From lathama

Bootstrapping Ansible

If the host you are trying to administer does not have Python, Ansible is not useful yet: every module except raw (and script) is shipped to the target as a Python program and run there. Add Python via this bootstrap in your playbook site.yml. Because gather_facts is off, the setup module never runs on its own, so gather facts explicitly right after the bootstrap and the rest of your playbook can rock and roll. Note that the Debian package named python is Python 2 and no longer exists on current releases, where you want python3 instead.

- name: Ansible Bootstrapping Debian
  hosts: debian
  gather_facts: no
  tasks:
    - name: Ensure Python on Debian
      raw: which python || (apt -y update && apt -y install python)
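
A complete version of the bootstrap play, added here as an example (not the page's own code). It installs python3 rather than the Python 2 python package, points Ansible at that interpreter, reports changed only when apt actually ran (test -x prints nothing when the interpreter is already there), and gathers facts explicitly afterwards. The group name debian, the use of become for the install, and the interpreter path are assumptions.

```yaml
# site.yml: bootstrap a Debian host that has no Python, then gather facts.
- name: Ansible Bootstrapping Debian
  hosts: debian                 # assumed inventory group
  gather_facts: no              # the setup module needs Python, so skip it here
  become: yes                   # package installation needs root (assumed sudo/su works)
  vars:
    # Assumption: python3 is the interpreter we want Ansible to use on the target.
    ansible_python_interpreter: /usr/bin/python3
  tasks:
    - name: Ensure Python on Debian (raw runs over plain SSH, no interpreter required)
      raw: test -x /usr/bin/python3 || (apt-get -y update && apt-get -y install python3)
      register: bootstrap
      # "test -x" succeeding prints nothing, so any output means apt really ran
      changed_when: "bootstrap.stdout | length > 0"

    - name: Gather facts now that an interpreter exists
      setup:
```

Everything after the setup task can use facts and ordinary modules as usual; if other plays in site.yml target the same hosts they inherit the gathered facts for the run.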

Portable Ansible with Vault Security

So you want to develop a complex playbook and share it with a team that may or may not use Ansible yet. To make it easy for everyone, try a portable setup: an Ansible checkout next to the playbook, with the instructions in a README in the project directory. One issue is where to keep the root or sudo password for inventory items, which Ansible Vault covers below.

mkdir -p project/playbook/roles/base/tasks && cd project/playbook && touch README hosts.yml site.yml roles/base/tasks/main.yml
Portable Ansible and Playbook Howto

1. Create an Ansible Vault password file, readable only by you (the echo also lands in your shell history, so clear it or type the file in an editor if that matters):
    1. $ echo "thepassword" > ~/.vault
    2. $ chmod 600 ~/.vault
2. In the project directory where this README is we will get the Ansible 2.4 stable branch
    1. $ git clone -b stable-2.4 --single-branch https://github.com/ansible/ansible.git ansible
    2. $ cd ansible
    3. $ source ./hacking/env-setup
3. We can run the playbook with the Ansible Vault password file decrypting secret.yml on the fly
    1. $ ./bin/ansible-playbook --vault-id ~/.vault -e @../playbook/secret.yml -i ../playbook/hosts.yml ../playbook/site.yml
4. Enjoy
site.yml
- hosts: group_a
  remote_user: production
  become: yes
  become_method: su
  become_user: root
  roles:
    - base
secret.yml (create it the first time with ./bin/ansible-vault create --vault-id ~/.vault ../playbook/secret.yml, then change it with ./bin/ansible-vault edit --vault-id ~/.vault ../playbook/secret.yml; it is stored encrypted, so it can live in the project directory)
ansible_become_pass: one2three4five6seven8nine10
app1password: qwertyuiop
shortkey: TF1DaAFxfeJ9zcVdE

roles/base/tasks/main.yml
- name: do stuffs
  apt:
    name: vlan
    state: latest

- name: install key
  copy:
    dest: /root/.privatekey
    content: "{{ shortkey }}"
    owner: root
    mode: '0600'
  no_log: yes
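
An added example, not the page's own site.yml: the same play with two checks around it. A pre_tasks assert refuses to run when the vaulted variables were not supplied (for instance when someone forgets -e @../playbook/secret.yml), and a post_tasks stat plus assert verifies the key the base role deployed is owned by root with mode 0600. gather_facts is disabled because fact gathering would already need the su password, so the assert would never be reached without it; the group, user and paths are the ones from the page.

```yaml
# site.yml with sanity checks (added example).
- hosts: group_a
  remote_user: production
  become: yes
  become_method: su
  become_user: root
  gather_facts: no            # setup would need ansible_become_pass before we can check for it
  pre_tasks:
    - name: Refuse to run if the vaulted variables were not passed in
      assert:
        that:
          - ansible_become_pass is defined
          - shortkey is defined
          - shortkey | length > 0
        msg: "vaulted variables missing; run with --vault-id ~/.vault -e @../playbook/secret.yml"
  roles:
    - base
  post_tasks:
    - name: Inspect the deployed private key
      stat:
        path: /root/.privatekey
      register: key

    - name: Fail if the key is missing or readable by anyone but root
      assert:
        that:
          - key.stat.exists
          - key.stat.pw_name == 'root'
          - key.stat.mode == '0600'
        msg: "/root/.privatekey has the wrong owner or mode"
```

The assert action is evaluated on the controller, so it does not need the become password itself; the stat task does run on the host and therefore uses the vaulted ansible_become_pass like everything else.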

Security tasks in Ansible to ban services

I was playing around and wrote the following playbook task to keep people from parking screen and tmux sessions on production hardware.

banned_services variable (define it wherever your vars live, for example group_vars)
banned_services:
  - screen
  - tmux

security.yml task
- name: Kill banned services
  shell: "pkill -f {{ item }}"
  with_items: "{{ banned_services }}"
  ignore_errors: yes
  changed_when: False
  failed_when: False

This runs pkill against each name in the list, which is effective and dangerous at the same time. pkill -f matches the pattern against the full command line rather than the process name, so "screen" also kills anything that merely has that string in its arguments (an editor open on a screenrc, a screensaver, and even the sh -c "pkill -f screen" wrapper the shell module spawns, which is one reason the task needs failed_when: False to stay green). With changed_when: False it reports ok whether or not anything was killed. The run will look like this:

TASK [common : Kill banned services] **********************************
ok: [] => (item=screen)
ok: [] => (item=screen)
ok: [] => (item=screen)
ok: [] => (item=tmux)
ok: [] => (item=tmux)
ok: [] => (item=tmux)

Which should be all green and evil at the same time.
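
A stricter variant of the task, added here as an example rather than the page's original. It uses the command module, so no sh -c wrapper exists to be matched, and pkill -x, so only processes whose name is exactly one of the listed strings are signalled. Instead of hiding every outcome it maps pkill's exit status onto changed and failed, so a run is green only when nothing matched and yellow when something was actually killed. The become setting is an assumption (you need root to signal other users' processes).

```yaml
# security.yml task, stricter variant (added example).
- name: Kill banned services
  command: "pkill -x {{ item }}"
  with_items: "{{ banned_services }}"
  become: yes                 # assumed: root is required to signal other users' processes
  register: kill
  # procps pkill exit status: 0 = at least one process matched and was signalled,
  # 1 = nothing matched, 2 = syntax error, 3 = fatal error
  changed_when: kill.rc == 0
  failed_when: kill.rc > 1
```

With this, "ok" in the output means no banned process was running and "changed" means one was killed; a real problem (a typo in the list, pkill missing) still fails the play instead of being swallowed.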

Ansible task for libvirt setup

Playing with some libvirt stuff and set up a quick task to get my HVM nodes working the way I want. Will update with some fine tuning over time. Keep in mind that membership in the libvirt group is access to the system libvirtd socket, which is effectively root on the host (a VM can be given any host block device or file as a disk), so treat the hvm account as a privileged one.


- name: HVM Packages to install
  apt:
    name: "{{ item }}"
    state: latest    # use present if you do not want every run to upgrade
  with_items:
    - qemu-kvm
    - libvirt-clients
    - libvirt-daemon-system

- name: Add user to group
  user:
    name: hvm
    groups: libvirt-qemu,libvirt
    append: yes
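
Follow-up checks for the tasks above, added here as an example (not from the page): confirm the host really has hardware virtualisation before anything else is built on it, make sure libvirtd is running and enabled, and verify the hvm user actually ended up in both groups. The service name libvirtd and the device path /dev/kvm are the Debian defaults and are assumptions about the target.

```yaml
# Sanity checks to run after the HVM package and user tasks (added example).
- name: Look for the KVM device
  stat:
    path: /dev/kvm
  register: kvm

- name: Refuse to continue on a host without hardware virtualisation
  assert:
    that: kvm.stat.exists
    msg: "/dev/kvm missing: enable VT-x/AMD-V in firmware, or this is not a bare-metal HVM node"

- name: Ensure libvirtd is running and starts at boot
  service:
    name: libvirtd        # assumed Debian unit name
    state: started
    enabled: yes

- name: Read the hvm user's group list
  command: id -nG hvm
  register: hvm_groups
  changed_when: false     # read-only command

- name: Confirm the hvm user is in the expected groups
  assert:
    that:
      - "'libvirt' in hvm_groups.stdout.split()"
      - "'libvirt-qemu' in hvm_groups.stdout.split()"
    msg: "hvm is not in libvirt and libvirt-qemu; the user task did not take effect"
```

The group check uses id -nG rather than trusting the user module's result because group membership can be changed by something else between runs.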

One Liners

Examples run from a local Ansible source tree (after source ./hacking/env-setup) without installing anything, to run ad hoc commands. The host list is given inline to -i as a comma-separated list; the trailing comma is what tells Ansible the argument is a list of hosts and not an inventory file.

Assuming your default SSH key works:

./bin/ansible all -i, -a "uname -a"
 | SUCCESS | rc=0 >>
Linux nodeone 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

Setting the key explicitly:

./bin/ansible all -i, -a "uname -a" --private-key=~/.ssh/id_rsa
 | SUCCESS | rc=0 >>
Linux nodeone 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

./bin/ansible all -i, -a "whoami" --private-key=~/.ssh/id_rsa
 | SUCCESS | rc=0 >>

Become root via su (-b enables become, -K prompts for the su password instead of reading it from a vaulted variable):

./bin/ansible all -i, --private-key=~/.ssh/id_rsa -b --become-method=su -K -a "whoami"
SU password:
 | SUCCESS | rc=0 >>
