从零开始的云计算生活——项目实战
一.项目需求
二.主机清单与角色分配
三.基础环境部署(所有节点)
系统初始化
安全加固与工具集
内核参数优化(所有节点)
四.各主机需要安装的应用列表
五.NFS存储服务器和ELK日志系统部署(在elk_nfs节点上操作)
1.安装NFS服务
2. 创建共享目录
3. 配置NFS共享
4. 启动NFS服务
5.安装Elasticsearch,logstash,kibana
6.配置elk参数
六.Web服务器部署(在web_01和web_02上操作)
1. 安装NFS客户端并挂载共享目录
2. 部署PHP环境(用于Discuz)
3. 部署Tomcat环境(用于Java商城)(java8,tomcat8)
编辑编辑编辑
4.部署Nginx
5. 部署应用(示例,实际需要下载应用代码)
七.负载均衡器部署(在lb_01和lb_02上操作)
1. 安装HAProxy和Keepalived
2. 配置HAProxy(两台负载均衡器配置相同)
3. 配置Keepalived(实现高可用)
八.Redis高可用部署(在redis_01和redis_02上操作)
1. 安装Redis
2. 配置主从复制
编辑编辑
3. 启动Redis
4. 验证主从
九.MySQL高可用部署(在db_01和db_02上操作)
6.1 安装MySQL
6.2 初始化MySQL
6.3 配置主主复制
6.4 配置主主复制
6.5 检查复制状态
十.Zabbix监控部署(在zas_00节点上操作)
1. 安装Zabbix Server
2. 创建数据库(在MySQL主节点上操作,比如db_01)
3. 导入初始数据(在zas_00上操作)
验证导入结果
4. 配置Zabbix Server连接数据库
5. 启动Zabbix Server
6. 配置PHP时区(Zabbix前端)
监控全部服务器
十一.Rsync备份服务器(在rbk_00节点上操作)
1. 安装Rsync
2. 配置Rsync服务端
3. 创建备份目录
4. 启动Rsync服务
5.在NFS服务器(elk_nfs)上设置实时同步
任务2代理层可以通过HAproxy基于ACL实现不同的域名访问到不同的应用上。
任务五部署ELK日志监控系统,收集所有服务器的日志信息。被监控端使用filebeat采集日志信息
任务八采用role角色方式实现自动化部署
创建主机清单
设置全局变量(group_vars/all.yml)
创建角色(Roles)
编写主剧本(site.yml)
执行部署
一.项目需求
1.WEB服务器层部署nginx与php环境;tomcat环境;分别部署Discuz(基于PHP)和线上商城应用(基于java),业务应用的数据存储在nfs服务器中。
2.代理层可以通过HAproxy基于ACL实现不同的域名访问到不同的应用上。
3. Reids缓存层实现高可用。
4.MySQL数据库层实现高可用。
5.部署ELK日志监控系统,收集所有服务器的日志信息。被监控端使用filebeat采集日志信息
6.部署Zabbix监控系统,监控:系统、中间件等
7.部署Rsync备份系统,使得nfs服务的数据能够实时备份。
8.整套项目最终汇写成Ansible部署的Plavbook脚本,采用role角色方式实现自动化部署
二.主机清单与角色分配
三.基础环境部署(所有节点)
系统初始化
# 设置主机名(以lb_01为例)sudo hostnamectl set-hostname lb_01# 配置静态IP(所有节点)sudo tee /etc/sysconfig/network-scripts/ifcfg-ens33 <<EOFTYPE=EthernetPROXY_METHOD=noneBROWSER_ONLY=noBOOTPROTO=staticDEFROUTE=yesIPV4_FAILURE_FATAL=noIPV6INIT=yesIPV6_AUTOCONF=yesIPV6_DEFROUTE=yesIPV6_FAILURE_FATAL=noIPV6_ADDR_GEN_MODE=eui64NAME=ens33DEVICE=ens33ONBOOT=yesIPADDR=192.168.71.111PREFIX=24GATEWAY=192.168.71.2DNS1=8.8.8.8EOF# 全局hosts解析sudo tee -a /etc/hosts <<EOF192.168.71.111 lb_01192.168.71.112 lb_02192.168.71.113 web_01192.168.71.114 web_02192.168.71.115 redis_01192.168.71.116 redis_02192.168.71.117 db_01192.168.71.118 db_02192.168.71.119 elk_nfs192.168.71.120 zab_ans192.168.71.121 rsy_bkEOF安全加固与工具集
# 关闭防火墙(测试环境)sudo systemctl stop firewalld && sudo systemctl disable firewalld# 禁用SELinuxsudo setenforce 0sudo sed -i \'s/SELINUX=enforcing/SELINUX=disabled/g\' /etc/selinux/config# 安装基础工具sudo yum install -y epel-releasesudo yum install -y vim net-tools wget curl telnet chrony sshpass# 时间同步sudo systemctl enable chronyd && sudo systemctl start chronydsudo chronyc sources内核参数优化(所有节点)
# 增加文件描述符限制sudo tee -a /etc/security/limits.conf <<EOF* soft nofile 65535* hard nofile 65535* soft nproc 65535* hard nproc 65535EOF# 内核参数优化sudo tee -a /etc/sysctl.conf <<EOFnet.core.somaxconn = 2048net.ipv4.tcp_max_syn_backlog = 4096vm.swappiness = 10vm.overcommit_memory = 1EOFsudo sysctl -p四.各主机需要安装的应用列表
haproxy keepalivednginx php-fpm php-mysqlnd tomcat8 java-8redis sentinel keepalived (VIP管理)mysql-server nfs-utils elasticsearch logstash kibana filebeatzabbix-server-mysql zabbix-web-mysql zabbix-agent2 ansiblersync inotify-tools根据项目需求,我们为每台主机规划需要安装的软件:
