February 16, 2018

New challenge: design an automation jobs architecture

Posted in Ansible at 11:22 am by alessiodini

Customers often ask me to automate tasks on hundreds of Linux systems. Those tasks can be very simple, such as user creation, or more complex, such as operating system customization.
I have used Ansible to reach that goal, but I also want to share Ansible's features with the customer and his colleagues. For this purpose I'm designing a simple architecture composed of:

– GIT as a SCCM
– Ansible as a dedicated automation host
– AWX as an orchestrator

The idea is to write code (playbooks, Perl, Bash, Python, etc.) and publish it to a Git repository. AWX takes the code, lets Ansible execute it and reports back every detail of the execution.
I want to give the customer a single button called "GO" that automates multiple tasks!
I'm playing with this architecture and I need to prepare a presentation explaining the details.
Let’s gooooo!! 🙂


February 2, 2018

Ansible: dealing with SSH vulnerabilities

Posted in Ansible at 3:57 pm by alessiodini

Today the customer asked me to help him fix a couple of issues on multiple Linux systems. The vulnerabilities, as reported by the scanner, were:

Finding 90317:
"The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.
Contact the vendor or consult product documentation to remove the weak ciphers."

Finding 71049:
"The remote SSH server is configured to allow MD5 and 96-bit MAC
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms."

It was fun to fix both of them with a simple playbook called fixssh.yaml:

- name: MAC SSH Vulnerability FIX
  hosts: all
  # Every task needs root; declaring it once at play level is equivalent to
  # repeating become/become_method on each task.
  become: true
  become_method: sudo

  tasks:
    - name: Backing up /etc/ssh/sshd_config
      shell: cp -prf /etc/ssh/sshd_config /etc/ssh/sshd_config.02-02-18

    # lineinfile replaces the first line matching regexp; if no MACs directive
    # exists (the default on most distributions) the line is appended at the
    # end of the file, so the fix also works on an untouched sshd_config.
    # This list removes the MD5 and 96-bit MACs from finding 71049; note that
    # hmac-sha1 and umac-64 remain and are flagged by stricter baselines.
    - name: Updating MACs directive in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^MACs'
        line: 'MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com'

    # Only CTR-mode AES is left; RC4 (arcfour), 3DES and CBC ciphers are gone.
    - name: Updating ciphers directive in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'

    # Restarting sshd does not drop the SSH session Ansible is already using.
    - name: Restarting sshd service
      service:
        name: sshd
        state: restarted
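As an added check (my own example, not code from the post), the following Python script reads an sshd_config and lists the weak MACs and ciphers the two findings describe, so a host can be verified before and after fixssh.yaml runs. The two config fragments are constructed; the "after" one carries exactly the MACs and Ciphers values the playbook writes.

```python
import re

# Constructed sshd_config fragments (not taken from any real host).
SAMPLE_BEFORE = """\
# Weak settings a scanner would flag (constructed example)
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512
Match User backup
    MACs hmac-md5-96@openssh.com
"""

# The two directives exactly as fixssh.yaml writes them.
SAMPLE_AFTER = """\
Port 22
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
"""

# MD5-based MACs and 96-bit truncated tags: the scope of finding 71049.
# (umac-64 and hmac-sha1 are deliberately not matched; they are outside it.)
WEAK_MAC = re.compile(r"md5|-96(?=@|$)")
# RC4 (arcfour), 3DES, Blowfish, CAST and any CBC-mode cipher: finding 90317.
WEAK_CIPHER = re.compile(r"arcfour|3des|blowfish|cast128|-cbc(?=@|$)")


def find_weak_algorithms(config_text):
    """Return one dict per Ciphers/MACs directive that lists a weak algorithm.

    Keys: line (1-based), directive ('ciphers' or 'macs'), weak (offending
    names), in_match (True inside a Match block), appends_defaults (True when
    the value starts with '+', meaning OpenSSH's defaults stay active and this
    static check cannot see them)."""
    findings = []
    in_match = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            in_match = True        # everything after a Match line is conditional
            continue
        if key not in ("ciphers", "macs"):
            continue
        appends_defaults = value.startswith("+")
        algos = [a for a in value.lstrip("+-^").split(",") if a]
        pattern = WEAK_MAC if key == "macs" else WEAK_CIPHER
        weak = [a for a in algos if pattern.search(a.lower())]
        if weak:
            findings.append({"line": lineno, "directive": key, "weak": weak,
                             "in_match": in_match,
                             "appends_defaults": appends_defaults})
    return findings


def global_directives(config_text):
    """Set of Ciphers/MACs directives that are set before any Match block."""
    found = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key = re.split(r"[\s=]+", line, maxsplit=1)[0].lower() if line else ""
        if key == "match":
            break
        if key in ("ciphers", "macs"):
            found.add(key)
    return found


def is_compliant(config_text):
    """True when both directives are set globally and nothing weak is listed.

    An absent directive means OpenSSH's version-dependent defaults apply,
    which a file-based check cannot judge, so it counts as non-compliant."""
    return (not find_weak_algorithms(config_text)
            and global_directives(config_text) == {"ciphers", "macs"})


if __name__ == "__main__":
    for f in find_weak_algorithms(SAMPLE_BEFORE):
        where = "Match block" if f["in_match"] else "global"
        print(f"line {f['line']}: {f['directive']} ({where}) lists weak "
              + ", ".join(f["weak"]))
    print("before compliant:", is_compliant(SAMPLE_BEFORE))
    print("after compliant:", is_compliant(SAMPLE_AFTER))
```

The script only sees what is written in the file; on the host itself `sshd -T` prints the effective configuration, defaults included, and is the authoritative place to confirm the directives after the restart.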



September 5, 2017

How to install ansible on CentOS 7 system

Posted in Ansible at 8:04 am by alessiodini

Starting from a minimal CentOS installation, these are the steps I followed to install Ansible:

1) System update
# yum -y update
# init 6

2) Epel repository configuration and ansible pkg installation
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -ivh epel-release-latest-7.noarch.rpm
# yum -y install ansible vim

3) In my case I use Ansible to work on a VMware ESX environment, so I also installed a Python module:
# yum install python-pip
# pip install --upgrade pip
# pip install pyVmomi
# pip install --upgrade pyVmomi

4) In the user's home directory I created .ansible.cfg for any local customization
$ touch .ansible.cfg
$ ansible --version
config file = /home/alex/.ansible.cfg
...output omitted...

5) In the same directory I created a .vimrc file that sets the YAML indentation to two spaces
$ cat .vimrc
autocmd FileType yaml setlocal ai ts=2 sw=2 et

Ansible now is ready to fire! 😀

August 22, 2017

Ansible and Vmware ESX

Posted in Ansible at 8:29 am by alessiodini

These days I'm writing a couple of playbooks using the vmware_guest module.
The goal is to deliver new virtual machines and customize them.

I faced a strange issue during my tests:

[root@ansible ~]# ansible-playbook delivery.yaml
[WARNING]: provided hosts list is empty, only localhost is available

PLAY [devops rhel creation] ************************************************************************************************************************************

TASK [rhel cloning] ******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Network '1000 – – TEST (dvSwitch-Production)' does not exists"}
to retry, use: --limit @/root/first.retry

PLAY RECAP *****************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1

I was surprised because I had taken that name from VMware while browsing with my vSphere Client.
I tried again and again, changing the playbook code, until I was finally able to discover the real issue.
VMware uses special characters!!
I found this detail while trying to manually add a new network interface from the vSphere Client:

Here is the network name as I passed it to the playbook:

Finally the solution!

I spoke about this with my colleagues and they told me VMware also uses special characters in its internal database.
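As an added debugging aid (my own code, not the post's), the script below does what I would reach for when a name that looks identical on screen is rejected by a module: it lists every non-ASCII code point in the name, shows where the displayed and typed names first diverge, and renders the name as a YAML double-quoted scalar with the odd characters written as \uXXXX escapes, so the playbook carries exactly what the inventory shows. The post only says VMware uses special characters; the assumption that they were Unicode en dashes (U+2013) in place of the ASCII hyphen, and both sample names, are mine.

```python
import unicodedata

# Constructed sample names. The assumption that VMware's "special characters"
# were U+2013 EN DASH is mine; the original post does not name them.
DISPLAYED_NAME = "1000 \u2013 \u2013 TEST (dvSwitch-Production)"   # as the client shows it
TYPED_NAME = "1000 - - TEST (dvSwitch-Production)"                 # as typed into the playbook


def non_ascii_chars(name):
    """List (index, char, 'U+XXXX', Unicode name) for every non-ASCII code point."""
    return [(i, c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(name) if ord(c) > 0x7F]


def first_difference(a, b):
    """Index of the first differing code point, or None if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def yaml_double_quoted(name):
    """Render name as a YAML double-quoted scalar with non-ASCII code points
    escaped (\\uXXXX, or \\UXXXXXXXX beyond the BMP), so the value in the
    playbook is unambiguous and byte-for-byte what the inventory shows."""
    out = []
    for c in name:
        cp = ord(c)
        if c in '"\\':
            out.append("\\" + c)
        elif cp > 0xFFFF:
            out.append(f"\\U{cp:08X}")
        elif cp > 0x7F:
            out.append(f"\\u{cp:04X}")
        else:
            out.append(c)
    return '"' + "".join(out) + '"'


def explain_mismatch(displayed, typed):
    """Human-readable report of why two visually similar names do not match."""
    lines = []
    idx = first_difference(displayed, typed)
    if idx is None:
        return "names are identical"
    lines.append(f"first difference at index {idx}: "
                 f"displayed {displayed[idx]!r} vs typed {typed[idx]!r}")
    for i, c, cp, uname in non_ascii_chars(displayed):
        lines.append(f"  index {i}: {c!r} {cp} {uname}")
    lines.append("use in the playbook: network: " + yaml_double_quoted(displayed))
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain_mismatch(DISPLAYED_NAME, TYPED_NAME))
```

Feeding the name copied from the error message (or from the vSphere Client) into explain_mismatch is enough to see whether a lookalike character, rather than a typo, is behind a "does not exists" failure.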