Author: admin

admin | May 25, 2021

How to create snapshots with Ansible (VMware)

Okay, so lots of folks ask me about this, and there are a number of ways you can do this.

But if you’re using vmware and redhat satellite for central patch management for your redhat environment.

Then depending on how you patch your systems. If you snapshot every group prior to patching. Then this post will be perfect for you.

Patching Processes:

1.Snapshot every vm in your group using ansible

2. Update your host content-views in satellite and clear yum caches –
– (these are not in this post) part 2

3.Patch all your servers using ansible – (these are not in this post) part 3

4..Reboot all your servers (these are not in this post) – part 4

5..Test to ensure they all came back up (these not in this post for now) part 5

Note: There is a step to change the content view of all your hosts and cleaning your yum repos on all the hosts. I have not written a post on this step yet, but you should obviously automate that. I will eventually get around to including it, when I have some time.

Pre-requisites: Assumed.

• Ansible 2.9 installed and configured with python3

• VMware Community modules configured

• VMware group variables previously defined for VMware deployments(Is helpful)

• VMware user/password configure with being able to create snaphots in either datacenters you have

Step by Step:

1.Create a roles directory inside /etc/ansible/roles

a.mkdir -p /etc/ansible/roles/create-snapshot/tasks

b.mkdir -p /etc/ansible/roles/create-snapshot/defaults

2.Now you want to create a task for the snapshots.

c.Inside /etc/ansible/roles/create-snapshot/tasks/

d.Create a file called main.yml

3.Add the following code and save the file

– name: Login into vCenter and get cookies

delegate_to: localhost

uri:

url: https://{{ vcenter_host }}/rest/com/vmware/cis/session

force_basic_auth: yes

validate_certs: no

method: POST

user: ‘{{ vcenter_username }}’

password: ‘{{ vcenter_password }}’

register: login

Note: Okay so what we want to do is find the virtual machine in vsphere by name and then grab its folder value and pass it as a variable so you don’t need to define it statically in your host_var. The main reason is, say you deployed a vm and months later moved it to another folder, your code will likely have the origin folder which would be annoying, and the ansible documentation doesn’t really cover this approach, you basically figure it out as you do it. So im going to save you all time. Here is how you do it. The below will gather vm_facts based on the inventory_hostname

– name: Find Guest’s Folder using name

vmware_guest_find:

hostname: “{{ vcenter_host }}”

username: “{{ vcenter_username }}”

password: “{{ vcenter_password }}”

validate_certs: no

name: “{{ inventory_hostname }}”

delegate_to: localhost

ignore_errors: true

register: vm_facts

Note: It will than gather those facts and find the folder value. You then register the facts to a variable “vm_facts” Now it will spit out what it finds when you do –vvvv when you do your play. From there you can see the folder setting. You now want to set that that folder setting as its own variable that you can pass to another task as indicated below.

ok: [ansible-server] => {

“changed”: false,

“folders”: [

“/SysUnix/Teststuff“

“invocation”: {

“module_args“: {

“datacenter“: null,

“hostname”: “vmware.nicktailor.com“,

“name”: “ ansible-server“,

“password”: “VALUE_SPECIFIED_IN_NO_LOG_PARAMETER”,

“port”: 443,

“proxy_host“: null,

“proxy_port“: null,

“use_instance_uuid“: false,

“username”: “admin“,

“uuid“: null,

“validate_certs“: false

}

– name: “vm_folder – setting folder value”

set_fact:

folder : “{{ vm_facts.folders }}”

Note: So you can see that the facts has a sub fact called “folders”. We want to pass that by setting that value as its own variable by making it a fact. Ansible way to set variables is setting facts. So we make that value above into a variable “vm_facts.folders” and then pass that into the next task where it asks for folders. This will get around the having to provide the exact folder the vm_resides to create snapshotting for an array of hosts.

– name: Create Snapshot

vmware_guest_snapshot:

hostname: “{{ vcenter_host }}”

username: “{{ vcenter_username }}”

password: “{{ vcenter_password }}”

datacenter: “{{ vcenter_dc }}”

validate_certs: no

name: “{{ inventory_hostname }}”

state: present

snapshot_name: “Ansible Managed Snapshot”

folder: “‘{{ vm_facts.folders }}'”

description: “This snapshot is created by Ansible Playbook”

delegate_to: localhost

4.Save the file

5.You can either have group_vars set up for individual datacenters, but for now just define the variables under /etc/ansible/roles/create-snapshot/defaults

Note: You will likely have a group_var from you vmdeploy role that you can use for here.

e.Create a file called main.yml and the following variables

vcenter_username: admin

vcenter_password: should be vault encrypted variable

vcenter_host: vmware.nicktailor.com

vcenter_dc: London

f.Save the file

• Note: Ensure your host “nicktest1” is listed in your inventory host file.
/etc/ansible/inventory/TEST/hosts

Run your playbook: from /etc/ansible

1.ansible-playbook –i inventory/TEST/hosts justcreatevmsnap.yml –ask-vault-pass –limit=’nicktest1‘

Playbook log:

[root@ansible–server]# ansible-playbook –i inventory/TEST/hosts justcreatevmsnap.yml –ask-vault-pass –limit=’nicktest1‘

Vault password:

PLAY [all] **********************************************************************************************************************************

TASK [create_snapshot : Login into vCenter and get cookies] *********************************************************************************

ok: [nicktest1]

TASK [create_snapshot : Find Guest’s Folder using name] *************************************************************************************

ok: [nicktest1]

TASK [create_snapshot : vm_folder – setting folder value] ***********************************************************************************

ok: [nicktest1]

TASK [create_snapshot : Create Snapshot] ****************************************************************************************************

ok: [nicktest1]

PLAY RECAP **********************************************************************************************************************************

nicktest1 : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

2.Go log into vsphere and check to see the vm has a snapshot name “ansible created snapshot” if it does it worked.

Note: This uses the snapshot name to create. If another snapshot exists with a different name it will ignore it entirely. If you pass snapshot variable with another name and run the book again, it will create another snapshot. The same applies to removing snapshots, it will remove based on the name. We will cover that in my post to remove snapshots.

admin May 25, 2021 Ansible, Snapshots, vmwareNo Comments »

admin | May 9, 2021

How to Create a New Host in Foreman with Ansible

Okay…this one was quite difficult to find online. Seems like the ansible documentation for the foreman module was seriously lacking or not kept up to date by anyone. I searched for awhile to see if anyone had an actual working model of it.
Not even in the ansible chat rooms did anyone know….which was weak.

So I spent some time getting this to work smoothly, and you will probably not find anywhere else on the web on how to do this. If you do show me….so I can kick myself.

Lets get dangerous then. 😊

Step by step:

Foreman – Already setup and your “computer resource” is hooked in (VMware)
Note: The compute profile(vmware) when hooked in, will also trigger a new vm creation in vsphere prepped to do DHCP. You can combine variables from vmware_guest module and this module as they require similar variables to be passed. To setup a one stop shop to deploy in foreman and vmware with just using ansible. Iv done this already…..

Special notes: The foreman I had setup did not have organisation or location configured. This caused the module to not function properly and I had to contact one of the developers who helped me patch the code so I didn’t require them to be configured or defined. Which I will show you all how to do.

Ansible – Assuming you have it setup and working with python 2.7 not sure this module will work with python 3. Havent tried that yet…..

Module – TheForeman Collection

1.To install it

a.ansible-galaxy collection install theforeman.foreman

b.edit ansible.cfg file and add the following lines.

Note: You can find the locations of these certs on foreman server. You will to copy them over to ansible for the callback to work properly. However, it is not needed to complete the host creation, you likely just see an error at the end of the play.

[callback_foreman]

url = ‘http://foreman-1.tdr.corp-apps.com’

ssl_cert = /etc/foreman-proxy/ssl-cert.pem

ssl_key = /etc/foreman-proxy/ssl-pvt.pem

verify_certs = /etc/foreman-proxy/ssl-ca

Okay once installed you. If you look at the ansible documentation on how to manage hosts using this module…from redhat.

It utterly useless…and will not work if you try to use the examples below.

https://people.redhat.com/evgeni/fam-antsibull/plugins/host_module.html

– name: “Create a host”

host:

username: “admin”

password: “changeme“

server_url: “https://foreman.example.com”

name: “new_host“

hostgroup: my_hostgroup

state: present

2.Okay now since my foreman is not configured with Organisation and Locations. I had to patch the python code with the help of one of contributing authors of the module.

3.Apply the following patch.

.The fix was to avoid trying to touch a specific resource that is only available when you have Org/Loc enabled.

diff –git plugins/module_utils/foreman_helper.py plugins/module_utils/foreman_helper.py

index 432c76df..c9a3abda 100644

— plugins/module_utils/foreman_helper.py

+++ plugins/module_utils/foreman_helper.py

@@ -396,8 +396,9 @@ class ForemanAnsibleModule(AnsibleModule):

_host_update = next(x for x in _host_methods if x[‘name’] == ‘update’)

for param in [‘location_id‘, ‘organization_id‘]:

– _host_update_taxonomy_param = next(x for x in _host_update[‘params’] if x[‘name’] == param)

– _host_update[‘params’].remove(_host_update_taxonomy_param)

+ _host_update_taxonomy_param = next((x for x in _host_update[‘params’] if x[‘name’] == param), None)

+ if _host_update_taxonomy_param is not None:

+ _host_update[‘params’].remove(_host_update_taxonomy_param)

@_check_patch_needed(fixed_version=’2.0.0′)

def _patch_templates_resource_name(self):

4.Once this patch is implemented. You will need a role that has all the correct variables to pass to your foreman in order for it to be able create a host without erroring.

Trick: with ansible you can write some of the code and run the playbook and if there are missing variables it will tell you what they are.

fatal: [testnick1]: FAILED! => {

“changed”: false,

“invocation”: {

“module_args“: {

“activation_keys“: null,

“architecture”: null,

“build”: null,

“comment”: null,

“compute_attributes“: null,

“compute_profile“: null,

“compute_resource“: null,

“config_groups“: null,

“content_source“: null,

“content_view“: null,

“domain”: null,

“enabled”: null,

“environment”: null,

“hostgroup“: “my_hostgroup“,

“image”: null,

“interfaces_attributes“: null,

“ip“: null,

“kickstart_repository“: null,

“lifecycle_environment“: null,

“location”: null,

“mac”: null,

“managed”: null,

“medium”: null,

“name”: “testnick1”,

“openscap_proxy“: null,

“operatingsystem“: null,

“organization”: null,

“owner”: null,

“owner_group“: null,

“parameters”: null,

“password”: “VALUE_SPECIFIED_IN_NO_LOG_PARAMETER”,

“provision_method“: null,

“ptable“: null,

“puppet_ca_proxy“: null,

“puppet_proxy“: null,

“puppetclasses“: null,

“pxe_loader“: null,

“realm”: null,

“root_pass“: null,

“server_url“: “http://foreman-1.nictailor.com/”,

“state”: “present”,

“subnet”: null,

“subnet6”: null,

“username”: “ntailor“,

“validate_certs“: true

}

“msg“: “The hostname must be FQDN”

}

PLAY RECAP ************************************************************************************************************************************************************************

testnick1 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

5.Okay so once you get all the variables. Its just a matter of playing around until you’re able to get to work.

c.Mkdir a directory inside /etc/ansible/roles

i.mkdir ansible-provision-foreman

d.Inside the directory create two directories (defaults & tasks)

ii.Mkdir defaults && mkdir tasks

6.Now inside the tasks directory, create a file called main.yml and insert the code below

e.vi main.yml

Create a Host: This code is what you need for this module to work.

– name: “Create a host”

theforeman.foreman.host:

username: “{{ foreman_user }}”

password: “{{ vcenter_password }}”

server_url: “{{ server_url }}”

name: “{{ inventory_hostname }}”

hostgroup: “{{ host_group }}”

managed: no

build: no

compute_profile: “{{ compute_profile }}”

compute_resource: “{{ computer_resource }}”

compute_attributes:

cpus: “{{ vm_cpu_count }}”

memory_mb: “{{ vm_memory }}”

interfaces_attributes:

– type: “interface”

primary: true

compute_attributes:

name: nic1

network: “{{ vm_vlan_name }}”

interface: “{{ vm_interface }}”

subnet: “{{ vm_subnet }}”

ip: “{{ vm_ip }}”

domain: “{{ domain }}”

provision: yes

operatingsystem: “{{ operating_system }}”

medium: “{{ medium }}”

architecture: x86_64

pxe_loader: PXELinux BIOS

puppet_ca_proxy: “{{ puppet_ca_proxy }}”

puppet_proxy: “{{ puppet_proxy }}”

root_pass: “{{ root_pass }}”

environment: tdr

# ptable: Centos – LVM – / , swap

ptable: “{{ ptable }}”

# owner: unix

state: present

validate_certs: false

delegate_to: localhost

– name: “Switch host on”

theforeman.foreman.host_power:

username: “{{ foreman_user }}”

password: “{{ foreman_password }}”

server_url: “{{ server_url }}”

hostname: “{{ inventory_hostname }}”

state: on

validate_certs: false

delegate_to: localhost

f.save file.

