System Administration

by

Working with Inventory File in Ansible

I have been learning from this book Fabio Alessandro Locati, published under Packt>. The example can be found at https://github.com/PacktPublishing/Learning-Ansible-2.X-Third-Edition/tree/master/Chapter03

Basics

Today I am learning on working with Inventory Files. This time we are dealing with multiple hosts. These hosts have to be placed in the inventory file. An example is pasted here. In hosts.ini, we have

[Compute] 
node01.example.com 
node02.example.com
 
[Login] 
login.example.com

To run the ansible playfile

ansible-playbook -i hosts.ini firstrun.yaml

firstrun.yaml is taken from the site listed. It is to ensure the ansible user exist, accept the SSH keys and provided with sudoers rights with no password.

 hosts: all 
  user: vagrant 
  tasks: 
    - name: Ensure ansible user exists 
      user: 
        name: ansible 
        state: present 
        comment: Ansible 
      become: True
    - name: Ensure ansible user accepts the SSH key 
      authorized_key: 
        user: ansible 
        key: https://github.com/fale.keys 
        state: present 
      become: True
    - name: Ensure the ansible user is sudoer with no password required 
      lineinfile: 
        dest: /etc/sudoers 
        state: present 
        regexp: '^ansible ALL\=' 
        line: 'ansible ALL=(ALL) NOPASSWD:ALL' 
        validate: 'visudo -cf %s'
      become: True

Regular Expressions

If you have a larger number of servers with predictable names, you may want to consider the following expression. You can save 100 lines of listing the server with the following expression

[Compute] 
node[01:100].example.com 

 
[Login] 
login.example.com

Group Variables

If you wish to set a variable for the whole group, you may want to set a variable that is valid for the whole group,. A quick note from the book is that the host variables will override the group variables if the same variable is declared in both spaces.

[Compute] 
node[01:100].example.com 

[compute:vars]
firewalld_enabled=false
 
[Login] 
login.example.com

Working with iterates in Ansibles. For example in a un-iterates codes below

- name: Ensure the HTTP can pass the firewall 
      firewalld: 
        name: http 
        state: enabled 
        permament: True
        immediate: True
    - name: Ensure the HTTPS can pass the firewall 
      service: 
        name: https 
        state: enabled 
        enabled: True 
      become: True

The codes can be shortened with the following with_items

- name: Ensure HTTP and HTTPS can pass the firewall 
      firewalld: 
        service: '{{ item }}'  
        state: enabled 
        permanent: True 
        immediate: True 
      become: True
      with_items:
        - http
        - https

Using nested loops – with_nested

If you need to iterate all elements of a list with all items from other lists. For example, you may want to create multiple folderw in multiple paths

--- 
- hosts: all 
  remote_user: ansible
  vars: 
    users: 
      - alice 
      - bob 
    folders: 
      - mail 
      - public_html 
  tasks: 
    - name: Ensure the users exist 
      user: 
        name: '{{ item }}' 
      become: True 
      with_items: 
        - '{{ users }}' 
    - name: Ensure the folders exist 
      file: 
        path: '/home/{{ item.0 }}/{{ item.1 }}' 
        state: directory 
      become: True 
      with_nested: 
        - '{{ users }}' 
        - '{{ folders }}'

Fileglobs loop – with_fileglobs

If you want to perform an action on every file present in a certain folder like copying multiples files with similar names from one folder to another, you can do the following

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure the folder /tmp/iproute2 is present 
      file: 
        dest: '/tmp/iproute2' 
        state: directory 
      become: True 
    - name: Copy files that start with rt to the tmp folder 
      copy: 
        src: '{{ item }}' 
        dest: '/tmp/iproute2' 
        remote_src: True 
      become: True 
      with_fileglob: 
        - '/etc/iproute2/rt_*'
by

How to check Disk Usage

Checking whether the root partition has run out of inodes. Use the command. If it shows 100%, there are many small files. Perhaps, do look for some of these files at /tmp

df -i
Filesystem                                      Inodes        IUsed        IFree IUse% Mounted on
/dev/mapper/centos-root                        9788840       320849      9467991    4% /
devtmpfs                                      70101496          560     70100936    1% /dev
tmpfs                                         70105725            8     70105717    1% /dev/shm
tmpfs                                         70105725         1581     70104144    1% /run
.....
.....

