Lab 04: Automation with Ansible - squatchulator/Tech-Journal GitHub Wiki

Lab 04: Automation with Ansible

  • Power off Docker01, Web01, and Nmon01 as we won't need them going forward.

  • The new VMs are Ansible01 (10.0.5.91/CentOS 7), Ansible02 (10.0.5.92/Rocky), and Controller (10.0.5.90/Ubuntu). Power all 3 of them on.

  • On Controller, make a new named sudo account, as well as another sudo account called deployer. Create the same sudo deployer user on both Ansible endpoints. The password should be the same for all! (NOTE: use adduser rather than useradd on Ubuntu as it will not create the home directory otherwise.)

  • Once logged in, elevate to root and change the password for all.

  • Networking info:

    • Addresses: (Listed above)/24
    • Gateway: 10.0.5.2
    • DNS: 10.0.5.5
    • Search domain: miles.local
  • You can use NMTUI on the two Ansible VMs but on the Controller, the netplan config should look like this: (image: netplan configuration for Controller, not reproduced here)

  • At this point, and after adding DNS A and PTR records for the new servers, you should be able to SSH into Controller from Mgmt01 and perform a domain search using the AD01-miles server. All the following queries should resolve:

image

  • Now while still logged into SSH on controller-miles, install Ansible with apt install -y ansible sshpass python3-paramiko. You can ensure the installation succeeded with ansible --version.
  • On all of your ansible systems create a new file in /etc/sudoers.d/sys265. Add the following:
deployer       ALL=(ALL)       NOPASSWD: ALL
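The sys265 fragment above gives deployer passwordless sudo for every command, which is what the lab needs for Ansible's become. The check below is an added example (not part of the lab or of sudo itself): it parses a sudoers.d fragment, flags a NOPASSWD: ALL grant so you see exactly how broad it is, and confirms the two things sudo is picky about with drop-in files, the file name (no '.' in it) and the 0440 mode. The function names and the sample fragment are mine; the rule regex only covers the common one-line rule shape, so the authoritative syntax check is still visudo -cf /etc/sudoers.d/sys265.

```python
"""Lint a sudoers.d fragment before installing it (added example, not part of the lab)."""
import os
import re
import stat
import tempfile

# Constructed sample: the exact line the lab puts in /etc/sudoers.d/sys265.
SYS265_FRAGMENT = "deployer       ALL=(ALL)       NOPASSWD: ALL\n"

# user  hosts=(runas)  TAG: ... commands   -- the common one-line sudoers rule shape
RULE_RE = re.compile(
    r"^(?P<user>%?[\w.-]+)\s+"           # user, or %group
    r"(?P<hosts>[\w.,-]+)\s*=\s*"        # host list, usually ALL
    r"(?:\((?P<runas>[^)]*)\))?\s*"      # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"         # zero or more tags such as NOPASSWD:
    r"(?P<commands>.+)$"                 # command list, or ALL
)


def parse_rule(line: str):
    """Return the parts of one sudoers rule, or None if it does not fit the shape."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {
        "user": m.group("user"),
        "hosts": m.group("hosts"),
        "runas": m.group("runas") or "root",     # sudo's default run-as user
        "tags": [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))],
        "commands": m.group("commands").strip(),
    }


def lint_fragment(text: str):
    """Report unparseable lines and grants that are passwordless for every command."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append(f"line {n}: unparseable rule {line!r}")
        elif "NOPASSWD" in rule["tags"] and rule["commands"] == "ALL":
            findings.append(f"line {n}: {rule['user']} gets passwordless root for every command")
    return findings


def valid_fragment_name(name: str) -> bool:
    """sudo skips sudoers.d entries whose name contains '.' or ends in '~' (sudoers(5))."""
    return "." not in name and not name.endswith("~")


def has_expected_mode(path: str) -> bool:
    """sudoers(5) documents 0440 as the mode for files under sudoers.d."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o440


def demo_install_check() -> bool:
    """Write the fragment to a temp file with mode 0440 and confirm the mode check passes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sys265")
        with open(path, "w") as fh:
            fh.write(SYS265_FRAGMENT)
        os.chmod(path, 0o440)
        return has_expected_mode(path)


if __name__ == "__main__":
    print(parse_rule(SYS265_FRAGMENT))
    for finding in lint_fragment(SYS265_FRAGMENT):
        print(finding)
    print("name ok:", valid_fragment_name("sys265"), "mode ok:", demo_install_check())
```

Running it against the lab's line reports the passwordless-root grant as a finding; a rule that names specific commands (for example a single systemctl invocation) passes clean, which is the shape to move to once the lab's playbooks no longer need blanket root.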
  • Now as the deployer user on controller-miles, run the following:
ssh-keygen (set a passphrase on the key when prompted)
ssh-copy-id deployer@ansible01-miles
ssh-copy-id deployer@ansible02-miles
eval $(ssh-agent)
ssh-add -t 14400
  • Should be able to SSH into either Ansible endpoint (ansible01-miles or ansible02-miles) without a password at this point. Try it on both to double-check that everything worked ok. Should also be able to elevate to root without a password prompt.
  • If you want to test pinging with ansible, try the following:
cd /home/deployer
mkdir -p ansible/roles
cd ansible/
echo ansible01-miles >> inventory.txt
echo ansible02-miles >> inventory.txt
ansible all -m ping -i inventory.txt
  • This basically allows you to run terminal commands on multiple endpoints at once. For example, you can try ansible all -a pwd -i inventory.txt to run the pwd command on all endpoints. I installed tree on both of them and tried that too.
  • In the inventory.txt file, you can adjust your endpoints and categorize them by type. Making your file look like this will let you specify endpoints using that new tag:
ansible01-miles
[webmin]
ansible02-miles
  • Now running ansible webmin -m ping -i inventory.txt will only ping ansible02-miles.
  • Install the webmin role from Ansible Galaxy with:
ansible-galaxy install semuadmin.webmin -p roles/
ls roles/ (should return semuadmin.webmin)
  • Head into the roles directory and create a new playbook called webmin.yml. (NOTE: Don't use tabs, use 2 spaces for indentation.)
---
- name: webmin SYS265
  hosts: webmin
  become: true
  vars:
    install_utilities: false
    firewalld_enable: true
  roles:
  - semuadmin.webmin
  tasks:
  - name: add firewall rule
    firewalld:
      port: 10000/tcp
      permanent: true
      state: enabled

  • To execute it, hit em with a ansible-playbook -i inventory.txt webmin.yml
  • Once it's done, on WKS-01 go to ansible02-miles:10000 and log in using your root credentials.
  • Apache playbook (add Apache tag to ansible01-miles and run ansible-galaxy role install geerlingguy.apache):
---
- name: apache SYS265
  hosts: apache
  become: true
  roles:
    - geerlingguy.apache
  • Should be able to visit the Apache default page on ansible01-miles in a browser right away!

  • Head to mgmt01 and make sure the OpenSSH server service is running. If not, run:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
  • NOTE: this service straight up does not exist on MGMT01. I tried installing it with different syntax, tried running wism.exe to see available features, and nothing even related to openssh existed.
  • Once it's set up, make the inventory.txt file look like this:
[apache]
ansible01-miles
[webmin]
ansible02-miles
[windows]
wks01-miles
[windows:vars]
ansible_shell_type=powershell
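The two inventory layouts in this lab (the early one where ansible01-miles sits above any group header, and this final one with [apache], [webmin], [windows] and [windows:vars]) are resolved the same way: a pattern such as webmin selects only the hosts under that header, and a [group:vars] section attaches variables to every host in the group. The script below is an added example, not part of the lab or of Ansible; it is a deliberately small reading of the INI inventory format (groups, :vars, :children, no wildcards, ranges or "a:b" unions) so you can see which hosts a given ansible <pattern> -i inventory.txt call would touch before running it. The function names and the constructed sample strings are mine; Ansible's real inventory plugin handles far more syntax than this.

```python
"""Resolve which hosts an `ansible <pattern> -i inventory.txt` run would target (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed samples: the two inventory layouts the lab builds.
EARLY_INVENTORY = """\
ansible01-miles
[webmin]
ansible02-miles
"""

FINAL_INVENTORY = """\
[apache]
ansible01-miles
[webmin]
ansible02-miles
[windows]
wks01-miles
[windows:vars]
ansible_shell_type=powershell
"""

HEADER_RE = re.compile(r"^\[(?P<name>[\w.-]+)(?::(?P<kind>vars|children))?\]$")

Groups = Dict[str, List[str]]


def parse_inventory(text: str) -> Tuple[Groups, Dict[str, Dict[str, str]], Groups]:
    """Parse INI-style inventory into (group -> hosts, group -> vars, group -> child groups)."""
    groups: Groups = {"all": [], "ungrouped": []}
    group_vars: Dict[str, Dict[str, str]] = {}
    children: Groups = {}
    section, kind = "ungrouped", "hosts"     # hosts before any header are ungrouped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            section, kind = m.group("name"), m.group("kind") or "hosts"
            groups.setdefault(section, [])
        elif kind == "vars":
            key, _, value = line.partition("=")
            group_vars.setdefault(section, {})[key.strip()] = value.strip()
        elif kind == "children":
            children.setdefault(section, []).append(line)
        else:
            host = line.split()[0]           # inline host vars after the name are dropped here
            groups[section].append(host)
            if host not in groups["all"]:
                groups["all"].append(host)
    return groups, group_vars, children


def hosts_for(pattern: str, groups: Groups, children: Groups) -> List[str]:
    """Hosts selected by a single group name or host name (no wildcards or ':' unions)."""
    if pattern in groups:
        hosts = list(groups[pattern])
        for child in children.get(pattern, []):
            hosts += [h for h in hosts_for(child, groups, children) if h not in hosts]
        return hosts
    return [pattern] if pattern in groups["all"] else []


def vars_for(host: str, groups: Groups, group_vars: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Merge the vars of every group the host belongs to (later groups override earlier)."""
    merged: Dict[str, str] = {}
    for group, members in groups.items():
        if host in members:
            merged.update(group_vars.get(group, {}))
    return merged


if __name__ == "__main__":
    g, v, c = parse_inventory(FINAL_INVENTORY)
    for pattern in ("all", "webmin", "windows", "ansible01-miles"):
        print(f"{pattern:>16} -> {hosts_for(pattern, g, c)}")
    print("wks01-miles vars:", vars_for("wks01-miles", g, v))
```

With the early inventory, hosts_for("webmin") returns just ansible02-miles while ansible01-miles lands in the implicit ungrouped group, which is exactly why the ansible webmin -m ping call above only pings one box. With the final inventory, wks01-miles picks up ansible_shell_type=powershell from [windows:vars] and nothing else, so a typo in a group header shows up here as an empty selection rather than as a playbook silently running against the wrong hosts.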
  • Try pinging using ansible windows -i inventory.txt -m win_ping -u [email protected] --ask-pass
  • Now make a new file in the roles folder called windows_software.yml. Add the following:
---
- name: Install Windows Applications
  hosts: windows
  tasks:
    - name: Install Firefox, 7zip, and Notepad++
      win_chocolatey:
        name:
        - firefox
        - 7zip
        - notepadplusplus
        state: present

  • For this to work, chocolatey needs to be manually installed on the endpoint because chocolatey has a bug where it sometimes fails to add itself to the PATH variable when installed through Ansible.
  • Now if you SSH into the Windows box, you should be able to run C:\ProgramData\chocolatey\bin\choco.exe list to see the apps installed through chocolatey.