Ansible

From lathama

Bootstrapping Ansible

If the host you are trying to administer does not have Python, Ansible's modules cannot run on it. Add Python via this bootstrap in your playbook site.yml; it uses the raw module, which needs only SSH and a shell on the target. Remember to gather facts right after this task so the rest of your playbook can rock and roll.

- name: Ansible Bootstrapping Debian
  hosts: debian
  gather_facts: no   # fact gathering needs Python, so skip it until Python is installed
  tasks:
    - name: Ensure Python on Debian
      # raw runs over plain SSH without a Python interpreter on the target
      raw: which python || (apt -y update && apt -y install python)
    - name: Gather facts now that Python is available
      setup:

Portable Ansible with Vault Security

So you want to develop a complex playbook and share it with a team that may or may not already use Ansible. To make it easy for everyone, try a portable setup, starting with documentation in a project directory. One issue is supplying the root or sudo password for inventory items; we cover that below with Ansible Vault.

mkdir -p project/playbook/roles/base/tasks && cd project/playbook && touch README hosts.yml site.yml roles/base/tasks/main.yml
README
Portable Ansible and Playbook Howto

1. Create an Ansible Vault password file:
    1. $ echo "thepassword" > ~/.vault
2. In the project directory where this README lives, fetch the Ansible 2.4 stable branch:
    1. $ git clone -b stable-2.4 --single-branch https://github.com/ansible/ansible.git ansible
    2. $ cd ansible
    3. $ source ./hacking/env-setup
3. Run the playbook, pointing Ansible at the Vault password file and the encrypted variables file:
    1. $ ./bin/ansible-playbook --vault-id ~/.vault -e @../playbook/secret.yml -i ../playbook/hosts.yml ../playbook/site.yml
4. Enjoy
hosts.yml
group_a:
  hosts:
    host1.example.com:   # each host is a mapping key, so the trailing colon is required
site.yml
---
- hosts: group_a
  remote_user: production
  become: yes
  become_method: su
  become_user: root
  roles:
    - base
secret.yml (./bin/ansible-vault edit --vault-id ~/.vault ../playbook/secret.yml)
---
ansible_become_pass: one2three4five6seven8nine10
app1password: qwertyuiop
shortkey: TF1DaAFxfeJ9zcVdE
roles/base/tasks/main.yml
---

- name: do stuffs
  apt:
    name: vlan
    state: latest

- name: install key
  copy:
    # copy takes dest/content (not name/contents); quote the Jinja expression so YAML
    # does not read the leading {{ as a mapping
    dest: /root/.privatekey
    content: "{{ shortkey }}"
    mode: '0600'      # a private key should be readable by root only
  no_log: true        # keep the key out of the play output and logs
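Two things go wrong with this layout in practice: ~/.vault ends up group- or world-readable, and someone commits a secret.yml that was edited in plaintext and never re-encrypted. The following pre-flight check, an added example and not part of the original page or of Ansible itself, verifies both before a run. It relies only on the fact that every vault-encrypted file begins with the `$ANSIBLE_VAULT;` header; the file names and the permissive mode it demonstrates against are constructed for the demo.

```python
import os
import stat
import tempfile

# Every file written by ansible-vault starts with this header (format 1.1 or 1.2).
VAULT_HEADER = "$ANSIBLE_VAULT;"


def is_vault_encrypted(path):
    """True if the file carries the Ansible Vault header, False if it is plaintext."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def password_file_problems(path):
    """Problems with the vault password file; an empty list means it is fine."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is readable by group/others (mode %o); chmod 600 it" % (path, mode))
    if os.path.getsize(path) == 0:
        problems.append("%s is empty" % path)
    return problems


def preflight(password_file, secret_files):
    """Collect every problem found; run the playbook only if this returns []."""
    problems = password_file_problems(password_file)
    for secret in secret_files:
        if not is_vault_encrypted(secret):
            problems.append("%s is NOT vault-encrypted; run ansible-vault encrypt before committing" % secret)
    return problems


def demo():
    """Run the check against constructed files in a temp dir and return the findings."""
    workdir = tempfile.mkdtemp()
    vault = os.path.join(workdir, ".vault")
    with open(vault, "w") as fh:
        fh.write("thepassword\n")
    os.chmod(vault, 0o644)  # deliberately too permissive, to trigger the check

    plain = os.path.join(workdir, "secret.yml")  # constructed: forgot to re-encrypt
    with open(plain, "w") as fh:
        fh.write("---\nansible_become_pass: one2three4five6seven8nine10\n")

    encrypted = os.path.join(workdir, "secret_enc.yml")  # constructed header + dummy body
    with open(encrypted, "w") as fh:
        fh.write("$ANSIBLE_VAULT;1.1;AES256\ndeadbeef\n")

    return preflight(vault, [plain, encrypted])


if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

Wire it in front of the ansible-playbook call in the README (step 3) so a plaintext secret.yml or a loose ~/.vault stops the run before any password leaves the workstation.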

Security tasks in Ansible to ban services

I was playing around and just wrote the following playbook task to keep people off of production hardware.

group_vars/all
banned_services:
  - screen
  - tmux
security.yml task
- name: Kill banned services
  shell: "pkill -f {{ item }}"
  with_items: "{{ banned_services }}"
  ignore_errors: yes
  changed_when: False
  failed_when: False

This runs pkill against a list of names, which is both dangerous and effective at the same time: pkill -f treats each name as a regular expression matched against every process's full command line, so any process whose arguments merely contain the word is killed as well. The run will look like:

TASK [common : Kill banned services] **********************************
ok: [192.168.15.12] => (item=screen)
ok: [192.168.15.13] => (item=screen)
ok: [192.168.15.11] => (item=screen)
ok: [192.168.15.12] => (item=tmux)
ok: [192.168.15.11] => (item=tmux)
ok: [192.168.15.13] => (item=tmux)

It should be all green and evil at the same time.
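To see how wide `pkill -f` actually casts its net, here is an added example (not from the original page) that simulates the two matching modes over a constructed process table: `-f` searches the pattern in the full command line, while `-x` requires the process name to match exactly. Python's `re` stands in for pkill's extended regular expressions; the PIDs and command lines are made up for the demo.

```python
import re

# Constructed process table: (pid, process name as the kernel reports it, full command line).
PROCESSES = [
    (1201, "screen", "screen -S deploy"),
    (1342, "tmux", "tmux new-session -d -s ops"),
    (2210, "vim", "vim /etc/tmux.conf"),                            # just editing a config
    (2377, "python3", "/usr/bin/python3 /opt/app/screen_capture.py"),  # unrelated app
    (2990, "sshd", "sshd: lathama [priv]"),
]


def pkill_f_targets(pattern, procs):
    """PIDs that `pkill -f PATTERN` would signal: regex search over the full command line."""
    rx = re.compile(pattern)
    return [pid for pid, _name, cmdline in procs if rx.search(cmdline)]


def pkill_x_targets(pattern, procs):
    """PIDs that `pkill -x PATTERN` would signal: the whole process name must match."""
    rx = re.compile(pattern)
    return [pid for pid, name, _cmdline in procs if rx.fullmatch(name)]


def collateral(pattern, procs):
    """Processes -f kills that -x would leave alone, i.e. the false positives."""
    exact = set(pkill_x_targets(pattern, procs))
    broad = set(pkill_f_targets(pattern, procs))
    return [(pid, cmdline) for pid, _name, cmdline in procs if pid in broad - exact]


def audit(banned_services, procs):
    """Map each banned name to the innocent bystanders the playbook task would kill."""
    return {svc: collateral(svc, procs) for svc in banned_services}


if __name__ == "__main__":
    for svc, victims in audit(["screen", "tmux"], PROCESSES).items():
        print("pkill -f %-6s also kills: %s" % (svc, victims or "nothing extra"))
```

The editor session on /etc/tmux.conf and the screen_capture.py app both die under `-f`. Switching the task to `shell: "pkill -x {{ item }}"` limits the kill to processes actually named screen or tmux; removing the packages with the apt module (`state: absent`) avoids the race entirely.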

Ansible task for libvirt setup

Playing with some libvirt stuffs and set up a quick task to get my HVM nodes working the way I want. I will update it with some fine tuning over time.

---

- name: HVM Packages to install
  apt:
    name: "{{ item }}"
    state: latest
  with_items:
    - qemu-kvm
    - libvirt-clients
    - libvirt-daemon-system

- name: Add user to group
  user:
    name: hvm
    groups: libvirt-qemu,libvirt
    append: yes

One Liners

Examples of running ad hoc commands straight from a local Ansible source tree, without installing anything.

Assuming the default SSH key works

./bin/ansible all -i 192.168.15.11, -a "uname -a"
192.168.15.11 | SUCCESS | rc=0 >>
Linux nodeone 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

Set key

./bin/ansible all -i 192.168.15.11, -a "uname -a" --private-key=~/.ssh/id_rsa
192.168.15.11 | SUCCESS | rc=0 >>
Linux nodeone 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

whoami

./bin/ansible all -i 192.168.15.11, -a "whoami" --private-key=~/.ssh/id_rsa
192.168.15.11 | SUCCESS | rc=0 >>
lathama

become root via su

./bin/ansible all -i 192.168.15.11, --private-key=~/.ssh/id_rsa -b --become-method=su -K -a "whoami"
SU password: 
192.168.15.11 | SUCCESS | rc=0 >>
root
