RH294 - ch02s06

Bookmark this page

Guided Exercise: Running Ad Hoc Commands

In this exercise, you will execute ad hoc commands on multiple managed hosts.

Outcomes

You should be able to execute commands on managed hosts on an ad hoc basis using privilege escalation.

You will execute ad hoc commands on workstation and servera using the devops user account. This account has the same sudo configuration on both workstation and servera.

On workstation, run the lab deploy-adhoc start command. This script ensures that the managed host servera is reachable on the network. It also creates and populates the /home/student/deploy-adhoc working directory with materials used in this exercise.

[student@workstation ~]$ lab deploy-adhoc start

Procedure 2.3. Instructions

Determine the sudo configuration for the devops account on both workstation and servera.
1. Determine the sudo configuration for the devops account that was configured when workstation was built. Enter student if prompted for the password for the student account.
```
[student@workstation ~]$ sudo -l -U devops
...output omitted...
User devops may run the following commands on workstation:
    (ALL) NOPASSWD: ALL
```
  Note that the user has full sudo privileges but does not require password authentication.
2. Determine the sudo configuration for the devops account that was configured when servera was built.
```
[student@workstation ~]$ ssh devops@servera.lab.example.com
[devops@servera ~]$ sudo -l
...output omitted...
User devops may run the following commands on servera:
    (ALL) NOPASSWD: ALL
[devops@servera ~]$ exit
```
  Note that the user has full sudo privileges but does not require password authentication.
Change directory to /home/student/deploy-adhoc and examine the contents of the ansible.cfg and inventory files.
```
[student@workstation ~]$ cd ~/deploy-adhoc
[student@workstation deploy-adhoc]$ cat ansible.cfg
[defaults]
inventory=inventory
[student@workstation deploy-adhoc]$ cat inventory
[control_node]
localhost

[intranetweb]
servera.lab.example.com
```
The configuration file uses the directory's inventory file as the Ansible inventory. Note that Ansible is not yet configured to use privilege escalation.

Using the all host group and the ping module, execute an ad hoc command that ensures all managed hosts can run Ansible modules using Python.

[student@workstation deploy-adhoc]$ ansible all -m ping
servera.lab.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
localhost | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

Using the command module, execute an ad hoc command on workstation to identify the user account that Ansible uses to perform operations on managed hosts. Use the localhost host pattern to connect to workstation for the ad hoc command execution. Because you are connecting locally, workstation is both the control node and managed host.
```
[student@workstation deploy-adhoc]$ ansible localhost -m command -a 'id'
localhost | CHANGED | rc=0 >>
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
Notice that the ad hoc command was performed on the managed host as the student user.

Execute the previous ad hoc command on workstation but connect and perform the operation with the devops user account by using the -u option.

[student@workstation deploy-adhoc]$ ansible localhost -m command -a 'id' -u devops
localhost | CHANGED | rc=0 >>
uid=1001(devops) gid=1001(devops) groups=1001(devops) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Notice that the ad hoc command was performed on the managed host as the devops user.

Using the copy module, execute an ad hoc command on workstation to change the contents of the /etc/motd file so that it consists of the string "Managed by Ansible" followed by a newline. Execute the command using the devops account, but do not use the --become option to switch to root. The ad hoc command should fail due to lack of permissions.
```
[student@workstation deploy-adhoc]$ ansible localhost -m copy \
> -a 'content="Managed by Ansible\n" dest=/etc/motd' -u devops
localhost | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "checksum": "4458b979ede3c332f8f2128385df4ba305e58c27",
    "msg": "Destination /etc not writable"
}
```
The ad hoc command failed because the devops user does not have permission to write to the file.
Run the command again using privilege escalation. You could fix the settings in the ansible.cfg file, but for this example just use appropriate command-line options of the ansible command.
Using the copy module, execute the previous command on workstation to change the contents of the /etc/motd file so that it consists of the string "Managed by Ansible" followed by a newline. Use the devops user to make the connection to the managed host, but perform the operation as the root user using the --become option. The use of the --become option is sufficient because the default value for the become_user directive is set to root in the /etc/ansible/ansible.cfg file.
```
[student@workstation deploy-adhoc]$ ansible localhost -m copy \
> -a 'content="Managed by Ansible\n" dest=/etc/motd' -u devops --become
localhost | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "checksum": "4458b979ede3c332f8f2128385df4ba305e58c27",
    "dest": "/etc/motd",
    "gid": 0,
    "group": "root",
    "md5sum": "65a4290ee5559756ad04e558b0e0c4e3",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:etc_t:s0",
    "size": 19,
    "src": "/home/devops/.ansible/tmp/ansible-tmp-1558954193.0260043-131348380629718/source",
    "state": "file",
    "uid": 0
}
```
Note that the command succeeded this time because the ad hoc command was executed with privilege escalation.

Run the previous ad hoc command again on all hosts using the all host group. This ensures that /etc/motd on both workstation and servera consist of the text " Managed by Ansible ".

[student@workstation deploy-adhoc]$ ansible all -m copy \
> -a 'content="Managed by Ansible\n" dest=/etc/motd' -u devops --become
servera.lab.example.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "checksum": "4458b979ede3c332f8f2128385df4ba305e58c27",
    "dest": "/etc/motd",
    "gid": 0,
    "group": "root",
    "md5sum": "65a4290ee5559756ad04e558b0e0c4e3",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:etc_t:s0",
    "size": 19,
    "src": "/home/devops/.ansible/tmp/ansible-tmp-1558954250.7893758-136255396678462/source",
    "state": "file",
    "uid": 0
}
localhost | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "checksum": "4458b979ede3c332f8f2128385df4ba305e58c27",
    "dest": "/etc/motd",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/etc/motd",
    "secontext": "system_u:object_r:etc_t:s0",
    "size": 19,
    "state": "file",
    "uid": 0
}

You should see SUCCESS for localhost and CHANGED for servera. However, localhost should report "changed": false because the file is already in the correct state. Conversely, servera should report "changed": true because the ad hoc command updated the file to the correct state.

Using the command module, execute an ad hoc command to run cat /etc/motd to verify that the contents of the file have been successfully modified on both workstation and servera. Use the all host group and the devops user to specify and make the connection to the managed hosts. You do not need privilege escalation for this command to work.
```
[student@workstation deploy-adhoc]$ ansible all -m command \
> -a 'cat /etc/motd' -u devops
servera.lab.example.com | CHANGED | rc=0 >>
Managed by Ansible