-
调度器 (lb_01, lb_02):
- HAProxy(用于负载均衡)
- Keepalived(用于VIP高可用)
-
应用服务器 (web_01, web_02):
- Nginx(Web服务器)
- PHP(运行Discuz)
- Tomcat(运行Java商城应用)
- 其他依赖:PHP扩展(如php-fpm, php-mysqlnd等)、JDK
-
Redis服务器 (redis_01, redis_02):
- Redis(缓存服务)
- Redis Sentinel(实现高可用)
- Keepalived(用于VIP漂移,可选,但需求中要求高可用,通常使用Sentinel+VIP方式)
-
数据库服务器 (db_01, db_02):
- MySQL(数据库服务)
- MHA或Galera Cluster相关软件(实现高可用)
- 如果使用MHA,则需要额外的管理节点(但这里没有单独节点,可能安装在db_01或db_02上,或者利用zas_00)
-
ELK与NFS服务器 (elk_nfs):
- NFS服务端(共享存储)
- Elasticsearch(日志存储)
- Logstash(日志处理)
- Kibana(日志展示)
- 同时,该主机需要配置为NFS服务器
-
Zabbix与Ansible服务器 (zas_00):
- Zabbix Server(监控服务)
- Zabbix Agent(自身监控)
- Ansible(自动化部署)
- 可能还需要安装Zabbix Web前端(需要Web服务器和数据库,数据库可以连接db_01/db_02)
-
Rsync备份服务器 (rbk_00):
- Rsync(备份服务)
- 可能还需要inotify-tools(用于实时备份,但通常安装在NFS服务器上触发)
五.NFS存储服务器和ELK日志系统部署(在elk_nfs节点上操作)
1.安装NFS服务
dnf install nfs-utils -y
2. 创建共享目录
mkdir -p /data/web_appschmod 777 /data/web_apps # 为了方便,赋予所有用户读写权限,生产环境需根据用户权限设置3. 配置NFS共享
# 编辑/etc/exports文件vim /etc/exports# 添加以下内容,允许整个网段访问(根据你的网络情况,这里是192.168.71.0/24)/data/web_apps 192.168.71.0/24(rw,sync,no_root_squash)4. 启动NFS服务
systemctl enable --now nfs-serverexportfs -r # 重新加载配置exportfs # 查看共享的目录
5.安装Elasticsearch,logstash,kibana
6.配置elk参数
# 配置Elasticsearchvim /etc/elasticsearch/elasticsearch.yml修改以下参数:network.host: 0.0.0.0cluster.name: my-clusternode.name: elk_nfs# 配置Kibanavim /etc/kibana/kibana.yml修改以下参数:server.host: \"0.0.0.0\"elasticsearch.hosts: [\"http://elk_nfs:9200\"]六.Web服务器部署(在web_01和web_02上操作)
1. 安装NFS客户端并挂载共享目录
# 安装NFS客户端工具dnf install nfs-utils -y# 创建本地挂载点mkdir /mnt/web_apps# 挂载NFS共享目录mount -t nfs elk_nfs:/data/web_apps /mnt/web_apps# 设置开机自动挂载echo \"elk_nfs:/data/web_apps /mnt/web_apps nfs defaults 0 0\" >> /etc/fstab# 查看挂载情况df -h
2. 部署PHP环境(用于Discuz)
# 启用PHP模块dnf module enable php:7.4 -y# 安装PHP及相关扩展dnf install php php-fpm php-mysqlnd php-gd php-mbstring -y# 启动php-fpm服务systemctl enable --now php-fpm# 检查状态systemctl status php-fpm
3. 部署Tomcat环境(用于Java商城)(java8,tomcat8)
# 安装OpenJDK和Tomcatdnf install java tomcat -y# 启动Tomcat服务systemctl enable --now tomcat# 检查状态systemctl status tomcat
4.部署Nginx
# 安装Nginxdnf install nginx -y# 配置Nginx支持PHP和Tomcat# 在/etc/nginx/conf.d/目录下创建两个配置文件:discuz.conf和shop.conf# discuz.conf配置(用于Discuz)cat > /etc/nginx/conf.d/discuz.conf < /etc/nginx/conf.d/shop.conf <<EOFserver { listen 80; server_name shop.example.com; location / { proxy_pass http://192.168.71.113:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; }}EOF# 启动Nginxsystemctl enable --now nginx5. 部署应用(示例,实际需要下载应用代码)
在NFS共享目录上创建应用目录(在elk_nfs上操作,因为web服务器已经挂载)# 在elk_nfs上执行mkdir /data/web_apps/discuzmkdir /data/web_apps/shop下载Discuz并解压到共享目录(在任意一台机器上操作,因为共享目录已经挂载到所有web服务器)# 在web_01或web_02上操作cd /mnt/web_appswget https://download.comsenz.com/DiscuzX/3.4/Discuz_X3.4_SC_UTF8.zipunzip Discuz_X3.4_SC_UTF8.zip -d discuzchmod -R 777 discuz/upload # 赋予Discuz需要的权限# 将商城应用(假设是一个war包)放到Tomcat的webapps目录(这里放在本地,因为Tomcat服务在各自机器上)# 注意:这里因为是测试,所以直接放到本地Tomcat的webapps目录,实际生产可以将商城代码放在共享目录,然后做软链接到Tomcat的webapps目录。