New challenge: design an automation jobs architecture


Customers often ask me to automate tasks on hundreds of Linux systems. Those tasks can be as simple as user creation or as complex as operating system customization.
I used Ansible to reach that goal, but I also want to share Ansible's features with the customer and his colleagues. For this purpose I'm designing a simple architecture composed of:

– Git as an SCCM
– Ansible as a dedicated automation host
– AWX as an orchestrator

The idea is to write code (playbooks, Perl, Bash, Python, etc.) and publish it to a Git repository. AWX takes the code and lets Ansible execute it, reporting every detail of the execution.
I want to let the customer have a single button called “GO” for multi-task automation!
I'm playing with this architecture and I need to prepare a presentation explaining the details.
Let’s gooooo!! 🙂


Ansible: dealing with SSH vulnerabilities


Today the customer asked me to help him fix a couple of issues on multiple Linux systems. The reported vulnerabilities were:

Medium (N/A, ID 90317)
Synopsis: The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.
Solution: Contact the vendor or consult product documentation to remove the weak ciphers.

Low (N/A, ID 71049)
Synopsis: The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.
Solution: Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

It was fun to fix both of them with a simple playbook called fixssh.yaml:


- name: MAC SSH Vulnerability FIX
  hosts: all
  # Every task below edits or restarts a root-owned service, so escalate once at play level
  become: true
  become_method: sudo
  tasks:

    - name: Backing up /etc/ssh/sshd_config
      # Dated copy of the original file, kept next to it for a quick rollback
      shell: cp -prf /etc/ssh/sshd_config /etc/ssh/sshd_config.02-02-18

    - name: Updating MACs directive in /etc/ssh/sshd_config file
      # Replaces the (last) uncommented MACs line, or appends one if none exists.
      # The new list contains no MD5 and no 96-bit MACs, which is what finding 71049 asks for.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^MACs'
        line: 'MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com'

    - name: Updating ciphers directive in /etc/ssh/sshd_config file
      # CTR-mode AES only: drops arcfour, CBC and "none" (finding 90317)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'

    - name: Restarting sshd service
      # Existing sessions survive a restart; only new connections use the new lists
      service:
        name: sshd
        state: restarted
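To see what the scanner is complaining about before and after the playbook runs, here is an added check (not part of the original post, and not the scanner's own logic) that parses an sshd_config the way sshd reads it and reports the ciphers and MACs matching the two findings above. The two sample configs are constructed; the weak-algorithm patterns are my reading of the finding text, not a complete hardening baseline.

```python
"""Audit an sshd_config for the two findings above: weak or absent ciphers
(90317) and MD5 / 96-bit MACs (71049). Added example; the sample configs
below are constructed, not taken from the customer's systems."""
import re

# Algorithm-name patterns derived from the findings' text. Assumption:
# this is a check for those two findings, not a full hardening baseline.
WEAK_MAC_PATTERNS = (
    re.compile(r"md5", re.I),                 # any MD5-based MAC
    re.compile(r"-96(-etm)?(@|$)", re.I),     # 96-bit truncated MACs
)
WEAK_CIPHER_PATTERNS = (
    re.compile(r"^none$", re.I),              # "no algorithm at all"
    re.compile(r"arcfour|rc4|3des|blowfish|cast", re.I),
    re.compile(r"-cbc(@|$)", re.I),           # CBC-mode ciphers
)


def parse_sshd_config(text):
    """Return {directive: value} keeping the FIRST uncommented occurrence,
    which is the one sshd honours. Note the asymmetry with the playbook:
    lineinfile replaces the LAST line matching its regexp, so a file with
    two 'MACs' lines could get the wrong one edited. Match blocks are not
    modelled here."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*[=\s]\s*(.*)$", line)   # 'Key value' or 'Key=value'
        if m:
            effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective


def split_algos(value):
    return [a.strip() for a in value.split(",") if a.strip()]


def weak_in(value, patterns):
    return [a for a in split_algos(value) if any(p.search(a) for p in patterns)]


def strip_weak(value, patterns):
    """Directive value with the weak entries removed, ready for lineinfile."""
    return ",".join(a for a in split_algos(value)
                    if not any(p.search(a) for p in patterns))


def audit_sshd_config(text):
    conf = parse_sshd_config(text)
    report = {"weak_ciphers": [], "weak_macs": [],
              "defaults_in_use": [], "relative_to_defaults": []}
    for key, patterns, out in (("ciphers", WEAK_CIPHER_PATTERNS, "weak_ciphers"),
                               ("macs", WEAK_MAC_PATTERNS, "weak_macs")):
        if key not in conf:
            report["defaults_in_use"].append(key)   # sshd's built-in list applies
        elif conf[key][:1] in ("+", "-", "^"):
            # OpenSSH 7.x syntax that edits the default list; judging it needs
            # that build's defaults, so flag it for manual review instead.
            report["relative_to_defaults"].append(key)
        else:
            report[out] = weak_in(conf[key], patterns)
    return report


# Constructed sample resembling a permissive sshd_config
SAMPLE_BEFORE = """\
# constructed sample, not a real host's file
Port 22
#Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,aes128-cbc,none
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha1-96,hmac-md5-96,hmac-sha2-256
"""
# What the fixssh.yaml playbook leaves behind
SAMPLE_AFTER = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_sshd_config(cfg))
    conf = parse_sshd_config(SAMPLE_BEFORE)
    print("suggested Ciphers:", strip_weak(conf["ciphers"], WEAK_CIPHER_PATTERNS))
    print("suggested MACs:", strip_weak(conf["macs"], WEAK_MAC_PATTERNS))
```

Run it on a copy of the real file (for example one fetched with the `fetch` module) before and after the playbook: an empty `weak_ciphers`/`weak_macs` on the "after" output is the result the scanner should also report on its next pass, while anything in `defaults_in_use` or `relative_to_defaults` means the directive has to be judged against that OpenSSH version's defaults rather than against the file alone.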


How to install Ansible on a CentOS 7 system


Starting from a minimal CentOS installation, these are the steps I followed to install Ansible:

1) System update
# yum -y update
# init 6

2) EPEL repository configuration and Ansible package installation
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -ivh epel-release-latest-7.noarch.rpm
# yum -y install ansible vim

3) In my case I'm using Ansible to work on a VMware ESX environment, so I also installed a Python module:
# yum install python-pip
# pip install --upgrade pip
# pip install pyVmomi
# pip install --upgrade pyVmomi

4) In my user's home directory I created .ansible.cfg for any local customization
$ touch .ansible.cfg
$ ansible --version
ansible 2.0.1.0
config file = /home/alex/.ansible.cfg
...output omitted...

5) In the same directory I created a .vimrc file that sets the YAML indentation automatically
$ cat .vimrc
autocmd FileType yaml setlocal ai ts=2 sw=2 et

Ansible is now ready to fire! 😀

Ansible and VMware ESX


These days I'm writing a couple of playbooks using the vmware_guest module.
The goal is to deliver new virtual machines and customize them.

I faced a strange issue during my tests:

[root@ansible ~]# ansible-playbook delivery.yaml
[WARNING]: provided hosts list is empty, only localhost is available

PLAY [devops rhel creation] ************************************************************************************************************************************

TASK [rhel cloning] ******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Network '1000 – 10.13.128.0/24 – TEST (dvSwitch-Production)' does not exists"}
	to retry, use: --limit @/root/first.retry

PLAY RECAP *****************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1

I was surprised, because I had taken that name from VMware while browsing with my vSphere Client.
I tried again and again, changing the playbook code, until I finally discovered the real issue.
VMware uses special characters!!
I found this detail while trying to manually add a new network interface from the vSphere Client:

Here is the network name as I passed it to the playbook:

Finally the solution!

I spoke about this with my colleagues and they told me VMware also uses special characters in its internal database.
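The lookup in the module is an exact string comparison, so a name that looks identical in the vSphere Client can still fail to match. Here is an added helper (not part of the original post, not a VMware or Ansible API) that makes such characters visible and recovers the exact inventory string to paste into the playbook. Assumption for the illustration: the inventory name carries en dashes (U+2013) where the playbook was typed with ASCII hyphens; the inventory list and the typed name are constructed.

```python
"""Show why a name copied from the vSphere Client can fail the exact lookup
done by vmware_guest, and recover the exact inventory string. Added example;
the inventory below is constructed and the en dash is an assumption about
which special character VMware used."""
import unicodedata

# Constructed port-group inventory, as a vmware_*_info module might return it.
INVENTORY = [
    "1000 \u2013 10.13.128.0/24 \u2013 TEST (dvSwitch-Production)",
    "VM Network",
]
# The same name as a human types it: ASCII hyphen-minus instead of en dash.
TYPED = "1000 - 10.13.128.0/24 - TEST (dvSwitch-Production)"

# Look-alike dashes and spaces folded to their ASCII counterparts.
DASHES = {ord(c): "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2212"}
SPACES = {ord(c): " " for c in "\u00a0\u2007\u202f"}


def reveal(name):
    """Every character outside printable ASCII: (index, char, code point, name)."""
    return [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if not 0x20 <= ord(ch) < 0x7F]


def first_difference(a, b):
    """Index and characters where two strings first differ, or None if equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, x, y
    i = min(len(a), len(b))
    return None if len(a) == len(b) else (i, a[i:i + 1], b[i:i + 1])


def relaxed(name):
    """Comparison key: NFKC-normalised, dash/space look-alikes folded, case folded."""
    return unicodedata.normalize("NFKC", name).translate({**DASHES, **SPACES}).casefold()


def resolve_network(typed, inventory):
    """Return the exact inventory string to put in the playbook, plus why.
    Exact match first (what the module does); only then a look-alike match,
    and only if it is unambiguous."""
    if typed in inventory:
        return typed, "exact match"
    hits = [n for n in inventory if relaxed(n) == relaxed(typed)]
    if len(hits) == 1:
        idx, mine, theirs = first_difference(typed, hits[0])
        theirs_name = unicodedata.name(theirs, "UNKNOWN") if theirs else "end of string"
        return hits[0], (f"look-alike match; first difference at index {idx}: "
                         f"typed {mine!r}, inventory has {theirs!r} ({theirs_name})")
    return None, f"no match ({len(hits)} look-alike candidates)"


if __name__ == "__main__":
    name, why = resolve_network(TYPED, INVENTORY)
    print(why)
    print("use this string in the playbook:", repr(name))
    print("special characters in it:", reveal(name))
```

Printing `repr()` or the `reveal()` list is the quick way to tell an en dash or a no-break space from the ASCII character it resembles; once the exact string is known, keeping it in a vars file copied from the module's own output avoids retyping it.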