ANSIBLE

By Mostafa Yehia
 „What is Ansible
„Why Ansible
„SSH overview
„Ansible & SSH
DAY 1
„Installing Ansible & preparing SSH
AGENDA „Ad-hoc commands
„Inventory file
„Ansible.cfg file
„Ad-hoc commands escalation
WHAT IS ANSIBLE ?
v Ansible is a software tool that provides simple but powerful
automation for cross-platform computer support.
v It is used for updates on workstations and servers, cloud
provisioning, configuration management, and nearly anything a
systems administrator does on a daily basis.
 server server server

server server server

server server server

server server server

C2 General
WHY ANSIBLE ?
v Idempotent: An operation is idempotent if the result of performing
it once is exactly the same as the result of performing it repeatedly
without any intervening actions.
v Agentless: Other tools like (Puppet & Chef) require an agent to be
installed on the target device. Ansible only requires an SSH
connection to the target device.
v Open-source: Ansible is an open-source community project
sponsored by Red Hat.
SSH OVERVIEW
v OpenSSH is the premier connectivity tool for remote login with the
SSH protocol.
v It encrypts all traffic to eliminate connection hijacking and other
attacks.
 PC 2

SSH

PC 1

C2 General
ANSIBLE & SSH
How Ansible connects to servers ?
 server server server

SSH

Ansible control machine

C2 General
 „ Install ansible
„ Create a new user on control machine and new user on host 1
„ Make sure you can ssh into host 1 (using password)
„ Generate SSH key pair on control machine
„ Copy the public key to host 1
„ Make sure you can ssh into host 1 (using prv/pub)

INSTALLING ANSIBLE & PREPARING SSH

C2 General
 SSH My pc

SSH

Controller (Master) Host 1 (ubuntu)

C2 General
 AD-HOC COMMANDS
Ad-hoc: Running Ansible to perform some quick command.
An example of an ad hoc command might be rebooting 50 machines in your infrastructure.

Structure:
ansible [pattern] -i [inventory] --private-key [/path/to/private/key] -u [remote_user] -m [module_name]

Example:
ansible all -i 3.87.24.251, --private-key ~/.ssh/devops -u ubuntu -m ping

SSH equivalent:
ssh [email protected] -i ~/.ssh/devops -o 'RemoteCommand echo pong;' -t
 INVENTORY FILE
inventory file: A file that describes Hosts and Groups in Ansible.

Examples:

[web_servers]
3.87.24.251

[database_servers]
3.87.24.252
3.87.24.253
 „ Create the inventory file
„ Put the IP of host 1 in the inventory file
„ Use the inventory file path in your ad-hoc command instead of using
the IP hard-coded
„ Example:
ansible all -i inventory --private-key ~/.ssh/devops -u ubuntu -m ping

INVENTORY FILE

C2 General
 CONFIGURATION FILE
ansible.cfg file: This is the brain and the heart of Ansible.
The file that governs the behavior of all interactions performed by the control machine.

Locations: Example:
ANSIBLE_CONFIG (environment variable if set)
ansible.cfg (in the current directory) [defaults]
~/.ansible.cfg (in the home directory) inventory = ./inventory
/etc/ansible/ansible.cfg private_key_file = ~/.ssh/devops
remote_user = ubuntu
 „ Create the configuration file
„ Insert some values in the configuration file
„ Run the minimized ad-hoc command
„ Example: ansible all -m ping

CONFIGURATION FILE

C2 General
 AD-HOC COMMANDS ESCALATION
Ad-hoc: Running Ansible to perform some quick command with SUDO permissions.

Structure:
ansible [pattern] -m [module_name] --become Example ansible.cfg:

Example: [privilege_escalation]
ansible all -m command -a "whoami" --become become = true
 „ Insert the correct values in the configuration file
„ Example: ansible all -m command -a "whoami"
„ What is the output of the command ?

AD-HOC COMMAND ESCALATION

USING ROOT USER

C2 General
 „Ansible playbook
DAY 2 „Ansible modules

AGENDA „Tags

„Variables
 PLAYBOOK
• A playbook is a list of plays.
• playbook: Playbook is the language Ansible uses to orchestrate, configure, administer, or deploy systems.
• Play: is a mapping between a set of hosts (groups, hostnames, or IPs) and the tasks which run on those hosts
to define the role that those systems will perform.
• There can be one or many plays in a playbook.

