http://howto.cactus.de/api.php?action=feedcontributions&feedformat=atom&user=Tim
Cactus Howto - User contributions [en]
2026-05-30T19:28:09Z
User contributions
MediaWiki 1.39.7
http://howto.cactus.de/index.php?title=Main_Page&diff=430
Main Page
2021-07-14T09:33:47Z
<p>Tim: </p>
<hr />
<div>* Security<br />
** Encryption<br />
*** [[OpenSwan VPN]]<br />
*** [[Letsencrypt Howto]]<br />
** Firewalling<br />
*** [[Migrate FortiGate 60D to FortiWiFi 60E]]<br />
* Webpublishing<br />
** [[MediaWiki Howto]]<br />
* Container<br />
** [[Docker.io Howto]]<br />
* Automation<br />
** [[Ansible Howto]]<br />
* Android<br />
** [[Android rsync App]]<br />
** [[Android VCF Import]]<br />
* [[Ubuntu Howtos]] (desktop, server)<br />
* [[Phone stuff]]<br />
* Development Tools<br />
** Anonymizer - Tool for anonymizing network config files: https://github.com/tpurschke/IP-anonymizer<br />
NB: this perl script <br />
- can be used to anonymize config files (router, firewall)<br />
- replaces IP addresses as well as strings<br />
- requires the non-standard module "NetAddr::IP"<br />
* Return to Cactus main page: https://www.cactus.de</div>
Tim
http://howto.cactus.de/index.php?title=Main_Page&diff=429
Main Page
2021-06-26T18:12:10Z
<p>Tim: Created page with "* Security ** Encryption *** OpenSwan VPN *** Letsencrypt Howto ** Firewalling *** Migrate FortiGate 60D to FortiWiFi 60E * Webpublishing ** MediaWiki Howto *..."</p>
<hr />
<div>* Security<br />
** Encryption<br />
*** [[OpenSwan VPN]]<br />
*** [[Letsencrypt Howto]]<br />
** Firewalling<br />
*** [[Migrate FortiGate 60D to FortiWiFi 60E]]<br />
* Webpublishing<br />
** [[MediaWiki Howto]]<br />
* Container<br />
** [[Docker.io Howto]]<br />
* Automation<br />
** [[Ansible Howto]]<br />
* Android<br />
** [[Android rsync App]]<br />
** [[Android VCF Import]]<br />
* [[Ubuntu Howtos]] (desktop, server)<br />
* [[Phone stuff]]<br />
* Development Tools<br />
** Anonymizer - Tool for anonymizing network config files: https://github.com/tpurschke/iso-anonymizer<br />
NB: this perl script <br />
- can be used to anonymize config files (router, firewall)<br />
- replaces IP addresses as well as strings<br />
- requires the non-standard module "NetAddr::IP"<br />
* Return to Cactus main page: https://www.cactus.de</div>
Tim
http://howto.cactus.de/index.php?title=Hauptseite&diff=428
Hauptseite
2020-01-15T21:00:26Z
<p>Tim: </p>
<hr />
<div>* Security<br />
** Encryption<br />
*** [[OpenSwan VPN]]<br />
*** [[Letsencrypt Howto]]<br />
** Firewalling<br />
*** [[Migrate FortiGate 60D to FortiWiFi 60E]]<br />
* Webpublishing<br />
** [[MediaWiki Howto]]<br />
* Container<br />
** [[Docker.io Howto]]<br />
* Automation<br />
** [[Ansible Howto]]<br />
* Android<br />
** [[Android rsync App]]<br />
** [[Android VCF Import]]<br />
* [[Ubuntu Howtos]] (desktop, server)<br />
* [[Phone stuff]]<br />
* Development Tools<br />
** Anonymizer - Tool for anonymizing network config files: https://github.com/tpurschke/iso-anonymizer<br />
NB: this perl script <br />
- can be used to anonymize config files (router, firewall)<br />
- replaces IP addresses as well as strings<br />
- requires the non-standard module "NetAddr::IP"<br />
* Return to Cactus main page: https://www.cactus.de</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=427
Ansible Howto
2019-09-22T15:39:51Z
<p>Tim: /* Restore */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===<br />
<br />
== using ansible via cron in pull mode ==<br />
<br />
see https://github.com/ansible/ansible-examples/blob/master/language_features/ansible_pull.yml<br />
<br />
= ansible tower / AWX =<br />
<br />
== Documentation ==<br />
Documentation setting up AWX: https://www.jeffgeerling.com/blog/2017/ansible-open-sources-ansible-tower-awx<br />
<br />
* prepare<br />
tower-cli config host http://<old-awx-host.example.com><br />
tower-cli config username <user><br />
tower-cli config password <pass><br />
<br />
== Backup & Restore ==<br />
Backup and restore (or migration): https://github.com/autops/awx-migrate, https://github.com/ansible/awx/blob/devel/DATA_MIGRATION.md<br />
<br />
=== Backup ===<br />
tower-cli receive --all > assets.json<br />
<br />
=== Restore ===<br />
tower-cli send backup.json<br />
<br />
Then add credentials manually as they are not part of the backup.</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=426
Ansible Howto
2019-09-22T15:38:57Z
<p>Tim: /* Restore */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===<br />
<br />
== using ansible via cron in pull mode ==<br />
<br />
see https://github.com/ansible/ansible-examples/blob/master/language_features/ansible_pull.yml<br />
<br />
= ansible tower / AWX =<br />
<br />
== Documentation ==<br />
Documentation setting up AWX: https://www.jeffgeerling.com/blog/2017/ansible-open-sources-ansible-tower-awx<br />
<br />
* prepare<br />
tower-cli config host http://<old-awx-host.example.com><br />
tower-cli config username <user><br />
tower-cli config password <pass><br />
<br />
== Backup & Restore ==<br />