# 例如,在web_01上:wget -O /usr/share/tomcat/webapps/shop.war http://example.com/shop.war# Tomcat会自动解压war包根据你的情况,需要将Discuz源码解压到NFS挂载目录,并确保Nginx配置正确。以下是具体步骤:### **一、解压Discuz源码到NFS挂载目录**```bash# 进入root目录(假设压缩包在此)cd ~# 创建临时目录并解压mkdir discuz_tempunzip Discuz_X3.5_SC_UTF8_20250205.zip -d discuz_temp# 复制到NFS挂载目录(确保权限正确)cp -r discuz_temp/upload/* /var/www/discuz/ # 覆盖已有文件(如果有)# 设置权限chown -R nginx:nginx /var/www/discuzchmod -R 777 /var/www/discuz/data # Discuz数据目录需要写权限```### **二、配置Nginx访问Discuz**编辑Nginx配置文件:```bashvim /etc/nginx/conf.d/discuz.conf```确保配置如下:```confserver { listen 80; server_name 192.168.52.113; root /var/www/discuz; # 指向Discuz根目录 index index.php index.html; # PHP处理 location ~ \\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } # 静态文件优化(可选) location / { try_files $uri $uri/ /index.php?$query_string; }}```### **三、重启Nginx服务**```bashnginx -t # 检查配置语法systemctl restart nginx```### **四、访问Discuz安装向导**1. **删除安装锁定文件**(如果存在): ```bash rm -f /var/www/discuz/install/lock ```2. **浏览器访问安装页面**: ``` http://192.168.52.113/install/ # 进入安装向导 ```3. **按提示完成安装**: - 选择“全新安装” - 填写数据库信息(使用项目中的MySQL服务器,如`db_01`) - 设置管理员账号 - 完成安装后,删除`install`目录: ```bash rm -rf /var/www/discuz/install ```### **五、验证安装**访问Discuz首页:```http://192.168.52.113/```如果看到论坛页面,说明安装成功。### **常见问题**1. **500 Internal Server Error**: - 检查PHP错误日志:`tail -f /var/log/nginx/error.log` - 确保`/var/www/discuz/data`目录可写2. **白屏或无法加载页面**: - 检查Nginx配置路径是否正确 - 确认PHP-FPM服务正常运行:`systemctl status php-fpm`3. **数据库连接失败**: - 确保MySQL服务器可访问(使用`mysql`命令测试) - 检查Discuz安装时填写的数据库用户名、密码、主机是否正确完成以上步骤后,Discuz将通过Nginx+PHP-FPM正常运行,且数据存储在NFS服务器中,符合项目架构设计。要在db_01主机上创建Discuz所需的数据库,并完成安装,可按以下步骤操作:### **一、在db_01(192.168.71.117)上创建Discuz数据库**#### 1. 登录MySQL(使用root账号)```bashmysql -u root -p```输入root密码后进入MySQL命令行。#### 2. 创建Discuz数据库```sqlCREATE DATABASE discuz CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;```#### 3. 创建专用用户并授权```sql-- 创建用户(用户名: discuz,密码: your_password)CREATE USER \'discuz\'@\'%\' IDENTIFIED BY \'your_password\';-- 授权用户访问discuz数据库GRANT ALL PRIVILEGES ON discuz.* TO \'discuz\'@\'%\';-- 刷新权限FLUSH PRIVILEGES;```**注意**:将`your_password`替换为强密码,并记住此用户名和密码,后续安装Discuz时会用到。### **二、在web_01(192.168.71.113)上完成Discuz安装**#### 1. 浏览器访问安装向导打开浏览器,访问:```http://192.168.71.113/install/```你会看到Discuz安装界面。#### 2. 环境检测点击“下一步”,系统会检查环境配置。确保所有项目均为“通过”,否则需调整PHP配置。#### 3. 填写数据库信息在“创建数据库”页面填写:- **数据库服务器**:`192.168.52.117`(db_01的IP)- **数据库名**:`discuz`(刚才创建的数据库)- **数据库用户名**:`discuz`(刚才创建的用户)- **数据库密码**:`your_password`(刚才设置的密码)- **数据库表前缀**:`pre_`(默认即可)#### 4. 设置管理员账号填写论坛管理员账号信息(如用户名、密码、邮箱)。#### 5. 执行安装点击“执行安装”,系统会自动创建表结构并导入初始数据。#### 6. 完成安装安装成功后,按提示删除`install`目录:```bashrm -rf /var/www/discuz/install```### **三、验证安装**访问Discuz首页:```http://192.168.52.113/```使用刚才设置的管理员账号登录,测试论坛功能。### **常见问题排查**1. **数据库连接失败**: - 检查db_01的MySQL服务是否正常运行:`systemctl status mysqld` - 确认防火墙是否允许web_01访问db_01的3306端口: ```bash # 在db_01上执行 firewall-cmd --permanent --add-port=3306/tcp firewall-cmd --reload ```2. **权限不足**: - 在db_01的MySQL中重新授权用户: ```sql GRANT ALL PRIVILEGES ON discuz.