Section 12 Flashcards by Joshua Cahoe

Configure a New RHEL Managed Node
user password should be configured
a password should be set
Run root commands with no password and in wheel group
Register RHEL subscription
username and pass in ansible vault
add subscriptions rh-gluster-3-client-for-rhel-9-for-x86_64-rpms
and
rhel-8-for-x86_64-appstream-debug-rpms
use tags

Add new host info in inventory
Setup whatever you need to get the host running

sudo dnf install sshpass (because we’ll be working with ssh passwords in a non-interactive way)

name: Add host to inventory
hosts: localhost
tasks:
- fail:
  msg: “Add the options -e newhost=hostname -e newhostip=ip and try again”
  when: (newhost is undefined) or (newhostip is undefined)
name: Add a new host to the inventory
lineinfile:
path: inventory
state: present
line: “{{ newhost }}”
name: Add new host to /etc/hosts
lineinfile:
path: /etc/hosts
state: present
line: “{{ nowhostip }} {{ newhost }}”
tags: addhost

second play
- name: Configure a new RHEL host
hosts: “{{ newhost }}”
remote_user: root
become: false
tasks:
- name: Configure user ansible
user:
name: ansible
groups: wheel
append: yes
state: present

  - name: Set user password
     shell: 'echo password | passwd --stdin ansible'

  - name: Enable sudo without password
    lineinfile:
      path: /etc/sudoers
      regexp: '*%wheel'
      line: '%wheel ALL=(ALL) NOPASSWD: ALL'
      validate: /usr/sbin/visudo -cf %s

name: Create SSH directory in user ansible home
file:
path: /home/ansible/.ssh
state: directory
owner: ansible
group: ansible

- name: Copy SSH public key to remote host
   copy:
      src: /home/ansible/.ssh/id_rsa.pub
      dest: /home/ansible/.ssh/authorized_keys
  tags: setuphost (He's putting the tags on the same line as the - in - name)

If you want to test so far:
ansible-playbook -C -k site.yml -e newhost=ansible3 -e newhostip=192.168.10.123 (the k asks for root password)

Now let’s go add our RedHat subscription creds to a file
ansible-vault create info.vault.yml
rhsm_user: username
rhsm_pass: user_pass

Now we can finish the original playbook with our final play

name: Use subscription manager to register and sertup repos
hosts: “{{ newhost }}”
vars_files:
- info.vault.yml
  tasks:
- name: Register and subscribe {{ newhost }}
  redhat_subscription:
  username: “{{ rhsm_user }}”
  password: “{{ rhsm_pass }}”
  state: present
- name: Configure additional repo access
  rhsm_repository:
  name:
  - rh-gluster-3-client-for-rhel-9-x86_64-rpms
  - rhel-8-for-x86_64-appstream-debug-rpms
    state: present
tags: registerhost

now let’s run it
ansible-playbook -k –ask-vault-pass site.yml -e newhost=ansible3 -e newhostip=192.168.10.123
-

How well did you know this?

Not at all

Perfectly

In terms of the user module how do you add a primary and secondary groups for a user? How do you not overwrite previous secondary groups?
Create an ssh key for them that’s 2048 bits and store the private key in the user’s private file

user:
name: anna
create_home: true
groups: wheel,students
append: true
generate_ssh_key: true
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa

groups is for extended groups
group would be for primary, but it will make one with the same username automatically.

How well did you know this?

Not at all

Perfectly

How would you write the header of a play so that you can login and performs commands without ssh keys being setup

name: Whatever
hosts: “{{ variable }}”
remote_user: root
become: false

How well did you know this?

Not at all

Perfectly

How do you add variables to your playbook via parameters

ansible-playbook -e var1 -e var2 site.yml

How well did you know this?

Not at all

Perfectly

How would you change a the user ansible’s password to ‘password’ via a playbook?

shell: ‘echo password | passwd –stdin ansible’

How well did you know this?

Not at all

Perfectly

How would you change the wheel group to not ask for passwords?

name: Enable sudo without password
lineinfile:
path: /etc/sudoers
regexp: ‘*%wheel’
line: ‘%wheel ALL=(ALL) NOPASSWD: ALL’
validate: /usr/sbin/visudo -cf %s

How well did you know this?

Not at all

Perfectly

Name what the following directories and files do:
.ssh/
id_rsa
id_rsa.pub
authorized_keys
known_hosts
config

.ssh/ - user ssh directory

id_rsa - private key for user

id_rsa.pub - public key corresponding to id_rsa

authorized_keys - file that stores the public keys of all users who are allowed to log into this user’s account via ssh

known_hosts - ssh clients store the fingerprints of remote servers to verify the server’s id on subsequent connections

config - user specific ssh configs

known_hosts

config

How well did you know this?

