RHCE role practice questions
1. Use RHEL system roles
Install the RHEL system role package and create a playbook /home/student/ansible/timesync.yml with the following conditions:
Run on all managed nodes
Use the timesync role
Configure the role to use the currently valid NTP provider
Configure the role to use the time server classroom.example.com
Configure the role to enable the iburst parameter
[student@ansible ansible]$ sudo dnf -y install rhel-system-roles-1.7.3-2.el8.noarch
[student@ansible ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.timesync/ /home/student/ansible/roles/timesync
[student@ansible ansible]$ vim timesync.yml
---
- name: test
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: classroom.example.com
        iburst: yes
  roles:
    - timesync
[student@ansible ansible]$ ansible-playbook timesync.yml

PLAY [test] ********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [node1]
ok: [node3]
ok: [node2]

TASK [timesync : Set version specific variables] *******************************
ok: [node3]
ok: [node1]
ok: [node2]

TASK [timesync : Populate service facts] ***************************************
ok: [node3]
ok: [node2]
ok: [node1]

TASK [Set variable `timesync_services` with filtered uniq service names] *******
ok: [node1]
ok: [node2]
ok: [node3]

TASK [Check that variable 'timesync_services' is defined] **********************
ok: [node1] => {
    "changed": false,
    "msg": "All assertions passed"
}
ok: [node2] => {
    "changed": false,
    "msg": "All assertions passed"
}
ok: [node3] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [timesync : Check if only NTP is needed] **********************************
ok: [node1]
ok: [node2]
ok: [node3]

TASK [timesync : Check if single PTP is needed] ********************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Check if both NTP and PTP are needed] *************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Determine current NTP provider] *******************************
ok: [node1]
ok: [node3]
ok: [node2]

TASK [timesync : Select NTP provider] ******************************************
ok: [node1]
ok: [node2]
ok: [node3]

TASK [timesync : Install chrony] ***********************************************
ok: [node3]
ok: [node2]
ok: [node1]

TASK [timesync : Install ntp] **************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Install linuxptp] *********************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Gather package facts] *****************************************
ok: [node1]
ok: [node3]
ok: [node2]

TASK [timesync : Run phc_ctl on PTP interface] *********************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Check if PTP interface supports HW timestamping] **************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Generate chrony.conf file] ************************************
changed: [node2]
changed: [node1]
changed: [node3]

TASK [timesync : Generate chronyd sysconfig file] ******************************
changed: [node1]
changed: [node2]
changed: [node3]

TASK [timesync : Generate ntp.conf file] ***************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Generate ntpd sysconfig file] *********************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Generate ptp4l.conf file] *************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Generate ptp4l sysconfig file] ********************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Generate phc2sys sysconfig file] ******************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Generate timemaster.conf file] ********************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Update network sysconfig file] ********************************
changed: [node1]
changed: [node2]
changed: [node3]

TASK [timesync : Disable chronyd] **********************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Disable ntpd] *************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Disable ntpdate] **********************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Disable sntp] *************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Disable ptp4l] ************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Disable phc2sys] **********************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Disable timemaster] *******************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Enable chronyd] ***********************************************
ok: [node3]
ok: [node1]
changed: [node2]

TASK [timesync : Enable ntpd] **************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Enable ptp4l] *************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Enable phc2sys] ***********************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [timesync : Enable timemaster] ********************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

RUNNING HANDLER [timesync : restart chronyd] ***********************************
changed: [node2]
changed: [node3]
changed: [node1]

PLAY RECAP *********************************************************************
node1 : ok=15 changed=4 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
node2 : ok=15 changed=5 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
node3 : ok=15 changed=4 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
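A follow-up play that checks the result on every node instead of relying on the "changed" lines in the run output. It is an added example, not part of the original answer. It assumes the role wrote the server line to /etc/chrony.conf (the default path on RHEL 8) and that the service unit is chronyd.service; the file name verify_timesync.yml is hypothetical.

```yaml
# verify_timesync.yml (hypothetical file name; added example)
---
- name: verify timesync result
  hosts: all
  tasks:
    - name: read the generated chrony configuration
      slurp:
        src: /etc/chrony.conf        # assumed default path on RHEL 8
      register: chrony_conf

    - name: time server must be configured with iburst
      assert:
        that:
          # [.] stands for a literal dot, so no backslashes are needed
          # inside the Jinja2 string
          - >-
            (chrony_conf.content | b64decode).splitlines()
            | select('match', '^server +classroom[.]example[.]com( .*)? iburst( |$)')
            | list | length > 0
        fail_msg: "no 'server classroom.example.com ... iburst' line in /etc/chrony.conf"

    - name: gather service state
      service_facts:

    - name: chronyd must be running and enabled at boot
      assert:
        that:
          - ansible_facts.services['chronyd.service'].state == 'running'
          - ansible_facts.services['chronyd.service'].status == 'enabled'
        fail_msg: "chronyd is not running or not enabled on {{ inventory_hostname }}"
```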
2. Use the selinux role
Configure this role and write a playbook, selinux.yml, that enables SELinux on all managed nodes
[student@ansible ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.selinux/ /home/student/ansible/roles/selinux
[student@ansible ansible]$ cat selinux.yml
---
- hosts: all
  vars:
    selinux_state: enforcing
  tasks:
    - name: selinux
      block:
        - include_role:
            name: selinux
      rescue:
        - name: failed reason require reboot
          fail:
          when: not selinux_reboot_required
        - name: reboot
          reboot:
        - name: config selinux
          include_role:
            name: selinux
[student@ansible ansible]$ ansible-playbook selinux.yml

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [node1]
ok: [node2]
ok: [node3]

TASK [include_role : selinux] **************************************************

TASK [selinux : Install SELinux python2 tools] *********************************
skipping: [node3]
skipping: [node1]
skipping: [node2]

TASK [selinux : Install SELinux python3 tools] *********************************
ok: [node3]
ok: [node2]
ok: [node1]

TASK [selinux : refresh facts] *************************************************
ok: [node2]
ok: [node3]
ok: [node1]

TASK [selinux : Install SELinux tool semanage] *********************************
ok: [node2]
ok: [node3]
ok: [node1]

TASK [selinux : Set permanent SELinux state if enabled] ************************
ok: [node2]
ok: [node3]
ok: [node1]

TASK [selinux : Set permanent SELinux state if disabled] ***********************
skipping: [node3]
skipping: [node1]
skipping: [node2]

TASK [selinux : Set ansible facts if needed] ***********************************
ok: [node1]
ok: [node2]
ok: [node3]

TASK [selinux : Fail if reboot is required] ************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [selinux : debug] *********************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [selinux : Drop all local modifications] **********************************
skipping: [node3]
skipping: [node1]
skipping: [node2]

TASK [selinux : Purge all SELinux boolean local modifications] *****************
skipping: [node2]
skipping: [node3]
skipping: [node1]

TASK [selinux : Purge all SELinux file context local modifications] ************
skipping: [node2]
skipping: [node1]
skipping: [node3]

TASK [selinux : Purge all SELinux port local modifications] ********************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [selinux : Purge all SELinux login local modifications] *******************
skipping: [node1]
skipping: [node2]
skipping: [node3]

TASK [selinux : Set SELinux booleans] ******************************************

TASK [selinux : Set SELinux file contexts] *************************************

TASK [selinux : Restore SELinux labels on filesystem tree] *********************

TASK [selinux : Restore SELinux labels on filesystem tree in check mode] *******

TASK [selinux : Set an SELinux label on a port] ********************************

TASK [selinux : Set linux user to SELinux user mapping] ************************

TASK [selinux : Get SELinux modules facts] *************************************
ok: [node2]
ok: [node3]
ok: [node1]

TASK [selinux : include_tasks] *************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]

PLAY RECAP *********************************************************************
node1 : ok=7 changed=0 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0
node2 : ok=7 changed=0 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0
node3 : ok=7 changed=0 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0

//View managed host status
[root@node1 ~]# getenforce 0
Enforcing
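getenforce on one node shows only the runtime mode of that node. The play below, an added example that is not part of the original answer, checks every managed node and also checks the mode stored in /etc/selinux/config, which is what applies after a reboot. The file name verify_selinux.yml is hypothetical; the selinux fact is only populated when the SELinux Python bindings are present on the node, which the role run above installs.

```yaml
# verify_selinux.yml (hypothetical file name; added example)
---
- name: verify SELinux state on all managed nodes
  hosts: all
  tasks:
    - name: SELinux must be enforcing now and after the next boot
      assert:
        that:
          - ansible_facts.selinux.status == 'enabled'
          # runtime mode, the value getenforce reports
          - ansible_facts.selinux.mode | default('') == 'enforcing'
          # mode written to /etc/selinux/config, applied at boot
          - ansible_facts.selinux.config_mode | default('') == 'enforcing'
        fail_msg: >-
          {{ inventory_hostname }}:
          status={{ ansible_facts.selinux.status }},
          mode={{ ansible_facts.selinux.mode | default('n/a') }},
          config_mode={{ ansible_facts.selinux.config_mode | default('n/a') }}
        success_msg: "{{ inventory_hostname }} is enforcing at runtime and in the config file"
```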
3. Install roles using Ansible Galaxy
Using Ansible Galaxy and the requirements file /home/student/ansible/roles/requirements.yml, download roles from the following URLs and install them to /home/student/ansible/roles:
http://content.example.com/haproxy.tar.gz The name of this role should be balancer
http://content.example.com/phpinfo.tar.gz The name of this role should be phpinfo
//Define the path to install roles
[student@ansible ansible]$ cd roles/
[student@ansible roles]$ vim test.yml
---
- name: balancer
  src: file:///home/student/haproxy.tar.gz
- name: phpinfo
  src: file:///home/student/phpinfo.tar.gz
[student@ansible ansible]$ ansible-galaxy install -r /home/student/ansible/roles/test.yml -p /home/student/ansible/roles/
- balancer is already installed, skipping.
- downloading role from file:///home/student/phpinfo.tar.gz
- extracting phpinfo to /home/student/ansible/roles/phpinfo
- phpinfo was installed successfully
[student@ansible ansible]$ cd roles/
[student@ansible roles]$ ls
balancer selinux timesync phpinfo test.yml
4. Create and use roles
Create a role named apache in /home/student/ansible/roles with the following requirements:
The httpd package is installed, and the service is started and enabled at system boot
The firewall is enabled and running, with a rule that allows access to the Web server
An existing template file index.html.j2 is used to create the file /var/www/html/index.html with the following output:
Welcome to HOSTNAME on IPADDRESS
where HOSTNAME is the fully qualified domain name of the managed node and IPADDRESS is the IP address of the managed node.
Create a playbook /home/student/ansible/newrole.yml that uses this role as described below:
The playbook runs on hosts in the webservers host group
[student@ansible roles]$ ansible-galaxy init apache
- Role apache was created successfully
[student@ansible roles]$ ls
apache phpinfo test.yml balancer selinux timesync
[student@ansible roles]$ cd apache/templates/
[student@ansible templates]$ vim index.html.j2
Welcome to {{ansible_fqdn}} on {{ansible_ens160.ipv4.address}}
[student@ansible apache]$ cat tasks/main.yml
---
# tasks file for apache
- name: mount cdrom
  mount:
    src: /dev/cdrom
    path: /mnt
    fstype: iso9660
    state: mounted

# Local ISO repositories for the lab; gpgcheck: no turns off package signature verification.
- name: repo1
  yum_repository:
    file: server
    name: BaseOS
    description: CtenOS8
    baseurl: file:///mnt/BaseOS
    enabled: yes
    gpgcheck: no

- name: repo2
  yum_repository:
    file: server
    name: AppStream
    description: CtenOS8
    baseurl: file:///mnt/AppStream
    enabled: yes
    gpgcheck: no

- name: install httpd
  dnf:
    name:
      - httpd
      - firewalld
    state: present

- name: cp file
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
  # must match the handler name in handlers/main.yml exactly
  notify:
    - restart httpd

- name: firewalld
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes
[student@ansible apache]$ cat handlers/main.yml
---
# handlers file for apache
- name: restart httpd
  service:
    name: httpd
    state: restarted
    enabled: yes
[student@ansible ansible]$ cat newrole.yml
---
- name: apache
  hosts: all
  roles:
    - apache
[student@ansible ansible]$ ansible-playbook newrole.yml

PLAY [apache] ******************************************************************

TASK [Gathering Facts] *********************************************************
ok: [node3]
ok: [node2]
ok: [node1]

TASK [apache : mount cdrom] ****************************************************
ok: [node1]
ok: [node3]
ok: [node2]

TASK [apache : repo1] **********************************************************
ok: [node1]
ok: [node2]
ok: [node3]

TASK [apache : repo2] **********************************************************
ok: [node1]
ok: [node2]
ok: [node3]

TASK [apache : install httpd] **************************************************
ok: [node2]
ok: [node3]
ok: [node1]

TASK [apache : cp file] ********************************************************
ok: [node2]
ok: [node1]
ok: [node3]

TASK [apache : firewalld] ******************************************************
ok: [node1]
ok: [node2]
ok: [node3]

PLAY RECAP *********************************************************************
node1 : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[student@ansible ansible]$ curl http://node1.example.com
Welcome to node1.example.com on 192.168.244.140
[student@ansible ansible]$ curl http://node2.example.com
Welcome to node2.example.com on 192.168.244.141
[student@ansible ansible]$ curl http://node3.example.com
Welcome to node3.example.com on 192.168.244.142
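The requirements ask for httpd to be started and enabled at boot and for the firewall to be enabled and running, but in the role above httpd is only touched by the handler, which runs when the template changes, and firewalld is never started. One way to state both requirements as tasks in tasks/main.yml, given as an added example that is not part of the original role (task names are hypothetical):

```yaml
# Added example: goes in roles/apache/tasks/main.yml after the "install httpd" task.

# Bring the firewall up before the rule is added, so the rule is applied
# to a running daemon and survives a reboot.
- name: start and enable firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: allow http through the firewall
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes

# Runs on every play, so httpd is up and enabled even when the template
# did not change and the "restart httpd" handler was never notified.
- name: start and enable httpd
  service:
    name: httpd
    state: started
    enabled: yes
```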
5. Use roles from Ansible Galaxy
Create a playbook named /home/student/ansible/roles.yml with the following requirements:
The playbook contains a play that runs on hosts in the balancers host group and will use the balancer role.
This role configures a service to balance the load of Web server requests among hosts in the webservers host group.
Browsing to a host in the balancers host group (e.g. http://bastion.lab.example.com/ ) will generate the following output:
Welcome to serverc.example.com on 172.25.1.12
Reloading the browser will generate output from another Web server:
Welcome to serverd.example.com on 172.25.1.13
The playbook contains a play that runs on hosts in the webservers host group and will use the phpinfo role.
Browsing to a host in the webservers host group via the URL /hello.php produces the following output:
Hello PHP World from FQDN
where FQDN is the fully qualified name of the host.
For example, browsing to http://serverc.lab.example.com/hello.php produces the following output:
Hello PHP World from serverc.lab.example.com
There are also various details of the PHP configuration, such as the installed PHP version, etc.
Likewise, browsing to http://serverd.lab.example.com/hello.php produces the following output:
Hello PHP World from serverd.lab.example.com
There are also various details of the PHP configuration, such as the installed PHP version, etc.
[student@ansible ansible]$ cat roles.yml
---
- name: gather facts for webservers
  hosts: webservers

- name: balancer role
  hosts: balancers
  roles:
    - balancer

- name: php role
  hosts: webservers
  roles:
    - phpinfo
[student@ansible ansible]$ ansible-playbook roles.yml

PLAY [gather facts for webservers] *********************************************

TASK [Gathering Facts] *********************************************************
ok: [node2]
ok: [node3]
[WARNING]: Could not match supplied host pattern, ignoring: balancers

PLAY [balancer role] ***********************************************************
skipping: no hosts matched

PLAY [php role] ****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [node2]
ok: [node3]

TASK [phpinfo : Install Apache] ************************************************
ok: [node2]
ok: [node3]

TASK [phpinfo : Install firewalld] *********************************************
ok: [node2]
ok: [node3]

TASK [phpinfo : Start and enable firewalld] ************************************
ok: [node3]
ok: [node2]

TASK [phpinfo : Enable http in firewall] ***************************************
ok: [node2]
ok: [node3]

TASK [phpinfo : Copy the hello_ver.html.j2] ************************************
changed: [node2]
changed: [node3]

TASK [phpinfo : Start and enable httpd] ****************************************
ok: [node2]
changed: [node3]

RUNNING HANDLER [phpinfo : restart httpd] **************************************
changed: [node2]
changed: [node3]

PLAY RECAP *********************************************************************
node2 : ok=9 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=9 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

verify:
[student@workstation ansible]$ curl http://bastion.lab.example.com
Welcome to serverc.lab.example.com on 172.25.250.12
[student@workstation ansible]$ curl http://bastion.lab.example.com
Welcome to serverd.lab.example.com on 172.25.250.13
[student@workstation ansible]$ curl http://serverc.lab.example.com/hello.php
Hello PHP World form serverc.lab.example.com
[student@workstation ansible]$ curl http://serverd.lab.example.com/hello.php
Hello PHP World form serverd.lab.example.com
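In the run above the balancer play printed "Could not match supplied host pattern, ignoring: balancers" and was skipped, so the balancer role was never applied even though the recap shows no failures. A pre-flight play that turns a missing or empty group into a hard failure, given as an added example that is not part of the original playbook; it is meant to be the first play in roles.yml, and the play and task names are hypothetical:

```yaml
# Added example: first play in roles.yml, ahead of the role plays.
- name: pre-flight inventory check
  hosts: localhost          # implicit localhost, needs no inventory entry
  gather_facts: no
  tasks:
    - name: every group targeted by the later plays must contain hosts
      assert:
        that:
          # default([]) covers a group that is not defined at all
          - groups[item] | default([]) | length > 0
        fail_msg: "inventory group '{{ item }}' is missing or empty"
      loop:
        - webservers
        - balancers
      # A failed assert leaves no hosts in this play, so ansible-playbook
      # stops here instead of silently skipping the balancer play.
```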