* TO \'discuz\'@\'%\'; FLUSH PRIVILEGES; ```3. **字符集问题**: - 确保数据库创建时使用了`utf8mb4`字符集,以支持Emoji等特殊字符。完成以上步骤后,Discuz将成功连接到MySQL数据库,并通过NFS服务器存储上传的文件,符合项目架构设计。在192.168.71.117的mysql上再创建一个和192.168.71.114连接的用户mysql> create user \'root\'@\'192.168.71.114\' identified by \'Q1w2e3@123!!!!!\';Query OK, 0 rows affected (0.02 sec)mysql> grant all privileges on biyesheji.* to \'root\'@\'192.168.71.114\'; Query OK, 0 rows affected (0.00 sec)mysql> flush privileges -> ;Query OK, 0 rows affected (0.01 sec)mysql> select host, user from mysql.user where user=\'root\';+----------------+------+| host | user |+----------------+------+| 192.168.71.114 | root || localhost | root |+----------------+------+2 rows in set (0.00 sec)将war包放入tomcat的解压文件目录webapps中,将原有ROOT文件夹删除,重命名为ROOT.war,启动tomcat后会自动解压
再进入WEB-INF中的classes,修改jdbc.properties文件,将里面的ip指向117的数据库
重启tomcat,登录8080端口(因为命名为ROOT所以用加文件地址)
七.负载均衡器部署(在lb_01和lb_02上操作)
1. 安装HAProxy和Keepalived
dnf install haproxy keepalived -y2. 配置HAProxy(两台负载均衡器配置相同)
# 备份原配置文件cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak# 编辑配置文件vim /etc/haproxy/haproxy.cfg# 替换为以下内容global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemondefaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000frontend http-in bind *:80 acl host_discuz hdr(host) -i discuz.example.com acl host_shop hdr(host) -i shop.example.com use_backend discuz_cluster if host_discuz use_backend shop_cluster if host_shopbackend discuz_cluster balance roundrobin server web01 192.168.71.113:80 check backend shop_cluster balance roundrobin server web02 192.168.71.114:8080 check# 启动HAProxysystemctl enable --now haproxy若启动未成功查看是否有haproxy用户和组,还有/run/haproxy是否存在(以下是终极解决措施)
清除占用资源# 停止服务并清除残留sudo systemctl stop haproxysudo rm -f /run/haproxy/* # 清除所有套接字文件sudo rm -f /var/run/haproxy.pid # 清除PID文件强制释放占用端口# 查找占用 /run/haproxy 的进程sudo lsof /run/haproxy# 如果发现有残留进程(通常是旧haproxy),立即终止:sudo kill -9 $(sudo lsof -t /run/haproxy)修复目录权限(关键步骤)# 重建运行时目录sudo rm -rf /run/haproxysudo mkdir /run/haproxysudo chown haproxy:haproxy /run/haproxysudo chmod 755 /run/haproxy# 重新启动服务sudo systemctl daemon-reloadsudo systemctl start haproxy3. 配置Keepalived(实现高可用)
lb_01(主)的配置:vim /etc/keepalived/keepalived.confvrrp_script chk_haproxy { script \"killall -0 haproxy\" # 检查haproxy进程是否存在 interval 2 # 每2秒检查一次 weight 2 # 如果检查成功,优先级+2}vrrp_instance VI_1 { state MASTER interface ens33 # 网卡名称,根据实际情况修改 virtual_router_id 51 priority 100 # 主节点优先级高 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.71.254/24 # VIP } track_script { chk_haproxy }}lb_02(备)的配置:vim /etc/keepalived/keepalived.confvrrp_script chk_haproxy { script \"killall -0 haproxy\" interval 2 weight 2}vrrp_instance VI_1 { state BACKUP interface eth0 virtual_router_id 51 priority 99 # 备节点优先级低 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.115.254/24 } track_script { chk_haproxy }}启动Keepalivedsystemctl enable --now keepalived八.Redis高可用部署(在redis_01和redis_02上操作)
