EX294 Red Hat Certified Engineer RHCE – Configuring Ansible Managed Node

January 19, 2023

1. Introduction

Hello and welcome to section one, configuring Ansible managed nodes. During this section we'll cover the listed objectives. We'll learn how to create a user on the remote nodes and how to distribute SSH keys to the managed nodes; we'll do this using Ansible ad hoc commands. We'll also learn how to configure privilege escalation on the remote nodes.

Again, we'll do this using Ansible ad hoc commands. We'll also learn how to configure the remote nodes to use a Yum repository. And finally we'll learn how to validate a working configuration with an Ansible ad hoc command using the command module. Let's move ahead with the first lecture of this section.

2. Task: Configuring Remote node to listen on non-default SSH port

Hello, welcome to this lecture. In this lecture we'll configure mhost4 to listen on a non-default SSH port using Ansible ad hoc commands. Here is the task description: configure mhost4 to listen on the non-default SSH port 555. Ansible should be able to connect to mhost4 on the new SSH port as well as on the standard SSH port, which means Ansible should be able to use both port 22 and port 555 to make an SSH connection to mhost4. Update the inventory file to tell Ansible to use port 555 to connect to mhost4; for this we'll use the host variable ansible_port for mhost4 to tell Ansible to use port 555 while connecting to it. Here is the list of commands we need for this task. We'll execute all of them as root user, because this task is possible with root permissions only.

The first ad hoc command is ansible with the target mhost4 and the module lineinfile. This module is used when we need to add or remove one line in some file, typically a configuration file. With the -a option we provide the arguments required by the module; we'll learn more about this module while doing the task, but here is an overview of how it works. With the path directive we set the file we need to change, which in our case is the SSH daemon config file, /etc/ssh/sshd_config. With the regexp directive (regexp stands for regular expression) we specify the line to be replaced: here a line starting with #Port should be replaced with the line given by the line directive, Port 22. We need to execute this command as root, so we must use the -u option to tell Ansible to connect to the remote node as root. In the second ad hoc command we add one more line, Port 555, after that line, using the insertafter directive.

Here insertafter matches a line starting with Port, which is the line we added with the previous command, so Port 555 is added after it. Because we use insertafter, the matching line is not replaced; one more line is inserted after it, so we end up with two lines, Port 22 and then Port 555, and both ports are defined in the config file. Next we must take care of the SELinux part. Here we'll use the seport module to set the correct SELinux context on the non-default SSH port 555: with ports we specify port 555, proto is tcp, setype is ssh_port_t (the type for SSH), and state is present. Again we'll use the -u option to tell Ansible to execute the command as root. Next we add a firewall rule so that mhost4 accepts traffic on the non-default SSH port. For this we'll use the firewalld module: with port we specify the port to be enabled on the firewall together with the protocol, 555/tcp, state is enabled, and permanent=yes for persistent changes. After making permanent changes to the firewall we must reload it to make the changes effective; we do this with the service module, passing name=firewalld and state=reloaded. Finally we need to restart the sshd daemon because we changed its config file.

For this we'll again use the service module, with name=sshd and state=restarted. This is all we need to do: after these changes mhost4 will start listening on the non-default SSH port 555 and will also keep listening on port 22. Then, as the task requires, we need to tell Ansible to use port 555 to connect to mhost4. For this we'll use a host variable for mhost4 in the Ansible inventory file: ansible_port=555. Finally, an important note: to use the seport module we need the policycoreutils package, which is not installed on all managed nodes because we installed them with the minimal install option. So connect mhost4 to the internet and install it before starting this task. Now let's move to the system and start the task.

We are on the Ansible control node, logged in as root. Before starting, I'll display the documentation for the different modules we'll be using, starting with lineinfile: ansible-doc lineinfile. Here is the description: this module is normally used when you need to change a single line in a file; when you need to change multiple similar lines you can use the blockinfile module. We need to change two lines, but we'll use lineinfile only. Here is the list of arguments this module accepts; we'll discuss only the important ones for this task. With the backup directive set to yes or true we can create a backup of the original file. firstmatch I'll come back to later. group sets the group that should own the file or directory; we are not using it here. Next is insertafter, which we are using in this task: it inserts a new line after a line matching a specific regular expression and is used with state=present. If specified, the line is inserted after the last match of the regular expression, so if multiple lines match, the line is added only after the last one. That is the role of the firstmatch directive: if you set firstmatch to yes or true, the line is added after the first match; by default it is added after the last match. Next is insertbefore, which is similar to insertafter but adds the line before the line matching the regular expression; again it uses the last match, and we can change this behaviour with firstmatch. Next is line, an important one we are going to use in our task.

line is the line to insert or replace in the file, required for state=present. mode sets permissions; we don't need it for this task. owner sets ownership. path is mandatory (marked with an equals sign in ansible-doc) and is the file to modify; in our case we are modifying the SSH daemon config file. regexp is used to replace a line: it is the regular expression to look for in every line of the file, and for state=present it is the pattern to replace if found. In other words, if there is a line matching the pattern given by regexp, that line is replaced with the one given by the line directive. Then there are some directives related to SELinux. state is important; its default is present, so even if we skipped it the line would be added or replaced by default, but we'll still specify it in our task. validate is used to validate the file after making changes, to make sure there are no errors; we'll discuss this directive when we make changes to the sudoers file to configure privilege escalation. Now here are some examples. They are written for playbooks, but they give all the information we need to build our ad hoc command: we'll set the path directive to the file we need to modify, in our case the SSH daemon config file; we'll specify the regular expression with regexp to replace the line; and to add a new line we'll use insertafter, again with an expression, so that the line is added after the line matching it.

Now I'll quit this, clear the screen, and display the documentation for seport. It manages SELinux network port type definitions. Here is the list of arguments we'll use: ports, which is mandatory, where we'll specify port 555; proto, also mandatory, which is tcp; reload, which is true by default, so we don't need to specify it; setype, again mandatory, to specify the SELinux context type we need to set on the port; and state, which is present by default, though we'll still specify state=present.

So here is a simple example: ports=555, proto=tcp, setype=ssh_port_t (the type for SSH), state=present. Keep in mind that when we provide arguments to an ad hoc command we must use the equals sign, whereas in playbooks we use a colon followed by a space before the argument value. I'll quit and clear the screen. Now I'll display the documentation for the firewalld module. This module allows adding and deleting services and ports on the firewall. We'll discuss only the important arguments. permanent: to make persistent changes we must set this to yes; by default it is no. port: the port to be added or enabled on the firewall, in our case 555.

The next important directive is state, which is also mandatory for ports; it can be enabled or disabled. We need to add a port, so we'll use enabled to accept traffic. That's enough for us to know at this moment; here are some examples you can go through. Now I'll display the documentation for the service module. With enabled we can enable a disabled service so that it starts at boot. name is mandatory and specifies the name of the service; we'll reload firewalld by setting the name directive to firewalld. Then state, which is important: it can be reloaded, restarted, started or stopped. For firewalld we'll use reloaded because we need to reload firewalld; for sshd we'll use restarted because we need to restart the sshd daemon. That's enough for now; again there are some examples here. Now I'll clear the screen. Next we'll execute our first ad hoc command, but before that I'll display the SSH daemon config file on the Ansible control node, just for reference, because this file is the same on all the machines.

What we are doing here is replacing this line with the line Port 22, then adding one more line, Port 555, after it. This is all we are going to do in this file. The file also has some information about SELinux: if you want to change the port on an SELinux system you have to tell SELinux about this change, or as I would put it, we must set the correct SELinux context type on the non-default port. For this we are using the seport module. We know we could run the command shown there on the Linux terminal to set the context type, but the objective here is to use only Ansible. I showed you this file just for reference; of course we'll make the changes on mhost4 only. Now I'll clear the screen and run the command: ansible mhost4 -m lineinfile -a "path=/etc/ssh/sshd_config regexp='^#Port' line='Port 22' state=present" -u root. mhost4 is our target, -m lineinfile is the module, and -a provides the arguments: path is the file to be modified; for regexp we use ^#Port, enclosed in single quotation marks, which is mandatory and important; then line, which will replace the line matching this regular expression, or as I would say the line starting with #Port, since the caret means a line starting with this expression; and state=present. The whole list of arguments is enclosed in double quotation marks. Here we must use the -u option to tell Ansible to execute this command as root user, because in the Ansible config file we have set remote_user to ansible, so by default Ansible would execute all commands as the ansible user, but here we need root.

We have an error, and we know why: we need to execute all commands from the directory where the Ansible config file is present. I'll navigate to that directory and execute the same command again. This time we have yellow output, which is a good sign: changed, with the message "line replaced". Now we'll verify the change using the command module: ansible mhost4 -m command -a "cat /etc/ssh/sshd_config" -u root. Scrolling to the top we can see our line: #Port 22 has been replaced with Port 22. I'll clear the screen. Next we'll use insertafter. Here I'll remove the hash from the expression, so it becomes ^Port, and the line we need to add is Port 555. It will find the line starting with Port, and we know we have only one such line, Port 22.

When this line is found, Port 555 is added after it. We'll execute the command. So here we are not replacing a line; we are adding a line after the line matching the regular expression given by insertafter. Now I'll display the file again and move to the top: we have this line, so both ports 22 and 555 are now defined in the SSH daemon config file. Next we'll set the correct SELinux context type on the non-default SSH port using the seport module: ansible mhost4 -m seport -a "ports=555 proto=tcp setype=ssh_port_t state=present" -u root. All the arguments are enclosed in double quotation marks and -u specifies the user. This is all we need to do; it can take some time. Next we need to configure the firewall to allow traffic on port 555. For this we'll use the firewalld module, with ansible, the target mhost4, -m firewalld and -a for the arguments.

With the port directive we specify the port to be enabled on the firewall, 555/tcp, then state=enabled, permanent=yes for permanent changes, and -u root for the user. It's completed. Now we know that after making permanent changes to the firewall we must reload it to make the changes effective, and for this we'll use the service module. But before reloading the firewall, I'll display the firewall configuration on mhost4 using the command module: ansible mhost4 -m command -a "firewall-cmd --list-all" -u root. Here we don't see any port in the ports list. Now I'll reload the firewall, and after reloading it we'll execute this command again to verify the port is in the list: ansible mhost4 -m service -a "name=firewalld state=reloaded" -u root. This is all we need to do. It's completed; I'll clear the screen and again display the firewall configuration on mhost4.

This time we can see 555/tcp in the ports list. Now finally we need to restart the sshd daemon to make the changes we made in the config file effective: ansible mhost4 -m service -a "name=sshd state=restarted" -u root. Again, don't forget to specify the user. Now we have completed all our configuration. I'll clear the screen and check whether mhost4 is reachable on both ports. With ssh mhost4 we are connected; this is the default port. Now I'll specify the port with -p 555, and again we are connected. So we are able to make a connection to mhost4 on both ports, which was the task requirement. The next task requirement is to update the inventory file to tell Ansible to use port 555 to connect to mhost4. We'll exit from here.

Now we are back on the Ansible control node. Here we'll open the inventory file in editing mode and set the host variable for mhost4: we'll change this entry to mhost3 and add mhost4 ansible_port=555. Now Ansible will use port 555 to connect to mhost4. I'll execute this command just to verify that Ansible is able to reach it. Everything is fine. Now I'll make a quick change and set some other port; this command should fail. See, we have the error: no route to host on this port. So from this it is clear that all our definitions are valid. This is all.
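The two lineinfile edits and the two verification steps above can be modelled offline. The following Python is an added example, not code from the lecture or from Ansible: lineinfile() is a simplified model of the regexp, insertafter and firstmatch behaviour described earlier (not the real module), and the sshd_config excerpt and firewall-cmd --list-all output are constructed samples rather than output captured from mhost4.

```python
import re

# Constructed excerpt of a stock sshd_config (sample, not captured from mhost4).
SSHD_CONFIG = "#Port 22\n#AddressFamily any\n#ListenAddress 0.0.0.0\n"
# Constructed `firewall-cmd --list-all` output, as after the firewalld reload.
FIREWALL_LIST_ALL = """public (active)
  target: default
  services: cockpit dhcpv6-client ssh
  ports: 555/tcp
"""

def lineinfile(text, line, regexp=None, insertafter=None, firstmatch=False):
    """Simplified model of ansible.builtin.lineinfile with state=present.
    regexp:      the LAST matching line is replaced by `line`.
    insertafter: with nothing to replace, `line` goes after the LAST match
                 (after the FIRST match when firstmatch=True), else at EOF.
    An identical line that already exists is left alone (idempotent)."""
    lines = text.splitlines()
    target = -1  # index of the line to replace
    anchor = -1  # index of the line to insert after
    for i, cur in enumerate(lines):
        matched = re.search(regexp, cur) if regexp is not None else cur == line
        if matched:
            target = i
        if insertafter is not None and re.search(insertafter, cur):
            if anchor == -1 or not firstmatch:
                anchor = i
    if target == -1 and line in lines:
        target = lines.index(line)  # exact line already present: no change
    if target != -1:
        lines[target] = line  # replace (a no-op when already identical)
    elif anchor != -1:
        lines.insert(anchor + 1, line)
    else:
        lines.append(line)  # lineinfile's default location is EOF
    return "\n".join(lines) + "\n"

def apply_lecture_edits(text):
    """The two ad hoc lineinfile commands from the lecture, in order."""
    text = lineinfile(text, line="Port 22", regexp=r"^#Port")
    return lineinfile(text, line="Port 555", insertafter=r"^Port")

def sshd_ports(text):
    """Ports sshd will listen on: every uncommented 'Port N' directive."""
    return [int(p) for p in re.findall(r"^\s*Port\s+(\d+)", text, re.M)]

def firewall_has_port(list_all_output, port_proto):
    """True if port_proto (e.g. '555/tcp') is in the zone's 'ports:' line."""
    for cur in list_all_output.splitlines():
        key, _, value = cur.strip().partition(":")
        if key == "ports":
            return port_proto in value.split()
    return False

if __name__ == "__main__":
    cfg = apply_lecture_edits(SSHD_CONFIG)
    print(cfg, "sshd ports:", sshd_ports(cfg))
    print("555/tcp allowed:", firewall_has_port(FIREWALL_LIST_ALL, "555/tcp"))
```

sshd_ports() and firewall_has_port() are the offline versions of the two checks done above with the command module; in practice you would feed them the output of those ad hoc commands.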
