Ansible Automation (SYS 265) - Chromosom3/TechNotes GitHub Wiki
Ansible Automation
Lab background
For this lab we used three new VMs, controller-dylan (Ubuntu 20.04), ansible1-dylan (CentOS7), and ansible2-dylan (CentOS8). As the name implies the Ubuntu controller was used to control the two ansible hosts and deploy playbooks. On each of the three systems in addition to their default accounts there was dylan user account and a deployer user account. The deployer account was used to run ansible scripts across the environment.
Ansible Environment Setup
When setting up ansible on a network you only need to install it on the controller. Ansible will send all of the commands over SSH. To install ansible on an Ubuntu 20.04 system run sudo apt install ansible sshpass python3-paramiko. Once ansible is installed you will need to configure SSH across all your systems to be able to work.
SSH Keys
You will want to use SSH keys for this. To create a new SSH key pair you will need to run ssh-keygen. This will bring up a few prompts for setting up the key pair. The first prompt will ask where you want to save the keys to. The default location is in ~/.ssh/. The next question is the passphrase for the SSH key, the passphrase will be required to use the SSH key. You will want to configure a passphrase for this SSH key pair as it will have sudo privilages on most of the systems in the environment. After setting the password you will need to confirm it. Your private key should be kept private and not shared with anyone. The public key (.pub) can and will in fact need to be shared to authenticate. Now that you have SSH keys created you will need to transfer the public key to the servers you are going to manage. To do this run ssh-copy-id and provide the information for the host you are trying to move they key to. When you go to use your key you will need to provide a password each time. To get around this run eval $(ssh-agent) and ssh-add -t 14400. This will unlock your keys for 14400 seconds (4 hours).
Sudo Configuration
Once SSH is working you will want to make sure sudo is configured for the deployer user. When creating the account you should have added the user to the wheel group (usermod -aG wheel deployer). Now we are going to configure the user to not need a password for sudo commands. Create a new file in /etc/sudoers.d/, you can name it what ever you want. For this lab that file was named sys265. In that file wtire the following deployer ALL=(ALL) NOPASSWD: ALL. This will make it so deployer will not need to provide a password. Though you could edit the /etc/sudoers file directly you can also make these specific config files. Either way works.
Using Ansible
Commands
In this lab we used three main ansible commands, ansible, ansible-playbook, and ansible-galaxy. The first command, ansible, is used to run basic built in ansible modules such as ping (ansible all -m ping -i inventory.txt). The all parameter specifies to use all the the sections in inventory file. The -m flag specifies the module you want to run, in this case ping. The playbook command, ansible-playbook, works similar to the ansible command but allows you to run a playbook. An example of that would be ansible-playbook -i inventory.txt roles/webmin.yml. The roles/webmin.yml file is the playbook that you are running. I will cover playbook setup latter. From both commands you see there is a common flag, -i. The -i flag specifies the inventory file, we will cover this soon. The ansbile-galaxy command allows you to download files from ansible's community repository. Check the galaxy section below for more information.
Playbooks
For in-depth information on playbooks view the documentation here. Ansible playbooks contain ansible configurations and commands to be executed. Below are a few sample playbooks. Formatting is important in ansible and you can not use tabs, instead you should use two spaces for indentation.
tomcat.yml
---
- name: tomcat SYS265
hosts: an1
become: true
vars:
tomcat_version: 8.5.23
tomcat_permissions_production: True
tomcat_users:
- username: "tomcat"
password: "deployer1"
roles: "tomcat,admin,manager,manager-gui"
roles:
- role: zaxos.tomcat-ansible-role
tasks:
- name: add firewall rule
firewalld:
port: 8080/tcp
permanent: true
state: enabled
webmin.yml
---
- name: webmin SYS265
hosts: webmin
become: true
vars:
install_utilities: false
firewalld_enable: true
roles:
- semuadmin.webmin
tasks:
- name: add firewall rule
firewalld:
port: 10000/tcp
permanent: true
state: enabled
windows_software.yml
---
- name: install windows applications
hosts: windows
tasks:
- name: Install Firefox and 7zip
win_chocolatey:
name:
- firefox
- 7zip
- notepadplusplus
state: present
Inventory Files
The inventory file contains a list of hosts which ansible will run on. The inventory file can be separated with [] as shown below. These sections allow you to target specific machines through an ansible playbook. Below is an example inventory file. The .values section applies those values to the above section.
[an1]
ansible1-dylan
[webmin]
ansible2-dylan
[windows]
mgmt01-dylan
wks01-dylan
[windows:vars]
ansible_shell_type=powershell
Galaxy
Ansible galaxy is a website where users can share roles and collections. You can use the ansible-galaxy command to install both roles and collections. For a role you would run ansible-galaxy install semuadmin.webmin -p roles/. That example would install the webmin role made by semuadmin. The example would download the role into the roles directory. For a collection you would run the same thing but you would add collection before the install option.
Windows SSH
To install SSH on Windows you would need to run Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0, Start-Service sshd, and Set-Service -Name sshd -StartupType 'Automatic'. Once you have the SSH service setup you will need to change PowerShell to be the default shell for SSH. To do this run Set-ItemProperty "HKLM:\Software\Microsoft\Powershell\1\ShellIds" -Name ConsolePrompting -Value $true and New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force.
To SSH into windows ensure that the time is synced between your AD server and your workstations.