Red Hat Enterprise Linux (RHEL) System Roles
RHEL System Roles Overview
RHEL System Roles is a collection of Ansible roles and modules that provide a stable and consistent configuration interface to automate and manage multiple releases of Red Hat Enterprise Linux. The effort is based on development of the Linux System Roles upstream project, and for the SAP related roles, the SAP LinuxLab upstream project.
The following roles are provided and supported as follows:
| Role Name | Description | Remote Host Management | Control Node | Role Initial Release |
|---|---|---|---|---|
| Security related roles | ||||
| selinux | SELinux | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.6/8.0 |
| nbde_client | Network bound disk encryption client | RHEL 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| nbde_server | Network bound disk encryption server | RHEL 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| certificate | Certificate issuance and renewal | RHEL 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| tlog | Terminal session recording | RHEL 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| ssh | Secure Shell (SSH) client | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.4 |
| sshd | Secure Shell (SSH) server | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.4 |
| crypto_policies | System-wide cryptographic policies | RHEL 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.4 |
| vpn | Virtual private networks | RHEL 7, 8, 9 | RHEL 8, 9 | RHEL 8.5 |
| firewall | Firewall | RHEL 7, 8, 9 | RHEL 8, 9 | RHEL 8.6/9.0 |
| Configuration related roles | ||||
| timesync | Time synchronization | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.6/8.0 |
| network | Networking | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.6/8.0 |
| kdump | Kernel dumps | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.6/8.0 |
| storage | Storage | RHEL 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.6/8.1 |
| postfix | Postfix (mail transfer agent) | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.6/8.0 |
| kernel_settings | Kernel settings | RHEL 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| logging | Logging (rsyslog) | RHEL 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| metrics | Metrics (Performance Co-Pilot) | RHEL 6, 7, 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.3 |
| ha_cluster | High availability clustering | RHEL 8, 9 | RHEL 7, 8, 9 | RHEL 7.9/8.4 |
| cockpit | Web console | RHEL 7, 8, 9 | RHEL 8, 9 | RHEL 8.6/9.0 |
| Workload related roles | ||||
| microsoft.sql.server1 | Microsoft SQL Server | RHEL 7, 8 | RHEL 7, 8, 9 | RHEL 8.5 |
| sap_general_preconfigure2 | SAP general preconfiguration | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 7.7/8.2 |
| sap_netweaver_preconfigure2 | SAP NetWeaver preconfiguration | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 7.7/8.2 |
| sap_hana_preconfigure2 | SAP HANA preconfiguration | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 7.7/8.2 |
| sap_hana_install2 | SAP HANA installation | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 8.6/9.0 |
| sap_ha_install_hana_hsr2 (tech preview*) | set up HANA system replication | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 8.6.z/9.0.z |
| sap_ha_install_pacemaker2 (tech preview*) | set up RHEL HA pacemaker cluster | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 8.6.z/9.0.z |
| sap_ha_prepare_pacemaker2 (tech preview*) | RHEL HA cluster preconfiguration | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 8.6.z/9.0.z |
| sap_ha_set_hana2 (tech preview*) | set up RHEL HA solutions for SAP HANA | RHEL 7.6+, 8, 9 | RHEL 8, 9 | RHEL 8.6.z/9.0.z |
*Roles in Technology Preview status are tested as stable but the interface (role inputs) may receive future updates that could be incompatible with the current state. Additional Technology Preview content can be found in the upstream project and its respective project in Ansible Galaxy.
1. The microsoft.sql.server role is available in the ansible-collection-microsoft-sql package
2. The SAP related system roles are available in the rhel-system-roles-sap package, which is provided as part of the RHEL for SAP Solutions subscription.