You may want to check which directories is using the most space with the commands below

% du -hx -d 1 |sort -h
1.3M    ./Espresso-BEEF
4.9M    ./NB07
8.3M    ./Gaussian2
31M     ./Gaussian
65M     ./MATLAB
478M    ./Abaqus
647M    ./pytorch-GAN
10G     ./COMSOL
12G     .

-h argument produces the human-readable output
-x restricts the search to the current directory
-d 1 is the summary for each directory
sort -h produces human-readable output and the directories with the largest usage will appear at the bottom of the list.

by

Enabling EPEL, Python Bindings for SELinux, and Firewall Settings

I have been learning from this book Fabio Alessandro Locati, published under Packt>.

There is one simple exercise where there is an example of “Configuring a basic server”. The codes can be found

Enabling EPEL

To enable EPEL, in RHEL/CentOS 7, just install the epel-release package

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure EPEL is enabled 
      yum: 
        name: epel-release 
        state: present 
      become: True

Python bindings for SELINUX

Ansible is written in python, and mainly use the Python bindings to operate on the operating system.

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
     - name: Ensure libselinux-python is present 
      yum: 
        name: libselinux-python  
        state: present 
      become: True 
    - name: Ensure libsemanage-python is present 
      yum: 
        name: libsemanage-python 
        state: present 
      become: True

Firewall Settings

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure FirewallD is running 
      service: 
        name: firewalld 
        state: started 
        enabled: True 
      become: True 
    - name: Ensure SSH can pass the firewall 
      firewalld: 
        service: ssh 
        state: enabled 
        permanent: True 
        immediate: True 
      become: True
by

Basic Installing and Configuring NTP with Ansible

I have been learning from this book Fabio Alessandro Locati, published under Packt>.

There is one simple exercise where there is an example of “Ensuring that NTP is installed, configured and running”. The codes can be found at https://github.com/PacktPublishing/Learning-Ansible-2.X-Third-Edition/tree/master/Chapter02

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure NTP is installed 
      yum: 
        name: ntp 
        state: present 
      become: True 
    - name: Ensure the timezone is set to UTC 
      file: 
        src: /usr/share/zoneinfo/GMT 
        dest: /etc/localtime 
        state: link 
      become: True 
    - name: Ensure the NTP service is running and enabled 
      service: 
        name: ntpd 
        state: started 
        enabled: True 
      become: True
by

Basic Installing and Configuring a Web Server with Ansible

I have been learning from this book Fabio Alessandro Locati, published under Packt>

There is one simple exercise where there is an example of “Installing and Configuring a Web Server”. The codes can be found at https://github.com/PacktPublishing/Learning-Ansible-2.X-Third-Edition/tree/master/Chapter02

Installing and Configuring a Web Server

The first set of codes deal with the installation and enabling of HTTPd package and services. In addition, both HTTP and HTPS must be able to pass through the firewalld

-- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure the HTTPd package is installed 
      yum: 
        name: httpd 
        state: present 
      become: True 
    - name: Ensure the HTTPd service is enabled and running 
      service: 
        name: httpd 
        state: started 
        enabled: True 
      become: True 
    - name: Ensure HTTP can pass the firewall 
      firewalld: 
        service: http 
        state: enabled 
        permanent: True 
        immediate: True 
      become: True 
    - name: Ensure HTTPS can pass the firewall 
      firewalld: 
        service: https 
        state: enabled 
        permanent: True 
        immediate: True 
      become: True

Reviewing and Running the Deployment, we can use the command to fire it. 

