
Lab: Troubleshooting Ansible

In this lab, you troubleshoot problems that occur when you try to run a playbook that has been provided to you.

Outcomes

  • Troubleshoot playbooks.

  • Troubleshoot managed hosts.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start troubleshoot-review

This command ensures that Ansible is installed on the workstation machine. It also creates the /home/student/troubleshoot-review/ directory and populates it with the ansible.cfg, inventory, index.html, secure-web.yml, and vhosts.conf files.

Procedure 8.3. Instructions

In the /home/student/troubleshoot-review directory, there is a playbook named secure-web.yml. This playbook contains one play that is supposed to set up Apache HTTPD with TLS/SSL for hosts in the webservers group. The serverb.lab.example.com node is supposed to be the only host in the webservers group right now. Ansible can connect to that host using the remote devops account and SSH keys that have already been set up. That user can also become root on the managed host without a sudo password.

Unfortunately, several problems exist that you need to fix before you can run the playbook successfully.

  1. From the /home/student/troubleshoot-review directory, validate the syntax of the secure-web.yml playbook. Fix the issue that is reported.

    1. Change into the /home/student/troubleshoot-review directory.

      [student@workstation ~]$ cd ~/troubleshoot-review/
      [student@workstation troubleshoot-review]$
    2. Validate the syntax of the secure-web.yml playbook. This playbook sets up Apache HTTPD with TLS/SSL for hosts in the webservers group when everything is correct.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml --syntax-check
      ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
      JSON: Expecting value: line 1 column 1 (char 0)
      
      Syntax Error while loading YAML.
        mapping values are not allowed in this context
      
      The error appears to be in '/home/student/troubleshoot-review/secure-web.yml': line 7, column 30, but may be elsewhere in the file depending on the exact syntax problem.
      
      The offending line appears to be:
      
        vars:
          random_var: This is colon: test
                                   ^ here
    3. YAML reads a colon followed by a space as a key/value separator, so a variable value that contains one must be protected by quoting the string. Correct the syntax issue in the definition of the random_var variable by adding double quotation marks to the This is colon: test string. The resulting change should appear as follows:

      ...output omitted...
        vars:
          random_var: "This is colon: test"
      ...output omitted...
  2. Validate the syntax of the secure-web.yml playbook again. It still has a problem. Fix the issue that is reported.

    1. Validate the syntax of secure-web.yml using ansible-navigator run -m stdout --syntax-check again.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml --syntax-check
      ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
      JSON: Expecting value: line 1 column 1 (char 0)
      
      Syntax Error while loading YAML.
        did not find expected '-' indicator
      
      The error appears to be in '/home/student/troubleshoot-review/secure-web.yml': line 38, column 10, but may be elsewhere in the file depending on the exact syntax problem.
      
      The offending line appears to be:
      
      
               - name: Start and enable web services
               ^ here
    2. Correct the indentation. Remove the extra space at the beginning of each line of the Start and enable web services task. The resulting change should appear as follows:

      ...output omitted...
                args:
                  creates: /etc/pki/tls/certs/serverb.lab.example.com.crt
      
              - name: Start and enable web services
                ansible.builtin.service:
                  name: httpd
                  state: started
                  enabled: yes
      
              - name: Deliver content
                ansible.builtin.copy:
                  dest: /var/www/vhosts/serverb-secure
                  src: html/
      ...output omitted...
  3. Validate the syntax of the secure-web.yml playbook again. Another problem is detected. Fix the issue that is reported.

    1. Validate the syntax of the secure-web.yml playbook.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml --syntax-check
      ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
      JSON: Expecting value: line 1 column 1 (char 0)
      
      Syntax Error while loading YAML.
        found unacceptable key (unhashable type: 'AnsibleMapping')
      
      The error appears to be in '/home/student/troubleshoot-review/secure-web.yml': line 13, column 20, but may
      be elsewhere in the file depending on the exact syntax problem.
      
      The offending line appears to be:
      
                ansible.builtin.dnf:
                  name: {{ item }}
                         ^ here
      We could be wrong, but this one looks like it might be an issue with
      missing quotes. Always quote template expression brackets when they
      start a value. For instance:
      
          with_items:
            - {{ foo }}
      
      Should be written as:
      
          with_items:
            - "{{ foo }}"
    2. Correct the item variable in the Install web server packages task. YAML treats a brace at the start of an unquoted value as the beginning of an inline mapping, so a value that starts with braces must be protected by double quotation marks. Add double quotation marks to {{ item }}. The resulting change should appear as follows:

      ...output omitted...
              - name: Install web server packages
                ansible.builtin.dnf:
                  name: "{{ item }}"
                  state: latest
                notify:
                  - Restart services
                loop:
                  - httpd
                  - mod_ssl
      ...output omitted...
  4. Validate the syntax of the secure-web.yml playbook a fourth time. It should not show any syntax errors.

    1. Review the syntax of the secure-web.yml playbook. It should not show any syntax errors.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml --syntax-check
      playbook: /home/student/troubleshoot-review/secure-web.yml
  5. Run the secure-web.yml playbook. Ansible is not able to connect to the serverb.lab.example.com host. Two problems prevent a successful connection. Fix both problems.

    Important

    If you resolve these issues without looking at the solution, you might fix both issues at the same time, or in a different order from the one shown in the solution.

    1. Run the secure-web.yml playbook. This fails with an error.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml
      
      PLAY [Create secure web service] ***********************************************
      
      TASK [Gathering Facts] *********************************************************
      fatal: [serverb.lab.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: students@serverc.lab.example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", "unreachable": true}
      
      PLAY RECAP *********************************************************************
      serverb.lab.example.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
      Please review the log for errors.

      For some reason, when ansible-navigator tried to connect to the serverb.lab.example.com host, it instead attempted to connect to the serverc.lab.example.com host as the students user.

    2. Run the secure-web.yml playbook again, adding the -vvv parameter to increase the verbosity of the debug output.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml -vvv
      ...output omitted...
      TASK [Gathering Facts] *********************************************************
      task path: /home/student/troubleshoot-review/secure-web.yml:3
      <serverc.lab.example.com> ESTABLISH SSH CONNECTION FOR USER: students
      <serverc.lab.example.com> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="students"' -o ConnectTimeout=10 -o 'ControlPath="/home/runner/.ansible/cp/bc0c05136a"' serverc.lab.example.com '/bin/sh -c '"'"'echo ~students && sleep 0'"'"''
      <serverc.lab.example.com> (255, b'', b'students@serverc.lab.example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n')
      ...output omitted...

      You can identify two problems from the verbose debug output.

      • The ansible-navigator command is attempting to connect as the students user, when it should be using devops as the user.

      • The ansible-navigator command is attempting to connect to the serverc.lab.example.com host instead of the serverb.lab.example.com host.

    3. Inspect the inventory file. It sets an ansible_host host variable that causes connections for the serverb.lab.example.com managed host to be incorrectly directed to the serverc.lab.example.com managed host.

      Delete the ansible_host host variable so that the file has the following contents:

      [webservers]
      serverb.lab.example.com
    4. Edit the secure-web.yml playbook to ensure that devops is the remote_user for the play. The first lines of the playbook should appear as follows:

      ---
      # start of secure web server playbook
      - name: Create secure web service
        hosts: webservers
        remote_user: devops
      ...output omitted...
  6. Run the secure-web.yml playbook again. The connection to the serverb.lab.example.com host works now, but there is a new issue. Fix the issue that is reported.

    1. Run the secure-web.yml playbook, adding the -vvv parameter to increase the verbosity of the debug output.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml -vvv
      ...output omitted...
      failed: [serverb.lab.example.com] (item=mod_ssl) => {
          "ansible_loop_var": "item",
          "changed": false,
      ...output omitted...
          },
          "item": "mod_ssl",
          "msg": "This command has to be run under the root user.",
          "results": []
      }
      ...output omitted...

      The play is not being run with privilege escalation.

    2. Edit the play so that it sets become: true. The resulting change should appear as follows:

      ---
      # start of secure web server playbook
      - name: Create secure web service
        hosts: webservers
        remote_user: devops
        become: true
      ...output omitted...
  7. Run the secure-web.yml playbook one more time. It should complete successfully. Use an ad hoc command to verify that the httpd service is running on the serverb.lab.example.com host.

    1. Run the secure-web.yml playbook.

      [student@workstation troubleshoot-review]$ ansible-navigator run \
      > -m stdout secure-web.yml
      
      PLAY [Create secure web service] ***********************************************
      ...output omitted...
      
      TASK [Install web server packages] *********************************************
      ok: [serverb.lab.example.com] => (item=httpd)
      ok: [serverb.lab.example.com] => (item=mod_ssl)
      ...output omitted...
      
      TASK [Httpd_conf_syntax variable] **********************************************
      ok: [serverb.lab.example.com] => {
          "msg": "The httpd_conf_syntax variable value is {'changed': True, 'stdout': '', 'stderr': 'Syntax OK', 'rc': 0, 'cmd': ['/sbin/httpd', '-t'], 'start': '2022-07-14 17:39:51.096013', 'end': '2022-07-14 17:39:51.134925', 'delta': '0:00:00.038912', 'msg': '', 'stdout_lines': [], 'stderr_lines': ['Syntax OK'], 'failed': False, 'failed_when_result': False}"
      }
      ...output omitted...
      
      RUNNING HANDLER [Restart services] *********************************************
      changed: [serverb.lab.example.com]
      
      PLAY RECAP *********************************************************************
      serverb.lab.example.com    : ok=11   changed=7    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    2. Use an ad hoc command to determine the state of the httpd service on managed hosts in the webservers host group. The httpd service should now be running on the serverb.lab.example.com host.

      [student@workstation troubleshoot-review]$ ansible webservers -u devops -b \
      > -m command -a 'systemctl status httpd'
      serverb.lab.example.com | CHANGED | rc=0 >>
      ● httpd.service - The Apache HTTP Server
           Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
           Active: active (running) since Thu 2022-07-14 17:39:53 EDT; 3min 11s
      ...output omitted...
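
The inventory fault from step 5 passes --syntax-check and only surfaces when the connection fails. The following added example (not part of the original lab) scans an INI inventory for host or group variables that change the connection target or user; the sample inventory is constructed, and audit_inventory is a hypothetical helper name.

```python
import shlex

# Inventory variables that change where, or as whom, Ansible connects.
CONNECTION_VARS = ("ansible_host", "ansible_user", "ansible_port")

# Constructed sample: the lab describes the faulty inventory but does not show it;
# the second group and its names are invented for illustration.
SAMPLE_INVENTORY = """\
[webservers]
serverb.lab.example.com ansible_host=serverc.lab.example.com

[constructed_group]
hosta.example.test ansible_host=hosta.example.test

[constructed_group:vars]
ansible_user = deploy
"""

def audit_inventory(text):
    """Return (section, name, variable, value) for each connection override."""
    findings = []
    section = "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section.endswith(":children"):
            continue  # child group names carry no variables
        if section.endswith(":vars"):
            # Group variables: one "key = value" per line, applied to the group.
            name, tokens = section.split(":")[0], [line.replace(" ", "")]
        else:
            # Host line: inventory name followed by key=value host variables.
            name, *tokens = shlex.split(line)
        for token in tokens:
            key, sep, value = token.partition("=")
            if not sep or key not in CONNECTION_VARS:
                continue
            if key == "ansible_host" and value == name:
                continue  # same target as the inventory name, nothing redirected
            findings.append((section, name, key, value))
    return findings

if __name__ == "__main__":
    for section, name, key, value in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{section}] {name}: {key}={value}")
```

Run against the corrected inventory from step 5, the function returns an empty list.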

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade troubleshoot-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish troubleshoot-review

This concludes the section.

Revision: rh294-9.0-c95c7de