Ansible

Ansible and Local Execution

How can I execute an Ansible task on the local Ansible controller server?

The key is to use the "delegate_to" or "local_action" keyword on your task.

So let's say we want to use Ansible to monitor an endpoint and perform some action if the HTTP response code is not 200.

  1. Create a task that checks the URL with the uri module and "delegate_to" (or do step #2 instead)

       - name: Endpoint Validator
         uri:
           url: "{{ url }}"
         # uri fails the task on any non-2xx status by default; turning that off
         # lets the check in step #3 decide what happens
         failed_when: false
         delegate_to: 127.0.0.1
         register: response

  2. Create a task that checks the URL with the uri module and "local_action"

       - name: Endpoint Validator
         local_action:
           module: uri
           url: "{{ url }}"
         failed_when: false
         register: response

  3. Create a task that performs an action (e.g. fail) if the response is not 200

       - name: Endpoint Error Action
         fail:
           msg: "{{ url }} returned HTTP {{ response.status }}"
         when: response.status != 200
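A complete playbook that puts the three tasks together, added here as an example (it is not code from the original post): it probes a list of endpoints from the controller, uses run_once so the check runs a single time per play rather than once per managed host, stops uri from failing the play on its own with failed_when: false, and then fails with a message naming every endpoint that did not return 200. The URLs under endpoints are constructed sample values.

```yaml
# Added example, not from the original post. The endpoint list is constructed.
- name: Endpoint monitor executed on the Ansible controller
  hosts: all
  gather_facts: false
  vars:
    endpoints:
      - https://www.example.com/health
      - https://www.example.com/ready
  tasks:
    - name: Probe each endpoint from the controller, not from the managed hosts
      uri:
        url: "{{ item }}"
        method: GET
        timeout: 10
        validate_certs: true      # keep TLS validation on; a bad cert is a finding too
      register: probe
      delegate_to: localhost
      run_once: true              # one probe per play, however many hosts are targeted
      loop: "{{ endpoints }}"
      failed_when: false          # a non-200 (or status -1 on no connection) is handled below

    - name: Fail with one line per endpoint that did not return 200
      fail:
        msg: "{{ item.item }} returned HTTP {{ item.status | default('no response') }}"
      loop: "{{ probe.results }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.status | default(0) != 200
      run_once: true
      delegate_to: localhost
```

Run it with `ansible-playbook -i hosts endpoint_monitor.yml` (file name assumed). Because the probe is delegated and marked run_once, the controller makes exactly one request per URL no matter how many hosts are in the inventory, which is what you want from a monitor rather than from a per-host configuration check.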


Ansible – Dryrun and Limit Hosts

Here are a couple of useful Ansible playbook CLI switches I tend to use frequently.

Dry-run mode – Add this switch if you want to see what Ansible would do, without actually doing it.

  • --check

Limit target hosts – Add this switch to specify which host(s) or group the playbook runs against.

  • --limit <host pattern>
  • --limit "host1, host2, host3"
  • --limit "myGroup"


New Docker\Ansible container per Playbook execution?


What would it look like to set up a job in Jenkins that calls out to a Linux server, starts an Ansible Docker container that executes a playbook, and then shuts the container down like it never existed?  Time to find out…

For this exercise, we are going to have a Jenkins slave installed on the same Linux server that we're going to use to launch our Ansible Docker container.  Also, in our Jenkins job, we are going to configure Git as our source code repo, which is where our playbook and host files will be stored.  So when the Jenkins job is executed, the playbooks and host files will be copied to the slave.

We are going to follow these steps to set up the Docker piece of this puzzle.

  1. Install Docker on your Jenkins slave server and then verify your version.
    • docker -v  →  Docker version 17.03.1-ce, build c6d412e
  2. Download the following Ansible Docker image.  This image has an ENTRYPOINT of "ansible-playbook" and a WORKDIR of "/ansible/playbooks/".  (This is key!!!)
  3. Now we need to make note of the location Jenkins downloads the Git files to on the slave.
    • Example: /home/build/ansible_git/myPlayBook.yml
    • We will use this location when starting up the Docker container.  (-v)
  4. Running the following command on the Jenkins slave should then start up the Docker container that has Ansible installed, bind-mount the local folder "/home/build/ansible_git" onto the container folder "/ansible/playbooks", execute the playbook, and then shut everything down.
    • docker run --rm -it -v /home/build/ansible_git:/ansible/playbooks <image_id> myPlayBook.yml
      • --rm = remove the container when it exits (cleanup)
      • -it = interactive, with a tty allocated
      • -v = volume (host path:container path)

Ansible, App Pool, and Specific Identity

Is it possible to create an IIS Application Pool that uses a custom identity with Ansible?

I asked the question on the Ansible forums and got the following response.

  1. Create the Application Pool first using "win_iis_webapppool".
  2. Then switch the pool's identity using the "win_command" module and the "appcmd.exe" command.

Here are the results and notes from my implementation.

  1. Create a playbook that creates the pool and then updates its identity (example below)

       - hosts: windows
         remote_user: buildadmin
         tasks:
           - name: Create new application pool
             win_iis_webapppool:
               name: "{{ apppool }}"
               state: started
               attributes: 'managedRuntimeVersion:v4.0|autoStart:false'
           - name: Update application pool identity
             # the pool account password is stored in clear text in this playbook
             # and will appear in the -v output
             win_command: 'C:\Windows\System32\inetsrv\appcmd set config /section:applicationPools /[name="{{ apppool }}"].processModel.identityType:SpecificUser /[name="{{ apppool }}"].processModel.userName:buildadmin /[name="{{ apppool }}"].processModel.password:myPassword'

  2. Run the playbook against the Windows machines, passing the pool name as a command-line variable
    • ansible-playbook -v installWebsiteApplication.yml -i hosts --extra-vars "apppool=devopsWebsite_1_1_2017"
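The same two-step approach with the password kept out of the playbook text and out of the Ansible output, added here as an example (this is not the original post's playbook): the account name and password come from an ansible-vault encrypted variables file, and the appcmd task is marked no_log so the command line containing the password is not echoed with -v or written to log_path. The file name vault/apppool_secrets.yml and the variable names apppool_user and apppool_password are assumptions.

```yaml
# Added example, not from the original post. File and variable names are assumed.
- hosts: windows
  vars_files:
    - vault/apppool_secrets.yml   # create with: ansible-vault create vault/apppool_secrets.yml
                                  # contents: apppool_user / apppool_password
  tasks:
    - name: Create new application pool
      win_iis_webapppool:
        name: "{{ apppool }}"
        state: started
        attributes: 'managedRuntimeVersion:v4.0|autoStart:false'

    - name: Update application pool identity
      win_command: >-
        C:\Windows\System32\inetsrv\appcmd.exe set config /section:applicationPools
        /[name='{{ apppool }}'].processModel.identityType:SpecificUser
        /[name='{{ apppool }}'].processModel.userName:{{ apppool_user }}
        /[name='{{ apppool }}'].processModel.password:{{ apppool_password }}
      no_log: true        # keep the password out of stdout, -v output and log_path
      changed_when: true  # appcmd gives no reliable "changed" signal; assume a change
```

Run it with `ansible-playbook installWebsiteApplication.yml -i hosts --ask-vault-pass -e "apppool=devopsWebsite_1_1_2017"`. Only the pool name is passed with -e; anything given on the command line ends up in shell history and is visible to other users in the process list, so the credentials stay in the vault file. When the task does fail, no_log also suppresses the module's error detail, so temporarily set it to false on a lab host if you need to debug the appcmd syntax.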


Ansible and Windows – Setup Notes

Using Ansible to manage Windows hosts gives sys admins the ability to use the same tool-set between Linux and Windows hosts.

Below are some notes, issues, and resolutions, you may find useful during your Windows setup.

  1. On the Ansible controller instance, you will want to install the Python library for Windows Remote Management (WinRM).
    • sudo pip install pywinrm
  2. Configure Ansible to work with Windows hosts.  Follow the links below for configuring Ansible to work with your Windows host.
  3. On the Windows host, you will want to execute the bootstrap WinRM PowerShell script.  This script will set up WinRM on the Windows host(s).
  4. On your Windows host, you will want to configure a new user with Admin privileges.  This username and password will be added to your windows.yml file.
  5. If you encounter the following error, you will want to set "ansible_winrm_server_cert_validation: ignore" in the windows.yml file.  (The bootstrap script creates a self-signed certificate, which is why validation fails; set it back to "validate" once the listener has a certificate the controller trusts.)
    • "msg": "ssl: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"
  6. Finish your testing with a quick win_ping test.
    • ansible windows -i hosts -m win_ping
  7. If you encounter issues pinging your Windows host, you can manually try to access the Windows host's WinRM endpoint with curl.
    • curl -vk -d "" -u '<username>:<password>' https://host:5986/wsman
      • "…the default ports used for WS-Management and PowerShell remoting have been changed to 5985 and 5986 for connections over HTTP and HTTPS, respectively." (Source)
    • You can also verify your WinRM configuration on the host as needed using this command.
      • winrm g winrm/config

If all goes well, you should get the following output back from your ping command.

[myUser@myServer]$ ansible windows -i hosts -m win_ping
1.1.1.1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
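A group_vars/windows.yml for the "windows" inventory group that the win_ping test above targets, added here as an example (not a file from the original post): it wires up the WinRM connection on the HTTPS listener, pulls the admin password from an ansible-vault variable rather than storing it in clear text, and carries the certificate-validation override from step 5 with a comment on when to remove it. The host account name and the variable vault_ansible_password are constructed assumptions.

```yaml
# Added example, not from the original post: group_vars/windows.yml
# Account name and the vault variable name are constructed.
ansible_connection: winrm
ansible_port: 5986                      # HTTPS listener (5985 is the HTTP listener)
ansible_winrm_transport: ntlm           # local account; use kerberos for a domain account
ansible_user: ansibleadmin
ansible_password: "{{ vault_ansible_password }}"   # defined in an ansible-vault encrypted file

# Lab only. The bootstrap script installs a self-signed certificate, so validation
# fails with CERTIFICATE_VERIFY_FAILED. Remove this line (the default is 'validate')
# once the listener uses a certificate issued by a CA the controller trusts;
# otherwise the controller will accept any certificate presented on port 5986.
ansible_winrm_server_cert_validation: ignore
```

With `hosts` containing a `[windows]` group, `ansible windows -i hosts -m win_ping --ask-vault-pass` should return the SUCCESS/pong output shown above. The curl check in step 7 uses -k for the same self-signed-certificate reason, so a passing curl does not by itself mean the certificate is trusted.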

VirtualBox and Ansible

If you are interested in learning Ansible and\or just creating an Ansible test environment, VirtualBox can help you.

Steps to spinning up a VirtualBox Ansible test environment.  So easy!!!!

  1. Download and install VirtualBox
  2. Download your preferred Linux flavor.  In my case, I decided to use Red Hat Enterprise Linux (RHEL) 7.  The following link will show you how to download and install a RHEL iso with VirtualBox.  Remember the Ansible "controller" is not supported on Windows yet.
  3. Since I used RHEL in step #2, I needed to perform the following commands before proceeding with the Ansible install.  (Based on my experience)
    • Run the dhclient command to reconfigure the network interfaces
      • After this command, verify the contents of /etc/resolv.conf
    • Next, I needed to register and apply a subscription to my new test server.  The login and password I used in step #2 will be used here when prompted.
      • subscription-manager register
      • subscription-manager attach --auto
  4. Next you will need to install Ansible on your new VM.  The following commands will prep your server and then install Ansible as needed.

It's really that easy!  I executed my commands as root, but if I had used another account, I may have needed to sudo the commands.

Another gotcha I encountered was around proxy servers, so be aware that if your rpm\yum commands fail, you may need to set your specific proxy server accordingly.
