RH358 provides file based networked storage – automated provisioning of file based storage
This chapter describes how to use Ansible to provide file based network storage. This demonstration can also make better use of Ansible.
1. Deploy NFS server using Ansible
The following is a basic overview of the tasks required to deploy NFS servers and configure NFS mounts with Ansible
Install package
Install the NFS utils package using yum Ansible as follows:
- name: the package for NFS is installed
yum:
name: nfs-utils
state: present
Create export directory
You can use Ansible to prepare the directory to export. The file module with the state parameter set to directory creates the directory when it does not exist.
- name: the directory exists
file:
path: /srv/myshare
owner: root
group: operators
mode: '2770'
state: directory
Claim sharing
Multiple file modules can deploy / etc/exports and / etc/exports d/*. Exports file
You can use the copy module to deploy existing export files to NFS servers. You can use the template module to create an export file from the jinj2 template. Ansible uses ansible variables and facts to automatically customize the template for the managed system during deployment.
The following tasks use the copy module to create / etc / exports d/share. Exports export file
- name: the directory is shared
copy:
content: "/srv/myshare client1.example.com(rw,no_root_squash)\n"
dest: /etc/exports.d/share.exports
owner: root
group: root
mode: '0644'
notify: reload exports
**Important: * * if Ansible changes an export file, you should notify a handler to reload the NFS server service or run exportfs -r.
Enable and start services
In your play task, ensure that the NFS server service is enabled and started.
- name: NFS is started and enabled
service:
name: nfs-server
state: started
enabled: yes
Configure firewall rules
Use the Ansible firewalld module to ensure that access to nfs services is enabled.
- name: the firewall is opened for NFS
firewalld:
service: nfs
state: enabled
immediate: yes
permanent: yes
2. Configure NFS client with Ansible
On the client system, use the Ansible yum module to install the NFS utils package.
To mount NFS file systems persistently, use the Ansible mount module and set the fstype parameter to NFS. The following tasks use the mount module to mount the / srv/myshare share from the host. From host example. Com into the / data mount point. If the directory does not exist, the module creates the / data directory and adds an entry in / etc/fstab.
- name: the NFS share is mounted and in /etc/fstab
mount:
path: /data
src: host.example.com:/srv/myshare
state: mounted
fstype: nfs
3. Deploy Samba using Ansible
Deploying Samba using Ansible follows a standard process:
-
Install the samba package using the yum module.
-
Use the user module to create Linux users for Samba.
-
Use the shell or command module to add users to the Samba database.
-
Use the file module to prepare the directory to share.
-
Use the copy or template module to deploy / etc / Samba / SMB Conf configuration file.
-
Start and enable the smb service using the service module.
-
Use the firewalld module to open the firewall port.
Create a samba only user account
The user account you added to the Samba database requires an existing Linux user. To create these Linux users, use the Ansible user module:
- name: the Linux user for Samba exists
user:
name: "{{ item }}"
shell: /sbin/nologin
create_home: no
system: yes
loop:
- developer1
- developer2
- operator1
When you only need these accounts for SMB access, set the shell option to / sbin/nologin to prevent users from logging in to the Linux system.
There are no modules to add users to the Samba database. The smbpasswd command can be invoked using the command module.
If you just run smbpasswd -a blindly, the user's password will be reset at each run. If the user already exists and may have changed the SMB password from the initial setting, you may not want to do so.
The following example is more complex, using pdbedit and regex_ The search filter only adds users to the Samba database and sets the user's password (if the user does not exist):
- name: get the existing Samba users
# The task executes the pdbedit -L command. This command lists the users in the Samba database and their IDs, such as operator 1:900. This task captures the output in the samba db users variable.
command: pdbedit -L
changed_when: False
register: samba_db_users
- name: the users are in the Samba database
command: smbpasswd -s -a {{ item }}
# Using the - s option, the smbpasswd command reads the password from its input. Use the stdin command to provide a password for the command. You must enter the password twice.
args:
stdin: "redhat\nredhat"
loop:
- developer1
- developer2
- operator1
when: not samba_db_users['stdout'] | regex_search('^' + item + ':.*', multiline=True)
# The task uses the when condition and runs only for users who have not yet run in the Samba database. This condition checks for a match in the output of the pdbedit -L command.