$ ansible-playbook webserver.yaml --list-tasks
$ ansible-playbook -i host webserver.yaml

Publishing a Simple Website

Assuming the Website is a simple single-page website using a simple template call index.html.j2

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure the website is present and updated 
      template: 
        src: index.html.j2 
        dest: /var/www/html/index.html 
        owner: root 
        group: root 
        mode: 0644 
      become: True

Just a note that the “become: True” parameter represents the fact that the tasks should be executed with sudo access. In other words, the sudo user’s file should allow access

by

Basic Ansible Introductory Learning Notes

I have been learning from this book Fabio Alessandro Locati, published under Packt>

I thought I just capture a few learning notes as I read.

Introduction to Playbooks

Playgroups are one of the core features of Ansible and tell what Ansible what to execute. They are like a do-list for Ansible that contains a list of tasks; each task internally links to a piece of code called a module

- hosts: all 
  remote_user: vagrant
  tasks: 
    - name: Ensure the HTTPd package is installed 
      yum: 
        name: httpd 
        state: present 
      become: True 
    - name: Ensure the HTTPd service is enabled and running 
      service: 
        name: httpd 
        state: started 
        enabled: True 
      become: True

What it means?

  • hosts: List the Host or Host groups. The Host field is required. The –list-hosts-host will let us know which hosts the playbook is using.
  • remote_user: The user Ansible will be using while logging onto the system.
  • There are 2 tasks.
    • The first one is to ensure that the httpd package is present
    • The 2nd one is to enable the httpd service is enabled and running
  • The tasks are quite self-explanatory.
  • become: True. The commands should be executed with sudo access. If the sudo user’s file does not allow the user to run the particular command, the command will fail

Running a Playbook

$ ansible-playbook -i host setup_apache.yml

Ansible Verbosity

You can increase the verbosity by using the parameter -v, -vv or -vvv

Variables in Ansible

---
- hosts: all
  remote_user: vagrant
  tasks: 
    - name: Print OS and version
      debug:
        msg: '{{ ansible_distribution }} {{ ansible_distribution_version }}'

Creating the Ansible User

--- 
- hosts: all 
  user: vagrant 
  tasks: 
    - name: Ensure ansible user exists 
      user: 
        name: ansible 
        state: present 
        comment: Ansible 
      become: True
    - name: Ensure ansible user accepts the SSH key 
      authorized_key: 
        user: ansible 
        key: https://github.com/fale.keys 
        state: present 
      become: True
    - name: Ensure the ansible user is sudoer with no password required 
      lineinfile: 
        dest: /etc/sudoers 
        state: present 
        regexp: '^ansible ALL\=' 
        line: 'ansible ALL=(ALL) NOPASSWD:ALL' 
        validate: 'visudo -cf %s'
      become: True

The lineinfile is an interesting module. It works in a similar way to sed (a stream editor) where you specify the regular expression that will be used to match the line, and then specify the new line that will be used to substitute the matched line.

by

Installing Environment Modules on Rocky Linux 8.5

Step 1: Download the modules packages

You can download the latest version of Modules Environment from http://modules.sourceforge.net/. The current version is 5.1

% dnf install tcl tcl-devel
% tar -zxvf modules-5.1.0.tar.gz
% cd modules-5.1.0
% ./configure --prefix=/usr/local/Modules \
--modulefilesdir=/usr/local/Modules/modulefiles
$ make && make install

By default, /usr/local/Modules/modulefiles will be setup as the default directory containing modulefiles. –modulefilesdir option enables to change this directory location.

Step 2: Configuration

# ln -s /usr/local/Modules/init/profile.sh /etc/profile.d/modules.sh
# ln -s /usr/local/Modules/init/profile.csh /etc/profile.d/modules.csh

Step 3: Source the Configuration

# source /etc/profile.d/modules.sh

Step 4: Start Adding Modules. Sample. A Sample File may look something like this. This is a Gcc-6.50 