7.Okay so next want now want to pass the basic defaults for new host creating. How we do that is define what those are under defaults. These variables wont change

g.Cd ../defaults

h.Vi main.yml

Note: You can find all these variables inside foreman GUI with a bit of digging.

foreman_user: Reptilianfilth
foreman_password: { generally want a ansible vault password }
compute_profile: vmware
computer_resource: vcenter.nic.internal
domain: nic.internal
medium: 7.8-CentOS
puppet_ca_proxy: puppet-2.nic.internal
puppet_proxy: puppet-2.nic.internal

i.Save file

8.Okay now we want to pass the host specific variables for new host creations and or vm deployments.

j.Move into to your /etc/ansible/inventory/{{environment}}/host_vars directory

iii.CD /etc/ansible/inventory/{{environment}}/host_vars

iv.Create a file called testserver

v.Vi testserver

#VM creation variables

vm_network: niccorp-192.168.65_corp

vm_interface: VMXNET3

vm_subnet: 192.168.65.0

vm_ip: 192.168.65.103

domain: nic.internal

managed: no

host_group: Base-Server/Centos-7.8.2003

operating_system: Centos 7.8.2003

ptable: Centos – LVM – / , swap

root_pass: changemetwiceaday

medium: 7.8-CentOS

k.Past the above and save the file

Special Note: Now if you wanted to have it so you can use foreman module or vmware_guest module combining the variables names between the modules.

You can do as below. You will need to ensure the variables match but it works. You can get around having to rely on DHCP with this.

#VM creation variables foreman and vmware together

vm_vlan_name: nic_192.168.44_db_stor2

vm_datastore: esx_nicrcorp

vm_dvswitch: VDS-nic-Corporate

vm_interface: VMXNET3

vm_subnet: 192.1268.44.0

vm_ip: 192.168.44.14

vm_netmask: 255.255.255.0

vm_gateway: 192.168.44.254

vm_dns_servers: [192.168.1.1]

vm_dns_suffix: nic.internal

vm_cpu_count: 4

vm_memory: 16384

vm_state: poweredon

vm_connected: true

domain: tdr.internal

managed: no

host_group: Base-Server/Centos-7.8.2003

operating_system: Centos 7.8.2003

ptable: Centos – LVM – / , swap

root_pass: changemetwiceaday

medium: 7.8-CentOS

9.Next you need to ensure your host are listed in your inventory host file

l.vi ../hosts

m.testnick3.nic.internal

10.save file

Before you to start one last thing. If you remember in the defaults we outlined

compute_profile: vmware
(this is the foreman profile it will use, so whatever defaults you have set for network and disksize here is what will be used to trigger foreman to create a host in vcenter, so it good to go check this in foreman first.)

.Run playbook: from /etc/ansible

[root@nick ansible]# ansible-playbook –i inventory/TDR/hosts foremancreatehost.yml –ask-vault-pass –limit ‘testnick3.tdr.internal’

Vault password:

PLAY [all] **********************************************************************************************************************************************

TASK [ansible-provision-foreman : Create a host] ********************************************************************************************************

changed: [testnick3.tdr.internal]

PLAY RECAP *******************************************************************************************************************************************************************************

testnick3.tdr.internal : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

403 Client Error: Forbidden for url: http://foreman-1.nic.corp.com/api/v2/reports (if you see this, just ignore it) Its just callback report.

admin May 9, 2021 Ansible, Red Hat SatelliteNo Comments »

admin | April 30, 2021

HOW TO CHECK CPU, MEMORY, & DISKS THRESHHOLDS on an ARRAY of HOSTS.

So I was tinkering around as usual. I thought this will come in handy for other engineers

If you a large cluster of servers that can suddenly over night loose all its MEM,CPU,DISK due to the nature of your businesses. Its difficult to monitor that from a GUI and on an array of hosts more often than not.

Cloud Scenario……

Say you find a node that is dying because too many clients are using resources and you need migrate instances off to another node, only you don’t know which nodes have the needed resources without having to go look at all the nodes individually.

This tends be every engineers pain point. So I decide to come up with quick easy solution for emergency situations, where you don’t have time to sifting through alert systems that only show you data on a per host basis, that tend to load very slowly.

This bash script will check the CPU, MEM, DISK MOUNTS (including NFS) and tell which ones are okay and which ones are

CPU – calculated by the = 100MaxThrottle – Cpu-idle = CPU-usage
note: it also creates a log /opt/cpu.log on each host

MEM – calculate by Total Mem / Used Memory * 100 = Percentage of Used Memory
note: it also creates a log /opt/mem.log on each host

Disk – Any mount that reaches the warn threshold… COMPLAIN

Now, itemised the bash script so you can just comment out item you don’t want to use at the bottom of the script if you wanted to say just check CPU/MEM

#Written By Nick Tailor

#!/bin/bash

now=`date -u -d”+8 hour” +’%Y-%m-%d %H:%M:%S’`

#cpu use threshold

cpu_warn=’75’

#disk use threshold

disk_warn=’80’

#—cpu

item_cpu () {

cpu_idle=`top -b -n 1 | grep Cpu | awk ‘{print $8}’|cut -f 1 -d “.”`

cpu_use=`expr 100 – $cpu_idle`

echo “now current cpu utilization rate of $cpu_use $(hostname) as on $(date)” >> /opt/cpu.log

if [ $cpu_use -gt $cpu_warn ]

then

echo “cpu warning!!! $cpu_use Currently HIGH $(hostname)”

else

echo “cpu ok!!! $cpu_use% use Currently LOW $(hostname)”

}

#—mem

item_mem () {

#MB units

LOAD=’80.00′

mem_free_read=`free -h | grep “Mem” | awk ‘{print $4+$6}’`

MEM_LOAD=`free -t | awk ‘FNR == 2 {printf(“%.2f%”), $3/$2*100}’`

echo “Now the current memory space remaining ${mem_free_read} GB $(hostname) as on $(date)” >> /opt/mem.log

if [[ $MEM_LOAD > $LOAD ]]

then

echo “$MEM_LOAD not good!! MEM USEAGE is HIGH – Free-MEM-${mem_free_read}GB $(hostname)”

else

echo “$MEM_LOAD ok!! MEM USAGE is beLOW 80% – Free-MEM-${mem_free_read}GB $(hostname)”

}

#—disk

item_disk () {

df -H | grep -vE ‘^Filesystem|tmpfs|cdrom’ | awk ‘{ print $5 ” ” $1 }’ | while read output;

echo $output

usep=$(echo $output | awk ‘{ print $1}’ | cut -d’%’ -f1 )

partition=$(echo $output | awk ‘{ print $2 }’ )

if [ $usep -ge $disk_warn ]; then

echo “AHH SHIT!, MOVE SOME VOLUMES IDIOT…. \”$partition ($usep%)\” on $(hostname) as on $(date)”

done

}

item_cpu

item_mem

#item_disk – This is so you can comment out whole sections of the script without having to do the whole section by individual lines.

Now the cool part.

Now if you have a centrally managed jump host that allows you to get out from your estate. Ideally you would want to setup ssh keys on the hosts and ensure you have sudo permissions on the those hosts.

We want to loop this script through an array of hosts and have it run and then report back all the findings in once place. This is extremely handy if your in resource crunch.

This assumes you have SSH KEYS SETUP & SUDO for your user setup.

Create the script

1.On your jump host as your “user” not root

a.vi coolchecks.sh

b.Copy the above code and paste

c.Save the file

2.Next chmod the permission to executable

d.chmod +x coolcheck.sh

3.Create a servers.txt file

e.vi servers.txt

f.List out servers in a column

Server1
Server2
Server3
Server4

g.Save the file.

4.Now we want to loop that through the list of servers and then have it spit out the results and pipe the information to a file on the jumps host.

Run your forloop with ssh keys and sudo already setup.

1.for HOST in $(cat servers.txt); do ssh $HOST “sudo bash -s” < coolcheck.sh; done 2>&1 | tee -a cpumem.status.DEV

Logfile – cpumem.status.DEV – will be the log file that has all the info

Output:

cpu ok!!! 3% use Currently dev1.nicktailor.com

17.07% ok!! MEM USAGE is beLOW 80% – Free-MEM-312.7GB dev1.nicktailor.com

5% /dev/mapper/VolGroup00-root

3% /dev/sda2

5% /dev/sda1

1% /dev/mapper/VolGroup00-var_log

72% 192.168.1.101:/data_1

28% 192.168.1.102:/data_2

80% 192.168.1.103:/data_3

AHH SHIT!, MOVE SOME VOLUMES IDIOT…. “192.168.1.104:/data4 (80%)” on dev1.nicktailor.com as on Fri Apr 30 11:55:16 EDT 2021

Okay so now I’m gonna show you a dirty way to do it, because im just dirty. So say your in horrible place that doesn’t use keys, because they’re waiting to be hacked by password. 😛

DIRTY WAY – So this assumes you have sudo permissions on the hosts.

Note: I do not recommend doing this way if you are a newb. Doing it this way will basically log your password in the bash history and if you don’t know how to clean up after yourself, well………………….you’re going to get owned.

I’m only showing you this because some cyber security “folks” believe that not using keys is easier to deal with in some parallel realities iv visited… You can do the exact same thing above, without keys. But leave massive trail behind you. Hence why you should use secure keys with passwords.

Not Recommended for Newbies:
Forloop AND passing your ssh password inside it.

2.for HOST in $(cat servers.txt); do sshpass -p’SHHPASSWORD!‘ ssh -o ‘StrictHostKeyChecking no’ -p 22 $HOST “sudo bash -s” < coolcheck.sh; done 2>&1 | tee -a cpumem.status.DEV

Log file – cpumem.status.DEV – will be the log file that has all the info

Output:

cpu ok!!! 3% use Currently dev1.nicktailor.com

17.07% ok!! MEM USAGE is beLOW 80% – Free-MEM-312.7GB dev1.nicktailor.com

5% /dev/mapper/VolGroup00-root

3% /dev/sda2

5% /dev/sda1

1% /dev/mapper/VolGroup00-var_log

72% 192.168.1.101:/data_1

28% 192.168.1.102:/data_2

80% 192.168.1.103:/data_3

AHH SHIT!, MOVE SOME VOLUMES IDIOT…. “192.168.1.104:/data4 (80%)” on dev1.nicktailor.com as on Fri Apr 30 11:55:16 EDT 2021

.

admin April 30, 2021 Centos, Linux, MonitoringNo Comments »

admin | January 9, 2021

How to deploy Open-AKC(Authorized Key Chain)

Acting as a centralised trust management platform:

By allowing the “authorized_keys” mechanism on the hosts to be completely disabled, OpenAKC

permits SSH trust across an entire estate to be managed (with rich control and monitoring features)

centrally by “systems administration” or “information security” staff. This means that users, or

application developers etc. cannot add or remove trust relationships, effectively enforcing any

whitelist or approval process you might want to establish for the creation of trust relationships

within an estate.

A practical ‘Jump Host’:

Having worked in many Linux environments, the author of the software has seen a number of ‘jump

host’ solutions using dubious mechanisms such as “sudo” and others used to map users from AD or

LDAP directories to SSH trust relationships using shared private keys etc. and these solutions are

almost universally highly insecure.

OpenAKC implements a new approach and acts as an “drop in” upgrade for a legacy solution by simply migrating users to personal rather than sharedkeys with a “self service” key management mechanism. Requiring personal keys have pass phrases ensures increased security, and avoids ad-hoc automation from user accounts. The system provides rich control and monitoring features, while users can use familiar tools with little to no disruption to their workflow.

The problems everyone thinks about, but never finds a good solution.

• Root access to my servers so that everything is auditable

• How to handle Identity Access Management(IAM) without joining every server to the domain.
The problem with joining every server to the domain:

◦ If I were to gain access using your AD user. I could then browse /home and find any user accounts that logged as admin, which I can then brute force attack to gain root.

◦ I can also use ‘id’ to see which groups this user is attached to leaving me open to other forms or attacks and holes.

◦ As soon as someone sudo’s to root. There is zero control on limiting what this root user can do. Which is a huge problem when getting compromised. Every key stroke is not logged and if you have multiple people sudo as root at the same time the logs can get blurry.

• Imagine…having the ability to give your admins root but also tying the root user’s hands from doing certain things that you deem too sensitive any one outside of the security team to do.

• Imagine not having to join every server to the domain but still have root access controls

• Imagine being able to eliminate user/pass login entirely

• Imagine being able to deploy this faster than ldap or sssd across multiple distros.