For additional security, instead of exposing the password in the task, define a variable with the password, store the variable in a file, and then encrypt the file with the ansible vault command.
Create shared directory
You can use Ansible to prepare directories to share. If the directory does not exist, use the file module with the state parameter set to directory to create the directory. Remember to set SELinux Samba on the directory_ share_ T context type
- name: the directory exists
file:
path: /srv/smbshare
owner: root
group: operators
mode: '2770'
state: directory
setype: samba_share_t
4. Configure SMB client with Ansible
On the client system, install the CIFS utils package using the Ansible yum module.
You can use the copy or template module to create and protect credential files. The following example creates / etc / Samba / credentials Txt file. Because the password is used in the task, no will be used_ The log instruction is set to true so that Ansible does not display it in the output.
- name: the credential file exists
copy:
content: "username={{ samba_usermount }}\n\
password={{ samba_passmount }}\n"
dest: /etc/samba/credentials.txt
owner: root
group: root
mode: '0600'
no_log: true
If you want to mount SMB shares persistently, use the Ansible mount module and set the fstype parameter to cifs. Use the opts parameter to declare credential files and other mount options. The following tasks mount the SMB data share from the host using the mount module. From host example. Com mount / smbdata mount point. If the directory does not exist, the module creates the / smbdata directory and adds an entry in / etc/fstab.
- name: the SMB share is mounted and in /etc/fstab
mount:
path: /smbdata
src: "//host.example.com/data"
opts: "credentials=/etc/samba/credentials.txt,multiuser,seal"
state: mounted
fstype: cifs
When users log in, they must manually run cifcreds and enter personal SMB credentials for the current session to authenticate to the SMB share.
5. Textbook exercises
[student@workstation ~]$ lab filestorage-automation start
-
In the first part of the exercise, you will complete and run Ansible Playbook, which uses NFS to export directories on serverd. Run a script to mount the NFS export to servera.
-
In the second part of the exercise, you will complete and run an Ansible Playbook that uses SMB to share a directory on serverd. Run a script to mount the SMB share on servera.
1. Be familiar with the project.
[student@workstation ~]$ cd /home/student/filestorage-automation
[student@workstation filestorage-automation]$ tree
.
├── ansible.cfg
├── inventory
├── nfs_client.yml
├── nfs_server.yml
├── smb_client.yml
├── smb_server.yml
├── smb_vars.yml
├── solution
│ ├── nfs_server.yml
│ └── smb_server.yml
└── templates
├── share.exports.j2
└── smb.conf.j2
2 directories, 11 files
[student@workstation filestorage-automation]$ cat inventory
[servers]
serverd.lab.example.com
[clients]
servera.lab.example.com
serverb.lab.example.com
serverc.lab.example.com
[student@workstation filestorage-automation]$ cat ansible.cfg
[defaults]
inventory=inventory
remote_user=devops
2. Check and complete NFS server YML ansible script.
Create the / nfsshare directory and export it using NFS.
[student@workstation filestorage-automation]$ cat nfs_server.yml
---
- name: Export a directory using NFS
hosts: serverd.lab.example.com
become: true
vars:
shared_dir: /nfsshare
tasks:
- name: the nfs-utils package is installed
yum:
name: nfs-utils
state: present
- name: the directory exists
file:
path: "{{ shared_dir }}"
owner: student
group: root
mode: '0755'
state: directory
- name: the directory is exported
template:
src: templates/share.exports.j2
dest: /etc/exports.d/share.exports
owner: root
group: root
mode: '0644'
notify: reload exports
- name: the nfs-server service is started and enabled
service:
name: nfs-server
state: started
enabled: yes
- name: the nfs firewall service is opened
firewalld:
service: nfs
state: enabled
immediate: yes
permanent: yes
handlers:
- name: reload exports
service:
name: nfs-server
state: reloaded
3. Check templates / share exports. J2 template.
# The template loops through the host names in the clients group in the list. The template grants read and write permission (rw) to each client in the group.
