Using RHEL System roles
Using RHEL System Roles
- Allows for a uniform approach while managing multiple RHEL versions
- Red Hat provides RHEL System Roles.
- RHEL System Roles make managing different parts of the operating system easy.
RHEL System Roles:
rhel-system-roles.kdump
- Configures the kdump crash recovery service rhel system-roles.network
- Configures network interfaces rhel system-roles.postfix
- Configures hosts as a Mail Transfer Agent using Postfix rhel system-roles.selinux
- Manages SELinux settings rhel system-roles.storage
- Configures storage rhel system-roles.timesync
- Configures time synchronization
Understanding RHEL System Roles
- RHEL System Roles are based on the community Linux System Roles
- Provide a uniform interface to make configuration tasks easier where significant differences may exist between versions of the managed operating system.
- RHEL System Roles can be used to manage Red Hat Enterprise Linux 6.10 and later, as well as RHEL 7.4 and later, and all versions of RHEL 8.
- Linux System Roles are not supported by RHEL technical support.
Installing RHEL System Roles
-
To use RHEL System Roles, you need to install the rhel-system-roles package on the control node by using
sudo yum install rhel-system-roles. -
This package can be found in the RHEL 8 AppStream repository.
-
After installation, the roles are copied to the /usr/share/ansible/roles directory, a directory that is a default part of the Ansible roles_path setting.
-
If a modification to the roles_path setting has been made in ansible.cfg, the roles are applied to the first directory listed in the roles_path.
-
With the roles, some very useful documentation is installed also; you can find it in the /usr/share/doc/rhel-system-roles directory.
-
To pass configuration to the RHEL System Roles, variables are important.
-
In the documentation directory, you can find information about variables that are required and used by the role.
-
Some roles also contain a sample playbook that can be used as a blueprint when defining your own role.
-
It’s a good idea to use these as the basis for your own RHEL System Roles–based configuration.
-
The next two sections describe the SELinux and the TimeSync System Roles, which provide nice and easy-to-implement examples of how you can use the RHEL System Roles.
Using the RHEL SELinux System Role
-
You learned earlier how to manage SELinux settings using task definitions in your own playbooks.
-
Using the RHEL SELinux System Role provides an easy-to-use alternative.
-
To use this role, start by looking at the documentation, which is in the /usr/share/doc/rhel-system-roles/selinux directory.
-
A good file to start with is the README.md file, which provides lists of all the ingredients that can be used.
-
The SELinux System Role also comes with a sample playbook file.
-
The most important part of this file is the vars: section, which defines the variables that should be applied by SELinux.
Variable Definition in the SELinux System Role:
---
- hosts: all
become: true
become_method: sudo
become_user: root
vars:
selinux_policy: targeted
selinux_state: enforcing
selinux_booleans:
- { name: ’samba_enable_home_dirs’, state: ’on’ }
- { name: ’ssh_sysadm_login’, state: ’on’, persistent: ’yes’ }
selinux_fcontexts:
- { target: ’/tmp/test_dir(/.*)?’, setype: ’user_home_dir_t’, ftype: ’d’ }
selinux_restore_dirs:
- /tmp/test_dir
selinux_ports:
- { ports: ’22100’, proto: ’tcp’, setype: ’ssh_port_t’, state: ’present’ }
selinux_logins:
- { login: ’sar-user’, seuser: ’staff_u’, serange: ’s0-s0:c0.c1023’, state: ’present’ }SELinux Variables Overview
selinux_policy
-
Policy to use, usually set to targeted selinux_state
-
SELinux state, as managed with setenforce selinux_booleans
-
List of Booleans that need to be set selinux_fcontext
-
List of file contexts that need to be set, including the target file or directory to which they should be applied. selinux_restore_dir
-
List of directories at which the Linux restorecon command needs to be executed to apply new context. selinux_ports
-
List of ports and SELinux port types selinux_logins
-
A list of SELinux user and roles that can be created
-
Most of the time while configuring SELinux, you need to apply the correct state as well as file context.
-
To set the appropriate file context, you first need to define the selinux_fcontext variable.
-
Next, you have to define selinux_restore_dirs also to ensure that the desired context is applied correctly.
Lab: Sets the httpd_sys_content_t context type to the /web directory.
- Sample doc is used and unnecessary lines are removed and the values of two variables have been set
- When you use the RHEL SELinux System Role, some changes require the managed host to be rebooted.
- To take care of this, a block structure is used, where the System Role runs in the block.
- When a change that requires a reboot is applied, the SELinux System Role sets the variable selinux_reboot_required and fails.
- As a result, the rescue section in the playbook is executed.
- This rescue section first makes sure that the playbook fails because of the selinux_reboot_required variable being set to true.
- If that is the case, the reboot module is called to reboot the managed host.
- While rebooting, playbook execution waits for the rebooted host to reappear, and when that happens, the RHEL SELinux System Role is called again to complete its work.
---
- hosts: ansible2
vars:
selinux_policy: targeted
selinux_state: enforcing
selinux_fcontexts:
- { target: ’/web(/.*)?’, setype: ’httpd_sys_content_t’, ftype: ’d’ }
selinux_restore_dirs:
- /web
# prepare prerequisites which are used in this playbook
tasks:
- name: Creates directory
file:
path: /web
state: directory
- name: execute the role and catch errors
block:
- include_role:
name: rhel-system-roles.selinux
rescue:
# Fail if failed for a different reason than selinux_reboot_required.
- name: handle errors
fail:
msg: "role failed"
when: not selinux_reboot_required
- name: restart managed host
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
ignore_errors: true
- name: wait for managed host to come back
wait_for_connection:
delay: 10
timeout: 300
- name: reapply the role
include_role:
name: rhel-system-roles.selinuxUsing the RHEL TimeSync System Role
timesync_ntp_servers variable
-
most important setting
-
specifies attributes to indicate which time servers should be used.
-
The hostname attribute identifies the name of IP address of the time server.
-
The iburst option is used to enable or disable fast initial time synchronization using the timesync_ntp_servers variable.
-
The System Role finds out which version of RHEL is used, and according to the currently used version, it either configures NTP or Chronyd.
Lab: Using an RHEL System Role to Manage Time Synchronization
1. Copy the sample timesync playbook to the current directory:
cp /usr/share/doc/rhel-system-roles/timesync/example-single-pool-playbook.yml timesync.yaml
2. Add the target host, NTP hostname pool.ntp.org, and remove pool true in the file timesync.yaml:
---
- name: Configure NTP
hosts: "{{ host }}"
vars:
timesync_ntp_servers:
- hostname: pool.ntp.org
iburst: true
roles:
- rhel-system-roles.timesync3. Add the timezone module and the timezone variable to the playbook to set the timezone as well. The complete playbook should look like the following:
---
- hosts: ansible2
vars:
timesync_ntp_servers:
- hostname: pool.ntp.org
iburst: yes
timezone: UTC
roles:
- rhel-system-roles.timesync
tasks:
- name: set timezone
timezone:
name: "{{ timezone }}"4. Use ansible-playbook timesync.yaml to run the playbook. Observe its output. Notice that some messages in red are shown, but these can safely be ignored.
5. Use ansible ansible2 -a "timedatectl show" and notice that the timezone variable is set to UTC.