| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390 |
- ---
- # Download all the tools, set up registry credentials, ssh keys, and ensure the health of a DHCP and a DNS server on utility.
- #
- # XXX: If someone has gone beyond this point in the course and runs this playbook, it will revert the changes back to the original.
- #
- - name: Download all the tools we need on workstation, set up registry credentials, and a SSH keypair.
- hosts: workstation.lab.example.com
- gather_subset: min
- become: no
- vars:
- downloads:
- - baseurl: https://mirror.openshift.com/pub/openshift-v4/clients/butane/latest
- filename: butane-amd64
- dest_dir: /usr/local/bin
- deploy: yes
- extract: no
- extract_files: []
- target_filename: butane
- completion: no
- - baseurl: https://mirror.openshift.com/pub/openshift-v4/clients/coreos-installer/latest
- filename: coreos-installer_amd64
- dest_dir: /usr/local/bin
- deploy: yes
- extract: no
- extract_files: []
- target_filename: coreos-installer
- completion: no
- - baseurl: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.18.6
- filename: openshift-install-rhel9-amd64.tar.gz
- dest_dir: /usr/local/bin
- deploy: yes
- extract: yes
- extract_files:
- - openshift-install-fips
- target_filename: None
- completion: yes
- - baseurl: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.18
- filename: openshift-client-linux-amd64-rhel9.tar.gz
- dest_dir: /usr/local/bin
- deploy: yes
- extract: yes
- extract_files:
- - oc
- - kubectl
- target_filename: None
- completion: yes
- - baseurl: https://rhcos.mirror.openshift.com/art/storage/prod/streams/4.18-9.4/builds/418.94.202501221327-0/x86_64
- filename: rhcos-418.94.202501221327-0-live.x86_64.iso
- deploy: no
- tasks:
- - name: Download tools, if necessary.
- ansible.builtin.get_url:
- url: "{{ item.baseurl }}/{{ item.filename }}"
- dest: "{{ ansible_facts['user_dir'] }}/Downloads/{{ item.filename }}"
- mode: 0644
- owner: student
- group: student
- loop: "{{ downloads }}"
- loop_control:
- label: "{{ item.filename }}"
- - name: Extract tools, if necessary.
- become: yes
- ansible.builtin.unarchive:
- src: "{{ ansible_facts['user_dir'] }}/Downloads/{{ item.filename }}"
- remote_src: yes
- dest: "{{ item.dest_dir }}"
- include: "{{ item.extract_files }}"
- creates: "{{ item.extract_files[0] }}"
- mode: 0755
- owner: root
- group: root
- loop: "{{ downloads }}"
- loop_control:
- label: "{{ item.filename }}"
- when:
- - item.deploy
- - item.extract
- - name: Install tools, if necessary.
- become: yes
- ansible.builtin.copy:
- src: "{{ ansible_facts['user_dir'] }}/Downloads/{{ item.filename }}"
- remote_src: yes
- dest: "{{ item.dest_dir }}/{{ item.target_filename }}"
- mode: 0755
- owner: root
- group: root
- loop: "{{ downloads }}"
- loop_control:
- label: "{{ item.filename }}"
- when:
- - item.deploy
- - not item.extract
- - item.target_filename is defined
- - item.target_filename != None
- - name: Create command completion files, if necessary.
- become: yes
- ansible.builtin.shell:
- cmd: "{{ item.extract_files[0] }} completion bash > /etc/bash_completion.d/{{ item.extract_files[0] }}.completion"
- creates: "/etc/bash_completion.d/{{ item.extract_files[0] }}.completion"
- loop: "{{ downloads }}"
- loop_control:
- label: "{{ item.filename }}"
- when:
- - item.completion is defined
- - item.completion
- - name: Ensure .docker directory exists.
- ansible.builtin.file:
- path: "{{ ansible_facts['user_dir'] }}/.docker"
- state: directory
- mode: 0750
- owner: student
- group: student
- - name: Ensure mirror registry auth file is on standby.