RHEL System Roles are installed and run from a central node referred to as the control node (which can be Ansible Automation Platform, Red Hat Satellite, or a RHEL 9, 8 or 7 host). The control node connects to a list of RHEL hosts defined in the inventory, and performs the configuration on them. It is recommended that you use the latest major release of RHEL on the control node and use the latest version of the roles either from the rhel-system-roles RPM or from Red Hat Automation Hub. The RHEL System Roles and Ansible packages do not need to be installed on the systems that are being managed/configured.
The RHEL System Roles are supported as provided from the following methods:
- As an RPM package in the RHEL 7 Extras repository
- As an RPM package in the RHEL 9 or RHEL 8 Application Streams repositories
- As a supported collection in the Red Hat Automation Hub
Note 1: The RHEL subscription provides support for the implementation of the RHEL System Roles and compatibility with Ansible Core (RHEL 9.0/8.6 and later) or Ansible Engine (RHEL 8.5 and below, including RHEL 7). The Ansible Core package in the Application Streams repositories, and the Ansible Engine repositories are made accessible as a convenience for the use of RHEL System Roles, as well as other layered products in the Red Hat product portfolio. However, the RHEL subscription does not include support for Ansible Core or Ansible Engine outside of the limited scope of support (see Note 2 below for details on limited scope of support). RHEL System Roles in RHEL 8.5 and below (including RHEL 7) utilize Ansible Engine 2.9 which follows the life cycle dates of Ansible Automation Platform version 1.2 as specified on the Red Hat Ansible Automation Platform Life Cycle page.
Note 2: For details on the limited scope of support for Ansible Core in RHEL, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. For details on the limited scope of support for Ansible Engine in RHEL, see the second note in How to download and Install Red Hat Ansible Engine?
Additional information can be found at Top Support Policies for Red Hat Ansible Automation.
Getting Started
RHEL 9.x and 8.6 and later: Installing RHEL System Roles and Ansible Core
On RHEL 9 systems, and on RHEL 8.6 and later systems that have not previously had Ansible Engine installed, run the following command to install RHEL System Roles and Ansible Core, both of which are included in the Application Streams repository:
# dnf install rhel-system-roles ansible-core
For systems that have been upgraded to RHEL 8.6 and have Ansible Engine installed, refer to Using Ansible in RHEL 8.6 and later for steps to migrate the system from Ansible Engine to Ansible Core.
RHEL 8.5 and below and RHEL 7.x: Installing RHEL System Roles and Ansible Engine
Perform the following steps to install RHEL System Roles and Red Hat Ansible Engine. The rhel-system-roles package is provided in the RHEL Extras repository on RHEL 7, and in the Application Streams repository on RHEL 8. The ansible RPM package is provided in the Ansible Engine repositories.
1) Use subscription-manager to list the Ansible Engine repositories available. Note that the generic "2" repository will always provide the latest release of the 2.X stream. RHEL System Roles are compatible with supported versions of Ansible. Unsupported versions of Ansible, such as Ansible Engine 2.8 and older are not supported for use with RHEL System Roles.
NOTE: The newest Ansible Engine version is recommended even when running on a RHEL 7 control node when managing RHEL 8 managed nodes to properly handle the transition to python3.
~~~
# subscription-manager refresh
# subscription-manager repos --list | grep ansible
~~~
2) To persistently enable the Ansible Engine repository using Red Hat Subscription Manager:
-
In RHEL 8
# subscription-manager repos --enable ansible-2-for-rhel-8-x86_64-rpms -
In RHEL 7
# subscription-manager repos --enable=rhel-7-server-extras-rpms --enable=rhel-7-server-ansible-2-rpms
3) Next, install RHEL System Roles and Ansible Engine packages:
~~~
# yum install rhel-system-roles ansible
~~~
Documentation
Additional information is provided in the Red Hat Enterprise Linux 8 documentation for Configuring basic system settings: 1. Getting started with RHEL System Roles.