Well guess what….this is exactly what im talking about today. This architecture does take a few steps and time to understand its inner workings but security wise trumps anything out there currently being used by most folks.

This is a overview of a simplified architecture. This can be scaled out to new or legacy environment using many distros without interruption.

Combined jump host/security server architecture: This approach is generally used when it’s a small group managing things:

Benefits: The advantage here is your security server and your jumphost are on the same server. If you’re admin team is also managing the security then this approach is ideal because when diagnosing and editing role rules everything is in one place. Another key benefit… There are only couple client packages that are deployed on client machines upon deployment the client is already brought into the trust, so no additional work is required to bring it in.

Cons: If your jumphost goes down, so does your security server. Now this can be scaled out so there are two servers if one is unavailable it tries the second. But if you have one this could be a single point of failure. Keep in mind this is a VM and would takes seconds to bring back up, so durability is very good from a infrastructure stand point..

Or the alternative:

A Segregated jumphost/security server architecture: This approach is generally used when you have large groups and large infrastructure managing things.

Benefits: Now the advantage here is if you have a multiple groups and need to tighten the security. You can have a your security server and your jump hosts segregated. These two machines are the only two machines that talk you AD. You have roles setup on the security server. If your user is listed in the role on the security server and your apart the AD group that is allowed to login via ssh.

The security server will allow you to login as root via registered ssh keys. You can also strip away “roots” abilities, and every keystroke is logged per user on the security server. A key benefit here is that because the client machines are not joined to the domain. A hacker would never be able to determine information that leads to the heart of your network such as AD, the groups setup, and any of its users. The other benefit is the jump hosts are easily deployed as needed and ready to go if needed. Since the security stuff is not local, the jump host is also secured.

Cons: If your security servers are not functioning and you have disabled user/pass. You will be locked out unless you single user. However this is easily fixed by setting up a strong root/pass that can bypass all security and only give this to one person, such as your manager or someone in secureops. Which would be only used ever used in an extreme dire situation. I have yet to see this ever required once this is implemented correctly.

Special Features:

• You can setup incident logging for production machines. (eg, Service now ticketing).

◦ Incident#, RFC#, Jira, brief description.

• You can make it so that root can not change any file that an immutable flag. Thus protecting key files, this is just one of the many attributes you can give or remove from root.

How to deploy Segregated jumphost/security server architecture:

Okay so the first thing we want to do is setup our security server host to Active Directory. The reason for this is we want to be able to setup centralised user management coupled with using authorised keys to jump to client machines.

Centos 7

• This post assumes you have already deployed two centos 7 machines. Don’t use centos 8 because. Redhat recently decided to screw everyone and kill the centos project. Centos 7 will have updates till 2024.

• This post also assumes you have active directory setup and you have a user inside linuxgroups of somekind.

Note: make sure you disable firewalld and selinux on your machine. Just a extra layer that not needed and only serves to tie your own hands behind your own back.

1.Join centos 7 to an existing domain

Install the following packages will be be using sssd/kerebros

a.yum install oddjob realmd samba samba-common oddjob-mkhomedir sssd adcli

2.Next you want to edit your /etc/resolv.conf so that it has one of the nameservers as your AD server. This is so it can resolve the necessary dns records.

b.Vi /etc/resolv.conf

• Nameserver 192.168.1.300

• Nameserver 192.168.1.301

3.Now you need to discover the realm by searching for the name of your AD host

c. realm discover AD.NICKTAILOR.COM (this is case sensitive)

[root@securityack1 ~]# realm discover AD.NICKTAILOR.COM

ad.nicktailor.com

type: kerberos

realm-name: AD.NICKTAILOR.COM

domain-name: ad.nicktailor.com

configured: kerberos–member

server-software: active-directory

client-software: sssd

required-package: oddjob

required-package: oddjob-mkhomedir

required-package: sssd

required-package: adcli

required-package: samba-common-tools

4.You now want to join your jump host to the domain

d.realm join –user=admin ad.nicktailor.com
it will ask you for the AD admin password, enter it and it should go to the next prompt. This step will create the all the necessary files /etc/sssd/sssd.conf /etc/krb5.conf /etc/smb.conf file you need.

e.if it works you can check it by

• id nicktailor@ad.nicktailor.com

1.you can set it in the /etc/sssd/sssd.conf So you don’t need the @ad.nicktaior.com when your run your ‘id’

5.Now we want to add nicktailor user to sudo on the wheel

f.usermod –aG sudo nicktailor

6.Now you we want to install the openAKC repository

g.curl https://netlore.github.io/OpenAKC/repos/openakc-el7.repo | sudo tee /etc/yum.repos.d/openakc.repo

h.Now install the openakc package for the jump host

yum install openakc-server

i.Next change su to the user account your going to make admin on the security server

· Su nickatilor

j.You want to generate new ssh keys

• ssh-keygen -t rsa

k.Now you want to register that key to openakc security server

• openakc register

· cd /home/nicktailor/.openakc/

· ls -al /home/nicktailor/.openakc/

• check to see if the openakc-user-client-nicktailor–pubkey.pem is there

l.Copy the key to the security keys holding (might have do this as root

• cp openakc-user-client-nicktailor–pubkey.pem /var/lib/openakc/keys/

Example:

[nicktailor@security1 ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/nicktailor/.ssh/id_rsa):

/home/tailorn/.ssh/id_rsa already exists.

Overwrite (y/n)? y

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/nictailor/.ssh/id_rsa.

Your public key has been saved in /home/nicktailor/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:udhNKEp0txzfup7IxhUwNA+VSviWP1mu/aKPA5vZb3w tailorn@jumphost1.nicktailor.com

The key’s randomart image is:

+—[RSA 2048]—-+

| o+… |

| . ++. |

| . .oo=. |

| . . o=*… |

| . ..S.o=. |

| . . +.+=.. |

| . ..oBo= |

| .*.++= E |

| .o.**o+. |

+—-[SHA256]—–+

[nicktailor@jumphost1 ~]$ openakc register

This program comes with ABSOLUTELY NO WARRANTY; see “license” option.

This is free software, and you are welcome to redistribute it

under certain conditions; See LICENSE file for further details.

Passphrase is requested to ensure you own this key.

Enter passphrase:

Escalating to perform API call

Connected to OpenAKC server. Sending key registration request

OK: Request processed

7.Now we want to setup a role on the security server for the new user while you are su’d to nicktailor still.

• openakc editrole root@DEFAULT

8.You will also need to copy the key you created to the jumphost or you can just create another on the jump host and then copy it over the security server.

m.ssh-copy-id –i ~/.ssh/id_rsa.pub root@192.168.1.200

Here you will create a role block that will allow said user to jump to any client so long as your key is registered the openakc security server.