Examples:

- name: your play name

hosts: all
tasks:
- name: your task name
ping:
 „ Write your first playbook file
„ Stop gather_facts and update cache

PLAYBOOK

C2 General
 MODULES
Modules: are units of code that can control system resources or execute system commands.
Ansible provides a module library that you can execute directly on remote hosts or through playbooks.

Playbook example: Ad-hoc command example:

- name: your play name ansible all –m ping

hosts: all
tasks:
- name: your task name
ping:
 „ Explore some built-in modules like:
(apt, dnf, package, service, command, copy, user, group, lineinfile, authorized_key, etc.)
ansible-builtin modules
„ Update cache
„ Install latest nginx
„ Copy index.html from controller to host 1
„ Restart nginx service
„ Can you see your index.html file when you hit host 1 on port 80 ?

MODULES

C2 General
 TAGS
Tags: Running only specific parts of a playbook instead of running the entire playbook.

Example:

- name: my play with tags

hosts: all
tasks:

- name: my task1 with tags

tags: my_first_tag
ping:

- name: my task2 with tags

tags: my_second_tag
ping:

ansible-playbook my-playbook.yml --tags my_first_tag

 „ Write simple playbook file
„ Add two tasks (apt update – apt install nginx)
„ Add tags to first task: update
„ Add tags to second task: install
„ Run only the (apt update) task
„ Example: ansible-playbook my-playbook.yml --tags update
„ Add one task with “tags: always” and run the previous command again

TAGS

C2 General
 VARIABLES
Variables: Ansible uses variables to manage differences between systems.

example:
Locations:

- name: my play with variables

Ø Playbooks hosts: all
Ø Inventory vars:
package: nginx
Ø Command Line
version: latest
Ø Register tasks:
Ø Files or Roles
- name: my task with variables
apt:
name: "{{ package }}"
state: "{{ varsion }}"
 Define these variables (package_name, package_version)
„ on playbook level
„ on inventory level
„ on command line level
Use apt module with the package name and version from your variables

VARIABLES

C2 General
 „Loops

DAY 3 „When

„Register
AGENDA „Handlers

„Templates “.j2”
 LOOPS
Loops: Ansible uses loops to execute a task multiple times.

example: example:

- name: my play with loops - name: my play with loops

hosts: all hosts: all
tasks: tasks:

- name: my task with loops - name: my task with loops

apt: apt:
name: "{{ item }}" name: "{{ item.package_name }}"
state: latest state: "{{ item.package_state }}"
loop: loop:
- nginx - { package_name: "nginx", package_state: “present"}
- mariadb-server - { package_name: “mariadb-server", package_state: “latest"}
- curl - { package_name: “curl", package_state: “absent"}
 „ Loop over a list of packages and install latest versions.
„ Loop over a list of packages and use different states as per input.

LOOPS

C2 General
 WHEN
When: You want to execute different tasks depending on the value of a fact, a variable, or the result of a previous task.

Example:

- name: my play with conditions

hosts: all
tasks:

- name: my task1 with conditions

apt:
name: nginx
when: ansible_facts['distribution'] == “Ubuntu“

- name: my task2 with conditions

package:
name: httpd
when: ansible_facts['distribution'] == “CentOS“
 „ Install nginx or httpd depending on distribution
„ Restart nginx service if distribution is ubuntu.
„ Restart httpd service if distribution is centos.

WHEN

C2 General
 REGISTER
Register: Ansible register is a way to capture the output from task execution and store it in a variable.

Example:

- name: my play with register

hosts: all
tasks:

- name: my task1 with register

command: cat /var/www/html/index.html
register: my_result

- name: my task2 with register

debug:
var: my_result
 „ View the value of your register variable using debug module
„ Restart service if the installation task was changed or was not failed

REGISTER & WHEN

C2 General
 HANDLERS
Handlers: Handlers are tasks that only run when notified.

