1. docker 基于二进制 roles
源码下载地址:github.com/raymond9999…
[root@ansible-server ansible]# mkdir -p roles/docker-binary/{tasks,files,vars}
[root@ansible-server ansible]# cd roles/docker-binary/
[root@ansible-server docker-binary]# ls
files tasks vars
[root@ansible-server docker-binary]# wget https://mirrors.cloud.tencent.com/docker-ce/linux/static/stable/x86_64/docker-20.10.9.tgz -P files/
[root@ansible-server docker-binary]# vim vars/main.yml
# Must match the archive name under files/ (docker-<version>.tgz) that
# tasks/docker_files.yml unarchives; quoted so YAML keeps it a plain string.
DOCKER_VERSION: "20.10.9"
[root@ansible-server docker-binary]# vim files/docker.service
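[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# Listen on the local socket only. The path needs three slashes to be absolute;
# the two-slash form (unix://var/run/docker.sock) is a relative path that only
# ends up under /var/run because systemd runs a system service with / as its
# working directory by default.
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock
# $MAINPID is substituted by systemd. The line previously read \$MAINPID, a
# here-doc escape that does not belong in a unit file and would hand kill a
# mangled argument on reload.
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target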
[root@ansible-server docker-binary]# vim files/daemon.json
{
"registry-mirrors": [
"https://hzw5xiv7.mirror.aliyuncs.com",
"https://docker.mirrors.ustc.edu.cn",
"http://f1361db2.m.daocloud.io",
"https://registry.docker-cn.com",
"https://dockerhub.azk8s.cn",
"https://reg-mirror.qiniu.com",
"https://hub-mirror.c.163.com",
"https://mirror.ccs.tencentyun.com"
]
}
[root@ansible-server docker-binary]# vim tasks/docker_files.yml
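# Installs the static Docker binaries shipped in files/docker-<version>.tgz.
# The archive is used exactly as it sits in files/; nothing here checks its
# integrity, so verify it against the upstream release before adding it.
- name: unarchive docker package
  unarchive:
    src: "docker-{{ DOCKER_VERSION }}.tgz"
    dest: /usr/local/src
    # skip once extracted; the mv below empties this directory but leaves it behind
    creates: /usr/local/src/docker
- name: move docker files
  shell:
    cmd: mv /usr/local/src/docker/* /usr/bin/
    # without this guard a second run fails: after the first move the glob
    # matches nothing and mv exits non-zero
    creates: /usr/bin/dockerd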
[root@ansible-server docker-binary]# vim tasks/service_file.yml
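# Installs the unit that runs dockerd as root: pin it to root ownership and a
# non-writable mode rather than whatever the remote umask yields.
- name: copy docker.service file
  copy:
    src: docker.service
    dest: /lib/systemd/system/docker.service
    owner: root
    group: root
    mode: "0644"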
[root@ansible-server docker-binary]# vim tasks/set_mirror_accelerator.yml
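- name: mkdir /etc/docker
  file:
    path: /etc/docker
    state: directory
# daemon.json is read by dockerd at start-up. tasks/service.yml starts the
# service later in the role, so on the first run the mirrors take effect; on a
# later run a changed daemon.json is copied but dockerd is not restarted, so
# new settings wait for a manual restart.
# NOTE(review): one entry in files/daemon.json is a plain http:// mirror, so
# pulls routed through it are not transport-protected -- confirm that is intended.
- name: set mirror_accelerator
  copy:
    src: daemon.json
    dest: /etc/docker/
    owner: root
    group: root
    mode: "0644"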
[root@ansible-server docker-binary]# vim tasks/set_alias.yml
# Adds two convenience aliases to root's .bashrc. Both are destructive:
# rmi force-removes every image on the host, rmc force-removes every
# container, running ones included.
- name: set docker alias
  lineinfile:
    path: ~/.bashrc
    line: '{{ item }}'
  loop:
    - 'alias rmi="docker images -qa|xargs docker rmi -f"'
    - 'alias rmc="docker ps -qa|xargs docker rm -f"'
[root@ansible-server docker-binary]# vim tasks/service.yml
# Enable and start dockerd; daemon_reload makes systemd pick up the unit
# installed by service_file.yml before the start.
- name: start docker
  systemd:
    name: docker
    state: started
    enabled: true
    daemon_reload: true
[root@ansible-server docker-binary]# vim tasks/set_swap.yml
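# Enables swap accounting on Ubuntu (silences docker's "No swap limit support").
# The edit is registered so update-grub and the reboot only run when the
# kernel command line actually changed; before, every run re-appended the
# parameter and rebooted the host.
- name: set WARNING No swap limit support
  replace:
    path: /etc/default/grub
    # the negative lookahead leaves a line that already carries swapaccount=1
    # alone, which keeps this task idempotent
    regexp: '^(GRUB_CMDLINE_LINUX=(?!.*swapaccount=1).*)"$'
    replace: '\1 swapaccount=1"'
  register: grub_swapaccount
  when:
    - ansible_distribution=="Ubuntu"
- name: update-grub
  shell:
    cmd: update-grub
  when:
    - ansible_distribution=="Ubuntu"
    - grub_swapaccount is changed
- name: reboot Ubuntu system
  reboot:
  when:
    - ansible_distribution=="Ubuntu"
    - grub_swapaccount is changed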
[root@ansible-server docker-binary]# vim tasks/main.yml
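# Task order for the role. import_tasks is the non-deprecated static form of
# the old `include`; it is available from Ansible 2.4, older than the loop and
# reboot features this role already uses. Order matters: the unit file and
# daemon.json must be in place before service.yml starts dockerd.
- import_tasks: docker_files.yml
- import_tasks: service_file.yml
- import_tasks: set_mirror_accelerator.yml
- import_tasks: set_alias.yml
- import_tasks: service.yml
- import_tasks: set_swap.yml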
[root@ansible-server docker-binary]# cd ../../
[root@ansible-server ansible]# tree roles/docker-binary/
roles/docker-binary/
├── files
│ ├── daemon.json
│ ├── docker-20.10.9.tgz
│ └── docker.service
├── tasks
│ ├── docker_files.yml
│ ├── main.yml
│ ├── service_file.yml
│ ├── service.yml
│ ├── set_alias.yml
│ ├── set_mirror_accelerator.yml
│ └── set_swap.yml
└── vars
└── main.yml
3 directories, 11 files
2. docker-compose roles
[root@ansible-server ansible]# mkdir -p roles/docker-compose/{tasks,files}
[root@ansible-server ansible]# cd roles/docker-compose/
[root@ansible-server docker-compose]# ls
files tasks
[root@ansible-server docker-compose]# wget https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64 -P files
[root@ansible-server docker-compose]# vim tasks/install_docker_compose.yml
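# Installs the docker-compose binary shipped under files/. src must match the
# file name there exactly: the release asset downloads as
# docker-compose-Linux-x86_64 while the role's tree shows a lower-case name,
# so rename on download or adjust src. Nothing here verifies the binary
# against the upstream checksum -- do that before placing it in files/.
- name: copy docker compose file
  copy:
    src: docker-compose-linux-x86_64
    dest: /usr/bin/docker-compose
    owner: root
    group: root
    # quoted with a leading zero: a bare 755 is parsed as the decimal number
    # 755 (octal 1363), not as rwxr-xr-x
    mode: "0755"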
[root@ansible-server docker-compose]# vim tasks/main.yml
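# import_tasks is the non-deprecated static form of the old `include`
- import_tasks: install_docker_compose.yml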
[root@ansible-server ansible]# tree roles/docker-compose/
roles/docker-compose/
├── files
│ └── docker-compose-linux-x86_64
└── tasks
├── install_docker_compose.yml
└── main.yml
2 directories, 3 files
3. harbor-https roles
[root@ansible-server ansible]# mkdir -p roles/harbor-https/{tasks,files,templates,vars,meta}
[root@ansible-server ansible]# cd roles/harbor-https/
[root@ansible-server harbor-https]# ls
files meta tasks templates vars
[root@ansible-server harbor-https]# wget https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz -P files/
[root@ansible-server harbor-https]# vim templates/harbor.service.j2
[Unit]
Description=Harbor
# docker-compose drives the local Docker daemon, so this unit is ordered after
# docker.service and is stopped together with it (Requires=).
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
# "up" without -d keeps docker-compose in the foreground so it is the main
# process systemd supervises; HARBOR_INSTALL_DIR is filled in from vars/main.yml
# when tasks/service_file.yml renders this template.
ExecStart=/usr/bin/docker-compose -f {{ HARBOR_INSTALL_DIR }}/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f {{ HARBOR_INSTALL_DIR }}/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
[root@ansible-server harbor-https]# vim vars/main.yml
# Harbor is unpacked under HARBOR_INSTALL_DIR/harbor; HARBOR_VERSION must match
# the offline installer archive name under files/.
HARBOR_INSTALL_DIR: /apps
HARBOR_VERSION: "2.3.5"
# Initial admin password that tasks/config.yml writes into harbor.yml. This
# value is a weak placeholder kept in clear text inside the role: set a strong
# one and keep it in an ansible-vault encrypted variable file instead.
HARBOR_ADMIN_PASSWORD: "123456"
# DOMAIN is the CA's CN (ca.<DOMAIN>); HARBOR_DOMAIN is the registry's CN and
# the base name of its key/cert files under harbor/certs/.
DOMAIN: raymonds.cc
HARBOR_DOMAIN: harbor.raymonds.cc
[root@ansible-server harbor-https]# vim tasks/harbor_files.yml
# Unpack the offline installer under HARBOR_INSTALL_DIR. The unarchive step is
# skipped once harbor/ exists, so a re-run does not overwrite a configured
# install. The archive is used as it sits in files/; verify it against the
# upstream release before adding it there.
- name: create HARBOR_INSTALL_DIR directory
  file:
    path: '{{ HARBOR_INSTALL_DIR }}'
    state: directory
- name: unarchive harbor package
  unarchive:
    src: 'harbor-offline-installer-v{{ HARBOR_VERSION }}.tgz'
    dest: '{{ HARBOR_INSTALL_DIR }}/'
    creates: '{{ HARBOR_INSTALL_DIR }}/harbor'
[root@ansible-server harbor-https]# vim tasks/create_certs.yml
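# Self-signed PKI for Harbor: a private CA (ca.crt) signs one server
# certificate for HARBOR_DOMAIN. Each openssl step is guarded with `creates`
# so a re-run does not silently mint a new CA that clients no longer trust.
# Both keys are written unencrypted (-nodes); keep the certs directory
# readable by root only.
- name: touch file
  file:
    path: /root/.rnd
    state: touch
- name: create certs directory
  file:
    path: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/"
    state: directory
- name: create ca.crt file
  shell:
    chdir: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/"
    cmd: openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -subj "/CN=ca.{{ DOMAIN }}" -days 365 -out ca.crt
    creates: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/ca.crt"
- name: create hostname.csr file
  shell:
    chdir: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/"
    cmd: openssl req -newkey rsa:4096 -nodes -sha256 -subj "/CN={{ HARBOR_DOMAIN }}" -keyout {{ HARBOR_DOMAIN }}.key -out {{ HARBOR_DOMAIN }}.csr
    creates: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/{{ HARBOR_DOMAIN }}.csr"
# Go-based clients (docker included) no longer accept a server certificate
# whose name lives only in the CN; it needs a subjectAltName. The IP is listed
# too because config.yml sets Harbor's hostname to ansible_default_ipv4.address.
- name: create v3.ext file
  copy:
    dest: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/v3.ext"
    content: |
      basicConstraints=CA:FALSE
      extendedKeyUsage=serverAuth
      subjectAltName=DNS:{{ HARBOR_DOMAIN }},IP:{{ ansible_default_ipv4.address }}
- name: create hostname.crt file
  shell:
    chdir: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/"
    # -days is required here: openssl x509 -req defaults to a 30-day certificate
    cmd: openssl x509 -req -in {{ HARBOR_DOMAIN }}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -sha256 -extfile v3.ext -out {{ HARBOR_DOMAIN }}.crt
    creates: "{{ HARBOR_INSTALL_DIR }}/harbor/certs/{{ HARBOR_DOMAIN }}.crt"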
[root@ansible-server harbor-https]# vim tasks/config.yml
# Turns the shipped harbor.yml.tmpl into harbor.yml and patches the settings
# the role needs. Each regexp anchors on a line the template already contains,
# so a template whose layout differs is left untouched without any error.
- name: mv harbor.yml
shell:
cmd: mv {{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml.tmpl {{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml
creates: "{{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml"
# NOTE(review): hostname becomes the host's default IPv4 address, while the
# certificate made in create_certs.yml names HARBOR_DOMAIN -- clients that
# reach Harbor by this IP get a name mismatch unless the certificate also
# covers the IP; confirm which name clients will use.
- name: set harbor.yml file 'hostname' string line
replace:
path: "{{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml"
regexp: '^(hostname:) .*'
replace: '\1 {{ ansible_default_ipv4.address }}'
# The admin password is written in clear text into harbor.yml, so that file
# should stay readable by root only.
- name: set harbor.yml file 'harbor_admin_password' string line
replace:
path: "{{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml"
regexp: '^(harbor_admin_password:) .*'
replace: '\1 {{ HARBOR_ADMIN_PASSWORD }}'
# The leading space in the next two regexps targets the indented certificate /
# private_key keys (presumably nested under https: in the template); the
# replacement paths are the files produced by create_certs.yml.
- name: set harbor.yml file 'certificate' string line
replace:
path: "{{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml"
regexp: ' (certificate:) .*'
replace: ' \1 {{ HARBOR_INSTALL_DIR }}/harbor/certs/{{ HARBOR_DOMAIN }}.crt'
- name: set harbor.yml file 'private_key' string line
replace:
path: "{{ HARBOR_INSTALL_DIR }}/harbor/harbor.yml"
regexp: ' (private_key:) .*'
replace: ' \1 {{ HARBOR_INSTALL_DIR }}/harbor/certs/{{ HARBOR_DOMAIN }}.key'
[root@ansible-server harbor-https]# vim tasks/install_python.yml
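# Installs python3 ahead of install_harbor.yml, per distribution family.
- name: install CentOS or Rocky python
  yum:
    name: python3
  when:
    - (ansible_distribution=="CentOS" or ansible_distribution=="Rocky")
# NOTE(review): deleting the dpkg/apt lock files unconditionally also pulls
# them from under a package operation that is still running (apt, dpkg,
# unattended upgrades), which can corrupt the dpkg state. Waiting for the lock
# holder to finish is the safer choice.
- name: delete lock files
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /var/lib/dpkg/lock
    - /var/lib/apt/lists/lock
    - /var/cache/apt/archives/lock
  when:
    - ansible_distribution=="Ubuntu"
# `force: yes` was dropped from this task: it only affects package installs,
# where it implies allow_unauthenticated and disables signature checks, and
# does nothing for a cache update.
- name: apt update
  apt:
    update_cache: yes
  when:
    - ansible_distribution=="Ubuntu"
- name: install Ubuntu python
  apt:
    name: python3
  when:
    - ansible_distribution=="Ubuntu"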
[root@ansible-server harbor-https]# vim tasks/install_harbor.yml
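# Runs Harbor's installer, which is expected to generate docker-compose.yml
# (the file harbor.service.j2 points at) and bring the stack up. Guarded so a
# re-run of the role does not reinstall over a running Harbor.
- name: install harbor
  shell:
    cmd: "{{ HARBOR_INSTALL_DIR }}/harbor/install.sh"
    creates: "{{ HARBOR_INSTALL_DIR }}/harbor/docker-compose.yml"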
[root@ansible-server harbor-https]# vim tasks/service_file.yml
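# Renders the unit that runs docker-compose as root: pin it to root ownership
# and a non-writable mode rather than whatever the remote umask yields.
- name: copy harbor.service
  template:
    src: harbor.service.j2
    dest: /lib/systemd/system/harbor.service
    owner: root
    group: root
    mode: "0644"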
[root@ansible-server harbor-https]# vim tasks/service.yml
# Enable and start harbor.service; daemon_reload makes systemd pick up the
# unit rendered by service_file.yml before the start.
- name: service enable
  systemd:
    name: harbor
    state: started
    enabled: true
    daemon_reload: true
[root@ansible-server harbor-https]# vim tasks/main.yml
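# Task order for the role. import_tasks is the non-deprecated static form of
# the old `include` (Ansible 2.4+, older than the loop and reboot features the
# dependent docker-binary role uses). Order matters: certificates and
# harbor.yml must exist before install.sh runs, and the unit file before the
# service is started.
- import_tasks: harbor_files.yml
- import_tasks: create_certs.yml
- import_tasks: config.yml
- import_tasks: install_python.yml
- import_tasks: install_harbor.yml
- import_tasks: service_file.yml
- import_tasks: service.yml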
# 这里是 harbor 依赖的角色，docker-binary 就是 docker 基于二进制安装的角色，根据情况修改
[root@ansible-server harbor-https]# vim meta/main.yml
# Roles that run before this one: docker-binary installs the engine from the
# static tarball, docker-compose the compose binary harbor.service relies on.
# Replace docker-binary with another install role if the engine comes from
# elsewhere.
dependencies:
  - docker-binary
  - docker-compose
[root@ansible-server harbor-https]# cd ../../
[root@ansible-server ansible]# tree roles/harbor-https/
roles/harbor-https/
├── files
│ └── harbor-offline-installer-v2.3.5.tgz
├── meta
│ └── main.yml
├── tasks
│ ├── config.yml
│ ├── create_certs.yml
│ ├── harbor_files.yml
│ ├── install_harbor.yml
│ ├── install_python.yml
│ ├── main.yml
│ ├── service_file.yml
│ └── service.yml
├── templates
│ └── harbor.service.j2
└── vars
└── main.yml
5 directories, 12 files
[root@ansible-server ansible]# vim harbor_https_role.yml
---
# Applies harbor-https (and, through its meta/main.yml, docker-binary and
# docker-compose) to every host in the inventory.
- hosts: all
  roles:
    - harbor-https
[root@ansible-server ansible]# ansible-playbook harbor_https_role.yml
PLAY [all] ************************************************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************************
ok: [172.31.0.103]
ok: [172.31.0.104]
ok: [172.31.0.105]
ok: [172.31.0.101]
ok: [172.31.0.102]
TASK [docker-binary : unarchive docker package] **********************************************************************************************
changed: [172.31.0.101]
changed: [172.31.0.102]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.103]
TASK [docker-binary : move docker files] ******************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.102]
changed: [172.31.0.101]
TASK [docker-binary : copy docker.service file] ***********************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.102]
changed: [172.31.0.101]
TASK [docker-binary : mkdir /etc/docker] ******************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
changed: [172.31.0.102]
changed: [172.31.0.101]
TASK [docker-binary : set mirror_accelerator] *************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [docker-binary : set docker alias] *******************************************************************************************************
changed: [172.31.0.103] => (item=alias rmi="docker images -qa|xargs docker rmi -f")
changed: [172.31.0.104] => (item=alias rmi="docker images -qa|xargs docker rmi -f")
changed: [172.31.0.102] => (item=alias rmi="docker images -qa|xargs docker rmi -f")
changed: [172.31.0.105] => (item=alias rmi="docker images -qa|xargs docker rmi -f")
changed: [172.31.0.101] => (item=alias rmi="docker images -qa|xargs docker rmi -f")
changed: [172.31.0.103] => (item=alias rmc="docker ps -qa|xargs docker rm -f")
changed: [172.31.0.104] => (item=alias rmc="docker ps -qa|xargs docker rm -f")
changed: [172.31.0.105] => (item=alias rmc="docker ps -qa|xargs docker rm -f")
changed: [172.31.0.101] => (item=alias rmc="docker ps -qa|xargs docker rm -f")
changed: [172.31.0.102] => (item=alias rmc="docker ps -qa|xargs docker rm -f")
TASK [docker-binary : start docker] ***********************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.101]
changed: [172.31.0.102]
changed: [172.31.0.104]
changed: [172.31.0.105]
TASK [docker-binary : set WARNING No swap limit support] **************************************************************************************
skipping: [172.31.0.101]
skipping: [172.31.0.102]
skipping: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
TASK [docker-binary : update-grub] ************************************************************************************************************
skipping: [172.31.0.102]
skipping: [172.31.0.101]
skipping: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
TASK [docker-binary : reboot Ubuntu system] ***************************************************************************************************
skipping: [172.31.0.101]
skipping: [172.31.0.102]
skipping: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
TASK [docker-compose : copy docker compose file] **********************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : create HARBOR_INSTALL_DIR directory] *************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : unarchive harbor package] ***********************************************************************************************
changed: [172.31.0.102]
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.101]
changed: [172.31.0.104]
TASK [harbor-https : touch file] **************************************************************************************************************
changed: [172.31.0.104]
changed: [172.31.0.105]
changed: [172.31.0.103]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : create certs directory] **************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
changed: [172.31.0.102]
changed: [172.31.0.101]
TASK [harbor-https : create ca.crt file] ******************************************************************************************************
changed: [172.31.0.105]
changed: [172.31.0.103]
changed: [172.31.0.101]
changed: [172.31.0.102]
changed: [172.31.0.104]
TASK [harbor-https : create hostname.csr file] ************************************************************************************************
changed: [172.31.0.102]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.105]
changed: [172.31.0.103]
TASK [harbor-https : create hostname.csr file] ************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.105]
changed: [172.31.0.102]
TASK [harbor-https : mv harbor.yml] ***********************************************************************************************************
changed: [172.31.0.104]
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : set harbor.yml file 'hostname' string line] ******************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : set harbor.yml file 'harbor_admin_password' string line] *****************************************************************
changed: [172.31.0.103]
changed: [172.31.0.101]
changed: [172.31.0.104]
changed: [172.31.0.105]
changed: [172.31.0.102]
TASK [harbor-https : set harbor.yml file 'certificate' string line] ***************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : set harbor.yml file 'private_key' string line] ***************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.105]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.102]
TASK [harbor-https : install CentOS or Rocky python] ******************************************************************************************
skipping: [172.31.0.104]
skipping: [172.31.0.105]
changed: [172.31.0.102]
changed: [172.31.0.101]
changed: [172.31.0.103]
TASK [harbor-https : delete lock files] *******************************************************************************************************
skipping: [172.31.0.101] => (item=/var/lib/dpkg/lock)
skipping: [172.31.0.101] => (item=/var/lib/apt/lists/lock)
skipping: [172.31.0.101] => (item=/var/cache/apt/archives/lock)
skipping: [172.31.0.102] => (item=/var/lib/dpkg/lock)
skipping: [172.31.0.102] => (item=/var/lib/apt/lists/lock)
skipping: [172.31.0.102] => (item=/var/cache/apt/archives/lock)
skipping: [172.31.0.103] => (item=/var/lib/dpkg/lock)
skipping: [172.31.0.103] => (item=/var/lib/apt/lists/lock)
skipping: [172.31.0.103] => (item=/var/cache/apt/archives/lock)
changed: [172.31.0.104] => (item=/var/lib/dpkg/lock)
changed: [172.31.0.105] => (item=/var/lib/dpkg/lock)
changed: [172.31.0.104] => (item=/var/lib/apt/lists/lock)
changed: [172.31.0.105] => (item=/var/lib/apt/lists/lock)
changed: [172.31.0.105] => (item=/var/cache/apt/archives/lock)
changed: [172.31.0.104] => (item=/var/cache/apt/archives/lock)
TASK [harbor-https : apt update] **************************************************************************************************************
skipping: [172.31.0.101]
skipping: [172.31.0.102]
skipping: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
TASK [harbor-https : install Ubuntu python] ***************************************************************************************************
skipping: [172.31.0.101]
skipping: [172.31.0.102]
skipping: [172.31.0.103]
ok: [172.31.0.105]
ok: [172.31.0.104]
TASK [harbor-https : install harbor] **********************************************************************************************************
changed: [172.31.0.102]
changed: [172.31.0.101]
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.105]
TASK [harbor-https : copy harbor.service] *****************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.104]
changed: [172.31.0.101]
changed: [172.31.0.102]
changed: [172.31.0.105]
TASK [harbor-https : service enable] **********************************************************************************************************
changed: [172.31.0.103]
changed: [172.31.0.102]
changed: [172.31.0.101]
changed: [172.31.0.105]
changed: [172.31.0.104]
PLAY RECAP ************************************************************************************************************************************
172.31.0.101 : ok=25 changed=24 unreachable=0 failed=0 skipped=6 rescued=0 ignored=0
172.31.0.102 : ok=25 changed=24 unreachable=0 failed=0 skipped=6 rescued=0 ignored=0
172.31.0.103 : ok=25 changed=24 unreachable=0 failed=0 skipped=6 rescued=0 ignored=0
172.31.0.104 : ok=30 changed=28 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
172.31.0.105 : ok=30 changed=28 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0