如何使用組態工具 Ansible 自動部署 WordPress 環境 / Using Ansible for Auto-deployment of WordPress Development_林震洲 / Chris Lin

Transcript

1. ইֵ֜አ奲䙪ૡٍ Ansible 
 ᛔ㵕᮱ᗟ WordPress 姜ᒊ

2. ᛔ౯Օ奧 • ຋ᵵၖ / Chris Lin • 樄නᔮ妞ጱࡅঅᘏ, ྋࣁറᔱ WordPress

   姜ᒊຝ戔岈䤖䢡涐㵕妿冓 • email: [email protected] • website: https://techseo.tw • facebook: @run.a.wordpress.site

3. ౯ضڹጱ WordPress ຝ戔妿涢 • ຝࣁ ubuntu 18.04 Ӥ • ؉کߺ

   google کߺ • ૡ֢夹ኼړ౮ӣ᮱ړғ • Linux ඪൔᑕୗғufw, fail2ban and etc. • ஍ᒒඪൔزկғmysql, php-fpm, redis and etc. • WordPress ๜℆岈ൊկ҅क़懃ጱӥ斉戔ਧ • 奞℄౯஫ԧ

4. ՔॠړՁ㲌਻ 1. Ansible ฎՋ焒ҘAnsible ጱᇙᜋҘ 2. Ansible ਞ愇岈戔ਧ 3. Ansible

   ெ焒䁆ᤈ 4. ֵአ Ansible ຝ戔 WordPress 5. Demo 6.婦奾

5. 1. Ansible ฎՋ焒ҘAnsible ጱᇙᜋҘ • Ӟॺᛔ㵕۸奲䙪ᓕቘૡٍ • ٍ℆䋿匍 IaC (Infrastructure

   as Code) ᓕഴ岈戔ਧ • ݝᵱਞ愇ࣁഴګԆ䱛ᒒ҅᭐晃 ssh 䌘ᤩഴԆ䱛ᒒ昲ᤈഴګ౲᮱ᗟ҅ӧ ᵱᥝׁ搫դቘᑕୗ • ֵአᘏզ YMAL ໒ୗ娒䌃҅ฃෝᇇഴ敟℆ᓕቘ • 䋊嬹ใ娄ੜ

6. 2. Ansible ਞ愇岈戔ਧ • ࣁഴګᒒԆ䱛Ӥ ( Mac ) • ֵአ

   pip ౲ brew • ኞ౮ SSH ل槄岈ᐺ槄ҁpublich & private key҂ $ssh-keygen -t rsa • 愢愚ل槄کᤩഴᒒ $ssh-copy-id <user>@<managed host> • ࣁᤩഴᒒԆ䱛Ӥ • 嘦扯 ssh ૪妿㺠㵕 • 嘦扯ጭ桟䒒彚ݢ؉ sudo ਂݐ • 嘦扯 python ᑕୗ૪ਞ愇

7. $ cat ansible.cfg [defaults] inventory = hosts host_key_checking = False

   remote_user=vagrant private_key_file=~/.ssh/id_rsa • Inventory ғhosts ᤩഴᒒԆ䱛ፘ橕㷢䤖 • ansible.cfg ansible 䁆ᤈ䦒ጱ㷢䤖 3. Ansible ெ焒䁆ᤈ $ cat hosts [webhost] web 142.93.214.145 ansible_python_interpreter=/usr/ bin/python3

8. $ ansible dev1.local -m "command" -a "date" dev1.local | CHANGED

   | rc=0 >> Mon Dec 9 22:21:05 UTC 2019 $ ansible dev1.local -m ping dev1.local | SUCCESS => { "changed": false, "ping": "pong" } 㻌ེձ㵗 $ ansible <host> -m <module> -a <argument>