Backup and restore (or migration): https://github.com/autops/awx-migrate, https://github.com/ansible/awx/blob/devel/DATA_MIGRATION.md<br />
<br />
=== Backup ===<br />
tower-cli receive --all > assets.json<br />
<br />
=== Restore ===<br />
<br />
tower-cli send backup.json</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=425
Ansible Howto
2019-09-22T15:36:54Z
<p>Tim: /* ansible tower / AWX */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===<br />
<br />
== using ansible via cron in pull mode ==<br />
<br />
see https://github.com/ansible/ansible-examples/blob/master/language_features/ansible_pull.yml<br />
<br />
= ansible tower / AWX =<br />
<br />
== Documentation ==<br />
Documentation setting up AWX: https://www.jeffgeerling.com/blog/2017/ansible-open-sources-ansible-tower-awx<br />
<br />
* prepare<br />
tower-cli config host http://<old-awx-host.example.com><br />
tower-cli config username <user><br />
tower-cli config password <pass><br />
<br />
== Backup & Restore ==<br />
Backup and restore (or migration): https://github.com/autops/awx-migrate, https://github.com/ansible/awx/blob/devel/DATA_MIGRATION.md<br />
<br />
=== Backup ===<br />
tower-cli receive --all > assets.json<br />
<br />
=== Restore ===<br />
./setup.sh -e 'restore_backup_file=/path/to/nondefault/backup.tar.gz' -r</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=424
Ansible Howto
2019-02-26T12:26:38Z
<p>Tim: /* ansible tower / AWX */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===<br />
<br />
== using ansible via cron in pull mode ==<br />
<br />
see https://github.com/ansible/ansible-examples/blob/master/language_features/ansible_pull.yml<br />
<br />
= ansible tower / AWX =<br />
<br />
* documentation setting up AWX: https://www.jeffgeerling.com/blog/2017/ansible-open-sources-ansible-tower-awx<br />
* backup and restore (or migration): https://github.com/autops/awx-migrate, https://github.com/ansible/awx/blob/devel/DATA_MIGRATION.md<br />
* prepare<br />
tower-cli config host http://<old-awx-host.example.com><br />
tower-cli config username <user><br />
tower-cli config password <pass><br />
* backup <br />
tower-cli receive --all > assets.json</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=423
Ansible Howto
2019-02-26T12:01:32Z
<p>Tim: </p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===<br />
<br />
== using ansible via cron in pull mode ==<br />
<br />
see https://github.com/ansible/ansible-examples/blob/master/language_features/ansible_pull.yml<br />
<br />
= ansible tower / AWX =<br />
<br />
* documentation setting up AWX: https://www.jeffgeerling.com/blog/2017/ansible-open-sources-ansible-tower-awx<br />
* backup and restore (or migration): https://github.com/autops/awx-migrate, https://github.com/ansible/awx/blob/devel/DATA_MIGRATION.md<br />
** prepare<br />
tower-cli config host http://<old-awx-host.example.com><br />
tower-cli config username <user><br />
tower-cli config password <pass><br />
** backup <br />
tower-cli receive --all > assets.json</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=422
Ansible Howto
2019-02-17T17:24:59Z
<p>Tim: /* ansible advanced topics */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===<br />
<br />
== using ansible via cron in pull mode ==<br />
<br />
see https://github.com/ansible/ansible-examples/blob/master/language_features/ansible_pull.yml</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=421
Ansible Howto
2019-02-04T21:52:13Z
<p>Tim: /* on ubuntu older than 18.04 and debian (up to 9/stretch) */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=420
Ansible Howto
2019-02-04T21:52:02Z
<p>Tim: /* on ubuntu older than 18.04 and debian (up to 9/stretch) */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
as root:<br />
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo sudo apt-key adv --keyserver-options http-proxy=http://10.5.1.10:3128/ --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=419
Ansible Howto
2019-01-25T20:13:37Z
<p>Tim: /* prepare a client for ansible usage */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
<br />
install sudo (as root, if sudo does not exist)<br />
apt-get install sudo<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=418
Ansible Howto
2019-01-25T20:12:29Z
<p>Tim: /* installation */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ansible host ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=417
Ansible Howto
2019-01-20T19:45:51Z
<p>Tim: /* setup ssh shell */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
then add<br />
eval `keychain --eval id_rsa`<br />
to $HOME/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=416
Ansible Howto
2018-12-23T17:27:53Z
<p>Tim: /* prepare a client for ansible usage */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
=== Install python (if it does not already exist) ===<br />
sudo apt install python<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=415
Ansible Howto
2018-12-23T17:21:19Z
<p>Tim: /* setup ssh shell */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
Make ssh timeout resistant:<br />
