Ansible - jrwhetse/jrwhetse.github.io GitHub Wiki
Ansible is an open-source software provisioning, configuration management, and application-deployment tool. It runs on many Unix-like systems, and can configure both Unix-like systems as well as Microsoft Windows. It includes its own declarative language to describe system configuration. (Wikipedia)
Website: https://www.ansible.com/
Docs: https://docs.ansible.com/
Best Practices: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
```bash
# enable the amazon epel repository
sudo yum-config-manager --enable epel
sudo yum install -y ansible
# boto-related python modules are required for aws api interaction
sudo yum list installed | grep boto
sudo yum install -y python2-boto3
sudo yum install -y python2-botocore
# amazon linux is missing boto; install it using pip
sudo yum install -y python-pip
sudo pip install boto
```
```bash
# enable the rhel epel repository
sudo yum install -y http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# install ansible
sudo yum install -y ansible
# install python modules to interact with the aws api
sudo yum install -y python2-pip
sudo yum install -y python2-botocore
sudo yum install -y python-boto3
sudo yum install -y python3-pip
```
```bash
# mark the python package index hosts as trusted: pip skips tls certificate
# verification for the hosts listed here, so only add this when the system ca
# bundle cannot validate them (for example behind an intercepting proxy)
sudo bash -c 'cat << EOF > /etc/pip.conf
[install]
trusted-host =
    pypi.python.org pypi.org
    files.pythonhosted.org
EOF'
# upgrade the system pip to 20.3.4 (the last pip version that supports python 2)
sudo /usr/bin/python -m pip install --upgrade pip==20.3.4
# for the specified user, install versions of ansible and python modules that are known to work together
su - <user> -c "/usr/bin/python -m pip install --user --upgrade cryptography==2.4.2"
su - <user> -c "/usr/bin/python -m pip install --user --upgrade ansible==2.9.16"
su - <user> -c "/usr/bin/python -m pip install --user --upgrade botocore==1.15.45"
su - <user> -c "/usr/bin/python -m pip install --user --upgrade boto==2.49.0"
su - <user> -c "/usr/bin/python -m pip install --user --upgrade boto3==1.12.25"
```
```bash
# run the following to upgrade ansible to a newer version than what is supported by the os
sudo pip install --upgrade ansible==<version>
# example
sudo pip install --upgrade ansible==2.9.16
# to install for the current user only, use the --user flag without sudo
# (with sudo, --user would install into root's home directory instead)
pip install --upgrade --user ansible==2.9.16
```
Setup SSH and turn off Strict Host Key Checking
```bash
mkdir -p -m 700 ~/.ssh
vim ~/.ssh/config
```
```
Host *
    StrictHostKeyChecking no
```
This disables host-key verification for every host, so a changed or spoofed key is accepted silently and an interposed machine on the path to the bastion is not noticed. Outside a throwaway lab, pin the bastion's key in known_hosts (or use `StrictHostKeyChecking accept-new`, available from OpenSSH 7.6) and scope the block to that host instead of `Host *`.
Run a simple ping test against localhost
```
# check version
ansible --version
ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.9.16 (unknown, Nov 2 2017, 19:21:21) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]
ansible localhost -m ping
localhost | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```
References
Setup
Windows Destination Host
The Windows destination host needs PowerShell installed (https://docs.microsoft.com/en-us/powershell/). It is preferred that PowerShell 7 is installed and is the default PowerShell version, but this is not required, as 5.x and 7.x can be installed and used side by side on the host. PowerShell 5 has some limitations, such as the inability to download a file larger than 2 GB, which is fixed in PowerShell 7. If desired and the option is available, you can migrate from PowerShell 5 to 7.
Ansible can be told which executable to run a given task with by setting `executable` in the task's `vars`. By default, Ansible uses the default PowerShell installation (powershell.exe, which is PowerShell 5). The example below shows how to download an artifact using PowerShell 7 (pwsh.exe), which avoids the 2 GB limitation mentioned above.
```yaml
- name: download artifact
  win_get_url:
    url: https://foo.com/bar.zip
    dest: c:/windows/temp/bar.zip
    force: true
  vars:
    executable: pwsh.exe
  register: win_get_url
```
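A complete playbook built around the task above, as an added example that is not part of the original wiki page: it targets the [windows] group defined under Proxy Access below, confirms the connection with win_ping, downloads the artifact with pwsh.exe, and lets win_get_url reject the file when its SHA-256 does not match the published digest, so a tampered download never reaches the host's temp directory unnoticed. The URL, destination path and the all-zero digest are placeholders.

```yaml
---
# Added example playbook (not from the wiki): download an artifact on a
# Windows host with PowerShell 7 and verify its integrity before use.
- name: Fetch a verified artifact on Windows hosts
  hosts: windows
  gather_facts: false
  vars:
    # Placeholders: use the real URL and the SHA-256 published alongside the
    # artifact by its author (never one computed from the download itself).
    artifact_url: https://foo.com/bar.zip
    artifact_dest: C:\Windows\Temp\bar.zip
    artifact_sha256: "0000000000000000000000000000000000000000000000000000000000000000"

  tasks:
    - name: Confirm the PSRP connection works before doing anything else
      ansible.windows.win_ping:

    - name: Download artifact with PowerShell 7 (avoids the 2 GB limit of powershell.exe)
      ansible.windows.win_get_url:
        url: "{{ artifact_url }}"
        dest: "{{ artifact_dest }}"
        force: true
        # win_get_url compares the downloaded file against this digest and
        # fails the task on a mismatch, so the playbook stops right here.
        checksum: "{{ artifact_sha256 }}"
        checksum_algorithm: sha256
      vars:
        executable: pwsh.exe
      register: download

    - name: Report what was fetched
      ansible.builtin.debug:
        msg: "Downloaded {{ download.dest }}"
```

The ansible.windows collection the page installs under Dependencies provides the fully qualified module names used here; run it with `ansible-playbook -i hosts fetch_artifact.yml` (file name assumed).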
The destination Windows host must have PowerShell remoting enabled (Enable-PSRemoting) so that Ansible can connect and execute tasks; the PowerShell documentation linked above explains the options for enabling PSRemoting with the cmdlet. Verify that ports 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS) are open on the host and can be connected to remotely.
Connections
Ansible connects to Windows using Windows Remote Management (WinRM) or PSRP (PowerShell Remote Protocol). This document covers PSRP as it appears to be the superior option.
Direct Access
I haven’t had the luxury of testing Ansible and connections to Windows hosts in which Ansible has direct access to the Windows host. This needs to be tested, but a direct connection would be easier than through a Linux Bastion host.
Proxy Access through Linux Bastion Host
**This needs to be fully worked out. It works, but I haven't tested if all information is required.**
Ansible provides a
Define the windows hosts in the host file
```ini
foobarhost ansible_host=192.168.1.3 ansible_user=Administrator
```
Modify the Ansible hosts file and setup a Windows group
```ini
[windows]
foobarhost
```
Add the following group variables which will be applied to all hosts in the [windows] host group.
```ini
[windows:vars]
ansible_user=Administrator
ansible_password=TempPassword123!
ansible_connection=psrp
ansible_psrp_protocol=http
ansible_psrp_proxy=socks5h://localhost:1234
ansible_psrp_port=5985
```
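The same [windows] group as an added example (not from the wiki page), rewritten in Ansible's YAML inventory format with the weak settings placed beside their hardened replacements: the password comes from an ansible-vault variable instead of sitting in the inventory in clear text, the connection uses the HTTPS listener on 5986 with certificate validation rather than HTTP on 5985, and the SOCKS tunnel from the Notes section is kept. The option names are those of the psrp connection plugin; the host address is the one used above, and the CA bundle path and vault file name are assumptions.

```yaml
# Added example inventory (not from the wiki): hardened psrp settings for the
# [windows] group. Load it with `ansible-playbook -i windows.yml ...`.
all:
  children:
    windows:
      hosts:
        foobarhost:
          ansible_host: 192.168.1.3        # same host as the INI inventory above
      vars:
        ansible_user: Administrator
        # Weak form on the page: ansible_password=TempPassword123! in the
        # inventory itself. Keep the secret in group_vars/windows/vault.yml
        # (assumed file name) encrypted with `ansible-vault encrypt` and refer
        # to it by name, so the inventory can be committed and shared.
        ansible_password: "{{ vault_windows_password }}"
        ansible_connection: psrp
        # Weak form on the page: ansible_psrp_protocol=http on port 5985.
        # Over plain HTTP only Kerberos/NTLM message encryption protects the
        # session and Basic auth would send the password in the clear; HTTPS
        # protects it regardless of auth type and lets the host be authenticated.
        ansible_psrp_protocol: https
        ansible_psrp_port: 5986
        # Validate the WinRM listener certificate instead of ignoring it;
        # ca_cert points at the CA that issued it (path assumed).
        ansible_psrp_cert_validation: validate
        ansible_psrp_ca_cert: /etc/ansible/winrm-ca.pem
        # Still reach the host through the SSH SOCKS tunnel described under Notes.
        ansible_psrp_proxy: socks5h://localhost:1234
```

Pass the vault password with `--ask-vault-pass` or `--vault-password-file` when running a play against this inventory; if the listener certificate is self-signed, `ansible_psrp_cert_validation: ignore` restores the page's behaviour but gives up host authentication.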
Notes:
Socks Proxy
```bash
ssh -o ServerAliveInterval=15 -o ControlMaster=auto -o ControlPersist=no -o ControlPath=/home/jwhetsell/.ssh/ssh-%r@%h:%p -CfNq -D 127.0.0.1:1234 -p 22 <user>@<bastion>
```
RDP Tunnel
```bash
ssh -L 3389:10.203.1.124:3389 10.203.0.10 -l ec2-user -fNq
```
Dependencies
```bash
ansible-galaxy collection install ansible.windows
ansible-galaxy collection install community.windows
```
I run ssh -o "ControlMaster=auto" -o "ControlPersist=no" -o "ControlPath=~/.ssh/cp/ssh-%r@%h:%p" -CfNq -D 127.0.0.1:1234 -p 22 [email protected] to create the socks p
```bash
pip3 install pypsrp requests[socks]
pip3 install boto
```