By default, the rhel-system-roles package are installed to the following locations:
-
Documentation
/usr/share/doc/rhel-system-roles-<version>/SUBSYSTEM/ -
Ansible Roles
/usr/share/ansible/roles/rhel-system-roles.SUBSYSTEM/
Where SUBSYSTEM is the name of the subsystem that contains the individual role management.
Examples include: network, timesync, or other subsystems as they become supported. See RHEL System Roles Overview for more details. Each subsystem role will include a README file which documents how to use the role and supported parameter values, as well as the matching README in the linux-system-roles Ansible Galaxy landing space.
Example usage of the rhel-system-roles.network role
This example assumes the following
- Generally, Ansible is not installed on every system, but rather on a single system designated as the Ansible management or control node whose purpose is to manage other systems via Ansible.
- This example is executed from a RHEL 7.5 system used as the Ansible control node.
- A target, or client test system with a hostname of rhel7.5-test
- rhel7.5-test has a primary network interface to access (eth0), and a secondary interface for this example (eth1).
- Either the rhel7.5-test FQDN or IP Address has been added to the Ansible Inventory file /etc/ansible/hosts on the control node.
- The control node user ID running the test playbook has ssh access to, and
sudoability on rhel7.5-test. Alternatively, the-uoption can be used to specify a user which does have this ability. - For further details, see the Ansible Getting Started or Quick Start Video at http://docs.ansible.com/ for further details on how to use Ansible.
-
Using a text editor, create a file containing contents similar to the following:
$ vim example-network-playbook.yml --- - hosts: rhel7.5-test vars: network_connections: - name: DBnic state: up type: ethernet interface_name: eth1 autoconnect: yes ip: dhcp4: yes auto6: no roles: - role: rhel-system-roles.network -
Test that we have access to the machine. If not, refer to the Ansible documentation on how to enable Ansible to access a remote system.
$ ansible -m ping rhel7.5-test rhel7.5-test | SUCCESS => { "changed": false, "ping": "pong" } -
Query the Ansible Facts to see the guests network configuration.
$ ansible rhel7.5-test -m setup -a 'gather_subset=network filter=ansible_interfaces' rhel7.5-test | SUCCESS => { "ansible_facts": { "ansible_interfaces": [ "lo", "eth1", "eth0" ] }, "changed": false } -
Query the Ansible Facts to see the characteristics of eth1
$ ansible rhel7.5-test -m setup -a 'gather_subset=network filter=ansible_eth1' rhel7.5-test | SUCCESS => { "ansible_facts": { "ansible_eth1": { "active": true, "device": "eth1", "features": { "busy_poll": "off [fixed]", "fcoe_mtu": "off [fixed]", "generic_receive_offload": "on", "generic_segmentation_offload": "on", "highdma": "on [fixed]", "hw_tc_offload": "off [fixed]", "l2_fwd_offload": "off [fixed]", "large_receive_offload": "off [fixed]", "loopback": "off [fixed]", "netns_local": "off [fixed]", "ntuple_filters": "off [fixed]", "receive_hashing": "off [fixed]", "rx_all": "off [fixed]", "rx_checksumming": "on [fixed]", "rx_fcs": "off [fixed]", "rx_vlan_filter": "on [fixed]", "rx_vlan_offload": "off [fixed]", "rx_vlan_stag_filter": "off [fixed]", "rx_vlan_stag_hw_parse": "off [fixed]", "scatter_gather": "on", "tcp_segmentation_offload": "on", "tx_checksum_fcoe_crc": "off [fixed]", "tx_checksum_ip_generic": "on", "tx_checksum_ipv4": "off [fixed]", "tx_checksum_ipv6": "off [fixed]", "tx_checksum_sctp": "off [fixed]", "tx_checksumming": "on", "tx_fcoe_segmentation": "off [fixed]", "tx_gre_segmentation": "off [fixed]", "tx_gso_robust": "off [fixed]", "tx_ipip_segmentation": "off [fixed]", "tx_lockless": "off [fixed]", "tx_mpls_segmentation": "off [fixed]", "tx_nocache_copy": "off", "tx_scatter_gather": "on", "tx_scatter_gather_fraglist": "off [fixed]", "tx_sctp_segmentation": "off [fixed]", "tx_sit_segmentation": "off [fixed]", "tx_tcp6_segmentation": "on", "tx_tcp_ecn_segmentation": "on", "tx_tcp_segmentation": "on", "tx_udp_tnl_segmentation": "off [fixed]", "tx_vlan_offload": "off [fixed]", "tx_vlan_stag_hw_insert": "off [fixed]", "udp_fragmentation_offload": "on", "vlan_challenged": "off [fixed]" }, "macaddress": "52:54:00:e1:c2:4c", "module": "virtio_net", "mtu": 1500, "pciid": "virtio4", "promisc": false, "type": "ether" } }, "changed": false } -
Execute your example playbook. Note: You may safely ignore the warning message for now that the “wait for activation” feature is not yet implemented.
