rhel-system-roles.selinux
This is a system role, obtained by installing the rhel-system-roles package. It can:
- set the SELinux state (enforcing, permissive or disabled) and the policy type
- restore the default file contexts of selected directories (restorecon)
- manage SELinux booleans and file context mappings
- manage SELinux logins and port labels
Usage examples
Setting or changing the policy type and mode
[root@localhost project2]# vim selinux.yml
---
- hosts: 192.168.190.134
  vars:
    selinux_policy: targeted
    selinux_state: permissive
  roles:
    - role: roles/rhel-system-roles.selinux
Note: switching between enforcing and permissive takes effect immediately, because the role does the equivalent of setenforce and also writes the new state to /etc/selinux/config. Switching to or from disabled only takes effect after a reboot, so for that case a reboot has to be part of the play, as in the next example. Keep in mind that disabled removes every SELinux check and stops new files from being labelled (a relabel is needed when it is turned back on); for troubleshooting, permissive is the safer choice, since it keeps logging denials to the audit log without blocking anything, and enforcing should be restored once the problem is fixed.
Rebooting the managed host and changing the mode
[root@localhost project2]# vim selinux.yml
---
- hosts: 192.168.190.134
  vars:
    selinux_policy: targeted
    selinux_state: disabled
  tasks:
    - name: apply SElinux role
      block:
        - include_role:
            name: roles/rhel-system-roles.selinux
      rescue:
        # The role fails on purpose when a reboot is pending; any other failure is re-raised here
        - name: check
          fail:
          when: not selinux_reboot_required
        - name: reboot
          reboot:
        # Run the role again after the reboot so the remaining settings are applied
        - name: changed
          include_role:
            name: roles/rhel-system-roles.selinux
......
[root@localhost ~]# getenforce    # check the mode on the managed host
Disabled
Note: the role sets the fact selinux_reboot_required from the result of the selinux module, so it is true only when the requested change needs a reboot (switching to or from disabled). When it is true the role deliberately ends in a failed task, which sends the play into the rescue block: the check task re-raises the failure if the cause was something other than a pending reboot, otherwise the host is rebooted and the role is included again.
Changing boolean values of rules in the targeted policy
Turn on the samba_enable_home_dirs and ssh_sysadm_login booleans, and make ssh_sysadm_login persistent across reboots. Both widen what a confined service may do (samba_enable_home_dirs lets Samba share users' home directories, ssh_sysadm_login allows SSH logins into the sysadm_r role), so turn them on only where the service really needs them. A boolean set without persistent: yes is changed at runtime only and reverts at the next reboot, which is what happens to samba_enable_home_dirs here.
[root@localhost project2]# !vim
vim test.yml
---
- hosts: 192.168.190.134
  vars:
    selinux_booleans:
      - name: 'samba_enable_home_dirs'
        state: on
      - name: 'ssh_sysadm_login'
        state: on
        persistent: yes
  roles:
    - role: roles/rhel-system-roles.selinux
[root@localhost ~]# getsebool -a | grep -e '^samba_enable_home*'    # on the managed host the boolean is now on
samba_enable_home_dirs --> on
[root@localhost ~]# getsebool -a | grep -e '^ssh_sysadm_*'
ssh_sysadm_login --> on
Setting the SELinux context type
[root@localhost project2]# vim test.yml
---
- hosts: 192.168.190.134
  vars:
    selinux_fcontexts:
      - target: /opt/www(/.*)?
        setype: httpd_sys_content_t
        state: present
    selinux_restore_dirs:
      - /opt/www
  roles:
    - role: roles/rhel-system-roles.selinux
[root@localhost www]# ls -Z
unconfined_u:object_r:httpd_sys_content_t:s0 html
The context type of the files under this directory has changed to httpd_sys_content_t. selinux_fcontexts only records the mapping (the same as semanage fcontext -a); it is the restorecon triggered by selinux_restore_dirs that relabels the files already on disk, so both variables are needed for existing content.
Setting SELinux port labels
[root@localhost project2]# !vim
vim test.yml
---
- hosts: 192.168.190.134
  vars:
    selinux_ports:
      - ports: '9528'
        proto: tcp
        setype: http_port_t    # the type for httpd ports is http_port_t (there is no httpd_port_t)
        state: present
  roles:
    - role: roles/rhel-system-roles.selinux
[root@localhost www]# semanage port -l | grep http_port_t    # on the managed host, port 9528 has been added
http_port_t                    tcp      9528, 80, 81, 443, 488, 8008, 8009, 8443, 9000
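A successful playbook run only shows that the role applied its changes at that moment; it does not prove that the host still matches the desired state later. The script below is an added example (not part of the original page or of rhel-system-roles) that checks a managed host against the settings from the playbooks above by parsing the output of getenforce, getsebool -a and semanage port -l. The booleans and the port come from this page; the expected mode of Enforcing is an assumption of mine (the page switches to permissive and disabled only to demonstrate the role), and the sample outputs are constructed from the command output shown above, with an extra unreserved_port_t row so that port ranges are exercised.

```python
"""Check a managed host against the SELinux settings applied by the playbooks above.

Added example, not part of the original page or of rhel-system-roles: it parses
the output of getenforce, getsebool -a and semanage port -l and reports every
deviation from EXPECTED. The booleans and the port mirror the playbooks on this
page; the mode target of Enforcing is an assumption (what a hardened host should
report; the page switches to permissive/disabled only to demonstrate the role).
"""
import re
import subprocess

EXPECTED = {
    "mode": "Enforcing",  # assumption, see module docstring
    "booleans": {"samba_enable_home_dirs": "on", "ssh_sysadm_login": "on"},
    "ports": {("tcp", 9528): "http_port_t"},
}

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")


def parse_getsebool(text):
    """Turn 'name --> on' lines from getsebool -a into {name: 'on' | 'off'}."""
    booleans = {}
    for line in text.splitlines():
        match = re.match(r"^(\S+)\s+-->\s+(on|off)\s*$", line)
        if match:
            booleans[match.group(1)] = match.group(2)
    return booleans


def parse_semanage_ports(text):
    """Turn 'semanage port -l' rows into (setype, proto, low, high) tuples.

    Single ports become a range of one; the header line is skipped because its
    second field is not a protocol name.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in PROTOCOLS:
            continue
        setype, proto, ports = parts
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((setype, proto, int(low), int(high or low)))
    return entries


def port_types(entries, proto, port):
    """All SELinux port types whose definitions cover proto/port (ranges included)."""
    return {setype for setype, p, low, high in entries if p == proto and low <= port <= high}


def findings(getenforce_out, getsebool_out, semanage_out, expected=EXPECTED):
    """Compare captured command output with the expected state; an empty list means compliant."""
    problems = []
    mode = getenforce_out.strip()
    if mode != expected["mode"]:
        problems.append(f"mode is {mode}, expected {expected['mode']}")
    booleans = parse_getsebool(getsebool_out)
    for name, want in expected["booleans"].items():
        have = booleans.get(name, "unset")
        if have != want:
            problems.append(f"boolean {name} is {have}, expected {want}")
    entries = parse_semanage_ports(semanage_out)
    for (proto, port), setype in expected["ports"].items():
        have = port_types(entries, proto, port)
        if setype not in have:
            problems.append(f"{proto}/{port} carries {sorted(have) or 'no label'}, expected {setype}")
    return problems


# Constructed sample output, taken from the command output shown on this page
# (the unreserved_port_t row is added so the range handling is exercised).
SAMPLE_GETENFORCE = "Disabled\n"
SAMPLE_GETSEBOOL = "samba_enable_home_dirs --> on\nssh_sysadm_login --> on\n"
SAMPLE_SEMANAGE = (
    "SELinux Port Type              Proto    Port Number\n\n"
    "http_port_t                    tcp      9528, 80, 81, 443, 488, 8008, 8009, 8443, 9000\n"
    "unreserved_port_t              tcp      61001-65535, 1024-32767\n"
)

if __name__ == "__main__":
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    problems = findings(run("getenforce"), run("getsebool", "-a"), run("semanage", "port", "-l"))
    for problem in problems:
        print("DEVIATION:", problem)
    raise SystemExit(1 if problems else 0)
```

Copied to the managed host, python3 check_selinux.py exits non-zero on any deviation, so it can serve as a post-task check (for instance pushed with ansible.builtin.script) or as a periodic drift check; the EXPECTED dictionary is the only part that needs adapting. Running it against the Disabled host from the example above reports exactly one deviation, the mode.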
rhel-system-roles.network
Using the network role to configure the managed host's IPv4 address
Steps:
1. Look at the NICs on the managed host: the newly added NIC has no connection yet, so no IP address or related settings are configured
[root@localhost ~]# ip a
......
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
2. Install rhel-system-roles on the control node and copy the network role into the project directory.
[root@localhost ~]# yum install -y rhel-system-roles
......
Installed:
rhel-system-roles-1.0-10.el8_1.noarch
Complete!
[root@localhost ~]# cd /usr/share/ansible/roles
[root@localhost roles]# ls
linux-system-roles.kdump linux-system-roles.storage rhel-system-roles.postfix
linux-system-roles.network linux-system-roles.timesync rhel-system-roles.selinux
linux-system-roles.postfix rhel-system-roles.kdump rhel-system-roles.storage
linux-system-roles.selinux rhel-system-roles.network rhel-system-roles.timesync
[root@localhost roles]# cp -a rhel-system-roles.network /project2/roles
3. Write a playbook that calls the network role to configure the IP address on the managed host
[root@localhost project2]# vim test.yml
---
- hosts: 192.168.190.134
  vars:
    network_connections:
      - name: ens224
        type: ethernet
        ip:
          route_metric4: 100
          dhcp4: no
          gateway4: 192.168.190.254
          dns:
            - 144.144.144.144
            - 8.8.8.8
          address:
            - 192.168.190.136/24
  roles:
    - role: roles/rhel-system-roles.network
4. Run the playbook and check the IP configuration on the managed host
[root@localhost ~]# ip a
......
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.190.136/24 brd 192.168.190.255 scope global noprefixroute ens224
       valid_lft forever preferred_lft forever
    inet6 fe80::ea28:75af:f8c8:fccb/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
The IP address has been configured.
[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens224    # the NIC configuration file has been generated
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
ETHTOOL_OPTS="-K ens224"
BOOTPROTO=none
IPADDR=192.168.190.136
PREFIX=24
GATEWAY=192.168.190.254
DNS1=144.144.144.144
DNS2=8.8.8.8
DEFROUTE=yes
The mapping from the role variables is visible in the file: dhcp4: no became BOOTPROTO=none, address became IPADDR and PREFIX, gateway4 became GATEWAY and the dns list became DNS1 and DNS2.
Deactivating the connection created above
Steps:
1. Write a playbook in the same way, calling the network role
[root@localhost project2]# !vim
vim test2.yml
---
- hosts: 192.168.190.134
  vars:
    network_connections:
      - name: ens224
        state: down
  roles:
    - role: roles/rhel-system-roles.network
2. Check the state of this NIC on the managed host
[root@localhost project2]# ansible control2 -a 'ip a' -i inventory
control2 | CHANGED | rc=0 >>
......
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
The inet line with 192.168.190.136/24 is gone. The link flags still read UP because NetworkManager keeps a managed device administratively up to watch for carrier, so the missing address, or nmcli con show (which lists an inactive connection with -- in the DEVICE column), is what confirms that the connection is down.
Activating the connection
Steps:
1. Change the state value and run the playbook
[root@localhost project2]# vim test2.yml
---
- hosts: 192.168.190.134
  vars:
    network_connections:
      - name: ens224
        state: up
  roles:
    - role: roles/rhel-system-roles.network
2. Check the managed host: ens224 is connected again.
[root@localhost project2]# ansible control2 -a 'nmcli con show' -i inventory
control2 | CHANGED | rc=0 >>
NAME    UUID                                  TYPE      DEVICE
ens160  88b8c211-3684-44b5-98b9-21a3f221177d  ethernet  ens160
ens224  e9f31206-1e35-414d-8262-76790a63f8ad  ethernet  ens224
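Because ip a still shows the link as UP after state: down, the output is easy to misread. The script below is an added example (not part of the original page or of rhel-system-roles.network) that parses ip a and nmcli con show and classifies a connection by name and expected address, the way a post-check after the playbooks above would. The name ens224 and the address 192.168.190.136/24 come from this page; the status strings and the script name check_connection.py are my own, and the sample outputs are constructed from the output shown above.

```python
"""Classify a NetworkManager connection from the managed host's own 'ip a' and 'nmcli con show' output.

Added example, not part of the original page or of rhel-system-roles.network.
'ip a' alone is misleading after state: down, because NetworkManager keeps the link
administratively UP; the absent inet line and the '--' in nmcli's DEVICE column are
what tell that the connection is inactive.
"""
import re
import subprocess
import sys

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)\S*: <([^>]*)>.* state (\S+)")
ADDR_RE = re.compile(r"^\s+(inet6?) (\S+)")


def parse_ip_addr(text):
    """'ip a' output -> {ifname: {'flags': [...], 'state': str, 'inet': [...], 'inet6': [...]}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = {"flags": head.group(2).split(","), "state": head.group(3), "inet": [], "inet6": []}
            ifaces[head.group(1)] = current
        elif current is not None:
            addr = ADDR_RE.match(line)
            if addr:
                current[addr.group(1)].append(addr.group(2))
    return ifaces


def parse_nmcli_con_show(text):
    """'nmcli con show' -> {name: {'uuid', 'type', 'device'}}, device None for an inactive profile.

    Fields are sliced at the header's column offsets so profile names containing spaces survive.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    starts = [lines[0].index(col) for col in ("NAME", "UUID", "TYPE", "DEVICE")]
    rows = {}
    for line in lines[1:]:
        name, uuid, ctype, device = (line[s:e].strip() for s, e in zip(starts, starts[1:] + [None]))
        rows[name] = {"uuid": uuid, "type": ctype, "device": None if device == "--" else device}
    return rows


def connection_status(ip_text, nmcli_text, name, expected_cidr):
    """'active-configured', 'active-wrong-address', 'inactive', 'inactive-address-remains' or 'unknown'."""
    row = parse_nmcli_con_show(nmcli_text).get(name)
    if row is None:
        return "unknown"
    ifaces = parse_ip_addr(ip_text)
    if row["device"] is None:
        # a profile that is down must not leave its address behind on any interface
        leftover = [n for n, i in ifaces.items() if expected_cidr in i["inet"]]
        return "inactive-address-remains" if leftover else "inactive"
    inet = ifaces.get(row["device"], {"inet": []})["inet"]
    return "active-configured" if expected_cidr in inet else "active-wrong-address"


# Constructed samples, built from the 'ip a' and 'nmcli con show' output shown on this page.
IP_AFTER_UP = """\
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.190.136/24 brd 192.168.190.255 scope global noprefixroute ens224
       valid_lft forever preferred_lft forever
    inet6 fe80::ea28:75af:f8c8:fccb/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""
IP_AFTER_DOWN = """\
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
"""
NMCLI_UP = """\
NAME    UUID                                  TYPE      DEVICE
ens160  88b8c211-3684-44b5-98b9-21a3f221177d  ethernet  ens160
ens224  e9f31206-1e35-414d-8262-76790a63f8ad  ethernet  ens224
"""
NMCLI_DOWN = NMCLI_UP.replace("ethernet  ens224", "ethernet  --")

if __name__ == "__main__":
    # usage on the managed host: python3 check_connection.py ens224 192.168.190.136/24
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    print(connection_status(run("ip", "a"), run("nmcli", "con", "show"), sys.argv[1], sys.argv[2]))
```

The classification deliberately starts from nmcli rather than from ip a: the profile's DEVICE column decides whether it is active, and the address list only refines the answer. The inactive-address-remains result is the case worth alerting on, since it means an address configured outside NetworkManager survived the state: down run.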