RULE=2020/01/13 19:17,2030/01/13 20:17,user,nicktailor

DAY=any

TIM=any

SHELL=/bin/bash

CMD=any

SCP=s,^/,/data/,g

CAP=cap_linux_immutable

REC=yes

FROM=any

RULE=2020/01/13 19:17,2030/01/13 20:17,group,linuxusers

DAY=any

TIM=any

SHELL=/bin/bash

CMD=any

SCP=s,^/,/data/,g

CAP=cap_linux_immutable

REC=yes

FROM=any

• Save the file

Note: The CAP section allows you to disable root abilities there is a long list of things. This particular one. Disables root from being able to edit any file with an immutable flag. So all your root users can not change these types of file eve as root.

You starting to see why this is how you do shit? Think for yourselves not because someone else said that best practice. Jeez…

Note: this is just a development setup I am doing for you. It can be scaled with two security servers using gluster of nfs to share the files system. This server will be what all the clients check with before allowing anyone to enter. They will need to first exist in AD and then their root key will need to be registered here, and then they will need to be allowed in the appropriate role and sssd and ssh groups before they can get in. This also eliminate the need to join any clients to the domain and protects against any hacker from being able to query the domain controller for user groups and if users exist. The would of also needed to get on to the jump host, have your key and also know your root passphrase. Unlikely going to happen

Okay now were going to setup the jumphost jump1.nickatilor.com

Note: You can have as many jumphosts as you like. This should be the only entry point to your servers. The jump host also talks to the security server. So even if you tried to go directly the server. You couldn’t since its only allowed from here. This is how you set shit up so you don’t end up like solarwinds and so many other idiots who follow rules old and out of date rule blindly.

1.First thing we wan to do is add the the repository on the jump host.

Note: You also add this server to the domain. So please follow the joining of the domain setups from above and then carry on from here.

• curl https://netlore.github.io/OpenAKC/repos/openakc-el7.repo | sudo tee /etc/yum.repos.d/openakc.repo

2.Now you want to install the openakc-tools package on the jumphost

a.yum install openakc–tools

3.Now edit the /etc/openakc/openakc.conf

APIS=”nickack1.nicktailor.com“

PORT=”889″

4.Now login in as nicktailor or su as nicktailor to allow sssd to create the home directory.

b.su ntailor

c.copy over the key from the security server logged in from the security server

ssh-copy-id –i ~/.ssh/id_rsa.pub root@192.168.1.200

5.Now while you are nicktailor on the jump host your going to be a ping to ensure its communication is working:

[nicktailor@jumphost1 keys]$ openakc ping

This program comes with ABSOLUTELY NO WARRANTY; see “license” option.

This is free software, and you are welcome to redistribute it

under certain conditions; See LICENSE file for further details.

Connected to OpenAKC server. Sending Test Run Ping Message

Test Run Response – OK: Pong! – from server – securityakc1.nicktailor.com

If you see that above that is a good sign

Now were going to add a client machine so you jump to it. This is the easiest part. So say you have a bunch of legacy systems and you want to centralise login without joining to the domain, you want everyone who using root to be tracked by logging every keystroke and logging what incident they logged in for to use root.

1.Logged on to the client machine as root

• Add the openack repo

curl https://netlore.github.io/OpenAKC/repos/openakc-el7.repo | sudo tee

/etc/yum.repos.d/openakc.repo

2.Next install openakc client package, now this is confusing because he didn’t add client next to the package. If you install the wrong one it’s a bitch to clean up so get right the first time…lol

a.yum install openakc

3.Tell it where the security server lives by editing this file and saving it

vi /etc/openakc/openakc.conf

APIS=”192.168.1.200“

ENABLED=”yes”

PORT=”889″

CACHETIME=”60″

DEBUG=”no”

PERMITROOT=”yes”

AUDIT=”yes”

QUIZ=”no”

HIDE=”restrict”

FAKESUDO=”yes”

Note: Quiz if you set it to yes. When you log into root it will ask for a service now ticket number and description which will get logged on the security server.

4. save the file

That’s it!….

Now if you go back the jump host and try to log in

[@jumphost1 ~]$ ssh root@192.168.1.38

Enter passphrase for key ‘/home/nicktailor/.ssh/id_rsa‘:

OpenAKC (v1.0.0~alpha18-1.el7) – Interactive Session Initialized

[root@nickclient1 ~]#

This is session is now being logged and and you can not see if the user belongs to the domain

[root@nickclient1 ~]# id nickatilor

id: nicktailor: no such user

This is how you setup security like pro. Hope you enjoyed this.

Hope you enjoyed this.

Special thank you the author of the project “James Lewis” I enjoyed learning this and am a big fan of the innovation behind the open-akc project.

How to add new users:

1.Add user to the active directory and said linux group

2.Login vi ssh to the jump host

3.Create an ssh key as your new user

a.Ssh-keygen -t rsa with a passphrase

4.Register key to openakc while on the jumphost

b.Openakc register

That’s it your done. Now the new user is able to login into the estate via ssh from the jump host.

admin January 9, 2021 Linux, SecurityNo Comments »

admin | December 25, 2020

How to add a custom tomcat installation to SystemD with ansible.

Okay so say you have a custom install of tomcat and java, which is what a lot of people do because java update and tomcat updates can bring things down. So things need to be tested before updates and standard patch cycles can end up affecting the environment.

But you want to handle the startup and stopping via systemd to be able to get status outputs and let system handle the service on reboots. This is how to do it slick.

Ansible Setup:

• This post assumes you have ansible setup and running. If you don’t search through my blog and you should find a post on how to setup.

Role:

• We are going to setup a custom role to add your custom tomcat install system

Setup the new role:

• Create a new directory in /etc/ansible/role for your new role

◦ mkdir -p /etc/ansible/roles/AddtomcatSystemD/tasks/

• Now create a yaml file that will run a set of tasks to set this up for ya.

◦ vi main.yml

Main.yml

===========================================

Note: this will install the redhat tomcat version of tomcat. Do not worry we are not going to be using this tomcat. This is just so redhat automatically setups all the needed services and locations. We will then update the SystemD config for tomcat to use the custom version.

