Translated message

A translation of this page exists in English.

Red Hat Enterprise Linux (RHEL) System Roles

更新 -

RHEL System Roles is a collection of Ansible roles and modules that provide a stable and consistent configuration interface to automate and manage multiple releases of Red Hat Enterprise Linux. The effort is based on development of the Linux System Roles upstream project.

The following roles are provided and supported as follows:

Role Name Description Remote Host Management Control Node Role Initial Release
Security related roles
selinux SELinux RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.6/8.0
nbde_client Network bound disk encryption client RHEL 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
nbde_server Network bound disk encryption server RHEL 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
certificate Certificate issuance and renewal RHEL 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
tlog Terminal session recording RHEL 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
ssh Secure Shell (SSH) client RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.4
sshd Secure Shell (SSH) server RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.4
crypto_policies System-wide cryptographic policies RHEL 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.4
vpn Virtual private networks RHEL 7, 8, 9 RHEL 8, 9 RHEL 8.5
firewall Firewall RHEL 7, 8, 9 RHEL 8, 9 RHEL 8.6/9.0
Configuration related roles
timesync Time synchronization RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.6/8.0
network Networking RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.6/8.0
kdump Kernel dumps RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.6/8.0
storage Storage RHEL 7, 8, 9 RHEL 7, 8, 9 RHEL 7.6/8.1
postfix Postfix (mail transfer agent) RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.6/8.0
kernel_settings Kernel settings RHEL 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
logging Logging (rsyslog) RHEL 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
metrics Metrics (Performance Co-Pilot) RHEL 6, 7, 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.3
ha_cluster High availability clustering RHEL 8, 9 RHEL 7, 8, 9 RHEL 7.9/8.4
cockpit Web console RHEL 7, 8, 9 RHEL 8, 9 RHEL 8.6/9.0
Workload related roles
microsoft.sql.server Microsoft SQL Server RHEL 7, 8 RHEL 7, 8, 9 RHEL 8.5
sap_general_preconfigure SAP general preconfiguration RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 7.7/8.2
sap_netweaver_preconfigure SAP NetWeaver preconfiguration RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 7.7/8.2
sap_hana_preconfigure SAP HANA preconfiguration RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 7.7/8.2
sap_hana_install (tech preview*) SAP HANA installation RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 8.6/9.0
sap_ha_install_hana_hsr (tech preview*) set up HANA system replication RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 8.6.z/9.0.z
sap_ha_install_pacemaker (tech preview*) set up RHEL HA pacemaker cluster RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 8.6.z/9.0.z
sap_ha_prepare_pacemaker (tech preview*) RHEL HA cluster preconfiguration RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 8.6.z/9.0.z
sap_ha_set_hana (tech preview*) set up RHEL HA solutions for SAP HANA RHEL 7.6+, 8, 9 RHEL 8, 9 RHEL 8.6.z/9.0.z

*Roles in Technology Preview status are tested as stable but the interface (role inputs) may receive future updates that could be incompatible with the current state. Additional Technology Preview content can be found in the upstream project and its respective project in Ansible Galaxy.

RHEL System Roles are installed and run from a central node referred to as the control node (which can be Ansible Automation Platform, Red Hat Satellite, or a RHEL 9, 8 or 7 host). The control node connects to a list of RHEL hosts defined in the inventory, and performs the configuration on them. It is recommended that you use the latest major release of RHEL on the control node and use the latest version of the roles either from the rhel-system-roles RPM or from Red Hat Automation Hub. The RHEL System Roles and Ansible packages do not need to be installed on the systems that are being managed/configured.

The RHEL System Roles are supported as provided from the following methods:
- As an RPM package in the RHEL 7 Extras repository
- As an RPM package in the RHEL 9 or RHEL 8 Application Streams repositories
- As a supported collection in the Red Hat Automation Hub

Note 1: The RHEL subscription provides support for the implementation of the RHEL System Roles and compatibility with Ansible Core (RHEL 9.0/8.6 and later) or Ansible Engine (RHEL 8.5 and below, including RHEL 7). The Ansible Core package in the Application Streams repositories, and the Ansible Engine repositories are made accessible as a convenience for the use of RHEL System Roles, as well as other layered products in the Red Hat product portfolio. However, the RHEL subscription does not include support for Ansible Core or Ansible Engine outside of the limited scope of support (see Note 2 below for details on limited scope of support). RHEL System Roles in RHEL 8.5 and below (including RHEL 7) utilize Ansible Engine 2.9 which follows the life cycle dates of Ansible Automation Platform version 1.2 as specified on the Red Hat Ansible Automation Platform Life Cycle page.

