Milestone 6: Blue Network and VyOS with Ansible - squatchulator/Tech-Journal GitHub Wiki

Milestone 6: Blue Network and VyOS Provisioning with Ansible

  • This module required a few updates to the .psm1 file we created in the last module. Specifically, we need to create functions that allow us to do the following:
    • Create a new virtual switch/port group
    • Get the IP, name, and MAC address from the 1st interface of a VM
    • Start/Stop VMs
    • Set the network for VM interfaces
  • The modified script can be found here. It includes all of the requirements above. All of the functions were starting to get overwhelming and there was no way to visualize what I was doing, so I created 2 new functions to manage a UI for all of these PowerCLI functions, called Main, which runs the menu that branches out to the other functions, and Show-Menu, which handles per-VM options like creating a linked clone and power management based on which VM you picked.

Ansible

  • To get Ansible installed and configured for our environment, the following commands need to be run. Note that host_key_checking = false turns off SSH host-key verification for every host Ansible connects to; it is convenient while fw-blue1 is still on a DHCP address with a freshly generated host key, but on any network where a host could be impersonated, leave it enabled and add the firewall's key to known_hosts instead:
sudo apt install sshpass python3-paramiko git
sudo apt-add-repository ppa:ansible/ansible
sudo apt update
sudo apt install ansible
ansible --version
cat >> ~/.ansible.cfg << EOF                                                               
[defaults]
host_key_checking = false
EOF
  • Now we need to modify our directory structure a bit. Create folders and files so that it mirrors the following:

(image: the Ansible directory layout. The playbook and command below expect files/vyos/config.boot.j2, inventory/fw-blue1-vars.txt and vyos-config.yml under the Ansible directory.)

  • The new file config.boot.j2 is going to be the actual configuration for our blue network firewall. The easiest way to get a baseline configuration for a VyOS firewall is to SSH into our 480-fw VM and run show configuration, which prints the running configuration in the same brace format that /config/config.boot uses (show configuration commands would give set commands instead, which is not what we want here). Copy the output into the blank file.
  • Now, we need to edit the file called fw-blue1-vars.txt to match our environment. It should look like the following:
[vyos]
<your fw-blue1 DHCP address> hostname=fw-blue1 mac=00:50:56:8a:27:17 wan_ip=10.0.17.200 lan_ip=10.0.5.2 lan=10.0.5.0/24 name_server=10.0.17.4 gateway=10.0.17.2

[vyos:vars]
ansible_python_interpreter=/usr/bin/python3
  • Save this, and now edit the vyos-config.yml file. Add the following:
- name: vyos network config
  hosts: vyos
  vars_prompt:
  - name: password
    prompt: enter your new vyos password
    private: true
  tasks:
    - name: set the password hash fact
      set_fact:
        password_hash: "{{ password | password_hash('sha512') }}"
    - name: load vyos config from template
      become: yes
      template:
        src: files/vyos/config.boot.j2
        dest: /config/config.boot
        mode: "0775"
        owner: root
        group: vyattacfg
    - name: bounce and end
      become: yes
      shell: nohup bash -c "/usr/bin/sleep 5 && /usr/sbin/shutdown -r now" &
  • At this point we are almost ready to customize fw-blue1 with Ansible, but config.boot.j2 is still a verbatim copy of the 480-fw configuration. fw-blue1-vars.txt defines the per-host variables (hostname, mac, wan_ip, lan_ip, lan, name_server, gateway) and the playbook adds password_hash, so every static value in the template has to become a reference to the matching variable: a field like 10.0.17.3/24 becomes {{ wan_ip }}/24, the host-name becomes {{ hostname }}, the interface hw-id becomes {{ mac }}, and the vyos user's encrypted-password becomes {{ password_hash }} (otherwise the new password you are prompted for is never applied). After you have changed all the static numbers and names to variable references, it should look similar to the following:

(image: config.boot.j2 after the edit, with the literal addresses and names replaced by {{ wan_ip }}, {{ lan_ip }}, {{ hostname }} and the other inventory variables.)
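As an added example (not code from this journal, from Ansible or from VyOS), the following Python script shows what the finished template looks like with every literal swapped for an inventory variable, and doubles as a pre-flight check you can run on the workstation before the playbook touches the live firewall: it parses a constructed inventory in the same shape as fw-blue1-vars.txt, renders a constructed config.boot.j2 fragment with a minimal {{ var }} substitution that stands in for Ansible's Jinja2 engine, refuses to render if the template references a variable the inventory does not define, and checks that lan_ip sits inside lan and that gateway and name_server are on the WAN /24. The DHCP address 10.0.17.50, the static default route and the placeholder password hash are assumptions; the real file will contain whatever 480-fw's show configuration produced.

```python
import ipaddress
import re
import shlex

# Constructed inventory in the shape of inventory/fw-blue1-vars.txt.
# 10.0.17.50 stands in for "<your fw-blue1 DHCP address>" (assumption).
INVENTORY = """[vyos]
10.0.17.50 hostname=fw-blue1 mac=00:50:56:8a:27:17 wan_ip=10.0.17.200 lan_ip=10.0.5.2 lan=10.0.5.0/24 name_server=10.0.17.4 gateway=10.0.17.2

[vyos:vars]
ansible_python_interpreter=/usr/bin/python3
"""

# Constructed config.boot.j2 fragment in the brace format that
# `show configuration` prints, with every literal replaced by a variable.
# password_hash is the fact the playbook sets before templating.
TEMPLATE = """interfaces {
    ethernet eth0 {
        address {{ wan_ip }}/24
        hw-id {{ mac }}
    }
    ethernet eth1 {
        address {{ lan_ip }}/24
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop {{ gateway }} {
            }
        }
    }
}
system {
    host-name {{ hostname }}
    login {
        user vyos {
            authentication {
                encrypted-password {{ password_hash }}
            }
        }
    }
    name-server {{ name_server }}
}
"""

VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def parse_inventory(text):
    """Return {host: {var: value}} for the [vyos] group of an INI inventory."""
    hosts, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "vyos":
            host, *pairs = shlex.split(line)
            hosts[host] = dict(p.split("=", 1) for p in pairs)
    return hosts


def render(template, variables):
    """Minimal {{ var }} substitution; refuse to render if a variable is undefined."""
    missing = sorted(set(VAR_RE.findall(template)) - set(variables))
    if missing:
        raise KeyError(f"template references undefined variables: {missing}")
    return VAR_RE.sub(lambda m: variables[m.group(1)], template)


def check_addresses(v):
    """Return a list of addressing problems for one host's variables (empty = ok)."""
    problems = []
    wan_net = ipaddress.ip_interface(f"{v['wan_ip']}/24").network
    if ipaddress.ip_address(v["lan_ip"]) not in ipaddress.ip_network(v["lan"]):
        problems.append("lan_ip is not inside lan")
    for name in ("gateway", "name_server"):
        if ipaddress.ip_address(v[name]) not in wan_net:
            problems.append(f"{name} is not on the WAN /24")
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", v["mac"]):
        problems.append("mac is not a lower-case colon-separated MAC address")
    return problems


def preflight(inventory, template, password_hash):
    """Check every [vyos] host and return {host: rendered config.boot text}."""
    rendered = {}
    for host, v in parse_inventory(inventory).items():
        problems = check_addresses(v)
        if problems:
            raise ValueError(f"{host}: " + "; ".join(problems))
        # password_hash is merged in the same way the playbook's set_fact does.
        rendered[host] = render(template, {**v, "password_hash": password_hash})
    return rendered
```

Calling preflight(INVENTORY, TEMPLATE, "$6$example$hash") returns the rendered config.boot text keyed by host; a typo in the inventory (a lan_ip outside lan, or a variable name that does not match what the template uses) fails here instead of after the firewall has already rebooted into a broken configuration.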

  • cd into your Ansible directory and run ansible-playbook -i ./inventory/fw-blue1-vars.txt --user vyos --ask-pass vyos-config.yml. It prompts for the current SSH password of the vyos user, then for the new password that the playbook hashes into the template. If everything runs correctly, the last task reboots the VM and it comes back up with the new configuration. You can check this by starting a ping to the new address as soon as the command returns and watching until it answers, or by logging into the VM console and running ip a (or show interfaces from VyOS operational mode).