tim@spike-vm:~$ cat .ssh/config <br />
Host *<br />
ServerAliveInterval 240<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=414
Ansible Howto
2018-12-09T18:57:03Z
<p>Tim: /* additional useful packages on (debian) clients */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on clients ===<br />
install acl package to make sure "become_user" works correctly in debian:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
install python (needed for Fedora clients):<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=413
Ansible Howto
2018-12-09T18:56:16Z
<p>Tim: /* additional useful packages on (debian) clients */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on (debian) clients ===<br />
install acl package to make sure "become_user" works correctly:<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=412
Ansible Howto
2018-12-09T18:29:24Z
<p>Tim: /* prepare a client for ansible usage */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
=== additional useful packages on (debian) clients ===<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
ansible debsrv1 -m package -a "name=python state=present" -b -K<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=411
Ansible Howto
2018-12-09T18:24:50Z
<p>Tim: /* Change setting: remove (deprecated) settings in config file only on specific os versions */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
== use case install package ==<br />
Install package "acl":<br />
ansible debsrv1 -m package -a "name=acl state=present" -b -K<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=410
Ansible Howto
2018-12-02T16:03:38Z
<p>Tim: /* Change setting: remove (deprecated) settings in config file only on specific os versions */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
pfad=44<br />
xcd=77<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
tim@spike-vm:~$ cat test.conf<br />
abc=123<br />
# removed deprecated config line "pfad=44"<br />
xcd=77<br />
<br />
playbook:<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=409
Ansible Howto
2018-12-02T16:01:47Z
<p>Tim: /* Change setting: remove (deprecated) settings in config file, on specific os version */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file only on specific os versions ===<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=408
Ansible Howto
2018-12-02T16:01:12Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
=== Add alias in .bashrc ===<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
=== Add new user "newuser" to sudo group ===<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
=== Change setting: remove (deprecated) settings in config file, on specific os version ===<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=407
Ansible Howto
2018-12-02T15:59:54Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add alias in .bashrc<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
Add new user "newuser" to sudo group:<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
Change setting: remove (deprecated) settings in config file, on specific os version:<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=406
Ansible Howto
2018-12-02T15:59:25Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add alias in .bashrc<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
Add new user "newuser" to sudo group:<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
Change setting: remove (deprecated) settings in config file:<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<pre><br />
tim@spike-vm:~$ cat /home/tim/ansi/comment-out-lines.yml <br />
---<br />
<br />
# expects variable regex to contain the string that matches the start of the config line<br />
# expects variable path to contain the filename<br />
# limited to debian version >= 9<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
<br />
- name: comment out config line<br />
lineinfile:<br />
backup=yes<br />
state=present<br />
path={{ path }}<br />
regexp='^({{ regex }}.*)'<br />
backrefs=yes<br />
line='# removed deprecated config line "\1"'<br />
when: ><br />
ansible_distribution == 'Debian'<br />
and<br />
ansible_lsb.major_release|int >= 9<br />
tim@spike-vm:~$ <br />
</pre><br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=405
Ansible Howto
2018-12-02T15:55:50Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add alias in .bashrc<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
Add new user "newuser" to sudo group:<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
Change setting: remove (deprecated) settings in config file:<br />
tim@spike-vm:~/ansi$ ansible-playbook -l debians /home/tim/ansi/comment-out-lines.yml -K -e "path=test.conf regex='pfad'"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=404
Ansible Howto
2018-12-02T13:16:26Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add alias in .bashrc<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
Add new user "newuser" to sudo group:<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
Change setting: remove deprecated settings in /etc/ssh/sshd_config file:<br />
