Automation with Ansible Lab - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Pre-Lab Information
Your vSphere Environment
- Web, nmon and docker have been deleted
- VM's kept are ad01, mgmt01 and wks01
- You have new VMs: controller (ubuntu), ansible1 (centos), and ansible2 (rocky)
Networking
- controller: 10.0.5.90
- ansible1: 10.0.5.91
- ansible2: 10.0.5.92
Linux Accounts
Create the following accounts:
- On controller, create a named sudo user (hannelore) and another sudo user named deployer
sudo -i
adduser hannelore
usermod -aG sudo hannelore
adduser deployer
usermod -aG sudo deployer
- On ansible1 and ansible2, create a sudo user named deployer
All deployer passwords should be the same
#ansible1
sudo adduser deployer
sudo passwd deployer
sudo usermod -aG wheel deployer
#ansible2
sudo adduser deployer
sudo passwd deployer
sudo usermod -aG wheel deployer
Regular Setup
- not domain joined
Controller (ubuntu)
- Change host name of controller to `controller-hannelore` with `vi /etc/hostname`
- Preserve the hostname in `/etc/cloud/cloud.cfg` (`vi /etc/cloud/cloud.cfg`), then `reboot`
- Configure the IP address via netplan: `sudo vi /etc/netplan/00-installer-config.yaml`, then `sudo netplan apply`
- Add IP address to DNS Server
ansible1 (centos)
- set hostname `ansible1-hannelore` and IP address `10.0.5.91` using `nmtui`
- Add IP address to DNS Server
ansible2 (rocky)
- set hostname `ansible2-hannelore` and IP address `10.0.5.92` using `nmtui`
- Add IP address to DNS Server
Disable SSH Root Login
sudo vi /etc/ssh/sshd_config
Check connection/dns via ssh, nslookup and ping
- SSH from mgmt-hanne via PuTTY to controller-hannelore, then check name resolution and reachability:
nslookup controller-hannelore
nslookup ad01-hannelore
ping -c1 ansible1-hannelore
ping -c1 ansible2-hannelore
ping -c1 champlain.edu
TROUBLESHOOTING: When I was doing the nslookup of ad01-hannelore I kept getting this for the server:
I thought that this was an error, as it is not the server IP address, but it turns out Ubuntu is just wonky, and it has its own DNS services, so that it caches the IP address of the server I was querying with its own DNS. That is what the 127.0.0.53 address is.
SEE DELIVERABLE 1
Test deployer account on controller-hannelore
sudo su - deployer
sudo -i
SEE DELIVERABLE 2
Installing Ansible
- Install ansible as root@controller-hannelore: `sudo apt install ansible sshpass python3-paramiko`
SEE DELIVERABLE 3
Create /etc/sudoers.d/sys265 on all Linux systems
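The two steps just above (disabling SSH root login and creating the sudoers drop-in) can be pushed to ansible1 and ansible2 with the freshly installed Ansible instead of editing each box by hand. The playbook below is an added example, not the lab's or the author's file. It assumes the drop-in is meant to give `deployer` passwordless sudo (the page does not show the file's contents), that the hosts run OpenSSH as the `sshd` service (true for CentOS and Rocky), and that `/usr/sbin/visudo` and `/usr/sbin/sshd` are at their usual paths. The file name `roles/linux_baseline.yml` is also an assumption.

```yaml
---
# Added example: roles/linux_baseline.yml (not from the lab page).
# Assumes /etc/sudoers.d/sys265 is meant to grant deployer passwordless sudo.
- name: Linux baseline for ansible1 and ansible2
  hosts: all
  become: true
  tasks:
    - name: Install /etc/sudoers.d/sys265 (syntax-checked before it lands)
      copy:
        dest: /etc/sudoers.d/sys265
        content: |
          deployer ALL=(ALL) NOPASSWD: ALL
        owner: root
        group: root
        mode: "0440"
        # visudo -c runs against the temporary copy first; a typo in a
        # sudoers file would otherwise lock every sudo user out of the host
        validate: /usr/sbin/visudo -cf %s

    - name: Disable SSH root login
      lineinfile:
        path: /etc/ssh/sshd_config
        # matches both "PermitRootLogin yes" and a commented default line
        regexp: '^#?PermitRootLogin\s'
        line: PermitRootLogin no
        # sshd -t rejects the temporary file if the directive is malformed,
        # so a broken config never replaces the live one
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

Run it from the `ansible/` directory with `ansible-playbook -i inventory.txt roles/linux_baseline.yml --ask-pass --ask-become-pass`; the become password is needed on the first run because the NOPASSWD drop-in does not exist yet. At this point in the lab `inventory.txt` lists only the two Linux hosts, so `hosts: all` is safe; once the `windows` group is added later on this page, change it to a Linux-only group. The controller itself is not in the inventory, so its drop-in is still created by hand.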
Create RSA Key pair on controller
- As the deployer user on controller, create an RSA keypair with a passphrase protected private key
ssh-keygen
- use the default directory to save the key
- make passphrase
- using ssh-copy-id, add deployer@controller's public key to the deployer accounts on ansible1 and ansible2:
ssh-copy-id deployer@ansible1-hannelore
ssh-copy-id deployer@ansible2-hannelore
Link used: https://github.com/Hsanokklis/2023-2024-Tech-journal/wiki/Automation-Lab
Demonstrate passwordless login for ansible boxes
eval $(ssh-agent)
ssh-add -t 14400
Passwordless SSH to ansible1 and ansible2
SEE DELIVERABLE 4
First run
Setup the following directory hierarchy and inventory file on controller-yourname. The assumption is that ansible1-yourname and ansible2-yourname resolve via DNS. Run the first ansible ping.
pwd
mkdir -p ansible/roles
cd ansible/
echo ansible1-hannelore >> inventory.txt
echo ansible2-hannelore >> inventory.txt
cat inventory.txt
ansible all -m ping -i inventory.txt
Ad-hoc commands
These are one-off commands executed from the command line of an Ansible control node. They don't need a playbook or any additional configuration.
Links:
- https://www.tutorialspoint.com/ansible/ansible_ad_hoc_commands.htm#:~:text=Ad%20hoc%20commands%20are%20commands,usr%2Fbin%2Fansible'.
- https://medium.com/@saurabhdahibhate50/mastering-ad-hoc-commands-in-ansible-a-comprehensive-guide-506e81dcd9b2#:~:text=Ad%20hoc%20commands%20are%20one,service%20or%20installing%20a%20package.
Try a few ad-hoc operating system commands similar to the use of id below
This command executes the id command on all hosts in the inventory.txt file. The id command typically displays the user associated with the current process (UID)
ad-hoc ping servers in the inventory file
ansible all -m ping -i inventory.txt
SEE DELIVERABLE 5
Update your inventory to categorize your ansible2 host by type. Then test ping against just the hosts under the [webmin] tag.
Webmin playbook Installation
The playbook installation used in the lab does not work via ansible galaxy, so I used another playbook, created by Matt Compton, instead.
- Put the `webmin.yml` file in the /ansible/roles directory
Link: https://git.goober.cloud/matt/sys265-ansible/src/branch/main/webmin.yml
```yaml
---
- name: Install Webmin on CentOS
  hosts: webmin
  become: yes
  tasks:
    - name: Install required packages
      yum:
        name:
          - wget
          - perl
          - perl-Net-SSLeay
          - openssl
          - perl-Encode-Detect
          - perl-Data-Dumper
        state: present
    - name: Download Webmin RPM
      get_url:
        url: http://www.webmin.com/download/rpm/webmin-current.rpm
        dest: /tmp/webmin-current.rpm
    - name: Install Webmin
      yum:
        name: /tmp/webmin-current.rpm
        state: present
        disable_gpg_check: yes
    - name: Add firewall rule
      firewalld:
        port: 10000/tcp
        permanent: true
        state: enabled
    - name: Restart firewall service
      service:
        name: firewalld
        state: restarted
        enabled: yes
    - name: Start Webmin service
      service:
        name: webmin
        state: started
        enabled: yes
```
Execute the playbook
ansible-playbook -i inventory.txt roles/webmin.yml
The reason that webmin only executes on ansible2 is that we labeled it as such in the inventory.txt file with [webmin].
Login to webmin as root@ansible2
SEE DELIVERABLE 6
Install your own role with Ansible Galaxy
For this step I tried a variety of methods and playbooks. I first followed what @savannahc502 did and attempted to install wordpress via this role. After I wrote my wordpress.yml file, the playbook would start to run and then it would fail when it tried to start mariadb. I then uninstalled this role and installed this one, that does the exact same thing. When I ran this one, I was met with the exact same mariadb error.
Here are the steps I took for setting these up even though they didn't work:
- installed role
- Set role for ansible1 as [wordpress]
wordpress.yml configuration
I use this role to install Git on Centos: https://galaxy.ansible.com/ui/standalone/roles/mauromedda/ansible_role_git/documentation/
SSH into ansible1 and running git commands
making a clone of my repo
Pushing the file AnsibleFun to my Github
SEE DELIVERABLE 7 & 8
Windows Automation
Preparing MGMT01 for Ansible
Start Windows Update Service
- Open the Services application as an administrator
- Go to Windows Update
- Change from disabled to Automatic
Install OpenSSH via Powershell Admin Prompt
- Check for Installation with command
- `Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'`
You will see above that the OpenSSH client is installed but the OpenSSH server is not, so we must install that!
- Install OpenSSH server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
- Once finished you will see the output below:
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Set Powershell to be the Default Shell for SSH
Set-ItemProperty "HKLM:\Software\Microsoft\Powershell\1\ShellIds" -Name ConsolePrompting -Value $true
New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
SSH into mgmt01-hanne
TROUBLESHOOTING: When I was attempting to ssh to mgmt01-hanne from deployer@controller-hannelore I kept being met with a Permission Denied, try again message. I know that my credentials were correct, and I had signed into the Admin CMD/Services/Powershell with them successfully. Initially I didn't think it was an issue with OpenSSH. The OpenSSH client was already in Windows additional features, so all I had to do was install the OpenSSH server via powershell. I had no issues doing this with the lab instructions and was able to install it successfully. You will see below I attempted many troubleshooting methods to try and figure out why I was getting permission denied errors. My last method was to uninstall both the client and server and then reinstall it. Savannah Ciak used a different method to install the server, so I used the link she followed, and it ended up working!
start/stop sshd
net stop sshd
net start sshd
create new local account
view/change sshd file
notepad %programdata%\ssh\sshd_config
Uninstall client/server
- in Settings --> Manage Optional Features, I uninstalled the client and server
Reinstall with different method
- Download the OpenSSH-Win64 zip (https://github.com/PowerShell/Win32-OpenSSH/releases)
Unblock-File .\Downloads\OpenSSH-Win64.zip
Expand-Archive .\Downloads\OpenSSH-Win64.zip -DestinationPath .
Copy-Item -Recurse .\OpenSSH-Win64\ 'C:\'
&icacls C:\OpenSSH-Win64\libcrypto.dll /grant Everyone:RX
C:\OpenSSH-Win64\install-sshd.ps1
&sc.exe config sshd start= auto
&sc.exe config ssh-agent start=auto
&sc.exe start sshd
Make sure Windows Defender Firewall is open for port 22
- New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\OpenSSH\sshd.exe"
- make sure to make set powershell as the default to shh as seen above
SEE DELIVERABLE 9
reboot for windows
shutdown /t 0 /r
Update Inventory File with new group
Update your inventory file to add a new group called windows with mgmt01-yourname as the host in that group. Also include the variables associated with that group [windows:vars].
SEE DELIVERABLE 10
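The grouping asked for in this step and in the earlier `[webmin]` step, written out as a YAML inventory. This is an added example rather than the journal's own `inventory.txt`; Ansible reads YAML inventories as well as the INI form used on this page, and the YAML form makes the group-level variables easier to see. The hostnames are the ones used on this page; the `deployer` user name for the Windows hosts is an assumption (the page logs in with a domain account instead), and the file name `inventory.yml` is an assumption too.

```yaml
# Added example inventory (inventory.yml); not the lab's inventory.txt.
all:
  children:
    linux:
      hosts:
        ansible1-hannelore:
        ansible2-hannelore:
    webmin:
      # only ansible2 carries Webmin, so webmin.yml (hosts: webmin)
      # touches this host alone, as the earlier step describes
      hosts:
        ansible2-hannelore:
    windows:
      hosts:
        mgmt01-hanne:
        wks01-hannelore:
      vars:
        # the Windows hosts are reached over OpenSSH with PowerShell set as
        # the default shell (configured earlier on this page), not WinRM
        ansible_connection: ssh
        ansible_shell_type: powershell
        # assumed account name; the page uses a domain account here
        ansible_user: deployer
```

`ansible-inventory -i inventory.yml --graph` prints the resulting tree and is a quick way to confirm that ansible2 sits in both `linux` and `webmin` and that the `windows` group contains exactly the two Windows hosts. With this file in place, `ansible webmin -m ping -i inventory.yml` targets only ansible2, and `ansible windows -m win_ping -i inventory.yml --ask-pass` repeats the win_ping from this step.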
Add wks01-hannelore to inventory
Add wks1 to your inventory under the windows category and rerun the win_ping.
Add SSH Service on Windows with steps above
SSH services were not installed on wks01 as seen in the screenshot below, so we have to install them, like we did above.
- Download the OpenSSH-Win64 zip (https://github.com/PowerShell/Win32-OpenSSH/releases)
Unblock-File .\Downloads\OpenSSH-Win64.zip
Expand-Archive .\Downloads\OpenSSH-Win64.zip -DestinationPath .
Copy-Item -Recurse .\OpenSSH-Win64\ 'C:\'
&icacls C:\OpenSSH-Win64\libcrypto.dll /grant Everyone:RX
C:\OpenSSH-Win64\install-sshd.ps1
&sc.exe config sshd start= auto
&sc.exe config ssh-agent start=auto
&sc.exe start sshd
Make sure Windows Defender Firewall is open for port 22
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\OpenSSH\sshd.exe"
Set powershell to be default shell for SSH
Set-ItemProperty "HKLM:\Software\Microsoft\Powershell\1\ShellIds" -Name ConsolePrompting -Value $true
New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
Fix the wks01-hannelore ping problem
- Add the lines below to an `ansible.cfg` file
I fixed the problem by waiting a week and then uninstalling and reinstalling things again and it worked!
Software deployment using win_chocolatey
Construct a new playbook within the roles directory called windows_software.yml. This is a simple playbook that uses built-in ansible functionality as opposed to a downloaded role. The list of tasks below will use a module called win_chocolatey which is a package manager for Windows similar to apt-get or yum that is becoming more popular in enterprises.
Creating the windows_software.yml file
Installing Chocolatey manually
Install on both mgmt01-hanne and wks01-hannelore
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Link used: https://chocolatey.org/install
Run playbook
ansible-playbook -i inventory.txt roles/windows_software.yml -u [email protected] --ask-pass
Add Notepad++ to wks1 and mgmt01
See if you can figure out how to add the Notepad++ for windows package to wks1 and mgmt01. Rerun your playbook.
- to do this, I added a line in the yml file that said `notepadplusplus`
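A complete `roles/windows_software.yml` of the kind this section describes, including the Notepad++ package from the last step. It is an added example, not the author's file from the journal. It assumes the `windows` group from the inventory step above, that Chocolatey is already installed on both hosts (as done manually earlier on this page), and the Ansible 2.9-era short module names `win_chocolatey` and `win_chocolatey_facts`; on newer Ansible these live in the `chocolatey.chocolatey` collection and are written `chocolatey.chocolatey.win_chocolatey`.

```yaml
---
# Added example: roles/windows_software.yml (not from the lab page).
- name: Install software on Windows hosts with Chocolatey
  hosts: windows
  gather_facts: false
  tasks:
    - name: Make sure the Chocolatey client itself is present
      # win_chocolatey bootstraps choco when asked for the "chocolatey"
      # package, so the playbook also works on a host that skipped the
      # manual install.ps1 step
      win_chocolatey:
        name: chocolatey
        state: present

    - name: Install the lab's packages
      win_chocolatey:
        name:
          - notepadplusplus
        state: present

    - name: Ask Chocolatey what it has installed
      win_chocolatey_facts:

    - name: Show the installed package names and versions
      debug:
        msg: "{{ ansible_facts.chocolatey.packages }}"
```

Run it the same way the page runs the playbook: `ansible-playbook -i inventory.txt roles/windows_software.yml -u <account> --ask-pass`. `state: present` leaves an already-installed package alone, so rerunning after adding a name to the list (as the Notepad++ step asks) only installs the new package; the final debug task lets you confirm the result from the controller without logging into each Windows host.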