Thursday, September 5, 2024

【IT Notes】RHCE Exam Question 15: Create user accounts

  • Download a list of users to be created from http://example.classroom.com/cd/materials/user_list.yml and save it to /home/student/ansible

  • Using the password vault /home/student/ansible/locker.yml created elsewhere in this exam, create a playbook called /home/student/ansible/users.yml that creates user accounts as follows:

    • Users with a job description of developer should be:

      • created on managed nodes in the dev and test host groups
      • assigned the password from the pw_developer variable
      • a member of supplementary group devops
    • Users with a job description of manager should be:

      • created on managed nodes in the prod host group
      • assigned the password from the pw_manager variable
      • a member of supplementary group opsmgr
  • Passwords should use the SHA512 hash format.

  • Your playbook should work using the vault password file /home/student/ansible/secret.txt created elsewhere in this exam.

【Preliminary notes】

This is another fairly demanding question that relies heavily on loops and variables. First, fetch the user information yml served by the data host; it lists each user's UID, name, group and password variable. Next, apply the encrypted file created in the previous question, which holds the account and password values those variables refer to. Finally, deploy the groups and users each node must create, batch by batch according to the host group each node belongs to. The difficulty lies in clearly distinguishing which nodes get which users and groups. Spelling the task out in more detail: first create the devops group on the dev and test nodes, then create the users that belong to devops together with their passwords; then create the opsmgr group on the prod nodes, then create the users that belong to opsmgr together with their passwords. All of these users' passwords use SHA512 hashing.

1. Solution process:

[student@workstation ansible]$ wget http://example.classroom.com/cd/materials/user_list.yml
[student@workstation ansible]$ cat user_list.yml   # review user_list.yml carefully before starting
users:
- name: john
  uid: 1201
  password: "{{ pw_developer }}"
  group: devops
  job: developer
- name: james
  uid: 1202
  password: "{{ pw_manager }}"
  group: opsmgr
  job: manager
- name: mary
  uid: 2201
  password: "{{ pw_manager }}"
  group: opsmgr
  job: manager

[student@workstation ansible]$ vim users.yml

---
- name: create users and groups
  hosts: dev,test,prod
  vars_files:
    - /home/student/ansible/user_list.yml
    - /home/student/ansible/locker.yml
  tasks:
    - name: create group devops on dev and test nodes
      group:
        name: devops
        state: present
      when: inventory_hostname in groups.dev or inventory_hostname in groups.test

    - name: create developer users with the pw_developer password
      user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        # password_hash('sha512') yields the SHA512 crypt format the task requires;
        # without a fixed salt the hash changes on every run, so the task is never idempotent
        password: "{{ pw_developer | password_hash('sha512') }}"
        # groups: (plural) makes devops a supplementary group; group: would set the primary group
        groups: devops
        append: yes
        state: present
      loop: "{{ users }}"
      when: item.job == "developer" and (inventory_hostname in groups.dev or inventory_hostname in groups.test)

    - name: create group opsmgr on prod nodes
      group:
        name: opsmgr
        state: present
      when: inventory_hostname in groups.prod

    - name: create manager users with the pw_manager password
      user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        password: "{{ pw_manager | password_hash('sha512') }}"
        groups: opsmgr
        append: yes
        state: present
      loop: "{{ users }}"
      when: item.job == "manager" and inventory_hostname in groups.prod



2. Verifying the result

The task requires that users.yml be deployed using the vault, and the vault password file is the secret.txt created earlier.

[student@workstation ansible]$ ansible-playbook -C users.yml --vault-password-file=secret.txt   # check mode (dry run) first

[student@workstation ansible]$ ansible-playbook users.yml --vault-password-file=secret.txt      # then apply the changes

[student@workstation ansible]$ ansible all -m shell -a 'tail -n 5 /etc/passwd'
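The hard part of this question, as noted above, is keeping straight which node receives which users and groups, and the `tail /etc/passwd` check alone does not show supplementary group membership or the hash format. The following Python script is an added example (not from the original post and not an Ansible or Red Hat tool): it models the task's rules against a constructed inventory (host names servera, serverb, serverc, serverd are assumptions), computes the accounts each node should end up with, and audits constructed `/etc/passwd`, `/etc/group` and `/etc/shadow` excerpts for the three things the task asks for: the user exists with its UID, it is a supplementary (not primary) member of the right group, and its hash is SHA-512 crypt (`$6$`).

```python
import re

# Constructed inventory: the exam's dev/test/prod host groups with assumed host
# names, in the shape of Ansible's `groups` magic variable.
INVENTORY_GROUPS = {
    "dev": ["servera"],
    "test": ["serverb"],
    "prod": ["serverc", "serverd"],
}

# user_list.yml from the page, already parsed (PyYAML is not assumed to be installed).
USER_LIST = [
    {"name": "john", "uid": 1201, "password": "{{ pw_developer }}", "group": "devops", "job": "developer"},
    {"name": "james", "uid": 1202, "password": "{{ pw_manager }}", "group": "opsmgr", "job": "manager"},
    {"name": "mary", "uid": 2201, "password": "{{ pw_manager }}", "group": "opsmgr", "job": "manager"},
]

# The task's rules: job -> (host groups that receive the account, supplementary group).
JOB_RULES = {
    "developer": (("dev", "test"), "devops"),
    "manager": (("prod",), "opsmgr"),
}

# A SHA-512 crypt hash, as produced by password_hash('sha512'), starts with "$6$".
SHA512_CRYPT = re.compile(r"^\$6\$")


def host_groups_of(host, inventory=INVENTORY_GROUPS):
    """Inventory groups containing this host (the equivalent of Ansible's group_names)."""
    return {g for g, members in inventory.items() if host in members}


def expected_accounts(host, users=USER_LIST, inventory=INVENTORY_GROUPS):
    """Accounts a managed node should end up with: {name: (uid, supplementary group)}.
    This is the decision the playbook's `when:` clauses make, computed in one place."""
    mine = host_groups_of(host, inventory)
    wanted = {}
    for u in users:
        target_groups, supp = JOB_RULES[u["job"]]
        if mine & set(target_groups):
            wanted[u["name"]] = (u["uid"], supp)
    return wanted


def parse_passwd(lines):
    """name -> (uid, primary gid) from /etc/passwd lines."""
    out = {}
    for line in lines:
        f = line.strip().split(":")
        if len(f) >= 4:
            out[f[0]] = (int(f[2]), int(f[3]))
    return out


def parse_group(lines):
    """groupname -> (gid, set of supplementary members) from /etc/group lines."""
    out = {}
    for line in lines:
        f = line.strip().split(":")
        if len(f) >= 4:
            out[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return out


def parse_shadow(lines):
    """name -> password hash field from /etc/shadow lines."""
    return {f[0]: f[1] for f in (l.strip().split(":") for l in lines) if len(f) >= 2}


def audit_node(host, passwd_lines, group_lines, shadow_lines):
    """Compare a node's account database with the expectation; return a list of findings."""
    findings = []
    passwd, groups, shadow = parse_passwd(passwd_lines), parse_group(group_lines), parse_shadow(shadow_lines)
    for name, (uid, supp) in expected_accounts(host).items():
        if name not in passwd:
            findings.append(f"{host}: user {name} missing")
            continue
        if passwd[name][0] != uid:
            findings.append(f"{host}: user {name} has uid {passwd[name][0]}, expected {uid}")
        if supp not in groups:
            findings.append(f"{host}: group {supp} missing")
        elif name not in groups[supp][1]:
            # A task that used `group:` (primary) instead of `groups:` (supplementary)
            # stores the gid in /etc/passwd but never lists the user in /etc/group.
            findings.append(f"{host}: {name} is not a supplementary member of {supp}")
        if not SHA512_CRYPT.match(shadow.get(name, "")):
            findings.append(f"{host}: password hash for {name} is not SHA-512 crypt")
    return findings


# Constructed excerpts from a prod node after a correct run (hash fields are placeholders).
GOOD_PASSWD = ["james:x:1202:1202::/home/james:/bin/bash", "mary:x:2201:2201::/home/mary:/bin/bash"]
GOOD_GROUP = ["opsmgr:x:1001:james,mary", "james:x:1202:", "mary:x:2201:"]
GOOD_SHADOW = ["james:$6$saltsalt$hashhash:19970:0:99999:7:::", "mary:$6$saltsalt$hashhash:19970:0:99999:7:::"]

# Constructed excerpts from a node where mary got opsmgr as primary group and a sha256 hash.
BAD_PASSWD = ["james:x:1202:1202::/home/james:/bin/bash", "mary:x:2201:1001::/home/mary:/bin/bash"]
BAD_GROUP = ["opsmgr:x:1001:james", "james:x:1202:"]
BAD_SHADOW = ["james:$6$saltsalt$hashhash:19970:0:99999:7:::", "mary:$5$saltsalt$hashhash:19970:0:99999:7:::"]

if __name__ == "__main__":
    for h in ("servera", "serverb", "serverc"):
        print(h, expected_accounts(h))
    print(audit_node("serverc", GOOD_PASSWD, GOOD_GROUP, GOOD_SHADOW))
    print(audit_node("serverc", BAD_PASSWD, BAD_GROUP, BAD_SHADOW))
```

On a real node the three inputs would come from `ansible prod -m shell -a 'getent passwd james mary'` and the matching `getent group` / `/etc/shadow` reads; the point of the split between `parse_passwd` and `parse_group` is that primary and supplementary membership live in different files, which is exactly the `group:` versus `groups:` distinction the task tests.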


3. Restoring the environment to its pre-task state

[student@workstation ansible]$ vim 15-lab-users-stop.yml

---
- name: delete users
  hosts: dev,test,prod
  tasks:
    - name: delete user
      user:
        name: john
        state: absent
      when: inventory_hostname in groups.dev or inventory_hostname in groups.test

    - name: delete group
      group:
        name: devops
        state: absent
      when: inventory_hostname in groups.dev or inventory_hostname in groups.test

    - name: delete user
      user:
        name: "{{ item }}"
        state: absent
      loop:
      - james
      - mary
      when: inventory_hostname in groups.prod

    - name: delete group
      group:
        name: opsmgr
        state: absent
      when: inventory_hostname in groups.prod

- name: remove users.yml
  hosts: 127.0.0.1
  tasks:
    - name: remove users.yml
      file:
        path: "{{ item }}"
        state: absent
      loop:
      - /home/student/ansible/users.yml
      - /home/student/ansible/user_list.yml

[student@workstation ansible]$ ansible-playbook 15-lab-users-stop.yml

This question is quite complex; honestly, I don't think its practical value is high, but it is on the exam, so all one can do is memorize the steps thoroughly.