Not at all

Perfectly

Manually create ssh keys and use them

Create asymmetric keys (public and private keys, public encrypts data and private decrypts it)
ssh-keygen -t rsa -b 4096

How well did you know this?

Not at all

Perfectly

What’s the difference between symmetric and asymmetric encryption?

Asymmetric - pub and priv
DSA - diffie hellman base
ECC - RSA is one of these
pgp
gpg

symmetric - one key, much faster than asymmetric
AES
DES
3DES

hashing (non-reversable/ verifies integrity) - Not encryption, creates fixed length string based on input data.
MD5
SHA

How well did you know this?

Not at all

Perfectly

Create ssh logins on your own for an ansible host that isn’t setup yet

What keys do you copy?

You copy id_rsa.pub to the hosts authorized_keys

name: Create SSH directory in user ansible home
file:
path: /home/ansible/.ssh
state: directory
owner: ansible
group: ansible

- name: Copy SSH public key to remote host
   copy:
      src: /home/ansible/.ssh/id_rsa.pub
      dest: /home/ansible/.ssh/authorized_keys
  tags: setuphost (He's putting the tags on the same line as the - in - name)

How well did you know this?

Not at all

Perfectly

What are the steps for managing a new ansible host
Around 6 steps

Add hostname and ip to /etc/hosts and inventory, login as root (become false, remote_user root)

Configure user, allow wheel no passwd, put user in wheel, give password

Create SSH directory and copy keys

give subscriptions to user

The HOSTess cake brings you in to see a big warehouse full of INVENTORY. He tells you you haven’t been pulling your wait and he’s hiring a new manager, a drug addict lying on the ground. He tosses the keys to the warehouse on him and takes you to a door in the back. “Here’s your new office”, he laughs. Opening the door you see a man in a gimp suit and a red hat being nasty with the floor.

How well did you know this?

Not at all

Perfectly

Create a group named students and place a new user into that group and wheel.
Make sure to setup ssh keys for the user

group:
name: students
state: present

user:
name: nathan
create_home: true
groups: student,wheel
append:
generate_ssh_key: true
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa

How well did you know this?

Not at all

Perfectly

Create multiple groups that need sudo access and multiple groups that don’t need sudo access via a variable file.

Now create a template that gives sudo access to the groups that require it

Create a playbook that creates the users and groups and adds them necessary groups to sudo that need to be

Page 311

sudo_groups:
- name: developers
group_id: 5000
sudo: false
- name: admins
group_id: 5001
sudo: true

{% for item in sudo_groups % }
{ % if item.sudo }
%{{ item.name }} ALL=(ALL:ALL) NOPASSWD:ALL
{% endif %}
{% endfor %}

How well did you know this?

Not at all

Perfectly

What is the process for logging in via ssh

User contacts ssh server
Server sends pub host key to id itself (id token)
Client checks key again a list of known hosts (known_hosts)
If this is the first time logging in it will ask you to trust and save it
Shared Secret established for encryption
or
Verify ID if saved host key

User can either enter a password now or generate an authentication token based on user’s private key

If token used, based on user’s private key, token is received by server which matches against user’s pub keys authorized_keys

If this fails, password is ran

Client contacts server via ssh
Server sends pub host key to ID itself
Client checks known_hosts
Client and server establish encryption
client proves ID SSH agent of client uses private key to sign challenge
Server checks signature against any matching pub key in authorized_keys

Adventurer goes to kingdom gate and knocks on the door.

Gatekeeper shows a glowing key (pub host key)

Adventurer checks his journal (known hosts) and finds a match

He recites a magic incantation and they now speak in a language only they can hear

The gatekeeper now proof he is who he says he is. The adventurer shows him his private key which reflects his true identity.
Th guard checks his journal of authorized_keys and nods.

How well did you know this?

Not at all

Perfectly

SSH process Castle

__________________________________
Verifying Both Ends

An adventurer knocks on the castle door (establish connection)

A guard opens a tiny space in the door and shows a magical royal seal (public host key used to verify the private key)

The adventurer checks his notebook to see if he knows of this seal. If he doesn’t, he can choose to learn this and record it.
(adds or checks pub key in known_hosts)

The client uses the seal to bless his speech, allowing him to speak in the mystic language of the mysterious community behind the door.

Now no one can understand their specific conversation.

____________________________________
Authentication

Now that they both know they are who they say they are and can speak privately:

The adventurer offers dull copy of his family ring to the guard

The guard inspects it, shuffles for something behind the door, and comes back displaying a crude wooden puzzle that only he can solve with a bright light from his family ring.

