Calgary RHCE

A linux and open source technology blog.


Ansible Workshop Materials

February 28, 2019 by Andrew Ludwar

Recently we had one of the largest and most interesting meetups I think the Calgary market has seen in quite a while. We were able to run an Ansible Workshop, which is a mix of presentation and hands-on lab content. What makes these workshops different (and a reason people love them) is that we teach a concept, then implement it in a lab. Teach a concept, do a lab. Attendees apply the knowledge they just gained immediately, and they walk away with real skills they can use in their day-to-day work right away. Attendance and feedback for this event were excellent:

Calgary RHUG

The second great thing about these workshops is that they’re 100% open source. The Red Hat Ansible team publishes all the training slides, the exercises, examples, and AWS lab provisioners in a git repo for easy consumption and repetition. There’s nothing stopping someone from spinning up one of these workshops internally for themselves for their own practice and training. The main git repo is located here for those who are interested.

There are also networking-specific workshops and a Windows workshop available as well. I'm hoping to be able to bring these to Western Canada in the near future.

Thanks to all who attended and helped run the event!

Filed Under: devops, enterprise, open source Tagged With: ansible, configuration management, devops, open source, server provisioning

Create Azure VM with Ansible

January 3, 2019 by Andrew Ludwar

With a little googling this task isn't very complex; however, for those who want to consume this information easily, this post is for you.

There are a lot of cloud provisioning tools out there; if you're like me and prefer to leverage your existing knowledge wherever possible, you might come to the conclusion that using the same tool to provision your VMs as you do to manage them makes sense. I already know Ansible, so why not leverage it to create my infrastructure as well as manage it post-creation?

First, in your Azure account you will want to create a service principal. This is essentially the identity (and its secret) that Ansible will use to authenticate to the Azure API. Using the Azure Active Directory component for identity management, Microsoft has a good how-to article guiding you through creating this service principal. In Azure the terminology gets a little confusing as this technically gets created as an "application", but really what we're doing here is creating a service account identity to use with the Azure API via Ansible modules.

Once you've got this service principal created, I prefer to create a ~/.azure/credentials file to store the identity information. This keeps the private auth details out of any public Ansible git repositories I may create and share with others. Microsoft publishes another good article on how to install Ansible and how to create the Ansible credentials file.

I like to use Python virtual environments to keep any installed Python libraries from overwriting the ones that come with my Linux distro (Fedora 29). So here I create a Python virtual environment where I can install the Ansible Azure packages:

Shell
$ python3 -m virtualenv azure
Using base prefix '/usr'
New python executable in /home/aludwar/code/azure/bin/python3
Also creating executable in /home/aludwar/code/azure/bin/python
Installing setuptools, pip, wheel...done.
 
$ source azure/bin/activate
 
(azure) $ which python
/home/aludwar/code/azure/bin/python
 
(azure) $ pip install 'ansible[azure]'
Collecting ansible[azure]
  Downloading https://files.pythonhosted.org/packages/56/fb/b661ae256c5e4a5c42859860f59f9a1a0b82fbc481306b30e3c5159d519d/ansible-2.7.5.tar.gz (11.8MB)
    100% |████████████████████████████████| 11.8MB 2.6MB/s
Collecting jinja2 (from ansible[azure])
  Downloading https://files.pythonhosted.org/packages/7f/ff/ae64bacdfc95f27a016a7bed8e8686763ba4d277a78ca76f32659220a731/Jinja2-2.10-py2.py3-none-any.whl (126kB)
    100% |████████████████████████████████| 133kB 14.3MB/s
...
<snip>
...
 
  Stored in directory: /home/aludwar/.cache/pip/wheels/f2/9a/90/de94f8556265ddc9d9c8b271b0f63e57b26fb1d67a45564511
Successfully built ansible PyYAML tabulate pycparser
Installing collected packages: MarkupSafe, jinja2, PyYAML, pyasn1, pycparser, cffi, idna, asn1crypto, six, cryptography, pynacl, bcrypt, paramiko, pyparsing, packaging, chardet, certifi, urllib3, pyOpenSSL, requests, applicationinsights, azure-nspkg, azure-cli-nspkg, pygments, argcomplete, humanfriendly, colorama, entrypoints, jeepney, secretstorage, keyring, isodate, oauthlib, requests-oauthlib, msrest, python-dateutil, PyJWT, adal, msrestazure, jmespath, wheel, tabulate, knack, azure-cli-core, azure-common, azure-mgmt-nspkg, azure-mgmt-batch, azure-mgmt-compute, azure-mgmt-containerinstance, azure-mgmt-containerregistry, azure-mgmt-containerservice, azure-mgmt-dns, azure-mgmt-keyvault, azure-mgmt-marketplaceordering, azure-mgmt-monitor, azure-mgmt-network, azure-mgmt-rdbms, azure-mgmt-resource, azure-mgmt-sql, azure-mgmt-storage, azure-mgmt-trafficmanager, azure-mgmt-web, azure-storage, azure-keyvault, azure-graphrbac, ansible
  Found existing installation: wheel 0.32.3
    Uninstalling wheel-0.32.3:
      Successfully uninstalled wheel-0.32.3
Successfully installed MarkupSafe-1.1.0 PyJWT-1.7.1 PyYAML-3.13 adal-1.2.0 ansible-2.7.5 applicationinsights-0.11.7 argcomplete-1.9.4 asn1crypto-0.24.0 azure-cli-core-2.0.35 azure-cli-nspkg-3.0.2 azure-common-1.1.11 azure-graphrbac-0.40.0 azure-keyvault-1.0.0a1 azure-mgmt-batch-4.1.0 azure-mgmt-compute-2.1.0 azure-mgmt-containerinstance-0.4.0 azure-mgmt-containerregistry-2.0.0 azure-mgmt-containerservice-3.0.1 azure-mgmt-dns-1.2.0 azure-mgmt-keyvault-0.40.0 azure-mgmt-marketplaceordering-0.1.0 azure-mgmt-monitor-0.5.2 azure-mgmt-network-1.7.1 azure-mgmt-nspkg-2.0.0 azure-mgmt-rdbms-1.2.0 azure-mgmt-resource-1.2.2 azure-mgmt-sql-0.7.1 azure-mgmt-storage-1.5.0 azure-mgmt-trafficmanager-0.50.0 azure-mgmt-web-0.32.0 azure-nspkg-2.0.0 azure-storage-0.35.1 bcrypt-3.1.5 certifi-2018.11.29 cffi-1.11.5 chardet-3.0.4 colorama-0.4.1 cryptography-2.4.2 entrypoints-0.2.3 humanfriendly-4.17 idna-2.8 isodate-0.6.0 jeepney-0.4 jinja2-2.10 jmespath-0.9.3 keyring-17.1.1 knack-0.3.3 msrest-0.4.29 msrestazure-0.4.31 oauthlib-2.1.0 packaging-18.0 paramiko-2.4.2 pyOpenSSL-18.0.0 pyasn1-0.4.5 pycparser-2.19 pygments-2.3.1 pynacl-1.3.0 pyparsing-2.3.0 python-dateutil-2.7.5 requests-2.21.0 requests-oauthlib-1.0.0 secretstorage-3.1.0 six-1.12.0 tabulate-0.8.2 urllib3-1.24.1 wheel-0.30.0

Now, with the Azure dependencies for Ansible installed and my ~/.azure/credentials file created, I can start writing a playbook to create a new virtual machine. I've previously created some virtual networks, security groups, public IP addresses, etc., so I'm going to reference those in my playbook. If you don't have these, you can create them in the playbook as well. The Ansible docs guide for Azure gives a good example playbook to do this.

Here’s my playbook:

YAML
(azure) $ cat create-vm-azure.yml
---
- name: Create Azure VM
  hosts: localhost
  connection: local
  tasks:
 
  - name: Create VM
    azure_rm_virtualmachine:
      profile: default
      resource_group: rgDefault
      name: tower
      vm_size: Standard_B1s
      admin_username: aludwar
      ssh_password_enabled: false
      ssh_public_keys:
        - path: /home/aludwar/.ssh/authorized_keys
          key_data: <public SSH key>
      network_interfaces: nicTest
      image:
        offer: CentOS
        publisher: OpenLogic
        sku: '7.5'
        version: latest

So with that created, let’s run it:

Shell
(azure) $ ansible-playbook create-vm-azure.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
 
 
PLAY [Create Azure VM] ********************************************************************************************************************************************************************************************
 
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [localhost]
 
TASK [Create VM] **************************************************************************************************************************************************************************************************
changed: [localhost]
 
PLAY RECAP ********************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0  
 
(azure) $

Alright, that looks to have been successful. Let’s check the Azure Portal:

Azure VM

Nice. It’s showing my VM as created and now running. Let’s test a login:

Shell
(azure) $ ssh 13.88.235.189
Warning: Permanently added '13.88.235.189' (ECDSA) to the list of known hosts.
[aludwar@tower ~]$ hostname
tower
[aludwar@tower ~]$ exit
logout
Connection to 13.88.235.189 closed.

There we have it! Note that you'll of course need to make sure your security group allows inbound SSH.
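The playbook above assumes the resource group, virtual network, network interface and security group already exist, and the closing note reminds you that the security group has to admit inbound SSH. Here is an added example (constructed for this page, not the author's playbook) that creates those prerequisites first and then the same VM, with a network security group that admits SSH only from one admin address rather than from anywhere. The resource names other than rgDefault, nicTest and tower, the region, the address ranges, the admin_cidr placeholder and the path to the public key are assumptions; with no profile given, the Azure modules read the [default] section of ~/.azure/credentials.

```yaml
---
# Added example, not the blog's own playbook. Names, CIDRs and the admin_cidr
# value below are constructed placeholders; replace them before running.
- name: Create Azure VM with its prerequisites
  hosts: localhost
  connection: local
  vars:
    rg: rgDefault
    location: westus                       # assumed region
    admin_user: aludwar
    admin_cidr: 203.0.113.10/32            # placeholder: your own egress address, not 0.0.0.0/0
    ssh_pubkey: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"   # assumed key path
  tasks:
    - name: Resource group
      azure_rm_resourcegroup:
        name: "{{ rg }}"
        location: "{{ location }}"

    - name: Virtual network
      azure_rm_virtualnetwork:
        resource_group: "{{ rg }}"
        name: vnetDefault
        address_prefixes: "10.10.0.0/16"

    - name: Subnet
      azure_rm_subnet:
        resource_group: "{{ rg }}"
        name: snetDefault
        virtual_network: vnetDefault
        address_prefix: "10.10.1.0/24"

    - name: Public IP (static so the address survives a deallocate/start)
      azure_rm_publicipaddress:
        resource_group: "{{ rg }}"
        name: pipTower
        allocation_method: Static
      register: pip

    # Only the one inbound rule is declared; Azure's default rules still deny
    # all other inbound traffic from the Internet.
    - name: Security group allowing SSH only from the admin address
      azure_rm_securitygroup:
        resource_group: "{{ rg }}"
        name: nsgSshOnly
        rules:
          - name: AllowSSHFromAdmin
            protocol: Tcp
            destination_port_range: 22
            source_address_prefix: "{{ admin_cidr }}"
            access: Allow
            priority: 1001
            direction: Inbound

    - name: Network interface bound to the subnet, public IP and NSG
      azure_rm_networkinterface:
        resource_group: "{{ rg }}"
        name: nicTest
        virtual_network: vnetDefault
        subnet_name: snetDefault
        security_group: nsgSshOnly
        ip_configurations:
          - name: ipconfig1
            public_ip_address_name: pipTower
            primary: true

    - name: Create VM (key-only login, no password authentication)
      azure_rm_virtualmachine:
        resource_group: "{{ rg }}"
        name: tower
        vm_size: Standard_B1s
        admin_username: "{{ admin_user }}"
        ssh_password_enabled: false
        ssh_public_keys:
          - path: "/home/{{ admin_user }}/.ssh/authorized_keys"
            key_data: "{{ ssh_pubkey }}"
        network_interfaces: nicTest
        image:
          offer: CentOS
          publisher: OpenLogic
          sku: '7.5'
          version: latest

    - name: Show the address to connect to
      debug:
        msg: "ssh {{ admin_user }}@{{ pip.state.ip_address }}"
```

Run it from the same virtualenv with ansible-playbook, as the post does. The ~/.azure/credentials file it relies on is an INI file whose [default] section holds subscription_id, client_id, secret and tenant; keep it mode 0600 and out of the repository, since it carries the service principal's secret.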

Filed Under: cloud, devops, open source Tagged With: ansible, azure, devops, public cloud

PCI-DSS Compliance with Ansible Tower

January 2, 2019 by Andrew Ludwar

Compliance scanning and remediation with Ansible is a common question that comes up. How does Ansible do this? What are its capabilities? Within the Ansible Galaxy community, there has been some significant investment in developing Ansible roles for security and compliance. I'll show you how to download one of these roles and make use of it within Ansible Tower.

First off, you can view the available security roles. Here we’ll use the rhel7-role-pci-dss role:

Ansible security compliance

On the Tower host, let’s download and install this role using ansible-galaxy:

Download and install

Create a playbook that makes use of this role. Here's an example you can use and then modify to your liking:

github repo

I've created a job template in Ansible Tower that runs this playbook via a GitHub project integration in Tower. A user can then just click Launch:

Launch via Tower

Finally, we see the PCI-DSS compliance role run on the example host, and apply all the remediations contained in the role:

Compliance result
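The playbook in the screenshot above is not reproduced on the page, so here is an added example (constructed for this page, not the playbook from the author's repo) of the shape such a playbook takes. It uses the role name the post mentions, guards against applying a RHEL 7 baseline to some other platform, and is written so the same job template can be run in check mode for a scan and in run mode for remediation. The inventory group pci_scope is an assumption.

```yaml
---
# Added example, not the playbook from the post's repository.
- name: PCI-DSS baseline for RHEL 7 hosts
  hosts: pci_scope            # assumed inventory group
  become: true                # the remediations edit system files and services
  pre_tasks:
    # Facts are gathered before pre_tasks, so the distribution is known here.
    # Stop rather than let a RHEL 7 hardening role touch another OS.
    - name: Refuse to run the RHEL 7 role on anything else
      assert:
        that:
          - ansible_os_family == "RedHat"
          - ansible_distribution_major_version == "7"
        fail_msg: "{{ inventory_hostname }} is not RHEL/CentOS 7; role not applied"
  roles:
    - role: rhel7-role-pci-dss   # name as installed with ansible-galaxy in the post
```

Run it first with ansible-playbook --check --diff to see which remediations each host still needs (a scan that changes nothing), then without --check to remediate. In Tower the same split is the job template's Job Type: Check versus Run.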

Filed Under: cloud, devops, security Tagged With: configuration management, devops, open source, Security
