RHCE 9.0 Practice Exam: Automating User Account Creation with Ansible
Introduction
In this RHCE 9.0 Ansible exam practice guide, we will automate user account creation across multiple managed nodes using Ansible. We will securely store and retrieve passwords using Ansible Vault and password hashing.
This guide includes:
- How to fetch a user list from an external source
- How to create users dynamically with the user module
- How to assign secure passwords using password_hash
- How to automate group creation
- How to verify that users have been created correctly
- Common troubleshooting techniques
What You Will Learn
- How to download and use an external user list in Ansible
- How to retrieve encrypted passwords from an Ansible Vault
- How to assign users to groups and set password policies
- How to verify user creation and troubleshoot issues
1. Task Requirements
1.1. Problem Statement
- Download a user list from http://classroom/materials/user_list.yml and store it at /home/greg/ansible/user_list.yml.
- Create an Ansible playbook named /home/greg/ansible/users.yml that:
  - Uses /home/greg/ansible/locker.yml (previously created Ansible Vault) for password storage.
  - Uses /home/greg/ansible/secret.txt as the vault password file.
- Users should be created as follows:
  - Developers (developer role):
    - Created in dev and test host groups.
    - Assigned the devops group.
    - Password sourced from pw_developer in locker.yml.
    - Password maximum validity: 30 days.
    - Password stored as SHA512 hash.
  - Managers (manager role):
    - Created in prod host group.
    - Assigned the opsmgr group.
    - Password sourced from pw_manager in locker.yml.
    - Password maximum validity: 30 days.
    - Password stored as SHA512 hash.
2. Download the User List
$ wget http://classroom/materials/user_list.yml -O /home/greg/ansible/user_list.yml
Explanation:
- Fetches a pre-defined user list from the classroom materials.
- Saves it as user_list.yml in the Ansible working directory.
Example user_list.yml Content:
users:
  - name: bob
    job: developer
    password_expire_max: 30
  - name: fred
    job: developer
    password_expire_max: 30
  - name: sally
    job: manager
    password_expire_max: 30
This file defines the users, their roles, and password policies.
3. Writing the Ansible Playbook
3.1. Create the Playbook File
$ vim /home/greg/ansible/users.yml
Playbook Breakdown (Step-by-Step)
---
- name: Create Developer Users
  hosts: dev,test
  become: yes
  vars_files:
    - /home/greg/ansible/locker.yml
    - /home/greg/ansible/user_list.yml
  tasks:
    - name: Ensure devops group exists
      ansible.builtin.group:
        name: devops
        state: present

    - name: Create developer users
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: devops
        password: "{{ pw_developer | password_hash('sha512') }}"
        password_expire_max: "{{ item.password_expire_max }}"
        state: present
      loop: "{{ users }}"
      when: item.job == 'developer'
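Explanation:
- vars_files: Loads the user list and the vault-encrypted passwords.
- group: Ensures the devops group exists before adding users.
- user: Adds developer users from the list.
Note: password_hash('sha512') is called without a salt, so a new random salt is generated on every run and the user task reports changed each time, even when the password itself is unchanged.
3.2. Create Manager Users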
- name: Create Manager Users
  hosts: prod
  become: yes
  vars_files:
    - /home/greg/ansible/locker.yml
    - /home/greg/ansible/user_list.yml
  tasks:
    - name: Ensure opsmgr group exists
      ansible.builtin.group:
        name: opsmgr
        state: present

    - name: Create manager users
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
        password_expire_max: "{{ item.password_expire_max }}"
        state: present
      loop: "{{ users }}"
      when: item.job == 'manager'
Explanation:
- Creates managers in the prod group.
- Ensures opsmgr group exists before assigning users.
- Uses pw_manager password from locker.yml.
This ensures that all users are created with correct roles and password settings.
4. Running the Playbook
$ ansible-navigator run /home/greg/ansible/users.yml -m stdout
Expected Output
PLAY [Create Developer Users] ****************************************************
TASK [Ensure devops group exists] ***********************************************
changed: [node1]
changed: [node2]
TASK [Create developer users] ****************************************************
changed: [node1] => (item=bob)
changed: [node1] => (item=fred)
changed: [node2] => (item=bob)
changed: [node2] => (item=fred)
PLAY [Create Manager Users] ******************************************************
TASK [Ensure opsmgr group exists] ************************************************
changed: [node3]
changed: [node4]
TASK [Create manager users] ******************************************************
changed: [node3] => (item=sally)
changed: [node4] => (item=sally)
PLAY RECAP ************************************************************************
node1 : ok=3 changed=3 unreachable=0 failed=0
node2 : ok=3 changed=3 unreachable=0 failed=0
node3 : ok=3 changed=3 unreachable=0 failed=0
node4 : ok=3 changed=3 unreachable=0 failed=0
All users have been successfully created across the correct host groups.
5. Verifying User Creation
$ ansible dev,test -m shell -a 'id bob; id fred'
$ ansible prod -m shell -a 'id sally'
Expected Output
uid=1001(bob) gid=1001(devops) groups=1001(devops)
uid=1002(fred) gid=1001(devops) groups=1001(devops)
uid=1003(sally) gid=1002(opsmgr) groups=1002(opsmgr)
Users have been assigned to the correct groups.
6. Common Issues & Troubleshooting
Issue 1: Password Not Working
Solution:
If incorrect, regenerate the users:
$ ansible-playbook /home/greg/ansible/users.yml --force-handlers
Ensure passwords are hashed correctly:
$ ansible dev,test,prod -m shell -a 'grep bob /etc/shadow'
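The id check in section 5 confirms group membership only, while the task also requires a SHA512 hash and a 30-day maximum password age, both of which are visible in /etc/shadow. The following added example (not part of the original guide) audits shadow-format lines for both requirements; the function names and the sample lines with placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Audit /etc/shadow-format lines against the task's password policy.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# check_shadow_line LINE [MAX_DAYS]
# Prints one finding; returns 0 if compliant, 1 otherwise.
check_shadow_line() {
  csl_want=${2:-30}
  IFS=: read -r csl_name csl_hash csl_chg csl_min csl_max csl_rest <<EOF
$1
EOF
  case $csl_hash in
    '$6$'*) ;;   # SHA-512 crypt prefix
    ''|'!'*|'*'*)
      echo "$csl_name: FAIL no usable password (empty or locked)"; return 1 ;;
    *)
      echo "$csl_name: FAIL hash is not SHA-512 crypt"; return 1 ;;
  esac
  if [ "$csl_max" != "$csl_want" ]; then
    echo "$csl_name: FAIL max age is $csl_max, expected $csl_want"
    return 1
  fi
  echo "$csl_name: OK"
}

# audit_shadow [MAX_DAYS]: read shadow lines on stdin, report each one,
# return non-zero if any line fails.
audit_shadow() {
  as_rc=0
  while IFS= read -r as_line; do
    [ -n "$as_line" ] || continue
    check_shadow_line "$as_line" "${1:-30}" || as_rc=1
  done
  return "$as_rc"
}

# Constructed sample lines with placeholder hashes (not real credentials).
SAMPLE_SHADOW='bob:$6$examplesalt$PLACEHOLDERHASH:19800:0:30:7:::
fred:$6$examplesalt$PLACEHOLDERHASH:19800:0:99999:7:::
sally:$1$examplesalt$PLACEHOLDERHASH:19800:0:30:7:::
dave:!!:19800:0:30:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 30 || echo "policy violations found"
```

On a managed node, the same functions can be fed real entries as root, for example with getent shadow bob fred | audit_shadow 30.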
Congratulations! You have successfully automated user creation with Ansible for RHCE 9.0!
Good luck on your RHCE 9.0 exam!