9. ಢེձ㵗 $ansible-playbook <host> <playbook>

10. Playbook ጱ䯤౮ • play • hosts • tasks • module

    --- # The playbook creates a new database test. - hosts: $servername remote_user: root tasks: - name: Create a new database and user mongodb_user: login_user=admin login_password=$ {mongo_admin_pass} login_port=${mongos_port} database=test user=admin password=${mongo_admin_pass} state=present - name: Pause for the user to get created and replicated pause: minutes=3 - name: Execute the collection creation script command: /usr/bin/mongo localhost:${mongos_port}/test - admin -p ${mongo_admin_pass} /tmp/testsharding.js - name: Enable sharding on the database and collection command: /usr/bin/mongo localhost:${mongos_port}/admin admin -p ${mongo_admin_pass} /tmp/enablesharding.js Ӟ㮆 play ࢥ㮆 Tasks

11. Playbook ݚӞ圵୵ୗғrole • play • hosts • roles --- #

    This playbook deploys the whole application this site. - name: apply common configuration to all nod hosts: all remote_user: root roles: - common - name: configure and deploy the webservers a application code hosts: webservers remote_user: root roles: - web - name: deploy MySQL and configure the databa hosts: dbservers remote_user: root roles: - db զroles 奲౮ձ㵗Ⴔ㻌 ӣ㮆 play

12. Playbook Ӿጱ᥯ᜋҁRole҂ • ࢥ㮆ձ㵗岈൫ᯈጱ䲆ໜ䯤౮ ጱ role --- # This playbook

    contains common plays that wil - name: Install ntp yum: name=ntp state=present tags: ntp - name: Configure ntp file template: src=ntp.conf.j2 dest=/etc/ntp.conf tags: ntp notify: restart ntp - name: Start the ntp service service: name=ntpd state=started enabled=yes tags: ntp - name: test to see if selinux is running command: getenforce register: sestatus changed_when: false ࢥ㮆ձ㵗 NTP 戔ਧ䲆ཛྷ຃

13. Playbook Ӿጱཛྷ຃ᔮ妞ҁtemplate҂ • jinja2 ཛྷ຃୚කᓕቘ戔ਧ ҁconfiguration҂෈կ • ᭐晃捧䤖޾ཛྷ຃ (Templates)҅㵕 䙪叨ኞ晍ᒒጱ戔ਧ䲆

    driftfile /var/lib/ntp/drift restrict 127.0.0.1 restrict -6 ::1 server {{ ntpserver }} includefile /etc/ntp/crypto/pw keys /etc/ntp/keys Ӟ㮆戔ਧ䲆ཛྷ຃ 捧䤖

14. ᥯ᜋҁRole҂娒䌃 • ansible-galaxy init ୌᒈ໛ຝ $ ansible-galaxy init wordpress-addons -

    Role wordpress-addons was created successfully $ tree ./wordpress-addons/ ./wordpress-addons/ ├── README.md ├── defaults │ └── main.yml ├── files ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── templates ├── tests │ ├── inventory │ └── test.yml └── vars └── main.yml

15. 4. ֵአ Ansible ຝ戔 WordPress • ᵱ࿢ • 朼䌘ग़ݣ ubuntu

    18.04 ຝ戔 • 墋ฃᴠᅉ℃ ufw • ਞ愇ຝ戔 Web֑๐࢏ nginx / php-fpm • ਞ愇ຝ戔揾ා䓚 mysql • ӥ斉㺠㵕 WordPress ๜℆岈承᥺ / क़懃 / क़䟑۱

16. ӧ殾ᥝ᯿ෛ咳ก斪ৼғℂ GitHub ׵አ $ git clone https://github.com/l3lackcurtains/ansible-wordpress-nginx (base) $ tree

    . ├── ansible.cfg ├── group_vars │ └── all.yml ├── hosts ├── play.yml ├── readme.md └── roles ├── common │ └── tasks │ └── main.yml ├── mysql │ └── tasks │ └── main.yml ├── nginx │ ├── tasks │ │ └── main.yml │ └── templates │ └── default ├── php-fpm │ └── tasks │ └── main.yml ├── users │ └── tasks │ └── main.yml ├── wordpress │ └── tasks │ └── main.yml └── wpcli └── tasks └── main.yml • ansible 䌕ໜጱ䲆ໜ奾䯤 • ansible.cfg • group_vars • hosts • play.yml • roles