– name: Install the latest version of tomcat

package:

state: latest

Note: This symlink is important as tomcat default install by redhat is inside /opt/tomcat. Update the src to the custom location of your tomcat

– name: Create symbolic link for “tomcat” in /opt

file:

src: /custom/install/tomcat

path: /opt/tomcat

force: yes

state: link

Note: This will enable tomcat to start up on reboot

– name: Enable tomcat service on startup

shell: systemctl enable tomcat

Note: This is the tomcat systemd service file that systemd uses for the default install. We are going to empty.

– name: Null tomcat.service file

shell: “>/etc/systemd/system/tomcat.service“

Note: We are now going to add our custom block for tomcat into the tomcat.service file we just emptied above using the blockinfle module. This means that this whole section will also be managed by ansible as well. Make sure you adjust the java_home if your java isn’t location inside tomcat. Along with the user,group,umask for to your custom tomcat.

– name: Edit tomcat.service for systemd

blockinfile:

dest: /etc/systemd/system/tomcat.service

insertafter:

block: |

[Unit]

Description=Apache Tomcat Web Application Container

After=syslog.target network.target

[Service]

Type=forking

Environment=JAVA_HOME=/opt/tomcat

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment=’CATALINA_OPTS=-Xms512M -Xmx1024M -server –XX:+UseParallelGC‘

Environment=’JAVA_OPTS=-Djava.awt.headless=true –Djava.security.egd=file:/dev/./urandom‘

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/bin/kill -15 $MAINPID

User=tomcat

Group=tomcat

UMask=

RestartSec=10

Restart=always

[Install]

WantedBy=multi-user.target

Note: This will then reload the custom tomcat via systemd

– name: Start tomcat service with Systemd

systemd:

daemon_reload: yes

Note: This will then check to see if the new tomcat is service running and out to the ansible playbook log.

– name: get service facts

service_facts:

– name: Check to see if tomcat is running

debug:

var: ansible_facts.services[“tomcat.service“]

Ansibe playbook log:

[root@nickansible]# ansible-playbook –i inventory/DEV/hosts justtomcatrole.yml –limit ‘nicktestvm‘ -k

SSH password:

PLAY [all] ************************************************************************************************************************************************************************************************

TASK [AddTomCatSystemD : Create symbolic link for “tomcat” in /opt] ***************************************************************************************************************************************

changed: nicktestvm]

TASK [AddTomCatSystemD : Enable tomcat service on startup] ************************************************************************************************************************************************

changed: nicktestvm]

TASK [AddTomCatSystemD : Null tomcat.service file] ********************************************************************************************************************************************************

changed: nicktestvm]

TASK [AddTomCatSystemD : Edit tomcat.service for systemd] *************************************************************************************************************************************************

changed: nicktestvm]

TASK [AddTomCatSystemD : Start tomcat service with Systemd] ***********************************************************************************************************************************************

ok: nicktestvm]

TASK [AddTomCatSystemD : get service facts] ***************************************************************************************************************************************************************

ok: nicktestvm]

TASK [AddTomCatSystemD : Check to see if tomcat is running] ***********************************************************************************************************************************************

ok: nicktestvm] => {

“ansible_facts.services[\”tomcat.service\”]”: {

“name”: “tomcat.service“,

“source”: “systemd“,

“state”: “running”,

“status”: “enabled”

}

PLAY RECAP ************************************************************************************************************************************************************************************************

nicktestvm : ok=7 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

==========================

[root@nicktestvm ~]# cat /etc/systemd/system/tomcat.service

# BEGIN ANSIBLE MANAGED BLOCK

[Unit]

Description=Apache Tomcat Web Application Container

After=syslog.target network.target

[Service]

Type=forking

Environment=JAVA_HOME=/opt/tomcat

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment=’CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC’

Environment=’JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom’

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/bin/kill -15 $MAINPID

User=tomcat

Group=tomcat

UMask=0028

RestartSec=10

Restart=always

[Install]

WantedBy=multi-user.target

# END ANSIBLE MANAGED BLOCK

SystemD Status:

root@nicktestvm ~]# systemctl status tomcat

● tomcat.service – Apache Tomcat Web Application Container

Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)

Active: active (running) since Thu 2020-12-24 05:11:21 GMT; 21h ago

Process: 6333 ExecStop=/bin/kill -15 $MAINPID (code=exited, status=0/SUCCESS)

Process: 6353 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)

Main PID: 6363 (java)

CGroup: /system.slice/tomcat.service

└─6363 /usr/local/java/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms1…

Dec 24 05:11:21 nicktestvm systemd[1]: Starting Apache Tomcat Web Application Container…

Dec 24 05:11:21 nicktestvm startup.sh[6353]: Existing PID file found during start.

Dec 24 05:11:21 nicktestvm startup.sh[6353]: Removing/clearing stale PID file.

Dec 24 05:11:21 nicktestvm systemd[1]: Started Apache Tomcat Web Application Container.

admin December 25, 2020 Ansible, Centos, LinuxNo Comments »

admin | December 21, 2020

How to generate new Network UUID’s with Ansible

Okay some of you might have deployed linux vm’s from clone templates using ansible by way of the vmware_guest module.

Now everybody goes about it differently, and from what I read online…. It would seem that lots of people over complicate the generation of the UUID with over complicated code to generate the UUID.

At the end of the day all a UUID is….is JUST A “UNIQUE IDENTIFIER”. It serves no other function other than being another form of labelling the network interface on the vm. There is no need to over complicate the creation of a UUID. This is also provided you defined UUID’s on your deployments.

Why…would you want to do this? Well if you cloned from a template. The new clone with have the same network UUID on every new machine you create. Now this wont impact your infrastructure in anyway, other than you *might* get duplicate UUID warning at some point. However, it can be problematic when doing backups, restores, migrations, and monitoring in some cases.

Ansible Setup:

• This post assumes that you have ansible setup and running

Role :

• Create a role called CreateNewNetworkUUID in /etc/ansible/roles

mkdir -p /etc/ansible/roles/CreateNewNetworkUUID/tasks

• Create a main.yml inside /etc/ansible/roles/CreateNewNetworkUUID/tasks/

vi /etc/ansible/roles/CreateNewNetworkUUID/tasks/main.yml

• Now add the following yaml code.

–

Note: This just runs the ‘uuidgen’ command on the linux vm and then registers the result into a variable that is passed to the next task.

– name: Generate new UUID

shell: uuidgen

– debug:

var: new_uuid_result

Note: This updates the network file on redhat and adds the UUID line with the newly generated UUID and shows a log of the new UUID that was added. This section will also be outlined in the file as managed by ansible

– name: Add New UUID to network config

blockinfile:

dest: /etc/sysconfig/network-scripts/ifcfg-ens192

insertafter: NAME=”ens192″

block: |

UUID=”{{ new_uuid_result[‘stdout‘] }}”

– debug: msg=”{{ filecontents }}”

• Save the file

Ansible playbook run:

• From inside /etc/ansible directory call your role inside your playbook or create a new playbook calling the role

 vi createnewUUID.yml

• Add the following to your playbook.

