Using RHEL system roles
Install the RHEL system roles package and create a playbook /home/greg/ansible/selinux.yml that meets the following requirements:
- it runs on all managed nodes
- it uses the selinux role
- the role is configured so that SELinux on the managed nodes is set to enforcing
[greg@control ansible]$ yum search rhel
...
rhel-system-roles.noarch : Set of interfaces for unified system management
[greg@control ansible]$ sudo yum install -y rhel-system-roles.noarch
...
Installed:
  rhel-system-roles-1.0.1-1.el8.noarch
[greg@control ansible]$ rpm -ql rhel-system-roles
...
/usr/share/ansible/roles
...
[greg@control ansible]$ vim ansible.cfg
...
# additional paths to search for roles in, colon separated
roles_path = /etc/ansible/roles:/home/greg/ansible/roles:/usr/share/ansible/roles
...
[greg@control ansible]$ cat /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml
[greg@control ansible]$ vim /home/greg/ansible/selinux.yml
---
- name: 使用 RHEL 系统角色(NEW)
  hosts: all
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  tasks:
    - name: execute the role and catch errors
      block:
        - include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        - name: handle errors
          fail:
            msg: "role failed"
          when: not selinux_reboot_required
        - name: restart managed host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true
        - name: wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300
        - name: reapply the role
          include_role:
            name: rhel-system-roles.selinux
[greg@control ansible]$ ansible-playbook selinux.yml
[greg@control ansible]$ ansible all -a 'getenforce'
node3 | CHANGED | rc=0 >>
Enforcing
node4 | CHANGED | rc=0 >>
Enforcing
node2 | CHANGED | rc=0 >>
Enforcing
node5 | CHANGED | rc=0 >>
Enforcing
node1 | CHANGED | rc=0 >>
Enforcing
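The ad-hoc getenforce check above confirms only the current runtime mode. Because selinux_state also rewrites /etc/selinux/config, a node can be enforcing now yet fall back to a different mode after a reboot if something else edited that file. The verification play below is an added example, not part of the original page: it reads the ansible_selinux fact on every host and asserts the runtime mode, the persistent config mode and the policy type together; the default filters keep the assertion from erroring on a host where SELinux is disabled and those keys are absent.

```yaml
---
# Added verification play (not from the original page).
# Run after selinux.yml: ansible-playbook verify-selinux.yml
- name: Verify SELinux state applied by rhel-system-roles.selinux
  hosts: all
  gather_facts: true            # populates the ansible_selinux fact
  tasks:
    - name: Fail unless SELinux is enabled, enforcing now, and enforcing after reboot
      assert:
        that:
          # status is always present; mode/config_mode/type exist only when enabled
          - ansible_selinux.status == "enabled"
          - (ansible_selinux.mode | default("")) == "enforcing"
          - (ansible_selinux.config_mode | default("")) == "enforcing"
          - (ansible_selinux.type | default("")) == "targeted"
        fail_msg: >-
          {{ inventory_hostname }}: status={{ ansible_selinux.status }}
          mode={{ ansible_selinux.mode | default('n/a') }}
          config_mode={{ ansible_selinux.config_mode | default('n/a') }}
          type={{ ansible_selinux.type | default('n/a') }}
        success_msg: "{{ inventory_hostname }}: enforcing at runtime and in /etc/selinux/config"
```

A host still showing config_mode=disabled means the role's change has not been persisted yet, which is exactly the case the rescue block in selinux.yml handles by rebooting and re-applying the role.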