Working with Ansible Templates, Variables, and Facts

1 hour | 4 Learning Objectives

About this Hands-on Lab

Besides being an objective on the Red Hat Certified Ansible Specialist Exam, a demonstrated ability to use Ansible templates, variables, and facts is essential to practical systems deployment through Ansible. Templates allow for a streamlined approach to configuration management that reduces configuration error and simplifies system upkeep. This learning activity starts a student on a path from basic Ansible knowledge to a strong working knowledge that is necessary for real-world application.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Template *sudoers* File in `/home/ansible/hardened.j2` That Produces a File with Appropriate Output for Each Host

touch /home/ansible/hardened.j2

The Deployed File Should Resemble the Example File Except with the *IP* and *hostnames* Customized Appropriately

Edit hardened.j2 to contain the following text:

    %sysops {{ ansible_default_ipv4.address }} = (ALL) ALL
    Host_Alias WEBSERVERS = {{ groups['web']|join(', ') }}
    Host_Alias DBSERVERS = {{ groups['database']|join(', ') }}
    %httpd WEBSERVERS = /bin/su - webuser
    %dba DBSERVERS = /bin/su - dbuser
Create a Playbook in `/home/ansible/security.yml` That Uses the Template Module to Deploy the Template on All Servers in the Default Ansible Inventory After Validating the Syntax of the Generated File

Edit /home/ansible/security.yml to contain the following:

    - hosts: all
      become: yes
      tasks:
        - name: deploy sudo template
          template:
            src: /home/ansible/hardened.j2
            dest: /etc/sudoers.d/hardened
            # visudo checks the rendered temp copy (%s); the file is only
            # moved into /etc/sudoers.d if the check passes
            validate: /sbin/visudo -cf %s
Run the Playbook and Ensure the Files Are Correctly Deployed

ansible-playbook /home/ansible/security.yml

Check the local /etc/sudoers.d/hardened on the ansible control node for the correct contents.
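The note in the task list about rendering to /home/ansible/test first is worth turning into a habit, because a bad file in /etc/sudoers.d takes sudo down with it. The playbook below is an added example, not the lab's reference solution: it checks that the facts and inventory groups the template relies on actually exist on every host (a host with no default route has an empty ansible_default_ipv4, and the template would fail on it), renders the template to the scratch path from the lab note, runs visudo on that copy, and only then deploys to /etc/sudoers.d/hardened with the validate argument and the 0440 mode that sudoers(5) expects for drop-in files. The task names and the owner/mode values are assumptions; the paths come from the lab.

```yaml
# Added example, not the lab's own solution. Paths /home/ansible/hardened.j2,
# /home/ansible/test and /etc/sudoers.d/hardened come from the lab text; task
# names and the 0440 mode are this example's choices (sudoers(5) documents
# 0440 for drop-in files).
- hosts: all
  become: yes
  tasks:
    - name: refuse to render if a fact or inventory group the template needs is missing
      assert:
        that:
          - ansible_default_ipv4 is defined
          - ansible_default_ipv4.address is defined
          - "'web' in groups"
          - "'database' in groups"
        fail_msg: "required fact or inventory group missing on {{ inventory_hostname }}"

    - name: render the template to a scratch path (nothing touches /etc/sudoers.d yet)
      template:
        src: /home/ansible/hardened.j2
        dest: /home/ansible/test
        owner: ansible
        mode: '0600'

    - name: check the scratch copy with visudo before the real deployment
      command: /sbin/visudo -cf /home/ansible/test
      changed_when: false

    - name: deploy; validate runs visudo on the temp copy before it is moved into place
      template:
        src: /home/ansible/hardened.j2
        dest: /etc/sudoers.d/hardened
        owner: root
        group: root
        mode: '0440'
        validate: /sbin/visudo -cf %s

    - name: show what each host ended up with
      command: cat /etc/sudoers.d/hardened
      changed_when: false
      register: deployed

    - debug:
        var: deployed.stdout_lines
```

Run it exactly like the lab playbook (`ansible-playbook /home/ansible/security.yml`). If the assert task fails on a host, the template would have failed there too; fixing the inventory or the host's network facts is the right response, not removing the check. Once the template is stable the two scratch-file tasks can be dropped, since the validate argument on the final task performs the same visudo check on every run.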

Additional Resources

A colleague of yours was the unfortunate victim of a scam email, and their network account was compromised. Shortly after you finished helping them pack up their desk, your boss gave you the assignment to promote system security through deploying a hardened sudoers file. You will need to create an Ansible template of the sudoers file that meets the following criteria:

  • A file named /etc/sudoers.d/hardened to deploy on all ansible inventory servers. WARNING: Do NOT edit the default sudoers file; doing so may break your exercise environment. Additionally, always validate any file placed in /etc/sudoers.d with /sbin/visudo -cf <filename> prior to deployment!
  • Grant users in the sysops group the ability to run all commands as root for each local system by IP address. The entry in your result file will look like this, except with the target system's IP in place of the placeholder: %sysops <IP> = (ALL) ALL.
  • Define the host_alias group WEBSERVERS to contain all servers in the ansible web inventory group: Host_Alias WEBSERVERS = <host name>
  • Define the host_alias group DBSERVERS to contain all servers in the ansible database inventory group: Host_Alias DBSERVERS = <host name>
  • Grant users in the httpd group the ability to sudo su - webuser on the WEBSERVERS hosts: %httpd WEBSERVERS = /bin/su - webuser
  • Grant users in the dba group sudo su - dbuser on the DBSERVERS hosts: %dba DBSERVERS = /bin/su - dbuser
  • The file must be validated using /sbin/visudo -cf before deployment.

You will need to create an accompanying playbook in /home/ansible/security.yml that will deploy this template to all servers in the default inventory.

Summary tasks list:

  • Create a template sudoers file in /home/ansible/hardened.j2 that produces a file with appropriate output for each host.
  • The deployed file should resemble the following, except with the IP and hostnames customized appropriately:
    %sysops <IP> = (ALL) ALL
    Host_Alias WEBSERVERS = server1, server2
    Host_Alias DBSERVERS = serverA, serverB
    %httpd WEBSERVERS = /bin/su - webuser
    %dba DBSERVERS = /bin/su - dbuser
  • Create a playbook in /home/ansible/security.yml that uses the template module to deploy the template on all servers in the default ansible inventory after validating the syntax of the generated file.
    • Note: You may find it easier to have the play output to /home/ansible/test and validate manually using /sbin/visudo -cf <filename> before using the template module's validate.
    • IMPORTANT: Do not deploy any file to /etc/sudoers.d/ without first validating with visudo! A syntax error in a sudoers file will break sudo on the system and require starting the exercise over again!
    • Note: The video shows the use of join(' '), which is a typo. To support multiple hosts in the sudoers file it should instead be join(', '), since sudoers host lists are comma-separated.
  • Run the playbook and ensure the files deployed correctly.

Important notes:

  • For your convenience, Ansible has been installed on the control node.
  • The user ansible has already been created on all servers with the appropriate shared keys for access to the necessary servers from the control node. It has the same password as cloud_user.
  • All necessary Ansible inventories have been created for you.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
