What statement do you use for error handling? For instance, if you have code in a block and it fails, give it something to do to roll with the punches and maybe fix the error.
rescue:
- name:
module:
In your block there are tasks that fail. What do you put to run the next code in the block regardless if these fail.
always:
- name:
module:
Create a block of tasks
First it will remove a file
If there are any issues with this task failing, create a file in /tmp called ‘rescuefile’ and allow the playbook to complete.
Next, regardless of success or failure of the first task, have a task run make a log message.
There should be a message noting everything that’s happening in the playbook.
- name: using blocks
hosts: all
tasks:- name: Intended to be successful block
block:- name: remove file
shell:
cmd: rm /var/www/html/index.html - name: print status
debug:
msg: ‘block was operated’ - name: create a file
rescue:- name: create a file
shell:
cmd: touch /tmp/rescuefile - name: print rescue status
debug:
msg: ‘Rescue complete’
always:- name: log message
shell:
cmd: logger hello
- name: log message
- name: always print this message
debug:
msg: logger update
- name: create a file
- name: remove file
- name: Intended to be successful block
Blocks are great, but what’s a feature they don’t have?
You can’t use a loop that all tasks in block share
block:
tasks:
loop: {{ whatever }}
What are the most commonly used file modules? There are 10
file
copy
fetch - fetch files from remote locations
acl
find
lininfile
blockinfile
replace
synchronize
stat
How do you find related modules to file?
ansible-doc file
Show the statistics of /tmp/temporary
- stat:
path: /tmp/temporary
register: fs - debug:
msg: “{{ fs }}”
Register a files stats and make a condition based on one of the pieces of info. If it is not met, force the playbook to fail
- command: touch /tmp/statfile
- name stat file
stat:
path: /tmp/statfile
register: fs - fail:
msg: ‘unexpected file mode’
when: st.stat.mode != ‘0640’
Check SSHD for the permitrootlogin line and change it to no
If this causes a change, restart sshd
- name: SSH config
hosts: all
tasks:
- name: Disable Root Login
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
notify: restart sshd
handlers:
- name: Restart SSHD
service:
name: sshd
state: restartedCreate a file named /tmp/hosts and add the below lines to it:
192.168.4.110 host1.example.com
192.168.4.110 host1.example.com
- name: Add Hosts
hosts: all
tasks:
- name: Create file
file:
path: /tmp/hosts
state: touch
- name: Add junk
blockinfile:
path: /tmp/hosts
block: |
192.168.4.110 host1.example.com
192.168.4.110 host1.example.com
state: presentWhat are four things the file module can do?
Create new files or directories
create links
remove files
set permissions and ownership
What’s the difference between the modules synchronize and copy?
Copy always makes a new file
synchronize just updates it
Copy is used to copy files FROM the control node
How do you copy files FROM the managed node
fetch
What is a checksum used for?
Copy over /etc/hosts to the managed node’s /tmp directory.
Add two lines to it for whatever hosts you want
Register a checksum for /tmp/hosts
Print the checksum
grab the file from /tmp/hosts and put it in your tmp folder
Where did the file go?
Checksums are used to determin if a file has changed and needs to be copied or updated.
