Nowadays, with the growing complexity of working environments, many organizations have adopted automation, and a number of tools have emerged for it. Common automation tools include Ansible, Puppet, Chef, Foreman, Katello, CFEngine, SaltStack, etc.
Ansible is a free and open-source tool for configuration management and automation. Written in Python, it is widely preferred for the following reasons:
- It is free and open-source
- It is easy to set up and use
- It is powerful and can model complex IT environments
- It is efficient: no agent software has to be installed and no extra firewall ports opened on the managed nodes
- It improves security and compliance
Linux System Roles are Ansible roles used to manage and configure everyday Linux tasks and components. They provide an automation API that is consistent across several Linux distributions. The roles are published on Ansible Galaxy under linux-system-roles. At times one may prefer to use the collection instead of the individual roles. The collection consists of the following roles:
- logging
- kdump
- metrics
- firewall
- crypto_policies
- cockpit
- nbde_server
- nbde_client
- ssh
- sshd
- network
- SELinux
- ha_cluster
- tlog
- VPN
- timesync
- storage
- kernel_settings
Currently supported distributions
The supported Linux distributions are:
- Fedora
- Red Hat Enterprise Linux (RHEL 6+)
- RHEL 6+ derivatives such as CentOS 6+
This guide walks through how to automate Linux systems with Ansible System Roles.
Step 1 – Install and Configure Ansible on Your Workstation
For the orchestration to occur, Ansible is installed on a manager node often known as the control node. This node carries the playbook to be executed on the managed nodes.
Ansible can be installed on the distributions listed above using either of two methods:
- Using PIP
With PIP, first install Python 3 and pip:
sudo yum install python3 python3-pip -y
Install Ansible with the command:
sudo pip3 install ansible
- Using EPEL repositories
Add the EPEL repository to the system.
##On RHEL 7/CentOS 7
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
##On RHEL 8/CentOS 8/Alma Linux 8/Rocky Linux 8
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Now install Ansible with the command:
sudo yum install ansible ansible-core
Verify the installation.
$ ansible --version
ansible [core 2.12.2]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/alma/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.8/site-packages/ansible
ansible collection location = /home/alma/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.12 (default, Apr 21 2022, 07:55:08) [GCC 8.5.0 20210514 (Red Hat 8.5.0-10)]
jinja version = 2.10.3
libyaml = True
Create the Ansible Hosts Inventory file
This inventory file lists the managed nodes. Add the hosts to the file as shown.
$ sudo vim /etc/ansible/hosts
[CentOS8]
192.168.205.9 ansible_ssh_user=username
[CentOS7]
192.168.205.5 ansible_ssh_user=username
[Rocky8]
192.168.205.2 ansible_ssh_user=username
In the above file, remember to replace “username” with the sudo user on your managed node. Also, ensure that this user can execute sudo commands without a password:
$ sudo vim /etc/sudoers
.......
##Find/Add the line
username ALL=(ALL) NOPASSWD: ALL
Next, generate and copy the SSH keys of the Control Node to the Managed nodes:
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.205.9
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.205.5
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.205.2
With the keys in place, the control node can run commands on the managed nodes without a password prompt. Test that everything is okay.
$ ansible -m ping all
192.168.205.9 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
192.168.205.2 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
192.168.205.5 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3.6"
},
"changed": false,
"ping": "pong"
}
Step 2 – Install Linux System Roles Ansible Collection
For this guide, we will simply install all the roles as a collection. There are two ways to install the Linux System Roles Collection in your setup.
- Install from Ansible Galaxy
$ ansible-galaxy collection install fedora.linux_system_roles
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/download/fedora-linux_system_roles-1.24.0.tar.gz to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/fedora-linux_system_roles-1.24.0-agt0_560
Installing 'fedora.linux_system_roles:1.24.0' to '/home/alma/.ansible/collections/ansible_collections/fedora/linux_system_roles'
Downloading https://galaxy.ansible.com/download/ansible-posix-1.4.0.tar.gz to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/ansible-posix-1.4.0-u_nq0p75
fedora.linux_system_roles:1.24.0 was installed successfully
Installing 'ansible.posix:1.4.0' to '/home/alma/.ansible/collections/ansible_collections/ansible/posix'
Downloading https://galaxy.ansible.com/download/community-general-5.1.0.tar.gz to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/community-general-5.1.0-33n2krfl
ansible.posix:1.4.0 was installed successfully
Installing 'community.general:5.1.0' to '/home/alma/.ansible/collections/ansible_collections/community/general'
community.general:5.1.0 was installed successfully
Once complete, the roles will be available as fedora.linux_system_roles.<role_name>
- Install from YUM
sudo yum install rhel-system-roles
Step 3 – Automate Linux System using Linux System Roles
You can now automate your systems by creating a playbook (a YAML file) containing the tasks to be executed on the managed nodes.
With the Linux System Roles Ansible Collection you can configure many components of the managed host. For this guide, I will cover examples on:
Configuring the Network
The playbook can be created as shown:
vim network-playbook.yaml
The file below can be used to create a network bond:
- hosts: 192.168.205.2
  become: true
  become_method: sudo
  become_user: root
  vars:
    network_connections:
      # Specify the bond profile
      - name: bond0
        state: up
        type: bond
        interface_name: bond0
        # ip configuration (optional)
        ip:
          address:
            - "192.168.205.40/24"
        # bond configuration settings: (optional)
        bond:
          mode: active-backup
          miimon: 110
      # add an ethernet profile to the bond
      - name: member1
        state: up
        type: ethernet
        interface_name: enp1s0
        controller: bond0
      # add a second ethernet profile to the bond
      - name: member2
        state: up
        type: ethernet
        interface_name: enp10s0
        controller: bond0
  roles:
    - fedora.linux_system_roles.network
    #- rhel-system-roles.network
Remember to replace the role with the exact role name for example:
fedora.linux_system_roles.network
##OR
rhel-system-roles.network
This playbook configures a network bond using two network interfaces attached to the managed node. Identify the two interfaces with the command:
$ nmcli device status
DEVICE      TYPE      STATE                   CONNECTION
enp9s0      ethernet  connected               Ethernet connection
enp10s0     ethernet  connected               Ethernet connection 1
enp1s0      ethernet  connected               enp1s0
virbr0      bridge    connected (externally)  virbr0
lo          loopback  unmanaged               --
virbr0-nic  tun       unmanaged               --
The playbook will not work as intended if the managed node does not have two secondary network adapters attached. Execute the playbook against the target node:
ansible-playbook network-playbook.yaml
Sample Output:
Verify the changes on the managed node.
Configure Timesync
Create the YAML
vim timesync-playbook.yaml
The below file can be used for Rocky Linux systems.
- hosts: 192.168.205.2
  become: true
  become_method: sudo
  become_user: root
  vars:
    timesync_ntp_servers:
      - hostname: 3.ke.pool.ntp.org
        iburst: yes
      - hostname: 2.africa.pool.ntp.org
        pool: yes
      - hostname: 0.africa.pool.ntp.org
        pool: yes
  roles:
    - fedora.linux_system_roles.timesync
    #- rhel-system-roles.timesync
Apply the playbook.
ansible-playbook timesync-playbook.yaml
Sample Output:
Verify the changes:
$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.cloudflare.com           3   6    17    12   -297us[ -298us] +/-   17ms
^+ any.time.nl                   2   6    17    12   +313us[ +312us] +/-   18ms
^- ntp.cd.net.za                 2   6    17    12  -5761us[-5763us] +/-  102ms
Configure SELinux
Create the playbook.
vim selinux-playbook.yaml
Set the desired SELinux settings for the node(s):
- hosts: 192.168.205.9
  become: true
  become_method: sudo
  become_user: root
  vars:
    # Enable SELinux. Yes, do it, else Klinsmann cries.
    selinux_policy: targeted
    # Set "enforcing" mode
    selinux_state: enforcing
    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
    # Optional: label a custom directory (the role variable is selinux_file_contexts)
    # selinux_file_contexts:
    #   - { target: '/var/mycrash(/.*)?', setype: 'kdump_crash_t', ftype: 'd' }
  roles:
    #- fedora.linux_system_roles.selinux
    - rhel-system-roles.selinux
Apply the YAML.
ansible-playbook selinux-playbook.yaml
Sample Output:
Check the SELinux status on the managed node:
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
More examples can be found under /usr/share/doc/rhel-system-roles/<role_name>
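As an added example that is not part of the original guide, the playbook below combines three more roles from the same collection, sshd, firewall and crypto_policies, into one hardening run and then verifies the result on the managed node instead of trusting the roles' return status. The target host (192.168.205.9, the CentOS 8 node from the inventory above), the file name hardening-playbook.yaml and the chosen settings are assumptions for illustration. The crypto_policies role needs RHEL 8 or a derivative, because the system-wide crypto-policies framework does not exist on RHEL 7.

```yaml
# hardening-playbook.yaml (added example, not part of the original guide)
# Applies the sshd, firewall and crypto_policies roles from the collection
# installed in Step 2, then checks the effective configuration on the node.
# Host address, file name and the chosen values are assumptions.
- hosts: 192.168.205.9
  become: true
  become_method: sudo
  become_user: root
  vars:
    # sshd role: each key of this dict becomes an sshd_config directive.
    # Values are quoted so YAML does not turn "no"/"yes" into booleans.
    sshd:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
      X11Forwarding: "no"
      MaxAuthTries: 3
    # firewall role: keep SSH reachable in the default zone, both in the
    # running configuration (immediate) and across reboots (permanent).
    firewall:
      - service: ssh
        state: enabled
        permanent: true
        immediate: true
    # crypto_policies role: system-wide policy with the NO-SHA1 subpolicy,
    # reloaded so running services pick it up (RHEL 8+ only).
    crypto_policies_policy: "DEFAULT:NO-SHA1"
    crypto_policies_reload: true
  roles:
    - fedora.linux_system_roles.sshd
    - fedora.linux_system_roles.firewall
    - fedora.linux_system_roles.crypto_policies
    #- rhel-system-roles.sshd
    #- rhel-system-roles.firewall
    #- rhel-system-roles.crypto_policies
  post_tasks:
    # sshd -T prints the effective settings in lower case, one per line.
    - name: Read the effective sshd configuration
      ansible.builtin.command: sshd -T
      register: sshd_effective
      changed_when: false

    - name: Fail the run if sshd still allows password or root logins
      ansible.builtin.assert:
        that:
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
        fail_msg: "sshd hardening was not applied on {{ inventory_hostname }}"

    # update-crypto-policies --show prints the active policy name.
    - name: Read the active system-wide crypto policy
      ansible.builtin.command: update-crypto-policies --show
      register: crypto_current
      changed_when: false

    - name: Fail the run if the crypto policy does not match
      ansible.builtin.assert:
        that:
          - crypto_current.stdout == crypto_policies_policy
        fail_msg: "Active policy is {{ crypto_current.stdout }}, expected {{ crypto_policies_policy }}"
```

Run it with ansible-playbook hardening-playbook.yaml. The post_tasks read the effective state back from the node (sshd -T and update-crypto-policies --show), so the run fails loudly if a setting was not applied or was overridden elsewhere, which is the check you want before treating the host as hardened.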
Final Thoughts
We have successfully walked through how to automate Linux Systems with Ansible System Roles. This guide has only provided you with the basic knowledge on how to automate systems using Ansible roles. Now you have the power to explore other Linux System Roles not covered here. I hope this was insightful.