Red hat RHCE exam afternoon - RHCE (RH294)

RH294 mission overview

• The examination time is 4 hours, 6 virtual machines and 15 questions
• The problems originally done through scripts or clusters now need to be implemented by playbook
• There are about 6 virtual servers in the exam, all of which have made mutual secret free
• The problem is done in the ansible control node workstation, but it needs to be verified by other virtual servers
• During the examination, you need to start all 6 virtual servers in the examination environment, and click the button on the left of the physical machine interface to start
• During the exam, all Ansible playbook s are placed in the ordinary user directory and executed by ordinary users

1. Note: during the exam, please put the playbook in the designated user's home directory and log in with the designated user to do the questions!
2. Note: the scoring method of the test is to remotely execute the playbook or script under the specified directory through ordinary users. If you use root to do the test, you will get zero if you don't have permission

1. Install and configure Ansible as required

• Install and configure Ansible on the control node workstation.lab.example.com as described below:

Task requirements

1. Install the required software package (verify whether ansible is installed during the exam)
2. Create a static manifest file named / home/student/ansible/inventory to meet the following requirements:
   servera is a member of the dev host group
   serverb is a member of the test host group
   serverc and serverd are members of the prod host group
   The prod group is a member of the webservers host group
   bastion is a member of the balancers host group
3. Create a configuration file named / home/student/ansible/ansible.cfg to meet the following requirements:
   The host manifest file is / home/student/ansible/inventory
   The locations of roles used in playbook include / home/student/ansible/roles
   Note: because student s need to enter a password when executing the command, which will lead to ansible execution failure, sudoers rules need to be added first (they do not need to be modified in the exam, and the admin user is used in the exam)

Prepare a job

• You don't need to do it during the exam
• Install ansible, edit and distribute / etc/sudoers.d/student to provide authorization for the ordinary user sutudent

[root@workstation ~]# vim /etc/sudoers.d/student 
student ALL=(ALL) NOPASSWD: ALL
[root@workstation ~]# for i in server{a..d} bastion
> do scp /etc/sudoers.d/student root@$i:/etc/sudoers.d/
> done
[root@workstation ~]# su - student

Complete step

• First install ansible with root on the control side. It may be installed during the exam. It doesn't hurt to install it again

[kiosk@foundation ~]$ ssh -X root@workstation ## First log in with the root account and confirm whether ansible is installed
[root@workstation ~]# dnf install -y ansible 

• Remember to cut back to the question and ask the user to do the question
• You need to use the users required in the questions to complete all ansible questions. You need to use student in practice and admin in the exam

[root@workstation ~]# su - student

• Requirement 1: configure inventory host grouping list file

[student@workstation ansible]$ vim inventory 
[dev]
servera 
[test] 
serverb 
[prod] 
serverc
serverd 
[balancers] 
bastion
[webservers:children] 
prod

• Requirement 2: to configure the ansible.cfg file, specify the directory of host list and role in the specified directory
  Note: after installing ansible, there will be a default configuration file. Just take it and change it

1. Modify host manifest file location inventory 
2. modify playbook Role location roles_path
3. Specify the remote execution user as student remote_user(You can specify what you want in the exam)
4. Disable remote user password detection host_key_checkin
5. Granting rights to remote users: found[privilege_escalation]Just remove the four comments below

• The following operations are performed with student. Enter the student directory first

[student@workstation ~]$ mkdir ansible  ## Create an ansible directory first
[student@workstation ~]$ cd ansible
## After installing ansible, a default configuration file will be copied to the specified directory in the title for modification
[student@workstation ~]$ cp /etc/ansible/ansible.cfg /home/student/ansible/ ## Pay attention to the permission. Do not use the - a parameter. The permission should be student's
[student@workstation ~]$ vi ansible.cfg
[defaults]
inventory = /home/student/ansible/inventory ## First, find the inventory and change it to the directory specified in the title
remote_user = student  ## Change the remote execution user to the user specified in the topic, which is a student here, and adapt to the situation during the exam
roles_path = /home/student/ansible/roles ## Modify the role directory to the specified directory
host_key_checking = no  ## Turn off the host key check
## Find the [privilege_escalation] tag and these become s, remove the following four lines of comments, and change the last one to no
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = no

Note: the last group is a nested group. You need to add the keyword: children

• For verification, verify in the ansible directory, because ansible needs to read the configuration file in the current directory

[student@workstation ansible]$ ansible all -m ping

Knowledge points of investigation

ansible composition

• Host lists group hosts
• Modules realize different functions
• The plug-in implements supplementary functions
• Interface third party program call

Ansible installation

yum info ansible --enablerepo=*

• Installation using epel source

yum -y install ansible --enablerepo=*

ansible -version
rpm -ql ansible
which ansible

• ansible is not a long-running program
• ansible uses ssh to interact with other servers. There is no corresponding service, that is, there is no private port

Ansible related documents

1. configuration file

• The main configuration file, such as / etc/ansible/ansible.cfg, configures ansible working features. You can also create this file in the project directory,
  If ansible.cfg also exists in the current directory, this file will take precedence. It is recommended to create a unique ansible.cfg file in each project directory
• /Host list of / etc/ansible/hosts
• // etc/ansible/roles / directory where roles are stored