ansible target-hostname -m lineinfile -a "state=absent backup=yes path=/etc/ssh/sshd_config regexp='^(ServerKeyBits.*)'" -K -b<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=403
Ansible Howto
2018-12-02T13:07:58Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add alias in .bashrc<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
Add new user "newuser" to sudo group:<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
Change setting: remove deprecated settings in /etc/ssh/sshd_config file:<br />
ansible "target host" -m lineinfile -a "backrefs=yes backup=yes dest=/etc/ssh/sshd_config regexp='^(ServerKeyBits.*)' line='# tmp, 2018-12-02, removed deprecated config line: \1'" -K -b<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=402
Ansible Howto
2018-12-02T13:05:17Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add alias in .bashrc<br />
ansible "target host" -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
Add new user "newuser" to sudo group:<br />
ansible "target host" -m lineinfile -a "backrefs=yes dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
<br />
Change setting: remove deprecated settings in /etc/ssh/sshd_config file:<br />
ansible "target host" -m lineinfile -a "dest=/etc/ssh/sshd_config regexp='^(ServerKeyBits.*)' line='# tmp, 2018-12-02, removed deprecated config line: \1'" -K -b<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=401
Ansible Howto
2018-11-21T19:44:37Z
<p>Tim: /* restarrt service */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restart service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=400
Ansible Howto
2018-11-21T19:38:22Z
<p>Tim: /* prepare a client for ansible usage */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
this can be automated later (with ansible working) using the following adhoc command:<br />
ansible all -m lineinfile -a "dest=/etc/sudoers state=present line='secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'" -b -K<br />
<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restarrt service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=399
Ansible Howto
2018-11-21T16:42:19Z
<p>Tim: /* ansible ad-hoc commands */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== restarrt service ==<br />
ansible spiegel -m service -a "name=puppet state=restarted" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=398
Ansible Howto
2018-11-21T16:36:36Z
<p>Tim: /* display os version */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=397
Ansible Howto
2018-11-21T16:36:25Z
<p>Tim: /* execute commands on remote hosts */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=396
Ansible Howto
2018-11-21T16:35:55Z
<p>Tim: /* ansible ad-hoc commands */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== execute commands on remote hosts ==<br />
=== execute simple command ===<br />
tim@spike-vm:~$ ansible spiegel -m command -a "ls -la"<br />
<br />
=== execute command as root via sudo ===<br />
tim@spike-vm:~$ ansible spiegel -m command -a "checkrestart" -b -K<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=395
Ansible Howto
2018-11-21T16:20:39Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <target> -m lineinfile -a "dest=/home/tim/.bashrc create=yes state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=394
Ansible Howto
2018-11-21T16:16:54Z
<p>Tim: /* use case edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
Add new user "newuser" to sudo group:<br />
ansible <target> -m lineinfile -a "dest=/etc/group regexp='^(sudo:x:27:)(.*)' line='\1newuser,\2'"<br />
Add alias in .bashrc<br />
ansible <traget> -m lineinfile -a "dest=/home/tim/.bashrc state=present line='alias ll=\'ls -l\''"<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=393
Ansible Howto
2018-11-21T15:27:36Z
<p>Tim: /* use case append to file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case add public key to authorized_keys ==<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=392
Ansible Howto
2018-11-20T21:16:51Z
<p>Tim: /* use case install apt package */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: "{{ package }}"<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=391
Ansible Howto
2018-11-20T21:15:03Z
<p>Tim: /* reboot / restart services that need it */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
For use of checkrestart, install package:<br />
sudo apt install needrestart<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=390
Ansible Howto
2018-11-20T21:14:25Z
<p>Tim: /* prepare a client for ansible usage */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
make sure root path is set correctly when executing command via sudo:<br />
grep secure_path /etc/sudoers<br />
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=389
Ansible Howto
2018-11-20T20:28:47Z
<p>Tim: /* use case gather system information */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== gather system information ==<br />
<br />
=== display os version ===<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=388
Ansible Howto
2018-11-19T22:20:26Z
