Automation and Ansible - lizzy9596/sys-265 GitHub Wiki
Automation with Ansible
💡 Systems Administration 1 featured a very short introduction to Automation of Linux Administration using Ansible. We will extend this in Systems Administration 2, to include more advanced topics as well as the inclusion of Windows. We will control our heterogeneous server environment using Ansible on Ubuntu. (from lab)
Prerequisites
Please power down and say goodbye to web, nmon, and docker.
Parts
- Networking
- Installing ansible
- Adjusting Sudoers
- RSA Keypairs
- First Run
- Webmin Install
- Ansible Galaxy
- Preparing mgmt
- Preparing wks01
- win_chocolatey
Networking
To start, we have three new VMs. They are on the LAN and not joined to AD.
Controller
To start I configured netplan with nano /etc/netplan/00-installer-config.yaml and then applied it.
Next I set the hostname using sudo hostnamectl set-hostname controller-elizabeth. I made my sudo user elizabeth with sudo adduser elizabeth and sudo adduser elizabeth sudo. After that I made another sudo user called deployer the same way.
After editing the hostname I opened /etc/cloud/cloud.cfg to make sure cloud-init will not change the hostname back (preserve_hostname: true).
I needed to make sure that I can ssh into controller. To start I did sudo nano /etc/ssh/sshd_config and changed the PermitRootLogin setting.
Ansible 1
To start I opened nmtui and configured it as follows:
I changed the hostname to ansible01-elizabeth and created a sudo user called deployer using sudo useradd deployer, sudo passwd deployer and sudo usermod -aG wheel deployer (on Rocky, membership in wheel is what grants sudo).
Ansible 2
Following the same process as above, I configured this VM with the IP address 10.0.5.92 and the hostname ansible02-elizabeth instead.
Installing Ansible
To start I installed Ansible using sudo apt install ansible sshpass python3-paramiko
Adjusting Sudoers
To start I created the file /etc/sudoers.d/sys265 on all three new systems (a drop-in file under /etc/sudoers.d, not an edit to /etc/sudoers itself).
I then added the following line to each. It allows the deployer sudo user to elevate without a password.
RSA keypair
Next, as deployer on controller, create an RSA keypair with a passphrase-protected private key and, using ssh-copy-id, add deployer@controller's public key to the deployer accounts on ansible01 and ansible02.
I started as deployer on controller by creating the keys with ssh-keygen. I then copied the key to my two ansible boxes with ssh-copy-id -i ~/.ssh/id_rsa.pub deployer@ansible01-elizabeth (and again with ansible02). I then loaded the key into the ssh-agent with ssh-add -t 14400, which caches the unlocked key for 14400 seconds (4 hours) so the passphrase is not asked for again until it expires.
Now I'm able to ssh without a password.
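The "Adjusting Sudoers" and "RSA keypair" steps above are done by hand on each box. The playbook below is an added example (not part of the lab or this journal) that does the same two things in one pass and validates the sudoers drop-in before writing it, so a typo cannot break sudo on the target. It assumes the keypair already exists at /home/deployer/.ssh/id_rsa on controller, that deployer still has a password on the targets, and that the ansible.posix collection is present (it ships with the Ubuntu ansible package); the sudoers line itself is the standard NOPASSWD form and is my assumption about what the screenshot contained.

```yaml
---
# Added example: one-shot bootstrap of the deployer account on the managed hosts.
# Run it once with the passwords, then never again:
#   ansible-playbook -i inventory.txt -u deployer -k -K bootstrap.yml
# -k asks for the SSH password, -K for the sudo password; after this run
# deployer@controller reaches the targets by key and sudo asks for nothing.
- name: Bootstrap deployer on the managed hosts
  hosts: all
  become: yes
  tasks:
    - name: Allow deployer to sudo without a password (drop-in, not /etc/sudoers)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/sys265
        content: "deployer ALL=(ALL) NOPASSWD: ALL\n"   # assumed content of the lab's line
        owner: root
        group: root
        mode: "0440"
        # visudo -cf parses the temp file first and refuses the write on a
        # syntax error, which is the check you want before touching sudoers.
        validate: /usr/sbin/visudo -cf %s

    - name: Install the controller's public key for deployer
      ansible.posix.authorized_key:
        user: deployer
        # Path is an assumption: the key generated with ssh-keygen as deployer on controller.
        key: "{{ lookup('file', '/home/deployer/.ssh/id_rsa.pub') }}"
        state: present

    - name: Verify passwordless sudo now works for deployer
      ansible.builtin.command: sudo -n true   # -n fails instead of prompting
      become: no
      changed_when: false
```

After the play, `ansible all -m ping -i inventory.txt` should succeed without -k or -K; if the verify task fails, the drop-in was written but sudo is still asking for a password, which usually means the username in the line does not match the account.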
First Run
Set up the following directory hierarchy and inventory file on controller-yourname. The assumption is that ansible1-yourname and ansible2-yourname resolve via DNS. Run the first ansible ping. (from lab)
pwd
mkdir -p ansible/roles
cd ansible/
echo ansible1-hermione >> inventory.txt
echo ansible2-hermione >> inventory.txt
cat inventory.txt
ansible all -m ping -i inventory.txt
Output of last command:
Try a few ad-hoc operating system commands similar to the use of id below:
Next I updated my inventory to put ansible02 in a group by host type, then tested ping against just the hosts under the [webmin] group.
Webmin Playbook Installation
Ansible Galaxy is similar to Docker Hub, and contains a rich set of Ansible scripts. We are going to use a relatively simple script that installs an administration tool on Rocky server.
ansible-galaxy install semuadmin.webmin -p roles
ls roles/
Next I configured the inventory so that ansible02 is in the webmin group and created a playbook called webmin.yml within the roles directory with the displayed content:
The playbook didn't work, so I used one from a fellow student, Matt Compton. Link: https://git.goober.cloud/matt/sys265-ansible/src/branch/main/webmin.yml
```yaml
---
- name: Install Webmin on CentOS
  hosts: webmin
  become: yes
  tasks:
    - name: Install required packages
      yum:
        name:
          - wget
          - perl
          - perl-Net-SSLeay
          - openssl
          - perl-Encode-Detect
          - perl-Data-Dumper
        state: present

    - name: Download Webmin RPM
      get_url:
        # Fetch over TLS so the package cannot be swapped in transit;
        # get_url also accepts a checksum: parameter if you want to pin it.
        url: https://www.webmin.com/download/rpm/webmin-current.rpm
        dest: /tmp/webmin-current.rpm

    - name: Install Webmin
      yum:
        name: /tmp/webmin-current.rpm
        state: present
        # Skips RPM signature verification; the download is trusted as-is.
        disable_gpg_check: yes

    - name: Add firewall rule
      firewalld:
        port: 10000/tcp
        permanent: true
        state: enabled

    - name: Restart firewall service
      service:
        name: firewalld
        state: restarted
        enabled: yes

    - name: Start Webmin service
      service:
        name: webmin
        state: started
        enabled: yes
```
To install I ran ansible-playbook -i inventory.txt roles/webmin.yml. I was able to log in to it as root at http://ansible02-elizabeth.elizabeth.elizabeth.local:10000.
Ansible Galaxy
To start, I had to look at the Ansible Galaxy website: galaxy.ansible.com. I was having some issues and decided to follow a classmate's documentation for this step (Lily Poulits tech journal).
First I removed ansible02 from inventory.txt (for deliverable 7).
Next I needed to install an Ansible role: ansible-galaxy role install allanroque.deploy_apache_server
In the roles directory I created a new file apache.yml and added:
I deployed the role successfully using ansible-playbook -i inventory.txt roles/apache.yml.
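The content of apache.yml is only a screenshot above. The playbook below is an added example (not the journal's own file) of the shape it takes: apply the Galaxy role, then probe the result from the target so a run that reports success without a listening web server is caught. The role name and the roles path are from the journal; the assumption that the role leaves httpd on port 80 and that the stock Rocky welcome page answers 403 is mine.

```yaml
---
# Added example: apply a downloaded Galaxy role and verify it did its job.
#   ansible-playbook -i inventory.txt roles/apache.yml
- name: Deploy Apache with the allanroque.deploy_apache_server role
  hosts: all            # ansible02 was removed from inventory.txt, so this is ansible01
  become: yes
  roles:
    - allanroque.deploy_apache_server

  post_tasks:
    - name: Confirm Apache answers on port 80 from the target itself
      ansible.builtin.uri:
        url: http://localhost/
        # 200 for a real index page, 403 for Rocky's default test page (assumed)
        status_code: [200, 403]
      register: apache_probe

    - name: Report what the probe saw
      ansible.builtin.debug:
        msg: "httpd responded with HTTP {{ apache_probe.status }}"
```

If the probe fails, check `systemctl status httpd` and `firewall-cmd --list-all` on the target: a role that installs the package but never opens http in firewalld looks fine from localhost and still fails from controller.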
Preparing MGMT01 for Ansible
After having issues trying to install OpenSSH, I had to set the Windows Update service to Automatic in Services. After that I was able to install it with Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
After that I was able to!
Next I needed to update the inventory file to add a new group called windows with mgmt1-elizabeth as the host in that group. I edited the inventory file as shown.
Successful win_ping
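The inventory edits above (the [webmin] group earlier, the windows group here) are both shown only as screenshots. Below is an added example inventory (not the journal's inventory.txt) with the layout those steps imply, plus the two connection variables Ansible needs to talk to a Windows host over OpenSSH rather than WinRM. Hostnames are the journal's; the Windows login name and the use of per-group vars are my assumptions.

```ini
# Added example inventory for the controller. Linux hosts use the defaults
# (ssh, deployer's key, /bin/sh); Windows hosts need the ssh connection told
# that the remote shell is PowerShell, which matches the DefaultShell registry
# value set during host preparation.
ansible01-elizabeth

[webmin]
ansible02-elizabeth

[windows]
mgmt1-elizabeth

[windows:vars]
ansible_connection=ssh
ansible_shell_type=powershell
ansible_user=deployer          # assumed: the local admin account created on the Windows box
```

Check it with `ansible-inventory -i inventory.txt --graph` before running anything; a host that lands in the wrong group is the usual reason a Linux module gets sent to a Windows box, or win_ping to a Rocky box.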
Preparing wks01
Now I needed to prepare the workstation for ssh. I did the same configuration as above but had difficulties. Here is how I troubleshot it:
- Added a firewall rule in Windows Defender Firewall allowing port 22.
- Changed the Windows SSH default shell to PowerShell with
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
(source)
- SSHed into wks01 by hand before running Ansible against it.
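The MGMT01 and wks01 preparation above is spread over several manual steps. The script below is an added example (not the journal's commands, though it includes them) that does the whole Windows-side preparation from an elevated PowerShell on the host and ends with the checks you want before pointing Ansible at it. The capability name and DefaultShell value are the journal's; the firewall rule name and display name are the ones in Microsoft's OpenSSH documentation, and the wuauserv handling mirrors the Windows Update fix the journal describes.

```powershell
# Added example: prepare a Windows host for Ansible over OpenSSH.
# Run in an elevated PowerShell on the host (mgmt1 or wks01).

# 1. The capability install pulls from Windows Update, so the service must be able to run.
if ((Get-Service -Name wuauserv).StartType -eq 'Disabled') {
    Set-Service -Name wuauserv -StartupType Automatic
}
Start-Service -Name wuauserv
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# 2. Start sshd now and at every boot.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3. Open TCP/22 inbound only if the capability did not already create the rule.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 4. Hand PowerShell to ssh logins so Ansible's ansible_shell_type=powershell gets what it expects.
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
    -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

# 5. Verify: service running, port listening, shell value in place.
Get-Service -Name sshd | Select-Object Name, Status, StartType
Get-NetTCPConnection -LocalPort 22 -State Listen
Get-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell
```

Only after step 5 shows sshd listening and the DefaultShell value set is it worth trying `ssh deployer@mgmt1-elizabeth` from controller; a plain ssh login that lands in PowerShell is exactly what win_ping needs to succeed.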
Software deployment using win_chocolatey
Construct a new playbook within the roles directory called windows_software.yml. This is a simple playbook that uses built-in ansible functionality as opposed to a downloaded role. The list of tasks below will use a module called win_chocolatey which is a package manager for Windows similar to apt-get or yum that is becoming more popular in enterprises. (from Lab)
Playbook:
Had this error:
Troubleshooting:
- Downloaded Chocolatey on each system from the website https://chocolatey.org/install
- Spelling errors in the playbook
- Restarting the systems
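The windows_software.yml playbook and the error it produced are screenshots above. The playbook below is an added example (not the journal's file) of a win_chocolatey deployment that also verifies its own result. The group name matches the windows inventory group; the package names are my assumptions. win_chocolatey installs Chocolatey itself when it is absent, which covers the first troubleshooting item without visiting the website on each box, and the final assert turns "the play ran" into "the software is actually there".

```yaml
---
# Added example: deploy software to the [windows] group with Chocolatey.
#   ansible-playbook -i inventory.txt roles/windows_software.yml
- name: Deploy software to Windows hosts with Chocolatey
  hosts: windows
  gather_facts: no
  vars:
    # Package ids as known to chocolatey.org; add a version key to pin one.
    windows_packages:
      - name: 7zip
      - name: git
      - name: notepadplusplus

  tasks:
    - name: Install or update Chocolatey itself (bootstraps it if missing)
      chocolatey.chocolatey.win_chocolatey:
        name: chocolatey
        state: present

    - name: Install the requested packages
      chocolatey.chocolatey.win_chocolatey:
        name: "{{ item.name }}"
        version: "{{ item.version | default(omit) }}"
        state: present
      loop: "{{ windows_packages }}"

    - name: Read back what Chocolatey says is installed
      chocolatey.chocolatey.win_chocolatey_facts:

    - name: Fail the play if any requested package is not installed
      ansible.builtin.assert:
        that: "item.name in (ansible_chocolatey.packages | map(attribute='package') | list)"
        fail_msg: "{{ item.name }} is not installed on {{ inventory_hostname }}"
      loop: "{{ windows_packages }}"
```

If the first task itself fails, the host cannot reach chocolatey.org or the PowerShell execution policy blocks the bootstrap script; both show up in the task's stderr and are worth checking before the "spelling errors and reboots" list above.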