Note 2: For details on the limited scope of support for Ansible Core in RHEL, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. For details on the limited scope of support for Ansible Engine in RHEL, see the second note in How to download and Install Red Hat Ansible Engine?
Additional information can be found at Top Support Policies for Red Hat Ansible Automation.

Getting Started

RHEL 9.x and 8.6 and later: Installing RHEL System Roles and Ansible Core

On RHEL 9 systems, and on RHEL 8.6 and later systems that have not previously had Ansible Engine installed, run the following command to install RHEL System Roles and Ansible Core, both of which are included in the Application Streams repository:

# dnf install rhel-system-roles ansible-core

For systems that have been upgraded to RHEL 8.6 and have Ansible Engine installed, refer to Using Ansible in RHEL 8.6 and later for steps to migrate the system from Ansible Engine to Ansible Core.

RHEL 8.5 and below and RHEL 7.x: Installing RHEL System Roles and Ansible Engine

Perform the following steps to install RHEL System Roles and Red Hat Ansible Engine. The rhel-system-roles package is provided in the RHEL Extras repository on RHEL 7, and in the Application Streams repository on RHEL 8. The ansible RPM package is provided in the Ansible Engine repositories.

1) Use subscription-manager to list the Ansible Engine repositories available. Note that the generic "2" repository will always provide the latest release of the 2.X stream. RHEL System Roles are compatible with supported versions of Ansible. Unsupported versions of Ansible, such as Ansible Engine 2.8 and older are not supported for use with RHEL System Roles.
NOTE: The newest Ansible Engine version is recommended even when running on a RHEL 7 control node when managing RHEL 8 managed nodes to properly handle the transition to python3.

~~~
# subscription-manager refresh
# subscription-manager  repos  --list  | grep ansible
~~~

2) To persistently enable the Ansible Engine repository using Red Hat Subscription Manager:

  • In RHEL 8

    # subscription-manager repos --enable ansible-2-for-rhel-8-x86_64-rpms
    
  • In RHEL 7

    # subscription-manager  repos --enable=rhel-7-server-extras-rpms --enable=rhel-7-server-ansible-2-rpms
    

3) Next, install RHEL System Roles and Ansible Engine packages:

~~~
# yum install  rhel-system-roles  ansible
~~~

Documentation

Additional information is provided in the Red Hat Enterprise Linux 8 documentation for Configuring basic system settings: 1. Getting started with RHEL System Roles.

By default, the rhel-system-roles package are installed to the following locations:

  • Documentation

    /usr/share/doc/rhel-system-roles-<version>/SUBSYSTEM/
    
  • Ansible Roles

     /usr/share/ansible/roles/rhel-system-roles.SUBSYSTEM/
    

Where SUBSYSTEM is the name of the subsystem that contains the individual role management.

Examples include: network, timesync, or other subsystems as they become supported. See RHEL System Roles Overview for more details. Each subsystem role will include a README file which documents how to use the role and supported parameter values, as well as the matching README in the linux-system-roles Ansible Galaxy landing space.

Example usage of the rhel-system-roles.network role

This example assumes the following

  • Generally, Ansible is not installed on every system, but rather on a single system designated as the Ansible management or control node whose purpose is to manage other systems via Ansible.
  • This example is executed from a RHEL 7.5 system used as the Ansible control node.
  • A target, or client test system with a hostname of rhel7.5-test
  • rhel7.5-test has a primary network interface to access (eth0), and a secondary interface for this example (eth1).
  • Either the rhel7.5-test FQDN or IP Address has been added to the Ansible Inventory file /etc/ansible/hosts on the control node.
  • The control node user ID running the test playbook has ssh access to, and sudo ability on rhel7.5-test. Alternatively, the -u option can be used to specify a user which does have this ability.
  • For further details, see the Ansible Getting Started or Quick Start Video at http://docs.ansible.com/ for further details on how to use Ansible.
  1. Using a text editor, create a file containing contents similar to the following:

    $ vim example-network-playbook.yml
    ---
    - hosts: rhel7.5-test
      vars:
        network_connections:
          - name: DBnic
            state: up
            type: ethernet
            interface_name: eth1
            autoconnect: yes
            ip:
              dhcp4: yes
              auto6: no
      roles:
        - role: rhel-system-roles.network
    
  2. Test that we have access to the machine. If not, refer to the Ansible documentation on how to enable Ansible to access a remote system.

