Ansible setup notes - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
In this page I describe how we configured a few VMs and used Ansible to manage them and other VMs in our environment.
Notes
Ansible with Linux
First I configured all of the new machines (controller-oliver, ansible1-oliver, ansible2-oliver) to be on the LAN. I then used the Ubuntu setup/Docker setup notes to set up controller-oliver. The only differences from those notes are: the hostname is "controller-oliver", the IP address is 10.0.5.90, and two sudo accounts are created ("olivermustoe" and "deployer"). THE DEPLOYER PASSWORD SET HERE MUST BE REUSED FOR THE DEPLOYER USER ON EVERY OTHER MACHINE BELOW!!!
Then I booted up ansible1-oliver, logged in with the credentials found here, and ran "nmtui", where I did the following:
(NOTE: Where two values are given below, the first is for ansible1-oliver and the second for ansible2-oliver. The process is otherwise identical for both systems; only the IPs, hostnames, etc. differ.)
I selected "Edit a connection" > picked the first (only) connection listed > set the following information:
- Pressed show for IPV4 Configuration
- Set "Automatic" to "Manual"
- IP Address and Netmask - 10.0.5.91/24 on ansible1-oliver, 10.0.5.92/24 on ansible2-oliver (enter it exactly like this, with the /24 prefix length)
- Gateway - 10.0.5.2
- DNS - 10.0.5.5
- Search Domain - oliver.local
I then scrolled down, selected "OK", and went back to the main nmtui screen. There I chose "Set system hostname", set it to ansible1-oliver (ansible2-oliver on the second machine) > pressed OK > then Quit.
I then ran the following command on both ansibles (ansible1-oliver, ansible2-oliver) to add the deployer user as a new local admin (member of wheel):
- "useradd -mk /etc/skel -s /bin/bash -d /home/deployer -G wheel deployer"
After this I used the command:
- "passwd deployer"
and SET THE SAME PASSWORD AS SET ABOVE FOR DEPLOYER ON CONTROLLER-OLIVER.
I then rebooted the machine I was working on and, when it came back up, logged in as "deployer" with the password set above. To double check everything was working I pinged ad01 and google.com, and ran "ip a" to confirm the IP address was the one I had set.
On mgmt01-oliver, I added an A record in DNS Manager for each of the newly configured machines. I then pinged them from mgmt01 and ran nslookup against each of the new A records.
(NOTE: From here on I was using PuTTY on mgmt01 to SSH into controller-oliver, logged in as the "deployer" user.)
On controller-oliver, I ran the following command to install Ansible and its prerequisites (sshpass for password-based SSH, paramiko as a fallback SSH library):
- sudo apt install ansible sshpass python3-paramiko
I would then use the command "ansible --version" to check that ansible is installed.
I then created a file named "sys265" with the following single line:
deployer ALL=(ALL) NOPASSWD: ALL
I then copied it to "/etc/sudoers.d/sys265" and SCP'd it to both ansibles with the following commands:
- sudo cp sys265 /etc/sudoers.d/sys265
- scp sys265 deployer@ansible1-oliver:/etc/sudoers.d/sys265
- scp sys265 deployer@ansible2-oliver:/etc/sudoers.d/sys265
("sys265" and its contents allow the deployer user to elevate to root without a password, which is what Ansible's "become" relies on. Note that /etc/sudoers.d is root-owned, so scp as deployer straight into it is refused unless deployer can already write there; copying into the home directory and moving the file into place with sudo avoids that. Whichever way it gets there, the file must end up owned by root with mode 0440 and pass "visudo -cf", or sudo ignores it.)
I then created an RSA keypair protected by a passphrase, with the following command ("-C" sets the key comment, "-f" the file name, which the later commands refer to as mykey):
- ssh-keygen -t rsa -C "controller" -f ~/.ssh/mykey
Then I copied my public key to the ansibles with the following commands (ssh-copy-id takes the key file name and sends the matching .pub into the remote authorized_keys; the private key never leaves the controller):
- ssh-copy-id -i ~/.ssh/mykey deployer@ansible1-oliver
- ssh-copy-id -i ~/.ssh/mykey deployer@ansible2-oliver
I then ran the following commands in sequence to make sure my ssh-agent was running and to have my private key decrypted in the agent for 4 hours (14400 seconds):
- eval $(ssh-agent)
- ssh-add -t 14400 ~/.ssh/mykey
(NOTE: At this point it is recommended to SSH into each of the ansibles (ansible1-oliver, ansible2-oliver) and elevate to root with "sudo -i" to confirm that the key login and the passwordless sudo both work before Ansible depends on them.)
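The check recommended in the note above, as an added example script for the controller (it is not from the original wiki or from Ansible): it confirms non-interactively that key-only login and passwordless sudo work for deployer on each ansible, refuses to hand a private key to ssh-copy-id, and installs the sudoers drop-in the way /etc/sudoers.d requires (root-owned, mode 0440, syntax-checked with visudo). The hostnames, the deployer user, the drop-in name sys265 and the key path ~/.ssh/mykey are the page's; the function names and the check logic are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original wiki: controller-side checks for
# the deployer/ssh/sudo setup described above.  Assumes the page's names
# (deployer, sys265, ~/.ssh/mykey, ansible1-oliver, ansible2-oliver).
set -e

# ssh-copy-id sends the .pub that matches the file it is given; this guard
# makes sure a private key is never passed (or pasted into authorized_keys).
# Exit 0 when FILE looks like an OpenSSH public key, 1 otherwise.
is_public_key() {                      # usage: is_public_key FILE
    first=$(head -n 1 "$1")
    case "$first" in
        -----BEGIN*PRIVATE\ KEY-----*)                     return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) return 0 ;;
        *)                                                 return 1 ;;
    esac
}

# Ansible's "become" needs sudo without a password prompt; a rule without
# NOPASSWD: makes every become task hang waiting for input.  Exit 0 when
# LINE grants deployer passwordless sudo.
sudoers_line_ok() {                    # usage: sudoers_line_ok 'deployer ALL=(ALL) NOPASSWD: ALL'
    case "$1" in
        deployer*NOPASSWD:*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# /etc/sudoers.d is root-owned, so scp'ing into it as deployer is refused.
# Copy to the home directory, then install with root ownership and mode 0440
# (sudo rejects drop-ins with looser permissions).  The ssh step prompts for
# deployer's password once, because passwordless sudo is not in place yet.
install_sudoers_dropin() {             # usage: install_sudoers_dropin LOCALFILE HOST
    visudo -cf "$1"                    # syntax check before anything leaves the controller
    scp "$1" "deployer@$2:sys265"
    ssh -t "deployer@$2" 'sudo install -o root -g root -m 0440 ~/sys265 /etc/sudoers.d/sys265 && rm -f ~/sys265 && sudo visudo -c'
}

# Non-interactive version of "ssh in and sudo -i": BatchMode makes ssh fail
# instead of prompting, so a key missing from the agent or a broken sudoers
# drop-in shows up as a FAIL line rather than a hang.  Exit 1 on any failure.
check_host() {                         # usage: check_host HOST
    h="$1"; rc=0
    if ssh -o BatchMode=yes -o PasswordAuthentication=no "deployer@$h" true 2>/dev/null; then
        echo "$h: key login ok"
    else
        echo "$h: key login FAIL (is the key loaded? try: ssh-add -l)"; rc=1
    fi
    if ssh -o BatchMode=yes "deployer@$h" sudo -n true 2>/dev/null; then
        echo "$h: passwordless sudo ok"
    else
        echo "$h: passwordless sudo FAIL (check /etc/sudoers.d/sys265 is root:root 0440 and passes visudo -cf)"; rc=1
    fi
    return $rc
}

# Typical run on the controller, after eval $(ssh-agent) and ssh-add:
#   is_public_key ~/.ssh/mykey.pub && for h in ansible1-oliver ansible2-oliver; do check_host "$h"; done
```

The two ssh checks in check_host are exactly what "ansible -m ping" and a "become: true" task need, so running this before the inventory ping turns a cryptic UNREACHABLE or a hung playbook into a one-line diagnosis.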
Then I created the needed directory structure, ansible/roles with the command (after creation, navigate to ansible/):
- mkdir -p ansible/roles
Afterwards I added a file "inventory.txt" with the following content (this file is the list of hosts that Ansible executes commands against; both ansibles must be in it, or the missing one is silently never managed):
```ini
ansible1-oliver
ansible2-oliver
```
From here I ran the following command to ping all of the hosts in inventory.txt:
- ansible all -m ping -i inventory.txt
(NOTE: If any of the hosts do not have a success, then something in the above configuration has gone wrong.)
Webmin install
(NOTE: This walks through the manual installation; cloning my repository with git gives all of the files used, in the Automation_ansible directory.)
First I changed my "inventory.txt" file to add a [webmin] group containing ansible2-oliver (the Rocky host the role is deployed to):
```ini
ansible1-oliver
ansible2-oliver
[webmin]
ansible2-oliver
```
Then I downloaded the Webmin role with the following command:
- ansible-galaxy install semuadmin.webmin -p roles/
I then created a file "webmin.yml" in ansible/roles/ (the path the playbook is run from below) and filled it with the following (the firewalld task opens Webmin's port; "immediate: true" applies the rule to the running firewall as well as the permanent config, otherwise it only takes effect after a firewalld reload):
```yaml
- name: webmin SYS265
  hosts: webmin
  become: true
  vars:
    install_utilities: false
    firewall_enable: true
  roles:
    - semuadmin.webmin
  tasks:
    - name: add firewall rule
      firewalld:
        port: 10000/tcp
        permanent: true
        immediate: true
        state: enabled
```
After saving this file I went into the role's tasks directory (ansible/roles/semuadmin.webmin/tasks) and edited the "webmin.yml" there (NOT the playbook I just created, but ansible/roles/semuadmin.webmin/tasks/webmin.yml) and changed the instances of "RedHat" to "Rocky" (since the playbook is only being used on ansible2-oliver I only set it for Rocky). I have attached below a screenshot of what the section currently looks like in my file (I also changed the task's "- name" from RedHat to reflect the change).
(This step was needed because ansible2-oliver is Rocky Linux and the Ansible version used here did not report it as part of the RedHat OS family, so the role's RedHat-conditioned tasks were skipped. Newer ansible-core releases do report ansible_os_family as "RedHat" for Rocky, so check the fact with the setup module before editing the role. Also keep in mind that edits inside a galaxy-installed role are lost the next time ansible-galaxy reinstalls it.)
I then ran the following command (from ansible/) to install the role:
- ansible-playbook -i inventory.txt roles/webmin.yml
(NOTE: The first run may fail on the task "Stop running instance before restarting under systemd." Running the playbook a second time does not hit this and completes successfully.)
Using the web interface at https://ansible2-oliver.oliver.local:10000 and logging in with the credentials below (Webmin authenticates against the system accounts, so this is the root password of ansible2-oliver), I was able to access and use Webmin:
- Username: root
- Password: Ch@mpl@1n!22
Ansible with Windows
First I prepped mgmt01-oliver and wks01-oliver (installed the OpenSSH server and set PowerShell as the default shell for SSH sessions). This can be done in one of two ways.
Way 1: Script
For each machine:
Install git using the section in the Git/SSH setup notes, then clone my repository (git clone https://github.com/Oliver-Mustoe/Oliver-Mustoe-Tech-Journal.git).
From an administrative PowerShell prompt, set the execution policy to Unrestricted with the command (a lab shortcut; RemoteSigned, or limiting the change with -Scope Process, is the setting to use anywhere that matters):
- Set-ExecutionPolicy Unrestricted
Then navigate into the repository and run the script named "OpenSSH_Configer":
- .\OpenSSH_Configer
Way 2: Manual
For each machine: from an administrative PowerShell prompt, run the following commands in order (install and start the OpenSSH server, make it start at boot, then register PowerShell as the shell SSH sessions land in):
- Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
- Start-Service sshd
- Set-Service -Name sshd -StartupType Automatic
- Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds" -Name ConsolePrompting -Value $true
- New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
After prep, I SSH'd into both mgmt01-oliver and wks01-oliver as a domain admin with the following command, which also accepts each host key and confirms the session lands in PowerShell (CHANGE "&HOST&" TO EITHER "mgmt01-oliver" OR "wks01-oliver"):
- ssh [email protected]@&HOST&
I then added the following lines to inventory.txt (ansible_shell_type=powershell tells Ansible to drive the SSH session with PowerShell syntax instead of sh):
```ini
[windows]
mgmt01-oliver
wks01-oliver
[windows:vars]
ansible_shell_type=powershell
```
I then used the following command to ping hosts in the windows header:
- ansible windows -i inventory.txt -m win_ping -u [email protected] --ask-pass
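An added example (not from the original wiki or from Ansible) that ties together the inventory checks from the Linux section, the ansible_os_family question raised in the Webmin section, and the Windows group just added: it parses inventory.txt the way Ansible reads an INI inventory, flags the copy/paste mistake of listing one host twice, and pings each group with the module that fits it. Group and host names are the page's; the function names, the sample inventory (constructed here) and the os_family check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original wiki: read inventory.txt the way
# Ansible's INI inventory does, catch the mistakes that leave a host silently
# unmanaged, then ping each group with the right module.
set -e

# Hosts in GROUP ("ungrouped" = hosts listed before the first [section]).
# [group:vars] and [group:children] sections are skipped, so a variable line
# such as ansible_shell_type=powershell is never mistaken for a host.
inventory_group_hosts() {             # usage: inventory_group_hosts FILE GROUP
    awk -v want="$2" '
        BEGIN { name = "ungrouped"; kind = "hosts" }
        /^[[:space:]]*(#|;|$)/ { next }                  # comments and blank lines
        /^[[:space:]]*\[/ {                               # [name] or [name:vars]
            sec = $0; gsub(/\[|\]|[[:space:]]/, "", sec)
            n = split(sec, p, ":")
            name = p[1]; kind = (n > 1) ? p[2] : "hosts"
            next
        }
        kind == "hosts" && name == want { print $1 }    # $1 = host, rest = host vars
    ' "$1"
}

# Every host Ansible puts in "all": unique, in first-seen order.
inventory_all_hosts() {               # usage: inventory_all_hosts FILE
    awk '
        BEGIN { kind = "hosts" }
        /^[[:space:]]*(#|;|$)/ { next }
        /^[[:space:]]*\[/ { kind = ($0 ~ /:(vars|children)/) ? "skip" : "hosts"; next }
        kind == "hosts" && !seen[$1]++ { print $1 }
    ' "$1"
}

# A host written twice in the same section is harmless to Ansible (it dedups)
# but is the symptom of listing ansible1-oliver twice and never managing
# ansible2-oliver.  Prints "section host" for each repeat.
inventory_duplicates() {              # usage: inventory_duplicates FILE
    awk '
        BEGIN { name = "ungrouped"; kind = "hosts" }
        /^[[:space:]]*(#|;|$)/ { next }
        /^[[:space:]]*\[/ {
            sec = $0; gsub(/\[|\]|[[:space:]]/, "", sec)
            n = split(sec, p, ":")
            name = p[1]; kind = (n > 1) ? p[2] : "hosts"
            next
        }
        kind == "hosts" && seen[name SUBSEP $1]++ == 1 { print name, $1 }
    ' "$1"
}

# Constructed sample matching this page's final inventory: the two Linux
# hosts, the webmin target, and the Windows group with its shell type.
make_sample_inventory() {             # usage: make_sample_inventory FILE
    cat > "$1" <<'EOF'
ansible1-oliver
ansible2-oliver

[webmin]
ansible2-oliver

[windows]
mgmt01-oliver
wks01-oliver

[windows:vars]
ansible_shell_type=powershell
EOF
}

# Ping Linux hosts with "ping" and Windows hosts with "win_ping", refusing an
# inventory that contains duplicates.  WINDOWS_USER is the domain admin
# account; --ask-pass prompts for its password.  Also prints ansible_os_family
# for the Linux hosts, the fact that decides whether a Rocky box runs a role's
# RedHat-conditioned tasks.  (Talks to real hosts; not exercised offline.)
ping_inventory() {                    # usage: ping_inventory FILE WINDOWS_USER
    inv="$1"; win_user="$2"
    if [ -n "$(inventory_duplicates "$inv")" ]; then
        echo "duplicate hosts in $inv:" >&2; inventory_duplicates "$inv" >&2; return 1
    fi
    ansible 'all:!windows' -i "$inv" -m ping
    ansible 'all:!windows' -i "$inv" -m setup -a 'filter=ansible_os_family'
    ansible windows -i "$inv" -m win_ping -u "$win_user" --ask-pass
}
```

Run from ansible/ on the controller as "ping_inventory inventory.txt DOMAINADMIN@oliver.local"; the 'all:!windows' pattern is quoted because "!" is a history character in an interactive bash shell.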
Win_chocolatey example
First I created a new file "windows_software.yml" and filled it with the following content (win_chocolatey installs Chocolatey itself if it is missing, then the listed packages: firefox, 7zip, notepad++):
```yaml
- name: Install Windows Applications
  hosts: windows
  tasks:
    - name: Install Firefox, 7zip, Notepad++
      win_chocolatey:
        name:
          - firefox
          - 7zip
          - notepadplusplus
        state: present
```
I then installed the programs with the command:
- ansible-playbook -i inventory.txt roles/windows_software.yml -u [email protected] --ask-pass
I could then SSH into either of the Windows machines and list the newly installed packages with the command (on Chocolatey 2.x the --local-only flag no longer exists; plain "choco list" shows the local packages there):
- C:\ProgramData\chocolatey\bin\choco.exe list --local-only
Sources
https://www.ssh.com/academy/ssh/copy-id
https://computercarriage.com/2020/06/09/ansible-2-9-ad-hoc-commands/
https://forums.rockylinux.org/t/ansible-os-family-question/3320/8
https://linuxhint.com/list_open_ports_firewalld/
https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/source/converge.yml
https://galaxy.ansible.com/nginxinc/nginx
https://stackoverflow.com/questions/60487848/how-to-reload-firewalld-service-using-ansible
https://gist.github.com/eby/740dd7ccc6bba8cd73004d33a25f10e0
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse