Chapter 1. Preparing a control node and managed nodes to use RHEL System Roles

Before you can use individual RHEL System Roles to manage services and settings, prepare the involved hosts.

1.1. Introduction to RHEL System Roles

RHEL System Roles is a collection of Ansible roles and modules. RHEL System Roles provide a configuration interface to remotely manage multiple RHEL systems. The interface enables managing system configurations across multiple versions of RHEL, as well as adopting new major releases.

On Red Hat Enterprise Linux 9, the interface currently consists of the following roles:

  • Certificate Issuance and Renewal
  • Kernel Settings (kernel_settings)
  • Metrics (metrics)
  • Network Bound Disk Encryption client and Network Bound Disk Encryption server (nbde_client and nbde_server)
  • Networking (network)
  • Postfix (postfix)
  • SSH client (ssh)
  • SSH server (sshd)
  • System-wide Cryptographic Policies (crypto_policies)
  • Terminal Session Recording (tlog)

All these roles are provided by the rhel-system-roles package available in the AppStream repository.

Additional resources

1.2. RHEL System Roles terminology

You can find the following terms across this documentation:

Ansible playbook
Playbooks are Ansible’s configuration, deployment, and orchestration language. They can describe a policy you want your remote systems to enforce, or a set of steps in a general IT process.
Control node
Any machine with Ansible installed. You can run commands and playbooks, invoking /usr/bin/ansible or /usr/bin/ansible-playbook, from any control node. You can use any computer that has Python installed on it as a control node - laptops, shared desktops, and servers can all run Ansible. However, you cannot use a Windows machine as a control node. You can have multiple control nodes.
A list of managed nodes. An inventory file is also sometimes called a “hostfile”. Your inventory can specify information like IP address for each managed node. An inventory can also organize managed nodes, creating and nesting groups for easier scaling. To learn more about inventory, see the Working with Inventory section.
Managed nodes
The network devices, servers, or both that you manage with Ansible. Managed nodes are also sometimes called “hosts”. Ansible is not installed on managed nodes.

1.3. Preparing a control node

RHEL includes Ansible Core in the AppStream repository with a limited scope of support. If you require additional support for Ansible, contact Red Hat to learn more about the Ansible Automation Platform subscription.


  • You registered the system to the Customer Portal.
  • You attached a Red Hat Enterprise Linux Server subscription to the system.
  • If available in your Customer Portal account, you attached an Ansible Automation Platform subscription to the system.


  1. Install the rhel-system-roles package:

    [root@control-node]# dnf install rhel-system-roles

    This command installs Ansible Core as a dependency.

  2. Create a user that you later use to manage and execute playbooks:

    [root@control-node]# useradd ansible
  3. Switch to the newly created ansible user:

    [root@control-node]# su - ansible

    Perform the rest of the procedure as this user.

  4. Create an SSH public and private key

    [ansible@control-node]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/ansible/.ssh/id_rsa): password

    Use the suggested default location for the key file.

  5. Optional: Configure an SSH agent to prevent Ansible from prompting you for the SSH key password each time you establish a connection.
  6. Create the ~/.ansible.cfg file with the following content:

    inventory = /home/ansible/inventory
    remote_user = ansible
    become = True
    become_method = sudo
    become_user = root
    become_ask_pass = True

    With these settings:

    • Ansible manages hosts in the specified inventory file.
    • Ansible uses the account set in the remote_user parameter when it establishes SSH connections to managed nodes.
    • Ansible uses the sudo utility to execute tasks on managed nodes as the root user.

      For security reasons, configure sudo on managed nodes to require entering the password of the remote user to become root. By specifying the become_ask_pass=True setting in ~/.ansible.cfg, Ansible prompts for this password when you execute a playbook.

    Settings in the ~/.ansible.cfg file have a higher priority and override settings from the global /etc/ansible/ansible.cfg file.

  7. Create the ~/inventory file. For example, the following is an inventory file in the INI format with three hosts and one host group named US:
    [US] ansible_host=

    Note that the control node must be able to resolve the hostnames. If the DNS server cannot resolve certain hostnames, add the ansible_host parameter next to the host entry to specify its IP address.

1.4. Preparing a managed node

Ansible does not use an agent on managed hosts. The only requirements are Python, which is installed by default on RHEL, and SSH access to the managed host.

However, direct SSH access as the root user can be a security risk. Therefore, when you prepare a managed node, you create a local user on this node and configure a sudo policy. Ansible on the control node can then use this account to log in to the managed node and execute playbooks as different users, such as root.


  • You prepared the control node.


  1. Create a user:

    [root@managed-node-01]# useradd ansible

    The control node later uses this user to establish an SSH connection to this host.

  2. Set a password to the ansible user:

    [root@managed-node-01]# passwd ansible
    Changing password for user ansible.
    New password: password
    Retype new password: password
    passwd: all authentication tokens updated successfully.

    You must enter this password when Ansible uses sudo to perform tasks as the root user.

  3. Install the ansible user’s SSH public key on the managed node:

    1. Log into the control node as the ansible user, and copy the SSH public key to the managed node:

      [ansible@control-node]$ ssh-copy-id
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ansible/.ssh/"
      The authenticity of host ' (' can't be established.
      ECDSA key fingerprint is SHA256:9bZ33GJNODK3zbNhybokN/6Mq7hu3vpBXDrCxe7NAvo.
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
      /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys's password: password
      Number of key(s) added: 1
      Now try logging into the machine, with:   "ssh ''"
      and check to make sure that only the key(s) you wanted were added.
    2. Remotely execute a command on the control node to verify the SSH connection:

      [ansible@control-node]$ ssh whoami
  4. Create a sudo configuration for the ansible user:

    1. Use the visudo command to create and edit the /etc/sudoers.d/ansible file:

      [root@managed-node-01]# visudo /etc/sudoers.d/ansible

      The benefit of using visudo over a normal editor is that this utility provides basic sanity checks and checks for parse errors before installing the file.

    2. Configure a sudoers policy in the /etc/sudoers.d/ansible file that meets your requirements, for example:

      • To grant permissions to the ansible user to run all commands as any user and group on this host after entering the ansible user’s password, use:

        ansible ALL=(ALL) ALL
      • To grant permissions to the ansible user to run all commands as any user and group on this host without entering the ansible user’s password, use:

        ansible ALL=(ALL) NOPASSWD: ALL

    Alternatively, configure a more fine-granular policy that matches your security requirements. For further details on sudoers policies, see the sudoers(5) man page.

Additional resources

1.5. Verifying access from the control node to managed nodes

After you configured the control node and prepared managed nodes, test that Ansible can connect to the managed nodes.

Perform this procedure as the ansible user on the control node.


  • You prepared the control node as described in Preparing a control node.
  • You prepared at least one managed node as described in Preparing a managed node.
  • If you want to run playbooks on host groups, the managed node is listed in the inventory file on the control node.


  1. Use the Ansible ping module to verify that you can execute commands on an all managed hosts:

    [ansible@control-node]$ ansible all -m ping
    BECOME password: password | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        "changed": false,
        "ping": "pong"

    The hard-coded all host group dynamically contains all hosts listed in the inventory file.

  2. Use the Ansible command module to run the whoami utility on a managed host:

    [ansible@control-node]$ ansible -m command -a whoami
    BECOME password: password | CHANGED | rc=0 >>

    If the command returns root, you configured sudo on the managed nodes correctly, and privilege escalation works.