Red Hat Enterprise Linux Automation with Ansible
Performance Checklist
In this lab, you will write and run an Ansible Playbook that uses variables, secrets, and facts.
Outcomes
You should be able to define variables and use facts in a playbook, as well as use variables defined in an encrypted file.
Log in to workstation as student using student as the password.
The files subdirectory contains:
A
httpd.confconfiguration file for the Apache web service for basic authenticationA
.htaccessfile, used to control access to the web server's document root directoryA
htpasswdfile containing credentials for permitted users
[student@workstation ~]$lab data-review start
Procedure 3.4. Instructions
In the working directory, create the
playbook.ymlplaybook and add thewebserverhost group as the managed host. Define the following play variables:Table 3.5. Variables
Variable Values firewall_pkgfirewalldfirewall_svcfirewalldweb_pkghttpdweb_svchttpdssl_pkgmod_sslhttpdconf_srcfiles/httpd.confhttpdconf_dest/etc/httpd/conf/httpd.confhtaccess_srcfiles/.htaccesssecrets_dir/etc/httpd/secretssecrets_srcfiles/htpasswdsecrets_dest"{{ secrets_dir }}/htpasswd"web_root/var/www/htmlChange to the
/home/student/data-reviewworking directory.[student@workstation ~]$cd ~/data-review[student@workstation data-review]$Create the
playbook.ymlplaybook file and edit it in a text editor. The beginning of the file should appear as follows:--- - name: install and configure webserver with basic auth hosts: webserver vars: firewall_pkg: firewalld firewall_svc: firewalld web_pkg: httpd web_svc: httpd ssl_pkg: mod_ssl httpdconf_src: files/httpd.conf httpdconf_dest: /etc/httpd/conf/httpd.conf htaccess_src: files/.htaccess secrets_dir: /etc/httpd/secrets secrets_src: files/htpasswd secrets_dest: "{{ secrets_dir }}/htpasswd" web_root: /var/www/html
Add a
taskssection to the play. Write a task that ensures the latest version of the necessary packages are installed. These packages are defined by thefirewall_pkg,web_pkg, andssl_pkgvariables.Define the beginning of the
taskssection by adding the following line to the playbook:tasks:
Add the following lines to the playbook to define a task that uses the
yummodule to install the required packages.- name: latest version of necessary packages installed yum: name: - "{{ firewall_pkg }}" - "{{ web_pkg }}" - "{{ ssl_pkg }}" state: latest
Add a second task to the playbook that ensures that the file specified by the
httpdconf_srcvariable has been copied (with thecopymodule) to the location specified by thehttpdconf_destvariable on the managed host. The file should be owned by therootuser and therootgroup. Also set 0644 as the file permissions.Add the following lines to the playbook to define a task that uses the
copymodule to copy the contents of the file defined by thehttpdconf_srcvariable to the location specified by thehttpdconf_destvariable.- name: configure web service copy: src: "{{ httpdconf_src }}" dest: "{{ httpdconf_dest }}" owner: root group: root mode: 0644Add a third task that uses the
filemodule to create the directory specified by thesecrets_dirvariable on the managed host. This directory holds the password files used for the basic authentication of web services. The file should be owned by theapacheuser and theapachegroup. Set 0500 as the file permissions.Add a fourth task that uses the
copymodule to place a htpasswd file, used for basic authentication of web users. The source should be defined by thesecrets_srcvariable. The destination should be defined by thesecrets_destvariable. The file should be owned by theapacheuser and group. Set0400as the file permissions.Add a fifth task that uses the
copymodule to create a.htaccessfile in the document root directory of the web server. Copy the file specified by thehtaccess_srcvariable to{{ web_root }}/.htaccess. The file should be owned by theapacheuser and theapachegroup. Set 0400 as the file permissions.Add the following lines to the playbook to define a task which uses the
copymodule to create the.htaccessfile using the file defined by thehtaccess_srcvariable.- name: .htaccess file installed in docroot copy: src: "{{ htaccess_src }}" dest: "{{ web_root }}/.htaccess" owner: apache group: apache mode: 0400Add a sixth task that uses the
copymodule to create the web content fileindex.htmlin the directory specified by theweb_rootvariable. The file should contain the message "HOSTNAME (IPADDRESS) has been customized by Ansible.", whereHOSTNAMEis the fully-qualified host name of the managed host andIPADDRESSis its IPv4 IP address. Use thecontentoption to thecopymodule to specify the content of the file, and Ansible facts to specify the host name and IP address.Add the following lines to the playbook to define a task that uses the
copymodule to create theindex.htmlfile in the directory defined by theweb_rootvariable. Populate the file with the content specified using theansible_facts['fqdn']andansible_facts['default_ipv4']['address']Ansible facts retrieved from the managed host.- name: create index.html copy: content: "{{ ansible_facts['fqdn'] }} ({{ ansible_facts['default_ipv4']['address'] }}) has been customized by Ansible.\n" dest: "{{ web_root }}/index.html"Add a seventh task that uses the
servicemodule to enable and start the firewall service on the managed host.Add an eighth task that uses the
firewalldmodule to allow thehttpsservice needed for users to access web services on the managed host. This firewall change should be permanent and should take place immediately.Add a final task that uses the
servicemodule to enable and start the web service on the managed host for all configuration changes to take effect. The name of the web service is defined by theweb_svcvariable.Define a second play targeted at
localhostwhich will test authentication to the web server. It does not need privilege escalation. Define a variable namedweb_userwith the valueguest.Add the following line to define the start of a second play. Note that there is no indentation.
