The complexity of modern environments has pushed many organizations toward automation, and a number of tools have grown up to serve it. Common configuration-management and automation tools include Ansible, Puppet, Chef, Foreman, Katello, CFEngine and SaltStack.
Ansible is a free and open-source tool for configuration management and automation. Written in Python, it is widely preferred because:
- It is free and open-source
- It is easy to set up and use
- Powerful and can be used to model complex IT environments
- Agentless: nothing has to be installed on the managed nodes and no extra firewall ports need to be opened, since it works over the SSH access you already have
- Fewer moving parts on the managed nodes means a smaller attack surface and an easier compliance story
Linux System Roles are Ansible roles that manage and configure everyday Linux components, giving you an automation API that is consistent across several Linux distributions. The individual roles are published on Ansible Galaxy under linux-system-roles; they are also available bundled as a single collection, which is often more convenient than installing roles one by one.
Currently supported distributions
The supported Linux distributions are:
- Red Hat Enterprise Linux (RHEL 6+)
- RHEL 6+ derivatives such as CentOS 6+
This guide walks through how to automate Linux systems with Ansible System Roles.
Step 1 – Install and Configure Ansible on Your Workstation
Ansible is installed on a single manager node, usually called the control node, which holds the playbooks and pushes them to the managed nodes over SSH.
Ansible can be installed on the distributions listed above in two ways:
- Using PIP
First install Python 3 and pip:
sudo yum install python3 python3-pip -y
Install Ansible with the command:
sudo pip3 install ansible
- Using EPEL repositories
Add the EPEL repository to the system.
##On RHEL 7/CentOS 7
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

##On RHEL 8/CentOS 8/Alma Linux 8/Rocky Linux 8
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Now install Ansible with the command:
sudo yum install ansible ansible-core
Verify the installation.
$ ansible --version
ansible [core 2.12.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/alma/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/alma/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.12 (default, Apr 21 2022, 07:55:08) [GCC 8.5.0 20210514 (Red Hat 8.5.0-10)]
  jinja version = 2.10.3
  libyaml = True
Create the Ansible Hosts Inventory file
This file lists the managed nodes, grouped however suits you. Add the hosts as shown:
$ sudo vim /etc/ansible/hosts
[CentOS8]
192.168.205.9 ansible_ssh_user=username
[CentOS7]
192.168.205.5 ansible_ssh_user=username
[Rocky8]
192.168.205.2 ansible_ssh_user=username
Replace “username” with the account Ansible will log in as on each managed node (ansible_ssh_user is the legacy spelling of this variable; ansible_user is its current name and either works). That account must be able to run sudo without a password, because the playbooks below escalate with become. Add the rule with visudo, which syntax-checks the file before saving, rather than opening /etc/sudoers in a plain editor; a broken sudoers file locks everyone out of sudo:
$ sudo visudo
.......
##Find/Add the line
username ALL=(ALL) NOPASSWD: ALL
Be aware that this rule is unrestricted passwordless root: whoever holds the control node's SSH private key is root on every managed node, so protect that key and the control node accordingly.
Next, generate an SSH key pair on the control node and copy the public key to each managed node, using the same user@host pairs as the inventory (ssh-keygen -t ed25519 gives a shorter, modern key if every managed node runs OpenSSH 6.5 or newer):
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.205.9
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.205.5
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.205.2
The control node can now run commands on the managed nodes without being prompted for a password. Test connectivity to every inventory host with the ping module (an Ansible round trip over SSH, not ICMP):
$ ansible -m ping all
192.168.205.9 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.205.2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.205.5 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3.6"
    },
    "changed": false,
    "ping": "pong"
}
Step 2 – Install Linux System Roles Ansible Collection
For this guide, we will simply install all the roles as a collection. There are two ways to install the Linux System Roles Collection in your setup.
- Install from Ansible Galaxy
$ ansible-galaxy collection install fedora.linux_system_roles
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/download/fedora-linux_system_roles-1.24.0.tar.gz to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/fedora-linux_system_roles-1.24.0-agt0_560
Installing 'fedora.linux_system_roles:1.24.0' to '/home/alma/.ansible/collections/ansible_collections/fedora/linux_system_roles'
Downloading https://galaxy.ansible.com/download/ansible-posix-1.4.0.tar.gz to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/ansible-posix-1.4.0-u_nq0p75
fedora.linux_system_roles:1.24.0 was installed successfully
Installing 'ansible.posix:1.4.0' to '/home/alma/.ansible/collections/ansible_collections/ansible/posix'
Downloading https://galaxy.ansible.com/download/community-general-5.1.0.tar.gz to /home/alma/.ansible/tmp/ansible-local-7951pymjog1f/tmp9cxatqf0/community-general-5.1.0-33n2krfl
ansible.posix:1.4.0 was installed successfully
Installing 'community.general:5.1.0' to '/home/alma/.ansible/collections/ansible_collections/community/general'
community.general:5.1.0 was installed successfully
Once complete, the roles are available under the collection namespace as fedora.linux_system_roles.<role>, for example fedora.linux_system_roles.network.
- Install from YUM
sudo yum install rhel-system-roles
The RPM places the roles under /usr/share/ansible/roles, where they are referenced as rhel-system-roles.<role>, for example rhel-system-roles.network.
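Installing from Galaxy without a version, as above, pulls whatever release is current at that moment, plus its dependencies (ansible.posix and community.general), so two control nodes built a month apart can end up running different role code. For repeatable, reviewable installs, pin the collection and its dependencies in a requirements file. The following is an added example, not part of the original guide; the version numbers are the ones that appear in the install output above, and requirements.yml is an assumed filename.

```yaml
# requirements.yml (filename assumed). Pins what the control node installs.
# Install with:  ansible-galaxy collection install -r requirements.yml
# Re-running the same file on another control node yields the same versions,
# and a version bump becomes a reviewable change instead of a silent upgrade.
collections:
  - name: fedora.linux_system_roles
    version: 1.24.0          # version seen in the install output above
  - name: ansible.posix
    version: 1.4.0           # pulled in as a dependency above; pin it too
  - name: community.general
    version: 5.1.0
```

Keep requirements.yml in the same repository as the playbooks, so the role versions a playbook was tested against travel with it.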
Step 3 – Automate Linux System using Linux System Roles
You can now automate a system by writing a playbook (YAML) that declares the desired state for the managed nodes and hands the work to a role.
The Linux System Roles collection can drive many subsystems on a managed host. This guide covers three of them: the network, time synchronization and SELinux.
Configuring the Network
The playbook below creates a network bond from two Ethernet interfaces:
- hosts: 192.168.205.2
  become: true
  become_method: sudo
  become_user: root
  vars:
    network_connections:
      # Specify the bond profile
      - name: bond0
        state: up
        type: bond
        interface_name: bond0
        # ip configuration (optional)
        ip:
          address:
            - "192.168.205.40/24"
        # bond configuration settings: (optional)
        bond:
          mode: active-backup
          miimon: 110
      # add an ethernet profile to the bond
      - name: member1
        state: up
        type: ethernet
        interface_name: enp1s0
        controller: bond0
      # add a second ethernet profile to the bond
      - name: member2
        state: up
        type: ethernet
        interface_name: enp10s0
        controller: bond0
  roles:
    - fedora.linux_system_roles.network
    #- rhel-system-roles.network
Use the role name that matches how you installed the roles:
fedora.linux_system_roles.network
##OR
rhel-system-roles.network
This playbook configures a network bond using two network interfaces attached to the managed node. Identify the two interfaces with the command:
$ nmcli device status
DEVICE      TYPE      STATE                   CONNECTION
enp9s0      ethernet  connected               Ethernet connection
enp10s0     ethernet  connected               Ethernet connection 1
enp1s0      ethernet  connected               enp1s0
virbr0      bridge    connected (externally)  virbr0
lo          loopback  unmanaged               --
virbr0-nic  tun       unmanaged               --
The bond needs two spare interfaces attached to the managed node; with only the primary adapter present the playbook will not do what you want. Do not list the interface that carries your SSH session (the one holding the node's inventory address) as a bond member, or the connection drops the moment the member profile comes up and the play cannot finish. Run the playbook against the target node, then verify on the managed node, for example with nmcli connection show and cat /proc/net/bonding/bond0.
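The easiest way to lose a remote node with the network role is to enslave the interface Ansible is talking over. The play below is an added example, not the guide's playbook: it builds the same bond, but a pre-task asserts that neither member is the interface behind the default route (the ansible_default_ipv4 fact, which on a single-homed host is the one the SSH session arrived on) and that both members actually exist, so the role never runs against a bad list. The filename bond.yml and the interface names are assumptions taken from the nmcli output above.

```yaml
# bond.yml (filename assumed). Added example: the bond profile from this guide,
# guarded by a pre-task so the play refuses to run if one of the member
# interfaces is the one carrying the management connection.
- hosts: 192.168.205.2
  become: true
  vars:
    bond_members:            # the two spare interfaces from `nmcli device status`
      - enp1s0
      - enp10s0
    network_connections:
      - name: bond0
        state: up
        type: bond
        interface_name: bond0
        ip:
          address:
            - "192.168.205.40/24"
        bond:
          mode: active-backup
          miimon: 110
      - name: member1
        state: up
        type: ethernet
        interface_name: "{{ bond_members[0] }}"
        controller: bond0
      - name: member2
        state: up
        type: ethernet
        interface_name: "{{ bond_members[1] }}"
        controller: bond0
  pre_tasks:
    # ansible_default_ipv4.interface is the interface behind the default route.
    # On a host with no default route the fact is empty and the assert errors
    # out, which is the safe outcome: the play stops before touching anything.
    - name: Refuse to enslave the interface carrying the management connection
      ansible.builtin.assert:
        that:
          - ansible_facts['default_ipv4']['interface'] not in bond_members
          # every requested member must be a real interface on the node
          - bond_members | difference(ansible_facts['interfaces']) | length == 0
        fail_msg: >-
          bond_members {{ bond_members }} overlaps the management interface
          {{ ansible_facts['default_ipv4']['interface'] }} or names an
          interface that does not exist on {{ inventory_hostname }}
  roles:
    - fedora.linux_system_roles.network
```

Run it with ansible-playbook bond.yml; if the assert fails the role is never invoked, so NetworkManager is left untouched and the SSH session survives.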
Configuring Time Synchronization
The timesync role configures the node's NTP client (chrony on RHEL 8 and its derivatives, as the verification below shows) with the servers you list. The playbook below targets the Rocky Linux node:
- hosts: 192.168.205.2
  become: true
  become_method: sudo
  become_user: root
  vars:
    timesync_ntp_servers:
      - hostname: 3.ke.pool.ntp.org
        iburst: yes
      - hostname: 2.africa.pool.ntp.org
        pool: yes
      - hostname: 0.africa.pool.ntp.org
        pool: yes
  roles:
    - fedora.linux_system_roles.timesync
    #- rhel-system-roles.timesync
Apply the playbook.
Verify the changes:
$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.cloudflare.com           3   6    17    12   -297us[ -298us] +/-   17ms
^+ any.time.nl                   2   6    17    12   +313us[ +312us] +/-   18ms
^- ntp.cd.net.za                 2   6    17    12  -5761us[-5763us] +/-  102ms
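The pool servers above speak plain, unauthenticated NTP, so anyone on the path can steer the node's clock, and with it certificate validity checks, Kerberos ticket lifetimes and log timestamps. The timesync role's server entries document an nts flag that enables Network Time Security, which needs chrony 4.0 or newer on the managed node. The play below is an added example, not part of the guide: time.cloudflare.com is chosen because it appears in the chronyc output above and publicly serves NTS; the nts key comes from the role's documentation rather than from this page, so confirm it against the role version you installed. The filename is assumed.

```yaml
# timesync-nts.yml (filename assumed). Added example: authenticated time via
# NTS instead of plain pool servers. Requires chrony >= 4.0 on the node and the
# `nts` server option as documented by the timesync role (verify for your version).
- hosts: 192.168.205.2
  become: true
  vars:
    timesync_ntp_servers:
      - hostname: time.cloudflare.com
        iburst: yes
        nts: yes      # NTS-KE over TLS (TCP/4460), then authenticated NTP
  roles:
    - fedora.linux_system_roles.timesync
  post_tasks:
    # `chronyc -N authdata` lists each source with its authentication mode;
    # a source that completed NTS key establishment shows Mode "NTS".
    - name: Show NTS authentication state for each source
      ansible.builtin.command: chronyc -N authdata
      changed_when: false
      register: authdata
    - name: Fail if no source is authenticated with NTS
      ansible.builtin.assert:
        that: "'NTS' in authdata.stdout"
        fail_msg: >-
          No NTS-authenticated source on {{ inventory_hostname }};
          check the chrony version and outbound TCP/4460
```

If the assert fails on an otherwise healthy node, the usual causes are an older chrony without NTS support or egress filtering of TCP/4460, the NTS key-establishment port.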
Configuring SELinux
The selinux role sets the policy and mode and can toggle SELinux booleans and file contexts. Note the two booleans below: ssh_sysadm_login is set with persistent: 'yes' and survives a reboot, whereas samba_enable_home_dirs is set only at runtime and reverts to its default at the next boot; add persistent: 'yes' to any boolean you mean to keep.
- hosts: 192.168.205.9
  become: true
  become_method: sudo
  become_user: root
  vars:
    # Enable SELinux. Yes, do it, else Klinsmann cries.
    selinux_policy: targeted
    # Set "enforcing" mode
    selinux_state: enforcing
    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
    # selinux_file_contexts:
    #   - { target: '/var/mycrash(/.*)?', setype: 'kdump_crash_t', ftype: 'd' }
  roles:
    #- fedora.linux_system_roles.selinux
    - rhel-system-roles.selinux
Apply the YAML.
Check the SELinux status on the managed node:
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
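Two things the playbook above leaves to chance: a node that starts out with SELinux disabled cannot switch to enforcing until it reboots (the role documents a selinux_reboot_required fact for exactly this case; that fact is not shown on this page, so check it against your role version), and nothing proves the end state except a manual sestatus. The play below is an added example, not the guide's playbook: it makes both booleans persistent, reboots only when the role reports it is required, re-gathers facts and fails unless the node is genuinely enforcing. The filename is assumed.

```yaml
# selinux.yml (filename assumed). Added example, not the guide's playbook: same
# targets, but every boolean is persistent, the play reboots only when the role
# reports it is required, and it proves the final state instead of trusting it.
- hosts: 192.168.205.9
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
    selinux_booleans:
      # persistent: 'yes' writes the value into the policy store; without it
      # the boolean reverts to its default at the next reboot.
      - { name: 'samba_enable_home_dirs', state: 'on', persistent: 'yes' }
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
  roles:
    - fedora.linux_system_roles.selinux
  post_tasks:
    # disabled -> enforcing needs a reboot (and a relabel on the way up); the
    # role signals that through selinux_reboot_required (per its documentation,
    # not this page). default(false) keeps the play working if the fact is absent.
    - name: Reboot if the role reports it is required
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: selinux_reboot_required | default(false)
    # Facts gathered at play start are stale after the role ran; re-read them.
    - name: Re-read SELinux facts after the role (and possible reboot)
      ansible.builtin.setup:
        filter: ansible_selinux
    - name: Fail unless the node is actually enforcing
      ansible.builtin.assert:
        that:
          - ansible_facts['selinux']['status'] == 'enabled'
          - ansible_facts['selinux']['mode'] == 'enforcing'        # running mode
          - ansible_facts['selinux']['config_mode'] == 'enforcing' # /etc/selinux/config
        fail_msg: "SELinux is not enforcing on {{ inventory_hostname }}"
```

Checking both mode and config_mode matters: mode alone can be satisfied by a setenforce 1 that will not survive the next boot, and config_mode alone says nothing about what the kernel is doing right now.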
More examples can be found under /usr/share/doc/rhel-system-roles/
That covers the basics of automating Linux systems with Ansible System Roles: installing Ansible and the collection, preparing the inventory and SSH access, and applying the network, timesync and selinux roles. The other roles in the collection follow the same pattern, so you now have what you need to explore them. I hope this was insightful.