roles基本概述

roles不管是Ansible还是saltstack，我在写一键部署的时候，都不可能把所有的步骤全部写入到一个'剧本'文件当中，我们肯定需要把不同的工作模块，拆分开来，解耦，那么说到解耦，我们就需要用到roles官方推荐，因为roles的目录结构层次更加清晰。
例如：我们之前推荐大家写一个base.yml里面写所有基础优化的项目，其实把所有东西摞进去也是很鸡肋的，不如我们把这些功能全部拆分开，谁需要使用，就调用即可。
建议：每个roles最好只使用一个tasks这样方便我们去调用，能够很好的做到解耦。（SOA）

roles目录结构（官方推荐样式）

# 商业转载请联系作者获得授权，非商业转载请注明出处。
# For commercial use, please contact the author for authorization. For non-commercial use, please indicate the source.
# 协议(License)：署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0)
# 作者(Author)：曾志高翔(DriverZeng)
# 链接(URL)：https://blog.driverzeng.com/driverzeng/6833.html
# 来源(Source)：火鸡味锅巴

production                # inventory file for production servers
staging                   # inventory file for staging environment

group_vars/
   group1.yml             # here we assign variables to particular groups
   group2.yml
host_vars/
   hostname1.yml          # here we assign variables to particular systems
   hostname2.yml

library/                  # if any custom modules, put them here (optional)
module_utils/             # if any custom module_utils to support modules, put them here (optional)
filter_plugins/           # if any custom filter plugins, put them here (optional)

site.yml                  # master playbook
webservers.yml            # playbook for webserver tier
dbservers.yml             # playbook for dbserver tier

roles/
    common/               # this hierarchy represents a "role"
        tasks/            #
            main.yml      #  <-- tasks file can include smaller files if warranted
        handlers/         #
            main.yml      #  <-- handlers file
        templates/        #  <-- files for use with the template resource
            ntp.conf.j2   #  <------- templates end in .j2
        files/            #
            bar.txt       #  <-- files for use with the copy resource
            foo.sh        #  <-- script files for use with the script resource
        vars/             #
            main.yml      #  <-- variables associated with this role
        defaults/         #
            main.yml      #  <-- default lower priority variables for this role
        meta/             #
            main.yml      #  <-- role dependencies
        library/          # roles can also include custom modules
        module_utils/     # roles can also include custom module_utils
        lookup_plugins/   # or other types of plugins, like lookup in this case

    webtier/              # same kind of structure as "common" was above, done for the webtier role
    monitoring/           # ""
    fooapp/               # ""

roles目录结构使用galaxy创建

[root@m01 ~]# cd /etc/ansible/roles/
[root@m01 roles]# tree wordpress/
nfs/                #项目名称
├── defaults        #低优先级变量
├── files           #存放文件
├── handlers        #触发器文件
├── meta            #依赖关系文件
├── tasks           #工作任务文件
├── templates       #jinja2模板文件
├── tests           #测试文件
└── vars            #变量文件

Ansible Roles依赖关系

roles允许你再使用roles时自动引入其他的roles。role依赖关系存储在roles目录中meta/main.yml文件中。
例如：推送wordpress并解压，前提条件，必须要安装nginx和php，把服务跑起来，才能运行wordpress的页面，此时我们就可以在wordpress的roles中定义依赖nginx和php的roles
[root@m01 roles]# vim /etc/ansible/roles/wordpress/meta/main.yml
dependencies:
  - { role: nginx }
  - { role: php }
#如果编写了meta目录下的main.yml文件，那么Ansible会自动先执行meta目录中main.yml文件中的dependencies文件，如上所示，就会先执行nginx和php的安装。

roles执行流程

Ansible Roles最佳实践

#部署安装七层负载服务
# 任务
#base优化
[root@m01 roles]# cat /opt/ansible/roles/base
- name: 删除官方源
  archive:
    path: /etc/yum.repo.d/*
    dest: /tmp/yum.gz
    format: gz
    remove: true

- name: 更换阿里云
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  - with_items:
    - { src: /root/ansible/base/conf/Centos-7.repo,dest: /etc/yum.repo.d/Centos-Base.repo}
    - { src: /root/ansible/base/conf/epel-7.repo,dest: /etc/yum.repo/epel.repo }

 - name: 关闭防火墙
   service:
     name: firewalld
     state: stopped
     enabled: false

 - name: 关闭SeLinux
   selinux:
     state: disabled

 - name: 优化文件描述符
   pam_limits:
     domain: '*'
     limit_type: '-'
     limit_item: nofile
     value: '65535'

- name: 创建{{ user_group }}组
  group:
    name: {{ user_group }}
    gid: {{ id }}

- name: 创建{{ user }}用户
  user:
    name: {{ user_group }}
    uid: {{ id }}
    group: {{ id }}
    shell: /sbin/onlogin
    create_home: false
[root@m01 roles]# vim nginx/tasks/main.yml
---
# tasks file for zls-nginx
- name: 安装nginx
  yum:
    name: nginx
    state: present
- name: 推送主配置文件
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
  notify: Restart Nginx
- name: 启动nginx
  service:
    name: nginx
    state: started
    enabled: true
## 定义变量
[root@m01 vars]# vim /opt/ansible/roles/nginx/vars/main.yml
---
# vars file for nginx
user_group: 'root'
## 准备配置文件
[root@m01 roles]# ll nginx/templates/
total 4
-rw-r--r-- 1 root root 658 May 29 10:49 nginx.conf.j2
## 触发器
[root@m01 roles]# cat zlsnginx/handlers/main.yml
---
# handlers file for zls-nginx
- name: Restart Nginx
  service:
    name: nginx
    state: reloaded
# lb
## 依赖
[root@m01 roles]# cat lb/meta/main.yml
dependencies:
  - {role: zls-nginx}
## 任务
[root@m01 roles]# cat lb/tasks/main.yml
---
# tasks file for lb
- name: 推送负载均衡配置文件
  copy:
    src: lb.conf
    dest: /etc/nginx/conf.d
  notify: Restart Nginx
## 触发器
[root@m01 roles]# cat lb/handlers/main.yml
---
# handlers file for lb
- name: Restart Nginx
  service:
    name: nginx
    state: reloaded
## 配置文件
[root@m01 roles]# ll lb/files/lb.conf
-rw-r--r-- 1 root root 430 May 29 10:28 lb/files/lb.conf
# 入口文件
[root@m01 roles]# cat site.yml
- hosts: all
  roles:
  - {role: lb,when: ansible_hostname is match 'web*'}
## 执行入口文件
[root@m01 roles]# ansible-playbook site.yml

ansible galaxy使用

# 查询ansible代码仓库
[root@m01 ~]# ansible-galaxy search nginx
# 下载代码仓库中的代码
[root@m01 ~]# ansible-galaxy collection install aaronpederson.nginx

ansible vault

# 加密
[root@m01 ansible]# ansible-vault
encrypt site.yml
# 查看
[root@m01 ansible]# ansible-vault view
site.yml
# 编辑
[root@m01 ansible]# ansible-vault edit
site.yml
# 取消密码
[root@m01 ansible]# ansible-vault
decrypt site.yml
# 修改密码
[root@m01 ansible]# ansible-vault rekey
site.yml