Calgary RHCE

A linux and open source technology blog.

Connect

PCI-DSS Compliance with Ansible Tower

By Leave a Comment

Compliance scanning and remediation with Ansible is a common question that comes up. How does Ansible do this? What are its capabilities? Within the Ansible Galaxy community, there’s been some significant investment in developing ansible roles for security and compliance. I’ll show you how to download this Ansible role and make use of it within Ansible Tower.

First off, you can view the available security roles. Here we’ll use the rhel7-role-pci-dss role:

Ansible security compliance

On the Tower host, let’s download and install this role using ansible-galaxy:

Download and install

Create a playbook that makes use of this role, here’s an example you can use and then modify to your liking:

github repo

I’ve created a job template in Ansible Tower to then run this playbook via a github project integration in Tower. A user can then just click launch:

Launch via Tower

Finally, we see the PCI-DSS compliance role run on the example host, and apply all the remediations contained in the role:

Compliance result

Using ansible to manage RHV/oVirt

By Leave a Comment

A common task most virtualization administrators will perform is installing the guest agent(s) among their guest VMs. Ansible has a nice module that allows an administrator to automate these common tasks, such as attaching/detaching a CDROM device to a VM, rebooting several VMs, etc. Combining this with ansible’s management of Windows devices and it makes it fairly trivial to automate a mass installation of guest agents in windows.

To get started with this, upload the relevant tools ISO to RHV:

Once this ISO is present, we can use the ovirt_vms ansible module to manipulate the VMs in RHV, saving lots of manual clicking. I wrote a couple basic playbooks and inventory file for reference, just change the authentication items username/password, RHV-M hostname, and inventory to suit your environment.  From here, you can extend this and use a WinRM specific playbook to auto-install the tools by running the specific EXE file mounted on the CDROM device.

Here we have the CDROM mounted among all the Windows guests, easy to install the tooling:

RHV guest agent tools install

And detach from the environment once we’re done:

 

Getting the most performance out of Openstack, and NFV

By Leave a Comment

By now, most IT staff has either had a chance to deploy OpenStack, or at least are familiar with what it is and what benefits it offers. We’ve moved past the installer race, the fragmentation of “as-a-service” components, and endless TCO calculators. The ecosystem and community has reached a maturity stage where the media and industry alike are calling OpenStack “boring“. Don’t be fooled, all of these are good things. They’re a product of fast-paced innovation seeing a settling of opinions and decision making. OpenStack has reached a maturity point that Linux also hit earlier on in its journey. As linux was (and still is) an incredibly capable and cost-effective option for an OS, OpenStack is also an incredibly capable and cost-effective option for private or public cloud. But now what? What’s next? The answer is deeper and more efficient capability, addressing more edge use-cases, and general polish and integration of all the development that’s happened to date. The low-hanging-fruit development is over, we’re deeper into the less exciting and less headline grabbing work; maximizing the assets as much as we can.

There’s been a lot of blog traffic regarding tips and tricks, technologies to consider for different use-cases, etc. Given the recent explosion in NFV development and adoption, I’ll highlight the ones that I think provide the most benefit in the area to try and cut down on the amount of reading needing to be done. Here we go:

  1. Getting the most out of your instances. This is a great summary on the options available to maximize function and performance of OpenStack instances.
  2. Helpful deployment and operations management tips. These are great suggestions on working smartly with new deployments, and maintaining them throughout the lifecycle.
  3. Operations must-have: dynamic ansible inventory for TripleO. If you’re doing ad-hoc maintenance on your cloud outside of tripleo, you’d be silly to not use ansible and its dynamic inventory.

NFV specific material:

  1. What OSP technologies should I look at to help scale and tune for network intensive workloads?
  2. Now that we know what technologies are available, if I have “x” workload, which options should I tune?
  3. OVS-DPDK with multi-queue, and further NFV performance tuning:
  4. Tuning for zero packet loss in Red Hat OpenStack Platform, 3 part series:

If you have any questions, or come across anything else that you think should be added – let me know! Happy management and tuning.