17. ӧ殾ᥝ᯿ෛ咳ก斪ৼғplay.yml - hosts: webhost user: root roles: - users -

    common - mysql - nginx - php-fpm - wordpress - wpcli • play.yml 抠አ roles ׁଧ • ୌᒈadmin 䒒彚 • ๅෛ apt cache • ਞ愇 mySQL • ਞ愇 nginx҅֕ݝඪ ൔ http • ਞ愇 php-fpm 7.2 • 戔ਧ mySQL ׀ WordPress ֵአ • ਞ愇 WordPress

18. ڥአ匍౮斪ৼ • 䌔ᤩഴԆ䱛ړ气 • ᤩഴԆ䱛Ӥຝ戔ᴠᅉ℃҅׵አ᥯ᜋ markahesketh.ufw • ᥯ᜋ nginx ीےඪൔ

    https ۑᚆ • ᥯ᜋ php-fpm ද౮ׁ捧䤖ਞ愇 php ᇇ๜ • ᥯ᜋ wpcli ݷ圸ӧก҅䌔ۑᚆᑏک᥯ᜋ wordpress 㲌݄҅ᴻ๜᥯ ᜋ • ीے᥯ᜋ wordpress-addons҅൉׀ے愇क़懃ҁ Theme )҅क़䟑 ҁ Plugin ҂ۑᚆ

19. 憒㴟ᤩഴԆ䱛, ץද hosts [all] dev1.local ansible_host=192.168.50.5 staging1 ansible_host=192.168.50.10 prod1 ansible_host=192.168.50.11

    prod2 ansible_host=192.168.50.12 [development] dev1.local [staging] staging1 [production] prod1 prod2 [taipei] staging1 prod1 [tokyo] prod2 • 妔ਧݱݑഴԆ䱛 IP, 䧞圸 • ׁۑᚆړᗭ奲 • ׁࣈ焧ړᗭ奲

20. ׵አ᥯ᜋҁrole) markahesketh.ufw / carloslongarela.php7 • 㻌加ړ㳨ے愇 $ansible-galaxy install markahesketh.ufw $ansible-galaxy

    install carloslongarela.php7 • ౲ฎ娒斯 requirements.yml - name : markahesketh.ufw - name : carloslongarela.php7 ٚЩ᩸斉ف $ansible-galaxy install -r requirements.yml

21. nginx ीےඪൔ https - name: Install Nginx apt: name: nginx

    state: latest - name: Self Signed Certificate include_tasks: self-signed-cert.yml when: host_name == "dev1.local" tags: self-signed - name: Add {{ ssh_user }} to www-data group user: name: "{{ ssh_user }}" groups: www-data append: yes - name: Use nginx configuration for wordpress template: src: https.conf.j2 dest: /etc/nginx/sites-available/default - name: Restart Nginx service: name: nginx state: restarted enabled: yes - name: Install Nginx apt: name: nginx state: latest - name: Add {{ ssh_user }} to www- data group user: name: "{{ ssh_user }}" groups: www-data append: yes - name: Use nginx configuration for wordpress template: src: default dest: /etc/nginx/sites- available/default - name: Restart Nginx service: name: nginx state: restarted enabled: yes

