FLASH 294

Question	Answer
parted (Create a new primary partition)	- parted: device: /dev/sdb number: 1 state: present
parted (Remove partition number 1)	- parted: device: /dev/sdb number: 1 state: absent
parted (Create a new primary partition with a size of 1GiB)	- parted: device: /dev/sdb number: 1 state: present part_end: 1GiB
parted (# Create a new primary partition for LVM )	- parted: device: /dev/sdb number: 2 flags: [ lvm ] state: present part_start: 1GiB
lvg (# Create a volume group on top of /dev/sda1 with physical extent size = 32MB.)	- lvg: vg: vg.services pvs: /dev/sda1 pesize: 32
lvg (# Remove a volume group with name vg.services.)	- lvg: vg: vg.services state: absent
lvol (Create a logical volume of 512m.)	- lvol: vg: firefly lv: test size: 512
lvol (# Create a logical volume of 512m with disks /dev/sda and /dev/sdb)	- lvol: vg: firefly lv: test size: 512 pvs: /dev/sda,/dev/sdb
lvol (# Create a logical volume of 512g.)	- lvol: vg: firefly lv: test size: 512g
filesystem (# Create a ext2 filesystem on /dev/sdb1.)	- filesystem: fstype: ext2 dev: /dev/sdb1
mount (Mount up device by label)	- mount: path: /srv/disk src: LABEL=SOME_LABEL fstype: ext4 state: present
mount (Mount up device by UUID)	- mount: path: /home src: UUID=b3e48f45-f933-4c8e-a700-22a159ec9077 fstype: xfs opts: noatime state: present
copy (Copy using inline content)	- copy: content: '# This file was moved to /etc/other.conf' dest: /etc/mine.conf
copy (Copy a "sudoers" file on the remote machine for editing)	- copy: src: /etc/sudoers dest: /etc/sudoers.edit remote_src: yes validate: /usr/sbin/visudo -csf %s
file (Change file ownership, group and permissions)	- file: path: /etc/foo.conf owner: foo group: foo mode: '0644'
file (Give insecure permissions to an existing file)	- file: path: /work owner: root group: root mode: '1777'
file (Create a symbolic link)	- file: src: /file/to/link/to dest: /path/to/symlink owner: foo group: foo state: link
file (Touch again the same file, but dont change times this makes the task idempotent)	- file: path: /etc/foo.conf state: touch mode: u+rw,g-wx,o-rwx modification_time: preserve access_time: preserve
file (Remove file (delete file) or directory )	- name: Remove file (delete file) or directory file: path: /etc/foo.txt state: absent
lineinfile (Validate the sudoers file before saving)	- lineinfile: path: /etc/sudoers state: present regexp: '^%ADMIN ALL=' line: '%ADMIN ALL=(ALL) NOPASSWD: ALL' validate: /usr/sbin/visudo -cf %s
lineinfile (Add a line to a file if the file does not exist, without passing regexp)	lineinfile: path: /tmp/testfile line: 192.168.1.99 foo.lab.net foo create: yes
lineinfile (Replace a localhost entry with our own)	- lineinfile: path: /etc/hosts regexp: '^127\.0\.0\.1' line: 127.0.0.1 localhost owner: root group: root mode: '0644'
lineinfile (Ensure SELinux is set to enforcing mode)	- lineinfile: path: /etc/selinux/config regexp: '^SELINUX=' line: SELINUX=enforcing
firewalld (Redirect port 443 to 8443 with Rich Rule)	- firewalld: rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443 zone: public permanent: yes immediate: yes state: enabled
firewalld (# Enable source zone 192.0.2.0/24 (internal) zone )	- firewalld: source: 192.0.2.0/24 zone: internal state: enabled
firewalld (# Enable HTTP DMZ zone)	- firewalld: zone: dmz service: http permanent: yes state: enabled
yum (Install a list of packages, nginx,postgresql postgresql-server )	- yum: name: - nginx - postgresql - postgresql-server state: present
yum (Download the nginx package but do not install it)	- yum: name: - nginx state: latest download_only: true
yum (Install Development Tools)	- yum: name: "@Development Tools" state: latest
yum (Install a list of package with variable (packages) and loop)	yum: name: "{{ item }}" state: latest loop: - "{{ packages }}"
yum_repository (Add repository)	- yum_repository: name: epel description: EPEL YUM repo baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
dnf (Uninstall httpd but keep its dependencies)	- dnf: name: httpd state: absent autoremove: no
systemd (just force systemd to reread configs)	- systemd: daemon_reload: yes
systemd (Star a list of packages and enbale it)	systemd: name: "{{ item }}" state: started enabled: true with_items: - "{{ web }}" - "{{ firewall }}
Implementing Handlers	- hosts: rhce tasks: - name: Copy file copy: src: fstype.yml dest: /tmp/ notify: - restart_apache handlers: - name: restart_apache systemd: name: httpd state: restarted
Tags	hosts: rhce tasks: - name: install httpd yum: name: httpd state: latest tags: webservers [root@ansible-master ansible]# ansible-playbook tags.yml --tags 'webservers'
Ignore Erros	- yum: name: notapkg state: latest ignore_errors: yes
Force execution of handlers	- hosts: all force_handlers: yes tasks: - yum: name: notapkg state: latest notify: restart_database handlers: - name: restart_database service: name: mariadb state: restarted
Ansible blocks and error handling	Image: Block (binary/octet-stream)
Configure VI VIM for YML	set ts=2 set sts=2 set sw=2 set expandtab syntax on filetype indent plugin on set ruler