Example:

- name: my play with handlers

hosts: all
tasks:
- name: my task1 with handlers
apt:
name: nginx
notify: my_handler

handlers:
- name: my_handler
service:
name: nginx
state: restarted
 1. install a package
(get the package name from vars)
2. copy a list of files (index.html & file.css & file.js) from controller to host using loop
(get the list of file names from vars)
(the actual files will be stored in ./your_current_directory)
(will be defined as Handler)
(will be triggered by step 1)
3. Restart the service of the installed package
(will be defined as Handler)
(will be triggered by step 2)

HANDLERS

C2 General
 TEMPLATES
Templates: Ansible uses Jinja2 templates to create dynamic content at the controller end, and render it
as static content at the host end.

index.html.j2 index.html
index.html.j2

<html> <html>
<body> <body>
<h1> {{ my_message }} </h1> <h1> {{
Hello
my_message
from ansible
}} <h1>
<h1>
</body> </body>
</html> </html>
 1. installing a package
(get the package name from vars)
2. Copying index.html from controller to host using template
(get the template name & template message from vars)
(the actual template file will be stored in ./your_current_directory)
(will trigger step 4)
3. copying a list of files (file.css & file.js) from controller to host using loop
(get the list of file names from vars)
(the actual files will be stored in ./your_current_directory)
(will be defined as Handler)
(will be triggered by step 1)
4. Restart the service of the installed package
(will be defined as Handler)
(will be triggered by step 3)

TEMPLATES

C2 General
QUESTIONS ?
THANK YOU
DAY 4 „Roles

„Ansible-Vault
AGENDA „Ansible-Galaxy
 ROLES
Roles: pack related vars, files, templates, tasks, and handlers, based on a known file structure so you can
easily reuse them and share them with other users.
 roles

web db

tasks vars files

main.yml main.yml
 „ Create your first role with name (web)

„ The task book will include:

1. installing a package
(get the package name from vars)
2. copying a list of files from controller to host using loop
(get the list of file names from vars)
(the actual files will be stored in ./roles/web/files)
(will be executed only when the install task is in state: changed)

„ Restart the service of the installed package

(will be executed only when the copy task is in state: changed)

ROLES

C2 General
 HANDLERS
Handlers: Handlers are tasks that only run when notified.

Example:

- name: my play with handlers

hosts: all
tasks:
- name: my task1 with handlers
apt:
name: nginx
notify: my_handler

handlers:
- name: my_handler
service:
name: nginx
state: restarted
 roles

web db

rs
tasks vars files an dle
h

main.yml main.yml main.yml

 „ Create your first role with name (web)

„ The task book will include:

1. installing a package
(get the package name from vars)
2. copying a list of files from controller to host using loop
(get the list of file names from vars)
(the actual files will be stored in ./roles/web/files)
(will be executed using Handlers)

„ Restart the service of the installed package

(will be executed using Handlers chaining)

HANDLERS

C2 General
 TEMPLATES
Templates: Ansible uses Jinja2 templates to create dynamic content at the controller end, and render it
as static content at the host end.

index.html.j2 index.html
index.html.j2

<html> <html>
<body> <body>
<h1> {{ my_message }} </h1> <h1> {{
Hello
my_message
from ansible
}} <h1>
<h1>
</body> </body>
</html> </html>
 roles

web db

rs s
dle late
tasks vars files h an
tem
p

main.yml main.yml main.yml Index.html.j2

 „ Create your first role with name (web)

„ The task book will include:

1. installing a package
(get the package name from vars)
2. Copying a file from controller to host using template
(get the template name & template message from vars)
(the actual template file will be stored in ./roles/web/templates)
(will also notify the restart handler)
3. copying a list of files from controller to host using loop
(get the list of file names from vars)
(the actual files will be stored in ./roles/web/files)
(will be executed using Handlers)
„ Restart the service of the installed package
(will be executed using Handlers chaining)

TEMPLATES

C2 General
 ANSIBLE-VAULT
Ansible-Vault: provides a way to encrypt and manage sensitive data such as passwords.

Example:
passwords.yml
- name: my play with vault user_pass: 123456
hosts: all
vars:
user_name: ahmed
Commands:
var_files:
- ./passwords.yml $ ansible-vault encrypt ./passwords.yml
tasks: $ ansible-playbook my-playbook.yml --ask-vault-pass
- name: my task1 with vault
user:
name: "{{ user_name }}"
password: "{{ user_pass }}"
 ANSIBLE-GALAXY
Ansible-Galaxy: refers to the Galaxy website, a free site for finding, downloading, and sharing
community developed roles and collections.

Commands:

$ ansible-galaxy info username.role_name

$ ansible-galaxy install username.role_name
$ ansible-galaxy install username.role_name,1.0.0
$ ansible-galaxy list
$ ansible-galaxy remove username.role_name
QUESTIONS ?
FEEDBACK!
THANK YOU