RH358 provides file based networked storage automated provisioning of file based storage

Posted by dubhcat on Thu, 20 Jan 2022 03:40:06 +0100

RH358 provides file based networked storage – automated provisioning of file based storage

This chapter describes how to use Ansible to provide file based network storage. This demonstration can also make better use of Ansible.

1. Deploy NFS server using Ansible

The following is a basic overview of the tasks required to deploy NFS servers and configure NFS mounts with Ansible

Install package

Install the NFS utils package using yum Ansible as follows:

- name: the package for NFS is installed
  yum:
    name: nfs-utils
    state: present

Create export directory

You can use Ansible to prepare the directory to export. The file module with the state parameter set to directory creates the directory when it does not exist.

- name: the directory exists
  file:
    path: /srv/myshare
    owner: root
    group: operators
    mode: '2770'
    state: directory

Claim sharing

Multiple file modules can deploy / etc/exports and / etc/exports d/*. Exports file

You can use the copy module to deploy existing export files to NFS servers. You can use the template module to create an export file from the jinj2 template. Ansible uses ansible variables and facts to automatically customize the template for the managed system during deployment.

The following tasks use the copy module to create / etc / exports d/share. Exports export file

- name: the directory is shared
  copy:
    content: "/srv/myshare client1.example.com(rw,no_root_squash)\n"
    dest: /etc/exports.d/share.exports
    owner: root
    group: root
    mode: '0644'
  notify: reload exports

**Important: * * if Ansible changes an export file, you should notify a handler to reload the NFS server service or run exportfs -r.

Enable and start services

In your play task, ensure that the NFS server service is enabled and started.

- name: NFS is started and enabled
  service:
    name: nfs-server
    state: started
    enabled: yes

Configure firewall rules

Use the Ansible firewalld module to ensure that access to nfs services is enabled.

- name: the firewall is opened for NFS
  firewalld:
    service: nfs
    state: enabled
    immediate: yes
    permanent: yes

2. Configure NFS client with Ansible

On the client system, use the Ansible yum module to install the NFS utils package.

To mount NFS file systems persistently, use the Ansible mount module and set the fstype parameter to NFS. The following tasks use the mount module to mount the / srv/myshare share from the host. From host example. Com into the / data mount point. If the directory does not exist, the module creates the / data directory and adds an entry in / etc/fstab.

- name: the NFS share is mounted and in /etc/fstab
  mount:
    path: /data
    src: host.example.com:/srv/myshare
    state: mounted
    fstype: nfs

3. Deploy Samba using Ansible

Deploying Samba using Ansible follows a standard process:

  • Install the samba package using the yum module.

  • Use the user module to create Linux users for Samba.

  • Use the shell or command module to add users to the Samba database.

  • Use the file module to prepare the directory to share.

  • Use the copy or template module to deploy / etc / Samba / SMB Conf configuration file.

  • Start and enable the smb service using the service module.

  • Use the firewalld module to open the firewall port.

Create a samba only user account

The user account you added to the Samba database requires an existing Linux user. To create these Linux users, use the Ansible user module:

- name: the Linux user for Samba exists
  user:
    name: "{{ item }}"
    shell: /sbin/nologin
    create_home: no
    system: yes
  loop:
    - developer1
    - developer2
    - operator1

When you only need these accounts for SMB access, set the shell option to / sbin/nologin to prevent users from logging in to the Linux system.

There are no modules to add users to the Samba database. The smbpasswd command can be invoked using the command module.

If you just run smbpasswd -a blindly, the user's password will be reset at each run. If the user already exists and may have changed the SMB password from the initial setting, you may not want to do so.

The following example is more complex, using pdbedit and regex_ The search filter only adds users to the Samba database and sets the user's password (if the user does not exist):

- name: get the existing Samba users
# The task executes the pdbedit -L command. This command lists the users in the Samba database and their IDs, such as operator 1:900. This task captures the output in the samba db users variable.
  command: pdbedit -L
  changed_when: False
  register: samba_db_users
  
- name: the users are in the Samba database
  command: smbpasswd -s -a {{ item }}
# Using the - s option, the smbpasswd command reads the password from its input. Use the stdin command to provide a password for the command. You must enter the password twice.
  args:
    stdin: "redhat\nredhat"
  loop:
    - developer1
    - developer2
    - operator1
  when: not samba_db_users['stdout'] | regex_search('^' + item + ':.*', multiline=True)
# The task uses the when condition and runs only for users who have not yet run in the Samba database. This condition checks for a match in the output of the pdbedit -L command.