- ansible.builtin.copy:
- dest: "{{ ansible_facts['user_dir'] }}/.docker/config.json-mirror"
- mode: 0640
- owner: student
- group: student
- content: '{"auths":{"registry.ocp4.example.com":{"auth":"YWRtaW46cmVkaGF0MTIz"},"cloud.openshift.com":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K29jbV9hY2Nlc3NfNGM4ZmZhZTI5ZjUzNGJiZjgyZDhlNWE0ZmZiYjRiY2Y6N0NER083UjM4TE1KTEJTN1EzVkVKQVkyTVVCUkpXQjNWNlUxR1BLVzRaN0tGTVpaSENVVTMwMVdaTzMxTDBPNQ==","email":"glsbugs-devops@redhat.com"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K29jbV9hY2Nlc3NfNGM4ZmZhZTI5ZjUzNGJiZjgyZDhlNWE0ZmZiYjRiY2Y6N0NER083UjM4TE1KTEJTN1EzVkVKQVkyTVVCUkpXQjNWNlUxR1BLVzRaN0tGTVpaSENVVTMwMVdaTzMxTDBPNQ==","email":"glsbugs-devops@redhat.com"},"registry.connect.redhat.com":{"auth":"fHVoYy1wb29sLTlmMDA1Mzc2LTM2YTItNDJhMS1hNTQwLTA0NzNkYzg3MzYzMzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTVPRGc1WVdFeFl6Qm1PV0kwWmpVM1lqazNObUk1WldFeU16SXdaalUwTUNKOS5zWmQ5VE1RbzBXREc2NUc5Qk1ObmtuYlBjRkIzNmhyRFhkMThfdTNLeHFaczdlOG1hQ19QeEFReGpwdVk0YVM2VERIbkxDNWpGYjRRNXFYVEpWbjJCOGE4cDFuY08tM24ySG5QdDg3NmktVUFDU3lldWtpb3k4aHI0V3d1ZkhReFVYMmxxWFhYdjN6blE3am1URUNBc25rWkNRSFU1dFNpRnNUZHhFZGZkeU42Z20xN3VqY2thZG5NbFBZcTZfU1I2bUtLaUpUdFQ3SFlDWXJBVk5zZ0tfNGFkZ2MtRXBlbEtHbGNERWkzNGhYbzFqbEIzRERyUWkxSUxCV0UwZkdXb1czZy1ZUzFGMFlEXzc0bm1XSU5mUE1jM25UOERaQWl0OEw0VlFPTnZnUE51YnVfTVVGUGhqX29VUjF3VUR0a1BRNktJdm82UWYyRkdwMndLM1B6YnRBRFFzRVZTZDlITzQ3a0RKdGFobk95YTFmRmdqZVk1bFNxLW1vT2RqUldCZ3U2XzNIX25lZExJR1lQRHRBZnp5cGJ1eHZ1cEd1M2hYWnVzeWN0aURtR203SkR5RW5KdjF1RFZmYVduU2EzSV9NcFRSVVcyZWU1RF9CanJleTdlU2I0bEpGcmp1eC1nY2JVaHFsWGJZc2l6azdXWHpvRmtrVFlMdXFDQ1FvS1J0OFdSN1UzTmh3c3Q2ckV3eEFOaWJFTlNzUVB3MGg4X0NDRm5qTHFSTl82cWpTc0tpeWRGT2tHVFliT0taTktaSVVhYkZFTjRhYVRVYmlYTVdPS2Eyak1xLUhwazBMNEowUmtOM2JkQVVqWmtERHE0ZFY1ZVFjdXNIeV9LY29nd1VKSjZ4MDNObnM4b0xBdjRJZ3RKeXlxcmE1YUJHSkxReHNjRXVSNzQwWQ==","email":"glsbugs-devops@redhat.com"},"registry.redhat.io":{"auth":"fHVoYy1wb29sLTlmMDA1Mzc2LTM2YTItNDJhMS1hNTQwLTA0NzNkYzg3MzYzMzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTVPRGc1WVdFeFl6Qm1PV0kwWmpVM1lqazNObUk1WldFeU16SXdaalUwTUNKOS5zWmQ5VE1RbzBXREc2NUc5Qk1ObmtuYlBjRkIzNmhyRFhkMThfdTNLeHFaczdlOG1hQ19QeEFReGpwdVk0YVM2VERIbkxDNWpGYjRRNXFYVEpWbjJCOGE4cDFuY08tM24ySG5QdDg3NmktVUFDU3lldWtpb3k4aHI0V3d1ZkhReFVYMmxxWFhYdjN6blE3am1URUNBc25rWkNRSFU1dFNpRnNUZHhFZGZkeU42Z20xN3VqY2thZG5NbFBZcTZfU1I2bUtLaUpUdFQ3SFlDWXJBVk5zZ0tfNGFkZ2MtRXBlbEtHbGNERWkzNGhYbzFqbEIzRERyUWkxSUxCV0UwZkdXb1czZy1ZUzFGMFlEXzc0bm1XSU5mUE1jM25UOERaQWl0OEw0VlFPTnZnUE51YnVfTVVGUGhqX29VUjF3VUR0a1BRNktJdm82UWYyRkdwMndLM1B6YnRBRFFzRVZTZDlITzQ3a0RKdGFobk95YTFmRmdqZVk1bFNxLW1vT2RqUldCZ3U2XzNIX25lZExJR1lQRHRBZnp5cGJ1eHZ1cEd1M2hYWnVzeWN0aURtR203SkR5RW5KdjF1RFZmYVduU2EzSV9NcFRSVVcyZWU1RF9CanJleTdlU2I0bEpGcmp1eC1nY2JVaHFsWGJZc2l6azdXWHpvRmtrVFlMdXFDQ1FvS1J0OFdSN1UzTmh3c3Q2ckV3eEFOaWJFTlNzUVB3MGg4X0NDRm5qTHFSTl82cWpTc0tpeWRGT2tHVFliT0taTktaSVVhYkZFTjRhYVRVYmlYTVdPS2Eyak1xLUhwazBMNEowUmtOM2JkQVVqWmtERHE0ZFY1ZVFjdXNIeV9LY29nd1VKSjZ4MDNObnM4b0xBdjRJZ3RKeXlxcmE1YUJHSkxReHNjRXVSNzQwWQ==","email":"glsbugs-devops@redhat.com"}}}'
- - name: Ensure installation registry auth file is active.
