Ansible with su instead of sudo   October 13th, 2017

At TBits.net, we have decided to use Ansible for setting up our servers.

The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (eg. called deploy), that you can use with SSH to login to the machine, and if that user has sudo permissions (eg. part of the group wheel in CentOS), then you can install software with root privileges.

The call is quite easy:

ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass

Now we wanted to limit access only to users who have the actual password for root.

Finally, this worked on the command line:

ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass

Now, I wanted to specify these parameters in my ansible.cfg file. It took me a while to find out how to do this. I found https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml which was helpful.

[defaults]
remote_user=deploy
 
[privilege_escalation]
become = true
become_method = su
become_ask_pass = true

Two pitfalls that are solved by this:

  • You need to specify the become settings in section privilege_escalation, not just in defaults.
  • The command line parameter ask-become-pass becomes become_ask_pass in the config file.

This works with Ansible 2.3.2 on CentOS 7.4.

Tags: ,
Posted in Hosting, Software Development | Comments Closed

Setup an LXC host with Ansible   March 30th, 2016

This is my first go at Ansible. Ansible uses SSH to setup servers with a desired environment. The scripts can be run again and again, and only apply things that have changed since the previous run.

Please also see this good tutorial which helped me with my first steps: https://serversforhackers.com/an-ansible-tutorial

My environment is like this: my workstation is Fedora 23. The host that I want to configure is a CentOS7 server.

On my Fedora 23 workstation:

# Fedora 23 currently installs Ansible 1.9, but that will be soon Ansible 2.0
dnf install ansible
sudo vi /etc/ansible.cfg
  remote_user = root
# 123.123.123.10 is just an example IP address of my CentOS7 server.
sudo vi /etc/ansible/hosts
 [lxc_host_centos7]
 123.123.123.10

I need a private and a public ssh key. The public key has been installed on the target CentOS7 machine, in /root/.ssh/authorized_keys.

Loading the private ssh key on Fedora 23:

ssh-add

As a first test, I run:

ansible all -m ping

Some modules are not part of Ansible 1.9 in Fedora. see also http://docs.ansible.com/ansible/modules_extra.html

git clone https://github.com/ansible/ansible-modules-extras.git
mkdir -p /usr/share/my_modules/
cp ansible-modules-extras/packaging/os/yum_repository.py /usr/share/my_modules/
cp ansible-modules-extras/system/iptables.py /usr/share/my_modules/
sudo vi /etc/ansible.cfg
  library     = /usr/share/my_modules/

By the way, here are the links to the modules that I am using:

Here is my playbook for installing the lxc scripts:

---
- hosts: lxc_host_centos7
  vars:
     containerpwd: secretPWD
  tasks:
   - name: Configure the Epel Repo
     yum: name=epel-release state=installed
   - name: Configure the repo lbs-tpokorra-lbs
     yum_repository: name=lbs-tpokorra-lbs description="lxc scripts" baseurl=https://lbs.solidcharity.com/repos/tpokorra/lbs/centos/7
   - name: Install the public key for the signed lxc-scripts package
     shell: rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x4796B710919684AC"
   - name: Install LXC host on CentOS7
     yum: name=lxc-scripts state=installed
   - name: Enable and start libvirtd
     service: name=libvirtd state=started enabled=yes
   - name: Setup symbolic link
     shell: ln -s /usr/share/lxc-scripts scripts creates=/root/scripts
   - name: Create a SSH key pair for the containers
     shell: ssh-keygen -t rsa -C "root@localhost" -f /root/.ssh/id_rsa -N {{ containerpwd }} creates=/root/.ssh/id_rsa
   - name: Create a new, unique Diffie-Hellman group
     shell: mkdir -p /var/lib/certs && openssl dhparam -out /var/lib/certs/dhparams.pem 2048 creates=/var/lib/certs/dhparams.pem
   - name: Init LXC
     shell: ( ./initIPTables.sh && ./initLXC.sh ) > /root/lxc.installed chdir=/root/scripts creates=/root/lxc.installed
   - name: Install nginx
     yum: name=nginx state=installed
   - name: Enable and start nginx
     service: name=nginx state=started enabled=yes
   - name: Configure firewall port 80 for nginx
     iptables: chain=IN_public_allow protocol=tcp match=tcp destination_port=80 ctstate=NEW jump=ACCEPT
   - name: Configure firewall port 443 for nginx
     iptables: chain=IN_public_allow protocol=tcp match=tcp destination_port=443 ctstate=NEW jump=ACCEPT
   - name: store iptables
     shell: iptables-save > /etc/sysconfig/iptables

This is how I run the playbook:

ansible-playbook lxc.yml --extra-vars "containerpwd=topsecret"
Tags: ,
Posted in Hosting, Software Development | Comments Closed