What is ansible?	Ansible is an open source configuration management and orchestration utility. It can automate and standardize the configuration of remote hosts and virtual machines. Its orchestration functionality allows Ansible to coordinate the launch and graceful shutdown of multitiered applications. Because of this, Ansible can perform rolling updates of multiple systems in a way that results in zero downtime.
Static host inventory	[salem] oregon01.example.com oregon02.example.com
Install package - ADHOC	ansible rhce -b -m yum -a "name=httpd state=latest"
Start service - ADHOC	ansible node -m systemd -a "name=httpd state=started enabled=true"
Firewall rule - ADHOC	ansible node -m firewalld -a "service=http state=enabled immediate=true permanent=true"
Create user - ADHOC	ansible rhce -m user -a "user=luiz.eduardo group=wheel"
copy file - ADHOC	ansible rhce -m copy -a "src=index.html dest=/tmp/"
Create a file and a directory - ADHOC	ansible rhce -m file -a "path=/home/luiz.eduardo/secret state=touch owner=luiz.eduardo group=root"
Create a directory - ADHOC	ansible rhce -m file -a "path=/home/luiz.eduardo/secret3
Git Clone - ADHOC	ansible rhce -m git -a "repo=https://github.com/isweluiz/itsm.git dest=/tmp/itsm"
Print various ansible facts	Image: Debug Facts (binary/octet-stream)
replace (Alter authentication in ssh file)	- replace: path: /etc/ssh/sshd_config regexp: "#PubkeyAuthentication yes" replace: "PubkeyAuthentication yes" backup: true
privilege_escalation	hosts: datacenter remote_user: isweluiz become: yes become_method: sudo tasks:
Register variable debug	- file: path: /tmp/testFile state: touch register: var - name: display debug mensage debug: msg="Register output is {{ var }}"
template	- name: Information about the system template: src: templates/informations_host.j2 dest: /tmp/report.txt
sefcontext ( configure selinux context )	- sefcontext: target: '/webdev(/.*)?' setype: httpd_sys_content_t state: present - name: run restorecon command: restorecon -irv /webdev
authorized_key set-ssh key	tasks: - name: Transferencia de chaves SSH authorized_key: user: root state: present key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" validate_certs: false
additional paths to search for roles in, colon separated	roles_path = /etc/ansible/roles/
uncomment this to disable SSH key host checking	host_key_checking = False
private key file for authentication	private_key_file = /path/to/file
privilege_escalation	[privilege_escalation] #become=True #become_method=sudo #become_user=root #become_ask_pass=False
defaults	[defaults] inventory = /etc/ansible/hosts #remote_port = 22 roles_path = /etc/ansible/roles/ host_key_checking = False
descompress file from controller node	unarchive: src: projetos.tar.gz dest: /tmp/projetos/playbooks remote_src: no
upgrade all packages	yum: name: '*' state: latest
cron schedule	cron: name: schedule yum update minute: "20" hour: "12" month: "" weekday: "" user: root state: absent job: "yum -y update"
at (coppy http error log)	at: command: cp /tmp/testFile4 /opt/ count: 2 units: minutes
Check if HTTPD is installed	shell: cmd: rpm -q httpd register: httpd_status failed_when: httpd_status.rc == 1
unarchive Get SSL conf	unarchive: src: "{{ ssl_uri }}" dest: /etc/httpd/conf.d/ssl/ copy: no notify: restart_services
Create a index file	copy: content: " {{ ansible_fqdn }} ({{ ansible_default_ipv4['address'] }}) has been customized by Ansible\n" dest: /var/www/html/index.html
stat Verify if ssl.conf existis	- name: Verify if ssl.conf existis stat: path: /etc/httpd/conf.d/ssl.conf register: ssl_file - name: Rename ssl.conf file case it ssl.conf exist shell: cmd: mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak when: ssl_file.stat.exists
include	- include: configure_firewall.yml vars: fw_package: firewalld fw_service: firewalld tags: production
Ansible role subdirectories	defaults files handlers meta tasks templates tests vars
Using Ansible roles in a playbook	- hosts: remote.example.com roles: - role1 - role2
Ansible Galaxy	is a public library of Ansible roles written by a variety of Ansible administrators and users. It is an archive that contains thousands of Ansible roles and it has a searchable database that helps Ansible users identify roles that might help them accomplish an administrative task.
Ansible Galaxy - Commands	ansible-galaxy search postgresql ansible-galaxy list ansible-galaxy info ansible-galaxy install ansible-galaxy remove ansible-galaxy init apache ansible-galaxy search postgresql --author geerlingguy
The default directory for roles	ansible.cfg [defaults] roles_path = /etc/...
user: Create users on JBosseapServers	Image: B B8o0xe (image/png)
user Change user password	Image: J T Qji Pk (image/png)
Install roles galaxy	Image: W Ueob Ij (image/png)
Configuring parallelism	[root@ansible-master ~]# grep -i forks /etc/ansible/ansible.cfg #forks = 5
Running tasks in parallel	Image: Sd Jb Xd4 (image/png)
Ansible facts	Image: P9e C1 Xz (image/png)
Custom facts	Image: A556 O0 H (image/png)
include_vars	Image: Ny2b Ry5 (image/png)
fileservers	Image: Y Rd I For (image/png)
uri get url