<p>Tim: /* update and upgrade packages */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
<br />
=== reboot / restart services that need it ===<br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=387
Ansible Howto
2018-11-19T21:46:20Z
<p>Tim: /* ansible playbooks */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= simple ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=386
Ansible Howto
2018-11-19T21:45:08Z
<p>Tim: /* Change password for your own user on all targets */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=385
Ansible Howto
2018-11-19T21:44:08Z
<p>Tim: /* use cases edit file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use case edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== Change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=384
Ansible Howto
2018-11-19T21:43:55Z
<p>Tim: /* use cases append to file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use case append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use cases edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== Change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=383
Ansible Howto
2018-11-19T21:43:42Z
<p>Tim: /* use cases add file */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use case add file ==<br />
<br />
== use cases append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use cases edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== Change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=382
Ansible Howto
2018-11-19T21:43:23Z
<p>Tim: /* ansible playbooks */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible ad-hoc commands =<br />
<br />
== use case gather system information ==<br />
<br />
display os version:<br />
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"<br />
<br />
== use cases add file ==<br />
== use cases append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use cases edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
= ansible playbooks =<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== Change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim
http://howto.cactus.de/index.php?title=Ansible_Howto&diff=381
Ansible Howto
2018-11-19T21:42:39Z
<p>Tim: /* use case gather system information */</p>
<hr />
<div>= ansible first steps = <br />
<br />
== documentation ==<br />
* https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html<br />
* changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html<br />
<br />
== installation ==<br />
=== on ubuntu >= 18.04 ===<br />
sudo apt install ansible<br />
<br />
=== on ubuntu older than 18.04 and debian (up to 9/stretch) ===<br />
These systems ship with ansible versions older than 2.4. For apt module to work smoothly (e.g. autoremove) we really should have ansible 2.4 or above.<br />
<br />
<pre><br />
sudo echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" >> /etc/apt/sources.list<br />
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367<br />
sudo apt update<br />
sudo apt upgrade<br />
sudo apt install ansible<br />
</pre><br />
<br />
== prepare a client for ansible usage ==<br />
using user tim for ssh sessions, setting user up for sudo, ssh pub key auth<br />
<br />
as root user<br />
useradd -m tim -s /bin/bash<br />
passwd tim<br />
add user to sudo group<br />
grep sudo /etc/group<br />
sudo:x:<id>:tim<br />
allow sudo group to use all commands via sudo<br />
grep sudo /etc/sudoers<br />
%sudo ALL=(ALL:ALL) ALL<br />
<br />
from here in user context<br />
su - tim<br />
mkdir /home/tim/.ssh<br />
chmod 700 /home/tim/.ssh<br />
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys<br />
chmod 600 /home/tim/.ssh/authorized_keys<br />
<br />
== initial ansible serverconfig == <br />
=== fill /etc/ansible/hosts ===<br />
add all your hosts/groups to your /etc/ansible/hosts file<br />
<br />
<br />
=== setup ssh shell ===<br />
<br />
tim@spike-vm:~/ansi$ ssh-agent bash<br />
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa<br />
Enter passphrase for /home/tim/.ssh/id_rsa: <br />
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)<br />
tim@spike-vm:~/ansi$<br />
<br />
or better:<br />
sudo apt install keychain<br />
echo "eval `keychain --eval id_rsa`" >>/home/tim/.bashrc<br />
<br />
=== test client connectivity ===<br />
<br />
tim@spike-vm:~/ansi$ ansible itchy -m ping<br />
itchy | SUCCESS => {<br />
"changed": false, <br />
"ping": "pong"<br />
}<br />
tim@spike-vm:~/ansi$<br />
<br />
<br />
=== Logging ===<br />
Ansible has built-in support for logging. Add the following lines to your ansible configuration file:<br />
<br />
[defaults] <br />
log_path=/var/log/ansible.log<br />
<br />
and then run<br />
tim@spike-vm:~$ sudo touch /var/log/ansible.log<br />
tim@spike-vm:~$ sudo chmod 666 /var/log/ansible.log<br />
<br />
This simply logs the command line output to the file<br />
<br />
=== Debugging ===<br />
<br />
Use -v switch to see playbook stdout:<br />
<pre><br />
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v<br />
Using /etc/ansible/ansible.cfg as config file<br />
