Ansible with su instead of sudo October 13th, 2017
At TBits.net, we have decided to use Ansible for setting up our servers.
The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (eg. called deploy), that you can use with SSH to login to the machine, and if that user has sudo permissions (eg. part of the group wheel in CentOS), then you can install software with root privileges.
The call is quite easy:
ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass |
Now we wanted to limit access only to users who have the actual password for root.
Finally, this worked on the command line:
ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass |
Now, I wanted to specify these parameters in my ansible.cfg file. It took me a while to find out how to do this. I found https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml which was helpful.
[defaults] remote_user=deploy [privilege_escalation] become = true become_method = su become_ask_pass = true |
Two pitfalls that are solved by this:
- You need to specify the become settings in section
privilege_escalation, not just indefaults. - The command line parameter
ask-become-passbecomesbecome_ask_passin the config file.
This works with Ansible 2.3.2 on CentOS 7.4.
Setup an LXC host with Ansible March 30th, 2016
This is my first go at Ansible. Ansible uses SSH to setup servers with a desired environment. The scripts can be run again and again, and only apply things that have changed since the previous run.
Please also see this good tutorial which helped me with my first steps: https://serversforhackers.com/an-ansible-tutorial
My environment is like this: my workstation is Fedora 23. The host that I want to configure is a CentOS7 server.
On my Fedora 23 workstation:
# Fedora 23 currently installs Ansible 1.9, but that will be soon Ansible 2.0 dnf install ansible sudo vi /etc/ansible.cfg remote_user = root # 123.123.123.10 is just an example IP address of my CentOS7 server. sudo vi /etc/ansible/hosts [lxc_host_centos7] 123.123.123.10 |
I need a private and a public ssh key. The public key has been installed on the target CentOS7 machine, in /root/.ssh/authorized_keys.
Loading the private ssh key on Fedora 23:
ssh-add |
As a first test, I run:
ansible all -m ping |
Some modules are not part of Ansible 1.9 in Fedora. see also http://docs.ansible.com/ansible/modules_extra.html
git clone https://github.com/ansible/ansible-modules-extras.git mkdir -p /usr/share/my_modules/ cp ansible-modules-extras/packaging/os/yum_repository.py /usr/share/my_modules/ cp ansible-modules-extras/system/iptables.py /usr/share/my_modules/ sudo vi /etc/ansible.cfg library = /usr/share/my_modules/ |
By the way, here are the links to the modules that I am using:
- http://docs.ansible.com/ansible/yum_module.html
- http://docs.ansible.com/ansible/yum_repository_module.html
- http://docs.ansible.com/ansible/shell_module.html
- http://docs.ansible.com/ansible/iptables_module.html
Here is my playbook for installing the lxc scripts:
--- - hosts: lxc_host_centos7 vars: containerpwd: secretPWD tasks: - name: Configure the Epel Repo yum: name=epel-release state=installed - name: Configure the repo lbs-tpokorra-lbs yum_repository: name=lbs-tpokorra-lbs description="lxc scripts" baseurl=https://lbs.solidcharity.com/repos/tpokorra/lbs/centos/7 - name: Install the public key for the signed lxc-scripts package shell: rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x4796B710919684AC" - name: Install LXC host on CentOS7 yum: name=lxc-scripts state=installed - name: Enable and start libvirtd service: name=libvirtd state=started enabled=yes - name: Setup symbolic link shell: ln -s /usr/share/lxc-scripts scripts creates=/root/scripts - name: Create a SSH key pair for the containers shell: ssh-keygen -t rsa -C "root@localhost" -f /root/.ssh/id_rsa -N {{ containerpwd }} creates=/root/.ssh/id_rsa - name: Create a new, unique Diffie-Hellman group shell: mkdir -p /var/lib/certs && openssl dhparam -out /var/lib/certs/dhparams.pem 2048 creates=/var/lib/certs/dhparams.pem - name: Init LXC shell: ( ./initIPTables.sh && ./initLXC.sh ) > /root/lxc.installed chdir=/root/scripts creates=/root/lxc.installed - name: Install nginx yum: name=nginx state=installed - name: Enable and start nginx service: name=nginx state=started enabled=yes - name: Configure firewall port 80 for nginx iptables: chain=IN_public_allow protocol=tcp match=tcp destination_port=80 ctstate=NEW jump=ACCEPT - name: Configure firewall port 443 for nginx iptables: chain=IN_public_allow protocol=tcp match=tcp destination_port=443 ctstate=NEW jump=ACCEPT - name: store iptables shell: iptables-save > /etc/sysconfig/iptables |
This is how I run the playbook:
ansible-playbook lxc.yml --extra-vars "containerpwd=topsecret" |