22. ᛔᤈ墣ᗟጱ SSL 䚣挨 - name: Ensure python OpenSSL dependencies are

    installed. pip: name: pyOpenSSL state: present - name: Ensure directory exists for local self-signed TLS certs. file: path: "{{ certificate_dir }}/{{ host_name }}" state: directory - name: Generate an OpenSSL private key. openssl_privatekey: path: "{{ certificate_dir }}/{{ host_name }}/ privkey.pem" - name: Generate an OpenSSL CSR. openssl_csr: path: "{{ certificate_dir }}/{{ host_name }}.csr" privatekey_path: "{{ certificate_dir }}/ {{ host_name }}/privkey.pem" common_name: "{{ host_name }}" - name: Generate a Self Signed OpenSSL certificate. openssl_certificate: path: "{{ certificate_dir }}/{{ host_name }}/ fullchain.pem" privatekey_path: "{{ certificate_dir }}/ {{ host_name }}/privkey.pem" csr_path: "{{ certificate_dir }}/ {{ host_name }}.csr" provider: selfsigned • ֵአ Crypto ཛྷ奲 • openssl_privatekey • openssl_csr • openssl_certificate

23. 戔ਧ nginx ඪൔ https # Redirect HTTP traffic to HTTPS.

    server { listen 80 default_server; server_name _; index index.html; return 301 https://$host$request_uri; } # Serve HTTPS traffic using the self-signed certificate created Ansible. server { listen 443 ssl default_server; server_name {{ host_name }}; root /var/www/html/wordpress; index index.php index.html index.htm index.nginx-debian.htm ssl_certificate {{ certificate_dir }}/{{ host_name }}/ fullchain.pem; ssl_certificate_key {{ certificate_dir }}/{{ host_name }}/ privkey.pem; location / { try_files $uri $uri/ /index.php$is_args$args; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php{{php_version}}-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } location ~ /\.ht { deny all; } } server { listen 80; listen [::]:80; root /var/www/html/wordpress; index index.php index.html index.htm index.nginx-debian.html; client_max_body_size 256M; server_name {{ host_name }}; location / { try_files $uri $uri/ / index.php$is_args$args; } location ~ \.php$ { include snippets/fastcgi- php.conf; fastcgi_pass unix:/run/php/ php{{ php_version }}-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } location ~ /\.ht { deny all; } }

24. ᛔ䌃᥯ᜋ wordpress-addons • ݝ娒䌃 tasks/main.yml, զ wp ೰ե愇戔 • 承᥺۱

    • क़懃 • ൊկ • ٌ沓ፓ桟䲆ໜӧ㵕 # tasks file for install_themes_plugins - name: site language install and activate command: wp --path="/var/www/html/wordpress" language core install {{ site_language }} --activate ignore_errors: yes become: yes become_user: "www-data" when: site_language != '' - name: theme install and activate command: wp --path="/var/www/html/wordpress" theme install {{ activate_theme }} --activate ignore_errors: yes become: yes become_user: "www-data" when: activate_theme != '' - name: plugins install and activate command: wp --path="/var/www/html/wordpress" plugin install {{ item }} --activate become: yes become_user: "www-data" when: item != '' with_items: - "{{ activate_plugins | default([]) }}" - name: plugins install command: wp --path="/var/www/html/wordpress" plugin install {{ item }} become: yes become_user: "www-data" when: item != '' with_items: - "{{ plugins | default([]) }}"

25. ץද㴣๜ - hosts: all become: yes roles: - users -

    common - markahesketh.ufw - mysql - { role: 'nginx', tags: 'nginx' } # - php-fpm - carloslongarela.php7 - wordpress # - wpcli - { role: wordpress-addons, tags: 'wordpress-addons' } - name: Provision LEMP / WordPress and related tools - hosts: webhost user: root roles: - users - common - mysql - nginx - php-fpm - wordpress - wpcli ෛी ෛी ๊䟵

26. ץද group_vars/all.yml • ीے php_version: 7.3 • ीے site_language: zh_TW

    # ansible public and private keys ansible_ssh_pub_key: "{{ lookup('file', '~/ ansible_ssh_private_key_file: ~/.ssh/id_rsa # sudo user and group ssh_user: ansible ssh_groups: "sudo" php_version: 7.3 site_language : 'zh_TW' # default theme|slug|url|zip (local path, / activate_theme : 'twentyseventeen' themes : [] # slug|url|zip (local path, /vagrant/plugin activate_plugins: - query-monitor plugins: - health-check