The adventurer solves it, and then signs the bottom of the puzzle with his ring hand using his family’s signature.

If the ring doesn’t match then the guard asks the adventurer for a secret password

How well did you know this?

Not at all

Perfectly

What can you use to access data from outside sources, like reading file systems, or contact external datastores and services?

The lookup module

How well did you know this?

Not at all

Perfectly

Store the contents of /etc/hosts into a variable called file_contents

name: demo
hosts: localhost
vars:
file_content: “{{ lookup(‘file’, ‘etc/hosts/) }}”
tasks:
- name: debug
  debug:
  var: file_contents

How well did you know this?

Not at all

Perfectly

Which module would you use to send multiple pub keys to authorized_keys?

Copy for one

authorized_keys for multiple

How well did you know this?

Not at all

Perfectly

Show an example of how you would send your pub keys without using the copy module

name: test
hosts: ansible3
tasks:
- name: copy auth keys
  authorized_key:
  user: ansible
  state: present
  key: “{{ lookup(‘file’, ‘/home/danny/.ssh/id_rsa.pub’) }}”

Basically this means the user danny on YOUR server will be able to login as ansible on the REMOTE server

Always Use Some Keys

How well did you know this?

Not at all

Perfectly

Create two var files with groups to add to a server and users
Add them to the server
Create ssh keys for all the users

page 316

lookup can’t read hidden files so place them somewhere where it can find them

CORRECTION
It can’t read relative paths

How well did you know this?

Not at all

Perfectly

Why do you need to move your public keys to use the authorized_keys module?

Because it can’t read hidden files

How well did you know this?

Not at all

Perfectly

ssh-keygen and generate-ssh-key have a major difference, what is it?

How do you fix this?

generate_ssh_key doesn’t add username@host which will make the key invalid, you will need to add it personally

name: keygen
user:
name: nathan
generate_ssh_key: true
ssh_key_comment: controller_user@controller

How well did you know this?

Not at all

Perfectly

Create a local use with ssh keys and then allow them to remote to a host

PG 318

What does password: accept in the user module?

only encrypted strings

What separates the params in /etc/shadow?

The dollar sign

What are the three elements separated in /etc/shadow?

Hashing Algorithm Random Salt used to encrypt pass The actual encrypted hash

What is a salt used for?

Prevent two users who have identical passwords The salt and unencrypted password are combined and encrypted which generates the encrypted hash.

Create a hashed password for a user and use it

ansible ansible2 -m debug -a "msg={{ 'password_here' | password_hash('sha512') }}" >> yourplaybook you can trim the uneeded bits yourself or /msg yw - yank word or shell: echo 'password' | passwd -stdin ansible' You can also make the password a var in a file encrypted with vault

Create sever users and groups Enable ssh-key remote connections for them Give them passwords Allow them all to not require a password for sudo

pg 323

What does systemd do differently that service?

mask daemon_reload to reread is config files after applying changes

Using systemd, reload a daemon and ensure it is not masked, enable it too

systemd: name: httpd enabled: yes state: started masked: no daemon_reload: yes

Setup a cron job to run everyday at 4:05 and 19:05 as user ansible

cron: name: "run fstrim" minute: "5" hour: "4,19" job: "fstrim" user: ansible minute hour day = of the month month weekday

Delete the cron job "run fstrim"

cron: name: "run fstrim" state: absent

What do you use if you only want to run a job once? What are it's arguments?

at command: specifies command to be used units: minute, hour, day, week count: specifies number of units to execute the task at script_file: name of script state: added or deleted unique: set to yes to only run once/only runs job if similar job isn't scheduled at same time The COMMANDer tells his UNITS to COUNT to ten. The troop proceeds to count on their fingers. On the other end of the battlefield there are a group of CRIPS sharpening FILES. This is in the STATE of indiana. A UNIversity studies what is happening on the battlefield

Send the date once to /tmp/my-at-file in 5 minutes

at: command: "date > /tmp/my-at-file" count: 5 units: minutes unique: true state: present

show what cronjobs are stored using an adhoc command

ansible ansible2 -a 'crontab -l'

What module do you use to restart the system and pick up at the same locaiton?

reboot

Show default target without using systemctl

cat /etc/systemd/system/default.target

Create a symbolic link to make the graphical target the default

file: src: /usr/lib/systemd/system/graphical.target dest: /etc/systemd/system/default.target state: link