localhost | CHANGED | rc=0 >>
Managed by Ansible
```

Finish

On workstation, run the lab deploy-adhoc finish script to clean up this exercise.

[student@workstation ~]$ lab deploy-adhoc finish

This concludes the guided exercise.

Discuss Red Hat Enterprise Linux Automation with Ansible

Go to community

Red Hat Linux Automation with Ansible (RH294)

Haley_Ruccio

24 lip 2023

Learn how to automate Linux system administration tasks with Red Hat Ansible Automation PlatformRed Hat Enterprise Linux Automation with Ansible (RH294) is designed for Linux administrators and developers who need to automate repeatable and error-prone steps for system provisioning, configuration, application deployment, and orchestration. This course is based on Red Hat® Enterprise Linux® 9 and Red Hat Ansible Automation Platform 2.2.Course content summaryInstall Red Hat Ansible Automation Platform on control nodes.Create and update inventories of managed hosts and manage connections to them.Automate administration tasks with Ansible Playbooks and ad hoc commands.Write effective playbooks at scale.Protect sensitive data used by Ansible Automation Platform with Ansible Vault.Reuse code and simplify playbook development with Ansible Roles and Ansible Content Collections.Audience for this courseThis course is geared toward Linux system administrators, DevOps engineers, infrastructure automation engineers, and systems design engineers who are responsible for these tasks:Automating configuration managementEnsuring consistent and repeatable application deploymentProvisioning and deployment of development, testing, and production serversIntegrating with DevOps continuous integration/continuous delivery workflowsPrerequisites for this coursePass the Red Hat Certified System Administrator (RHCSA) exam (EX200), or demonstrate equivalent Red Hat Enterprise Linux knowledge and experience.Take our free assessment to gauge whether this offering is the best fit for your skills.

980

curl finds no route to host?

TPeters

23 lip 2023

I am doing the self-paced course RH294 . With two exercises (Ch.3 final Lab and Ch.4 lab exercise 2) I ran into this problem:after installing and starting a web service, from the classroom web termicaI I cannot reach servera.lab.example.com with curl: "No route to host". This despite the fact that I can ping it, open a shell to it, and install the package on it with Ansible.Anyone else have the same problem?What might be the cause?

1702

Welcome to the Red Hat Linux Automation with Ansible (RH294) group in the Red Hat Learning Community

cschunke

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Linux Automation with Ansible! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH294.Read more about Red Hat Linux Automation with Ansible here.

351

Revision: rh294-8.4-9cb53f0