$ ansible-playbook -l rhel7.5-test example-network-playbook.yml PLAY [rhel7.5-test] ********************************************************************* TASK [Gathering Facts] ********************************************************* ok: [rhel7.5-test] TASK [rhel-system-roles.network : Check which services are running] ************ ok: [rhel7.5-test] TASK [rhel-system-roles.network : Check which packages are installed] ********** ok: [rhel7.5-test] TASK [rhel-system-roles.network : Install packages] **************************** skipping: [rhel7.5-test] TASK [rhel-system-roles.network : Enable network service] ********************** ok: [rhel7.5-test] TASK [rhel-system-roles.network : Print network provider] ********************** ok: [rhel7.5-test] => { "msg": "Using network provider: nm" } TASK [rhel-system-roles.network : Configure networking connection profiles] **** [WARNING]: [003] <info> #0, state:up persistent_state:present, 'DBnic': add connection DBnic, b62a7ea6-f1a4-408a-843e-ea292aa58b44 [WARNING]: [004] <info> #0, state:up persistent_state:present, 'DBnic': up connection DBnic, b62a7ea6-f1a4-408a-843e-ea292aa58b44 (is-modified) changed: [rhel7.5-test] TASK [rhel-system-roles.network : Re-test connectivity] ************************ ok: [rhel7.5-test] PLAY RECAP ********************************************************************* rhel7.5-test : ok=7 changed=1 unreachable=0 failed=0 -
Query again to see that eth1 is now online and has a IP Address assigned.
$ ansible rhel7.5-test -m setup -a 'gather_subset=network filter=ansible_eth1' rhel7.5-test | SUCCESS => { "ansible_facts": { "ansible_eth1": { "active": true, "device": "eth1", "features": { "busy_poll": "off [fixed]", "fcoe_mtu": "off [fixed]", "generic_receive_offload": "on", "generic_segmentation_offload": "on", "highdma": "on [fixed]", "hw_tc_offload": "off [fixed]", "l2_fwd_offload": "off [fixed]", "large_receive_offload": "off [fixed]", "loopback": "off [fixed]", "netns_local": "off [fixed]", "ntuple_filters": "off [fixed]", "receive_hashing": "off [fixed]", "rx_all": "off [fixed]", "rx_checksumming": "on [fixed]", "rx_fcs": "off [fixed]", "rx_vlan_filter": "on [fixed]", "rx_vlan_offload": "off [fixed]", "rx_vlan_stag_filter": "off [fixed]", "rx_vlan_stag_hw_parse": "off [fixed]", "scatter_gather": "on", "tcp_segmentation_offload": "on", "tx_checksum_fcoe_crc": "off [fixed]", "tx_checksum_ip_generic": "on", "tx_checksum_ipv4": "off [fixed]", "tx_checksum_ipv6": "off [fixed]", "tx_checksum_sctp": "off [fixed]", "tx_checksumming": "on", "tx_fcoe_segmentation": "off [fixed]", "tx_gre_segmentation": "off [fixed]", "tx_gso_robust": "off [fixed]", "tx_ipip_segmentation": "off [fixed]", "tx_lockless": "off [fixed]", "tx_mpls_segmentation": "off [fixed]", "tx_nocache_copy": "off", "tx_scatter_gather": "on", "tx_scatter_gather_fraglist": "off [fixed]", "tx_sctp_segmentation": "off [fixed]", "tx_sit_segmentation": "off [fixed]", "tx_tcp6_segmentation": "on", "tx_tcp_ecn_segmentation": "on", "tx_tcp_segmentation": "on", "tx_udp_tnl_segmentation": "off [fixed]", "tx_vlan_offload": "off [fixed]", "tx_vlan_stag_hw_insert": "off [fixed]", "udp_fragmentation_offload": "on", "vlan_challenged": "off [fixed]" }, "ipv4": { "address": "192.168.122.216", "broadcast": "192.168.122.255", "netmask": "255.255.255.0", "network": "192.168.122.0" }, "ipv6": [ { "address": "fe80::5054:ff:fee1:c24c", "prefix": "64", "scope": "link" } ], "macaddress": "52:54:00:e1:c2:4c", "module": "virtio_net", "mtu": 1500, "pciid": "virtio4", "promisc": false, "type": "ether" } }, "changed": false }