- name: test web server with basic auth
Add the following line to indicate that the play applies to the
localhostmanaged host.hosts: localhost
Add the following line to disable privilege escalation.
become: no
Add the following lines to define a variables list and the
web_uservariable.vars: web_user: guest
Add a directive to the play that adds additional variables from a variable file named
vars/secret.yml. This file contains a variable namedweb_passthat specifies the password for the web user. You will create this file later in the lab.Define the start of the task list.
Add two tasks to the second play.
The first uses the
urimodule to request content fromhttps://serverb.lab.example.comusing basic authentication. Use theweb_userandweb_passvariables to authenticate to the web server. Note that the certificate presented byserverbwill not be trusted, so you will need to avoid certificate validation. The task should verify a return HTTP status code of200. Configure the task to place the returned content in the task results variable. Register the task result in a variable.The second task uses the
debugmodule to print the content returned from the web server.Add the following lines to create the task for verifying the web service from the control node. Be sure to indent the first line with four spaces.
- name: connect to web server with basic auth uri: url: https://serverb.lab.example.com validate_certs: no force_basic_auth: yes user: "{{ web_user }}" password: "{{ web_pass }}" return_content: yes status_code: 200 register: auth_testCreate the second task using the debug module. The content returned from the web server is added to the registered variable as the key
content.- debug: var: auth_test.contentThe completed playbook should appear as follows:
--- - name: install and configure webserver with basic auth hosts: webserver vars: firewall_pkg: firewalld firewall_svc: firewalld web_pkg: httpd web_svc: httpd ssl_pkg: mod_ssl httpdconf_src: files/httpd.conf httpdconf_dest: /etc/httpd/conf/httpd.conf htaccess_src: files/.htaccess secrets_dir: /etc/httpd/secrets secrets_src: files/htpasswd secrets_dest: "{{ secrets_dir }}/htpasswd" web_root: /var/www/html tasks: - name: latest version of necessary packages installed yum: name: - "{{ firewall_pkg }}" - "{{ web_pkg }}" - "{{ ssl_pkg }}" state: latest - name: configure web service copy: src: "{{ httpdconf_src }}" dest: "{{ httpdconf_dest }}" owner: root group: root mode: 0644 - name: secrets directory exists file: path: "{{ secrets_dir }}" state: directory owner: apache group: apache mode: 0500 - name: htpasswd file exists copy: src: "{{ secrets_src }}" dest: "{{ secrets_dest }}" owner: apache group: apache mode: 0400 - name: .htaccess file installed in docroot copy: src: "{{ htaccess_src }}" dest: "{{ web_root }}/.htaccess" owner: apache group: apache mode: 0400 - name: create index.html copy: content: "{{ ansible_facts['fqdn'] }} ({{ ansible_facts['default_ipv4']['address'] }}) has been customized by Ansible.\n" dest: "{{ web_root }}/index.html" - name: firewall service enable and started service: name: "{{ firewall_svc }}" state: started enabled: true - name: open the port for the web server firewalld: service: https state: enabled immediate: true permanent: true - name: web service enabled and started service: name: "{{ web_svc }}" state: started enabled: true - name: test web server with basic auth hosts: localhost become: no vars: - web_user: guest vars_files: - vars/secret.yml tasks: - name: connect to web server with basic auth uri: url: https://serverb.lab.example.com validate_certs: no force_basic_auth: yes user: "{{ web_user }}" password: "{{ web_pass }}" return_content: yes status_code: 200 register: auth_test - debug: var: auth_test.contentSave and close the
playbook.ymlfile.
Create a file encrypted with Ansible Vault, named
vars/secret.yml. Use the passwordredhatto encrypt it. It should set theweb_passvariable toredhat, which will be the web user's password.Create a subdirectory named
varsin the working directory.[student@workstation data-review]$mkdir varsCreate the encrypted variable file,
vars/secret.yml, using Ansible Vault. Set the password for the encrypted file toredhat.[student@workstation data-review]$ansible-vault create vars/secret.ymlNew Vault password:redhatConfirm New Vault password:redhatAdd the following variable definition to the file.
web_pass: redhat
Save and close the file.
Run the
playbook.ymlplaybook. Verify that content is successfully returned from the web server, and that it matches what was configured in an earlier task.Before running the playbook, verify that its syntax is correct by running
ansible-playbook --syntax-check. Use the--ask-vault-passto be prompted for the vault password. Enterredhatwhen prompted for the password. If it reports any errors, correct them before moving to the next step. You should see output similar to the following:[student@workstation data-review]$ansible-playbook --syntax-check \>--ask-vault-pass playbook.ymlVault password:redhatplaybook: playbook.ymlUsing the
ansible-playbookcommand, run the playbook with the--ask-vault-passoption. Enterredhatwhen prompted for the password.[student@workstation data-review]$ansible-playbook playbook.yml --ask-vault-passVault password:redhatPLAY [Install and configure webserver with basic auth] ********************* ...output omitted... TASK [connect to web server with basic auth] *********************************** ok: [localhost] TASK [debug] ******************************************************************* ok: [localhost] => { "auth_test.content": "serverb.lab.example.com (172.25.250.11) has been customized by Ansible.\n" } PLAY RECAP ********************************************************************* localhost : ok=3 changed=0 unreachable=0 failed=0 serverb.lab.example.com : ok=10 changed=8 unreachable=0 failed=0