SUDO password: <br />
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected<br />
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected<br />
<br />
PLAY [all] *******************************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] *******************************************************************************************************************************<br />
ok: [itchy]<br />
...<br />
TASK [.deb do dist-upgrade] **************************************************************************************************************************<br />
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}<br />
</pre><br />
<br />
= ansible playbooks =<br />
<br />
== use cases add file ==<br />
== use cases append to file ==<br />
<br />
e.g. add public key to authorized_keys<br />
<br />
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX == tim@hostname'"<br />
<br />
== use cases edit file ==<br />
ansible all -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2<br />
<br />
== use cases debian/ubuntu sys management using apt ==<br />
<br />
=== update and upgrade packages ===<br />
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml <br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: .deb do dist-upgrade<br />
apt: ><br />
update_cache=yes<br />
cache_valid_time=1200<br />
upgrade=dist<br />
autoremove=yes<br />
purge=yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== autoremove unused packages ===<br />
This only works for ansible >=2.4.<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K<br />
<br />
tim@spike-vm:~/ansi$ cat apt-autoremove.yml<br />
<br />
<pre><br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: assert ansible version<br />
assert:<br />
that:<br />
- "{{ ansible_version.string is version_compare('2.4', '>=') }}"<br />
msg: Ansible 2.4 or above is required<br />
- name: Autoremove unused packages<br />
apt:<br />
autoremove: yes<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
</pre><br />
<br />
=== use case install apt package ===<br />
<br />
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"<br />
SUDO password: <br />
<br />
PLAY [all] *********************************************************************<br />
<br />
TASK [setup] *******************************************************************<br />
ok: [puppet]<br />
<br />
TASK [install package "apache2"] ***********************************************<br />
ok: [puppet]<br />
<br />
PLAY RECAP *********************************************************************<br />
puppet : ok=2 changed=0 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ cat apt-install.yml <br />
---<br />
<br />
- hosts: all<br />
become: yes<br />
tasks:<br />
- name: install package "{{ package }}"<br />
apt:<br />
name: apache2<br />
when: ><br />
ansible_distribution == 'Debian'<br />
or<br />
ansible_distribution == 'Ubuntu'<br />
<br />
== use case change passwords for linux systems ==<br />
<br />
To make password encryption work:<br />
apt install python-passlib <br />
<br />
=== Change password for your own user on all targets ===<br />
<pre><br />
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K<br />
SUDO password: <br />
Enter New Password: <br />
confirm Enter New Password: <br />
<br />
PLAY [all] ******************************************************************************************************************************<br />
<br />
TASK [Gathering Facts] ******************************************************************************************************************<br />
ok: [spike]<br />
<br />
TASK [Change password of calling user] **************************************************************************************************<br />
changed: [spike]<br />
<br />
PLAY RECAP ******************************************************************************************************************************<br />
spike : ok=2 changed=1 unreachable=0 failed=0 <br />
<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
playbook:<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-user-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of calling user<br />
user: name={{ lookup('env', 'USER') }} update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
=== change root password ===<br />
<br />
<pre><br />
tim@spike-vm:~/ansi$ cat change-root-password.yml <br />
---<br />
- hosts: all<br />
become: yes<br />
gather_facts: yes<br />
<br />
vars_prompt:<br />
- name: "new_password"<br />
prompt: "Enter New Password"<br />
private: yes<br />
encrypt: "sha512_crypt"<br />
confirm: yes<br />
salt_size: 7<br />
<br />
tasks:<br />
- name: Change password of root user<br />
user: name=root update_password=always password={{new_password}}<br />
tim@spike-vm:~/ansi$ <br />
</pre><br />
<br />
call with:<br />
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K<br />
<br />
<br />
= ansible advanced topics =<br />
<br />
== use case add firewall rule == <br />
<br />
=== iptables ===<br />
<br />
=== check point R80 API ===</div>
Tim