More examples
The roles carry their own example playbooks under their respective documentation directories (see above).
25 Comments
This article needs an update as RHEL 7.4 is now out of beta and the rhel-server-roles packages are available in the following channel (not beta):
The rhel-7-server-ansible-2-rpms contains all of the last 5 releases (currently 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4 and 2.5.0 releases, as of 2018 April). In most cases, the supporting packages are several releases behind what is available on extras and epel.
What is the value in maintaining all of these version specific channels? Administration should not need to know the release levels to enable, but rather select a general application set, and pick "latest", which is the entire point of ansible. This version specific channel idea is the exact opposite of what the product itself is intending to promote.
I'd like to see this article updated (or another separate article) for RHEL 8 (8.0 and above, not beta).
tried these:
Yet neither of these provided the rpm ansible for rhel 8.
I did an rpm search as well, and easily found the rhel7 anisble rpm, but not the rhel8 ansible rpm.
RJ
I, too, would like to see this document updated. But I have a quick question, R. Hinton: Ansible 2.8 is the first version to run on RHEL 8, and it was not released until May 21st. What happens, now, if you execute
(Or
ansible-2-for-rhel-8-x86_64-rpmsif you always want the latest 2.y version.)I have updated this document to reflect the updates for RHEL 8 and Ansible Engine 2.8. Thank you for the feedback and apologies for the technical delay in release Ansible 2.8 a few weeks after RHEL 8.
I'm relatively new to Ansible and Ansible Tower. How do I use the rhel-system-roles from Ansible Tower?
Hello Colin, Yes, with either Tower or Satellite installed on top of RHEL, you can simply install the rhel-system-roles package. Then you can execute them from playbooks just like any other role.
Can you tell me where "rhel-7-workstation-ansible-2-rpms" might be found, if it even exists? What if I want to run Ansible (2.9.13 for example) on my workstation, rather than a server?
Hello Ben,
There is no workstation variant, so just use the Server repo version which should be available to the Workstation subscription. If you have any trouble with this, you can open a support case for further assistance.
I would like to use the system roles in azure, however the ansible repository is not accessible there: https://bugzilla.redhat.com/show_bug.cgi?id=1870674 Could you please clarify internally that this is part of the rhel subscription?
I am looking for the ipa server and ipa client roles. Are they not available in RHEL 8?
