RHCE certification exam
1. Install and configure Ansible
# Install and configure Ansible on the control node control.example.com as described below:
1) Install the required packages
2) Create a static inventory file named /home/student/ansible/inventory that meets the following requirements:
   - servera is a member of the dev host group
   - serverb is a member of the test host group
   - serverc and serverd are members of the prod host group
   - workstation is a member of the balancers host group
   - the prod group is a member of the webservers host group
3) Create a configuration file named /home/student/ansible/ansible.cfg that meets the following requirements:
   - the host inventory file is /home/student/ansible/inventory
   - the location of the roles used by playbooks includes /home/student/ansible/roles
# Solution
[student@bastion ansible]$ sudo yum -y install ansible # needs to be installed during the exam
[student@bastion ansible]$ cat inventory
[dev]
servera
[test]
serverb
[prod]
serverc
serverd
[balancers]
workstation
[webservers:children]
prod
[student@bastion ansible]$ cat ansible.cfg
# (the default /etc/ansible/ansible.cfg can be opened with vim to look up the settings below)
[defaults]
inventory = /home/student/ansible/inventory
remote_user = student # the user account you connect with
roles_path = /home/student/ansible/roles
host_key_checking = false # disables SSH host key verification so the first connection to each node does not prompt; acceptable in the exam lab, but on real systems leave it enabled (or pre-populate known_hosts), because without the check a spoofed host would not be detected
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[student@bastion ansible]$ mkdir /home/student/ansible/roles
# Test
[student@bastion ansible]$ ansible all -m ping
2. Create and run Ansible ad hoc commands
As a system administrator, you need to install software on the managed nodes.
As described below, create a shell script named /home/student/ansible/adhoc.sh that uses Ansible ad hoc commands to install yum repositories on each managed node:
# Repository 1:
1) The repository name is EX294_BASE
2) The description is EX294 base software
3) The base URL is http://content.example.com/rhel8.0/x86_64/dvd/BaseOS
4) GPG signature checking is enabled
5) The GPG key URL is http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
6) The repository is enabled
# Repository 2:
1) The repository name is EX294_STREAM
2) The description is EX294 stream software
3) The base URL is http://content.example.com/rhel8.0/x86_64/dvd/AppStream
4) GPG signature checking is enabled
5) The GPG key URL is http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release
6) The repository is enabled
# Solution
[student@bastion ansible]$ ansible-doc yum_repository # during the exam you can open two terminals and use one to read the module documentation; while practising, just memorise how the modules are used. Search with /EXAMPLES
[student@bastion ansible]$ vim adhoc.sh
#!/bin/bash
# one yum_repository call per repository; gpgcheck=yes makes yum verify package signatures against the key at gpgkey, and enabled=yes (the module default) is written out because the question asks for it explicitly
ansible all -m yum_repository -a 'name="EX294_BASE" description="EX294 base software" baseurl="http://content.example.com/rhel8.0/x86_64/dvd/BaseOS" gpgcheck=yes gpgkey="http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release" enabled=yes'
ansible all -m yum_repository -a 'name="EX294_STREAM" description="EX294 stream software" baseurl="http://content.example.com/rhel8.0/x86_64/dvd/AppStream" gpgcheck=yes gpgkey="http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release" enabled=yes'
[student@bastion ansible]$ chmod +x adhoc.sh
[student@bastion ansible]$ ./adhoc.sh
# Test
[student@bastion ansible]$ ansible all -a 'ls /etc/yum.repos.d'
[student@bastion ansible]$ ansible all -a "yum repolist"
3. Install packages
Create a playbook named /home/student/ansible/packages.yml:
1) Install the php and mariadb packages on the hosts in the dev, test and prod host groups
2) Install the RPM Development Tools package group on the hosts in the dev host group
3) Update all packages on the hosts in the dev host group to the latest version
# Solution:
[student@bastion ansible]$ vim ~/.vimrc # configure vim before writing playbooks: auto-indent, two-space indentation, and TAB expanded to spaces (YAML does not accept tab characters)
set ai et ts=2 sw=2
# the settings apply to every new vim session; inside an already running vim use :source ~/.vimrc
[student@bastion ansible]$ ansible-doc yum # help
[student@bastion ansible]$ vim packages.yml
---
- name: yum install packages
  hosts: dev,test,prod
  tasks:
    - name: install php and mariadb
      yum:
        name:
          - php
          - mariadb
        state: present
    - name: install group
      yum:
        name: "@RPM Development Tools"
        state: present
      when: inventory_hostname in groups.dev
    - name: update
      yum:
        name: "*"
        state: latest
      when: inventory_hostname in groups.dev
# Syntax check:
[student@workstation ansible]$ ansible-playbook --syntax-check packages.yml
playbook: packages.yml # no syntax errors, so run the playbook
# Run the playbook
[student@bastion ansible]$ ansible-playbook packages.yml
# Test:
[student@bastion ansible]$ ansible dev,test,prod -m shell -a 'rpm -qa | grep mariadb'
4. Use RHEL system roles
Install the RHEL system roles package and create a playbook named /home/student/ansible/timesync.yml that meets the following conditions:
1. Runs on all managed nodes
2. Uses the timesync role
3. Configures the role to use the currently active NTP provider
4. Configures the role to use the time server 172.25.254.254
5. Configures the role to enable the iburst parameter
# Solution:
# Install the system roles
[student@bastion ansible]$ sudo yum -y install rhel-system-roles # installs the rhel-system-roles package (the system roles themselves)
[student@bastion ansible]$ rpm -ql rhel-system-roles | less # see where the package installed the roles
[student@bastion ansible]$ cd /usr/share/ansible/roles/
[student@bastion roles]$ ls
rhel-system-roles.timesync
[student@bastion roles]$ cp -a /usr/share/ansible/roles/rhel-system-roles.timesync /home/student/ansible/roles/timesync # use an absolute destination; a relative ./roles/timesync from here would land under /usr/share/ansible/roles
[student@bastion roles]$ cd /home/student/ansible
# Check that the role is recognised
[student@bastion ansible]$ ansible-galaxy list
# /home/student/ansible/roles
- timesync, (unknown version)
[student@bastion ansible]$ vim roles/timesync/README.md # look up the role's variables
[student@bastion ansible]$ cat timesync.yml
---
- name: timesync
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes
  roles:
    - timesync
# Syntax check:
[student@workstation ansible]$ ansible-playbook --syntax-check timesync.yml
# Run the playbook
[student@bastion ansible]$ ansible-playbook timesync.yml
# Test
[student@bastion ansible]$ ansible all -a 'chronyc sources -v'
servera | CHANGED | rc=0 >> 210 Number of sources = 1
[student@bastion ansible]$ ansible all -m shell -a 'timedatectl | grep -B1 NTP'
5. Install roles with Ansible Galaxy
Using Ansible Galaxy and the requirements file /home/greg/ansible/roles/requirements.yml, download the roles from the following URLs and install them into /home/greg/ansible/roles:
http://materials.example.com/cd/exam_rhce8/haproxy.tar, this role should be named balancer
http://materials.example.com/cd/exam_rhce8/phpinfo.tar, this role should be named phpinfo
# Solution:
[student@bastion roles]$ vim requirements.yml
[student@bastion roles]$ cat requirements.yml
---
- src: http://materials.example.com/cd/exam_rhce8/haproxy.tar
  name: balancer
- src: http://materials.example.com/cd/exam_rhce8/phpinfo.tar
  name: phpinfo
# Download and install the roles
[student@bastion roles]$ ansible-galaxy install -r requirements.yml -p .
# Test:
[student@bastion ansible]$ ansible-galaxy list # or: ll ~/ansible/roles
# /home/student/ansible/roles
- timesync, (unknown version)
- balancer, (unknown version)
- phpinfo, (unknown version)
Check that the two roles balancer and phpinfo now appear.
6. Create and use roles
Create a role named apache in /home/student/ansible/roles according to the following requirements:
1. The httpd package is installed, enabled at system boot and started
2. The firewall is enabled and running, with a rule that allows access to the web server
3. The template file index.html.j2 is used to create the file /var/www/html/index.html with the following content: Welcome to HOSTNAME on IPADDRESS, where HOSTNAME is the managed node's fully qualified domain name and IPADDRESS is the managed node's IP address
4. As described below, create a playbook /home/student/ansible/newrole.yml that uses this role; the playbook runs on the hosts in the webservers host group
# Solution:
# module documentation to consult:
ansible-doc service
ansible-doc firewalld
# Create the role: apache
[student@bastion roles]$ ansible-galaxy init apache
[student@bastion roles]$ ls
apache balancer phpinfo requirements.yml timesync
# Write the tasks
[student@bastion ansible]$ cd roles/apache/
[student@bastion apache]$ cat tasks/main.yml
---
# tasks file for apache
- name: install apache
  yum:
    name: httpd
    state: present
- name: start httpd,firewalld and enable
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
    - httpd
    - firewalld
- name: add httpd to firewalld
  firewalld:
    service: http
    permanent: yes
    state: enabled
    immediate: yes
- name: transfer j2 to www # any task name will do
  template:
    src: index.html.j2 # the name required by the question
    dest: /var/www/html/index.html # path given in the question
# Write the j2 file
[student@bastion apache]$ vim templates/index.html.j2
[student@bastion apache]$ cat templates/index.html.j2
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}
# ansible_default_ipv4.address is a single string; ansible_all_ipv4_addresses is a list and renders with brackets (the curl output below was produced with the list variable, hence the brackets)
[student@bastion ansible]$ ansible dev -m setup -a 'filter=*fqdn*'
## look up ansible_fqdn
[student@bastion ansible]$ ansible dev -m setup -a 'filter=*ipv4*'
## look up ansible_default_ipv4 (and ansible_all_ipv4_addresses)
# Write the playbook that uses the role
[student@bastion apache]$ pwd
/home/student/ansible/roles/apache
[student@bastion apache]$ cd ../..
[student@bastion ansible]$ vim newrole.yml
[student@bastion ansible]$ cat newrole.yml
---
- name: use role apache
  hosts: webservers # host group
  roles:
    - apache # role
# Syntax check:
[student@workstation ansible]$ ansible-playbook newrole.yml --syntax-check
# Run the playbook
[student@bastion ansible]$ ansible-playbook newrole.yml
# Check
[student@bastion ansible]$ curl http://serverc
Welcome to serverc.lab.example.com on ['172.25.250.12']
[student@bastion ansible]$ curl http://serverd
Welcome to serverd.lab.example.com on ['172.25.250.13']
7. Use roles from Ansible Galaxy
1. Create a playbook named /home/student/ansible/roles.yml according to the following requirements:
2. The playbook contains a play that runs on the hosts in the balancers host group and uses the balancer role.
3. This role configures a service that load-balances web server requests between the hosts in the webservers host group.
4. Browsing to a host in the balancers host group (for example http://workstation.lab.example.com/) produces the following output: Welcome to serverc.example.com on 172.25.250.12
5. Reloading the browser produces output from the other web server: Welcome to serverd.example.com on 172.25.250.13
6. The playbook contains a play that runs on the hosts in the webservers host group and uses the phpinfo role.
7. Browsing to a host in the webservers host group via the URL /hello.php produces the following output: Hello PHP World from FQDN, where FQDN is the host's fully qualified name.
8. For example, browsing to http://serverc.lab.example.com/hello.php produces the following output: Hello PHP World from serverc.example.com, along with various details of the PHP configuration, such as the installed PHP version.
9. Similarly, browsing to http://serverd.example.com/hello.php produces the following output: Hello PHP World from serverd.example.com, along with various details of the PHP configuration, such as the installed PHP version
# Solution:
[student@bastion ansible]$ cat roles.yml
---
- name: gather facts from webservers # this play has no tasks; it runs first so the webservers' facts are collected and available through hostvars to the balancer role
  hosts: webservers # host group
- name: ha
  hosts: balancers # host group
  roles:
    - balancer # role
- name: use role phpinfo # description: phpinfo
  hosts: webservers
  roles:
    - phpinfo # role 2
# Syntax check:
[student@workstation ansible]$ ansible-playbook roles.yml --syntax-check
# Run the playbook
[student@bastion ansible]$ ansible-playbook roles.yml
# Check:
[student@bastion ansible]$ curl http://workstation
Welcome to serverc.lab.example.com on ['172.25.250.12']
[student@bastion ansible]$ curl http://workstation
Welcome to serverd.lab.example.com on ['172.25.250.13']
8. Create and use logical volumes
Create a playbook named /home/student/ansible/lv.yml that runs on all managed nodes and performs the following tasks:
1. Create a logical volume that meets the following requirements:
   1) The logical volume is created in the research volume group
   2) The logical volume is named data
   3) The logical volume size is 6000 MiB
2. Format the logical volume with the ext4 file system
3. If the requested logical volume size cannot be created, the error message Could not create logical volume of that size should be displayed and a size of 800 MiB should be used instead
4. If the research volume group does not exist, the error message Volume group done not exist should be displayed
5. Do not mount the logical volume in any way
# None of the 4 machines in the practice environment have this VG, so I created a research volume group on servera and serverb: servera's volume group is larger than 6000M and serverb's is smaller
# Solution:
ansible-doc -l | grep lv
ansible-doc lvol
ansible-doc filesystem
[student@bastion ansible]$ cat lv.yml
---
- name: create lv
  hosts: all
  tasks:
    - block:
        - name: create lv 6000m
          lvol:
            vg: research
            lv: data # logical volume name
            size: 6000
      rescue:
        - name: error 6000 # how the error is reported
          debug:
            msg: "Could not create logical volume of that size" # error message given in the question
        - name: create lv 800
          lvol:
            vg: research # volume group
            lv: data
            size: 800
      always:
        - name: format filesystem
          filesystem:
            fstype: ext4 # file system type
            dev: /dev/research/data
      # a condition on the block also applies to its rescue and always sections, so hosts without
      # the volume group skip all of it (instead of failing in rescue) and reach the message below
      when: ansible_lvm.vgs.research is defined
    - name: research does not exist
      debug:
        msg: "Volume group done not exist" # error message given in the question
      when: ansible_lvm.vgs.research is not defined
# ansible all -m setup -a 'filter=*lvm*'
# Syntax check:
[student@workstation ansible]$ ansible-playbook lv.yml --syntax-check
# Run the playbook
[student@bastion ansible]$ ansible-playbook lv.yml
# Check
# Assuming the exam asks you to partition vdb, check the state of vdb1 after finishing:
[student@bastion ansible]$ ansible servera,serverb -a 'lvs'
servera | CHANGED | rc=0 >>
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data research -wi-a----- 800.00m
serverb | CHANGED | rc=0 >>
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data research -wi-a----- 800.00m
9. Generate a hosts file
Download an initial template file from http://materials.example.com/cd/exam_rhce8/hosts.j2 to /home/student/ansible and complete it so that it can be used to generate the following file: one line for each inventory host, in the same format as /etc/hosts
Create a playbook named /home/student/ansible/hosts.yml that uses this template to generate the file /etc/myhosts on the hosts in the dev host group.
After the playbook has run, the file /etc/myhosts on the hosts in the dev host group should contain one line for each managed host:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.242.6 servera.realm8.example.com servera
172.242.7 serverb.realm8.example.com serverb
172.242.8 serverc.realm8.example.com serverc
172.242.9 serverd.realm8.example.com serverd
172.242.10 workstation.realm8.example.com workstation
Note: the order in which the inventory hosts appear does not matter.
# Solution:
# Download the template file
[student@bastion ansible]$ wget http://materials.example.com/cd/exam_rhce8/hosts.j2
# Edit hosts.j2
[student@bastion ansible]$ cat hosts.j2
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
{% for host in groups['all'] %}
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }} {{ hostvars[host]['ansible_facts']['fqdn'] }} {{ hostvars[host]['ansible_facts']['hostname']}}
{% endfor %}
# ansible dev -m setup -a "filter=*address*"
# ansible dev -m setup -a "filter=*fqdn*"
# ansible dev -m setup -a "filter=*hostname*"
# Write the playbook
# ansible-doc template
[student@bastion ansible]$ cat hosts.yml
---
- name: generate /etc/myhosts from hosts.j2 # any name will do
  hosts: all # all hosts, so that facts for every host are gathered and the template can read them from hostvars
  tasks:
    - name: render hosts.j2 # any name will do
      template:
        src: hosts.j2
        dest: /etc/myhosts
      when: inventory_hostname in groups.dev # only the dev hosts receive the file
# Syntax check:
[student@workstation ansible]$ ansible-playbook hosts.yml --syntax-check
# Run the playbook
[student@bastion ansible]$ ansible-playbook hosts.yml
# Test
[student@bastion ansible]$ ansible dev -a 'cat /etc/myhosts'
servera | CHANGED | rc=0 >>
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.9 workstation.lab.example.com workstation
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd
10. Modify file content
As described below, create a playbook named /home/student/ansible/issue.yml:
1. The playbook runs on all inventory hosts
2. The playbook replaces the content of /etc/issue with the single line of text shown below:
   $1 on hosts in the dev host group the line reads: Development
   $2 on hosts in the test host group the line reads: Test
   $3 on hosts in the prod host group the line reads: Production
# Solution:
[student@bastion ansible]$ vim issue.yml
[student@bastion ansible]$ cat issue.yml
---
- name: issue # description
  hosts: all # all hosts
  tasks:
    - name: change dev issue
      copy:
        content: "Development"
        dest: /etc/issue
      when: inventory_hostname in groups['dev']
    - name: change test issue
      copy:
        content: "Test"
        dest: /etc/issue
      when: inventory_hostname in groups['test']
    - name: change prod issue
      copy:
        content: "Production"
        dest: /etc/issue
      when: inventory_hostname in groups['prod']
# View the current content on each host:
[student@bastion ansible]$ ansible dev -a "cat /etc/issue"
# Syntax check:
[student@workstation ansible]$ ansible-playbook issue.yml --syntax-check
# Run the playbook
[student@bastion ansible]$ ansible-playbook issue.yml
# Test
[student@bastion ansible]$ ansible server[a-d] -a 'cat /etc/issue'
servera | CHANGED | rc=0 >>
Development
serverc | CHANGED | rc=0 >>
Production
serverd | CHANGED | rc=0 >>
Production
serverb | CHANGED | rc=0 >>
Test
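The three copy tasks above differ only in the group tested and the text written. As an added example (not part of the original solution), the play below does the same job with one task driven by a mapping from group name to banner text; the variable names issue_text and banner_groups are assumptions, and the approach extends to any number of groups without adding tasks.

```yaml
---
# Added example, not from the original solution. issue_text and banner_groups
# are assumed variable names; group_names is Ansible's built-in list of the
# groups the current host belongs to.
- name: set /etc/issue according to the host's group
  hosts: all
  vars:
    issue_text:
      dev: Development
      test: Test
      prod: Production
    # groups of this host that have a banner defined
    banner_groups: "{{ group_names | intersect(issue_text.keys() | list) }}"
  tasks:
    - name: write the banner for the first matching group
      copy:
        content: "{{ issue_text[banner_groups | first] }}"
        dest: /etc/issue
      # hosts with no entry in the mapping (workstation, which is only in balancers) are left untouched
      when: banner_groups | length > 0
```

Because prod hosts are also members of webservers, the intersect with the mapping's keys is what keeps the lookup unambiguous; adding a new environment is a one-line change to issue_text.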
11. Create a web content directory
As described below, create a playbook named /home/student/ansible/webcontent.yml:
The playbook runs on the managed nodes in the dev host group and creates the directory /webdev that meets the following requirements:
1. The webdev group has regular permissions: owner=read+write+execute, group=read+write+execute, other=read+execute
2. Special permissions: SGID is set
3. /var/www/html/webdev is a symbolic link to /webdev
4. The file /webdev/index.html is created and contains the single line: Development
5. Browsing to this directory on a host in the dev host group (for example http://servera.lab.example.com/webdev) produces the following output: Development
# Solution:
# check the SELinux type: ansible dev -m shell -a 'semanage fcontext --list | grep var/www | head'
# ansible dev -m shell -a 'ls -lZd /var/www/html' # look up the setype
# ansible-doc file
# ansible-doc copy
[student@bastion ansible]$ vim webcontent.yml
---
- name: create web directory
  hosts: dev
  roles:
    - apache
  tasks: # as follows: create the tasks
    - name: ensure webdev group exists # create the group
      group:
        name: webdev
    - name: create webdev directory
      file: # file module
        path: /webdev # directory
        state: directory
        group: webdev
        mode: '2775' # SGID plus rwxrwxr-x
        setype: httpd_sys_content_t
    - name: create soft link # create the symbolic link
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: create file
      copy:
        content: "Development"
        dest: /webdev/index.html
        setype: httpd_sys_content_t
# Run the playbook
[student@bastion ansible]$ ansible-playbook webcontent.yml
# Test in the browser
http://servera.lab.example.com/webdev
Development
[student@bastion ansible]$ curl http://servera.lab.example.com/webdev/
Welcome to servera.lab.example.com on ['172.25.250.10']
12. Generate a hardware report
Create a playbook named /home/student/ansible/hwreport.yml that generates the output file /root/hwreport.txt on all managed nodes with the following information:
1. Inventory host name
2. Total memory size in MB
3. BIOS version
4. Size of the disk device vda
5. Size of the disk device vdb
6. Each line of the output file contains one key=value pair.
# Your playbook should:
7. Download the file from http://materials.example.com/cd/exam_rhce8/hwreport.empty and save it as /root/hwreport.txt
8. Modify /root/hwreport.txt with the correct values
9. If a hardware item does not exist, the related value should be set to NONE
# Solution:
# ansible dev -m setup -a "filter=*hostname*"
# ansible dev -m setup -a "filter=*device*"
vim hwreport.empty # check the exact key names and their case
[student@bastion ansible]$ vim hwreport.yml
---
- name: hw report
  hosts: all
  tasks:
    - name: download the empty report
      get_url:
        url: http://materials.example.com/cd/exam_rhce8/hwreport.empty
        dest: /root/hwreport.txt
        force: yes # re-download even if the file exists, so a rerun starts from the template
    # regexp makes each lineinfile replace the placeholder line for its key instead of appending a second one;
    # the key names must match those in hwreport.empty (check the file for exact spelling and case)
    - name: inventory hostname
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^inventory_hostname'
        line: "inventory_hostname = {{ inventory_hostname }}"
    - name: total memory
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^Total_Mem'
        line: "Total_Mem = {{ ansible_memtotal_mb | default('NONE') }}"
    - name: bios version
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^BIOS_ver'
        line: "BIOS_ver = {{ ansible_bios_version | default('NONE') }}"
    - name: devices vda size
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^vda_size'
        line: "vda_size = {{ ansible_devices.vda.size | default('NONE') }}"
    - name: devices vdb size
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^vdb_size'
        line: "vdb_size = {{ ansible_devices.vdb.size | default('NONE') }}"
Either of the two playbooks (above and below) can be used
---
- name: hw report (alternative)
  hosts: all
  tasks:
    - name: download the empty report
      get_url:
        url: http://materials.example.com/laoma/hwreport.empty
        dest: /root/hwreport.txt
        force: yes
    - name: hostname
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^hostname='
        line: 'hostname={{ inventory_hostname }}'
    - name: memory
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^memory='
        line: 'memory={{ ansible_memtotal_mb }}'
    - name: bios version
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^bios_version='
        line: 'bios_version={{ ansible_bios_version }}'
    - name: vda size # default('NONE') already covers a missing device, so no extra when is needed (a when would skip the line instead of writing NONE)
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^vdasize='
        line: 'vdasize={{ ansible_devices.vda.size | default("NONE") }}'
    - name: vdb size
      lineinfile:
        path: /root/hwreport.txt
        regexp: '^vdbsize='
        line: 'vdbsize={{ ansible_devices.vdb.size | default("NONE") }}'
# Run the playbook
[student@bastion ansible]$ ansible-playbook hwreport.yml
# Test
[student@bastion ansible]$ ansible all -a 'cat /root/hwreport.txt'
serverb | CHANGED | rc=0 >>
hostname = serverb
memory = 821
bios_version = 1.11.1-3.module+el8+2529+a9686a4d
vdasize = 10.00 GB
vdbsize = 5.00 GB
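As an added example (not the page's own solution), the five lineinfile tasks can be driven from one list: each item carries the key as it appears in hwreport.empty together with the fact expression, regexp makes the task replace the placeholder line instead of appending a second copy, and default('NONE') covers any fact that is absent, so the approach generalises to any number of devices or facts. The key names follow the second playbook above and must match the downloaded file; the variable name report_fields is an assumption.

```yaml
---
# Added example, not from the original solution. report_fields is an assumed
# variable name; the keys must match those in the downloaded hwreport.empty.
- name: hardware report, loop version
  hosts: all
  vars:
    report_fields:
      - { key: hostname, value: "{{ inventory_hostname }}" }
      - { key: memory, value: "{{ ansible_memtotal_mb | default('NONE') }}" }
      - { key: bios_version, value: "{{ ansible_bios_version | default('NONE') }}" }
      - { key: vdasize, value: "{{ ansible_devices.vda.size | default('NONE') }}" }
      - { key: vdbsize, value: "{{ ansible_devices.vdb.size | default('NONE') }}" }
  tasks:
    - name: download the empty report
      get_url:
        url: http://materials.example.com/cd/exam_rhce8/hwreport.empty
        dest: /root/hwreport.txt
        force: yes # start from the template on every run
    - name: fill in one key=value line per field
      lineinfile:
        path: /root/hwreport.txt
        regexp: "^{{ item.key }}=" # replace the existing line for this key ...
        line: "{{ item.key }}={{ item.value }}" # ... rather than appending a duplicate
      loop: "{{ report_fields }}"
      loop_control:
        label: "{{ item.key }}" # keep the task output readable
```

On a node without a vdb device, ansible_devices.vdb is undefined and the filter writes vdbsize=NONE, which is what requirement 9 asks for; a second run changes nothing because regexp matches the line already written.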
13. Create a password vault
# As described below, create an Ansible vault to store user passwords:
1. The vault name is /home/greg/ansible/locker.yml
2. The vault contains two variables, named as follows:
   $1 pw_developer, with the value Imadev
   $2 pw_manager, with the value Imamgr
3. The password used to encrypt and decrypt the vault is retent
4. The password is stored in the file /home/student/ansible/secret.txt
# Solution:
[student@bastion ansible]$ echo retent > /home/student/ansible/secret.txt # this file holds the vault password in clear text, so keep it readable only by your own user (chmod 600)
[student@bastion ansible]$ ansible-vault create --vault-password-file=secret.txt locker.yml
---
pw_developer: Imadev
pw_manager: Imamgr
# View the vault file
[student@bastion ansible]$ ansible-vault view locker.yml
Vault password:
---
pw_developer: Imadev
pw_manager: Imamgr
# The vault file locker.yml itself now contains only the encrypted content
[student@bastion ansible]$ cat locker.yml
$ANSIBLE_VAULT;1.1;AES256
626664303739353330643261646433616434333036373561646237313230643662373961613732653838616537353934613865376261343763336463356234340a353835313835653739626335373635
14. Create user accounts
1. Download the list of users to create from http://materials.example.com/cd/exam_rhce8/user_list.yml and save it to the /home/student/ansible directory
2. Using the password vault /home/student/ansible/locker.yml created elsewhere in this exam, create a playbook named /home/student/ansible/users.yml that creates user accounts as described below:
3. Users with the job description developer should:
   1) be created on the managed nodes in the dev and test host groups
   2) be assigned the password from the pw_developer variable
   3) be members of the supplementary group student
4. Users with the job description manager should:
   1) be created on the managed nodes in the prod host group
   2) be assigned the password from the pw_manager variable
   3) be members of the supplementary group opsmgr
5. Passwords use the SHA512 hash format.
6. Your playbook should run correctly using the vault password file /home/student/ansible/secret.txt created elsewhere in this exam
# Solution:
# vim user_list.yml (check the variable and key names after downloading)
[student@bastion ansible]$ wget http://materials.example.com/cd/exam_rhce8/user_list.yml
[student@bastion ansible]$ vim users.yml
---
- name: create users
  hosts: dev,test,prod
  vars_files:
    - /home/student/ansible/locker.yml
    - /home/student/ansible/user_list.yml
  tasks:
    - name: ensure group student exists
      group:
        name: student
      when: inventory_hostname in groups.dev or inventory_hostname in groups.test
    - name: create job user developer
      user:
        name: "{{ item.name }}"
        password: "{{ pw_developer | password_hash('sha512') }}"
        groups: student
      loop: "{{ users }}"
      when: item.job == 'developer' and (inventory_hostname in groups.dev or inventory_hostname in groups.test)
    - name: ensure group opsmgr exists
      group:
        name: opsmgr
      when: inventory_hostname in groups.prod
    - name: create job user manager
      user:
        name: "{{ item.name }}"
        password: "{{ pw_manager | password_hash('sha512') }}"
        groups: opsmgr
      loop: "{{ users }}"
      when: item.job == 'manager' and inventory_hostname in groups.prod
---
- name: create users (alternative)
  hosts: dev,test,prod
  vars_files:
    - user_list.yml
    - locker.yml
  tasks:
    - name: dev and test
      group:
        name: devops # group name from another exam variant; the requirements above ask for student
        state: present
      when: ansible_hostname in groups.dev or ansible_hostname in groups.test
    - name: for prod
      group:
        name: opsmgr
        state: present
      when: ansible_hostname in groups.prod
    - name: users for dev and test
      user:
        name: "{{ item.name }}"
        groups: devops
        password: "{{ pw_developer | password_hash('sha512') }}"
        comment: "{{ item.job }}"
      loop: "{{ users }}"
      when: (ansible_hostname in groups.test and item.job == 'developer') or (ansible_hostname in groups.dev and item.job == 'developer')
    - name: create for prod
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
        comment: "{{ item.job }}"
      loop: "{{ users }}"
      when: ansible_hostname in groups.prod and item.job == 'manager'
# Run the playbook
[student@bastion ansible]$ ansible-playbook users.yml --vault-password-file=secret.txt
# without --vault-password-file the run fails with: ERROR! Attempting to decrypt but no vault secrets found
# Test
[student@bastion ansible]$ ansible dev,test,prod -a 'tail -3 /etc/passwd'
serverd | CHANGED | rc=0 >>
nginx:x:990:986:Nginx web server:/var/lib/nginx:/sbin/nologin
james:x:1002:1003::/home/james:/bin/bash
mary:x:1003:1004::/home/mary:/bin/bash
serverb | CHANGED | rc=0 >>
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:990:986:Nginx web server:/var/lib/nginx:/sbin/nologin
john:x:1002:1002::/home/john:/bin/bash
serverc | CHANGED | rc=0 >>
nginx:x:990:986:Nginx web server:/var/lib/nginx:/sbin/nologin
james:x:1002:1003::/home/james:/bin/bash
mary:x:1003:1004::/home/mary:/bin/bash
servera | CHANGED | rc=0 >>
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:990:986:Nginx web server:/var/lib/nginx:/sbin/nologin
john:x:1002:1003::/home/john:/bin/bash
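The following is an added example, not the page's solution: the same users.yml requirements with two details a practitioner would want. no_log keeps the vaulted password and the generated hash out of verbose output and logs (otherwise ansible-playbook -v prints the task arguments), and update_password: on_create stops the task from re-hashing with a fresh random salt and reporting a change on every run. It assumes user_list.yml defines a users list whose items have name and job keys, and locker.yml defines pw_developer and pw_manager, exactly as in the solution above; job_map and vault_pw are assumed variable names.

```yaml
---
# Added example, not the original solution. Assumes user_list.yml provides a
# list named users (items with name and job keys) and locker.yml provides
# pw_developer and pw_manager. job_map and vault_pw are assumed variable names.
- name: create users with vaulted passwords, hardened version
  hosts: dev,test,prod
  vars_files:
    - /home/student/ansible/locker.yml
    - /home/student/ansible/user_list.yml
  vars:
    # which supplementary group each job gets, and on which host groups it is created
    job_map:
      developer: { group: student, hosts: ['dev', 'test'] }
      manager: { group: opsmgr, hosts: ['prod'] }
    # the vaulted variable that supplies each job's password
    vault_pw:
      developer: "{{ pw_developer }}"
      manager: "{{ pw_manager }}"
  tasks:
    - name: supplementary groups for the jobs this host serves
      group:
        name: "{{ item.value.group }}"
        state: present
      loop: "{{ job_map | dict2items }}"
      when: group_names | intersect(item.value.hosts) | length > 0
    - name: user accounts
      user:
        name: "{{ item.name }}"
        comment: "{{ item.job }}"
        groups: "{{ job_map[item.job].group }}"
        append: yes # keep any supplementary groups the account already has
        password: "{{ vault_pw[item.job] | password_hash('sha512') }}"
        update_password: on_create # set the password only when the account is created
      no_log: true # keep the password and its hash out of -v output and logs
      loop: "{{ users }}"
      when: item.job in job_map and group_names | intersect(job_map[item.job].hosts) | length > 0
```

Run it exactly like the solution above, with --vault-password-file=secret.txt. With no_log set, a failure in the user task is reported without the arguments; temporarily remove it only while debugging, and never in a shared CI log.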
15. Update the key of an Ansible vault
# As described below, update the key of an existing Ansible vault:
1. Download the Ansible vault from http://materials.example.com/cd/exam_rhce8/salaries.yml to the /home/student/ansible directory
2. The current vault password is retent
3. The new vault password is redhat
4. The vault remains encrypted with the new password
# Solution:
[student@bastion ansible]$ wget http://materials.example.com/cd/exam_rhce8/salaries.yml
[student@bastion ansible]$ ansible-vault view salaries.yml
Vault password: # enter the old password
RH-294
[student@bastion ansible]$ ansible-vault rekey salaries.yml
Vault password: # enter the old password
New Vault password: # enter the new password
Confirm New Vault password: # enter the new password again
Rekey successful
[student@bastion ansible]$ ansible-vault view salaries.yml
Vault password: # use the new password
RH-294
16. Configure a cron job (random question)
1. Create a playbook named /home/greg/ansible/cron.yml that configures a cron job which runs every 2 minutes and executes the following command:
2. logger "EX294 in progress", run as the user natasha
## Solution:
[student@bastion ansible]$ cat cron.yml
---
- name: create cron
  hosts: all
  tasks:
    - name: create user
      user:
        name: natasha
        state: present
    - name: create cron for all
      cron:
        name: crontab
        minute: '*/2'
        job: logger "EX294 in progress"
        user: natasha
# Run the playbook
[student@bastion ansible]$ ansible-playbook cron.yml
[student@bastion ansible]$ ansible all -a 'crontab -u natasha -l'
serverd | CHANGED | rc=0 >>
#Ansible: crontab
*/2 * * * * logger "EX294 in progress"
serverb | CHANGED | rc=0 >>
#Ansible: crontab
*/2 * * * * logger "EX294 in progress"
serverc | CHANGED | rc=0 >>
#Ansible: crontab
*/2 * * * * logger "EX294 in progress"
servera | CHANGED | rc=0 >>
#Ansible: crontab
*/2 * * * * logger "EX294 in progress"
workstation | CHANGED | rc=0 >>
#Ansible: crontab
*/2 * * * * logger "EX294 in progress"
Summary
Understanding first, proficiency second.
RHCE exam environment
Link: https://pan.baidu.com/s/1uK6A-QgGnkT1RLWk_VtteA
Extraction code: y9gk