Merge of RedHatGov/product-demos (#56)

Co-authored-by: MKletz <michael.kletz.27@gmail.com>
Co-authored-by: Ajay Chenampara <ajay.chenampara@gmail.com>
Co-authored-by: dlemons-redhat <69318976+dlemons-redhat@users.noreply.github.com>
Co-authored-by: Nicolas Leiva <nicolasleiva@gmail.com>
Co-authored-by: benblasco <42140583+benblasco@users.noreply.github.com>
Co-authored-by: Benjamin Blasco <bblasco@redhat.com>
Co-authored-by: calvingsmith <4283930+calvingsmith@users.noreply.github.com>
Co-authored-by: Calvin Smith <calvingsmith@users.noreply.github.com>
Co-authored-by: Hicham Mourad <43329991+HichamMourad@users.noreply.github.com>
willtome
2023-03-17 09:07:02 -04:00
committed by GitHub
parent 8acff9c9b1
commit c18a206499
279 changed files with 5191 additions and 4649 deletions

linux/README.md Normal file

@@ -0,0 +1,91 @@
# Linux Demos
## Table of Contents
- [Linux Demos](#linux-demos)
- [Table of Contents](#table-of-contents)
- [About These Demos](#about-these-demos)
- [Jobs](#jobs)
- [Inventory](#inventory)
- [Post Setup Job Steps](#post-setup-job-steps)
- [Add Red Hat account details](#add-red-hat-account-details)
- [Update Credentials for Insights Inventory](#update-credentials-for-insights-inventory)
- [Add Variables for System Roles](#add-variables-for-system-roles)
- [Suggested Usage](#suggested-usage)
## About These Demos
This category of demos shows examples of linux operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
### Jobs
- [**Linux / Register**](ec2_register.yml) - Register a RHEL server with Red Hat Portal and Insights
- [**Linux / Troubleshoot**](tshoot.yml) - Run troubleshooting commands to find top CPU and memory users on the system
- [**Linux / Temporary Sudo**](temp_sudo.yml) - Grant temporary sudo access to a user on the system with time based cleanup
- [**Linux / Patching**](patching.yml) - Apply updates and/or generate patch report for linux systems
- [**Linux / Start Service**](service_start.yml) - Start a service on a system
- [**Linux / Stop Service**](service_stop.yml) - Stop a service on a system
- [**Linux / Run Shell Script**](run_script.yml) - Run a shell script or command on a system
- [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
- [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
- [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
### Inventory
A dymanic inventory is created to pull inventory hosts from Red Hat Insights. The Systems will be added by their host name therefore adding duplicate systems will cause conflicts in the inventory. Only systems with the tag `purpose=demo` in Red Hat Insights will be added to this inventory. Groups will be created for other tags given to the system.
Groups will also be created for systems with missing security, enhancement and bug updates. The inventory configuration is governed by the [inventory.insights.yml](inventory.insights.yml) file.
> Remember to delete systems from your Red Hat account when you are done with the demo to avoid conflicts with future demos using the same names.
## Post Setup Job Steps
After running the setup job template, there are a few steps required to make the demos fully functional. See the post setup steps below.
> These steps may differ in your environment
### Add Red Hat account details
To register systems to the Red Hat portal and Insights, edit `extra_vars` on the `Linux / Register` job to include your org_id and an [activation key](https://access.redhat.com/management/activation_keys) to use when registering the systems.
### Update Credentials for Insights Inventory
Navigate to the Credentials section and update the `Insights Inventory` credential with your Red Hat Portal login.
### Add Variables for System Roles
Edit the `Linux / System Roles` job to include the list of roles that you wish to apply and the variables applicable for each role. See documentation [here](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles) for configuring System Roles.
## Suggested Usage
**Linux / Register** - Use this job to register systems to Red Hat Insights for showing Advisor recommendations and dynamic inventory. Note that the "Ansible Group" will create an AAP inventory group, as well as tag hosts with that group name in Insights.
**Linux / Troubleshoot** - Use this job to show incident response troubleshooting and basic running of commands with an Ansible Playbook.
**Linux / Temporary Sudo** - Use this job to show how to grant sudo access with automated cleanup to a server. The user must exist on the system. Using the student user is a good example (ie. student1)
**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `node1`. This may be overridden with `extra_vars` on the Job Template.
**Linux / Run Shell Script** - Use this job to demonstrate running shell commands or an existing shell script across a group of systems as root. This can be preferred over using Ad-Hoc commands due to the ability to control usage with RBAC. This is helpful in showing the scalable of execution of an existing shell script. It is always recommended to convert shell scripts to playbooks over time. Example usage would be getting the public key used in the environment with the command `cat .ssh/authorized_keys`.
**Linux / Fact Scan** - Use this job to demonstrate the use of the Ansible Fact Cache, Ansible facts, and the ability to query installed packages and running services on a system.
**Linux / Podman Webserver** - Use this job show managing individual containers with Podman via an Ansible Playbook.
**Linux / System Roles** - This job demonstrates running [RHEL System Roles with AAP. See the documentation [here](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles) for how to configure system roles with variables by editing the extra_vars on the job template.
Example 1:
```
system_roles:
- selinux
selinux_state: enforcing
```
Example 2 (less invasive, and runs faster):
```
system_roles:
- timesync
timesync_ntp_servers:
- hostname: pool.ntp.org
pool: yes
iburst: yes
```
**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
**Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".
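Review bot: two markdown links in this README will not render: the Insights Compliance Scan entry wraps the URL in square brackets (`[Red Hat Insights][https://console.redhat.com]` should be `[Red Hat Insights](https://console.redhat.com)`), and the System Roles paragraph opens a bracket it never closes (`running [RHEL System Roles with AAP.`). Typos to fix in the same pass: "dymanic", "is places on the system", "the scalable of execution", and "ie." for "i.e.". The Jobs list also omits the `LINUX / Install Web Console (cockpit)` and `LINUX / Deploy Application` templates that setup.yml creates in this commit, and the System Roles entry still says "Must provide variables and role names" although the template now ships a default of `selinux` with `selinux_state: enforcing`.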

linux/compliance.yml Normal file

@@ -0,0 +1,15 @@
---
- name: Apply compliance profile
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
compliance_profile: undef
tasks:
- name: Check os type
ansible.builtin.assert:
that: "ansible_os_family == 'RedHat'"
- name: Run compliance profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
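Review bot: `compliance_profile: undef` is interpolated straight into the role name at 'Run compliance profile', so a launch without the survey value fails with a "role redhatofficial.rhelN_undef was not found" error instead of a clear message; extend the existing 'Check os type' assert with `- compliance_profile != 'undef'`, the same way ec2_register.yml guards `org_id`. A comment noting that the job template's `sudo_remove_nopasswd: false` is what prevents the STIG role from locking out NOPASSWD sudo users would also help, since that coupling is currently documented only in the README.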


@@ -0,0 +1,33 @@
---
- name: Application deployment
hosts: "{{ _hosts | default('web') }}"
gather_facts: false
become: true
tasks:
- name: Make sure application is not empty
ansible.builtin.assert:
that:
- "application != ''"
- name: Printing to terminal application information
ansible.builtin.debug:
msg: "This Ansible Playbook will install {{ application }}"
- name: Install application
ansible.builtin.dnf:
name: "{{ application }}"
allow_downgrade: true
register: result
notify: Printing to terminal application information
- name: Printing to terminal application information # noqa: no-handler
ansible.builtin.debug:
msg: "The application: {{ application }} was already installed"
when: not result.changed | bool
handlers:
- name: Printing to terminal application information
ansible.builtin.debug:
msg: "The application: {{ application }} has been installed"
when: result.changed | bool
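Review bot: two tasks and the handler all carry the name 'Printing to terminal application information', and the handler's `when: result.changed | bool` is redundant because a handler only runs when the notifying task reported changed; give the three distinct names (for example 'Report already installed' and 'Report installed') so the job output is readable. Separately, `allow_downgrade: true` together with the free-text `application` survey answer lets whoever launches the job pin an older version of any package; if that is not intended for the demo, drop the option or keep the template's launch permissions tight.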


@@ -1,61 +1,73 @@
---
- hosts: "{{ HOSTS }}"
become: yes
- name: Register ec2 instance with subscription mangler
hosts: "{{ _hosts | default(omit) }}"
become: true
tasks:
- name: set hostname
hostname:
name: "{{ inventory_hostname | regex_replace('_','-')}}"
- name: Check for vars
ansible.builtin.assert:
that:
- org_id is defined
- activation_key is defined
- org_id != ''
- activation_key != ''
- org_id != 'undef'
- activation_key != 'undef'
- name: remove rhui client packages
yum:
name: rh-amazon-rhui-client*
state: removed
- name: Set hostname
ansible.builtin.hostname:
name: "{{ inventory_hostname | regex_replace('_', '-') }}"
- name: get current repos
command:
cmd: ls /etc/yum.repos.d/
register: repos
changed_when: False
# Install subscription-manager if it's not there
- name: Install subscription-manager
ansible.builtin.yum:
name: subscription-manager
state: present
- name: remove existing rhui repos
file:
path: "/etc/yum.repos.d/{{ item }}"
state: absent
loop: "{{ repos.stdout_lines }}"
when: "'rhui' in item"
- name: Remove rhui client packages
ansible.builtin.yum:
name: rh-amazon-rhui-client*
state: removed
- name: install katello package
yum:
name: "https://{{ sat_url }}/pub/katello-ca-consumer-latest.noarch.rpm"
state: present
validate_certs: no
when: sat_url is defined
- name: Get current repos
ansible.builtin.command:
cmd: ls /etc/yum.repos.d/
register: repos
changed_when: false
- name: manage repos with subscription mangler
ansible.builtin.lineinfile:
path: /etc/rhsm/rhsm.conf
regexp: '^manage_repos'
line: 'manage_repos = 1'
- name: Remove existing rhui repos
ansible.builtin.file:
path: "/etc/yum.repos.d/{{ item }}"
state: absent
loop: "{{ repos.stdout_lines }}"
when: "'rhui' in item"
- name: register subscription mangler
community.general.redhat_subscription:
state: present
activationkey: "{{ activation_key }}"
org_id: "{{ org_id }}"
- name: Install katello package
ansible.builtin.yum:
name: "https://{{ sat_url }}/pub/katello-ca-consumer-latest.noarch.rpm"
state: present
validate_certs: false
disable_gpg_check: true
when: sat_url is defined
- name: disable htb repo
community.general.rhsm_repository:
name: rhel-7-server-htb*
state: disabled
ignore_errors: yes
- name: Manage repos with subscription mangler
ansible.builtin.lineinfile:
path: /etc/rhsm/rhsm.conf
regexp: '^manage_repos'
line: 'manage_repos = 1'
- name: configure Red Hat insights
import_role:
name: redhat.insights.insights_client
vars:
insights_display_name: "{{ inventory_hostname }}"
insights_tags:
env: "{{ env }}"
purpose: demo
group: "{{ ansible_group }}"
- name: Register subscription mangler
community.general.redhat_subscription:
state: present
activationkey: "{{ activation_key }}"
org_id: "{{ org_id }}"
- name: Configure Red Hat insights
ansible.builtin.import_role:
name: redhat.insights.insights_client
vars:
insights_display_name: "{{ inventory_hostname }}"
insights_tags:
env: "{{ env }}"
purpose: demo
group: "{{ insights_tag }}"
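Review bot: 'Install katello package' now disables both TLS verification (`validate_certs: false`) and signature checking (`disable_gpg_check: true`) while fetching katello-ca-consumer-latest.noarch.rpm from `{{ sat_url }}`, and that RPM installs a CA certificate into the host trust store, so any host on the path to the Satellite could substitute its own package and CA; keep `validate_certs: true` (or download with `ansible.builtin.get_url` and a `checksum:`) and leave GPG checking on unless the reason for bypassing it is recorded in a comment. Minor: 'subscription mangler' in the play name and three task names should read 'subscription manager', and `env` is consumed by `insights_tags` but is not covered by the 'Check for vars' assert.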

linux/fact_scan.yml Normal file

@@ -0,0 +1,11 @@
---
- name: Scan host for facts
hosts: "{{ _hosts | default(omit) }}"
become: true
tasks:
- name: Get packages
ansible.builtin.package_facts:
- name: Get services
ansible.builtin.service_facts:
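Review bot: with this file replacing the external awx-facts-playbooks project, the README's 'Linux / Fact Scan' entry still links to https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml and should point at linux/fact_scan.yml instead; the `LINUX / Fact Scan` template in setup.yml already does.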

linux/hardening.yml Normal file

@@ -0,0 +1,31 @@
---
- name: Harden linux systems
hosts: "{{ _hosts | default('web') }}"
become: true
vars:
harden_firewall: false
harden_time: false
harden_ssh: false
harden_pci: false
tasks:
- name: Configure Firewall
when: harden_firewall | bool
ansible.builtin.include_role:
name: linux-system-roles.firewall
- name: Configure Timesync
when: harden_time | bool
ansible.builtin.include_role:
name: redhat.rhel_system_roles.timesync
- name: SSH Hardening
when: harden_ssh | bool
ansible.builtin.include_role:
name: dev-sec.ssh-hardening
# run with --skip-tags accounts_passwords_pam_faillock_deny
- name: Apply PCI Baseline
when: harden_pci | bool
ansible.builtin.include_role:
name: redhatofficial.rhel8_pci_dss
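Review bot: the four roles are referenced in three different naming styles: `linux-system-roles.firewall` (the legacy standalone role name) next to `redhat.rhel_system_roles.timesync` (the collection FQCN used elsewhere in this commit), `dev-sec.ssh-hardening`, and `redhatofficial.rhel8_pci_dss` with a hard-coded major version where compliance.yml derives it from `ansible_distribution_major_version`. Use `redhat.rhel_system_roles.firewall` and template the major version so the play also works on RHEL 9 and on an execution environment that only carries the collection. The `--skip-tags accounts_passwords_pam_faillock_deny` comment is a launch-time requirement that belongs in the README, and none of the controller_templates visible in this diff reference hardening.yml, so it is not reachable from the controller as set up.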


@@ -0,0 +1,25 @@
---
- name: Run compliance scan with Red Hat Insights
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
compliance_profile_configured: undef
tasks:
- name: Check OS Type
ansible.builtin.assert:
that: "ansible_os_family == 'RedHat'"
- name: Check variable values
ansible.builtin.debug:
msg: "Value of compliance_profile_configured is {{ compliance_profile_configured }}"
- name: Run Insights Compliance scan
ansible.builtin.import_role:
name: redhat.insights.compliance
when: compliance_profile_configured == "Yes"
- name: Notify user that Compliance scan is not being attempted
ansible.builtin.debug:
msg: "User has not confirmed that all hosts are associated with an Insights Compliance profile. Scan aborted."
when: compliance_profile_configured == "No"
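Review bot: both `when` clauses match only the exact strings "Yes" and "No", so with the default `compliance_profile_configured: undef` (or any other value passed from the API) neither the scan nor the 'Scan aborted' message runs and the play finishes green having done nothing; replace the 'Check variable values' debug with an assert that the value is in `['Yes', 'No']`, or normalise with `| bool` and keep a single condition.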


@@ -1,11 +1,11 @@
---
plugin: redhat.insights.insights
get_patches: yes
get_patches: true
groups:
patch_bugs: insights_patching.rhba_count > 0
patch_enhancements: insights_patching.rhea_count > 0
patch_security: insights_patching.rhsa_count > 0
get_tags: yes
get_tags: true
selection: none
filter_tags:
- insights-client/purpose=demo


@@ -1,38 +1,46 @@
---
- hosts: "{{ HOSTS }}"
become: yes
- name: Linux server patching
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
report_server: node1
tasks:
- include_role:
name: demo.patching.patch_linux
# Install yum-utils if it's not there
- name: Install yum-utils
ansible.builtin.yum:
name: yum-utils
state: installed
- block:
- yum:
name: httpd
state: latest
check_mode: no
- name: Include patching role
ansible.builtin.include_role:
name: demo.patching.patch_linux
- file:
path: /var/www/html/reports/
state: directory
check_mode: no
- name: Tell user when Insights Client is not configured
ansible.builtin.debug:
msg: "Insights client does not appear to be configured. Scan will be skipped"
when:
- ansible_local.insights.system_id is not defined
- copy:
dest: /var/www/html/reports/.htaccess
content: Options +Indexes
check_mode: no
- name: Run the Insights Client Scan # noqa: no-changed-when
ansible.builtin.command: insights-client
when:
- not ansible_check_mode
- ansible_local.insights.system_id is defined
- service:
name: httpd
state: started
check_mode: no
- name: Deploy report server
delegate_to: "{{ report_server }}"
run_once: true # noqa: run-once[task]
block:
- name: Build report server
ansible.builtin.include_role:
name: "{{ item }}"
loop:
- demo.patching.report_server
- demo.patching.report_linux
- demo.patching.report_linux_patching
- include_role:
name: demo.patching.report_linux
- include_role:
name: demo.patching.report_linux_patching
delegate_to: "{{ report_server }}"
run_once: yes
- name: Publish landing page
ansible.builtin.include_role:
name: demo.patching.report_server
tasks_from: linux_landing_page
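Review bot: the old version set `check_mode: no` on the httpd install, the reports directory, the .htaccess copy and the service start so the report server was still built when the job ran in check mode; the new 'Deploy report server' block drops that, and since setup.yml keeps `job_type: check` as this template's default, the three report roles now run in check mode too unless they disable it internally. Add `check_mode: false` on the block to preserve the old behaviour. Also `state: installed` for yum-utils is a deprecated alias of `present`, and `ansible_local.insights.system_id` is only present once insights-client has registered the host, so the 'not configured' message will also fire on hosts where the Register job has not yet run; say so in the message.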


@@ -1,38 +0,0 @@
---
- hosts: "{{ HOSTS }}"
become: yes
vars:
report_server: node1
tasks:
- include_role:
name: demo.patching.patch_linux
- block:
- yum:
name: httpd
state: latest
check_mode: no
- file:
path: /var/www/html/reports/
state: directory
check_mode: no
- copy:
dest: /var/www/html/reports/.htaccess
content: Options +Indexes
check_mode: no
- service:
name: httpd
state: started
check_mode: no
- include_role:
name: demo.patching.report_linux
- include_role:
name: demo.patching.report_linux_patching
delegate_to: "{{ report_server }}"
run_once: yes


@@ -1,51 +1,55 @@
---
- name: Podman
hosts: "{{ HOSTS }}"
hosts: "{{ _hosts | default(omit) }}"
vars:
volume_path: podman
message: undef
tasks:
- name: Install Podman
ansible.builtin.dnf:
name: podman
state: latest
become: yes
- name: Install Podman
ansible.builtin.dnf:
name: podman
state: installed
become: true
- name: Create volume dir
ansible.builtin.file:
path: "{{ volume_path }}"
state: directory
- name: Create volume dir
ansible.builtin.file:
path: "{{ volume_path }}"
state: directory
mode: "0775"
- name: Create index.html
ansible.builtin.copy:
dest: "{{ volume_path }}/index.html"
content: "{{ message }}"
- name: Create index.html
ansible.builtin.copy:
dest: "{{ volume_path }}/index.html"
content: "{{ message }}"
mode: "0664"
- name: Run httpd container
containers.podman.podman_container:
name: apache
image: docker.io/httpd
state: started
volume:
- "{{ volume_path }}:/usr/local/apache2/htdocs"
ports:
- "8080:80"
- name: Run httpd container
containers.podman.podman_container:
name: apache
image: docker.io/httpd
state: started
volume:
- "./{{ volume_path }}/:/usr/local/apache2/htdocs:z"
ports:
- "8081:80"
- name: Check Web Page
ansible.builtin.uri:
url: http://127.0.0.1:8080
return_content: yes
register: web_output
changed_when: false
- name: Check Web Page
ansible.builtin.uri:
url: http://127.0.0.1:8081
return_content: true
register: web_output
changed_when: false
- name: podman ps
shell: podman ps
register: podman_output
changed_when: false
- name: Podman ps
ansible.builtin.command: podman ps
register: podman_output
changed_when: false
- name: Output
ansible.builtin.debug:
msg:
- "{{ podman_output.stdout_lines }}"
- "{{ web_output.content }}"
- name: Output
ansible.builtin.debug:
msg:
- "Output of podman ps command:"
- "{{ podman_output.stdout_lines }}"
- "Contents of web page:"
- "{{ web_output.content }}"
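Review bot: `image: docker.io/httpd` carries no tag or digest, so every run pulls whatever `latest` resolves to and the demo is not reproducible; pin a 2.4 tag or a digest. The survey `message` is written into index.html unescaped and served by the container, which is acceptable for a demo but deserves a comment because the survey is free text. The port move from 8080 to 8081 (container mapping and 'Check Web Page') should be called out in the README, and `state: installed` on the Podman install is a deprecated alias of `present`.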


@@ -1,15 +1,22 @@
---
- name: Run Shell Script
hosts: "{{ HOSTS }}"
become: yes
gather_facts: no
hosts: "{{ _hosts | default(omit) }}"
become: true
gather_facts: false
vars:
shell_script: undef
tasks:
- name: Run Shell Script
shell: "{{ shell_script }}"
ansible.builtin.shell: "{{ shell_script }}"
register: shell_output
tags:
- skip_ansible_lint # provided variable could require shell modele
- debug:
- name: Print script output
ansible.builtin.debug:
var: shell_output.stdout_lines
- name: Print message
ansible.builtin.debug:
msg: You should really consider converting this script to a playbook!
run_once: yes
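Review bot: `run_once: yes` on 'Print message' should become `run_once: true` to match the yes/no to true/false normalisation applied everywhere else in this commit, and the tag comment has a typo ('modele'). Because `ansible.builtin.shell: "{{ shell_script }}"` runs the survey text verbatim with `become: true`, the template's launch permissions are the only control on what executes; the README already states this, so a one-line comment here pointing to it would help anyone who copies the playbook out of the demo.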


@@ -1,14 +1,16 @@
---
- hosts: "{{ HOSTS }}"
- name: Start service
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
service_name: undef
tasks:
- name: Check Service
service_facts:
- name: Check Service
ansible.builtin.service_facts:
- name: Start Service
service:
name: "{{ service_name }}"
state: started
when: service_name + '.service' in services
- name: Start Service
ansible.builtin.service:
name: "{{ service_name }}"
state: started
when: service_name + '.service' in services
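Review bot: `when: service_name + '.service' in services` silently skips the start when the unit is unknown, so a typo in the survey answer yields a green job with nothing started; add a preceding `ansible.builtin.assert` (or `fail`) that names the missing unit. The same pattern is in service_stop.yml below.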


@@ -1,14 +1,16 @@
---
- hosts: "{{ HOSTS }}"
- name: Stop service
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
service_name: undef
tasks:
- name: Check Service
service_facts:
- name: Check Service
ansible.builtin.service_facts:
- name: Stop Service
service:
name: "{{ service_name }}"
state: stopped
when: service_name + '.service' in services
- name: Stop Service
ansible.builtin.service:
name: "{{ service_name }}"
state: stopped
when: service_name + '.service' in services


@@ -1,8 +1,8 @@
---
user_message: |
Be sure to update the 'activation_key' and 'org_id' extra variables for 'LINUX / Register'. https://access.redhat.com/management/activation_keys
Update Credential for Insights Inventory with Red Hat account.
user_message:
- Update the 'activation_key' and 'org_id' extra variables for 'LINUX / Register with Insights'. https://access.redhat.com/management/activation_keys
- Update Credential for Insights Inventory with Red Hat account.
- Add variables for system_roles. https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles
controller_components:
- projects
- credential_types
@@ -10,14 +10,8 @@ controller_components:
- inventory_sources
- job_templates
controller_projects:
- name: Fact Scan
organization: Default
scm_type: git
scm_url: 'https://github.com/ansible/awx-facts-playbooks.git'
controller_credential_types:
- name: "Insights Collection"
- name: Insights Collection
kind: cloud
inputs:
fields:
@@ -49,27 +43,28 @@ controller_inventory_sources:
source_path: linux/inventory.insights.yml
credential: Insights Inventory
controller_templates:
- name: "LINUX / Register"
- name: "LINUX / Register with Insights"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/ec2_register.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
extra_vars:
activation_key: undef
org_id: undef
activation_key: !unsafe "RHEL{{ ansible_distribution_major_version }}_{{ env }}"
org_id: REPLACEME
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- question_name: Choose Environment
type: multiplechoice
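Review bot: `org_id: REPLACEME` is now dead configuration because 'Org ID' is added as a required survey question in this same file, and ec2_register.yml's 'Check for vars' assert only rejects '' and 'undef'; either drop the placeholder from `extra_vars` or add `- org_id != 'REPLACEME'` to that assert so an API launch that bypasses the survey fails fast. The `!unsafe` tag on `activation_key` is needed to stop the setup play from rendering `{{ ansible_distribution_major_version }}` and `{{ env }}` before the value reaches the controller; a comment saying so would save the next reader from removing it.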
@@ -79,19 +74,26 @@ controller_templates:
- QA
- Prod
required: true
- question_name: Ansible Group
- question_name: Ansible Inventory Group (and Insights tag) to be created
type: text
variable: ansible_group
variable: insights_tag
required: true
- question_name: Org ID
type: text
variable: org_id
required: true
- name: "LINUX / Troubleshoot"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/tshoot.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -99,16 +101,19 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- name: "LINUX / Temporary Sudo"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/temp_sudo.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -116,7 +121,7 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- question_name: User Name
type: text
@@ -127,17 +132,20 @@ controller_templates:
variable: sudo_time
default: 10
required: true
- name: "LINUX / Patching"
job_type: run
job_type: check
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/patching.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
job_type: check
ask_job_type_on_launch: yes
ask_job_type_on_launch: true
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -145,17 +153,20 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- name: "LINUX / Start Service"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/service_start.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -163,21 +174,24 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- question_name: Service Name
type: text
variable: service_name
required: true
- name: "LINUX / Stop Service"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/service_stop.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -185,20 +199,23 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- question_name: Service Name
type: text
variable: service_name
required: true
- name: "LINUX / Run Shell Script"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/run_script.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -206,29 +223,44 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- question_name: Shell Script
type: textarea
variable: shell_script
required: true
- name: "LINUX / Fact Scan"
project: Fact Scan
playbook: scan_facts.yml
project: "Ansible official demo project"
playbook: linux/fact_scan.yml
inventory: Workshop Inventory
execution_environment: Default execution environment
ask_limit_on_launch: true
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
credentials:
- Workshop Credential
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- name: "LINUX / Podman Webserver"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/podman.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
@@ -236,24 +268,31 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
variable: _hosts
required: true
- question_name: Web Page Message
type: textarea
variable: message
required: true
default: "This is Apache webserver running in a container with podman"
- name: "LINUX / System Roles"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/system_roles.yml"
execution_environment: Default execution environment
diff_mode: yes
ask_job_type_on_launch: yes
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
diff_mode: true
ask_job_type_on_launch: true
extra_vars:
system_roles: undef
system_roles:
- selinux
selinux_policy: targeted
selinux_state: enforcing
credentials:
- "Workshop Credential"
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
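Review bot: the new `extra_vars` default of `system_roles: [selinux]` with `selinux_state: enforcing` means a launch with no overrides switches SELinux to enforcing on every targeted host; that is a deliberate demo default, but `diff_mode: true` and `ask_job_type_on_launch: true` are the only hints, so state it in the README's System Roles entry (which still says the user must supply roles and variables) and show the `extra_vars` override.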
@@ -261,5 +300,117 @@ controller_templates:
spec:
- question_name: Server Name or Pattern
type: text
variable: HOSTS
required: true
variable: _hosts
required: true
- name: "LINUX / Install Web Console (cockpit)"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/system_roles.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
diff_mode: true
ask_job_type_on_launch: true
extra_vars:
system_roles:
- cockpit
credentials:
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Cockpit package load
type: multiplechoice
variable: cockpit_packages
default: minimal
choices:
- default
- minimal
- full
required: true
- name: "LINUX / Compliance Enforce"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Workshop Credential"
extra_vars:
sudo_remove_nopasswd: false
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- stig
- name: "LINUX / Insights Compliance Scan"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/insights_compliance_scan.yml"
credentials:
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Have you associated a compliance profile in the Insights Console for all hosts to be scanned? If not, then the scan will fail.
type: multiplechoice
variable: compliance_profile_configured
required: true
choices:
- "Yes"
- "No"
default: "No"
- name: "LINUX / Deploy Application"
job_type: run
inventory: "Workshop Inventory"
project: "Ansible official demo project"
playbook: "linux/deploy_application.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
credentials:
- "Workshop Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Application Package Name
type: text
variable: application
required: true
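Review bot: 'LINUX / Install Web Console (cockpit)', 'LINUX / Compliance Enforce' and 'LINUX / Insights Compliance Scan' omit `execution_environment: Default execution environment`, which every other template in this file sets, and the Insights Compliance Scan entry also omits the three Telemetry `notification_templates_*` keys; add them so these jobs run in the same EE and report like the rest of the demo. The Insights Compliance Scan survey prompt is a full sentence with the failure behaviour embedded; keep the prompt short and move "If not, then the scan will fail" into `question_description`. 'Compliance Profile' offers only `stig`, which is fine, but since compliance.yml builds the role name from the answer, any choice added later needs a matching `redhatofficial.rhelN_<profile>` role in the EE.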


@@ -1,13 +1,14 @@
---
- name: Apply RHEL System Roles
hosts: "{{ HOSTS }}"
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
system_roles: undef
tasks:
- name: Apply System Roles
include_role:
ansible.builtin.include_role:
name: "redhat.rhel_system_roles.{{ item }}"
loop: "{{ system_roles }}"
when:
- system_roles | d("") | length > 0
- system_roles | d("") | length > 0


@@ -1,8 +1,8 @@
---
- name: Temporary Sudo
hosts: "{{ HOSTS }}"
become: yes
gather_facts: no
hosts: "{{ _hosts | default(omit) }}"
become: true
gather_facts: false
vars:
sudo_cleanup: true
sudo_user: undef
@@ -11,31 +11,31 @@
tasks:
- name: Check if sudo user exists on system
getent:
ansible.builtin.getent:
database: passwd
key: "{{ sudo_user }}"
- name: Check Cleanup package
yum:
ansible.builtin.yum:
name: at
state: latest
state: present
- name: Check Cleanup Service
service:
ansible.builtin.service:
name: atd
state: started
- name: Create Sudo Rule
copy:
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ sudo_user }}"
owner: root
group: root
mode: 0640
mode: "0640"
content: "{{ sudo_user }} ALL=(ALL) NOPASSWD:ALL"
- name: Set Permission Cleanup
at:
ansible.posix.at:
command: "rm /etc/sudoers.d/{{ sudo_user }}"
count: "{{ sudo_time }}"
units: "{{ sudo_units }}"
when: sudo_cleanup|bool
when: sudo_cleanup | bool


@@ -1,29 +1,29 @@
---
- name: gather debug info
hosts: "{{ HOSTS }}"
become: yes
- name: Gather debug info
hosts: "{{ _hosts | default(omit) }}"
become: true
tasks:
- name: Gather recent vmstat info
command: /bin/vmstat 1 5
- name: Gather recent vmstat info # noqa: no-changed-when
ansible.builtin.command: /bin/vmstat 1 5
register: vmstat
- name: Gather top CPU hogs
command: ps -eo user,pid,size,pcpu,cmd --sort=-pcpu
- name: Gather top CPU hogs # noqa: no-changed-when
ansible.builtin.command: ps -eo user,pid,size,pcpu,cmd --sort=-pcpu
register: pscpu
- name: Gather top memory hogs
command: ps -eo user,pid,size,pcpu,cmd --sort=-size
- name: Gather top memory hogs # noqa: no-changed-when
ansible.builtin.command: ps -eo user,pid,size,pcpu,cmd --sort=-size
register: pssize
- name: Swap + wait states
debug:
ansible.builtin.debug:
var: vmstat.stdout_lines
- name: Top 3 CPU hogs
debug:
ansible.builtin.debug:
var: pscpu.stdout_lines[:4]
- name: Top 3 memory hogs
debug:
var: pssize.stdout_lines[:4]
ansible.builtin.debug:
var: pssize.stdout_lines[:4]