DO374 - ch06s02

Preface A: Introduction

Section A.1: Developing Advanced Automation with Red Hat Ansible Automation Platform

Section A.2: Orientation to the Classroom Environment

Section A.3: Performing Lab Exercises

Chapter 1: Developing Playbooks with Ansible Automation Platform 2

Section 1.1: Red Hat Ansible Automation Platform 2

Section 1.2: Quiz: Red Hat Ansible Automation Platform 2

Section 1.3: Running Playbooks with Automation Content Navigator

Section 1.4: Guided Exercise: Running Playbooks with Automation Content Navigator

Section 1.5: Managing Ansible Project Materials Using Git

Section 1.6: Guided Exercise: Managing Ansible Project Materials Using Git

Section 1.7: Implementing Recommended Ansible Practices

Section 1.8: Guided Exercise: Implementing Recommended Ansible Practices

Section 1.9: Lab: Developing Playbooks with Ansible Automation Platform

Section 1.10: Summary

Chapter 2: Managing Content Collections and Execution Environments

Section 2.1: Reusing Content from Ansible Content Collections

Section 2.2: Guided Exercise: Reusing Content from Ansible Content Collections

Section 2.3: Finding and Installing Ansible Content Collections

Section 2.4: Guided Exercise: Finding and Installing Ansible Content Collections

Section 2.5: Selecting an Execution Environment

Section 2.6: Guided Exercise: Selecting an Execution Environment

Section 2.7: Lab: Managing Content Collections and Execution Environments

Section 2.8: Summary

Chapter 3: Running Playbooks with Automation Controller

Section 3.1: Explaining the Automation Controller Architecture

Section 3.2: Quiz: Explaining the Automation Controller Architecture

Section 3.3: Running Playbooks in Automation Controller

Section 3.4: Guided Exercise: Running Playbooks in Automation Controller

Section 3.5: Lab: Running Playbooks with Automation Controller

Section 3.6: Summary

Chapter 4: Working with Ansible Configuration Settings

Section 4.1: Examining the Ansible Configuration with Automation Content Navigator

Section 4.2: Guided Exercise: Examining the Ansible Configuration with Automation Content Navigator

