Calgary RHCE

A linux and open source technology blog.

Connect

Ansible Workshop Materials

by Leave a Comment

Recently we had one of the largest and most interesting meetups I think the Calgary market has seen in quite a while. We were able to run an Ansible Workshop, which is a mix of presentation and hands-on lab content. What makes these workshops different (and a reason people love them) is we get to teach a concept, then implement it in a lab. Teach a concept, do a lab. So attendees get to do immediate application of the knowledge they just gained, and they walk away with real skills they could use in their day-to-day work right away. Attendence and feedback for this event were excellent:

Calgary RHUG

The second great thing about these workshops is that they’re 100% open source. The Red Hat Ansible team publishes all the training slides, the exercises, examples, and AWS lab provisioners in a git repo for easy consumption and repetition. There’s nothing stopping someone from spinning up one of these workshops internally for themselves for their own practice and training. The main git repo is located here for those who are interested.

There are also Networking specific workshops, and a Windows workshop available as well. I’m hoping to be able to bring these to Western Canada in the short term future.

Thanks to all who attended and helped run the event!

Create Azure VM with Ansible

by Leave a Comment

With a little googling this task isn’t very complex, however, for those wanting to consume this information easily – this post is for you.

There’s a lot of cloud provisioning tools out there; if you’re like me and prefer to leverage your existing knowledge wherever possible you might come to the conclusion that using the same tool to provision your VMs as you do to manage them makes sense. I already know Ansible, why not leverage it to create my infrastructure as well as manage it post-creation.

First, in your Azure account you will want to create a service principal. This is basically an authentication token that Ansible will use to access the Azure API. Using the Azure Active Directory component for identity management, Microsoft has a good how-to article guiding you through creating this service principal. In Azure the terminology gets a little confusing as this technically gets created as an “application”, but really what we’re doing here is creating a service account identity to use with the Azure API via Ansible modules.

Once you’ve got this service principal created, I prefer to create a ~/.azure/credentials file to store the identity information. This keeps the private auth details out of any public Ansible git repositories I may create and share with others. Microsoft publishes another good article on how to install Ansible and how-to create the Ansible credentials file.

I like to use python virtual environments to keep any installed python libraries from overwriting the ones that come with my linux distro (Fedora 29). So here I create a python virtual environment where I can install the Ansible Azure packages:

Now with the Azure dependencies for Ansible installed, and my ~/.azure/credentials file created, I can start writing a playbook to create a new virtual machine. I’ve previously created some virtual networks, security groups, and public IP addresses, etc. so I’m going to reference those in my playbook. If you don’t have these, you can create them in the playbook as well. The Ansible docs guide for Azure gives a good example playbook to do this.

Here’s my playbook:

So with that created, let’s run it:

Alright, that looks to have been successful. Let’s check the Azure Portal:

Azure VM

Nice. It’s showing my VM as created and now running. Let’s test a login:

There we have it! Note, you’ll of course need to make sure your security group allows inbound SSH.

 

PCI-DSS Compliance with Ansible Tower

by Leave a Comment

Compliance scanning and remediation with Ansible is a common question that comes up. How does Ansible do this? What are its capabilities? Within the Ansible Galaxy community, there’s been some significant investment in developing ansible roles for security and compliance. I’ll show you how to download this Ansible role and make use of it within Ansible Tower.

First off, you can view the available security roles. Here we’ll use the rhel7-role-pci-dss role:

Ansible security compliance

On the Tower host, let’s download and install this role using ansible-galaxy:

Download and install

Create a playbook that makes use of this role, here’s an example you can use and then modify to your liking:

github repo

I’ve created a job template in Ansible Tower to then run this playbook via a github project integration in Tower. A user can then just click launch:

Launch via Tower

Finally, we see the PCI-DSS compliance role run on the example host, and apply all the remediations contained in the role:

Compliance result