  Ansible system roles: selinux and network

    rhel-system-roles.selinux

    This is a system role, obtained by installing the rhel-system-roles package. Its functions include:

    • Set the SELinux mode (enforcing and permissive)
    • Restore the default file context type (restorecon)
    • Set and query security contexts
    • Manage logins and ports

    Usage examples

    Set or modify the policy type and mode

    [root@localhost project2]# vim selinux.yml 
    ---
    - hosts: 192.168.190.134
      vars:
        selinux_policy: targeted
        selinux_state: permissive
      roles:
        - role: roles/rhel-system-roles.selinux
    

    Note: this only changes the mode for the running system (equivalent to running setenforce by hand); without a reboot, the disabled mode does not take effect, so a reboot has to be added to the tasks.

    Reboot the managed host and change the mode

    [root@localhost project2]# vim selinux.yml 
    ---
    - hosts: 192.168.190.134
      vars:
        selinux_policy: targeted
        selinux_state: disabled
      tasks:
        - name: apply SElinux role
          block:
            - include_role:
                name: roles/rhel-system-roles.selinux            
          rescue:
            - name: check
              fail:
              when: not selinux_reboot_required
            - name: reboot
              reboot:
            - name: changed
              include_role:
                name: roles/rhel-system-roles.selinux
    ......
    
    [root@localhost ~]# getenforce        check the managed host's mode
    Disabled
    

    Note: the selinux role has a variable selinux_reboot_required whose value defaults to True, and the role contains a task that fails whenever this variable is True, so the playbook runs the rescue block.

    Change the values of booleans in the targeted policy

    Enable the two booleans samba_enable_home_dirs and ssh_sysadm_login, and make ssh_sysadm_login persistent across reboots.

    [root@localhost project2]# !vim
    vim test.yml 
    ---
    - hosts: 192.168.190.134
      vars:
        selinux_booleans:
          - name: 'samba_enable_home_dirs'
            state: on
          - name: 'ssh_sysadm_login'
            state: on
            persistent: yes
      roles:
        - role: roles/rhel-system-roles.selinux
    
    [root@localhost ~]# getsebool -a | grep -e '^samba_enable_home*'   on the managed host the state is now on
    samba_enable_home_dirs --> on
    
    [root@localhost ~]# getsebool -a | grep -e '^ssh_sysadm_*'
    ssh_sysadm_login --> on
    

    Set the SELinux context type

    [root@localhost project2]# vim test.yml 
    ---
    - hosts: 192.168.190.134
      vars:
        selinux_fcontexts:
          - target: /opt/www(/.*)?
            setype: httpd_sys_content_t
            state: present
        selinux_restore_dirs:
          - /opt/www
      roles:
        - role: roles/rhel-system-roles.selinux
    
    [root@localhost www]# ls -Z
    unconfined_u:object_r:httpd_sys_content_t:s0 html                the context type of files under this directory is now httpd_sys_content_t
    

    Set SELinux ports

    [root@localhost project2]# !vim
    vim test.yml 
    ---
    - hosts: 192.168.190.134
      vars:
        selinux_ports:
          - ports: '9528'
            proto: tcp
            setype: http_port_t               # the port context type is http_port_t
            state: present
      roles:
        - role: roles/rhel-system-roles.selinux
    
    [root@localhost www]# semanage port -l | grep http_port_t          on the managed host, port 9528 has been added
    http_port_t                    tcp      9528, 80, 81, 443, 488, 8008, 8009, 8443, 9000
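
The listing above is checked by eye. The following added example (not part of the original post) parses `semanage port -l` style output and reports which SELinux type, if any, already owns a port/protocol pair, handling both the comma-separated port lists and the lo-hi ranges the command prints; the listing is a constructed sample so it runs offline, and on a managed host you would substitute the real command output.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      9528, 80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
zabbix_port_t                  tcp      10050-10051'

# port_type LISTING PROTO PORT
#   prints the SELinux type that owns PORT/PROTO, or nothing if it is unlabelled
port_type() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    NR > 1 && $2 == proto {
      type = $1
      # fields 3..NF are the ports: single numbers or lo-hi ranges, comma separated
      for (i = 3; i <= NF; i++) {
        p = $i
        gsub(",", "", p)
        if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = p }
        if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print type; exit }
      }
    }'
}

# check_port LISTING PROTO PORT WANTED_TYPE
#   prints "ok" if PORT/PROTO already carries WANTED_TYPE, "missing" if it is
#   unlabelled, or "conflict:<type>" if another type owns it (the case where
#   relabelling would hand the port to a different confined service)
check_port() {
  have=$(port_type "$1" "$2" "$3")
  if [ -z "$have" ]; then
    echo missing
  elif [ "$have" = "$4" ]; then
    echo ok
  else
    echo "conflict:$have"
  fi
}

# Usage against the constructed sample; on a real host pass "$(semanage port -l)".
check_port "$SAMPLE_PORTS" tcp 9528 http_port_t   # prints: ok
check_port "$SAMPLE_PORTS" tcp 22 http_port_t     # prints: conflict:ssh_port_t
```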
    

    rhel-system-roles.network

    Use the network role to configure the managed host's IPv4 address

    Steps:

    1. Check the NIC information on the managed host: the newly added NIC has no connection, and no IP address or related settings are configured.

    [root@localhost ~]# ip a
    ......
    3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
    

    2. Install rhel-system-roles on the control node and copy the network role into the project directory.

    [root@localhost ~]# yum install -y rhel-system-roles
    ......
    Installed:
      rhel-system-roles-1.0-10.el8_1.noarch                                                       
    
    Complete!
    
    [root@localhost ~]# cd /usr/share/ansible/roles
    [root@localhost roles]# ls
    linux-system-roles.kdump    linux-system-roles.storage   rhel-system-roles.postfix
    linux-system-roles.network  linux-system-roles.timesync  rhel-system-roles.selinux
    linux-system-roles.postfix  rhel-system-roles.kdump      rhel-system-roles.storage
    linux-system-roles.selinux  rhel-system-roles.network    rhel-system-roles.timesync
    
    [root@localhost roles]# cp -a rhel-system-roles.network /project2/roles
    

    3. Write a playbook that calls the network role to configure the managed host's IP address.

    [root@localhost project2]# vim test.yml
    ---
    - hosts: 192.168.190.134
      vars:
        network_connections:
          - name: ens224
            type: ethernet
            ip:
              route_metric4: 100
              dhcp4: no
              gateway4: 192.168.190.254
              dns:
                - 144.144.144.144
                - 8.8.8.8
              address:
                - 192.168.190.136/24
      roles:
        - role: roles/rhel-system-roles.network
    

    4. Run the playbook and check the managed host's IP configuration.

    [root@localhost ~]# ip a
    ......
    3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000           the IP address has been configured
        link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
        inet 192.168.190.136/24 brd 192.168.190.255 scope global noprefixroute ens224
           valid_lft forever preferred_lft forever
        inet6 fe80::ea28:75af:f8c8:fccb/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    
    [root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens224                     the NIC configuration file has been generated
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    ETHTOOL_OPTS="-K ens224"
    BOOTPROTO=none
    IPADDR=192.168.190.136
    PREFIX=24
    GATEWAY=192.168.190.254
    DNS1=144.144.144.144
    DNS2=8.8.8.8
    DEFROUTE=yes
    

    Deactivate the connection created above

    Steps:

    1. Again write a playbook that calls the network role

    [root@localhost project2]# !vim
    vim test2.yml
    ---
    - hosts: 192.168.190.134
      vars:
        network_connections:
          - name: ens224
            state: down
      roles:
        - role: roles/rhel-system-roles.network
    

    2. Check the state of this NIC on the managed host

    [root@localhost project2]# ansible control2 -a 'ip a' -i inventory 
    control2 | CHANGED | rc=0 >>
    ......
    3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000   
        link/ether 00:0c:29:2e:3b:d0 brd ff:ff:ff:ff:ff:ff
    

    Activate the connection

    Steps:

    1. Change the state value and run the playbook

    [root@localhost project2]# vim test2.yml 
    ---
    - hosts: 192.168.190.134
      vars:
        network_connections:
          - name: ens224
            state: up
      roles:
        - role: roles/rhel-system-roles.network
    

    2. Check the managed host: ens224 is now connected.

    [root@localhost project2]# ansible control2 -a 'nmcli con show' -i inventory 
    control2 | CHANGED | rc=0 >>
    NAME    UUID                                  TYPE      DEVICE 
    ens160  88b8c211-3684-44b5-98b9-21a3f221177d  ethernet  ens160 
    ens224  e9f31206-1e35-414d-8262-76790a63f8ad  ethernet  ens224 
    
  Original article: https://www.cnblogs.com/sawyer95/p/13680191.html