1. 安装Redis
dnf install redis -y2. 配置主从复制
在redis_01(主)上配置:vim /etc/redis.conf修改以下参数:bind 0.0.0.0requirepass yourpassword # 设置密码masterauth yourpassword # 主节点也需要设置masterauth,因为可能发生主从切换在redis_02(从)上配置:vim /etc/redis.confbind 0.0.0.0requirepass yourpasswordmasterauth yourpasswordreplicaof redis_01 6379 # 指定主节点
3. 启动Redis
systemctl enable --now redis4. 验证主从
# 在主节点上redis-cli -a yourpassword> info replication# 在从节点上同样执行,查看角色九.MySQL高可用部署(在db_01和db_02上操作)
6.1 安装MySQL
dnf install mysql-server -y6.2 初始化MySQL
mysql_secure_installation# 根据提示设置root密码,并完成初始化# 启用MySQL服务systemctl enable --now mysqld6.3 配置主主复制
在db_01上:# 登录MySQLmysql -u root -p# 创建复制账号CREATE USER \'repl\'@\'%\' IDENTIFIED BY \'replicationpassword\';GRANT REPLICATION SLAVE ON *.* TO \'repl\'@\'%\';# 修改配置文件vim /etc/my.cnf.d/mysql-server.cnf添加以下内容:[mysqld]server-id=1log-bin=mysql-binbinlog_format=ROWgtid_mode=ONenforce_gtid_consistency=ON在db_02上:# 同样登录MySQL创建复制账号(同上)# 修改配置文件vim /etc/my.cnf.d/mysql-server.cnf[mysqld]server-id=2log-bin=mysql-binbinlog_format=ROWgtid_mode=ONenforce_gtid_consistency=ON6.4 配置主主复制
在db_01上执行:CHANGE MASTER TOMASTER_HOST=\'db_02\',MASTER_USER=\'repl\',MASTER_PASSWORD=\'replicationpassword\',MASTER_AUTO_POSITION=1;START SLAVE;在db_02上执行:CHANGE MASTER TOMASTER_HOST=\'db_01\',MASTER_USER=\'repl\',MASTER_PASSWORD=\'replicationpassword\',MASTER_AUTO_POSITION=1;START SLAVE;6.5 检查复制状态
SHOW SLAVE STATUS\\G;# 确保Slave_IO_Running和Slave_SQL_Running都是Yes
十.Zabbix监控部署(在zas_00节点上操作)
1. 安装Zabbix Server
R9rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rocky/9/x86_64/zabbix-release-7.0-5.el9.noarch.rpmR8rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rocky/8/x86_64/zabbix-release-7.0-5.el8.noarch.rpm 下载yum install zabbix-server-mysql zabbix-web-mysql zabbix-nginx-conf zabbix-sql-scripts zabbix-selinux-policy zabbix-agent 2. 创建数据库(在MySQL主节点上操作,比如db_01)
CREATE DATABASE zabbix CHARACTER SET utf8 COLLATE utf8_bin;CREATE USER \'zabbix\'@\'%\' IDENTIFIED BY \'Q1w2e3@123!!!!!\';GRANT ALL PRIVILEGES ON zabbix.* TO \'zabbix\'@\'%\';FLUSH PRIVILEGES;3. 导入初始数据(在zas_00上操作)
R9# 将数据导入到远程数据库zcat /usr/share/doc/zabbix-sql-scripts/mysql/server.sql.gz | mysql -h db_01 -u zabbix -p zabbix --password=Q1w2e3@123!!!!!R8# 将数据导入到远程数据库zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql -h db_01 -u zabbix -p zabbix --password=Q1w2e3@123!!!!!验证导入结果
4. 配置Zabbix Server连接数据库
vim /etc/zabbix/zabbix_server.conf修改以下参数:DBHost=db_01DBName=zabbixDBUser=zabbixDBPassword=Q1w2e3@123!!!!!5. 启动Zabbix Server
systemctl enable --now zabbix-server6. 配置PHP时区(Zabbix前端)
vim /etc/php-fpm.d/zabbix.conf修改:php_value[date.timezone] = Asia/Shanghai按照向导完成安装(数据库配置填写db_01的信息)。
监控全部服务器
十一.Rsync备份服务器(在rbk_00节点上操作)
1. 安装Rsync
dnf install rsync -y2. 配置Rsync服务端
