Automate Linux Systems with Ansible System Roles


Nowadays, due to the complexity of working environments, many organizations have adopted automation, and this has brought several tools into play. Common automation tools include Ansible, Puppet, Chef, Foreman, Katello, CFEngine, SaltStack, etc.

Ansible is a free and open-source tool used for configuration management and automation. Written in Python, it is widely preferred for the following reasons:

  • It is free and open-source
  • It is easy to set up and use
  • Powerful and can be used to model complex IT environments
  • Efficient, since it is agentless: no extra software has to be installed on the managed nodes and no additional firewall ports have to be opened, as it works over SSH
  • It has improved security and compliance

Linux System Roles are Ansible roles used to manage and configure everyday Linux tasks and components. They provide an automation API that is consistent across several Linux distributions. The roles are normally available in Ansible Galaxy at Linux-system-roles. At times one may prefer installing them as a single collection instead of as individual roles. The collection consists of the following roles:

  • logging
  • kdump
  • metrics
  • firewall
  • crypto_policies
  • cockpit
  • nbde_server
  • nbde_client
  • ssh
  • sshd
  • network
  • SELinux
  • ha_cluster
  • tlog
  • VPN
  • timesync
  • storage
  • kernel_settings

Currently supported distributions

The supported Linux distributions are:

  • Fedora
  • Red Hat Enterprise Linux (RHEL 6+)
  • RHEL 6+ derivatives such as CentOS 6+

This guide walks through how to automate Linux systems with Ansible System Roles.

Step 1 – Install and Configure Ansible on Your Workstation

For orchestration to occur, Ansible is installed on a manager node, often known as the control node. This node holds the playbooks to be executed on the managed nodes.

Ansible can be installed on the above-listed distributions using two methods:

  • Using PIP

Using PIP, you first need to install the packages below:

sudo yum install python3 python3-pip -y

Install Ansible with the command:

sudo pip3 install ansible

  • Using EPEL repositories

Add the EPEL repository to the system (the epel-release package is installed straight from the Fedora project's download server).

##On RHEL 7/CentOS 7
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

##On RHEL 8/CentOS 8/Alma Linux 8/Rocky Linux 8
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Now install Ansible with the command:

sudo yum install ansible ansible-core

Verify the installation.

$ ansible --version
ansible [core 2.12.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/alma/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/alma/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.12 (default, Apr 21 2022, 07:55:08) [GCC 8.5.0 20210514 (Red Hat 8.5.0-10)]
  jinja version = 2.10.3
  libyaml = True

Create the Ansible Hosts Inventory file

This Ansible file lists the managed nodes, grouped as you like. Add the hosts to the file as shown; the addresses in angle brackets are placeholders for the IP addresses of your managed nodes.

$ sudo vim /etc/ansible/hosts
[CentOS8]
<centos8-ip> ansible_ssh_user=username

[CentOS7]
<centos7-ip> ansible_ssh_user=username

[Rocky8]
<rocky8-ip> ansible_ssh_user=username

In the above file, remember to replace “username” with the sudo user on your managed node. Also, ensure that the user added here is able to execute sudo commands without a password:

$ sudo vim /etc/sudoers
##Find/Add the line
username   ALL=(ALL)      NOPASSWD: ALL

Next, generate an SSH key pair on the control node and copy the public key to each managed node (the same placeholders as in the inventory are used here):

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub username@<centos8-ip>
ssh-copy-id -i ~/.ssh/id_rsa.pub username@<centos7-ip>
ssh-copy-id -i ~/.ssh/id_rsa.pub username@<rocky8-ip>

By doing so, the control node can execute commands on the managed nodes without being prompted for a password. Test that everything is okay:

$ ansible -m ping all
<centos8-ip> | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
<rocky8-ip> | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
<centos7-ip> | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3.6"
    },
    "changed": false,
    "ping": "pong"
}
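The ping above only proves SSH connectivity. Because every role in this guide runs with become, it is also worth confirming, on each managed node, that sudo works without prompting before a play gets half way and stalls on a password prompt. The preflight playbook below is an added example, not part of the original guide; it assumes the inventory shown above, that the inventory user is the one granted NOPASSWD in /etc/sudoers, and an arbitrary file name of preflight.yaml.

```yaml
# preflight.yaml (added example): confirm SSH reachability and
# non-interactive sudo on every inventory host before any role is applied.
- hosts: all
  become: false          # run as the inventory user, not as root
  gather_facts: true     # provides ansible_distribution, ansible_python, ansible_user_id

  tasks:
    - name: Try sudo in non-interactive mode (-n fails instead of prompting)
      ansible.builtin.command: sudo -n true
      register: sudo_check
      changed_when: false
      failed_when: false   # judged by the assert below so the message is explicit

    - name: Stop this host before any role runs if sudo would need a password
      ansible.builtin.assert:
        that:
          - sudo_check.rc == 0
        fail_msg: >-
          {{ inventory_hostname }}: user {{ ansible_user_id }} cannot run sudo
          without a password; check the NOPASSWD line in /etc/sudoers on the node
        success_msg: >-
          {{ inventory_hostname }}: {{ ansible_distribution }}
          {{ ansible_distribution_version }}, interpreter
          {{ ansible_python.executable }}, passwordless sudo OK
```

Run it with ansible-playbook preflight.yaml (add -l Rocky8 or another group name to limit it). A host that fails the assert is skipped for the rest of the run, which is the behaviour you want before a role starts changing network, time or SELinux settings on it.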

Step 2 – Install Linux System Roles Ansible Collection

For this guide, we will simply install all the roles as a collection. There are two ways to install the Linux System Roles Collection in your setup.

  • Install from Ansible Galaxy

$ ansible-galaxy collection install fedora.linux_system_roles
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/fedora-linux_system_roles-1.24.0-agt0_560
Installing 'fedora.linux_system_roles:1.24.0' to '/home/alma/.ansible/collections/ansible_collections/fedora/linux_system_roles'
Downloading to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/ansible-posix-1.4.0-u_nq0p75
fedora.linux_system_roles:1.24.0 was installed successfully
Installing 'ansible.posix:1.4.0' to '/home/alma/.ansible/collections/ansible_collections/ansible/posix'
Downloading to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/community-general-5.1.0-33n2krfl
ansible.posix:1.4.0 was installed successfully
Installing 'community.general:5.1.0' to '/home/alma/.ansible/collections/ansible_collections/community/general'
community.general:5.1.0 was installed successfully

Once complete, the roles will be available as fedora.linux_system_roles.
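The command above installs whatever version of the collection is current on Galaxy, and its dependencies with it. For repeatable builds that can be reviewed before they reach production, pin the collection versions in a requirements file and install from that instead. The file below is an added example, not part of the original guide; the versions are the ones printed in the install output above and the file name requirements.yml is the conventional one.

```yaml
# requirements.yml (added example): pin the collection versions seen in the
# install output above so every control node gets the same, reviewed code.
collections:
  - name: fedora.linux_system_roles
    version: "1.24.0"
  - name: ansible.posix
    version: "1.4.0"
  - name: community.general
    version: "5.1.0"
```

Install with ansible-galaxy collection install -r requirements.yml and confirm what is present with ansible-galaxy collection list. Bump the pinned versions deliberately, after reading the release notes, rather than picking up whatever Galaxy serves on the day.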

  • Install from YUM

sudo yum install rhel-system-roles

Step 3 – Automate Linux System using Linux System Roles

You can now automate your system by creating a playbook YAML consisting of the desired tasks to be executed on managed nodes.

From the Linux System Roles Ansible Collection, you can configure several subsystems on the managed hosts. For this guide, I will cover the following examples:

Configuring the Network

The playbook can be created as shown:

vim network-playbook.yaml

The file below can be used to create a network bond. The hosts: all line targets every host in the inventory; replace it with a group name such as Rocky8 if only one node has the two spare interfaces. The bond address is a placeholder.

- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    network_connections:
      # Specify the bond profile
      - name: bond0
        state: up
        type: bond
        interface_name: bond0
        # ip configuration (optional)
        ip:
          address:
            - "<bond-ip>/24"   # placeholder: the static address for the bond
        # bond configuration settings: (optional)
        bond:
          mode: active-backup
          miimon: 110

      # add an ethernet profile to the bond
      - name: member1
        state: up
        type: ethernet
        interface_name: enp1s0
        controller: bond0

      # add a second ethernet profile to the bond
      - name: member2
        state: up
        type: ethernet
        interface_name: enp10s0
        controller: bond0
  roles:
    - fedora.linux_system_roles.network
    #- rhel-system-roles.network

Remember to replace the role with the exact role name for your installation: fedora.linux_system_roles.network when the collection was installed from Ansible Galaxy, rhel-system-roles.network when it was installed from YUM.

This playbook configures a network bond using two network interfaces attached to the managed node. Identify the two interfaces with the command:

$ nmcli device status
DEVICE      TYPE      STATE                   CONNECTION            
enp9s0      ethernet  connected               Ethernet connection   
enp10s0     ethernet  connected               Ethernet connection 1 
enp1s0      ethernet  connected               enp1s0                
virbr0      bridge    connected (externally)  virbr0                
lo          loopback  unmanaged               --                    
virbr0-nic  tun       unmanaged               --                    

This playbook will not work as intended if you have not attached two secondary network adapters to your system. Execute the playbook against the configured node(s):

ansible-playbook network-playbook.yaml

Verify the changes on the managed node.


Configure Timesync

Create the YAML

vim timesync-playbook.yaml

The below file can be used for Rocky Linux systems. The NTP server names in angle brackets are placeholders; replace them with the servers or pools you use.

- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    timesync_ntp_servers:
      - hostname: "<ntp-server-1>"   # placeholder: a single server, polled with iburst
        iburst: yes
      - hostname: "<ntp-pool-1>"     # placeholder: a pool name
        pool: yes
      - hostname: "<ntp-pool-2>"     # placeholder: a pool name
        pool: yes
  roles:
    - fedora.linux_system_roles.timesync
    #- rhel-system-roles.timesync

Apply the playbook.

ansible-playbook timesync-playbook.yaml

Verify the changes:

$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
^* <ntp-server-1>                3   6    17    12   -297us[ -298us] +/-   17ms
^+ <pool-member-1>               2   6    17    12   +313us[ +312us] +/-   18ms
^- <pool-member-2>               2   6    17    12  -5761us[-5763us] +/-  102ms

Configure SELinux

Create the playbook.

vim selinux-playbook.yaml

Make the desired settings on the node(s):

- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    # Enable SELinux.  Yes, do it, else Klinsmann cries.
    selinux_policy: targeted
    # Set "enforcing" mode
    selinux_state: enforcing

    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }

#    selinux_fcontexts:
#      - { target: '/var/mycrash(/.*)?', setype: 'kdump_crash_t', ftype: 'd' }

  roles:
    #- fedora.linux_system_roles.selinux
    - rhel-system-roles.selinux

Apply the YAML.

ansible-playbook selinux-playbook.yaml

Check the SELinux status on the managed node:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
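Rather than running sestatus by hand after every run, the verification can be part of the play, and one play can apply several roles in sequence. The playbook below is an added example, not part of the original guide: it applies the timesync and SELinux roles from the Galaxy collection with settings in the same form as the examples above (the pool name is a placeholder), then asserts on the managed node's actual state so that a setting that did not take effect fails the run instead of going unnoticed. The file name hardening.yaml is arbitrary.

```yaml
# hardening.yaml (added example): apply two system roles in one play, then
# assert on the resulting state so drift shows up as a failed run.
- hosts: all
  become: true
  become_method: sudo
  become_user: root

  vars:
    timesync_ntp_servers:
      - hostname: "<ntp-pool-1>"   # placeholder: a pool name
        pool: yes
    selinux_policy: targeted
    selinux_state: enforcing
    selinux_booleans:
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }

  roles:
    - fedora.linux_system_roles.timesync
    - fedora.linux_system_roles.selinux

  post_tasks:
    - name: Read the running SELinux mode
      ansible.builtin.command: getenforce
      register: enforce_mode
      changed_when: false

    - name: Read the boolean the role was asked to set
      ansible.builtin.command: getsebool ssh_sysadm_login
      register: sysadm_bool
      changed_when: false

    - name: Collect service state (provides ansible_facts.services)
      ansible.builtin.service_facts:

    - name: Fail the run if any setting did not take effect
      ansible.builtin.assert:
        that:
          - enforce_mode.stdout == "Enforcing"
          - "'--> on' in sysadm_bool.stdout"
          - ansible_facts.services['chronyd.service'].state == 'running'
        fail_msg: "{{ inventory_hostname }}: expected time sync or SELinux state not reached"
```

Run it with ansible-playbook hardening.yaml. One caveat: a node whose SELinux was disabled cannot switch to enforcing without a reboot, and the selinux role reports that through the selinux_reboot_required fact; on such a node the getenforce check will fail until the node is rebooted and the play is run again, which is the correct outcome for a compliance check.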

More examples can be found under /usr/share/doc/rhel-system-roles/

Final Thoughts

We have successfully walked through how to automate Linux Systems with Ansible System Roles. This guide has only provided you with the basic knowledge on how to automate systems using Ansible roles. Now you have the power to explore other Linux System Roles not covered here. I hope this was insightful.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.