[student@workstation filestorage-automation]$ cat templates/share.exports.j2
{{ shared_dir }}{% for host in groups['clients'] %}
{{ host }}(rw)
{%- endfor %}
# Run the template and the output will be as follows:
/nfsshare servera.lab.example.com(rw) serverb.lab.example.com(rw) serverc.lab.example.com(rw)
# The template is not set to no_root_squash option. Without this option, NFS maps requests from root on the client to the nobody user account on the server. Nobody user does not have write permission to the / nfsshare directory. Therefore, on the client, the root user will not be able to write.
4. Check nfs_server.yml syntax and run.
[student@workstation filestorage-automation]$ ansible-playbook nfs_server.yml --syntax-check [student@workstation filestorage-automation]$ ansible-playbook nfs_server.yml
5. Check and run nfs_client.yml Ansible script.
[student@workstation filestorage-automation]$ cat nfs_client.yml
---
- name: Access an NFS export
hosts: servera.lab.example.com
become: true
vars:
shared_dir: /nfsshare
mount_point: /datanfs
tasks:
- name: the nfs-utils package is installed
yum:
name: nfs-utils
state: present
- name: the NFS export is mounted and in /etc/fstab
mount:
path: "{{ mount_point }}"
src: serverd.lab.example.com:{{ shared_dir }}
state: mounted
fstype: nfs
[student@workstation filestorage-automation]$ ansible-playbook nfs_client.yml --syntax-check
[student@workstation filestorage-automation]$ ansible-playbook nfs_client.yml
6. Log in to servera and confirm that NFS is accessible.
[student@servera ~]$ df /datanfs Filesystem 1K-blocks Used Available Use% Mounted on serverd.lab.example.com:/nfsshare 10474496 2285056 8189440 22% /datanf [student@servera ~]$ echo Hello World > /datanfs/test.txt [student@servera ~]$ ls /datanfs test.txt [student@servera ~]$ cat /datanfs/test.txt Hello World [student@servera ~]$ sudo -i [sudo] password for student: student [root@servera ~]# echo Hello World > /datanfs/root_test.txt -bash: /datanfs/root_test.txt: Permission denied
7. Check SMB vars YML file.
# This file defines the variable, smb_server.yml smb_client.yml script use. The file is encrypted because it contains a password.
# The ansible vault view command is used to display SMB_ vars. The contents of the YML file. The password is redhat.
[student@workstation filestorage-automation]$ ansible-vault view smb_vars.yml
Vault password: redhat
---
shared_dir: /smbshare
share_name: smbshare
mount_point: /developments
# User account for mounting the share
samba_usermount: sambamount
samba_passmount: redhat
# User accounts with write access to the share
allowed_group: developers
samba_users:
- name: developer1
password: redhat
- name: developer2
password: redhat
8. Check and complete smb_server.yml Ansible script.
The script creates the / smbshare directory, creates user accounts, and shares the directory using SMB.
[student@workstation filestorage-automation]$ cat smb_server.yml
---
- name: Share a directory with SMB
hosts: serverd.lab.example.com
become: true
vars_files:
- smb_vars.yml
tasks:
- name: the samba package is installed
yum:
name: samba
state: present
# Creating the Linux and Samba user for the multiuser mount.
# That user is only used to mount the share.
- name: the Linux user for Samba mount exists
user:
name: "{{ samba_usermount }}"
shell: /sbin/nologin
create_home: no
system: yes
- name: the Samba user for Samba mount exists
command: smbpasswd -s -a {{ samba_usermount }}
args:
stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"
# Group and users with write access to the share
- name: the Linux group exists
group:
name: "{{ allowed_group }}"
system: yes
- name: the Linux users exist for Samba users
user:
name: "{{ item['name'] }}"
shell: /sbin/nologin
groups:
- "{{ allowed_group }}"
loop: "{{ samba_users }}"
no_log: true
- name: the Samba users exist
command: smbpasswd -s -a {{ item['name'] }}
args:
stdin: "{{ item['password'] }}\n{{ item['password'] }}"
loop: "{{ samba_users }}"
no_log: true
- name: the directory exists
file:
path: "{{ shared_dir }}"
owner: root
group: "{{ allowed_group }}"
mode: '2775'
state: directory
setype: samba_share_t
- name: the directory is shared
template:
src: templates/smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
setype: samba_etc_t
notify: reload smb
- name: the smb service is started and enabled
service:
name: smb
state: started
enabled: yes
- name: the samba firewall service is opened
firewalld:
service: samba
state: enabled
immediate: yes
permanent: yes
handlers:
- name: reload smb
service:
name: smb
state: reloaded
9. Check templates / SMB Conf.j2 template.
This template sets global SMB parameters and creates a share. There is no need to change anything in this file.
[student@workstation filestorage-automation]$ cat templates/smb.conf.j2
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
smb encrypt = required
server min protocol = SMB3
[{{ share_name }}]
path = {{ shared_dir }}
write list = @{{ allowed_group }}
# For scripts that create multiple shares, the template may use jinj2 loops to create shares.
10. Verify smb_server.yml script syntax and run.
[student@workstation filestorage-automation]$ ansible-playbook --ask-vault-pass --syntax-check smb_server.yml Vault password: redhat playbook: smb_server.yml [student@workstation filestorage-automation]$ ansible-playbook --ask-vault-pass smb_server.yml Vault password: redhat ...output omitted...
11. Check and run smb_client.yml Ansible script.
[student@workstation filestorage-automation]$ cat smb_client.yml
---
- name: Access an SMB share
hosts: servera.lab.example.com
become: true
vars_files:
- smb_vars.yml
tasks:
- name: the cifs-utils package is installed
yum:
name: cifs-utils
state: present
- name: the credential file exists
copy:
content: "username={{ samba_usermount }}\n\
password={{ samba_passmount }}\n"
dest: /etc/samba/creds.txt
owner: root
group: root
mode: '0600'
no_log: true
- name: the SMB share is mounted
mount:
path: "{{ mount_point }}"
src: "//serverd.lab.example.com/{{ share_name }}"
opts: "credentials=/etc/samba/creds.txt,multiuser,seal"
state: mounted
fstype: cifs
- name: the Linux users exist
user:
name: "{{ item.name }}"
shell: /bin/bash
password: "{{ item.password | \
password_hash('sha512', 'redhatsalt') }}"
loop: "{{ samba_users }}"
no_log: true
[student@workstation filestorage-automation]$ ansible-playbook --ask-vault-pass smb_client.yml
Vault password: redhat
...output omitted...
12. Log in to servera and confirm that the SMB share is accessible.
[student@servera ~]$ df /developments df: /developments: Permission denied [student@servera ~]$ mount | grep /developments //serverd.lab.example.com/smbshare on /developments type cifs(rw,...,multiuser,...,seal,...) [student@servera ~]$ su - developer1 Password: redhat [developer1@servera ~]$ cifscreds add serverd.lab.example.com Password: redhat [developer1@servera ~]$ echo Hello World > /developments/test.txt [developer1@servera ~]$ ls /developments test.txt [developer1@servera ~]$ cat /developments/test.txt Hello World
Complete the experiment
[student@workstation ~]$ lab filestorage-automation finish
summary
- Describes how to deploy NFS servers using Ansible.
- Describes deploying Samba using Ansible.
- Describes how to use Ansible to configure NFS clients and Samba clients.
- If you like a little girl's article, please give it a compliment. You can also pay attention, because the follow-up will continue to dry goods.