vim /etc/rsyncd.conf添加以下内容:uid = rootgid = rootuse chroot = yesmax connections = 4pid file = /var/run/rsyncd.pidlog file = /var/log/rsyncd.log[web_backup]path = /backupcomment = Backup Directoryread only = no创建rsync.service文件:cat > /etc/systemd/system/rsync.service <<EOF[Unit]Description=Fast remote file copy program daemonAfter=network.target[Service]Type=forkingExecStart=/usr/bin/rsync --daemon Restart=on-failure[Install]WantedBy=multi-user.targetEOF重新加载systemd配置:systemctl daemon-reload启动rsync服务:systemctl start rsync验证服务状态:systemctl status rsync3. 创建备份目录
mkdir /backupchmod 777 /backup4. 启动Rsync服务
systemctl enable --now rsyncd
5.在NFS服务器(elk_nfs)上设置实时同步
# 安装inotify-toolsdnf install inotify-tools -y# 创建实时同步脚本cat > /usr/local/bin/rsync_backup.sh < /var/log/rsync_backup.log 2>&1 &任务2代理层可以通过HAproxy基于ACL实现不同的域名访问到不同的应用上。
配置nginx.conf文件(自己为例)
user nginx;worker_processes auto;error_log /var/log/nginx/error.log;pid /run/nginx.pid;# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.include /usr/share/nginx/modules/*.conf;events { worker_connections 1024;}http { log_format main \'$remote_addr - $remote_user [$time_local] \"$request\" \'\'$status $body_bytes_sent \"$http_referer\" \'\'\"$http_user_agent\" \"$http_x_forwarded_for\"\'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 80; server_name discuz.example.com;root /var/www/discuz; index index.php index.html index.htm; location ~ \\.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location / {try_files $uri $uri/ /index.php?$args; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } # 配置IP访问:重定向到域名 server { listen 80; server_name 192.168.71.113; # 服务器IP return 301 http://discuz.example.com$request_uri;}}# 备份原配置sudo cp /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.bak# 创建安全配置sudo tee /etc/php-fpm.d/www.conf > /dev/null <<\'EOF\'[www]user = nginxgroup = nginxlisten = 127.0.0.1:9000pm = dynamicpm.max_children = 5pm.start_servers = 2pm.min_spare_servers = 1pm.max_spare_servers = 3EOF在本机hosts上增加域名文件
用管理员身份编辑 hosts 文件:关闭所有文本编辑器右键点击 记事本 → 以管理员身份运行点击 文件 → 打开 → 找到 C:\\Windows\\System32\\drivers\\etc\\hosts加入内容192.168.71.100 discuz.example.com192.168.71.100 shop.example.com确认并保存:确保内容不变(如您图5所示)按 Ctrl+S 保存看到 \"是否要以管理员权限覆盖\" 提示 → 点 是强制刷新DNS缓存:(管理员身份打开cmd)ipconfig /flushdnsping discuz.example.com 现在应该看到:正在 Ping discuz.example.com [192.168.71.100] 具有 32 字节的数据:来自 192.168.71.100 的回复...此时登录对应域名即可访问界面
任务五部署ELK日志监控系统,收集所有服务器的日志信息。被监控端使用filebeat采集日志信息
任务八采用role角色方式实现自动化部署
创建主机清单
[load_balancer]lb_01 ansible_host=192.168.71.111lb_02 ansible_host=192.168.71.112[web]web_01 ansible_host=192.168.71.113web_02 ansible_host=192.168.71.114[redis]redis_01 ansible_host=192.168.71.115redis_02 ansible_host=192.168.71.116[database]db_01 ansible_host=192.168.71.117db_02 ansible_host=192.168.71.118[elk_nfs]elk_nfs ansible_host=192.168.71.119[backup]rsy_bk ansible_host=192.168.71.121# 特殊组(控制机自己)[zabbix]zab_ans ansible_host=192.168.71.120设置全局变量(group_vars/all.yml)