Hi Joanna, The Identity Management server and client roles are available in the ansible-freeipa package in RHEL 8. For more information, please refer to these documentation links:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-identity-management-server-using-an-ansible-playbook_installing-identity-management
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-identity-management-client-using-an-ansible-playbook_installing-identity-management
Hey everyone,
I would like to have a system role for configuring a password policy across different RHEL major releases. In case you like that idea too, please support the RFE filed at: Bug 2038620 - [RFE] [RHEL7/8] Create and provide RHEL System Role for managing a Password Policy
You can present your idea to the linux system roles developers here: https://github.com/linux-system-roles/linux-system-roles.github.io/issues and you can start implementing it using their template https://github.com/linux-system-roles/template
the pwquality stuff I do like this:
Hi Klaas,
I'll think about it. Since I'd have to write some role anyway I could try and contribute to the upstream project and see how it goes. In case my code is not worthy someone might act as mentor or I could still use my code for myself.
Best regards,
Joerg
Hello,
The following link in section "Documentation" first paragraph is broken: 1. Getting started with RHEL System Roles.
Could you fix it, please?
Thanks in advance,
Joerg
Thanks for noticing this. I fixed it and published the draft for review. Not sure when it will be live.
Hi, as it seems the fixed version is already live. Thank your very much for the quick fix.
I cannot get ansible-doc to work against modules provided by rhel_system_roles. This does not help: ANSIBLE_LIBRARY=/usr/share/ansible/plugins/modules:/usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/plugins
neither does adding -M "path to plugins" to ansible-docs.
Collections are a nightmare to those of us trained on ansible <2.9
Hello Damon,
I'm not sure if I understand your trouble.
As of my knowledge the package ˋrhel-system-rolesˋ provides a collection of ansible roles. If I recall correctly they don't provide any new modules, do they? In case you're looking for the documentation on the roles you could find these in ˋ/usr/share/doc/rhel-system-roles//README.md.
Could you provide an example of an module provided by the collection, the version of your ˋrhel-system-rolesˋ package and the RHEL version youˋre working with?
Best regards,
Joerg
rhel-system-roles provides no modules, only roles. And
ansible-docdoes not work for roles. The documentation for each role should be under /usr/share/doc/rhel-system-roles if you are using the RPM, or look in the collection root directory if you are using the collection installed from Automation Hub.If you install the rhel-system-roles RPM package, you can use the "legacy" role format.
If you have to use the collection installed from Automation Hub (or for some other reason), then simply change
to
Hello RHEL System Roles Team,
Most of the roles are shipped with good examples you could find in
/usr/share/doc/rhel-system-roles/*/example*-playbook.yml. I like these playbooks very much as they provide decent examples for common use cases. You could adapt them easily via copy, paste, and modify for your own environment.However,
/usr/share/doc/rhel-system-roles/firewall/does not contain any example playbook although the/usr/share/doc/rhel-system-roles/firewall/README.mdcontains several snippets for playbooks. Since the README.md is quite long, and you have to search it for examples IMHO it would be more convenient to have example playbooks like in the other roles, i.e. sshd, timesync, and selinux.Could you create these example playbooks and ship them with an update? In case it's possible, I could contribute some examples, but I'm not sure how to do so. Should I raise a Bugzilla for it to provide some examples? Please tell me where to send them or where to open a pull request for them?
Best regards,
Jörg
You can submit pull requests here - https://github.com/linux-system-roles/firewall/pulls - and from there they will eventually end up in the Red Hat product.
Thanks for the quick reply. I was not sure if the Linux System Roles project is the right place, because I didn't see any references to files in
/usr/share/doc/there. I guess during the transfer to the packaging for therhel-system-roles.rpmthe examples are brought into place, right?Anyway, I'll put together some examples and send a pull request.
Have a nice weekend.
Thanks,
Jörg
Yes, exactly. You can see most of that here - https://src.fedoraproject.org/rpms/linux-system-roles/blob/rawhide/f/linux-system-roles.spec - we mostly use that same spec file to build the RHEL RPM rhel-system-roles packages (and for Automation Hub)