- ansible.builtin.copy:
- dest: "{{ item }}"
- mode: 0640
- owner: student
- group: student
- content: '{"auths":{"registry.ocp4.example.com":{"auth":"YWRtaW46cmVkaGF0MTIz"}}}'
- loop:
- - "{{ ansible_facts['user_dir'] }}/.docker/config.json"
- - "{{ ansible_facts['user_dir'] }}/install-pull-secret"
- - name: Create a SSH keypair, if necessary.
- community.crypto.openssh_keypair:
- path: "{{ ansible_facts['user_dir'] }}/.ssh/openshift"
- type: rsa
- size: 2048
- state: present
- - name: Ensure DHCP server on utility is configured.
- hosts: utility.lab.example.com
- gather_subset: min
- become: yes
- tasks:
- - name: Ensure there is a DHCP server installed.
- ansible.builtin.yum:
- name: dhcp-server
- state: present
- - name: Fix the environment of the DHCP server a bit by ensuring the unit file specifies it.
- ansible.builtin.copy:
- dest: /etc/systemd/system/dhcpd.service
- mode: 0644
- owner: root
- group: root
- content: |
- [Unit]
- Description=DHCPv4 Server Daemon
- Documentation=man:dhcpd(8) man:dhcpd.conf(5)
- Wants=network-online.target
- After=network-online.target
- After=time-sync.target
-
- [Service]
- Type=notify
- Environment=DHCPDARGS=eth1
- EnvironmentFile=-/etc/sysconfig/dhcpd
- ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS
- StandardError=null
-
- [Install]
- WantedBy=multi-user.target
- notify: reload systemd
- - name: Ensure systemd is reloaded if it needs to be at this point.
- ansible.builtin.meta: flush_handlers
- - name: Ensure the DHCP config file has the correct content.
- ansible.builtin.copy:
- dest: /etc/dhcp/dhcpd.conf
- mode: 0640
- owner: root
- group: root
- content: |
- ddns-update-style interim;
- ignore client-updates;
- authoritative;
- allow booting;
- allow bootp;
- allow unknown-clients;
- # Set default and max IP lease time to infinite with -1 value
- default-lease-time -1;
- max-lease-time -1;
-
- # BEGIN ANSIBLE MANAGED DHCP CONFIG for ocp4.example.com
- subnet 192.168.50.0 netmask 255.255.255.0 {
- range 192.168.50.100 192.168.50.149;
- option routers 192.168.50.254;
- option ntp-servers 103.16.182.23,103.16.182.214;
- option domain-search "ocp4.example.com";
- filename "pxelinux.0";
- option domain-name-servers 192.168.50.254;
- next-server 192.168.50.254;
-
- host master01.ocp4.example.com { hardware ethernet 52:54:00:00:32:0A; fixed-address 192.168.50.10; option host-name "master01"; }
- host master02.ocp4.example.com { hardware ethernet 52:54:00:00:32:0B; fixed-address 192.168.50.11; option host-name "master02"; }
- host master03.ocp4.example.com { hardware ethernet 52:54:00:00:32:0C; fixed-address 192.168.50.12; option host-name "master03"; }
- host worker01.ocp4.example.com { hardware ethernet 52:54:00:00:32:0D; fixed-address 192.168.50.13; option host-name "worker01"; }
- host worker02.ocp4.example.com { hardware ethernet 52:54:00:00:32:0E; fixed-address 192.168.50.14; option host-name "worker02"; }
- }
- # END ANSIBLE MANAGED DHCP CONFIG for ocp4.example.com
- notify: restart dhcpd
- - name: Ensure DHCP server is enabled and running.