    $ ansible -m ping rhel7.5-test
    rhel7.5-test | SUCCESS => {
        "changed": false, 
        "ping": "pong"
    }
    
  3. Query the Ansible Facts to see the guests network configuration.

    $ ansible rhel7.5-test -m setup -a 'gather_subset=network filter=ansible_interfaces' 
    
    rhel7.5-test | SUCCESS => {
        "ansible_facts": {
            "ansible_interfaces": [
                "lo", 
                "eth1", 
                "eth0"
            ]
        }, 
        "changed": false
    }
    
  4. Query the Ansible Facts to see the characteristics of eth1

    $ ansible rhel7.5-test -m setup -a 'gather_subset=network filter=ansible_eth1' 
    rhel7.5-test | SUCCESS => {
        "ansible_facts": {
            "ansible_eth1": {
                "active": true, 
                "device": "eth1", 
                "features": {
                    "busy_poll": "off [fixed]", 
                    "fcoe_mtu": "off [fixed]", 
                    "generic_receive_offload": "on", 
                    "generic_segmentation_offload": "on", 
                    "highdma": "on [fixed]", 
                    "hw_tc_offload": "off [fixed]", 
                    "l2_fwd_offload": "off [fixed]", 
                    "large_receive_offload": "off [fixed]", 
                    "loopback": "off [fixed]", 
                    "netns_local": "off [fixed]", 
                    "ntuple_filters": "off [fixed]", 
                    "receive_hashing": "off [fixed]", 
                    "rx_all": "off [fixed]", 
                    "rx_checksumming": "on [fixed]", 
                    "rx_fcs": "off [fixed]", 
                    "rx_vlan_filter": "on [fixed]", 
                    "rx_vlan_offload": "off [fixed]", 
                    "rx_vlan_stag_filter": "off [fixed]", 
                    "rx_vlan_stag_hw_parse": "off [fixed]", 
                    "scatter_gather": "on", 
                    "tcp_segmentation_offload": "on", 
                    "tx_checksum_fcoe_crc": "off [fixed]", 
                    "tx_checksum_ip_generic": "on", 
                    "tx_checksum_ipv4": "off [fixed]", 
                    "tx_checksum_ipv6": "off [fixed]", 
                    "tx_checksum_sctp": "off [fixed]", 
                    "tx_checksumming": "on", 
                    "tx_fcoe_segmentation": "off [fixed]", 
                    "tx_gre_segmentation": "off [fixed]", 
                    "tx_gso_robust": "off [fixed]", 
                    "tx_ipip_segmentation": "off [fixed]", 
                    "tx_lockless": "off [fixed]", 
                    "tx_mpls_segmentation": "off [fixed]", 
                    "tx_nocache_copy": "off", 
                    "tx_scatter_gather": "on", 
                    "tx_scatter_gather_fraglist": "off [fixed]", 
                    "tx_sctp_segmentation": "off [fixed]", 
                    "tx_sit_segmentation": "off [fixed]", 
                    "tx_tcp6_segmentation": "on", 
                    "tx_tcp_ecn_segmentation": "on", 
                    "tx_tcp_segmentation": "on", 
                    "tx_udp_tnl_segmentation": "off [fixed]", 
                    "tx_vlan_offload": "off [fixed]", 
                    "tx_vlan_stag_hw_insert": "off [fixed]", 
                    "udp_fragmentation_offload": "on", 
                    "vlan_challenged": "off [fixed]"
                }, 
                "macaddress": "52:54:00:e1:c2:4c", 
                "module": "virtio_net", 
                "mtu": 1500, 
                "pciid": "virtio4", 
                "promisc": false, 
                "type": "ether"
            }
        }, 
        "changed": false
    }
    
  5. Execute your example playbook. Note: You may safely ignore the warning message for now that the “wait for activation” feature is not yet implemented.

    $ ansible-playbook -l rhel7.5-test example-network-playbook.yml
    PLAY [rhel7.5-test] *********************************************************************
    
    TASK [Gathering Facts] *********************************************************
    ok: [rhel7.5-test]
    
    TASK [rhel-system-roles.network : Check which services are running] ************
    ok: [rhel7.5-test]
    
    TASK [rhel-system-roles.network : Check which packages are installed] **********
    ok: [rhel7.5-test]
    
    TASK [rhel-system-roles.network : Install packages] ****************************
    skipping: [rhel7.5-test]
    
    TASK [rhel-system-roles.network : Enable network service] **********************
    ok: [rhel7.5-test]
    