1. ansible master profile

• Ansible's configuration files can be placed in many different places, and the order of priority is as follows from high to low

#Environment variable. Note that this item cannot be seen with ansible --version, but it can take effect
ANSIBLE_CONFIG ## Global validation 
 #Ansible.cfg in the current directory. Execute the ansible command in a directory. If ansible.cfg exists in the directory and the environment variable is not configured, this configuration can be automatically loaded by ansible
./ansible.cfg ## Take effect in the directory as far as possible
#The. Ansible.cfg in the current user's home directory. If there is ansible.cfg in the user's home directory and the environment variable is not configured, the configuration in the home directory can be automatically loaded by ansible in the directory without configuration file
~/.ansible.cfg  ## Effective only when switching to the specified user
/etc/ansible/ansible.cfg #The system default configuration file is not available, so the default configuration file is used

• Ansible's default configuration file is / etc/ansible/ansible.cfg. Most of the configuration contents do not need to be modified

[defaults]
#inventory = /etc/ansible/hosts #Host list profile
#library = /usr/share/my_modules/ #Storage directory of library files
#remote_tmp = $HOME/.ansible/tmp #The temporary py command file is stored in the remote host directory
#local_tmp = $HOME/.ansible/tmp #Local temporary command execution directory
#forks = 5 #Default concurrency
#sudo_user = root #Default sudo user
#ask_sudo_pass = True #Whether to ask for ssh password every time the ansible command is executed
#ask_pass = True
#remote_port = 22
#host_key_checking = False #Check the host of the corresponding server_ Key, it is recommended to cancel the comment on this line to automatically trust the target host for the first connection
#log_path=/var/log/ansible.log #Log file, it is recommended to enable
#module_name = command #The default module can be modified to shell module
[privilege_escalation] #Normal user authorization configuration
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

1. inventory host manifest file

• The main function of ansible is batch host operation. In order to use some hosts conveniently, they can be grouped and organized in the inventory host list file
• The default inventory file is / etc/ansible/hosts
• There can be multiple inventory file s, and they can also be generated dynamically through Dynamic Inventory
  Note: it is recommended to create a project independent hosts file in each project directory
• Host manifest file format
• The inventory file follows the INI file style, and the characters in brackets are group names. The same host can be merged into multiple different groups at the same time
• In addition, if the target host uses a non default SSH port, you can also use a colon and port number after the host name
• If the host names follow a similar naming pattern, you can also use a list to identify each host
• Inventory parameter description

ansible_ssh_host #The remote host name to be connected. If it is different from the alias of the host you want to set, it can be set through this variable
ansible_ssh_port #ssh port number. If it is not the default port number, set it through this variable. This can use ip: port 192.168.1.100:2222
ansible_ssh_user #Default ssh user name
ansible_ssh_pass #SSH password (this method is not secure. We strongly recommend using -- ask pass or SSH key)
ansible_sudo_pass #Sudo password (this method is not secure. We strongly recommend -- ask sudo pass)
ansible_sudo_exe (new in version 1.8) #sudo command path (applicable to version 1.8 and above)
ansible_connection #The connection type with the host. For example: local, ssh or paramiko. Ansible 1.2 used paramiko.1.2 by default, and later used 'smart'. The 'ssh' method will be judged according to whether it supports ControlPersist
ansible_ssh_private_key_file #The private key file used by SSH. It is applicable to the case where there are multiple keys and you do not want to use SSH proxy
ansible_shell_type #shell type of the target system. By default, the command is executed using 'sh' syntax, which can be set to 'csh' or 'fish'
ansible_python_interpreter #The python path of the target host. Applicable to: there are multiple Python in the system, or the command path is not "/ usr/bin/python", such as \ * BSD, or / usr/bin/python is not Python in version 2.X. The reason why the "/ usr/bin/env" mechanism is not used is that the path of the remote user is set correctly, and the "Python" executable program name cannot be a name other than python (it may actually be named python26). The working mode is the same as that of ansible_python_interpreter. You can set the path such as ruby or perl

• Host list special usage example

[webservers]
www[1:100].example.com
[dbservers]
db-[a:f].example.com
[appservers]
10.0.0.[1:100]
#Define that the testsrvs group includes two other groups to realize group nesting
[testsrvs:children]
webservers
dbservers

[test]
10.0.0.8 ansible_connection=local #Specify a local connection without ssh configuration
#ansible_connection=ssh requires StrictHostKeyChecking no
10.0.0.7 ansible_connection=ssh ansible_ssh_port=2222 ansible_ssh_user=sun
ansible_ssh_password=123456
10.0.0.6 ansible_connection=ssh ansible_ssh_user=root
ansible_ssh_password=123456
#The alias is displayed when the ansible command is executed, such as web01
[websrvs]
web01 ansible_ssh_host=10.0.0.101
web02 ansible_ssh_host=10.0.0.102
[websrvs:vars]
ansible_ssh_password=123456
some_host ansible_ssh_port=2222 ansible_ssh_user=manager
aws_host ansible_ssh_private_key_file=/home/example/.ssh/aws.pem
freebsd_host ansible_python_interpreter=/usr/local/bin/python
ruby_module_host ansible_ruby_interpreter=/usr/bin/ruby.1.9.3