parted (Create a new primary partition)

- parted: device: /dev/sdb number: 1 state: present

parted (Remove partition number 1)

- parted: device: /dev/sdb number: 1 state: absent

parted (Create a new primary partition with a size of 1GiB)

- parted: device: /dev/sdb number: 1 state: present part_end: 1GiB

parted (# Create a new primary partition for LVM )

- parted: device: /dev/sdb number: 2 flags: [ lvm ] state: present part_start: 1GiB

lvg (# Create a volume group on top of /dev/sda1 with physical extent size = 32MB.)

- lvg: vg: vg.services pvs: /dev/sda1 pesize: 32

lvg (# Remove a volume group with name vg.services.)

- lvg: vg: vg.services state: absent

lvol (Create a logical volume of 512m.)

- lvol: vg: firefly lv: test size: 512

lvol (# Create a logical volume of 512m with disks /dev/sda and /dev/sdb)

- lvol: vg: firefly lv: test size: 512 pvs: /dev/sda,/dev/sdb

lvol (# Create a logical volume of 512g.)

- lvol: vg: firefly lv: test size: 512g

filesystem (# Create a ext2 filesystem on /dev/sdb1.)

- filesystem: fstype: ext2 dev: /dev/sdb1

mount (Mount up device by label)

- mount: path: /srv/disk src: LABEL=SOME_LABEL fstype: ext4 state: present

mount (Mount up device by UUID)

- mount: path: /home src: UUID=b3e48f45-f933-4c8e-a700-22a159ec9077 fstype: xfs opts: noatime state: present

copy (Copy using inline content)

- copy: content: '# This file was moved to /etc/other.conf' dest: /etc/mine.conf

copy (Copy a "sudoers" file on the remote machine for editing)

- copy: src: /etc/sudoers dest: /etc/sudoers.edit remote_src: yes validate: /usr/sbin/visudo -csf %s

file (Change file ownership, group and permissions)

- file: path: /etc/foo.conf owner: foo group: foo mode: '0644'

file (Give insecure permissions to an existing file)