27. ीے hosts/dev1.local.yml • 䲆ݷ੪ฎԆ䱛圸ݷ + .yml • 㱪ਂ春ݣԆ䱛䌕ํጱ戔ਧ ansible_user: vagrant

    ansible_python_interpreter: "/usr/ bin/python3" # Wordpress Database Information host_name: "dev1.local" wp_db_name: wordpress1 wp_db_user: wordpress wp_db_password: w0rdpr355 wp_db_prefix: wp_ # Wordpress Website Information wp_title: Demo Dev1 Website wp_admin_user: admin wp_admin_password: passw0rd wp_admin_email: [email protected] # Self-signed certificate settings. certificate_dir: /etc/ssl/private

28. ֵአ Ansible Vault ᓕቘභఽ揾ා • 䌘ก෈䲆ໜ昲ᤈےੂ $ ansible-vault encrypt —vault-id

    prompt dev1.yml $ ansible-vault encrypt —vault-id mark@pwdfile dev1.yml host_vars/dev1.yml $ANSIBLE_VAULT;1.2;AES256;mark 33343138306636363630323636323938313932383762366364313564366663613339653161363331 3538383865393632623162313030306534313135393139360a396464623366306264323761376130 37343733356238666139643361356636343064333564383136383635366563663264633266343431 6436653563633764350a366533333861666261346537346435363632633262366361363734316135 31313339303263356638333263633663656233383136363565646237373366343866326633373662 30333535666261376261653930366565306166356536326339316261666661626638313566623664 33366637656133363964363035316662626330386530653464306634333438393732636165633964 37353033623636383761643261623061613335656637643531383037663065643837636434653839 64623533376666396564623364623666643737636536336132663734623262333035616334613762 35386135303833306462613332616635313535303761323366653435633763633061326539333563 31306633346138343264356565383662386361663231393934333533326431336330363635646566 63396331616130343538316363383465613235313333323434656262393631386437306339303130 30326133616165326536393038646161616231353566633332623462663436663764376436663031 30333235363139343661623364366163393665366361653162333862356233653437653063303131 38666330343066376466393335626430636662326333653935353866316637333965366636383533 61313933333732306434343765623864336464666634633739613039386330613534373936323532 61646464393965303563623565323265386632343630366439386165313831646436333263393664 61376432323933643439343466656431636233326466643161623137383538333830653536363335 62346536653032303435613437383639336538373965336637666231353062383139363237626336 38616661316464386664383166656163636433626364393038643830303331656530346536656132 61393738373338313533343662396565633434616333633330623462356637303761386435613033 3466366634363866653462623466653032336162633235373564

29. 䁆ᤈ Ansible playbook • 嘦扯 ansible.cfg 戔ਧ҅׵አጱ᥯ᜋ૪斉ف $ansible-playbook play.yml —

    limit <host> $ansible-playbook play.yml — vault-id prompt $ansible-playbook play.yml — vault-id <vault_password_file>

30. ᴻ梊ੜ൉ᐏ • ansible-playbook 䁆ᤈ晝殻 • — list-tasks ڜڊࣁܨ䌔ᥝ䁆ᤈጱ playbook ӾํߺԶ

    tasks 䨝ᤩ䁆ᤈ • — list-hosts ڜڊፓڹᥝ䁆ᤈጱ playbook 䨝ࣁߺԶ hosts Ӥ䁆ᤈ • — limit <host> ݝࣁߺԶ hosts Ӥ䁆ᤈ • — tags <tags1, tags2..> ݝ䁆ᤈᮎԶ tags ಅ䰤ਧጱૡ֢ҁTask҂

31. 5. Demo

32. None

33. 6. 婦奾 • Քॠ౯㮉Օ奧ԧ • च๜ ansible 懃ஷ҅زᔰֵ҅አ • ansible

    playbook ጱ䯤౮ • 晤አ ansible ೰եຝ戔ԧӞ㮆 WordPress 姜ᒊ㪔؉ Demo

34. ҪѿҚ

35. 拽拽