# 所有机器通用配置ntp_server: time.google.comdomain_name: ourcluster.local# VIP地址haproxy_vip: 192.168.71.254redis_vip: 192.168.71.251mysql_vip: 192.168.71.252# NFS配置nfs_server_ip: 192.168.71.119nfs_share_path: /data/apps创建角色(Roles)
ansible-galaxy init roles/commonroles/common/tasks/main.yml- name: 安装基础工具 apt: name: [\'vim\', \'curl\', \'htop\', \'net-tools\'] state: present- name: 设置时区 timezone: name: Asia/Shanghai- name: 配置主机名 hostname: name: \"{{ inventory_hostname }}\"- name: 添加域名解析 lineinfile: path: /etc/hosts line: \"{{ hostvars[item].ansible_host }} {{ item }}\" loop: \"{{ groups.all }}\"roles/haproxy/tasks/main.yml- name: 安装HAProxy和Keepalived apt: name: [\'haproxy\', \'keepalived\'] state: present- name: 配置HAProxy template: src: haproxy.cfg.j2 dest: /etc/haproxy/haproxy.cfg- name: 配置Keepalived(主) template: src: keepalived_master.conf.j2 dest: /etc/keepalived/keepalived.conf when: inventory_hostname == \"lb_01\"- name: 配置Keepalived(备) template: src: keepalived_backup.conf.j2 dest: /etc/keepalived/keepalived.conf when: inventory_hostname == \"lb_02\"- name: 启动服务 service: name: \"{{ item }}\" state: restarted enabled: yes loop: [haproxy, keepalived]Web服务器角色(web_server):web_01和web_02# 安装Nginx+PHP- name: 安装Nginx和PHP apt: name: [\'nginx\', \'php-fpm\', \'php-mysql\'] state: present# 安装Tomcat- name: 安装Java环境 apt: name: java-1.8.0-openjdk-devel state: present# roles/tomcat/tasks/main.yml---- name: 创建安装目录 file: path: /usr/local state: directory- name: 复制Tomcat安装包 copy: src: \"{{ tomcat_package_path }}\" dest: /tmp/apache-tomcat-8.5.40.tar.gz- name: 解压Tomcat unarchive: src: /tmp/apache-tomcat-8.5.40.tar.gz dest: /usr/local remote_src: yes- name: 创建符号链接 file: src: /usr/local/apache-tomcat-8.5.40 dest: /usr/local/tomcat state: link- name: 配置环境变量 lineinfile: path: /etc/profile line: \"export CATALINA_HOME=/usr/local/tomcat\"- name: 创建Tomcat服务用户 user: name: tomcat system: yes shell: /sbin/nologin- name: 设置目录权限 file: path: /usr/local/tomcat owner: tomcat group: tomcat recurse: yes- name: 配置systemd服务 template: src: tomcat.service.j2 dest: /etc/systemd/system/tomcat.service- name: 重载systemd systemd: daemon_reload: yes- name: 启动Tomcat服务 systemd: name: tomcat state: started enabled: yes# roles/tomcat/templates/tomcat.service.j2[Unit]Description=Apache Tomcat 8.5After=network.target[Service]Type=forkingUser=tomcatGroup=tomcatEnvironment=CATALINA_PID=/usr/local/tomcat/temp/tomcat.pidEnvironment=CATALINA_HOME=/usr/local/tomcatEnvironment=CATALINA_BASE=/usr/local/tomcatExecStart=/usr/local/tomcat/bin/startup.shExecStop=/usr/local/tomcat/bin/shutdown.shRestartSec=10Restart=always[Install]WantedBy=multi-user.target# roles/tomcat/defaults/main.ymltomcat_package_path: \"/path/to/apache-tomcat-8.5.40.tar.gz\"# 挂载NFS(应用数据)- name: 创建挂载点 file: path: /mnt/appdata state: directory- name: 挂载NFS mount: path: /mnt/appdata src: \"{{ nfs_server_ip }}:{{ nfs_share_path }}\" fstype: nfs state: mountedRedis角色(redis):redis_01和redis_02- name: 安装Redis apt: name: redis-server state: present- name: 配置Redis主从 template: src: redis.conf.j2 dest: /etc/redis/redis.conf notify: restart redis# Redis Sentinel配置- name: 配置Sentinel template: src: sentinel.conf.j2 dest: /etc/redis/sentinel.conf数据库角色(mysql):db_01和db_02- name: 安装MySQL apt: name: mysql-server state: present- name: 配置主从复制 template: src: master.cnf.j2 # 或slave.cnf.j2 dest: /etc/mysql/mysql.conf.d/replication.cnf- name: 创建复制用户 mysql_user: name: replicator password: securepass host: \'%\' priv: \'*.