What options can you use with the reboot module and how do you use them? give 5 seconds before rebooting 15 second wait before attempting to connect Try logging in again if nothing for 10 seconds Give an error 1 minute after reboot if you have nothing

connect_timeout - max secs to wait for successful connection before trying again post_reboot_delay - secs to wait after reboot command tbefore trying to validate if available again pre_reboot_delay - secs to wait before actually issuing the reboot reboot_timeout - max seconds to wait for reboot matching to response to test command pre_reboot_delay: 5 post_reboot_delay: 15 connect_timout:10 reboot_timeout: 30 The playbook will wait 5 seconds before issueing reboot it will then wait for 15 seconds after reboot before trying to connect It will try to connect and if nothing for 10 seconds it will try again If at 30 seconds after the reboot it gets nothing it will give up This is all input in seconds The postman pre in the post office. The line was delayed because of this. He ignored the line and went to go connect some legos. After he was finished he went back to the line and had to reboot his computers due to errors

Reboot a host, test if it's back on with a command print a message to show it was successful

reboot: msg: reboot initiated by ansible test_command: whoami debug: msg: "Successful reboot"

Create a cron job to run upon a reboot

cron: name: "reboot" state: present special_time: reboot job: "echo rebooted at $(date) >> /tmp/rebooted"

how do you search docs for modules

ansible-doc -l

What storage modules can you use?

parted lvg lvol filesystem mount vdo

What are some ansible facts you can use to find storage information for

ansible_devices ansible_device_links ansible_mounts

Set a fact under disk2name: sdb if sdb exists Have the playbook make sure hosts without this disk not conitnue the playbook

- ignore_errors: true set_fact: dsk2name: sdb when: ansible_facts['devices']['sdb'] fail: msg: no second disk when: disk2name is not defined

What are the options for parted?

name - name for part label: mbr or gpt device: number: partition number state: present to create absent to delete part_start - starting part part_end - end of part flags - add LVM here if you're making an LVM part Moses PARTED the Red Sea His followers chanted his NAME when he did One of the followers scooped some water as he walked through it into a LADLE In Moses' staff there was actually a DEVICE that did the magic After taking a sip of water, the follower counted the fish he saw. After they had traversed the sea, they found that they were now in the STATE of indiana, they knew this because of the FLAG Just as the PARTING STARTED, the PARTING ENDED

Create multiple partitions for sdb

parted: name: files label: gpt device: /dev/sdb number: 1 state: present part_start: 1MiB part_end: 2GiB The next will go from 2GiB to 4GiB give it the lvm flag PG 365

Use a module to create a vg group Explain PEs

lvg: vg: vgdata pesize: "8" pvs: /dev/sdb1 PE - Physical Extents - Blocks of data that LVM uses. If the size were in bits then it would take it longer to find the end of the disk than it would with bigger chunks. So bigger chunks = better speed smaller chunks = you can give the appropriate amount of data more often On old lever sits in a mysterious room. Mario pulls it to find it lowers a window where he sees Peach showing her stuff. This make Mario feel a certain way and he measures to see. He turns around to see everyone peeing a V on his back

What is the module and its options you use for logical volumes

lvol lv - name of lv pvs: comma separated physical volumes, if this is a partition use the lvm option as set resizefs - resize automatically size: size of lv snapshot - name if this is a snapshot vg - vg to use

Create a logical volume

- name: this lvol: lv: lvdata size: 100%FREE vg: vgdata In Louisville Little Pete had been shrunk. He Resized himself then measured his SIZE afterword. He wanted to be sure he wasn't misreading the measurement and took a SNAPSHOT of himself. He believed this was due to the fact that he didn't eat his vegetables. size, by default is in mb

Create an XFS file system

filesystem: dev: /dev/vgdata/lvdata fstype: xfs

mount a file system

mount: src: /dev/vgdata/lvdata fstype: xfs state: mounted path: /mydir At he mountain's nadir there was a large SOURCE of water. A FiSh was near it TYPing on a computer about how beautiful this water that he found was. He declard this land the STATE of fishland and made it home. He even built a little PATH that led from his old home to the new one.

Configure a playbook that creates more swapspace if swap is below 256 MiB

blcok: - name: make swap filesystem: fstype: swap dev: /dev/sdb1 - name: activate swap space command: swapon /dev/sdb1 when: ansible_swaptotal_mb < 256 lineinfile: path: /etc/fstab regexp: "^/dev/sdb1" swap swap default 0 0 Don't forget to add the entry in fstab A computer made of files is in a room. Uncle FeSter is TPYing in code for a game. He thinks he's a genius DEV

Set up a GPT partition on sdb that's 2 gigs Create a second partition for use as an LVM phsysical volume Set up an LVM volume group add a task that creates a logical volume within the volume group on top of the logical volume create an XFS file system Mount the file system Create and activate swap space Ensure the sdb on target is empty via ad-hoc command

page 369

Perform Final Configuration on page 371

page 371