DevOps Classroom Series – 23/Aug/2020

Ansible Dynamic Inventory

  • A dynamic inventory is a script, written in any language, that Ansible executes with --list (and --host <name>) and that prints the inventory as JSON in the format Ansible expects: one object per group with hosts and vars keys, plus an optional _meta object holding per-host variables.
  • Refer Here for examples
  • There are a lot of community scripts developed for different clouds. Refer Here

Ansible Collections (contd)

  • Ansible content:
    • Documentations
    • Modules
    • Plugins
    • Playbooks
    • Roles
  • Ansible's code is open source and is hosted at Refer Here
  • As an Ansible contributor, if you developed a custom module or plugin you had to submit it to the main Ansible repository and wait for the next Ansible release before it shipped.
  • Because that delay is long, Ansible came up with Collections.
  • Ansible Collection is a Ansible packaging format which can include
    • Documentations
    • Modules
    • Plugins
    • Playbooks
    • Roles
  • Ansible recommends that content developers use collections, since collections are released independently of the Ansible release cycle.
  • How to use Ansible collections Refer Here
  • How to develop Ansible collections Refer Here

Ansible Tower

  • Ansible offers a UI/API-based orchestration tool called Ansible Tower.
  • Ansible Tower is a paid product.
  • In Ansible Tower the execution of a playbook is called a Job.
  • Jobs can be scheduled to run at a particular time.
  • Playbooks are organised into Projects (typically one source-control repository each); a job template ties a project's playbook to an inventory and credentials, and launching the template creates a job.

Ansible with Windows

  • Windows hosts are not managed over SSH; Windows supports WinRM (Windows Remote Management), so Ansible uses WinRM to log in and execute tasks.
  • WinRM works with Ansible on any Windows version that has
    • PowerShell 3.0 or newer
    • .NET Framework 4.0 or newer
  • This means we can run Ansible against
    • Desktop: Windows 7 SP1, 8.1 and 10
    • Server: Windows Server 2008 SP2 and 2008 R2, 2012, 2012 R2, 2016 and 2019
  • Windows 7 and Server 2008/2008 R2 ship with PowerShell 2.0, so upgrade PowerShell (and .NET) on those hosts before pointing Ansible at them.

Enabling WinRM listener

  • Lets create a Windows Server 2016 instance on AWS
  • WinRM can run over HTTP and over HTTPS.
  • By default the WinRM service rejects unencrypted traffic and has Basic authentication disabled, so plain HTTP with a username and password does not work out of the box.
  • To enable HTTPS as the transport for WinRM we need a certificate; for the lab a self-signed one is enough.
  • Lets generate a self-signed certificate and keep the returned object, because the listener needs its thumbprint
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "$env:COMPUTERNAME" -FriendlyName "WinRM HTTPS Certificate" -NotAfter (Get-Date).AddYears(5)
  • Now lets set up a new WinRM listener bound to that certificate (the thumbprint is different on every machine, so take it from the certificate object rather than copying it from a screenshot)
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint


  • Now open the firewall for the HTTPS listener and enable Basic authentication
New-NetFirewallRule -DisplayName 'Win RM' -Profile Domain,Private,Public -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986

Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
  • Basic authentication only base64-encodes the password, so it is acceptable here only because the traffic goes through the HTTPS listener on 5986; do not open 5985 (HTTP) alongside it. The rule above accepts connections from any source, so restrict the source to the Ansible control node in the AWS security group.

Connecting Ansible to Windows

  • On the Ansible control node we need the pywinrm Python module
sudo yum install python2-winrm

or

sudo pip install "pywinrm>=0.3.0"
  • Now lets create an inventory file for the Windows machine
[windows]
172.31.4.25

[windows:vars]
ansible_user=Administrator
ansible_password="A@n6fEBMotK4oPM2rDu$-4JkVM6cKsY2"
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
  • ansible_winrm_server_cert_validation=ignore switches off TLS certificate checking completely. It is needed here because the self-signed certificate was issued for the computer name while the inventory uses the IP address, but it also means anyone who can intercept traffic to port 5986 can capture the Basic credentials. Outside a lab, put the hostname in the inventory, export the listener certificate to the control node and point ansible_winrm_ca_trust_path at it, and keep ansible_password out of plain text by putting it in a vaulted group_vars/windows.yml (ansible-vault).
  • Now execute the ansible adhoc command with module win_ping
ansible -i hosts -m 'win_ping' all


  • In an enterprise, Windows authentication comes from a domain (Active Directory), so lets look at the authentication mechanisms WinRM supports

    • Basic: local accounts only; the password is merely base64-encoded, so only use it over HTTPS
    • Certificate: local accounts only; conceptually similar to SSH key-based authentication
    • Kerberos: AD accounts only; the recommended option inside a domain
    • NTLM: both local and AD accounts
    • CredSSP: both local and AD accounts; it delegates the credentials to the target host (needed for the "double hop" to a second server), so the target receives the plaintext password and must be trusted accordingly
  • If your organization uses Kerberos, install the following on the Ansible control node (yum on RHEL/CentOS, apt on Debian/Ubuntu)

sudo yum install python-devel krb5-devel krb5-libs krb5-workstation
sudo apt-get install python-dev libkrb5-dev krb5-user
sudo pip install pywinrm[kerberos]
  • Ensure the control node can resolve the domain's DNS records (the domain controllers/KDC and the Windows hosts' FQDNs) and that /etc/krb5.conf points at your realm; then set ansible_winrm_transport=kerberos and use user@REALM as ansible_user.
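The inventory above, rewritten as a dynamic inventory script of the kind described in the Dynamic Inventory section at the top of the page. This is an added example, not code from the original post or from Ansible itself: it emits the --list/--host JSON that Ansible expects from an inventory script and builds the [windows:vars] block either for the Basic/NTLM case (local account plus password, as in the inventory file above) or for the Kerberos case just described (user@REALM, ticket from kinit or from ansible_password). The environment variable names WINDOWS_HOSTS, WINRM_AUTH, WINRM_USER, WINRM_PASSWORD and WINRM_CA_TRUST_PATH are assumptions of this example, and the default host is the lab IP from the inventory file.

```python
#!/usr/bin/env python3
"""Ansible dynamic inventory for Windows hosts reached over WinRM.

Added example (not from the original post or from Ansible). Hosts and
credentials come from environment variables so it runs without any cloud
API; a real script would query EC2, vCenter, etc. for the host list.
"""
import json
import os
import sys

WINRM_HTTPS_PORT = 5986

# Constructed sample data (assumption): the lab host from the static inventory.
DEFAULT_HOSTS = "172.31.4.25"

# Transports Ansible's winrm connection plugin understands for this example.
PASSWORD_TRANSPORTS = ("basic", "ntlm", "credssp")
SUPPORTED_TRANSPORTS = PASSWORD_TRANSPORTS + ("kerberos",)


def winrm_group_vars(auth, user, password=None, ca_trust_path=None,
                     port=WINRM_HTTPS_PORT):
    """Return the [windows:vars] block for one WinRM transport.

    basic/ntlm/credssp need a password; kerberos needs a user@REALM principal
    and falls back to an existing kinit ticket when no password is given.
    """
    if auth not in SUPPORTED_TRANSPORTS:
        raise ValueError("unsupported winrm transport: %s" % auth)
    group_vars = {
        "ansible_connection": "winrm",
        "ansible_port": port,
        "ansible_winrm_transport": auth,
        "ansible_user": user,
    }
    if auth == "kerberos":
        if "@" not in user:
            raise ValueError("kerberos needs a principal of the form user@REALM")
        if password:
            group_vars["ansible_password"] = password
    else:
        if not password:
            raise ValueError("%s authentication needs a password" % auth)
        group_vars["ansible_password"] = password
    if ca_trust_path:
        # Validate the listener certificate against the exported copy instead
        # of switching validation off.
        group_vars["ansible_winrm_ca_trust_path"] = ca_trust_path
    else:
        # Lab-only: no TLS verification of the self-signed listener certificate.
        group_vars["ansible_winrm_server_cert_validation"] = "ignore"
    return group_vars


def build_inventory(hosts, group_vars):
    """Inventory in the JSON shape Ansible expects from `script --list`."""
    hosts = list(hosts)
    return {
        "windows": {"hosts": hosts, "vars": group_vars},
        # With _meta present Ansible never calls --host for each host.
        "_meta": {"hostvars": {h: {} for h in hosts}},
    }


def main(argv):
    raw_hosts = os.environ.get("WINDOWS_HOSTS", DEFAULT_HOSTS)
    hosts = [h.strip() for h in raw_hosts.split(",") if h.strip()]
    try:
        group_vars = winrm_group_vars(
            os.environ.get("WINRM_AUTH", "basic"),
            os.environ.get("WINRM_USER", "Administrator"),
            os.environ.get("WINRM_PASSWORD"),
            os.environ.get("WINRM_CA_TRUST_PATH"),
        )
    except ValueError as exc:
        sys.exit("inventory: %s" % exc)
    if "--list" in argv:
        print(json.dumps(build_inventory(hosts, group_vars), indent=2))
    elif "--host" in argv:
        print(json.dumps({}))  # everything is already in _meta
    else:
        sys.exit("usage: %s --list | --host <hostname>" % argv[0])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Make the script executable and pass it with -i, for example WINRM_PASSWORD='...' ansible -i winrm_inventory.py -m win_ping windows; Ansible's script inventory plugin runs any executable inventory file with --list. Setting WINRM_CA_TRUST_PATH to the exported listener certificate gives you real TLS validation instead of the lab-only ignore setting, and WINRM_AUTH=kerberos WINRM_USER=ansible@CORP.EXAMPLE.COM switches the group to domain authentication.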
  • Now lets look at the modules that can be used on windows servers Refer Here
  • In Linux we use the file and copy modules to create files or directories and to copy files; the Windows equivalents are win_file and win_copy
---
- hosts: windows
  gather_facts: false
  tasks:
    - name: Create temporary directory
      win_file:
        path: 'c:\test'
        state: directory

  • Now execute the playbook
  • Installing software is easiest through the Chocolatey package manager with the win_chocolatey module. The module bootstraps Chocolatey itself if it is missing, which downloads and runs the install script from chocolatey.org on the server; in a locked-down environment install Chocolatey from an internal source first.
  • Lets write a playbook for installing Chrome and git on the Windows server
---
- hosts: windows
  gather_facts: false
  tasks:
    - name: install chrome and git
      win_chocolatey:
        name: "{{ item }}"
        state: present
      loop:
        - git
        - googlechrome

  • Now execute the playbook

Exercises

  • If you are familiar with Jenkins, run the playbooks for the exercises below from Jenkins
  • Exercise-1: Write an Ansible playbook with roles to install the OpenMRS standalone application from here. Ensure you use MySQL server
  • Exercise-2: Write an Ansible playbook to install IIS Server on Windows
  • Exercise-3: Write an Ansible playbook to configure nopCommerce on Ubuntu Refer Here
