
clase 03/03/23

pulitux 2 år sedan
förälder
incheckning
5edb69d555
58 ändrade filer med 1536 tillägg och 0 borttagningar
  1. 9 0
      database-auto/ansible.cfg
  2. 28 0
      database-auto/configure_mariadb_security.yml
  3. 30 0
      database-auto/configure_users.yml
  4. 11 0
      database-auto/dump_inventory_db.yml
  5. 22 0
      database-auto/files/inventory-database.sql
  6. 3 0
      database-auto/files/my.cnf
  7. 9 0
      database-auto/group_vars/db_servers/users.yml
  8. 11 0
      database-auto/group_vars/db_servers/vault.yml
  9. 25 0
      database-auto/import_inventory_db.yml
  10. 10 0
      database-auto/install_mariadb_client.yml
  11. 23 0
      database-auto/install_mariadb_server.yml
  12. 8 0
      database-auto/inventory
  13. 31 0
      database-auto/restore_inventory_db.yml
  14. 28 0
      database-auto/solutions/configure_mariadb_security.yml.solution
  15. 30 0
      database-auto/solutions/configure_users.yml.solution
  16. 11 0
      database-auto/solutions/dump_inventory_db.yml.solution
  17. 25 0
      database-auto/solutions/import_inventory_db.yml.solution
  18. 10 0
      database-auto/solutions/install_mariadb_client.yml.solution
  19. 23 0
      database-auto/solutions/install_mariadb_server.yml.solution
  20. 31 0
      database-auto/solutions/restore_inventory_db.yml.solution
  21. 9 0
      database-review/ansible.cfg
  22. 28 0
      database-review/configure_mariadb_security.yml
  23. 30 0
      database-review/configure_users.yml
  24. 105 0
      database-review/files/legacy-database.sql
  25. 3 0
      database-review/files/my.cnf
  26. 22 0
      database-review/group_vars/db_servers/users.yml
  27. 33 0
      database-review/install_mariadb_server.yml
  28. 8 0
      database-review/inventory
  29. 31 0
      database-review/restore_legacy_db.yml
  30. 28 0
      database-review/solutions/configure_mariadb_security.yml.solution
  31. 30 0
      database-review/solutions/configure_users.yml.solution
  32. 10 0
      database-review/solutions/install_mariadb_client.yml.solution
  33. 33 0
      database-review/solutions/install_mariadb_server.yml.solution
  34. 31 0
      database-review/solutions/restore_legacy_db.yml.solution
  35. 3 0
      filestorage-automation/ansible.cfg
  36. 7 0
      filestorage-automation/inventory
  37. 20 0
      filestorage-automation/nfs_client.yml
  38. 48 0
      filestorage-automation/nfs_server.yml
  39. 39 0
      filestorage-automation/smb_client.yml
  40. 87 0
      filestorage-automation/smb_server.yml
  41. 22 0
      filestorage-automation/smb_vars.yml
  42. 48 0
      filestorage-automation/solution/nfs_server.yml
  43. 88 0
      filestorage-automation/solution/smb_server.yml
  44. 3 0
      filestorage-automation/templates/share.exports.j2
  45. 12 0
      filestorage-automation/templates/smb.conf.j2
  46. 20 0
      filestorage-review/.solution/nfs_client.yml
  47. 48 0
      filestorage-review/.solution/nfs_server.yml
  48. 9 0
      filestorage-review/.solution/smb.conf.j2
  49. 30 0
      filestorage-review/.solution/smb_client.yml
  50. 62 0
      filestorage-review/.solution/smb_server.yml
  51. 3 0
      filestorage-review/ansible.cfg
  52. 7 0
      filestorage-review/inventory
  53. 15 0
      filestorage-review/nfs_client.yml
  54. 62 0
      filestorage-review/nfs_server.yml
  55. 23 0
      filestorage-review/smb_client.yml
  56. 54 0
      filestorage-review/smb_server.yml
  57. 10 0
      filestorage-review/smb_vars.yml
  58. 37 0
      filestorage-review/templates/smb.conf.j2

+ 9 - 0
database-auto/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory=./inventory
+remote_user=devops
+
+[privilege_escalation]
+become=False
+become_method=sudo
+become_user=root
+become_ask_pass=False

+ 28 - 0
database-auto/configure_mariadb_security.yml

@@ -0,0 +1,28 @@
+---
+- name: Securing MariaDB
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Assign password to MariaDB root user
+      mysql_user:
+        name: root
+        host_all: yes
+        update_password: always
+        password: "{{ pw }}"
+
+    - name: Authentication credentials copied to root home directory
+      copy:
+        src: files/my.cnf
+        dest: /root/.my.cnf
+
+    - name: Remove anonymous user accounts
+      mysql_user:
+        name: '' 
+        host_all: yes
+        state: absent
+
+    - name: Remove test database
+      mysql_db:
+        name: test
+        state: absent
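Review bot: The `copy` of `files/my.cnf` to `/root/.my.cnf` sets no `mode`, so the file holding the root database password is created with whatever the default umask yields instead of being owner-only; add `mode: '0600'` together with `owner: root` and `group: root` to that task. The task that sets the root password passes `{{ pw }}` as a module argument without `no_log: true`, so a verbose or failed run prints it; add `no_log: true` there. The same two omissions are in the three copies of this playbook: database-auto/solutions/configure_mariadb_security.yml.solution, database-review/configure_mariadb_security.yml and database-review/solutions/configure_mariadb_security.yml.solution. In database-review/configure_mariadb_security.yml the value `host_all: all` is not a boolean, which the module will most likely refuse to convert; if that is not a deliberate exercise error it should read `host_all: yes`.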

+ 30 - 0
database-auto/configure_users.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure users in MariaDB
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Create users and set password if not present
+      mysql_user:
+        name: "{{ item['name']  }}"
+        update_password: on_create
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"
+
+    - name: Configure users in MariaDB inventory
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host: "{{ item['host'] }}"
+        priv: "{{ item['priv'] }}"
+        state: "{{ item['state'] }}"
+      loop: "{{ mysql_users }}"
+
+    - name: Update users with password for all host
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host_all: yes
+        update_password: always
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"
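Review bot: All three `mysql_user` tasks loop over `mysql_user_passwords` or `mysql_users` without `no_log: true`, so each loop item, including the plaintext `password` taken from the vault, is echoed in the per-item task result and lands in any log or callback output; add `no_log: true` at least to the first and third tasks. The first task creates each user with the module's default host (`localhost`) before the second task creates the `host`-specific account, so a user whose only `mysql_users` entry uses `'%'` (such as `steve`) is also left with a `localhost` account carrying the same password; worth confirming that is intended. The same applies to database-auto/solutions/configure_users.yml.solution, database-review/configure_users.yml and database-review/solutions/configure_users.yml.solution.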

+ 11 - 0
database-auto/dump_inventory_db.yml

@@ -0,0 +1,11 @@
+---
+- name: Database backup
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Backup inventory database
+      mysql_db:
+        state: dump
+        name: inventory
+        target: /home/student/inventory.dump
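Review bot: The dump task writes `/home/student/inventory.dump` but nothing sets its owner or mode, so a complete copy of the database is left in another user's home directory with whatever permissions the root process's umask gives it. Follow the dump with a `file` task (`path: /home/student/inventory.dump`, `owner: student`, `mode: '0600'`) or dump into a root-owned directory instead. `state: dump` also runs unconditionally, so the play reports changed on every run. Same in database-auto/solutions/dump_inventory_db.yml.solution.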

+ 22 - 0
database-auto/files/inventory-database.sql

@@ -0,0 +1,22 @@
+use inventory;
+
+create table manufacturer(id int not null auto_increment, name varchar(100) not null, seller varchar(100), phone_number varchar(17), primary key(id));
+create table category (id int not null auto_increment, name varchar(100) not null, primary key (id));
+create table product (id int not null auto_increment, name varchar(100) not null, price double not null, stock int not null, id_category int not null, id_manufacturer int not null, primary key(id));
+
+insert into category(name) values ('Networking');
+insert into category(name) values('Servers');
+insert into category(name) values('Ssd');
+insert into manufacturer(name,seller,phone_number) values ('SanDisk', 'John Miller','+1 (941) 555-8855');
+insert into manufacturer(name,seller,phone_number) values ('Kingston', 'Mike Taylor','+1 (341) 555-9999');
+insert into manufacturer(name,seller,phone_number) values ('Asus', 'Wilson Jackson','+1 (432) 555-8899');
+insert into manufacturer(name,seller,phone_number) values ('Lenovo', 'Allen Scott','+1 (876) 555-4439');
+insert into product(name,price,stock,id_category,id_manufacturer) values ('ThinkServer TS140', 539.88,20,2,4);
+insert into product(name,price,stock,id_category,id_manufacturer) values ('ThinkServer RD630', 2379.14,20,2,4);
+insert into product(name,price,stock,id_category,id_manufacturer) values ('RT-AC68U', 219.99,10,1,3);
+insert into product(name,price,stock,id_category,id_manufacturer) values ('X110 64GB',73.84 ,100,3,1);
+
+
+
+
+
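Review bot: The `product` table declares `id_category` and `id_manufacturer` as plain `int not null` with no `FOREIGN KEY` to `category(id)` and `manufacturer(id)`, so the import accepts rows that reference no category or manufacturer and nothing prevents a parent row from being deleted underneath them; the inserts below already create the parents first, so the constraints would hold for this fixture. `price double` is a floating-point column for a money value; `decimal(10,2)` stores the inserted prices exactly. The trailing blank lines at the end of the file can go. The mysqldump in database-review/files/legacy-database.sql carries the same schema, but as a generated dump it is better regenerated than hand-edited.
```sql
create table product (
    id int not null auto_increment,
    name varchar(100) not null,
    price decimal(10,2) not null,
    stock int not null,
    id_category int not null,
    id_manufacturer int not null,
    primary key (id),
    constraint product_id_category_fk foreign key (id_category) references category (id),
    constraint product_id_manufacturer_fk foreign key (id_manufacturer) references manufacturer (id)
);
-- … unchanged: manufacturer and category tables, insert statements …
```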

+ 3 - 0
database-auto/files/my.cnf

@@ -0,0 +1,3 @@
+[client]
+user=root
+password=redhat
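Review bot: `password=redhat` stores the MariaDB root password in cleartext in the repository, while the same credential is kept as `pw` in the encrypted group_vars/db_servers/vault.yml, so the vault protects nothing as long as this file is committed next to it. Render `/root/.my.cnf` from a template that uses `{{ pw }}` (with `no_log: true` and `mode: '0600'` on the task), or vault-encrypt this file itself, since `copy` decrypts a vault-encrypted source automatically. database-review/files/my.cnf has identical content.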

+ 9 - 0
database-auto/group_vars/db_servers/users.yml

@@ -0,0 +1,9 @@
+mysql_users:
+  - name: john
+    host: localhost
+    priv: 'inventory.*:INSERT,UPDATE,DELETE,SELECT'
+    state: present
+  - name: steve
+    host: '%'
+    priv: 'inventory.*:SELECT'
+    state: present
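Review bot: `host: '%'` for `steve` lets that account authenticate from any address, and install_mariadb_server.yml opens the mysql firewall service without a source restriction, so the password is the only thing between the network and a SELECT-capable login. If serverb.lab.example.com is the only client (the inventory lists it alone under `db_clients`), `host: serverb.lab.example.com` is the narrower grant. Scoping `priv` to `inventory.*` rather than `*.*` is right.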

+ 11 - 0
database-auto/group_vars/db_servers/vault.yml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+39633336643665383763343734333138386338333234353136386562373338366462643361346238
+6461333863636339373762616162646361363133626338660a643432636163356132623161346165
+62346131376533626563356230323338353765366565653833326438666465356331316333653433
+6134353433636632340a393934396266313664666266626230323037356237313438333737393735
+64383561626564653238326366326633656530643765313261336434616439363331333539313066
+36336363363365386162373234383963366532356333636439623866383834613861323061643430
+62333932633632616566383065636636643934613962356466343238373561356136643036333439
+61393263343130363637663838613064613432313533346331646139383138366563383037303230
+37666462366631343137666231656534383766646662653165323230326330353538656361383266
+3434613233323765326635373037383839303466313536393433

+ 25 - 0
database-auto/import_inventory_db.yml

@@ -0,0 +1,25 @@
+---
+- name: Import database
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Make sure inventory database exists
+      mysql_db:
+        name: inventory
+        state: present
+      register: inventory_present
+
+    - name: Is inventory database backup present?
+      stat:
+        path: /home/student/inventory.dump
+      register: inventory_bkup
+
+    - name: Import inventory backup data
+      mysql_db:
+        name: inventory
+        state: import
+        target: /home/student/inventory.dump
+      when:
+        - inventory_present['changed'] == false
+        - inventory_bkup['stat']['exists'] == true
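Review bot: The import runs only when `inventory_present['changed'] == false`, i.e. when the database already existed, so on a host where the first task has just created `inventory` the dump is never imported and the play ends with an empty database; if importing only onto an existing database is deliberate, a comment saying so would help, because restore_inventory_db.yml uses the opposite condition. Stylistically the registered values are already booleans, so `- not inventory_present.changed` and `- inventory_bkup.stat.exists` read better than comparing with `== false`/`== true`. Same in database-auto/solutions/import_inventory_db.yml.solution.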

+ 10 - 0
database-auto/install_mariadb_client.yml

@@ -0,0 +1,10 @@
+---
+- name: Install MariaDB client
+  hosts: db_clients
+  become: yes
+
+  tasks:
+    - name: Install mariadb client package
+      yum:
+        name: mariadb
+        state: present

+ 23 - 0
database-auto/install_mariadb_server.yml

@@ -0,0 +1,23 @@
+---
+- name: Install MariaDB server
+  hosts: db_servers
+  become: yes
+
+  tasks:
+  - name: Install mariadb-server package
+    yum:
+      name: mariadb-server
+      state: present
+
+  - name: Enable and start mariadb
+    service:
+      name: mariadb
+      state: started
+      enabled: yes
+
+  - name: Firewall permits mysql service
+    firewalld:
+      service: mysql
+      permanent: true
+      state: enabled
+      immediate: yes
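Review bot: The `firewalld` task opens the `mysql` service to every source, permanently and immediately, although the inventory has a single client (serverb.lab.example.com); a rich rule limited to that host's address, or a dedicated zone bound with `source`, would narrow the exposure. The task list here is indented two spaces under `tasks:` while every other playbook in the directory, including the .solution copy, indents four; both parse, but one convention per repository is easier to lint. database-review/install_mariadb_server.yml and its .solution open the firewall the same way.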

+ 8 - 0
database-auto/inventory

@@ -0,0 +1,8 @@
+[control_node]
+workstation.lab.example.com
+
+[db_servers]
+servera.lab.example.com
+
+[db_clients]
+serverb.lab.example.com

+ 31 - 0
database-auto/restore_inventory_db.yml

@@ -0,0 +1,31 @@
+---
+- name: Restore inventory database if not present
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Make sure inventory database exists
+      mysql_db:
+        name: inventory
+        state: present
+      register: inventory_present
+
+    - name: Is inventory database backup present?
+      stat:
+        path: /srv/inventory-database.sql
+      register: inventory_bkup
+
+    - name: Copy database backup file to host if not present
+      copy:
+        src: files/inventory-database.sql
+        dest: /srv
+      when:
+        - inventory_present['changed'] == true
+        - inventory_bkup['stat']['exists'] == false
+
+    - name: Restore inventory backup data
+      mysql_db:
+        name: inventory
+        state: import
+        target: /srv/inventory-database.sql
+      when: inventory_present['changed'] == true
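Review bot: The restore is keyed on `inventory_present['changed']`, so if the import task fails after the database has been created, the next run sees the database as already present and never retries, leaving an empty `inventory` database that no later run repairs. A check derived from the target state (for example a query that tests whether the `product` table exists) or a `block`/`rescue` that drops the half-created database when the import fails would make the play converge. As in the other playbooks, `== true`/`== false` can be written as the bare boolean. The same structure is in database-auto/solutions/restore_inventory_db.yml.solution, database-review/restore_legacy_db.yml and database-review/solutions/restore_legacy_db.yml.solution.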

+ 28 - 0
database-auto/solutions/configure_mariadb_security.yml.solution

@@ -0,0 +1,28 @@
+---
+- name: Securing MariaDB
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Assign password to MariaDB root user
+      mysql_user:
+        name: root
+        host_all: yes
+        update_password: always
+        password: "{{ pw }}"
+
+    - name: Authentication credentials copied to root home directory
+      copy:
+        src: files/my.cnf
+        dest: /root/.my.cnf
+
+    - name: Remove anonymous user accounts
+      mysql_user:
+        name: ''
+        host_all: yes
+        state: absent
+
+    - name: Remove test database
+      mysql_db:
+        name: test
+        state: absent

+ 30 - 0
database-auto/solutions/configure_users.yml.solution

@@ -0,0 +1,30 @@
+---
+- name: Configure users in MariaDB
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Create users and set password if not present
+      mysql_user:
+        name: "{{ item['name']  }}"
+        update_password: on_create
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"
+
+    - name: Configure users in MariaDB inventory
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host: "{{ item['host'] }}"
+        priv: "{{ item['priv'] }}"
+        state: "{{ item['state'] }}"
+      loop: "{{ mysql_users }}"
+
+    - name: Update users with password for all host
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host_all: yes
+        update_password: always
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"

+ 11 - 0
database-auto/solutions/dump_inventory_db.yml.solution

@@ -0,0 +1,11 @@
+---
+- name: Database backup
+  hosts: db_servers
+  become: yes 
+
+  tasks:
+    - name: Backup inventory database
+      mysql_db:
+        state: dump
+        name: inventory
+        target: /home/student/inventory.dump

+ 25 - 0
database-auto/solutions/import_inventory_db.yml.solution

@@ -0,0 +1,25 @@
+---
+- name: Import database
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Make sure inventory database exists
+      mysql_db:
+        name: inventory
+        state: present
+      register: inventory_present
+
+    - name: Is inventory database backup present?
+      stat:
+        path: /home/student/inventory.dump
+      register: inventory_bkup
+
+    - name: Import inventory backup data
+      mysql_db:
+        name: inventory
+        state: import
+        target: /home/student/inventory.dump
+      when:
+        - inventory_present['changed'] == false
+        - inventory_bkup['stat']['exists'] == true

+ 10 - 0
database-auto/solutions/install_mariadb_client.yml.solution

@@ -0,0 +1,10 @@
+---
+- name: Install MariaDB client
+  hosts: db_clients
+  become: yes 
+
+  tasks:
+    - name: Install MariaDB client package
+      yum:
+        name: mariadb
+        state: present

+ 23 - 0
database-auto/solutions/install_mariadb_server.yml.solution

@@ -0,0 +1,23 @@
+---
+- name: Install MariaDB server
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Install mariadb-server package
+      yum:
+        name: mariadb-server
+        state: present
+
+    - name: Enable and start mariadb
+      service:
+        name: mariadb
+        state: started
+        enabled: yes
+
+    - name: Firewall permits mysql service
+      firewalld:
+        service: mysql
+        permanent: true
+        state: enabled
+        immediate: yes

+ 31 - 0
database-auto/solutions/restore_inventory_db.yml.solution

@@ -0,0 +1,31 @@
+---
+- name: Restore inventory database if not present
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Make sure inventory database exists
+      mysql_db:
+        name: inventory
+        state: present
+      register: inventory_present
+
+    - name: Is inventory database backup present?
+      stat:
+        path: /srv/inventory-database.sql
+      register: inventory_bkup
+
+    - name: Copy database backup file to host if not present
+      copy:
+        src: files/inventory-database.sql
+        dest: /srv
+      when:
+        - inventory_present['changed'] == true
+        - inventory_bkup['stat']['exists'] == false
+
+    - name: Restore inventory backup data
+      mysql_db:
+        name: inventory
+        state: import
+        target: /srv/inventory-database.sql
+      when: inventory_present['changed'] == true

+ 9 - 0
database-review/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory=inventory
+remote_user=devops
+
+[privilege_escalation]
+become=False
+become_method=sudo
+become_user=root
+become_ask_pass=False

+ 28 - 0
database-review/configure_mariadb_security.yml

@@ -0,0 +1,28 @@
+---
+- name: Securing MariaDB
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Assign password to MariaDB root user
+      mysql_user:
+        name: root
+        host_all: all
+        update_password: always
+        password: "{{ pw }}"
+
+    - name: Authentication credentials copied to root home directory
+      copy:
+        src: files/my.cnf
+        dest: /root/.my.cnf
+
+    - name: Remove anonymous user accounts
+      mysql_user:
+        name: ''
+        host_all: yes
+        state: absent
+
+    - name: Remove test database
+      mysql_db:
+        name: test
+        state: absent

+ 30 - 0
database-review/configure_users.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure MariaDB users
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Create users and set password if not present
+      mysql_user:
+        name: "{{ item['user'] }}"
+        update_password: on_create
+        password: "{{ item['password'] }}"
+        state: FIXME
+      loop: "{{ mysql_user_passwords }}"
+
+    - name: Configure users in MariaDB
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host: "{{ item['host'] }}"
+        priv: "{{ item['priv'] }}"
+        state: "{{ item['state'] }}"
+      loop: "{{ mysql_users }}"
+
+    - name: Update missing passwords
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host_all: yes
+        update_password: always
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"

+ 105 - 0
database-review/files/legacy-database.sql

@@ -0,0 +1,105 @@
+-- MySQL dump 10.14  Distrib 5.5.35-MariaDB, for Linux (x86_64)
+--
+-- Host: localhost    Database: inventory
+-- ------------------------------------------------------
+-- Server version	5.5.35-MariaDB
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `category`
+--
+
+DROP TABLE IF EXISTS `category`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `category` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `category`
+--
+
+LOCK TABLES `category` WRITE;
+/*!40000 ALTER TABLE `category` DISABLE KEYS */;
+INSERT INTO `category` VALUES (1,'Networking'),(2,'Servers'),(3,'Ssd');
+/*!40000 ALTER TABLE `category` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `manufacturer`
+--
+
+DROP TABLE IF EXISTS `manufacturer`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `manufacturer` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  `seller` varchar(100) DEFAULT NULL,
+  `phone_number` varchar(17) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `manufacturer`
+--
+
+LOCK TABLES `manufacturer` WRITE;
+/*!40000 ALTER TABLE `manufacturer` DISABLE KEYS */;
+INSERT INTO `manufacturer` VALUES (1,'SanDisk','John Miller','+1 (941) 555-8855'),(2,'Kingston','Mike Taylor','+1 (341) 555-9999'),(3,'Asus','Wilson Jackson','+1 (432) 555-8899'),(4,'Sony','Allen Scott','+1 (876) 555-4439');
+/*!40000 ALTER TABLE `manufacturer` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `product`
+--
+
+DROP TABLE IF EXISTS `product`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `product` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  `price` double NOT NULL,
+  `stock` int(11) NOT NULL,
+  `id_category` int(11) NOT NULL,
+  `id_manufacturer` int(11) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `product`
+--
+
+LOCK TABLES `product` WRITE;
+/*!40000 ALTER TABLE `product` DISABLE KEYS */;
+INSERT INTO `product` VALUES (1,'ThinkServer TS140',539.88,20,2,4),(2,'ThinkServer RD630',2379.14,20,2,4),(3,'RT-AC68U',219.99,10,1,3),(4,'X110 64GB',73.84,100,3,1);
+/*!40000 ALTER TABLE `product` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2014-06-02 11:41:13

+ 3 - 0
database-review/files/my.cnf

@@ -0,0 +1,3 @@
+[client]
+user=root
+password=redhat

+ 22 - 0
database-review/group_vars/db_servers/users.yml

@@ -0,0 +1,22 @@
+mysql_user_passwords:
+ 
+ 
+  - name: mary
+    password: mary_password
+    host: '%'
+    priv: 'inventory.*:SELECT'
+    state: present
+  
+  - name:
+    password:
+    host:
+    priv:
+    state:
+ 
+  - name: 
+    password:
+    host:
+    priv:
+    state:
+~                                                                                                       
+
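Review bot: The line consisting of `~` followed by trailing spaces near the end of the file is a stray editor artifact, not intended YAML; as a bare scalar after the top-level mapping it will most likely make the file fail to parse, so no play that loads these group_vars can start. `password: mary_password` is also committed in cleartext here, whereas database-auto keeps the same kind of value in an encrypted vault.yml; vaulting it keeps the two directories consistent. The two empty list entries (`name:` with no value) would be passed to `mysql_user` as null names if left unfilled; if they are placeholders for students, a comment saying so prevents someone running the playbook as-is.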

+ 33 - 0
database-review/install_mariadb_server.yml

@@ -0,0 +1,33 @@
+---
+- name: Install MariaDB server
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Install mariadb-server package
+      yum:
+        name: mariadb-server
+        state: present
+
+    - name: Enable and start mariadb
+      service:
+        name: mariadb
+        state: started
+        enabled: yes
+
+    - name: Firewall permits mysql service
+      firewalld:
+        service: mysql
+        permanent: yes
+        state: enabled
+        immediate: yes
+
+- name: Install MariaDB client
+  hosts: db_clients
+  become: yes
+
+  tasks:
+    - name: Install MariaDB client package
+      yum:
+        name: mariadb
+        state: present

+ 8 - 0
database-review/inventory

@@ -0,0 +1,8 @@
+[control_node]
+workstation.lab.example.com
+
+[db_servers]
+servera.lab.example.com
+
+[db_clients]
+serverb.lab.example.com

+ 31 - 0
database-review/restore_legacy_db.yml

@@ -0,0 +1,31 @@
+---
+- name: Restore legacy database if not present
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Make sure legacy database exists
+      mysql_db:
+        name: legacy
+        state: present
+      register: legacy_present
+
+    - name: Is legacy database backup present?
+      stat:
+        path: /srv/legacy-database.sql
+      register: legacy_bkup
+
+    - name: Copy database backup file to host if not present
+      copy:
+        src: files/legacy-database.sql
+        dest: /srv
+      when:
+        - legacy_present['changed'] == true
+        - legacy_bkup['stat']['exists'] == false
+
+    - name: Restore legacy backup data
+      mysql_db:
+        name: legacy
+        state: import
+        target: /srv/legacy-database.sql
+      when: legacy_present['changed'] == true

+ 28 - 0
database-review/solutions/configure_mariadb_security.yml.solution

@@ -0,0 +1,28 @@
+---
+- name: Securing MariaDB
+  hosts: db_servers
+  become: yes 
+
+  tasks:
+    - name: Assign password to MariaDB root user
+      mysql_user:
+        name: root
+        host_all: yes 
+        update_password: always
+        password: "{{ pw }}"
+
+    - name: Authentication credentials copied to root home directory
+      copy:
+        src: files/my.cnf
+        dest: /root/.my.cnf
+
+    - name: Remove anonymous user accounts
+      mysql_user:
+        name: ''
+        host_all: yes 
+        state: absent
+
+    - name: Remove test database
+      mysql_db:
+        name: test
+        state: absent

+ 30 - 0
database-review/solutions/configure_users.yml.solution

@@ -0,0 +1,30 @@
+---
+- name: Configure MariaDB users
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Create users and set password if not present
+      mysql_user:
+        name: "{{ item['name'] }}"
+        update_password: on_create
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"
+
+    - name: Configure users in MariaDB
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host: "{{ item['host'] }}"
+        priv: "{{ item['priv'] }}"
+        state: "{{ item['state'] }}"
+      loop: "{{ mysql_users }}"
+
+    - name: Update missing passwords
+      mysql_user:
+        name: "{{ item['name'] }}"
+        host_all: yes
+        update_password: always
+        password: "{{ item['password'] }}"
+        state: present
+      loop: "{{ mysql_user_passwords }}"

+ 10 - 0
database-review/solutions/install_mariadb_client.yml.solution

@@ -0,0 +1,10 @@
+---
+- name: Install MariaDB client
+  hosts: db_clients
+  become: yes
+
+  tasks:
+    - name: Install MariaDB client package
+      yum:
+        name: mariadb
+        state: present

+ 33 - 0
database-review/solutions/install_mariadb_server.yml.solution

@@ -0,0 +1,33 @@
+---
+- name: Install MariaDB server
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Install mariadb-server package
+      yum:
+        name: mariadb-server
+        state: present
+
+    - name: Enable and start mariadb
+      service:
+        name: mariadb
+        state: started
+        enabled: yes
+
+    - name: Firewall permits mysql service
+      firewalld:
+        service: mysql
+        permanent: true
+        state: enabled
+        immediate: yes
+
+- name: Install MariaDB client
+  hosts: db_clients
+  become: yes
+
+  tasks:
+    - name: Install MariaDB client package
+      yum:
+        name: mariadb
+        state: present

+ 31 - 0
database-review/solutions/restore_legacy_db.yml.solution

@@ -0,0 +1,31 @@
+---
+- name: Restore legacy database if not present
+  hosts: db_servers
+  become: yes
+
+  tasks:
+    - name: Make sure legacy database exists
+      mysql_db:
+        name: legacy
+        state: present
+      register: legacy_present
+
+    - name: Is legacy database backup present?
+      stat:
+        path: /srv/legacy-database.sql
+      register: legacy_bkup
+
+    - name: Copy database backup file to host if not present
+      copy:
+        src: files/legacy-database.sql
+        dest: /srv
+      when:
+        - legacy_present['changed'] == true
+        - legacy_bkup['stat']['exists'] == false
+
+    - name: Restore legacy backup data
+      mysql_db:
+        name: legacy
+        state: import
+        target: /srv/legacy-database.sql
+      when: legacy_present['changed'] == true

+ 3 - 0
filestorage-automation/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory=inventory
+remote_user=devops

+ 7 - 0
filestorage-automation/inventory

@@ -0,0 +1,7 @@
+[servers]
+serverd.lab.example.com
+
+[clients]
+servera.lab.example.com
+serverb.lab.example.com
+serverc.lab.example.com

+ 20 - 0
filestorage-automation/nfs_client.yml

@@ -0,0 +1,20 @@
+---
+- name: Access an NFS export
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    shared_dir: /nfsshare
+    mount_point: /datanfs
+
+  tasks:
+    - name: the nfs-utils package is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the NFS export is mounted and in /etc/fstab
+      mount:
+        path: "{{ mount_point }}"
+        src: serverd.lab.example.com:{{ shared_dir }}
+        state: mounted
+        fstype: nfs
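Review bot: `src: serverd.lab.example.com:{{ shared_dir }}` hard-codes the NFS server a second time (it is also the `hosts:` target of nfs_server.yml), so moving the export means editing two files; a `nfs_server: serverd.lab.example.com` entry under `vars` and `src: "{{ nfs_server }}:{{ shared_dir }}"` keeps it in one place and quotes the Jinja expression like the `path` line does. The mount sets no `opts`, so the client negotiates whatever protocol version the server offers; pinning it (e.g. `opts: "vers=4.2,_netdev"`) makes the mount explicit and keeps boot from blocking on the network.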

+ 48 - 0
filestorage-automation/nfs_server.yml

@@ -0,0 +1,48 @@
+---
+- name: Export a directory using NFS
+  hosts: serverd.lab.example.com
+  become: true
+  vars:
+    shared_dir: /nfsshare
+
+  tasks:
+    - name: the nfs-utils package is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: student
+        group: root
+        mode: '0755'
+        state: directory
+
+    - name: the directory is exported
+      template:
+        src: templates/share.exports.j2
+        dest: /etc/exports.d/share.exports
+        owner: root
+        group: root
+        mode: 0644
+      notify: reload exports
+
+    - name: the nfs-server service is started and enabled
+      service:
+        name: nfs-server
+        state: started
+        enabled: yes
+
+    - name: the nfs firewall service is opened
+      firewalld:
+        service: nfs
+        state: enabled
+        permanent: yes
+        immediate: yes
+      
+  handlers:
+    - name: reload exports
+      service:
+        name: nfs-server
+        state: reloaded
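Review bot: `mode: 0644` on the template task is an unquoted octal literal while the `file` task above writes `mode: '0755'`; a YAML 1.1 parser reads `0644` as the integer 420, which happens to be the right mode, but `644` would silently not be, which is why ansible-lint's risky-octal rule asks for the quoted form `mode: '0644'`. The same unquoted `mode: 0644` is in filestorage-automation/smb_server.yml. The exported directory is handed to `student` with `0755`; the export options themselves live in templates/share.exports.j2, which is outside this section, so whether the export is read-only or root-squashed cannot be reviewed here.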

+ 39 - 0
filestorage-automation/smb_client.yml

@@ -0,0 +1,39 @@
+---
+- name: Access an SMB share
+  hosts: servera.lab.example.com
+  become: true
+  vars_files:
+   - smb_vars.yml
+
+  tasks:
+    - name: the cifs-utils package is installed
+      yum:
+        name: cifs-utils
+        state: present
+
+    - name: the credential file exists
+      copy:
+        content: "username={{ samba_usermount }}\n\
+                  password={{ samba_passmount }}\n"
+        dest: /etc/samba/creds.txt
+        owner: root
+        group: root
+        mode: '0600'
+      no_log: true
+
+    - name: the SMB share is mounted
+      mount:
+        path: "{{ mount_point }}"
+        src: "//serverd.lab.example.com/{{ share_name }}"
+        opts: "credentials=/etc/samba/creds.txt,multiuser,seal"
+        state: mounted
+        fstype: cifs
+
+    - name: the Linux users exist
+      user:
+        name: "{{ item.name }}"
+        shell: /bin/bash
+        password: "{{ item.password | \
+                   password_hash('sha512', 'redhatsalt') }}"
+      loop: "{{ samba_users }}"
+      no_log: true
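Review bot: `password_hash('sha512', 'redhatsalt')` uses one fixed salt for every user, so two users with the same password get identical hashes in /etc/shadow and the salt is visible in the repository; the idempotence the salt provides can be kept with a per-user salt, e.g. `password_hash('sha512', 65534 | random(seed=item.name) | string)`. The credential-file task is done right (`mode: '0600'`, `no_log: true`) and the `seal` mount option encrypts the SMB session. The `- smb_vars.yml` entry under `vars_files` is indented three spaces while the rest of the file uses two or four.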

+ 87 - 0
filestorage-automation/smb_server.yml

@@ -0,0 +1,87 @@
+---
+- name: Share a directory with SMB
+  hosts: serverd.lab.example.com
+  become: true
+  vars_files:
+    - smb_vars.yml
+
+  tasks:
+    - name: the samba package is installed
+      yum:
+        name: samba
+        state: present
+
+    # Creating the Linux and Samba user for the multiuser mount.
+    # That user is only used to mount the share.
+
+    - name: the Linux user for Samba mount exists
+      user:
+        name: "{{ samba_usermount }}"
+        shell: /sbin/nologin
+        create_home: no
+        system: yes
+
+    - name: the Samba user for Samba mount exists
+      command: smbpasswd -s -a {{ samba_usermount }}
+      args:
+        stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"
+
+    # Group and users with write access to the share
+
+    - name: the Linux group exists
+      group:
+        name: "{{ allowed_group }}"
+        system: yes
+
+    - name: the Linux users exist for Samba users
+      user:
+        name: "{{ item['name'] }}"
+        shell: /sbin/nologin
+        groups:
+          - "{{ allowed_group }}"
+      loop: "{{ samba_users }}"
+      no_log: true
+
+    - name: the Samba users exist
+      command: smbpasswd -s -a {{ item['name'] }}
+      args:
+        stdin: "{{ item['password'] }}\n{{ item['password'] }}"
+      loop: "{{ samba_users }}"
+      no_log: true
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: root
+        group: "{{ allowed_group }}"
+        mode: '2775'
+        state: directory
+        setype: samba_share_t
+
+    - name: the directory is shared
+      template:
+        src: templates/smb.conf.j2
+        dest: /etc/samba/smb.conf
+        owner: root
+        group: root
+        mode: 0644
+      notify: reload smb
+
+    - name: the smb service is started and enabled
+      service:
+        name: smb
+        state: started
+        enabled: yes
+
+    - name: the samba firewall service is opened
+      firewalld:
+        service: samba
+        state: enabled
+        permanent: yes
+        immediate: yes
+
+  handlers:
+    - name: reload smb
+      service:
+        name: smb
+        state: reloaded
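Review bot: The task `the Samba user for Samba mount exists` passes `samba_passmount` through `stdin` without `no_log: true`, unlike the later per-user `smbpasswd` loop which has it, so a verbose or failing run prints the mount user's password in the task result; add `no_log: true` to it. Both `smbpasswd -s -a` tasks also run and report changed on every play because `command` carries no idempotence check; a preceding `pdbedit -L` registered into a `when`, or at least `changed_when: false`, keeps the play converging honestly. `mode: 0644` on the smb.conf template is unquoted while the directory task uses `'2775'`; use the quoted form.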

+ 22 - 0
filestorage-automation/smb_vars.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+35623432323135336535396635333034613066646137303063396331383065623135626261353636
+3532373238313061363332353664326261353032613563620a303632316234633133353163373963
+37376431613533333830373765623364303066353132623132313463663931656238333530663330
+3536326131653261380a373135643130386237646237386431643163643466376635663733356231
+31303838316637386166373035633364333335346532643036666537326463663733376636306665
+62346536333764316466353963363765623063643939643832353530373862363162663332346136
+37646539633739396535663966336238383564666664363134363433396637393038393738616532
+62343366353132303637653962656465626163633130623634386563636166643538333262643731
+34306639313931353061303837633133383564383463616236613539396562306164646164333538
+31383566366365363837343434343738346633626630306333313835663433353266373831646464
+38623338663835333133626130303062303837653939313366306462313831313931333237363038
+66306634333665663339653662646130326438666231613835643133326330643764333261333565
+64656166386133623834663435626638313766653539373733376439373762616337306433663238
+30623633316330663064306138333933623666646436386233336264373664353635323364353631
+61646233653935333063633066663533373631306363656435363431316133303065356236653635
+35643063663562383730653361393237313535616234393231343364333436346536363564666137
+66326631306263336461636363656563366334356566616132353934313235383762616331323035
+34383833336433666237323361393765343733366563373562313065343161373637393663646330
+32663365353637366336633938623937393761393839316231396132333334633662393866303731
+62306662383530636439353036373761653833646563363562633661616266343436656334333134
+61326530653966643666353065306463386363633961373263636533633561356135

+ 48 - 0
filestorage-automation/solution/nfs_server.yml

@@ -0,0 +1,48 @@
+---
+- name: Export a directory using NFS
+  hosts: serverd.lab.example.com
+  become: true
+  vars:
+    shared_dir: /nfsshare
+
+  tasks:
+    - name: the nfs-utils package is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: student
+        group: root
+        mode: '0755'
+        state: directory
+
+    - name: the directory is exported
+      template:
+        src: templates/share.exports.j2
+        dest: /etc/exports.d/share.exports
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload exports
+
+    - name: the nfs-server service is started and enabled
+      service:
+        name: nfs-server
+        state: started
+        enabled: yes
+
+    - name: the nfs firewall service is opened
+      firewalld:
+        service: nfs
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload exports
+      service:
+        name: nfs-server
+        state: reloaded
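Review bot: Only the `nfs` firewalld service (port 2049) is opened in the last task, which is the right, smaller exposure for NFSv4 but leaves NFSv3 clients unable to mount since they also need rpc-bind and mountd; if v4-only is intended, say so on that task, `# NFSv4 only: rpc-bind/mountd are deliberately not opened`. The exports rendered from templates/share.exports.j2 grant `rw` to every host in `groups['clients']` on hostname identity alone (AUTH_SYS), so the export is only as strong as DNS/IP for those hosts; a comment on the template task, `# host-based access only (sec=sys): anyone able to claim a client hostname can mount rw`, would make that trade-off visible to whoever reuses this play.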

+ 88 - 0
filestorage-automation/solution/smb_server.yml

@@ -0,0 +1,88 @@
+---
+- name: Share a directory with SMB
+  hosts: serverd.lab.example.com
+  become: true
+  vars_files:
+    - smb_vars.yml
+
+  tasks:
+    - name: the samba package is installed
+      yum:
+        name: samba
+        state: present
+
+    # Creating the Linux and Samba user for the multiuser mount.
+    # That user is only used to mount the share.
+
+    - name: the Linux user for Samba mount exists
+      user:
+        name: "{{ samba_usermount }}"
+        shell: /sbin/nologin
+        create_home: no
+        system: yes
+
+    - name: the Samba user for Samba mount exists
+      command: smbpasswd -s -a {{ samba_usermount }}
+      args:
+        stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"
+
+    # Group and users with write access to the share
+
+    - name: the Linux group exists
+      group:
+        name: "{{ allowed_group }}"
+        system: yes
+
+    - name: the Linux users exist for Samba users
+      user:
+        name: "{{ item['name'] }}"
+        shell: /sbin/nologin
+        groups:
+          - "{{ allowed_group }}"
+      loop: "{{ samba_users }}"
+      no_log: true
+
+    - name: the Samba users exist
+      command: smbpasswd -s -a {{ item['name'] }}
+      args:
+        stdin: "{{ item['password'] }}\n{{ item['password'] }}"
+      loop: "{{ samba_users }}"
+      no_log: true
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: root
+        group: "{{ allowed_group }}"
+        mode: '2775'
+        state: directory
+        setype: samba_share_t
+
+    - name: the directory is shared
+      template:
+        src: templates/smb.conf.j2
+        dest: /etc/samba/smb.conf
+        owner: root
+        group: root
+        mode: '0644'
+        setype: samba_etc_t
+      notify: reload smb
+
+    - name: the smb service is started and enabled
+      service:
+        name: smb
+        state: started
+        enabled: yes
+
+    - name: the samba firewall service is opened
+      firewalld:
+        service: samba
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload smb
+      service:
+        name: smb
+        state: reloaded
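Review bot: The task "the Samba user for Samba mount exists" feeds `samba_passmount` to `smbpasswd` through `stdin` but, unlike the two looped tasks right below it, has no `no_log: true`, so a `-v` run or a task failure prints the vault-protected password in the module invocation on the controller; add `no_log: true` to it. Both `smbpasswd -s -a` tasks also reset the password on every run and report changed each time, because `-a` on an existing user is not a no-op; if idempotent runs matter, guard them with a `pdbedit -L -u <name>` check and `changed_when`, or at least comment that the password is intentionally re-applied.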

+ 3 - 0
filestorage-automation/templates/share.exports.j2

@@ -0,0 +1,3 @@
+{{ shared_dir }}{% for host in groups['clients'] %}
+ {{ host }}(rw)
+{%- endfor %}
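Review bot: The single export line this template is meant to produce (`/nfsshare servera(rw) serverb(rw) …`) depends on two whitespace details: the template module's default `trim_blocks: yes` dropping the newline after `{% for %}`, and the `{%-` on the last line stripping the one before `endfor`; with plain Jinja2 defaults each host would land on its own line, which /etc/exports does not treat as a continuation without a trailing backslash. A comment at the top, `{# one export line: relies on Ansible's trim_blocks default; keep the {%- on endfor #}`, would stop a later tidy-up from breaking the export. Every host in `groups['clients']` also gets `(rw)`; if only some clients should write, drive the option from a per-host variable instead of the group.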

+ 12 - 0
filestorage-automation/templates/smb.conf.j2

@@ -0,0 +1,12 @@
+[global]
+        workgroup = SAMBA
+        security = user
+
+        passdb backend = tdbsam
+
+        smb encrypt = required
+        server min protocol = SMB3
+
+[{{ share_name }}]
+        path = {{ shared_dir }}
+        write list = @{{ allowed_group }}
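Review bot: The `[{{ share_name }}]` share sets `write list` but no `valid users`, so every account in the tdbsam database — any Samba user created on this host for any purpose — can read the share; the group only gates writes. Add `valid users = {{ samba_usermount }}, @{{ allowed_group }}` (the mount account needs read for the multiuser mount, the group keeps write), which is what the review solution's template does. `smb encrypt = required` and `server min protocol = SMB3` are the right defaults here; `browseable = no` is worth considering if the share should not be listed.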

+ 20 - 0
filestorage-review/.solution/nfs_client.yml

@@ -0,0 +1,20 @@
+---
+- name: Access an NFS share
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+    mount_point: /operators_data
+
+  tasks:
+    - name: the package for NFS client is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the NFS share is mounted and in /etc/fstab
+      mount:
+        path: "{{ mount_point }}"
+        src: serverd.lab.example.com:{{ shared_dir }}
+        state: mounted
+        fstype: nfs
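Review bot: The mount in the last task carries no options, so the share is mounted with suid and device files honoured; since the exported directory on serverd is group-writable by `operators`, any member can place a setuid binary there that then runs with elevated privileges on servera. For a data share add `opts: "nosuid,nodev"` (and `noexec` if nothing needs to run from it) to the mount task; the module writes the same options into the /etc/fstab entry, so the protection persists across reboots.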

+ 48 - 0
filestorage-review/.solution/nfs_server.yml

@@ -0,0 +1,48 @@
+---
+- name: Share a directory with NFS
+  hosts: serverd.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+
+  tasks:
+    - name: the package for NFS server is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: root
+        group: operators
+        mode: '2770'
+        state: directory
+
+    - name: the directory is shared
+      copy:
+        content: "{{ shared_dir }} servera.lab.example.com(rw)\n"
+        dest: /etc/exports.d/share.exports
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload exports
+
+    - name: NFS is started and enabled
+      service:
+        name: nfs-server
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for NFS
+      firewalld:
+        service: nfs
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload exports
+      service:
+        name: nfs-server
+        state: reloaded
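Review bot: The export `{{ shared_dir }} servera.lab.example.com(rw)\n` satisfies the "root on servera has no access" requirement only through the implicit `root_squash` default; make it explicit so the intent survives a later edit that adds `no_root_squash` for convenience: `content: "{{ shared_dir }} servera.lab.example.com(rw,root_squash)\n"`. With the directory at `2770` root:operators, squashed root maps to nobody and cannot enter it, which is the behaviour the exercise asks for; a comment on the copy task, `# root_squash: servera's root maps to nobody and is locked out by the 2770 mode`, would document why the two settings belong together.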

+ 9 - 0
filestorage-review/.solution/smb.conf.j2

@@ -0,0 +1,9 @@
+[global]
+        workgroup = MYWORKGROUP
+        server min protocol = SMB3
+        smb encrypt = required
+
+[{{ share_name }}]
+        path = {{ shared_dir }}
+        valid users = {{ samba_usermount }}, @{{ allowed_group }}
+        write list = @{{ allowed_group }}

+ 30 - 0
filestorage-review/.solution/smb_client.yml

@@ -0,0 +1,30 @@
+---
+- name: Access an SMB share
+  hosts: servera.lab.example.com
+  become: true
+  vars_files:
+   - smb_vars.yml
+
+  tasks:
+    - name: the package to mount SMB shares is installed
+      yum:
+        name: cifs-utils
+        state: present
+
+    - name: the credential file exists
+      copy:
+        content: "username={{ samba_usermount }}\n\
+                  password={{ samba_passmount }}\n"
+        dest: /etc/samba/creds.txt
+        owner: root
+        group: root
+        mode: '0600'
+      no_log: true
+
+    - name: the SMB share is mounted
+      mount:
+        path: "{{ mount_point }}"
+        src: "//serverd.lab.example.com/{{ share_name }}"
+        opts: "credentials=/etc/samba/creds.txt,multiuser,seal"
+        state: mounted
+        fstype: cifs
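Review bot: The credential file is written to `/etc/samba/creds.txt`, but nothing in the play creates `/etc/samba`; `cifs-utils` is the only package installed and, as far as I can tell, it does not ship that directory, so on a client without Samba packages the copy task fails on the missing parent. Add a `file` task before it (`path: /etc/samba, state: directory, owner: root, group: root, mode: '0755'`) or place the file under a path the play owns. The `0600` mode, `no_log`, and `seal` on the mount are the right choices; `nosuid,nodev` in `opts` would also be reasonable for a data share.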

+ 62 - 0
filestorage-review/.solution/smb_server.yml

@@ -0,0 +1,62 @@
+---
+- name: Share a directory with SMB
+  hosts: serverd.lab.example.com
+  become: true
+  vars_files:
+    - smb_vars.yml
+
+  tasks:
+    - name: the package for a Samba server is installed
+      yum:
+        name: samba
+        state: present
+
+    - name: the Linux user for Samba mount exists
+      user:
+        name: "{{ samba_usermount }}"
+        shell: /sbin/nologin
+        create_home: no
+        system: yes
+
+    - name: the Samba user for Samba mount exists
+      command: smbpasswd -s -a {{ samba_usermount }}
+      args:
+        stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: "{{ samba_usermount }}"
+        group: "{{ allowed_group }}"
+        mode: '2570'
+        state: directory
+        setype: samba_share_t
+
+    - name: the directory is shared
+      template:
+        src: templates/smb.conf.j2
+        dest: /etc/samba/smb.conf
+        owner: root
+        group: root
+        mode: '0644'
+        setype: samba_etc_t
+      notify: reload smb
+
+    - name: the SMB service is started and enabled
+      service:
+        name: smb
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for SMB
+      firewalld:
+        service: samba
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload smb
+      service:
+        name: smb
+        state: reloaded
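Review bot: `smbpasswd -s -a {{ samba_usermount }}` receives `samba_passmount` on `stdin` without `no_log: true`, and in this directory that value is the clear-text `redhat` from smb_vars.yml; with `-v` or on a task failure Ansible prints the full module arguments including stdin, so the password ends up in the controller's output and any log it is captured in. Add `no_log: true` to that task. It also reports changed on every run because `-a` on an existing user just resets the password; a `pdbedit -L -u {{ samba_usermount }}` check with `changed_when` would make the play idempotent.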

+ 3 - 0
filestorage-review/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory=inventory
+remote_user=devops

+ 7 - 0
filestorage-review/inventory

@@ -0,0 +1,7 @@
+[servers]
+serverd.lab.example.com
+
+[clients]
+servera.lab.example.com
+serverb.lab.example.com
+serverc.lab.example.com

+ 15 - 0
filestorage-review/nfs_client.yml

@@ -0,0 +1,15 @@
+---
+- name: Access an NFS share
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+    mount_point: /operators_data
+
+  tasks:
+    - name: the package for NFS client is installed
+      #FIXME: install the required package for an NFS client
+
+    - name: the NFS share is mounted and in /etc/fstab
+      #FIXME: persistently mount {{ shared_dir }} from serverd.lab.example.com
+      #       into the {{ mount_point }} directory

+ 62 - 0
filestorage-review/nfs_server.yml

@@ -0,0 +1,62 @@
+---
+- name: Share a directory with NFS
+  hosts: serverd.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+
+  tasks:
+    - name: the package for NFS server is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the directory exists
+      file:
+        name: "{{ shared_dir }}"
+        owner: root
+        group: operators
+        mode: 2770
+        state: directory
+
+      #FIXME: create the {{ shared_dir }} directory as follows:
+      #             Directory ownership: root
+      #       Directory group ownership: operators
+      #                    Group access: read/write
+      #              Other users access: none
+      #       All contents created in the directory must automatically
+      #       belong to the operators group.
+
+    - name: the directory is shared
+      copy:
+        content: "{{ shared_dir }} servera.lab.example.com(rw)\n"
+        dest: /etc/exports.d/operators.exports
+        owner: root
+        group: root
+        mode: 0644
+
+      #FIXME: declare the {{ shared_dir }} directory as an NFS share.
+      #       Only servera.lab.example.com must be able to access the share.
+      #       servera has read/write access to the share.
+      #       The root user on servera must have no access to the share.
+      notify: reload exports
+
+    - name: NFS is started and enabled
+      service: 
+        name: nfs-server
+        state: started
+        enabled: yes
+
+      #FIXME: the service must be started and enabled
+
+    - name: the firewall is opened for NFS
+      firewalld:
+        service: nfs
+        state: enabled
+        permanent: yes
+        immediate: yes
+      #FIXME: configure the firewall to allow NFS traffic
+
+  handlers:
+    - name: reload exports
+      #FIXME: reload the NFS service
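Review bot: `mode: 2770` in the directory task is unquoted, so YAML hands Ansible the decimal integer 2770 (octal 5322), not the octal 2770 the FIXME asks for — the directory would come out setuid+sticky with owner `-wx`, group `-w-`, other `-w-` (world-writable, no setgid) instead of `rwxrws---`; quote it, `mode: '2770'`, as the solution file does and as the Ansible file-module docs recommend. `mode: 0644` on the copy task only works because the leading zero makes YAML read it as octal; `'0644'` keeps the file consistent. The export content still relies on the implicit `root_squash` for the "root on servera has no access" requirement, and the `reload exports` handler body is still a FIXME, so this play does not run as committed.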

+ 23 - 0
filestorage-review/smb_client.yml

@@ -0,0 +1,23 @@
+---
+- name: Access an SMB share
+  hosts: servera.lab.example.com
+  become: true
+  vars_files:
+   - smb_vars.yml
+
+  tasks:
+    - name: the package to mount SMB shares is installed
+      #FIXME: install the required package to mount SMB shares
+
+    - name: the credential file exists
+      #FIXME: create the /etc/samba/creds.txt credential file for the
+      #       multiuser mount option.
+      #       Use the sambamount user account with redhat for
+      #       the password.
+
+    - name: the SMB share is mounted
+      #FIXME: persistently mount the devdata SMB share from
+      #       serverd.lab.example.com into the /devs_data
+      #       directory.
+      #       Use the credential file, the multiuser option, and activate
+      #       traffic encryption.

+ 54 - 0
filestorage-review/smb_server.yml

@@ -0,0 +1,54 @@
+---
+- name: Share a directory with SMB
+  hosts: serverd.lab.example.com
+  become: true
+  vars_files:
+    - smb_vars.yml
+
+  tasks:
+    - name: the package for a Samba server is installed
+      #FIXME: install the required package for a Samba server
+
+    - name: the Linux user for Samba mount exists
+      #FIXME: create the sambamount system user account as follows:
+      #       - Prevent login
+      #       - No home directory
+
+    - name: the Samba user for Samba mount exists
+      #FIXME: add the sambamount user to the Samba database.
+      #       Use redhat for the password.
+
+    - name: the directory exists
+      #FIXME: create the /srv/developers directory as follows:
+      #             Directory ownership: sambamount
+      #       Directory group ownership: developers
+      #                    Owner access: read
+      #                    Group access: read/write
+      #              Other users access: none
+      #       All contents created in the directory must automatically
+      #       belong to the developers group.
+      #       Set the correct SELinux context type.
+
+    - name: the directory is shared
+      #FIXME: declare the /srv/developers directory as an SMB share
+      #       in the Samba configuration file as follows:
+      #                          Work group: MYWORKGROUP
+      #        SMB minimum protocol version: 3
+      #                  Traffic encryption: Always required
+      #                          Share name: devdata
+      #                   Access allowed to: sambamount and the
+      #                                      members of the developers group
+      #                   Read/write access: Members of the developers group
+      #       For your convenience, the default Samba configuration file is
+      #       available under the templates/ directory.
+      notify: reload smb
+
+    - name: the SMB service is started and enabled
+      #FIXME: the service must be started and enabled
+
+    - name: the firewall is opened for SMB
+      #FIXME: configure the firewall to allow SMB traffic
+
+  handlers:
+    - name: reload smb
+      #FIXME: reload the SMB service

+ 10 - 0
filestorage-review/smb_vars.yml

@@ -0,0 +1,10 @@
+---
+shared_dir: /srv/developers
+share_name: devdata
+mount_point: /devs_data
+
+# User account for mounting the share
+samba_usermount: sambamount
+samba_passmount: redhat
+
+allowed_group: developers
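Review bot: `samba_passmount: redhat` stores the mount account's password in clear text in a committed vars file, while filestorage-automation/smb_vars.yml in this same commit is Ansible Vault encrypted; encrypt this one too (`ansible-vault encrypt smb_vars.yml`, or `ansible-vault encrypt_string` for just that value) so the secret is not readable from the repository or from anyone with checkout access. The same value is also spelled out in the FIXME comments of smb_client.yml and smb_server.yml, so those would need rewording once it is vaulted.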

+ 37 - 0
filestorage-review/templates/smb.conf.j2

@@ -0,0 +1,37 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+
+[global]
+        workgroup = SAMBA
+        security = user
+
+        passdb backend = tdbsam
+
+        printing = cups
+        printcap name = cups
+        load printers = yes
+        cups options = raw
+
+[homes]
+        comment = Home Directories
+        valid users = %S, %D%w%S
+        browseable = No
+        read only = No
+        inherit acls = Yes
+
+[printers]
+        comment = All Printers
+        path = /var/tmp
+        printable = Yes
+        create mask = 0600
+        browseable = No
+
+[print$]
+        comment = Printer Drivers
+        path = /var/lib/samba/drivers
+        write list = @printadmin root
+        force group = @printadmin
+        create mask = 0664
+        directory mask = 0775
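Review bot: This is the stock smb.conf with `[homes]` (every Samba user's home directory shared, `read only = No`), `[printers]` (`path = /var/tmp`, `load printers = yes`) and `[print$]` left in; the exercise tells students to build their share on this template, so anyone who only appends a `[devdata]` section inherits those shares on serverd. Remove the three extra shares and the cups lines, and add under `[global]` the hardening the exercise requires, `server min protocol = SMB3` and `smb encrypt = required`, followed by the `[{{ share_name }}]` section with `valid users` and `write list`, as the .solution template does. A header comment, `{# trimmed from the RHEL default: no homes/printers shares #}`, would make the intent obvious to the next reader.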