    TASK [rhel-system-roles.network : Print network provider] **********************
    ok: [rhel7.5-test] => {
        "msg": "Using network provider: nm"
    }
    
    TASK [rhel-system-roles.network : Configure networking connection profiles] ****
     [WARNING]: [003] <info>  #0, state:up persistent_state:present, 'DBnic': add
    connection DBnic, b62a7ea6-f1a4-408a-843e-ea292aa58b44
    
     [WARNING]: [004] <info>  #0, state:up persistent_state:present, 'DBnic': up
    connection DBnic, b62a7ea6-f1a4-408a-843e-ea292aa58b44 (is-modified)
    
    changed: [rhel7.5-test]
    
    TASK [rhel-system-roles.network : Re-test connectivity] ************************
    ok: [rhel7.5-test]
    
    PLAY RECAP *********************************************************************
    rhel7.5-test : ok=7    changed=1    unreachable=0    failed=0   
    
  6. Query again to see that eth1 is now online and has a IP Address assigned.

    $ ansible rhel7.5-test -m setup -a 'gather_subset=network filter=ansible_eth1' 
    
    rhel7.5-test | SUCCESS => {
        "ansible_facts": {
            "ansible_eth1": {
                "active": true, 
                "device": "eth1", 
                "features": {
                    "busy_poll": "off [fixed]", 
                    "fcoe_mtu": "off [fixed]", 
                    "generic_receive_offload": "on", 
                    "generic_segmentation_offload": "on", 
                    "highdma": "on [fixed]", 
                    "hw_tc_offload": "off [fixed]", 
                    "l2_fwd_offload": "off [fixed]", 
                    "large_receive_offload": "off [fixed]", 
                    "loopback": "off [fixed]", 
                    "netns_local": "off [fixed]", 
                    "ntuple_filters": "off [fixed]", 
                    "receive_hashing": "off [fixed]", 
                    "rx_all": "off [fixed]", 
                    "rx_checksumming": "on [fixed]", 
                    "rx_fcs": "off [fixed]", 
                    "rx_vlan_filter": "on [fixed]", 
                    "rx_vlan_offload": "off [fixed]", 
                    "rx_vlan_stag_filter": "off [fixed]", 
                    "rx_vlan_stag_hw_parse": "off [fixed]", 
                    "scatter_gather": "on", 
                    "tcp_segmentation_offload": "on", 
                    "tx_checksum_fcoe_crc": "off [fixed]", 
                    "tx_checksum_ip_generic": "on", 
                    "tx_checksum_ipv4": "off [fixed]", 
                    "tx_checksum_ipv6": "off [fixed]", 
                    "tx_checksum_sctp": "off [fixed]", 
                    "tx_checksumming": "on", 
                    "tx_fcoe_segmentation": "off [fixed]", 
                    "tx_gre_segmentation": "off [fixed]", 
                    "tx_gso_robust": "off [fixed]", 
                    "tx_ipip_segmentation": "off [fixed]", 
                    "tx_lockless": "off [fixed]", 
                    "tx_mpls_segmentation": "off [fixed]", 
                    "tx_nocache_copy": "off", 
                    "tx_scatter_gather": "on", 
                    "tx_scatter_gather_fraglist": "off [fixed]", 
                    "tx_sctp_segmentation": "off [fixed]", 
                    "tx_sit_segmentation": "off [fixed]", 
                    "tx_tcp6_segmentation": "on", 
                    "tx_tcp_ecn_segmentation": "on", 
                    "tx_tcp_segmentation": "on", 
                    "tx_udp_tnl_segmentation": "off [fixed]", 
                    "tx_vlan_offload": "off [fixed]", 
                    "tx_vlan_stag_hw_insert": "off [fixed]", 
                    "udp_fragmentation_offload": "on", 
                    "vlan_challenged": "off [fixed]"
                }, 
                "ipv4": {
                    "address": "192.168.122.216", 
                    "broadcast": "192.168.122.255", 
                    "netmask": "255.255.255.0", 
                    "network": "192.168.122.0"
                }, 
                "ipv6": [
                    {
                        "address": "fe80::5054:ff:fee1:c24c", 
                        "prefix": "64", 
                        "scope": "link"
                    }
                ], 
                "macaddress": "52:54:00:e1:c2:4c", 
                "module": "virtio_net", 
                "mtu": 1500, 
                "pciid": "virtio4", 
                "promisc": false, 
                "type": "ether"
            }
        }, 
        "changed": false
    }
    

More examples

The roles carry their own example playbooks under their respective documentation directories (see above).

Comments