- file: path: /work owner: root group: root mode: '1777'

file (Create a symbolic link)

- file: src: /file/to/link/to dest: /path/to/symlink owner: foo group: foo state: link

file (Touch again the same file, but dont change times this makes the task idempotent)

- file: path: /etc/foo.conf state: touch mode: u+rw,g-wx,o-rwx modification_time: preserve access_time: preserve

file (Remove file (delete file) or directory )

- name: Remove file (delete file) or directory file: path: /etc/foo.txt state: absent

lineinfile (Validate the sudoers file before saving)

- lineinfile: path: /etc/sudoers state: present regexp: '^%ADMIN ALL=' line: '%ADMIN ALL=(ALL) NOPASSWD: ALL' validate: /usr/sbin/visudo -cf %s

lineinfile (Add a line to a file if the file does not exist, without passing regexp)

lineinfile: path: /tmp/testfile line: 192.168.1.99 foo.lab.net foo create: yes

lineinfile (Replace a localhost entry with our own)

- lineinfile: path: /etc/hosts regexp: '^127\.0\.0\.1' line: 127.0.0.1 localhost owner: root group: root mode: '0644'

lineinfile (Ensure SELinux is set to enforcing mode)

- lineinfile: path: /etc/selinux/config regexp: '^SELINUX=' line: SELINUX=enforcing

firewalld (Redirect port 443 to 8443 with Rich Rule)

- firewalld: rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443 zone: public permanent: yes immediate: yes state: enabled

firewalld (# Enable source zone 192.0.2.0/24 (internal) zone )

- firewalld: source: 192.0.2.0/24 zone: internal state: enabled

firewalld (# Enable HTTP DMZ zone)

- firewalld: zone: dmz service: http permanent: yes state: enabled

yum (Install a list of packages, nginx,postgresql postgresql-server )

- yum: name: - nginx - postgresql - postgresql-server state: present

yum (Download the nginx package but do not install it)

- yum: name: - nginx state: latest download_only: true

yum (Install Development Tools)

- yum: name: "@Development Tools" state: latest

yum (Install a list of package with variable (packages) and loop)

yum: name: "{{ item }}" state: latest loop: - "{{ packages }}"

yum_repository (Add repository)

- yum_repository: name: epel description: EPEL YUM repo baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/

dnf (Uninstall httpd but keep its dependencies)

- dnf: name: httpd state: absent autoremove: no

systemd (just force systemd to reread configs)

- systemd: daemon_reload: yes

systemd (Star a list of packages and enbale it)

systemd: name: "{{ item }}" state: started enabled: true with_items: - "{{ web }}" - "{{ firewall }}

Implementing Handlers

- hosts: rhce tasks: - name: Copy file copy: src: fstype.yml dest: /tmp/ notify: - restart_apache handlers: - name: restart_apache systemd: name: httpd state: restarted

Tags

hosts: rhce tasks: - name: install httpd yum: name: httpd state: latest tags: webservers [root@ansible-master ansible]# ansible-playbook tags.yml --tags 'webservers'

Ignore Erros

- yum: name: notapkg state: latest ignore_errors: yes

Force execution of handlers

- hosts: all force_handlers: yes tasks: - yum: name: notapkg state: latest notify: restart_database handlers: - name: restart_database service: name: mariadb state: restarted

Ansible blocks and error handling

Image: Block (binary/octet-stream)

Configure VI VIM for YML

set ts=2 set sts=2 set sw=2 set expandtab syntax on filetype indent plugin on set ruler

What is ansible?

Ansible is an open source configuration management and orchestration utility. It can automate and standardize the configuration of remote hosts and virtual machines. Its orchestration functionality allows Ansible to coordinate the launch and graceful shutdown of multitiered applications. Because of this, Ansible can perform rolling updates of multiple systems in a way that results in zero downtime.