For additional security, instead of exposing the password in the task, define a variable with the password, store the variable in a file, and then encrypt the file with the ansible vault command.

Create shared directory

You can use Ansible to prepare directories to share. If the directory does not exist, use the file module with the state parameter set to directory to create the directory. Remember to set SELinux Samba on the directory_ share_ T context type

- name: the directory exists
  file:
    path: /srv/smbshare
    owner: root
    group: operators
    mode: '2770'
    state: directory
    setype: samba_share_t

4. Configure SMB client with Ansible

On the client system, install the CIFS utils package using the Ansible yum module.

You can use the copy or template module to create and protect credential files. The following example creates / etc / Samba / credentials Txt file. Because the password is used in the task, no will be used_ The log instruction is set to true so that Ansible does not display it in the output.

- name: the credential file exists
  copy:
    content: "username={{ samba_usermount }}\n\
    password={{ samba_passmount }}\n"
    dest: /etc/samba/credentials.txt
    owner: root
    group: root
    mode: '0600'
    no_log: true

If you want to mount SMB shares persistently, use the Ansible mount module and set the fstype parameter to cifs. Use the opts parameter to declare credential files and other mount options. The following tasks mount the SMB data share from the host using the mount module. From host example. Com mount / smbdata mount point. If the directory does not exist, the module creates the / smbdata directory and adds an entry in / etc/fstab.

- name: the SMB share is mounted and in /etc/fstab
  mount:
    path: /smbdata
    src: "//host.example.com/data"
    opts: "credentials=/etc/samba/credentials.txt,multiuser,seal"
    state: mounted
    fstype: cifs

When users log in, they must manually run cifcreds and enter personal SMB credentials for the current session to authenticate to the SMB share.

5. Textbook exercises

[student@workstation ~]$ lab filestorage-automation start

  • In the first part of the exercise, you will complete and run Ansible Playbook, which uses NFS to export directories on serverd. Run a script to mount the NFS export to servera.

  • In the second part of the exercise, you will complete and run an Ansible Playbook that uses SMB to share a directory on serverd. Run a script to mount the SMB share on servera.

1. Be familiar with the project.

[student@workstation ~]$ cd /home/student/filestorage-automation
[student@workstation filestorage-automation]$ tree
.
├── ansible.cfg
├── inventory
├── nfs_client.yml
├── nfs_server.yml
├── smb_client.yml
├── smb_server.yml
├── smb_vars.yml
├── solution
│   ├── nfs_server.yml
│   └── smb_server.yml
└── templates
    ├── share.exports.j2
    └── smb.conf.j2

2 directories, 11 files
[student@workstation filestorage-automation]$ cat inventory 
[servers]
serverd.lab.example.com

[clients]
servera.lab.example.com
serverb.lab.example.com
serverc.lab.example.com
[student@workstation filestorage-automation]$ cat ansible.cfg 
[defaults]
inventory=inventory
remote_user=devops

2. Check and complete NFS server YML ansible script.

Create the / nfsshare directory and export it using NFS.

[student@workstation filestorage-automation]$ cat nfs_server.yml 
---
- name: Export a directory using NFS
  hosts: serverd.lab.example.com
  become: true
  vars:
    shared_dir: /nfsshare

  tasks:
    - name: the nfs-utils package is installed
      yum:
        name: nfs-utils
        state: present

    - name: the directory exists
      file:
        path: "{{ shared_dir }}"
        owner: student
        group: root
        mode: '0755'
        state: directory

    - name: the directory is exported
      template:
        src: templates/share.exports.j2
        dest: /etc/exports.d/share.exports
        owner: root
        group: root
        mode: '0644'
      notify: reload exports

    - name: the nfs-server service is started and enabled
      service:
        name: nfs-server
        state: started
        enabled: yes

