The goal of this exercise is to understand and use pre-existing content in the forms of roles and collections from Automation Hub and Ansible Galaxy.
Linux System Roles create a consistent user interface to provide settings to a given subsystem that is abstract from any particular implementation. For example, assigning an IP Address to a network interface should be a generic concept separate from any particular implementations such as init networking scripts, NetworkManager, or systemd-networkd.
This exercise will use two Linux System Roles, the
In the Ansible Automation Controller UI navigate to Projects then click on the Ansible official demo project:
Take note of the Github repository that was pre-loaded into your Ansible Automation Controller environment:
Open the repository linked above in your web browser. Navigate to playbooks/security/hardening.yml
Take note of these two tasks:
- name: Configure Firewall when: harden_firewall | bool include_role: name: linux-system-roles.firewall - name: Configure Timesync when: harden_time | bool include_role: name: redhat.rhel_system_roles.timesync
There are two tasks that include a role and a role from a collection respectively. If you have trouble distinguishing a role that comes directly from Ansible Galaxy versus a role that is in an Ansible Collection this nomenclature should help you:
The Ansible Playbooks are simple. They just use the pre-built Ansible Playbooks provided by Ansible Galaxy and Automation Hub. These were pre-installed for this Ansible Workshop.
vars: firewall: service: 'tftp' state: 'disabled'
vars: timesync_ntp_servers: - hostname: foo.example.com iburst: yes - hostname: bar.example.com iburst: yes - hostname: baz.example.com iburst: yes
In the Ansible Automation Controller UI navigate to Templates.
Click on the rocket to launch the SERVER / Hardening job template:
This will launch a survey before starting the job. Fill out the survey:
Click the NEXT button:
Review the EXTRA VARIABLES to understand what the survey did. Click the LAUNCH button:
Watch the Job kick off!
From the Ansible control node, ssh to the node you configured:
$ ssh node1
For Red Hat Enterprise Linux 8 the timesync system role used chronyd. Check if it is installed, enabled and running with
systemctl status command:
$ sudo systemctl status chronyd.service
Here is the full output:
[student@ansible ~]$ sudo systemctl status chronyd.service ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2020-04-21 14:37:14 UTC; 13h ago Docs: man:chronyd(8) man:chrony.conf(5) Main PID: 934 (chronyd) Tasks: 1 (limit: 23902) Memory: 1.8M CGroup: /system.slice/chronyd.service └─934 /usr/sbin/chronyd Apr 21 14:37:14 localhost.localdomain systemd: Starting NTP client/server... Apr 21 14:37:14 localhost.localdomain chronyd: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG) Apr 21 14:37:14 localhost.localdomain chronyd: Using right/UTC timezone to obtain leap second data Apr 21 14:37:14 localhost.localdomain systemd: Started NTP client/server. Apr 21 14:38:12 ip-172-16-47-87.us-east-2.compute.internal chronyd: Selected source 184.108.40.206 Apr 21 14:38:12 ip-172-16-47-87.us-east-2.compute.internal chronyd: System clock TAI offset set to 37 seconds
Here are some other commands that can be used to verify time is working correctly:
# chronyc tracking # chronyc sources # chronyc sourcestats # systemctl status chronyd # chronyc activity # timedatectl
$ timedatectl Local time: Wed 2020-04-22 03:52:15 UTC Universal time: Wed 2020-04-22 03:52:15 UTC RTC time: Wed 2020-04-22 03:52:15 Time zone: UTC (UTC, +0000) System clock synchronized: yes NTP service: active
You have completed lab exercise