Section 4.3: Configuring Automation Content Navigator

Section 4.4: Guided Exercise: Configuring Automation Content Navigator

Section 4.5: Lab: Working with Ansible Configuration Settings

Section 4.6: Summary

Chapter 5: Managing Inventories

Section 5.1: Managing Dynamic Inventories

Section 5.2: Guided Exercise: Managing Dynamic Inventories

Section 5.3: Writing YAML Inventory Files

Section 5.4: Guided Exercise: Writing YAML Inventory Files

Section 5.5: Managing Inventory Variables

Section 5.6: Guided Exercise: Managing Inventory Variables

Section 5.7: Lab: Managing Inventories

Section 5.8: Summary

Chapter 6: Managing Task Execution

Section 6.1: Controlling Privilege Escalation

SectionSection 6.2: Guided Exercise: Controlling Privilege Escalation

Section 6.3: Controlling Task Execution

Section 6.4: Guided Exercise: Controlling Task Execution

Section 6.5: Running Selected Tasks

Section 6.6: Guided Exercise: Running Selected Tasks

Section 6.7: Optimizing Execution for Speed

Section 6.8: Guided Exercise: Optimizing Execution for Speed

Section 6.9: Lab: Managing Task Execution

Section 6.10: Summary

Chapter 7: Transforming Data with Filters and Plug-ins

Section 7.1: Processing Variables Using Filters

Section 7.2: Guided Exercise: Processing Variables Using Filters

Section 7.3: Templating External Data Using Lookups

Section 7.4: Guided Exercise: Templating External Data Using Lookups

Section 7.5: Implementing Advanced Loops

Section 7.6: Guided Exercise: Implementing Advanced Loops

Section 7.7: Using Filters to Work with Network Addresses

Section 7.8: Guided Exercise: Using Filters to Work with Network Addresses

Section 7.9: Lab: Transforming Data with Filters and Plug-ins

Section 7.10: Summary

Chapter 8: Coordinating Rolling Updates

Section 8.1: Delegating Tasks and Facts

Section 8.2: Guided Exercise: Delegating Tasks and Facts

Section 8.3: Configuring Parallelism

Section 8.4: Guided Exercise: Configuring Parallelism

Section 8.5: Managing Rolling Updates

Section 8.6: Guided Exercise: Managing Rolling Updates

Section 8.7: Lab: Coordinating Rolling Updates

Section 8.8: Summary

Chapter 9: Creating Content Collections and Execution Environments

Section 9.1: Writing Ansible Content Collections

Section 9.2: Guided Exercise: Writing Ansible Content Collections

Section 9.3: Building a Custom Automation Execution Environment

Section 9.4: Guided Exercise: Building a Custom Automation Execution Environment

Section 9.5: Validating a Custom Execution Environment

Section 9.6: Guided Exercise: Validating a Custom Execution Environment

Section 9.7: Using Custom Content Collections and Execution Environments in Automation Controller

Section 9.8: Guided Exercise: Using Custom Content Collections and Execution Environments in Automation Controller

Section 9.9: Lab: Creating Content Collections and Execution Environments

Section 9.10: Summary

Chapter 10: Comprehensive Review

Section 10.1: Comprehensive Review

Section 10.2: Lab: Managing Inventory Variables to Use with Automation Content Navigator

Section 10.3: Lab: Optimizing a Playbook for Large-scale Use

Section 10.4: Lab: Creating and Using Ansible Content Collections and Automation Execution Environments

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10

Guided Exercise: Controlling Privilege Escalation

Configure a playbook to escalate privileges only for specific plays, roles, tasks, or blocks that might need them to operate correctly.

Outcomes

Select the appropriate escalation method and privilege isolation.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start task-escalation

Procedure 6.1. Instructions

Clone the https://git.lab.example.com/student/task-escalation.git Git repository into the /home/student/git-repos directory and then create a new branch for this exercise.
1. From a terminal, create the /home/student/git-repos directory if it does not already exist, and then change into it.
```
[student@workstation ~]$ mkdir -p ~/git-repos/
[student@workstation ~]$ cd ~/git-repos/
```
2. Clone the https://git.lab.example.com/student/task-escalation.git repository and then change directory to the cloned repository:
```
[student@workstation git-repos]$ git clone \
> https://git.lab.example.com/student/task-escalation.git
Cloning into 'task-escalation'...
...output omitted...
[student@workstation git-repos]$ cd task-escalation
```
3. Create the exercise branch and check it out.
```
[student@workstation task-escalation]$ git checkout -b exercise
Switched to a new branch 'exercise'
```
Review the global privilege escalation setting in the project ansible.cfg file. Notice that become is set to false so no tasks run with escalated privileges.
```
[privilege_escalation]
become=false
become_method=sudo
become_user=root
become_ask_pass=false
```

Examine the intranet.yml playbook to determine the tasks that require escalation.

---
- name: Enable intranet services
  hosts: servera.lab.example.com
  tasks:
    - name: latest version of httpd and firewalld installed
      ansible.builtin.yum:
        name:
          - httpd
          - firewalld
        state: latest

    - name: test html page is installed
      ansible.builtin.copy:
        content: "Welcome to the example.com intranet!\n"
        dest: /var/www/html/index.html

    - name: firewalld enabled and running
      ansible.builtin.service:
        name: firewalld
        enabled: true
        state: started

    - name: firewalld permits http service
      ansible.posix.firewalld:
        service: http
        permanent: true
        state: enabled
        immediate: true

    - name: httpd enabled and running
      ansible.builtin.service:
        name: httpd
        enabled: true
        state: started

- name: Test intranet web server
  hosts: localhost
  tasks:
    - name: connect to intranet web server
      ansible.builtin.uri:
        url: http://servera.lab.example.com
        return_content: true
        status_code: 200

The tasks from the first play need privilege escalation to run, but the one task from the second play does not. You can use any of the following methods to satisfy those requirements:

Add become: true to the top of the first play. This setting causes every task in that play to run with privilege escalation unless otherwise specified.
Wrap sequential tasks that need escalation with a block setting, and set privilege escalation for the whole block.