    - name: the nfs firewall service is opened
      firewalld:
        service: nfs
        state: enabled
        immediate: yes
        permanent: yes

  handlers:
    - name: reload exports
      service:
        name: nfs-server
        state: reloaded

3. Check templates / share exports. J2 template.

# The template loops through the host names in the clients group in the list. The template grants read and write permission (rw) to each client in the group.
[student@workstation filestorage-automation]$ cat templates/share.exports.j2 
{{ shared_dir }}{% for host in groups['clients'] %}
 {{ host }}(rw)
{%- endfor %}

# Run the template and the output will be as follows:
/nfsshare servera.lab.example.com(rw) serverb.lab.example.com(rw) serverc.lab.example.com(rw)

# The template is not set to no_root_squash option. Without this option, NFS maps requests from root on the client to the nobody user account on the server. Nobody user does not have write permission to the / nfsshare directory. Therefore, on the client, the root user will not be able to write.

4. Check nfs_server.yml syntax and run.

[student@workstation filestorage-automation]$ ansible-playbook nfs_server.yml --syntax-check
[student@workstation filestorage-automation]$ ansible-playbook nfs_server.yml

5. Check and run nfs_client.yml Ansible script.

[student@workstation filestorage-automation]$ cat nfs_client.yml
---
- name: Access an NFS export
  hosts: servera.lab.example.com
  become: true
  vars:
    shared_dir: /nfsshare
    mount_point: /datanfs

  tasks:
    - name: the nfs-utils package is installed
      yum:
        name: nfs-utils
        state: present

    - name: the NFS export is mounted and in /etc/fstab
      mount:
        path: "{{ mount_point }}"
        src: serverd.lab.example.com:{{ shared_dir }}
        state: mounted
        fstype: nfs

[student@workstation filestorage-automation]$ ansible-playbook nfs_client.yml --syntax-check
[student@workstation filestorage-automation]$ ansible-playbook nfs_client.yml

6. Log in to servera and confirm that NFS is accessible.

[student@servera ~]$ df /datanfs
Filesystem                        1K-blocks    Used Available Use% Mounted on
serverd.lab.example.com:/nfsshare  10474496 2285056   8189440  22% /datanf
[student@servera ~]$ echo Hello World > /datanfs/test.txt
[student@servera ~]$ ls /datanfs
test.txt
[student@servera ~]$ cat /datanfs/test.txt
Hello World

[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]# echo Hello World > /datanfs/root_test.txt
-bash: /datanfs/root_test.txt: Permission denied

7. Check SMB vars YML file.

# This file defines the variable, smb_server.yml smb_client.yml script use. The file is encrypted because it contains a password.
# The ansible vault view command is used to display SMB_ vars. The contents of the YML file. The password is redhat.
[student@workstation filestorage-automation]$ ansible-vault view smb_vars.yml
Vault password: redhat
---
shared_dir: /smbshare
share_name: smbshare
mount_point: /developments

# User account for mounting the share
samba_usermount: sambamount
samba_passmount: redhat

# User accounts with write access to the share
allowed_group: developers
samba_users:
  - name: developer1
    password: redhat
  - name: developer2
    password: redhat

8. Check and complete smb_server.yml Ansible script.

The script creates the / smbshare directory, creates user accounts, and shares the directory using SMB.

[student@workstation filestorage-automation]$ cat smb_server.yml 
---
- name: Share a directory with SMB
  hosts: serverd.lab.example.com
  become: true
  vars_files:
    - smb_vars.yml

  tasks:
    - name: the samba package is installed
      yum:
        name: samba
        state: present

    # Creating the Linux and Samba user for the multiuser mount.
    # That user is only used to mount the share.

    - name: the Linux user for Samba mount exists
      user:
        name: "{{ samba_usermount }}"
        shell: /sbin/nologin
        create_home: no
        system: yes

    - name: the Samba user for Samba mount exists
      command: smbpasswd -s -a {{ samba_usermount }}
      args:
        stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"

    # Group and users with write access to the share

    - name: the Linux group exists
      group:
        name: "{{ allowed_group }}"
        system: yes

    - name: the Linux users exist for Samba users
      user:
        name: "{{ item['name'] }}"
        shell: /sbin/nologin
        groups:
          - "{{ allowed_group }}"
      loop: "{{ samba_users }}"
      no_log: true

