.sh
#复制grafana压缩包
- name: config  grafana-7.3.6-1.x86_64.rpm
  copy:
    src: grafana-7.3.6-1.x86_64.rpm
    dest: /opt/
#安装grafana压缩包
# Local rpm via shell; `yum: name: /opt/<rpm>` would do the same idempotently.
- name: install grafana-7.3.6-1.x86_64.rpm
  shell: yum install -y /opt/grafana-7.3.6-1.x86_64.rpm
#配置prometheus文件
- name: config prometheus.yml 
  copy:
    src: prometheus.yml
    dest: /usr/local/prometheus/
#prometheus脚本
[[email protected] roles]# vim prometheus/files/prometheus.sh 
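#!/bin/bash
# prometheus.sh — download Prometheus 2.27.1, install it under /usr/local and register a
# systemd unit. Executed as root on the monitoring host by the role's `script:` task.
# Review note: the tarball is fetched without verifying a checksum or signature; the upstream
# release publishes sha256sums that could be checked before extraction.
version=2.27.1
tarball="prometheus-${version}.linux-amd64.tar.gz"

echo "1.下载"
cd /opt/ || exit 1
wget "https://github.com/prometheus/prometheus/releases/download/v${version}/${tarball}" || exit 1

echo "2.解压"
tar -xf "/opt/${tarball}" -C /usr/local/ || exit 1

echo "3. 建立超链接"
# -sfn replaces an existing link so the script can be re-run (the original `ln -s` failed then).
ln -sfn "/usr/local/prometheus-${version}.linux-amd64" /usr/local/prometheus || exit 1

echo "4.创建环境变量"
# Fixed: the original double-quoted "$PATH", baking this script's PATH into the profile snippet
# at install time. Single quotes keep it literal; skip the append if the line is already there.
profile_line='export PATH=$PATH:/usr/local/prometheus/'
grep -qxF "${profile_line}" /etc/profile.d/prometheus.sh 2>/dev/null \
  || echo "${profile_line}" >> /etc/profile.d/prometheus.sh

echo "5.加载环境变量"
# Only affects this shell; kept for parity with the documented steps.
source /etc/profile

echo "6.创建promethets的systemd启动文件"
# `>` instead of `>>`: re-running the script previously appended a second copy of the unit.
cat >/usr/lib/systemd/system/prometheus.service <<'EOF'
[Unit]
Description=https://prometheus.io

[Service]
Restart=on-failure
ExecStart=/usr/local/prometheus/prometheus --config.file=/usr/local/prometheus/prometheus.yml

[Install]
WantedBy=multi-user.target
EOF
echo "7.启动promethets"
systemctl daemon-reload || exit 1
systemctl enable --now prometheus.service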
#prometheus配置文件内容
[[email protected] roles]# cat prometheus/files/prometheus.yml 
# Prometheus server config pushed to /usr/local/prometheus/. Scrapes itself, node_exporter on
# the three web hosts and mysqld_exporter on the db host. Nothing here configures TLS or
# authentication for the Prometheus port itself (that would live in a separate web config
# file), so the UI/API are open to whoever can reach 172.16.1.71:9090 — confirm exposure.
# my global config
global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  #服务名
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    #端口
    static_configs:
    - targets: ['172.16.1.71:9090']
    
  # Three separate static_config entries; a single targets list would be the usual form.
  - job_name: 'linux12 web'
    static_configs:
    - targets: ['172.16.1.7:9100']
    - targets: ['172.16.1.8:9100']
    - targets: ['172.16.1.9:9100']
  
  - job_name: 'linux12 db'
    static_configs:
    - targets: ['172.16.1.51:9104']
#开启grafana和prometheus服务
# Last task of prometheus/tasks/main.yml (shown here after the config file): restart both services.
- name: start grafana-server.service && prometheus.service
  systemd:
    name: "{{ item.name }}"
    state: restarted
  with_items:
    - { name: "grafana-server.service" }
    - { name: "prometheus.service" }



Configure prometheus-db (monitor db database)
#编辑任务清单
[[email protected] roles]# vim prometheus-db/tasks/main.yml
# prometheus-db role: unpack mysqld_exporter 0.12.1 from the role's files/ dir, write its
# credentials file, register the unit. The `restart_mysqld_exporter.service` handler both
# tasks notify is not shown on this page.
- name: unarchive  mysqld_exporter-0.12.1.linux-amd64.tar.gz 
  unarchive:
    src: mysqld_exporter-0.12.1.linux-amd64.tar.gz
    dest: /usr/local/
#创建mysql可供prometheus监控的端口
- name: script mysqld_exporter.sh
  script: mysqld_exporter.sh
  notify: restart_mysqld_exporter.service
#添加启动端口的配置文件
- name: script mysqld_systemd.sh
  script: mysqld_systemd.sh
  notify: restart_mysqld_exporter.service
#创建mysql端口的文件
[[email protected] roles]# vim prometheus-db/files/mysqld_exporter.sh 
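#!/bin/bash
# mysqld_exporter.sh — link the unpacked mysqld_exporter 0.12.1 into place and write the client
# credentials file it reads via --config.my-cnf. Runs as root on the db host.
# Review note: the exporter connects as the database root user; a dedicated account with only
# the privileges the exporter needs would limit what a leaked credential grants.
echo "1. 建立超链接"
# -sfn so a re-run replaces the existing link instead of failing.
ln -sfn /usr/local/mysqld_exporter-0.12.1.linux-amd64/ /usr/local/mysqld_exporter || exit 1
echo "2.编辑my.cnf"

# `>` instead of `>>`: a re-run rewrites the file rather than appending a second [client] block.
cat > /usr/local/mysqld_exporter/.my.cnf <<'EOF'
[client]
host=172.16.1.51
user=root
password=123
EOF
# The file holds a database password; the unit runs as root, so owner-only access is enough.
chmod 600 /usr/local/mysqld_exporter/.my.cnf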
#创建启动mysql.sh文件内容
[[email protected] roles]# vim prometheus-db/files/mysqld_systemd.sh 
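#!/bin/bash
# mysqld_systemd.sh — register mysqld_exporter as a systemd service listening on :9104.
echo "1.创建systemdqldmysqld_exporter.service务"
# `>` instead of `>>`: the original appended and so duplicated the unit on every run.
# DATA_SOURCE_NAME is restored from the post's e-mail-obfuscated rendering; it repeats the
# credentials already in .my.cnf and puts the password into a world-readable unit file, so the
# --config.my-cnf path alone would be the safer source of the password.
cat > /usr/lib/systemd/system/mysqld_exporter.service <<'EOF'
[Unit]
Description=Prometheus

[Service]
Environment=DATA_SOURCE_NAME=root:123@tcp(172.16.1.51:3306)/
ExecStart=/usr/local/mysqld_exporter/mysqld_exporter --config.my-cnf=/usr/local/mysqld_exporter/.my.cnf --web.listen-address=:9104
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

echo "2.启动node_exporter服务"
systemctl daemon-reload || exit 1
systemctl enable --now mysqld_exporter.service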
Configure prometheus-web role (monitor web cluster)
#配置任务清单
[[email protected] roles]#vim prometheus-web/tasks/main.yml 
# prometheus-web role: unpack node_exporter 1.1.2 on each web host and register its unit.
- name : unarchive node_exporter-1.1.2.linux-amd64.tar.gz
  unarchive:
    src: node_exporter-1.1.2.linux-amd64.tar.gz
    dest: /usr/local/
#运行node.sh(创建node端口)
- name: script node.sh
  script: node.sh

[[email protected] roles]# vim prometheus-web/files/node.sh 
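#!/bin/bash
# node.sh — link node_exporter 1.1.2 into /usr/local/node_exporter and install its systemd unit.
# The exporter serves /metrics on :9100 to any client that can reach the host; nothing here
# restricts that, so the firewall on the web hosts decides who can read it — verify.
echo "1. 建立超链接"
# -sfn so a re-run replaces the existing link instead of failing.
ln -sfn /usr/local/node_exporter-1.1.2.linux-amd64/ /usr/local/node_exporter || exit 1

echo "2.创建systemd服务"
# Quoted delimiter so $MAINPID reaches the unit file literally.
cat > /etc/systemd/system/node_exporter.service <<'EOF'
[Unit]
Description=This is prometheus node exporter
# Fixed: the original ordered the unit after itself (After=node_exporter.service).
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/node_exporter/node_exporter
# Fixed: the original `ExecReload=/bin/kill -HUP` had no PID argument.
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
echo "3.启动node_exporter服务"
systemctl daemon-reload || exit 1
systemctl enable --now node_exporter.service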

##### Edit the overall configuration file

[[email protected] roles]# cat ../shopxo.yml 
# Top-level playbook: one play per inventory group, every play connecting as root.
# Role order inside the web play matters: package mounts /www and the php pool template reads
# USER_NAME from the nginx role's defaults, so nginx must stay first.
- hosts: backup
  remote_user: root
  roles: 
    - backup
- hosts: nfs
  remote_user: root
  roles:
    - nfs
- hosts: web
  remote_user: root
  roles:
    - nginx  
    - php
    - package
    - prometheus-web
- hosts: db
  remote_user: root
  roles:
    - mariadb
    - prometheus-db
- hosts: lb
  remote_user: root
  roles:
    - lb
- hosts: prometheus
  remote_user: root
  roles:
    - prometheus

For the operation of monitoring (prometheus), please refer to:
https://blog.csdn.net/givenchy_yzl/article/details/117459102

If the application cannot reach the database:

The remote account has not been granted access; use the following commands to grant it
MariaDB [mysql]> grant all on *.* to root@'172.16.1.%' identified by '123';
MariaDB [mysql]> flush privileges;

If Prometheus cannot collect MySQL metrics (mysqld_exporter cannot log in)
[[email protected] mysqld_exporter]# mysql -uroot -p123

MariaDB [(none)]> use mysql;

MariaDB [mysql]> select Host,User from user;

MariaDB [mysql]> grant all on *.* to root@'172.16.1.%' identified by '123';

MariaDB [mysql]> delete from user where Host <> "172.16.1.%";   -- note: this also removes root@localhost, so after this step local root logins must come from a 172.16.1.x address

MariaDB [mysql]> flush privileges;

MariaDB [mysql]> select Host,User from user;
+------------+------+
| Host       | User |
+------------+------+
| 172.16.1.% | root |
+------------+------+
1 row in set (0.00 sec)

[[email protected] mysqld_exporter]# systemctl restart mariadb.service mysqld_exporter.service

Expansion: database commands that may be used

show databases;       //查看数据库
use  数据库名;         
show tables;          //查看数据表
describe 数据库名;     //显示数据表的结构(字段)
create  database  数据库名;               //创建数据库
create  table  表名(字段定义....)        //创建数据表

通过MySQL用户去限制访问
开启远程访问:
- 更新用户
use mysql;
update user set host = "%" where user = "root";
flush privileges;
- 添加用户
use mysql;
insert into user(host, user, password) values("%", "root", password("yourpassword"));
grant all privileges on *.* to 'root'@'%' with grant option; #赋予任何主机访问数据库权限
flush privileges;
关闭远程访问:
use mysql;
update user set host = "localhost" where user = "root" and host = "%";
flush privileges;
查看用户权限:
use information_schema;
select * from user_privileges;
查看当前mysql用户:
use mysql;
select user, host from user;
更新用户:
update mysql.user set password=password('新密码') where User="phplamp" and Host="localhost";
flush privileges;

删除用户:
DELETE FROM user WHERE User="phplamp" and Host="localhost";
flush privileges;
delete from user where Host <> "172.16.1.%";
flush privileges;

user host指定方法:
Host值可以是主机名或IP号,或’localhost’指出本地主机。
你可以在Host列值使用通配符字符“%”和“_”。
host值’%’匹配任何主机名,空Host值等价于’%’。它们的含义与LIKE操作符的模式匹配操作相同。例如,’%’的Host值与所有主机名匹配,而’%.mysql.com’匹配mysql.com域的所有主机。

ip地址例子:
192.0.0.0/255.0.0.0(192 A类网络的任何地址)
192.168.0.0/255.255.0.0(192.168 A类网络的任何地址)
192.168.1.0/255.255.255.0(192.168.1 C类网络的任何地址)
192.168.1.1(只有该IP)

删除用户授权,需要使用REVOKE命令,具体命令格式为:
REVOKE privileges ON 数据库[.表名]FROM user-name;
具体实例,先在本机登录mysql:
mysql -u root -p"youpassword"
进行授权操作:
GRANT select,insert,update,delete ON shopxo.* TO test-user@"%" IDENTIFIED BY "123";
GRANT all ON shopxo.* TO test-user@"%" IDENTIFIED BY "123";
再进行删除授权操作:
REVOKE all on TEST-DB from test-user;
****注:该操作只是清除了用户对于TEST-DB的相关授权权限,但是这个“test-user”这个用户还是存在。

最后从用户表内清除用户:
DELETE FROM user WHERE user="test-user";

重载授权表:
FLUSH PRIVILEGES;

Data upload directory: /www/shopxo/public/static/upload/