- ansible.builtin.systemd_service:
- name: dhcpd
- enabled: yes
- state: started
- - name: Ensure the Bind config file has the correct content.
- ansible.builtin.copy:
- dest: /etc/named.conf
- mode: 0640
- owner: root
- group: root
- content: |
- //
- // named.conf
- //
- // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
- // server as a caching only nameserver (as a localhost DNS resolver only).
- //
- // See /usr/share/doc/bind*/sample/ for example named configuration files.
- //
-
- options {
- #listen-on port 53 { 127.0.0.1; };
- #listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- secroots-file "/var/named/data/named.secroots";
- recursing-file "/var/named/data/named.recursing";
- allow-query { localhost; 192.168.50.0/24; 172.25.250.254; };
-
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
- recursion yes;
-
- dnssec-enable no;
- dnssec-validation no;
-
- managed-keys-directory "/var/named/dynamic";
- geoip-directory "/usr/share/GeoIP";
-
- pid-file "/run/named/named.pid";
- session-keyfile "/run/named/session.key";
- # BEGIN ANSIBLE MANAGED FORWARDERS
- forwarders {
- 172.25.250.254;
- };
- # END ANSIBLE MANAGED FORWARDERS
-
- /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
- include "/etc/crypto-policies/back-ends/bind.config";
- };
-
- logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- };
- };
-
- zone "." IN {
- type hint;
- file "named.ca";
- };
-
- include "/etc/named.rfc1912.zones";
- include "/etc/named.root.key";
-
- # BEGIN ANSIBLE MANAGED DNS ZONE for ocp4.example.com
- zone "ocp4.example.com" {
- type master;
- file "ocp4.example.com.db";
- allow-update { none; };
- };
- # END ANSIBLE MANAGED DNS ZONE for ocp4.example.com
- # BEGIN ANSIBLE MANAGED DNS REVERSE ZONE for ocp4.example.com
- zone "50.168.192.in-addr.arpa" IN {
- type master;
- file "ocp4.example.com.reverse.db";
- allow-update { none; };
- };
- notify: restart named
- - name: Ensure the forward lookup zone file has the correct content.
- ansible.builtin.copy:
- dest: /var/named/ocp4.example.com.db
- mode: 0644
- owner: root
- group: root
- content: |
- $TTL 1D
- @ IN SOA dns.ocp4.example.com. root.example.com. (
- 2019022400 ; serial
- 3h ; refresh
- 15 ; retry
- 1w ; expire
- 3h ; minimum
- )
- IN NS dns.ocp4.example.com.
- dns IN A 192.168.50.254
- api IN A 192.168.50.254
- api-int IN A 192.168.50.254
- registry IN A 192.168.50.50
- git IN A 192.168.50.50
- *.apps IN A 192.168.50.254
- master01 IN A 192.168.50.10
- master02 IN A 192.168.50.11
- master03 IN A 192.168.50.12
- worker01 IN A 192.168.50.13
- worker02 IN A 192.168.50.14
- idm IN A 192.168.50.40
- notify: restart named
- - name: Ensure the reverse lookup zone file has the correct content.
- ansible.builtin.copy:
- dest: /var/named/ocp4.example.com.reverse.db
- mode: 0644
- owner: root
- group: root
- content: |
- $TTL 1D
- @ IN SOA dns.ocp4.example.com. root.example.com. (
- 2019022400 ; serial
- 3h ; refresh
- 15 ; retry
- 1w ; expire
- 3h ; minimum
- )
- IN NS dns.ocp4.example.com.
- 254 IN PTR api.ocp4.example.com.
- 254 IN PTR api-int.ocp4.example.com.
- 50 IN PTR registry.ocp4.example.com.
- 50 IN PTR git.ocp4.example.com.
- 10 IN PTR master01.ocp4.example.com.
- 11 IN PTR master02.ocp4.example.com.
- 12 IN PTR master03.ocp4.example.com.
- 13 IN PTR worker01.ocp4.example.com.
- 14 IN PTR worker02.ocp4.example.com.
- 40 IN PTR idm.ocp4.example.com.
- notify: restart named
- - name: Ensure Bind server is enabled and running.
- ansible.builtin.systemd_service:
- name: named
- enabled: yes
- state: started
- handlers:
- - name: restart dhcpd
- ansible.builtin.systemd_service:
- name: dhcpd
- state: restarted
- - name: restart named
- ansible.builtin.systemd_service:
- name: named
- state: restarted
- - name: reload systemd
- ansible.builtin.systemd_service:
- daemon_reload: true
- ...
|