*:REPLICATION SLAVE\' state: presentELK+NFS角色(elk_nfs):elk_nfs# NFS部分- name: 安装NFS服务 apt: name: nfs-kernel-server state: present- name: 创建共享目录 file: path: \"{{ nfs_share_path }}\" state: directory mode: 0777# ELK部分# roles/elk_stack/tasks/main.yml---- name: 创建安装目录 file: path: /opt/elk state: directory# Elasticsearch安装- name: 复制Elasticsearch copy: src: \"{{ es_package_path }}\" dest: /tmp/elasticsearch-7.1.1-x86_64.rpm- name: 安装Elasticsearch yum: name: /tmp/elasticsearch-7.1.1-x86_64.rpm state: present- name: 配置Elasticsearch template: src: elasticsearch.yml.j2 dest: /etc/elasticsearch/elasticsearch.yml- name: 启动Elasticsearch systemd: name: elasticsearch state: started enabled: yes# Logstash安装- name: 复制Logstash copy: src: \"{{ logstash_package_path }}\" dest: /tmp/logstash-7.1.1.rpm- name: 安装Logstash yum: name: /tmp/logstash-7.1.1.rpm state: present- name: 配置Logstash template: src: logstash.conf.j2 dest: /etc/logstash/conf.d/main.conf- name: 启动Logstash systemd: name: logstash state: started enabled: yes# Kibana安装- name: 复制Kibana copy: src: \"{{ kibana_package_path }}\" dest: /tmp/kibana-7.1.1-x86_64.rpm- name: 安装Kibana yum: name: /tmp/kibana-7.1.1-x86_64.rpm state: present- name: 配置Kibana template: src: kibana.yml.j2 dest: /etc/kibana/kibana.yml- name: 启动Kibana systemd: name: kibana state: started enabled: yes# roles/elk_stack/templates/elasticsearch.yml.j2cluster.name: elk-clusternode.name: \"{{ ansible_hostname }}\"network.host: 0.0.0.0http.port: 9200discovery.seed_hosts: [\"elk_nfs\"]cluster.initial_master_nodes: [\"elk_nfs\"]# roles/elk_stack/defaults/main.ymles_package_path: \"/path/to/elasticsearch-7.1.1-x86_64.rpm\"logstash_package_path: \"/path/to/logstash-7.1.1.rpm\"kibana_package_path: \"/path/to/kibana-7.1.1-x86_64.rpm\"备份角色(backup):rsy_bk- name: 安装Rsync apt: name: rsync state: present- name: 创建备份目录 file: path: /backup state: directory- name: 配置Rsync服务 template: src: rsyncd.conf.j2 dest: /etc/rsyncd.conf 监控角色(zabbix):zab_ans- name: 安装Zabbix apt_repository: repo: \"deb https://repo.zabbix.com/zabbix/6.0/ubuntu/ focal main\" state: present- name: 安装Zabbix组件 apt: name: [\'zabbix-server-mysql\', \'zabbix-frontend-php\', \'zabbix-apache-conf\'] state: present编写主剧本(site.yml)
---- name: 基础配置 hosts: all roles: - common- name: 负载均衡器配置 hosts: load_balancer roles: - haproxy- name: 应用服务器配置 hosts: web roles: - web_server- name: Redis集群配置 hosts: redis roles: - redis- name: 数据库配置 hosts: database roles: - mysql- name: ELK和NFS配置 hosts: elk_nfs roles: - elk_nfs- name: 备份系统配置 hosts: backup roles: - backup- name: 监控系统配置 hosts: zabbix roles: - zabbix执行部署
# 测试连接ansible all -m ping# 运行整个剧本ansible-playbook -i inventories/production site.yml# 单独运行某个部分(例如只更新Web服务器)ansible-playbook -i inventories/production site.yml --tags web