Static host inventory

[salem] oregon01.example.com oregon02.example.com

Install package - ADHOC

ansible rhce -b -m yum -a "name=httpd state=latest"

Start service - ADHOC

ansible node -m systemd -a "name=httpd state=started enabled=true"

Firewall rule - ADHOC

ansible node -m firewalld -a "service=http state=enabled immediate=true permanent=true"

Create user - ADHOC

ansible rhce -m user -a "user=luiz.eduardo group=wheel"

copy file - ADHOC

ansible rhce -m copy -a "src=index.html dest=/tmp/"

Create a file and a directory - ADHOC

ansible rhce -m file -a "path=/home/luiz.eduardo/secret state=touch owner=luiz.eduardo group=root"

Create a directory - ADHOC

ansible rhce -m file -a "path=/home/luiz.eduardo/secret3

Git Clone - ADHOC

ansible rhce -m git -a "repo=https://github.com/isweluiz/itsm.git dest=/tmp/itsm"

Print various ansible facts

Image: Debug Facts (binary/octet-stream)

replace (Alter authentication in ssh file)

- replace: path: /etc/ssh/sshd_config regexp: "#PubkeyAuthentication yes" replace: "PubkeyAuthentication yes" backup: true

privilege_escalation

hosts: datacenter remote_user: isweluiz become: yes become_method: sudo tasks:

Register variable debug

- file: path: /tmp/testFile state: touch register: var - name: display debug mensage debug: msg="Register output is {{ var }}"

template

- name: Information about the system template: src: templates/informations_host.j2 dest: /tmp/report.txt

sefcontext ( configure selinux context )

- sefcontext: target: '/webdev(/.*)?' setype: httpd_sys_content_t state: present - name: run restorecon command: restorecon -irv /webdev

authorized_key set-ssh key

tasks: - name: Transferencia de chaves SSH authorized_key: user: root state: present key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" validate_certs: false

additional paths to search for roles in, colon separated

roles_path = /etc/ansible/roles/

uncomment this to disable SSH key host checking

host_key_checking = False

private key file for authentication

private_key_file = /path/to/file

privilege_escalation

[privilege_escalation] #become=True #become_method=sudo #become_user=root #become_ask_pass=False

defaults

[defaults] inventory = /etc/ansible/hosts #remote_port = 22 roles_path = /etc/ansible/roles/ host_key_checking = False

descompress file from controller node

unarchive: src: projetos.tar.gz dest: /tmp/projetos/playbooks remote_src: no

upgrade all packages

yum: name: '*' state: latest

cron schedule

cron: name: schedule yum update minute: "20" hour: "12" month: "*" weekday: "*" user: root state: absent job: "yum -y update"

at (coppy http error log)

at: command: cp /tmp/testFile4 /opt/ count: 2 units: minutes

Check if HTTPD is installed

shell: cmd: rpm -q httpd register: httpd_status failed_when: httpd_status.rc == 1

unarchive Get SSL conf

unarchive: src: "{{ ssl_uri }}" dest: /etc/httpd/conf.d/ssl/ copy: no notify: restart_services

Create a index file

copy: content: " {{ ansible_fqdn }} ({{ ansible_default_ipv4['address'] }}) has been customized by Ansible\n" dest: /var/www/html/index.html

stat Verify if ssl.conf existis

- name: Verify if ssl.conf existis stat: path: /etc/httpd/conf.d/ssl.conf register: ssl_file - name: Rename ssl.conf file case it ssl.conf exist shell: cmd: mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak when: ssl_file.stat.exists

include

- include: configure_firewall.yml vars: fw_package: firewalld fw_service: firewalld tags: production

Ansible role subdirectories

defaults files handlers meta tasks templates tests vars

Using Ansible roles in a playbook

- hosts: remote.example.com roles: - role1 - role2

Ansible Galaxy

is a public library of Ansible roles written by a variety of Ansible administrators and users. It is an archive that contains thousands of Ansible roles and it has a searchable database that helps Ansible users identify roles that might help them accomplish an administrative task.

Ansible Galaxy - Commands

ansible-galaxy search postgresql ansible-galaxy list ansible-galaxy info ansible-galaxy install ansible-galaxy remove ansible-galaxy init apache ansible-galaxy search postgresql --author geerlingguy

The default directory for roles

ansible.cfg [defaults] roles_path = /etc/...

user: Create users on JBosseapServers

Image: B B8o0xe (image/png)

user Change user password

Image: J T Qji Pk (image/png)

Install roles galaxy

Image: W Ueob Ij (image/png)

Configuring parallelism

[root@ansible-master ~]# grep -i forks /etc/ansible/ansible.cfg #forks = 5

Running tasks in parallel

Image: Sd Jb Xd4 (image/png)