- name: Test
hosts: all
tasks:
- name: copy
copy:
src: /etc/hosts
dest: /tmp/hosts
- name: Add junk
blockinfile:
path: /tmp/hosts
block: |
192.168.4.110 host1.example.com
192.168.4.110 host1.example.com
state: present
- name: checksum
stat:
path:
checksum_algorithm: md5
register: result
- name: debug
debug:
msg: {{ result.stat.checksum }}
- name: fetch file
fetch:
src: /tmp/hosts
dest: /tmpA directory was created for it in tmp with it’s name
Create a file on ansible1
register it’s status in a variable and print it
Change the user to ‘ansible’ if that isn’t the owner
Add another play that:
gets the motd from ansible1, put it in your temp directory
Add a play that adds text the motd
copy the motd to ansible2
- name: Testing file manipulation
hosts: ansible1
tasks:- name: Create a new file
file:
path: /tmp/newfile
state: touch - name: Check file status
stat:
path: /tmp/newfile
register: newfile - name: debugging
debug:
msg: “{{ newfile }}” - name: Change file owner if needed
file:
path: /tmp/newfile
owner: ansible
when: newfile.stat.pw_name != ‘ansible’
- name: Create a new file
- name: Fetching remote file
hosts: ansible1
tasks:- name: Fetch file from a remote machine
fetch:
src: /etc/motd
dest: /tmp
- name: Fetch file from a remote machine
- name: Add text to the file that is now on localhost
hosts: localhost
tasks:- name: Add a message
blockinfile:
path: /tmp/ansible1/etc/motd
block: |
Welcome to this server
for authorized users only
state: present - name: Copy file to ansible2
hosts: ansible2
tasks:- name: copy motd file
copy:
src: /tmp/ansible/etc/motd
dest: /tmp
- name: copy motd file
- name: Add a message
What’s setting the context at file level rather than the selinux context
chcon vs semanage fcontext
What do you need to run selinux ansible playbooks on a managed node
policycoreutils-python-utils
Install Selinux commands
Create a file
Give it the contenxt type httpd_sys_content_type
Run restorecon
- name: show selinux
hosts: all
tasks:- name: Install required packages
dnf:
name: policycoreutils-python-utils
state: latest - name: Create test file
file:
name: /tmp/testfile
state: touch - name: Set Selinux Context
sefcontext:
target: /tmp/selinux
setype: httpd_sys_content_t
state: present
notify:- run restorecon
- name: run restorecon
command: restorecon -v /tmp/selinux - name: Install required packages
What does it mean to configure a service with a nondefault document root
Changing /var/www/html to a different path via httpd <- example
Create a playbook variable of httpd_read_user_content
Enable SElinux in targeted mode
Check the boolean’s status/info and register it
Show the boolean’s status
Enabled the boolean
- name: enable selinux and boolean
hosts: ansible1
vars:- my_boolean: httpd_read_user_content
tasks: - name: Enable SELinux
selinux:
policy: targeted
state: enforcing - name: Check current {{ my_boolean }} boolean status
shell: getsebool -a | grep {{ my_boolean }}
register: bool_stat - name: Show boolean status
debug:
msg: the current {{ my_boolean }} status is {{ bool_stat.stdout }} - name: enable boolean
seboolean:
name: “{{ my_boolean }}”
state: yes
persistent: yes
- my_boolean: httpd_read_user_content
Install , start and configure a webserver that has the DocumentRoot set to the /web directory. The file should be called index.html and it should say something welcoming the user to the server.
Ensure that SElinux is enabled and allows acces to the web server document root.
SElinux should allow user to publish web pages from their home directory.
This will reveal something is wrong when you try to curl the page, figure out why.
Best practice for a long playbook like this it to create the file header and add the task names prior.
- name: Managing web server SELinux properties
hosts: ansible1
tasks:- name: Ensure SELinux is enabled and enforcing
selinux:
policy: targeted
state: enforcing - name: install webserver
dnf:
name: httpd
state: latest - name: start and enable webserver
service:
name: httpd
state: started
enabled: true - name: open firewall service
block:- firewalld:
service: http
state: enabled
immediate: yes
- firewalld:
- name: create /web directory
file:
path: /web
state: directory - name: create index.html file in /web
copy:
content: |
welcome to the web server
dest: /web/index.html - name: use lineinfile to change webserver config
lineinfile:
path: /etc/httpd/conf/httpd.conf
regexp: ‘^<Directory “/var/www”>
line: ‘<Directory “/web”>’ - name: use sefcontext to set context on new documentroot
sefcontext:
target: /web(/.*)?
setype: httpd_sys_content_t
state: present - name: run resorecon
shell: restorecon -Rv /web - name: allow web server to run user content
seboolean:
name: httpd_read_user_content
state: yes
persistent: yes
- name: Ensure SELinux is enabled and enforcing
