What is an Ansible Role?
- Roles provide a framework for fully independent or interdependent collections of files, tasks, templates, variables, and modules. The role is the primary mechanism for breaking a playbook into multiple files. This simplifies writing complex playbooks and makes them easier to reuse, because the playbook is split into reusable components.
- This is a standardized structure for all Ansible roles, which allows Ansible playbooks to automatically load predefined variables, tasks, handlers, templates, and default values located in separate YAML files.
- Roles are not playbooks. Roles are small units of functionality that can be used within playbooks independently. A role has no setting of its own for which hosts it applies to; the playbook decides that.
# ansible-galaxy -h
ansible-galaxy [delete|import|info|init|install|list|login|remove|search|setup] [--help] [options] ...
- -h:
(help) show this help message and exit.
- -v:
(verbose) Verbose mode (-vvv for more, -vvvv to enable connection debugging).
- --version: show the program's version number and exit.
defaults ==> data about the role/application: its default variables.
files ==> put static files here. They are copied as-is to the remote machine.
handlers ==> actions that run only when notified by a task, e.g. restarting a service.
meta ==> information about the role: author, supported platforms, dependencies, etc.
tasks ==> the list of tasks to be executed by the role.
templates ==> similar to files, except that templates support dynamic content through the Jinja2 template language, e.g. using variables in an nginx.conf file.
tests ==> optional additional verification of your build.
vars ==> both vars and defaults store variables. Variables stored under "vars" have higher priority and are harder to override.
# ansible-galaxy init nginx_role
1. Define the tasks.
# vim /etc/ansible/nginx_role/tasks/main.yml
2. Keep script.sh in the files directory.
# cp -rf script.sh nginx_role/files
3. Create a template in the templates directory.
# vim templates/resolv.conf.j2
{# resolv.conf.j2 -- `dns` is supplied by vars/main.yml of nginx_role #}
nameserver {{ dns }}
4. Define the variable in the vars directory.
# vars/main.yml
---
# Variables
# NOTE(review): this value is rendered verbatim into resolv.conf.j2 as
# `nameserver templates.8.8.8.8`; the "templates." prefix looks like a
# paste error -- confirm the intended nameserver address.
dns: templates.8.8.8.8
5. Create a playbook that runs the role.
# vim /etc/ansible/role-main.yml
---
# Play that applies nginx_role to every host in the "jenkins" group.
- hosts: jenkins
  # Skip the setup/fact-gathering step; nothing in this play reads facts.
  gather_facts: false
  roles:
    # Block form of the original flow mapping {role: ..., tags: ...}.
    - role: 'nginx_role'
      tags: 'nginx_role'
Check the file from the remote server.
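# Play that includes each role listed in `packages` whose `required` flag is true.
- hosts: demo
  # `user:` is the legacy play keyword; remote_user is its current name.
  remote_user: ansible
  # Canonical lowercase boolean instead of the YAML 1.1 `yes`.
  become: true
  connection: ssh
  vars:
    # Each entry names a role; only entries with required: true are included.
    packages:
      - name: webserver
        required: true
      - name: newserver
        required: false
  tasks:
    - include_role:
        name: "{{ item.name }}"
      # The flag is already a boolean; test it directly instead of `== True`.
      when: item.required
      loop: "{{ packages }}"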
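# site.yml
---
# Run the Security-Hardening role on client_host, escalating to ansadm via sudo.
- hosts: client_host
  become_user: ansadm
  # Canonical lowercase boolean instead of the YAML 1.1 `yes`.
  become: true
  become_method: sudo
  # `sudo: yes` is the pre-become spelling of the same setting; not needed here.
  roles:
    - Security-Hardening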
# ansible-galaxy init roles/Security-Hardening
#ls /root/anisble_project/roles/Security-Hardening
# cd vars
#cat main.yml
# Report file name: a fixed prefix plus the compact ISO-8601 timestamp fact.
hardening_artefact_name: 'Security_Hardening_Artifacts_{{ ansible_date_time.iso8601_basic_short }}.txt'
# Directory the report is written to (created on the controller by tasks/main.yml).
hardening_artefact_path: '/home/Automation/Reports/'
#cd tasks
#vim main.yml
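---
# tasks file for Security-Hardening
# Ensure the report directory exists on the controller (delegate_to 127.0.0.1),
# then hand over to httpd_file_check.yml.
- name: "Check availability for Artefacts Report path {{ hardening_artefact_path }}"
  # Native module arguments instead of the key=value string form.
  file:
    path: "{{ hardening_artefact_path }}"
    state: directory
  delegate_to: 127.0.0.1
  # One directory on one controller; no need to repeat this per target host.
  run_once: true
# `include` is deprecated; include_tasks is the dynamic-include replacement.
- include_tasks: httpd_file_check.yml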
#vim httpd_file_check.yml
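# Render my_app.conf.j2 to /tmp/my_app.conf on the target with env=staging.
- name: "httpd_file task"
  vars:
    env: staging
  block:
    - name: template file onto remote hosts
      template:
        src: my_app.conf.j2
        # Kept on one line: the original continued the value on the next line,
        # which only works as an accidental multi-line plain scalar.
        dest: /tmp/my_app.conf
        # NOTE(review): no owner/group/mode is set, so the rendered file gets the
        # remote user's umask; set mode explicitly if the config holds anything sensitive.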
# cd templates/
#vim my_app.conf.j2
{# my_app.conf.j2 -- `env` comes from the task vars; ansible_host / ansible_user
   are presumably the inventory/connection variables of the target -- confirm #}
env = {{ env }}
local_ip = {{ ansible_host }}
local_user = {{ ansible_user }}
#client side my_app.conf file created.
#cat /tmp/my_app.conf
env = staging
local_ip = 172.31.42.127
local_user = ansadm
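# Render two templates into /tmp on the target, owned by ansadm and private (0600).
- name: "httpd_file task"
  vars:
    env: staging
    # Quoted-free is safe here: the leading "v" keeps it a string, not a float.
    my_app_version: v1.1
  block:
    - name: template file onto remote hosts
      # delegate_to: 127.0.0.1
      template:
        src: "{{ item }}.j2"
        dest: "/tmp/{{ item }}"
        owner: ansadm
        group: ansadm
        # Quoted so the YAML parser cannot reinterpret the leading-zero octal.
        mode: "0600"
      become: true
      loop:
        - my_app.conf
        - my_app-release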
# cd templates/
# cat my_app-release.j2
{# my_app-release.j2 -- my_app_version is set in the task vars of "httpd_file task" #}
MyApp tomcat {{ my_app_version }}
#cat my_app.conf.j2
{# my_app.conf.j2 -- `env` comes from the task vars; ansible_host / ansible_user
   are presumably the inventory/connection variables of the target -- confirm #}
env = {{ env }}
local_ip = {{ ansible_host }}
local_user = {{ ansible_user }}
The configuration file is created on the client server under /tmp.
9. This task finds the /etc/security/limits.conf file, adds a parameter, and generates logs on the local machine.
1. If the first task fails, the remaining tasks in the block are skipped.
2. If any task fails, the rescue block is executed.
3. Whether the tasks fail or pass, the always block is executed.
Some parameters to add in ansible.cfg
1. Root permission
[privilege_escalation]
# Escalate privileges on every play/task by default, as if `become: true` were set.
become=True
2. Remote user
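[defaults]
# remote_user is a [defaults] option; it is not read from [privilege_escalation].
remote_user = ansadm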
# cd anisble_project
# vim site.yml
[root@prometheus anisble_project]# cat site.yml
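---
# site.yml: run the Security-Hardening role against client_host.
- hosts: client_host
  # become_user: ansadm
  # Canonical lowercase boolean instead of the YAML 1.1 `yes`.
  become: true
  # become_method: sudo
  roles:
    # Kept on one line: the role name had been split from its `-` marker.
    - Security-Hardening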
# mkdir -p roles
# ansible-galaxy init roles/Security-Hardening
# cd /roles/Security-Hardening/tasks
# vim main.yml
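---
# tasks file for Security-Hardening
# Ensure the report directory exists on the controller (delegate_to 127.0.0.1),
# then hand over to httpd_file_check.yml.
- name: "Check availability for Artefacts Report path {{ hardening_artefact_path }}"
  # Native module arguments instead of the key=value string form.
  file:
    path: "{{ hardening_artefact_path }}"
    state: directory
  delegate_to: 127.0.0.1
  # One directory on one controller; no need to repeat this per target host.
  run_once: true
# `include` is deprecated; include_tasks is the dynamic-include replacement.
- include_tasks: httpd_file_check.yml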
# vim httpd_file_check.yml
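# Enforce `* - maxlogins 1` in /etc/security/limits.conf after taking a dated
# backup; rescue and always both render log_limit.j2 on the controller.
- name: "3_limit_conf"
  block:
    - name: Check if limits.conf file exists
      # Native module arguments instead of the key=value string form.
      stat:
        path: /etc/security/limits.conf
      register: file_path

    - name: Create backup of the file /etc/security/limits.conf
      # The template reads backup.cmd / backup.stdout_lines, so the shell result
      # shape is kept (lineinfile's own `backup: true` would be the simpler option).
      shell: "cp /etc/security/limits.conf /tmp/limits.conf_{{ ansible_date_time.date }}.bkp"
      register: backup
      when: file_path.stat.exists

    - name: Set maxlogins in limits.conf file
      lineinfile:
        path: /etc/security/limits.conf
        # Quoted so the backslashes reach the regex engine unchanged.
        regexp: '^\*\s+\-\s+maxlogins\s.*'
        line: '* - maxlogins 1'
      register: output
      when: file_path.stat.exists

    - name: Grep the final value
      # Read-only verification (grep reads the file directly; the `cat |` was
      # redundant). Reported as unchanged so the play's summary stays accurate;
      # a missing line still fails the task and enters rescue, as before.
      shell: "grep maxlogins /etc/security/limits.conf"
      register: result
      changed_when: false

  rescue:
    - name: "write rescue to temp file"
      delegate_to: 127.0.0.1
      template:
        src: log_limit.j2
        # NOTE(review): fixed path in the controller's shared /tmp, overwritten
        # for every host in the play; a per-host name would need
        # `{{ inventory_hostname }}` in dest.
        dest: "/tmp/shashi_log"

  always:
    - name: "write always to temp file"
      delegate_to: 127.0.0.1
      template:
        src: log_limit.j2
        dest: "/tmp/shashi_log"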
# vim vars/main.yml
hardening_artefact_name: "Security_Hardening_Artifacts_{{ ansible_date_time.iso8601_basic_short }}.txt"
hardening_artefact_path: "/home/Automation/Reports/"
# vim templates/log_limit.j2
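{# log_limit.j2 -- summary of the 3_limit_conf block, rendered on the controller
   from the registered results file_path, backup, output and result.
   When limits.conf is missing the backup/lineinfile tasks are skipped and their
   results carry no cmd/stdout_lines, so every access is guarded with `default`
   to keep the rescue/always render itself from failing. #}
log file {{ ansible_date_time.date }} {{ ansible_date_time.time }} output<>
{% if file_path.stat.exists %}
File is found ... in {{ file_path.stat.exists }}
{% else %}
File is not found..! in {{ file_path.stat.exists }}
{% endif %}
{% if backup.failed | default(false) %}
Failed to execute command. "{{ backup.cmd | default('') }}"
{% else %}
Command executed Successfully. "{{ backup.cmd | default('') }}"
{% endif %}
{# loop variable renamed: the original reused `result`, the name of a registered var #}
{% for backup_line in backup.stdout_lines | default([]) %}
{{ backup_line }}
{% endfor %}
Updating "maxlogins" in {{ file_path.stat.path | default('/etc/security/limits.conf') }}
{% if output.failed | default(false) %}
Some Error!! Couldn't change the file content
{% elif output.changed | default(false) %}
Value "* - maxlogins 1" is successfully updated in file.
{% else %}
Values "* - maxlogins 1" is already accurate in file.
{% endif %}
{% if result.failed | default(false) %}
Failed to execute command
{% else %}
Command "{{ result.cmd | default('') }}" is executed Successfully
{% endif %}
{% for result_line in result.stdout_lines | default([]) %}
{{ result_line }}
{% endfor %}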
# cat /tmp/shashi_log
Ansible Galaxy is a repository of community-maintained roles.
You can download roles from, or upload roles to, Ansible Galaxy.
# ansible-galaxy --help
[root@ansible ~]# ansible-galaxy --help
# ansible-galaxy search ntp
# ansible-galaxy info bennojoy.ntp
# ansible-galaxy install bennojoy.ntp
# ansible-galaxy list
# cd /etc/ansible/roles/bennojoy.ntp/
[root@ansible ~]# vi ntpsite.yaml
---
# Apply the Galaxy role bennojoy.ntp to every inventory host.
- name: Configure NTP on CentOS/RHEL/Debian System
  hosts: all
  become: true
  roles:
    # Block form of the original flow mapping {role: bennojoy.ntp}.
    - role: bennojoy.ntp
# ansible-playbook -i hosts ntpsite.yaml