Add the privilege escalation to tasks in the first play by using a block statement.

---
- name: Enable intranet services
  hosts: servera.lab.example.com
  tasks:
    - name: Tasks that require privilege escalation
      become: true
      block:
        - name: latest version of httpd and firewalld installed
          ansible.builtin.yum:
            name:
              - httpd
              - firewalld
            state: latest

        - name: test html page is installed
          ansible.builtin.copy:
            content: "Welcome to the example.com intranet!\n"
            dest: /var/www/html/index.html

        - name: firewalld enabled and running
          ansible.builtin.service:
            name: firewalld
            enabled: true
            state: started

        - name: firewalld permits http service
          ansible.posix.firewalld:
            service: http
            permanent: true
            state: enabled
            immediate: true

        - name: httpd enabled and running
          ansible.builtin.service:
            name: httpd
            enabled: true
            state: started

- name: Test intranet web server
  hosts: localhost
  tasks:
    - name: connect to intranet web server
      ansible.builtin.uri:
        url: http://servera.lab.example.com
        return_content: true
        status_code: 200

Use the ansible-navigator command to run the playbook:

[student@workstation task-escalation]$ ansible-navigator run intranet.yml

  Play name                 Ok  Changed  ...  Failed  ...  Task count   Progress
0│Enable intranet services   6        4  ...       0  ...           6   Complete
1│Test intranet web server   2        0  ...       0  ...           2   Complete

^f/PgUp page up     ^b/PgDn page down     ↑↓ scroll    esc back   ... Successful

Press ESC to exit from the ansible-navigator command.

Test that the playbook ran correctly:

[student@workstation task-escalation]$ curl servera.lab.example.com
Welcome to the example.com intranet!

Remove the block statement from the first play and add the become: true directive. This statement enables privilege escalation for every task in the first play.

Instead of removing the block manually, use the git command to restore the original file.
```
[student@workstation task-escalation]$ git restore intranet.yml
```

Add privilege escalation to tasks in the first play by using a become: true statement. The second play does not require privilege escalation and inherits become: false from the settings defined in the ansible.cfg file.

---
- name: Enable intranet services
  hosts: servera.lab.example.com
  become: true
  tasks:
    - name: latest version of httpd and firewalld installed
      ansible.builtin.yum:
        name:
          - httpd
          - firewalld
        state: latest

    - name: test html page is installed
      ansible.builtin.copy:
        content: "Welcome to the example.com intranet!\n"
        dest: /var/www/html/index.html

    - name: firewalld enabled and running
      ansible.builtin.service:
        name: firewalld
        enabled: true
        state: started

    - name: firewalld permits http service
      ansible.posix.firewalld:
        service: http
        permanent: true
        state: enabled
        immediate: true

    - name: httpd enabled and running
      ansible.builtin.service:
        name: httpd
        enabled: true
        state: started

- name: Test intranet web server
  hosts: localhost
  tasks:
    - name: connect to intranet web server
      ansible.builtin.uri:
        url: http://servera.lab.example.com
        return_content: true
        status_code: 200

Use the ansible-navigator command to run the playbook:

[student@workstation task-escalation]$ ansible-navigator run intranet.yml

  Play name                 Ok  Changed  ...  Failed  ...  Task count   Progress
0│Enable intranet services   6        0  ...       0  ...           6   Complete
1│Test intranet web server   2        0  ...       0  ...           2   Complete

^f/PgUp page up     ^b/PgDn page down     ↑↓ scroll    esc back   ... Successful

Press ESC to exit from the ansible-navigator command.

Test that the playbook ran correctly:

[student@workstation task-escalation]$ curl servera.lab.example.com
Welcome to the example.com intranet!

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish task-escalation

This concludes the section.

Discuss Developing Advanced Automation with Red Hat Ansible Automation Platform

Go to community

Welcome to the Developing Advanced Automation with Red Hat Ansible Automation (DO374) group!

Deanna

12 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Developing Advanced Automation with Red Hat Ansible Automation Platform! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO374.Read more about Developing Advanced Automation with Red Hat Ansible Automation Platform here.

2367

Revision: do374-2.2-82dc0d7