#%Module1.0
proc ModulesHelp { } {

global version prefix

        puts stderr "\tmodules - loads the gcc-6.5.0"
        puts stderr "\n\tThis adds $prefix/* to several of the"
        puts stderr "\tenvironment variables."
        puts stderr "\n\tVersion $version\n"
}

module-whatis   "gcc-6.5.0"

if { [ module-info mode load ] } {
        if { [ is-loaded "gnu/m4-1.4.18" ] } { } else {
                module load "gnu/m4-1.4.18"
        }
}

if { [ module-info mode load ] } {
        if { [ is-loaded "gnu/gmp-6.1.0" ] } { } else {
                module load "gnu/gmp-6.1.0"
        }
}


if { [ module-info mode load ] } {
        if { [ is-loaded "gnu/mpfr-3.1.4" ] } { } else {
                module load "gnu/mpfr-3.1.4"
        }
}


if { [ module-info mode load ] } {
        if { [ is-loaded "gnu/mpc-1.0.3" ] } { } else {
                module load "gnu/mpc-1.0.3"
        }
}


if { [ module-info mode load ] } {
        if { [ is-loaded "gnu/gsl-2.1" ] } { } else {
                module load "gnu/gsl-2.1"
        }
}


if { [ module-info mode load ] } {
        if { [ is-loaded "gnu/isl-0.18" ] } { } else {
                module load "gnu/isl-0.18"
        }
}

# for Tcl script use only
set     version         6.5.0
set     prefix          /usr/local/gcc-6.5.0
set     exec_prefix     ${prefix}
set     datarootdir     ${prefix}

prepend-path    PATH                    ${prefix}/bin
prepend-path    LD_LIBRARY_PATH         ${prefix}/lib:${prefix}/lib64:${prefix}/libexec
prepend-path    MANPATH                 ${prefix}/share

References:

  1. Installing Modules on Unix
by

Managing of Roaming Users’ Home Directories with Systemd-Homed

This article can be taken from OpenSource.com titled “Manage Linux users’ home directories with systemd-homed

Image By: OpenSource.com

The systemd-homed service supports user account portability independent of the underlying computer system. A practical example is to carry around your home directory on a USB thumb drive and plug it into any system which would automatically recognize and mount it. According to Lennart Poettering, lead developer of systemd, access to a user’s home directory should not be allowed to anyone unless the user is logged in. The systemd-homed service is designed to enhance security, especially for mobile devices such as laptops. It also seems like a tool that might be useful with containers.

This objective can only be achieved if the home directory contains all user metadata. The ~/.identity file stores user account information, which is only accessible to systemd-homed when the password is entered. This file holds all of the account metadata, including everything Linux needs to know about you, so that the home directory is portable to any Linux host that uses systemd-homed. This approach prevents having an account with a stored password on every system you might need to use.

The home directory can also be encrypted using your password. Under systemd-homed, your home directory stores your password with all of your user metadata. Your encrypted password is not stored anywhere else thus cannot be accessed by anyone. Although the methods used to encrypt and store passwords for modern Linux systems are considered to be unbreakable, the best safeguard is to prevent them from being accessed in the first place. Assumptions about the invulnerability of their security have led many to ruin.

This service is primarily intended for use with portable devices such as laptops. Poettering states, “Homed is intended primarily for client machines, i.e., laptops and thus machines you typically ssh from a lot more than ssh to, if you follow what I mean.” It is not intended for use on servers or workstations that are tethered to a single location by cables or locked into a server room.

The systemd-homed service is enabled by default on new installations—at least for Fedora, which is the distro that I use. This configuration is by design, and I don’t expect that to change. User accounts are not affected or altered in any way on systems with existing filesystems, upgrades or reinstallations that keep the existing partitions, and logical volumes.

Manage Linux users’ home directories with systemd-homed (OpenSource.com)

For more Read-Up, do take a look at “Manage Linux users’ home directories with systemd-homed

by

Checking Disk Usage within the subfolders but avoid mount-point

If you need to check Usage, but you wish to avoid the mount-point, you can use the command

[root@hpc-hn /]# du -h -x -d 1
48M     ./etc
552M    ./root
11G     ./var
1.1G    ./tmp
11G     ./usr
0       ./media
0       ./mnt
4.8G    ./opt
0       ./srv
0       ./install
0       ./log
0       ./misc
0       ./net
0       ./server_priv
0       ./ProjectSpace
0       ./media1
0       ./media2
28G     .
  • -h refers to human-readable
  • -d refers to depth level. By default, it is 0 which is the same as summarize
  • -x skip directories on different file systems