Contents
- 1. Environment
- 2. Ansible configuration file and inventory
- a. ansible.cfg
- b. inventory file
- c. Configuration of the primary and secondary DNS services
- 3. Preparation done, let's get on with writing the playbooks
- a. Playbook for the primary DNS server
- b. Copy the primary DNS playbook, tweak it a little, and it becomes the secondary DNS playbook
- 4. Last step: the playbook for the unbound caching server
After a stretch on a project of verbal sparring with the client, life-and-death standoffs where at least one side had to go down, I finally have some quiet time to sort out my notes and what I learned.

Here is what happened. Just when we had done our job rather well and were rolling out servers at a blistering pace, trouble arrived: the client saw we looked idle and decided to hand us more work, namely a DNS server that was never ours to manage, which they wanted redeployed in a new environment.

Enough grumbling, I'm tired. The team are all fresh graduates, nobody could stand up to that kind of pressure, and none of them wanted the job. In the end our PM gave in anyway (they were paying too much).

And so this article came about.
1. Environment
```text
control.lab.example.com
servera.lab.example.com   192.168.0.10
serverb.lab.example.com   192.168.0.11
serverc.lab.example.com   192.168.0.12
serverd.lab.example.com   192.168.0.13
```
To keep the real data out of this write-up, and because the experience is still fresh, I am redoing everything on the four virtual machines in my lab environment.
2. Ansible configuration file and inventory
a. ansible.cfg
Nothing fancy at all.
(It all gets removed once the configuration is done anyway: the client does not want to keep it, they consider it insecure.) (And I'm not the one running it.)
```ini
[defaults]
inventory=./inventory
remote_user=devops

[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False
```
b. inventory file
```ini
[control_node]
workstation.lab.example.com

[caching_dns]
servera.lab.example.com

[primary_dns]
serverb.lab.example.com

[secondary_dns]
serverc.lab.example.com
```
c. Configuration of the primary and secondary DNS services
primary-192.168.0.zone (the reverse zone on the primary):

```text
$TTL 300
@   IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041805 ; serial number
        1H         ; refresh secondary
        5M         ; retry refresh
        1W         ; expire zone
        1M )       ; cache time-to-live for negative answers
; owner                       TTL  CL  type  RDATA
                              600  IN  NS    serverb.backend.lab.example.com.
10.0.168.192.IN-ADDR.ARPA.         IN  PTR   servera.backend.lab.example.com.
11                                 IN  PTR   serverb.backend.lab.example.com.
12                                 IN  PTR   serverc.backend.lab.example.com.
13                                 IN  PTR   serverd.backend.lab.example.com.
```
primary-backend.lab.example.com.zone (the forward zone on the primary):

```text
$TTL 300
@   IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041806 ; serial number
        1H         ; refresh secondary
        5m         ; retry refresh
        1w         ; expire zone
        1m )       ; cache time-to-live for negative answers
; owner   TTL  CL  type  RDATA
          600  IN  NS    serverb
;              IN  MX    10 serverb.backend.lab.example.com.
;              IN  A     192.168.0.11
servera        IN  A     192.168.0.10
serverb        IN  A     192.168.0.11
serverc        IN  A     192.168.0.12
serverd        IN  A     192.168.0.13
```
primary-named.backend.conf (zone definitions on the primary):

```conf
zone "backend.lab.example.com" IN {
    type master;
    file "backend.lab.example.com.zone";
    forwarders {};
};

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
    forwarders {};
};
```
primary-named.conf:

```conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-transfer { 192.168.0.12; };
    allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
    recursion no;
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
```
secondary-named.conf:

```conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-transfer { 192.168.0.12; };
    allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
    recursion no;
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
```
secondary-named.backend.conf (zone definitions on the secondary):

```conf
zone "backend.lab.example.com" IN {
    type slave;
    file "slaves/backend.lab.example.com.zone";
    masters { 192.168.0.11; };
};

zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/192.168.0.zone";
    masters { 192.168.0.11; };
};
```
And the unbound configuration template:

unbound.conf.j2

```jinja
server:
    interface: {{ interface }}
    interface-automatic: {{ interface_automatic }}
{% for acl in access_control %}
    access-control: {{ acl }}
{% endfor %}
    domain-insecure: "{{ domain_insecure }}"

forward-zone:
    name: "{{ forward_zone_name }}"
    forward-addr: {{ forward_zone_addr }}
```
The directory layout:

```text
tree .
.
├── ansible.cfg
├── files
│   ├── primary-192.168.0.zone
│   ├── primary-backend.lab.example.com.zone
│   ├── primary-named.backend.conf
│   ├── primary-named.conf
│   ├── secondary-named.backend.conf
│   └── secondary-named.conf
├── inventory
└── templates
    └── unbound.conf.j2

2 directories, 9 files
```
3. Preparation done, let's get on with writing the playbooks
a. Playbook for the primary DNS server
```yaml
---
- name: Configure primary nameserver
  hosts: serverb.lab.example.com
  remote_user: devops
  become: yes
  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: latest

    - name: Copy primary config file
      copy:
        src: files/primary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy forward zone file to primary
      copy:
        src: files/primary-backend.lab.example.com.zone
        dest: /var/named/backend.lab.example.com.zone
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy reverse zone file to primary
      copy:
        # the directory is files/, as in the tree above
        src: files/primary-192.168.0.zone
        dest: /var/named/192.168.0.zone
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy backend config file (for zones)
      copy:
        src: files/primary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: true
        permanent: yes

    - name: Ensure named is running and enabled
      service:
        name: named
        state: started
        enabled: true

  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
```
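Added example, not from the original post: the primary play again, with the copy tasks using the copy module's validate option so that named-checkzone and named-checkconf reject a broken zone or config file before it replaces the live one and named is reloaded. It targets the primary_dns inventory group from section 2 and leaves out the firewall and service tasks, which stay as in the playbook above.

```yaml
---
- name: Configure primary nameserver, validating each file before it is installed
  hosts: primary_dns
  remote_user: devops
  become: yes
  vars:
    zone_files:   # the zone name lets named-checkzone resolve relative owner names
      - { src: files/primary-backend.lab.example.com.zone,
          dest: /var/named/backend.lab.example.com.zone, zone: backend.lab.example.com }
      - { src: files/primary-192.168.0.zone,
          dest: /var/named/192.168.0.zone, zone: 0.168.192.in-addr.arpa }
  tasks:
    - name: Install BIND (also provides named-checkconf and named-checkzone)
      yum:
        name: bind
        state: present
    - name: Copy zone files, rejecting any that named-checkzone cannot load
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: named
        mode: "0640"
        validate: "named-checkzone {{ item.zone }} %s"   # %s = temp copy of the new file
      loop: "{{ zone_files }}"
      notify: reload_named
    - name: Copy the zone definitions before named.conf, which includes them
      copy:
        src: files/primary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: "0640"
      notify: reload_named
    - name: Copy named.conf only if named-checkconf accepts the new file
      copy:
        src: files/primary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: "0640"
        validate: "named-checkconf %s"
      notify: reload_named
  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
```

If a validator rejects the file, the task fails, the old file stays in place and the reload handler never fires, so a typo in a zone file cannot take the resolver down.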
b. Copy the primary DNS playbook, tweak it a little, and it becomes the secondary DNS playbook
```yaml
---
- name: Configure second nameserver
  hosts: serverc.lab.example.com
  remote_user: devops
  become: yes
  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: latest

    - name: Copy secondary config file
      copy:
        src: files/secondary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy backend config file (for zones)
      copy:
        src: files/secondary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: true
        permanent: yes

    - name: Ensure named is running and enabled
      service:
        name: named
        state: started
        enabled: true

  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
```
Check the playbooks:

```shell
ansible-playbook --syntax-check playbook1.yml
ansible-playbook --syntax-check playbook2.yml
```

No news is good news: if nothing is printed, go ahead and run your playbooks.

Afterwards, remember to run dig to confirm that the DNS configuration really works:

```shell
dig servera.backend.lab.example.com @serverb.lab.example.com
```
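Added example, not from the original post: a verification play that goes further than the single dig above. It runs on servera (192.168.0.10, inside allow-query but in neither allow-transfer list) and checks forward and reverse answers, that the secondary carries the same SOA serial as the primary, that both servers refuse AXFR to an unauthorized client, and that the authoritative servers do not advertise recursion; it assumes the bind-utils package provides dig.

```yaml
---
- name: Verify the primary/secondary pair from an allowed client
  hosts: caching_dns      # servera (192.168.0.10): inside allow-query, outside allow-transfer
  remote_user: devops
  become: yes
  vars:
    servers: ["192.168.0.11", "192.168.0.12"]   # primary, secondary
  tasks:
    - name: Install dig (bind-utils)
      yum:
        name: bind-utils
        state: present
    - name: Forward and reverse lookups against the primary
      command: "dig +short {{ item }} @{{ servers[0] }}"
      loop: ["servera.backend.lab.example.com", "-x 192.168.0.10"]
      register: lookups
      changed_when: false
    - name: Read the SOA record from primary and secondary
      command: "dig +short SOA backend.lab.example.com @{{ item }}"
      loop: "{{ servers }}"
      register: soa
      changed_when: false
    - name: Request a zone transfer from both servers (neither lists 192.168.0.10)
      command: "dig axfr backend.lab.example.com @{{ item }}"
      loop: "{{ servers }}"
      register: axfr
      changed_when: false
      failed_when: false      # a refused transfer is the outcome we want
    - name: Capture the header flags of a normal answer from the primary
      command: "dig +noall +comments servera.backend.lab.example.com @{{ servers[0] }}"
      register: header
      changed_when: false
    - name: Fail the run if any expectation is not met
      assert:
        that:
          - lookups.results[0].stdout == "192.168.0.10"
          - lookups.results[1].stdout == "servera.backend.lab.example.com."
          # serial is the third field of the SOA RDATA; equal serials mean the transfer worked
          - soa.results[0].stdout.split()[2] == soa.results[1].stdout.split()[2]
          # both servers must refuse AXFR to a client that is not in allow-transfer
          - axfr.results | map(attribute='stdout') | select('search', 'Transfer failed') | list | length == 2
          # no 'ra' flag in 'flags: qr aa rd;' means the server does not offer recursion
          - "' ra;' not in header.stdout and ' ra ' not in header.stdout"
        fail_msg: "DNS deployment failed verification"
```

Querying the servers by their 192.168.0.x addresses matters here: the source address is then on the 192.168.0.0/24 network that allow-query permits, which a query sent to the 172.25.250.x side of the hosts would not be.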
4. Last step: the playbook for the unbound caching server
```yaml
---
- name: Install cache only nameserver
  hosts: servera.lab.example.com
  remote_user: devops
  become: yes
  vars:
    interface: 0.0.0.0
    interface_automatic: "yes"
    access_control:
      - "172.25.250.0/24 allow"
    domain_insecure: example.com
    forward_zone_name: .
    forward_zone_addr: "172.25.250.254"
  tasks:
    - name: Install cache only nameserver
      yum:
        name: unbound
        state: present

    - name: Create configuration file on caching server host
      template:
        src: unbound.conf.j2
        dest: /etc/unbound/conf.d/unbound.conf
      # without this notify the restart_unbound handler below never runs
      notify:
        - restart_unbound

    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes

    - name: Ensure unbound is running and enabled
      service:
        name: unbound
        state: started
        enabled: yes

  handlers:
    - name: restart_unbound
      service:
        name: unbound
        state: restarted
```
With that, all three playbooks are written.

Thanks for reading, see you next time.