    - name: the Samba users exist
      command: smbpasswd -s -a {{ item['name'] }}
      args:
        stdin: "{{ item['password'] }}\n{{ item['password'] }}"
      loop: "{{ samba_users }}"
      no_log: true

    - name: the directory exists
      file:
        path: "{{ shared_dir }}"
        owner: root
        group: "{{ allowed_group }}"
        mode: '2775'
        state: directory
        setype: samba_share_t

    - name: the directory is shared
      template:
        src: templates/smb.conf.j2
        dest: /etc/samba/smb.conf
        owner: root
        group: root
        mode: '0644'
        setype: samba_etc_t
      notify: reload smb

    - name: the smb service is started and enabled
      service:
        name: smb
        state: started
        enabled: yes

    - name: the samba firewall service is opened
      firewalld:
        service: samba
        state: enabled
        immediate: yes
        permanent: yes

  handlers:
    - name: reload smb
      service:
        name: smb
        state: reloaded

9. Check templates / SMB Conf.j2 template.

This template sets global SMB parameters and creates a share. There is no need to change anything in this file.

[student@workstation filestorage-automation]$ cat templates/smb.conf.j2
[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        smb encrypt = required
        server min protocol = SMB3

[{{ share_name }}]
        path = {{ shared_dir }}
        write list = @{{ allowed_group }}
# For scripts that create multiple shares, the template may use jinj2 loops to create shares.

10. Verify smb_server.yml script syntax and run.

[student@workstation filestorage-automation]$ ansible-playbook --ask-vault-pass --syntax-check smb_server.yml
Vault password: redhat

playbook: smb_server.yml
[student@workstation filestorage-automation]$ ansible-playbook --ask-vault-pass smb_server.yml
Vault password: redhat
...output omitted...

11. Check and run smb_client.yml Ansible script.

[student@workstation filestorage-automation]$ cat smb_client.yml
---
- name: Access an SMB share
  hosts: servera.lab.example.com
  become: true
  vars_files:
   - smb_vars.yml

  tasks:
    - name: the cifs-utils package is installed
      yum:
        name: cifs-utils
        state: present

    - name: the credential file exists
      copy:
        content: "username={{ samba_usermount }}\n\
                  password={{ samba_passmount }}\n"
        dest: /etc/samba/creds.txt
        owner: root
        group: root
        mode: '0600'
      no_log: true

    - name: the SMB share is mounted
      mount:
        path: "{{ mount_point }}"
        src: "//serverd.lab.example.com/{{ share_name }}"
        opts: "credentials=/etc/samba/creds.txt,multiuser,seal"
        state: mounted
        fstype: cifs

    - name: the Linux users exist
      user:
        name: "{{ item.name }}"
        shell: /bin/bash
        password: "{{ item.password | \
                   password_hash('sha512', 'redhatsalt') }}"
      loop: "{{ samba_users }}"
      no_log: true

[student@workstation filestorage-automation]$ ansible-playbook --ask-vault-pass smb_client.yml
Vault password: redhat
...output omitted...

12. Log in to servera and confirm that the SMB share is accessible.

[student@servera ~]$ df /developments
df: /developments: Permission denied
[student@servera ~]$ mount | grep /developments
//serverd.lab.example.com/smbshare on /developments type cifs(rw,...,multiuser,...,seal,...)

[student@servera ~]$ su - developer1
Password: redhat
[developer1@servera ~]$ cifscreds add serverd.lab.example.com
Password: redhat
[developer1@servera ~]$ echo Hello World > /developments/test.txt
[developer1@servera ~]$ ls /developments
test.txt
[developer1@servera ~]$ cat /developments/test.txt
Hello World

Complete the experiment

[student@workstation ~]$ lab filestorage-automation finish

summary

  • Describes how to deploy NFS servers using Ansible.
  • Describes deploying Samba using Ansible.
  • Describes how to use Ansible to configure NFS clients and Samba clients.
  • If you like a little girl's article, please give it a compliment. You can also pay attention, because the follow-up will continue to dry goods.

Topics: Linux Operation & Maintenance server RHCA