managing the system

  • alternatives : manage alternatives (versions) for commands
    • /etc/alternatives/java
  • at : schedule command execution
  • authorized_key : manage SSH key files
  • cron : manage cron
  • crypttab : device encryption
  • filesystem : file systems
  • firewalld : CentOS/RedHat equivalent of iptables
  • gluster_volume : manage GlusterFS volumes
  • group : manage groups
  • hostname : manage the server name
  • iptables : manage firewall rules
  • known_hosts : manage the keys of other servers
  • lvg : LVM
  • lvol : LVM
  • mount : mount file systems
  • open_iscsi : manage iSCSI devices
  • openwrt_init : manage OpenWRT services
  • pam_limits : manage PAM limits
  • pamd : manage PAM modules
  • ping : check connectivity
  • seboolean
  • selcontext
  • selinux
  • selinux_permissive
  • seport : SELinux support
  • service : manage services
  • setup : system information
    • gather_facts: false
  • sysctl : configure /etc/sysctl.conf
  • systemd : manage services
  • timezone : time zones
  • user : manage users

managing /etc/alternatives
https://docs.ansible.com/ansible/latest/modules/alternatives_module.html#alternatives-module

  • required
    • name = name
    • path = /path/to/file
  • optional
    • link = /path/to/file
    • priority = 50
- name: pin the Java version to 8
  alternatives:
    name: java
    path: /usr/lib/jvm/java-8-openjdk-amd64/bin/java

symlink chain: /usr/bin/java -> /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/bin/java

https://docs.ansible.com/ansible/latest/modules/authorized_key_module.html#authorized-key-module

  • required
    • user = <user>
    • key = <ssh.key>
  • optional
    • state = { present | absent }
    • path = ~/.ssh/authorized_keys
    • manage_dir = yes / no ← creates the folder / file and sets permissions
    • key_options = options
    • exclusive = no / yes ← if it already exists it is not added
- name: authorize public key
  authorized_key:
    user: <user>
    key: "..."

https://docs.ansible.com/ansible/latest/modules/cron_module.html#cron-module

  • name = name
  • job = command
  • state = { present | absent }
  • minute = [0 - 59]
  • hour = [0 - 23]
  • weekday = [0-6]
  • month = [1-12]
  • day = [1-31]
  • special_time = { reboot | yearly | annually | monthly | weekly | daily | hourly }
  • cron_file = name ← creates the file under /etc/cron.d/
  • backup = yes / no

https://docs.ansible.com/ansible/latest/modules/filesystem_module.html#filesystem-module

  • required
    • dev = device
    • fstype = file system type
  • optional
    • force = no / yes
    • opts = options
    • resizefs = no / yes
- name: create an xfs file system
  filesystem:
    dev: /dev/sdX1
    fstype: xfs

firewall control on CentOS/RH systems
https://docs.ansible.com/ansible/latest/modules/firewalld_module.html#firewalld-module

  • required
    • state = { enabled | disabled }
    • permanent = true / false ← needs a reload afterwards (handler)
  • optional
    • service
    • zone
    • port
    • source
    • rich_rule
    • immediate = false / true
- name: allow http/https access
  firewalld:
    state: enabled
    service: "{{ item }}"
    permanent: true
  with_items:
    - "http"
    - "https"

https://docs.ansible.com/ansible/latest/modules/group_module.html#group-module

  • required
    • name = name
  • optional
    • state = { present | absent }
    • gid = group id
    • system = yes / no
- name: create group for the application
  group:
    name: jboss
    state: present
    gid: 185

https://docs.ansible.com/ansible/latest/modules/hostname_module.html#hostname-module

  • name = name
- name: change the server name
  hostname:
    name: servidor.dominio.com

https://docs.ansible.com/ansible/latest/modules/timezone_module.html#timezone-module

  • hwclock = true / false
  • name = Area/City
- name: set the time zone
  timezone:
    name: Europe/Barcelona

https://docs.ansible.com/ansible/latest/modules/iptables_module.html#iptables-module

  • state = { present | absent }
  • chain = { INPUT | FORWARD | OUTPUT | PREROUTING | POSTROUTING | SECMARK | CONNSECMARK }
  • source = address
  • jump = { ACCEPT | DROP | … }
  • in_interface
  • out_interface
  • protocol = { tcp | udp | icmp }
  • destination_port = port
  • to_ports = port
  • ctstate = { INVALID | NEW | ESTABLISHED | RELATED | UNTRACKED | SNAT | DNAT }
- name: allow access to port 80
  iptables:
    chain: INPUT
    source: 0.0.0.0/0   # any source; a bare 0.0.0.0 would match only that single address
    destination_port: 80
    jump: ACCEPT
    protocol: tcp
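Added example (not from the original notes) of a stateful INPUT ruleset using the ctstate and in_interface parameters listed above; the management range 10.0.0.0/8 is an assumption.

```yaml
# Added example: stateful INPUT rules. Order matters: accept tracked
# connections and SSH before the default policy becomes DROP, or the
# Ansible SSH session itself is cut off.
- name: accept loopback traffic
  iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- name: accept packets belonging to connections already tracked
  iptables:
    chain: INPUT
    ctstate: [ESTABLISHED, RELATED]
    jump: ACCEPT

- name: accept new ssh connections from the management range only (assumed)
  iptables:
    chain: INPUT
    protocol: tcp
    source: 10.0.0.0/8
    destination_port: 22
    ctstate: NEW
    jump: ACCEPT

- name: accept new http connections from anywhere
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 80
    ctstate: NEW
    jump: ACCEPT

- name: drop everything else arriving on INPUT
  iptables:
    chain: INPUT
    policy: DROP
```

The iptables module changes the running ruleset only; persisting it across reboots (iptables-save, iptables-persistent or the distribution's equivalent) is a separate step.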

https://docs.ansible.com/ansible/latest/modules/lvg_module.html#lvg-module

  • required
    • vg = volume group
  • optional
    • state = { present | absent }
    • pvs = /dev/vdX
    • pesize = 4 (MB)
    • vg_options = vgcreate options
    • force = yes / no
- name: create volume group
  lvg:
    vg: datavg
    pvs: /dev/vda1
    state: present

check with: vgs, vgdisplay, pvdisplay

https://docs.ansible.com/ansible/latest/modules/lvol_module.html#lvol-module

  • required
    • vg = name of an existing VG
    • lv = logical volume name
  • optional
    • state = { present | absent }
    • size = size
    • pvs = /dev/vg1
    • opts = options
    • active = yes / no
    • force = yes / no
- name: create logical volume
  lvol: vg=datavg lv=web size=2G state=present

check with: lvscan

https://docs.ansible.com/ansible/latest/modules/mount_module.html#mount-module

  • required
    • name = mount point
    • state = { present | absent | mounted | unmounted }
  • optional
    • fstype = FS type
    • opts = options
    • src = device
    • dump = 0
    • passno = 0
- name: format the WWW partition
  filesystem:
    dev: /dev/datavg/web
    fstype: xfs
- name: mount the WWW partition
  mount:
    src: /dev/datavg/web
    name: /var/www
    fstype: xfs
    state: mounted

https://docs.ansible.com/ansible/latest/modules/service_module.html#service-module

  • required
    • name
  • optional
    • state = { started | stopped | restarted | reloaded }
    • enabled = yes / no
    • arguments = arguments
    • sleep = seconds
- name: start and enable service
  service:
    name: apache2
    state: started
    enabled: true

https://docs.ansible.com/ansible/latest/modules/setup_module.html#setup-module

  • fact_path = /etc/ansible/facts.d ← custom facts of our own stored under that path
  • filter = *
  • gather_subset = { all | hardware | network | virtual }
  • gather_timeout = 10
- name: gather facts
  setup:
    gather_subset: all

kernel changes
https://docs.ansible.com/ansible/latest/modules/sysctl_module.html#sysctl-module

  • required
    • name
  • optional
    • value = value
    • state = { present | absent }
    • reload = yes / no ← sysctl -p
    • sysctl_file = /etc/sysctl.conf
    • sysctl_set = yes / no ← set the value
    • ignoreerrors = no / yes
- name: allow traffic forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: 1
    sysctl_set: yes
    state: present
    reload: yes

check with: sysctl -a | grep ip_forward
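Added example (not from the original notes): a set of network hardening keys applied from a loop into a dedicated file under /etc/sysctl.d, followed by the same read-back check the note above does by hand, done with the assert module. The file name and the key list are choices made here, not values from the notes.

```yaml
# Added example: loop over hardening keys, persist, reload, then verify.
- name: set network hardening sysctl keys
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.d/90-hardening.conf   # assumed file name
    sysctl_set: yes        # also set the live value
    state: present
    reload: yes            # sysctl -p on that file
  loop:
    - { name: net.ipv4.ip_forward, value: "0" }               # hosts that are not routers
    - { name: net.ipv4.conf.all.rp_filter, value: "1" }       # reverse-path filtering
    - { name: net.ipv4.conf.all.accept_redirects, value: "0" }
    - { name: net.ipv4.conf.all.send_redirects, value: "0" }
    - { name: net.ipv4.tcp_syncookies, value: "1" }

- name: read back the live value of one key
  command: sysctl -n net.ipv4.ip_forward
  register: ip_forward
  changed_when: false     # a read does not change the host

- name: fail the play if the kernel did not take the value
  assert:
    that: ip_forward.stdout == "0"
    fail_msg: "net.ipv4.ip_forward is still enabled"
```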

https://docs.ansible.com/ansible/latest/modules/systemd_module.html#systemd-module

  • name = name
  • state = { started | stopped | restarted | reloaded }
  • enabled = yes / no
  • daemon_reload = no / yes
  • masked = yes / no
- name: enable service and reload systemd
  systemd:
    name: apache2
    enabled: yes
    state: started
    daemon_reload: yes

https://docs.ansible.com/ansible/latest/modules/user_module.html#user-module

  • required
    • name = name
  • optional
    • state = { present | absent }
    • group = group
    • groups = group1,group2
    • append = yes / no ← add to the existing groups
    • createhome = yes / no
    • uid = user_id
    • home = directory
    • shell = /bin/sh
    • password = password
    • remove = yes / no ← remove the home directory when doing an absent
    • system = yes / no
- name: create user
  user:
    name: pepito
    uid: 1001
    home: /home/pepito
    shell: /bin/false
    state: present
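Added example (not from the original notes) that ties the group, user and authorized_key sections together: a deployment account whose single SSH key is restricted with key_options. The account name, the key file path on the controller and the 10.0.0.0/8 range are assumptions.

```yaml
# Added example: locked-down deployment account with one restricted key.
- name: create the deploy group
  group:
    name: deploy
    state: present

- name: create the deploy user
  user:
    name: deploy
    group: deploy
    groups: www-data
    append: yes            # keep any groups the account already has
    shell: /bin/bash
    createhome: yes
    system: yes
    state: present

- name: install the only key allowed for deploy, restricted by options
  authorized_key:
    user: deploy
    key: "{{ lookup('file', 'files/deploy.pub') }}"   # assumed path on the controller
    key_options: 'from="10.0.0.0/8",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
    exclusive: yes         # any other key in the file is removed
    manage_dir: yes        # create ~/.ssh and fix its permissions
    state: present
```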
  • Last modified: 13/06/2019 02:08
  • by mate