– hosts: all

gather_facts: no

roles:

– role: CreateNewNetworkUUID

• Save the file

Ansible playbook run:

• Run your new role against your hosts

Note: this run the role against all your hosts defined in inventory/DEV/hosts via ssh. You will need to know the root/pass for your ssh connection to be able to carry out the tasks.

ansible-playbook –i inventory/DEV/hosts createnewUUID.yml -k

Ansible playbook log:

SSH password:

TASK [CreateNewUUID : Generate new UUID] **********************************************************************************************************************************************************************

changed: [nicktestvm]

TASK [CreateNewUUID : debug] **********************************************************************************************************************************************************************************

ok: [nicktestvm] => {

“new_uuid_result“: {

“ansible_facts“: {

“discovered_interpreter_python“: “/usr/bin/python”

“changed”: true,

“cmd“: “uuidgen“,

“delta”: “0:00:00.010810”,

“end”: “2020-12-21 20:13:36.614154”,

“failed”: false,

“rc“: 0,

“start”: “2020-12-21 20:13:36.603344”,

“stderr”: “”,

“stderr_lines“: [],

“stdout“: “49242349-5168-4713-bcb6-a53840b2e1d6”,

“stdout_lines“: [

“49242349-5168-4713-bcb6-a53840b2e1d6”

]

}

TASK [CreateNewUUID : Add New UUID to network config] *********************************************************************************************************************************************************

changed: [nicktestvm]

ok: [nicktestvm] => {

“new_uuid_result.stdout“: “49242349-5168-4713-bcb6-a53840b2e1d6”

}

nicktestvm : ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Nicktestvm:

[root@nicktestvm ~]$ cat /etc/sysconfig/network-scripts/ifcfg-ens192

TYPE=”Ethernet”

PROXY_METHOD=”none”

BROWSER_ONLY=”no”

BOOTPROTO=”none”

DEFROUTE=”yes”

IPV4_FAILURE_FATAL=”no”

IPV6INIT=”yes”

IPV6_AUTOCONF=”yes”

IPV6_DEFROUTE=”yes”

IPV6_FAILURE_FATAL=”no”

IPV6_ADDR_GEN_MODE=”stable-privacy”

NAME=”ens192″

# BEGIN ANSIBLE MANAGED BLOCK

UUID=”49242349-5168-4713-bcb6-a53840b2e1d6″

# END ANSIBLE MANAGED BLOCK

DEVICE=”ens192″

ONBOOT=”yes”

IPADDR=”192.168.1.69″

PREFIX=”24″

GATEWAY=”192.168.1.254″

DNS1=”8.8.8.1″

DNS2=”8.8.8.2″

DOMAIN=”nicktailor.co.uk”

IPV6_PRIVACY=”no”

admin December 21, 2020 Ansible, Network StuffNo Comments »

admin | December 19, 2020

How to deploy Vmware VM’s using Ansible from Cloned Templates

QUICK OVERVIEW OF WHAT ANSIBLE IS..

Ansible is a radically simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.

Designed for multi-tier deployments since day one, Ansible models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.

It uses no agents and no additional custom security infrastructure, so it’s easy to deploy – and most importantly, it uses a very simple language (YAML, in the form of Ansible Playbooks) that allow you to describe your automation jobs in a way that approaches plain English.

On this page, we’ll give you a really quick overview so you can see things in context. For more detail, hop over to docs.ansible.com.

EFFICIENT ARCHITECTURE

Ansible works by connecting to your nodes and pushing out small programs, called “Ansible modules” to them. These programs are written to be resource models of the desired state of the system. Ansible then executes these modules (over SSH by default), and removes them when finished.

Your library of modules can reside on any machine, and there are no servers, daemons, or databases required. Typically you’ll work with your favorite terminal program, a text editor, and probably a version control system to keep track of changes to your content.

• Okay so what that actually is saying is. Ansible has a whole library of python modules that come out of the box coupled with a huge community of open source python modules to do all sorts of tasks to automate infrastructure.

• You can call these modules by writing yaml code, inside your yaml code when you call a specific module, you can the pass specific variables to that module to do specific things defined by the python module.
Example power on and off a vm, or connect or disconnect network, etc.

For the purposes of this post we are are going to dive into using “vmware_guest” module by way of using http api authentication session & cookies. There are many other python modules which you can search in the ansible documentation and or ansible-galaxy

https://docs.ansible.com/ansible/latest/collections/community/vmware/index.html

Now it definitely helps to be able to code in python or at least be able to read python code, however completely not necessary. Anyone with basic understanding of bash scripting can learn ansible. I could teach a newbie ansible in a couple days. Sharing is caring.

Anyone who says otherwise……don’t hire them.

Ansible Setup:

• Now this post assumes you already have ansible setup and are running a newer version. If not you will need to review post on how to setup ansible before you can proceed with this.

Pre-Module install Steps:

Requirements

The below requirements are needed on the host that executes this module.

• python >= 2.6

• PyVmomi

• PIP

• Community.vmware library of python modules

1.Okay so you if your on our ansible machine as root

• Run the following this should install the modules you need

ansible-galaxy collection install community.vmware

• Note: Depending on where you ran this from. If you ran this from /home/root. You can find all your python modules in ‘root/.ansible/collections/ansible_collections/community/vmware/plugins/modules’

• You will probably need to install python 2.6 or greater

Redhat : Yum install python (should get you the latest version)

• Okay you may also neeed to install pip

Note: Now on centos its not available out of the box

.Centos 7 PIP install:

1.sudo yum install epel-release

2.sudo yum install python-pip

3.pip –version (verify its installed)

4.sudo yum install python-devel (these are for building python modules)

5.sudo yum groupinstall ‘development tools’ (these are for building python modules(

.Install PyVmomi:

1.pip install –upgrade pyvmomi

It will look like…..

[root@nick roles]# pip install –upgrade pyvmomi

Collecting pyvmomi

Downloading https://files.pythonhosted.org/packages/ba/69/4e8bfd6b0aae49382e1ab9e3ce7de9ea6318eac007b3076e6006dbe5a7cd/pyvmomi-7.0.1.tar.gz (584kB)

100% |████████████████████████████████| 593kB 861kB/s