
clase 16/02/23

Student User 2 years ago
parent
commit
ce700e9be6
36 changed files with 562 additions and 0 deletions
  1. 3 0
      review/review-deploy/ansible.cfg
  2. 4 0
      review/review-deploy/inventory
  3. BIN
      review/review-playbooks/.ansible-vsftpd.yml.swp
  4. 44 0
      review/review-playbooks/ansible-vsftpd.yml
  5. 9 0
      review/review-playbooks/ansible.cfg
  6. 7 0
      review/review-playbooks/ftpclients.yml
  7. 5 0
      review/review-playbooks/inventory
  8. 3 0
      review/review-playbooks/review-deploy/ansible.cfg
  9. 4 0
      review/review-playbooks/review-deploy/inventory
  10. 4 0
      review/review-playbooks/site.yml
  11. 27 0
      review/review-playbooks/templates/vsftpd.conf.j2
  12. 5 0
      review/review-playbooks/vars.yml
  13. 12 0
      review/review-playbooks/vars/defaults-template.yml
  14. 3 0
      review/review-playbooks/vars/vars.yml
  15. BIN
      review/review-roles/.vsftpd-configure.yml.swp
  16. 62 0
      review/review-roles/ansible-vsftpd.yml
  17. 9 0
      review/review-roles/ansible.cfg
  18. 12 0
      review/review-roles/defaults-template.yml
  19. 9 0
      review/review-roles/ftpclients.yml
  20. 7 0
      review/review-roles/inventory
  21. 29 0
      review/review-roles/roles/ansible-vsftpd/.travis.yml
  22. 23 0
      review/review-roles/roles/ansible-vsftpd/README.md
  23. 12 0
      review/review-roles/roles/ansible-vsftpd/defaults/main.yml
  24. 4 0
      review/review-roles/roles/ansible-vsftpd/handlers/main.yml
  25. 53 0
      review/review-roles/roles/ansible-vsftpd/meta/main.yml
  26. 47 0
      review/review-roles/roles/ansible-vsftpd/tasks/main.yml
  27. 27 0
      review/review-roles/roles/ansible-vsftpd/templates/vsftpd.conf.j2
  28. 5 0
      review/review-roles/roles/ansible-vsftpd/vars/defaults-template.yml
  29. 5 0
      review/review-roles/roles/ansible-vsftpd/vars/main.yml
  30. 5 0
      review/review-roles/site.yml
  31. 27 0
      review/review-roles/templates/vsftpd.conf.j2
  32. 5 0
      review/review-roles/vars.yml
  33. 12 0
      review/review-roles/vars/defaults-template.yml
  34. 5 0
      review/review-roles/vars/vars.yml
  35. 47 0
      review/review-roles/vsftpd-configure.yml
  36. 27 0
      review/review-roles/vsftpd.conf.j2

+ 3 - 0
review/review-deploy/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory = ./inventory
+

+ 4 - 0
review/review-deploy/inventory

@@ -0,0 +1,4 @@
+[dev]
+servera.lab.example.com
+serverb.lab.example.com
+

BIN
review/review-playbooks/.ansible-vsftpd.yml.swp
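Review bot: A Vim swap file (.ansible-vsftpd.yml.swp here, and .vsftpd-configure.yml.swp further down in the same commit) is committed as a binary blob. Swap files hold the unsaved editing buffer, so they can carry content that never made it into the saved file and was never meant to land in history, and they are of no use to anyone else checking out the tree. Remove both from the commit and add `*.swp`, `*.swo` and `*~` to a `.gitignore` so they cannot be re-added by accident.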


+ 44 - 0
review/review-playbooks/ansible-vsftpd.yml

@@ -0,0 +1,44 @@
+- name: configure vsftpd
+  hosts: ftpservers
+  vars_files: 
+    - vars/vars.yml
+    - vars/defaults-template.yml
+  tasks:
+    - name: install vsftpd
+      yum:
+        name: "{{ vsftpd_package }}"
+        state: latest
+    - name: start and enable service
+      service:
+        name: "{{ vsftpd_service }}"
+        state: started
+        enabled: yes
+    - name: template config file
+      template:
+        src: vsftpd.conf.j2
+        dest: "{{ vsftpd_config_file }}"
+        owner: root
+        group: root
+        mode: 0600
+      notify: restart vsftpd
+    - name: firewalld installed
+      yum:
+        name: firewalld
+        state: latest
+    - name: open ftp port
+      firewalld:
+        service: ftp
+        state: enabled
+        permanent: yes
+        immediate: yes
+    - name: open passive ftp port
+      firewalld:
+        port: 21000-21020/tcp
+        state: enabled
+        permanent: yes
+        immediate: yes
+  handlers:
+    - name: restart vsftpd
+      service:
+        name: "{{ vsftpd_service }}"
+        state: restarted
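Review bot: The two firewalld tasks at the end of the play use `immediate: yes`, but nothing in this play ensures the firewalld daemon is actually running, so on a host where the package is installed but the service is stopped the runtime part of the change has no daemon to apply it to; the roles/ copy of this play inserts a start-and-enable task between installing firewalld and opening the ports, and this play should do the same. Separately, `state: latest` on both yum tasks turns every run into an unplanned package upgrade, whereas `present` converges on an installed state and leaves upgrades an explicit decision. Note also that vsftpd is started before the configuration file is templated, so the first run briefly serves the package's stock configuration until the handler restarts it; templating the file before the service task avoids that window.
```yaml
    - name: firewalld installed
      yum:
        name: firewalld
        state: present
    - name: firewalld started and enabled
      service:
        name: firewalld
        state: started
        enabled: yes
    # … unchanged: open ftp port / open passive ftp port …
```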

+ 9 - 0
review/review-playbooks/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory = inventory
+remote_user = devops
+
+[privilege_escalation]
+become = true
+become_user = root
+become_method = sudo
+become_ask_pass = false

+ 7 - 0
review/review-playbooks/ftpclients.yml

@@ -0,0 +1,7 @@
+- name: configure ftp clients
+  hosts: ftpclients
+  tasks:
+    - name: install lftp
+      yum:
+        name: lftp
+        state: latest
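Review bot: `state: latest` on the lftp task makes this play upgrade the package on every run instead of converging on "installed", which is surprising on a client host and makes the play non-idempotent from the operator's point of view; `state: present` is the usual choice. The file also lacks the leading `---` document marker that the role files in this commit use.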

+ 5 - 0
review/review-playbooks/inventory

@@ -0,0 +1,5 @@
+[ftpclients]
+serverc.lab.example.com
+[ftpservers]
+serverb.lab.example.com
+serverd.lab.example.com

+ 3 - 0
review/review-playbooks/review-deploy/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory = ./inventory
+

+ 4 - 0
review/review-playbooks/review-deploy/inventory

@@ -0,0 +1,4 @@
+[dev]
+servera.lab.example.com
+serverb.lab.example.com
+

+ 4 - 0
review/review-playbooks/site.yml

@@ -0,0 +1,4 @@
+- name: servidores
+  import_playbook: ansible-vsftpd.yml
+- name: clientes
+  import_playbook: ftpclients.yml

+ 27 - 0
review/review-playbooks/templates/vsftpd.conf.j2

@@ -0,0 +1,27 @@
+# Vsftpd configuration
+# {{ ansible_managed }}
+
+connect_from_port_20={{ 'YES' if vsftpd_connect_from_port_20 else 'NO' }}
+listen={{ 'YES' if vsftpd_listen else 'NO' }}
+pam_service_name=vsftpd
+syslog_enable={{ 'YES' if vsftpd_syslog_enable else 'NO' }}
+
+anonymous_enable={{ 'YES' if vsftpd_anonymous_enable else 'NO' }}
+{% if vsftpd_anon_root is defined %}
+anon_root={{ vsftpd_anon_root }}
+{% endif %}
+
+local_enable={{ 'YES' if vsftpd_local_enable else 'NO' }}
+{% if vsftpd_local_root is defined %}
+local_root={{ vsftpd_local_root }}
+{% endif %}
+local_umask=022
+
+write_enable={{ 'YES' if vsftpd_write_enable else 'NO' }}
+
+chroot_local_user={{ 'YES' if vsftpd_chroot_local_user else 'NO' }}
+
+pasv_enable=Yes
+pasv_min_port=21000
+pasv_max_port=21020
+
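Review bot: The passive port range at the bottom of the template (`pasv_min_port=21000` / `pasv_max_port=21020`) is hard-coded and duplicated verbatim in the firewalld task of ansible-vsftpd.yml with no variable tying the two together, so changing one without the other silently breaks passive transfers. Define `vsftpd_pasv_min_port` and `vsftpd_pasv_max_port` once in the defaults file and render `pasv_min_port={{ vsftpd_pasv_min_port }}` and `pasv_max_port={{ vsftpd_pasv_max_port }}` here, then build the firewall port string from the same two variables. While there, `pasv_enable=Yes` is the only mixed-case boolean in the file; the rest of the template emits `YES`/`NO`, so `pasv_enable=YES` keeps the output uniform.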

+ 5 - 0
review/review-playbooks/vars.yml

@@ -0,0 +1,5 @@
+---
+# vars file for ansible-vsftpd
+vsftpd_package: vsftpd
+vsftpd_service: vsftpd
+vsftpd_config_file: /etc/vsftpd/vsftpd.conf
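Review bot: This vars.yml sits next to the play, but ansible-vsftpd.yml in the same directory loads `vars/vars.yml`, which carries the same three keys, so as far as this commit shows nothing references this copy. Two files declaring `vsftpd_package`, `vsftpd_service` and `vsftpd_config_file` will drift; delete the unreferenced one or point `vars_files` at a single source.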

+ 12 - 0
review/review-playbooks/vars/defaults-template.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for ansible-vsftpd
+vsftpd_anonymous_enable: true
+vsftpd_connect_from_port_20: true
+vsftpd_listen: true
+vsftpd_local_enable: false
+vsftpd_setype: public_content_t
+vsftpd_syslog_enable: true
+vsftpd_write_enable: true
+vsftpd_chroot_local_user: true
+vsftpd_anon_root: /var/ftp
+vsftpd_local_root: /var/ftp
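Review bot: These values are called "defaults" but they are loaded through `vars_files` in ansible-vsftpd.yml, and play vars_files take precedence over inventory group_vars and host_vars, so an operator cannot override `vsftpd_anonymous_enable` or `vsftpd_write_enable` per host from the inventory — only from play vars or `-e`. If they are meant to be overridable defaults they belong in a role's defaults/main.yml (as the role copy in this commit does) or should be documented as fixed play settings. On the values themselves, `vsftpd_anonymous_enable: true` opens anonymous read access to `/var/ftp` on every host the play touches; making anonymous access opt-in (`vsftpd_anonymous_enable: false`) is the safer default for a file that is not inventory-overridable.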

+ 3 - 0
review/review-playbooks/vars/vars.yml

@@ -0,0 +1,3 @@
+vsftpd_package: vsftpd
+vsftpd_service: vsftpd
+vsftpd_config_file: /etc/vsftpd/vsftpd.conf

BIN
review/review-roles/.vsftpd-configure.yml.swp


+ 62 - 0
review/review-roles/ansible-vsftpd.yml

@@ -0,0 +1,62 @@
+
+- name: FTP server is installed
+  hosts:
+    - ftpservers
+  vars_files:
+    - vars/defaults-template.yml
+    - vars/vars.yml
+
+  tasks:
+    - name: Packages are installed
+      yum:
+        name: '{{ vsftpd_package }}'
+        state: present
+
+    - name: Ensure service is started
+      service:
+        name: '{{ vsftpd_service }}'
+        state: started
+        enabled: true
+
+    - name: Configuration file is installed
+      template:
+        src: templates/vsftpd.conf.j2
+        dest: '{{ vsftpd_config_file }}'
+        owner: root
+        group: root
+        mode: '0600'
+        setype: etc_t
+      notify: restart vsftpd
+
+    - name: firewalld is installed
+      yum:
+        name: firewalld
+        state: present
+
+    - name: firewalld is started and enabled
+      service:
+        name: firewalld
+        state: started
+        enabled: yes
+
+    - name: FTP port is open
+      firewalld:
+        service: ftp
+        permanent: true
+        state: enabled
+        immediate: yes
+
+    - name: Passive FTP data ports allowed through the firewall
+      firewalld:
+        port: 21000-21020/tcp
+        permanent: yes
+        state: enabled
+        immediate: yes
+
+  handlers:
+    - name: restart vsftpd
+      service:
+        name: "{{ vsftpd_service }}"
+        state: restarted
+
+
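Review bot: The task list in this play reproduces roles/ansible-vsftpd/tasks/main.yml almost line for line (same package, service, template with `setype: etc_t`, and the four firewalld tasks) instead of invoking the role, so every future fix has to be made twice and the two copies will drift; vsftpd-configure.yml in the same tree already shows the intended form. Replace the `tasks:` and `handlers:` sections with `roles:` / `    - ansible-vsftpd` and keep the `vars_files` only if they are meant to override the role defaults. The template is also written after the service is started, so the first run serves the package's stock vsftpd.conf until the handler restarts the daemon at the end of the play; templating first closes that window.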

+ 9 - 0
review/review-roles/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+remote_user=devops
+inventory = ./inventory
+
+[privilege_escalation]
+become=True
+become_method=sudo
+become_user=root
+become_ask_pass=False

+ 12 - 0
review/review-roles/defaults-template.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for ansible-vsftpd
+vsftpd_anonymous_enable: true
+vsftpd_connect_from_port_20: true
+vsftpd_listen: true
+vsftpd_local_enable: false
+vsftpd_setype: public_content_t
+vsftpd_syslog_enable: true
+vsftpd_write_enable: true
+vsftpd_chroot_local_user: true
+vsftpd_anon_root: /var/ftp
+vsftpd_local_root: /var/ftp

+ 9 - 0
review/review-roles/ftpclients.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure FTP Client Configuration
+  hosts: ftpclients
+
+  tasks:
+    - name: latest version of lftp is installed
+      yum:
+        name: lftp
+        state: latest
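Review bot: `state: latest` for lftp is inconsistent with the `state: present` used by every yum task in roles/ansible-vsftpd/tasks/main.yml and in ansible-vsftpd.yml next to it, and it means each run of site.yml may upgrade the client package as a side effect. Use `state: present` here too, so that package upgrades happen only when someone asks for them.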

+ 7 - 0
review/review-roles/inventory

@@ -0,0 +1,7 @@
+[ftpservers]
+serverb.lab.example.com
+serverd.lab.example.com
+
+[ftpclients]
+servera.lab.example.com
+serverc.lab.example.com

+ 29 - 0
review/review-roles/roles/ansible-vsftpd/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/
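Review bot: The `script` step runs `ansible-playbook tests/test.yml -i tests/inventory --syntax-check`, but no tests/ directory is among the 36 files in this commit, so as committed the CI job would fail on a missing playbook rather than check anything; either add the tests/test.yml and tests/inventory the role scaffold expects or drop the step. The `install` step also does an unpinned `pip install ansible` on a Python 2.7 builder, so the version under test is whatever pip resolves that day — pin it (e.g. `pip install 'ansible==2.9.*'`) so results are reproducible. `sudo: false` and the `python: "2.7"` target are both legacy Travis settings; the latter cannot exercise the `min_ansible_version: 2.9` declared in meta/main.yml against a current interpreter.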

+ 23 - 0
review/review-roles/roles/ansible-vsftpd/README.md

@@ -0,0 +1,23 @@
+ansible-vsftpd
+=========
+Example ansible-vsftpd role from Red Hat's "Linux Automation" (RH294)
+course.
+Role Variables
+--------------
+* defaults/main.yml contains variables used to configure the vsftpd.conf template
+* vars/main.yml contains the name of the vsftpd service, the name of the RPM
+package, and the location of the service's configuration file
+Dependencies
+------------
+None.
+Example Playbook
+----------------
+- hosts: servers
+roles:
+- ansible-vsftpd
+License
+-------
+BSD
+Author Information
+------------------
+Red Hat (training@redhat.com)

+ 12 - 0
review/review-roles/roles/ansible-vsftpd/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for ansible-vsftpd
+vsftpd_anonymous_enable: true
+vsftpd_connect_from_port_20: true
+vsftpd_listen: true
+vsftpd_local_enable: false
+vsftpd_setype: public_content_t
+vsftpd_syslog_enable: true
+vsftpd_write_enable: true
+vsftpd_chroot_local_user: true
+vsftpd_anon_root: /var/ftp
+vsftpd_local_root: /var/ftp
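Review bot: `vsftpd_anonymous_enable: true` as a role default means every host the role is applied to exposes `/var/ftp` to anonymous clients unless the consumer remembers to override it; anonymous access is better opt-in (`vsftpd_anonymous_enable: false`) with the README telling users how to turn it on. `vsftpd_write_enable: true` is the global write switch in vsftpd; as far as the template in this role shows, `anon_upload_enable` is never set, so anonymous sessions should stay read-only, but any local account enabled later via `vsftpd_local_enable` gets write access immediately — worth a comment here so the interaction is not discovered by surprise. Also, `vsftpd_anon_root` and `vsftpd_local_root` both default to `/var/ftp`, so chrooted local users and anonymous users share one tree; and `vsftpd_setype` is not consumed by tasks/main.yml (only the vsftpd-configure.yml play uses it), so it should either move to that play or be documented as an integration hook.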

+ 4 - 0
review/review-roles/roles/ansible-vsftpd/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart vsftpd
+  service:
+    name: "{{ vsftpd_service }}"
+    state: restarted

+ 53 - 0
review/review-roles/roles/ansible-vsftpd/meta/main.yml

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: Red Hat Training
+  description: example role for RH294
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: BSD
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  
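Review bot: `license: BSD` is not a valid SPDX identifier even though the comment directly above lists the accepted forms; Galaxy expects something like `license: BSD-3-Clause`, which also matches the "BSD" stated in README.md. `min_ansible_version: 2.9` is an unquoted float, which happens to survive here but would turn a future `2.10` into `2.1`; write it as `min_ansible_version: "2.9"`. The `platforms:` list is left entirely commented out, so consumers get no hint that the role is RHEL/yum-specific, and the last line carries trailing whitespace.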

+ 47 - 0
review/review-roles/roles/ansible-vsftpd/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: Packages are installed
+  yum:
+    name: '{{ vsftpd_package }}'
+    state: present
+
+- name: Ensure service is started
+  service:
+    name: '{{ vsftpd_service }}'
+    state: started
+    enabled: true
+
+- name: Configuration file is installed
+  template:
+    src: templates/vsftpd.conf.j2
+    dest: '{{ vsftpd_config_file }}'
+    owner: root
+    group: root
+    mode: '0600'
+    setype: etc_t
+  notify: restart vsftpd
+
+- name: firewalld is installed
+  yum:
+    name: firewalld
+    state: present
+
+- name: firewalld is started and enabled
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+- name: FTP port is open
+  firewalld:
+    service: ftp
+    permanent: true
+    state: enabled
+    immediate: yes
+
+- name: Passive FTP data ports allowed through the firewall
+  firewalld:
+    port: 21000-21020/tcp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+
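Review bot: The "Passive FTP data ports" task hard-codes `21000-21020/tcp`, and the same two numbers are hard-coded again in templates/vsftpd.conf.j2 with nothing connecting them, so a change to either silently desynchronises the firewall from the daemon. Add `vsftpd_pasv_min_port: 21000` and `vsftpd_pasv_max_port: 21020` to defaults/main.yml, render them in the template, and use `port: "{{ vsftpd_pasv_min_port }}-{{ vsftpd_pasv_max_port }}/tcp"` here. The task order also starts vsftpd ("Ensure service is started") before "Configuration file is installed" writes the managed config, so on a fresh host the daemon runs with the package's stock vsftpd.conf until the handler restarts it at the end of the play; moving the template task ahead of the service task means the first start already uses the managed file.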

+ 27 - 0
review/review-roles/roles/ansible-vsftpd/templates/vsftpd.conf.j2

@@ -0,0 +1,27 @@
+# Vsftpd configuration
+# {{ ansible_managed }}
+
+connect_from_port_20={{ 'YES' if vsftpd_connect_from_port_20 else 'NO' }}
+listen={{ 'YES' if vsftpd_listen else 'NO' }}
+pam_service_name=vsftpd
+syslog_enable={{ 'YES' if vsftpd_syslog_enable else 'NO' }}
+
+anonymous_enable={{ 'YES' if vsftpd_anonymous_enable else 'NO' }}
+{% if vsftpd_anon_root is defined %}
+anon_root={{ vsftpd_anon_root }}
+{% endif %}
+
+local_enable={{ 'YES' if vsftpd_local_enable else 'NO' }}
+{% if vsftpd_local_root is defined %}
+local_root={{ vsftpd_local_root }}
+{% endif %}
+local_umask=022
+
+write_enable={{ 'YES' if vsftpd_write_enable else 'NO' }}
+
+chroot_local_user={{ 'YES' if vsftpd_chroot_local_user else 'NO' }}
+
+pasv_enable=Yes
+pasv_min_port=21000
+pasv_max_port=21020
+
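Review bot: The template exposes no TLS options (`ssl_enable`, `force_local_logins_ssl`, `force_local_data_ssl`), so the moment a consumer sets `vsftpd_local_enable` to true, local account passwords travel in cleartext over port 21; that is fine for the anonymous-only default but should be stated where the switch is rendered. I would add above the `local_enable=` line: `{# NOTE: no TLS is configured in this template — local logins authenticate in cleartext; keep local_enable off or add ssl_enable/force_local_logins_ssl before turning it on #}`. Minor: `pasv_enable=Yes` is the one mixed-case boolean in a file that otherwise emits `YES`/`NO`; `pasv_enable=YES` keeps the output uniform, and the passive range below it should come from variables shared with the firewalld task rather than being typed twice.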

+ 5 - 0
review/review-roles/roles/ansible-vsftpd/vars/defaults-template.yml

@@ -0,0 +1,5 @@
+---
+# vars file for ansible-vsftpd
+vsftpd_package: vsftpd
+vsftpd_service: vsftpd
+vsftpd_config_file: /etc/vsftpd/vsftpd.conf

+ 5 - 0
review/review-roles/roles/ansible-vsftpd/vars/main.yml

@@ -0,0 +1,5 @@
+---
+# vars file for ansible-vsftpd
+vsftpd_package: vsftpd
+vsftpd_service: vsftpd
+vsftpd_config_file: /etc/vsftpd/vsftpd.conf

+ 5 - 0
review/review-roles/site.yml

@@ -0,0 +1,5 @@
+#FTP Servers playbook
+- import_playbook: ansible-vsftpd.yml
+#FTP Clients playbook
+- import_playbook: ftpclients.yml
+
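Review bot: site.yml imports ansible-vsftpd.yml, the play that re-implements the role's tasks, while vsftpd-configure.yml in the same directory (which applies the role and additionally partitions, formats and mounts `/dev/vdb1` under `/mnt/share/`) is imported by nothing in this commit. If vsftpd-configure.yml is the intended server play, ftpservers end up with `anon_root=/var/ftp` and the share mount never happens when someone runs site.yml; the import should presumably be `- import_playbook: vsftpd-configure.yml`. The two comments are also missing the space after `#` that yamllint expects (`# FTP Servers playbook`), and the file lacks the `---` marker used elsewhere in the tree.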

+ 27 - 0
review/review-roles/templates/vsftpd.conf.j2

@@ -0,0 +1,27 @@
+# Vsftpd configuration
+# {{ ansible_managed }}
+
+connect_from_port_20={{ 'YES' if vsftpd_connect_from_port_20 else 'NO' }}
+listen={{ 'YES' if vsftpd_listen else 'NO' }}
+pam_service_name=vsftpd
+syslog_enable={{ 'YES' if vsftpd_syslog_enable else 'NO' }}
+
+anonymous_enable={{ 'YES' if vsftpd_anonymous_enable else 'NO' }}
+{% if vsftpd_anon_root is defined %}
+anon_root={{ vsftpd_anon_root }}
+{% endif %}
+
+local_enable={{ 'YES' if vsftpd_local_enable else 'NO' }}
+{% if vsftpd_local_root is defined %}
+local_root={{ vsftpd_local_root }}
+{% endif %}
+local_umask=022
+
+write_enable={{ 'YES' if vsftpd_write_enable else 'NO' }}
+
+chroot_local_user={{ 'YES' if vsftpd_chroot_local_user else 'NO' }}
+
+pasv_enable=Yes
+pasv_min_port=21000
+pasv_max_port=21020
+
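Review bot: This is the third byte-identical copy of vsftpd.conf.j2 in the commit (the others live in review-playbooks/templates/ and roles/ansible-vsftpd/templates/), and it is the one ansible-vsftpd.yml actually renders via `src: templates/vsftpd.conf.j2`, so any fix made to the role's template does not reach the play that site.yml runs. Keep the template only inside the role and have the play use the role; if the standalone play must stay, point it at the role's file with `src: roles/ansible-vsftpd/templates/vsftpd.conf.j2` rather than carrying a copy.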

+ 5 - 0
review/review-roles/vars.yml

@@ -0,0 +1,5 @@
+---
+# vars file for ansible-vsftpd
+vsftpd_package: vsftpd
+vsftpd_service: vsftpd
+vsftpd_config_file: /etc/vsftpd/vsftpd.conf

+ 12 - 0
review/review-roles/vars/defaults-template.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for ansible-vsftpd
+vsftpd_anonymous_enable: true
+vsftpd_connect_from_port_20: true
+vsftpd_listen: true
+vsftpd_local_enable: false
+vsftpd_setype: public_content_t
+vsftpd_syslog_enable: true
+vsftpd_write_enable: true
+vsftpd_chroot_local_user: true
+vsftpd_anon_root: /var/ftp
+vsftpd_local_root: /var/ftp
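Review bot: This file is the one ansible-vsftpd.yml loads through `vars_files`, yet `vsftpd_setype: public_content_t` is not consumed by anything in that play; only vsftpd-configure.yml references the variable, and that play gets its defaults from the role instead. Either drop the key from here or move it next to the tasks that use it, so a reader does not assume the standalone play labels the FTP root. The same twelve keys also appear in review-roles/defaults-template.yml and in the role's defaults/main.yml, which is three places to keep in step.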

+ 5 - 0
review/review-roles/vars/vars.yml

@@ -0,0 +1,5 @@
+---
+# vars file for ansible-vsftpd
+vsftpd_package: vsftpd
+vsftpd_service: vsftpd
+vsftpd_config_file: /etc/vsftpd/vsftpd.conf

+ 47 - 0
review/review-roles/vsftpd-configure.yml

@@ -0,0 +1,47 @@
+- name: Install and configure vsftpd
+  hosts: ftpservers
+  vars:
+    vsftpd_anon_root: /mnt/share/
+    vsftpd_local_root: /mnt/share/
+  roles:
+    - ansible-vsftpd
+  tasks:
+    - name: /dev/vdb1 is partitioned
+      parted:
+        device: /dev/vdb
+        number: 1
+        label: gpt
+        part_start: 1MiB
+        part_end: 100%
+        state: present
+    - name: XFS file system exists on /dev/vdb1
+      filesystem:
+        dev: /dev/vdb1
+        fstype: xfs
+        force: yes
+    - name: anon_root mount point exists
+      file:
+        path: '{{ vsftpd_anon_root }}'
+        state: directory
+    - name: /dev/vdb1 is mounted on anon_root
+      mount:
+        path: '{{ vsftpd_anon_root }}'
+        src: /dev/vdb1
+        fstype: xfs
+        state: mounted
+        dump: '1'
+        passno: '2'
+      notify: restart vsftpd
+    - name: Make sure permissions on mounted fs are correct
+      file:
+        path: '{{ vsftpd_anon_root }}'
+        owner: root
+        group: root
+        mode: '0755'
+        setype: "{{ vsftpd_setype }}"
+        state: directory
+    - name: Copy README to the ftp anon_root
+      copy:
+        dest: '{{ vsftpd_anon_root }}/README'
+        content: "Welcome to the FTP server at {{ ansible_fqdn }}\n"
+        setype: '{{ vsftpd_setype }}'
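Review bot: `force: yes` on the "XFS file system exists on /dev/vdb1" task is destructive on every run: as far as I read the filesystem module, the "already formatted as the requested fstype, nothing to do" short-circuit is skipped when force is set, so mkfs.xfs runs again and wipes whatever the share under `/mnt/share/` already holds each time the play is executed. Drop the flag or set `force: false` so an existing XFS filesystem is left alone and only a different filesystem type causes a failure that an operator can look at. The parted task is likewise unconditional on `/dev/vdb`; that is acceptable for a lab image but deserves a comment naming the assumption, since a different disk layout on a real host would be repartitioned. Lastly, the README copy sets `setype` but no `owner`/`mode`, so its permissions depend on the connection user's umask; `mode: '0644'` makes the anonymous-readable intent explicit.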

+ 27 - 0
review/review-roles/vsftpd.conf.j2

@@ -0,0 +1,27 @@
+# Vsftpd configuration
+# {{ ansible_managed }}
+
+connect_from_port_20={{ 'YES' if vsftpd_connect_from_port_20 else 'NO' }}
+listen={{ 'YES' if vsftpd_listen else 'NO' }}
+pam_service_name=vsftpd
+syslog_enable={{ 'YES' if vsftpd_syslog_enable else 'NO' }}
+
+anonymous_enable={{ 'YES' if vsftpd_anonymous_enable else 'NO' }}
+{% if vsftpd_anon_root is defined %}
+anon_root={{ vsftpd_anon_root }}
+{% endif %}
+
+local_enable={{ 'YES' if vsftpd_local_enable else 'NO' }}
+{% if vsftpd_local_root is defined %}
+local_root={{ vsftpd_local_root }}
+{% endif %}
+local_umask=022
+
+write_enable={{ 'YES' if vsftpd_write_enable else 'NO' }}
+
+chroot_local_user={{ 'YES' if vsftpd_chroot_local_user else 'NO' }}
+
+pasv_enable=Yes
+pasv_min_port=21000
+pasv_max_port=21020
+
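Review bot: Nothing in this commit references a template at review-roles/vsftpd.conf.j2 — ansible-vsftpd.yml uses `templates/vsftpd.conf.j2` and the role carries its own copy — so this fourth copy appears to be dead and will only drift from the ones that are rendered. Remove it, or if it is meant as the master copy, make the play and the role read from this path instead of carrying duplicates.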