If you are new to Ansible, I would recommend reading my previous article Ansible: Getting Started

Ansible is agentless and uses SSH to manage and automate tasks on Linux nodes. We would also like this automation to run unattended. To achieve this, the managed nodes need to be prepared using the process below:

  • Create a non-root user, for example devops.
  • Add the control node's SSH public key to the devops user's authorized keys so that we have passwordless authentication.
  • Add this user to sudoers with NOPASSWD so that whenever privilege escalation is required it happens without prompting for a password.

All this can be done with a simple Ansible playbook.

ansible.cfg

The default Ansible configuration file is located at /etc/ansible/ansible.cfg. Verify which file is in use on your system by running the ansible --version command.

Disable strict host key checking in the ansible.cfg file. Make sure the line below is present under the [ssh_connection] section. Note what this setting does: with StrictHostKeyChecking=no, SSH adds the host key of a node it has never seen before without any verification, and a changed host key only produces a warning, so the control node cannot tell a freshly built node from a machine impersonating one. It is a convenience for the first connection to new nodes; OpenSSH 7.6 and later also offers StrictHostKeyChecking=accept-new, which records unknown keys but still refuses changed ones.

ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no

Inventory

Add the required host IP addresses or hostnames to your Ansible inventory file.

Playbook

- name: Initial Setup
  vars_prompt:
    # asked once on the terminal; the value is used as the SSH password
    - name: "ansible_ssh_pass"
      prompt: "root password for remote connection?"
      private: yes
  hosts: all
  tasks:
    - name: Create DevOps User
      user:
        name: devops
        state: present
    - name: Add devops to sudoers
      lineinfile:
        # drop-in file under /etc/sudoers.d, created if it does not exist
        path: /etc/sudoers.d/devops
        line: "devops        ALL=(ALL)       NOPASSWD: ALL"
        state: present
        create: true
    - name: Set authorized key
      authorized_key:
        user: devops
        state: present
        # the public key is read on the control node, not the managed node
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

  • Using vars_prompt, the user is prompted to type the root password of the managed nodes. ansible_ssh_pass is the SSH password Ansible uses to log in to the remote node; password-based SSH connections also require sshpass to be installed on the control node. Because the play sets no remote_user, Ansible connects as the user running ansible-playbook (root, in the session shown below).
  • TASK1: Creates the devops user using the user module.
  • TASK2: Adds the devops user to a sudoers drop-in file using the lineinfile module.
  • TASK3: Adds the SSH authorized key for the devops user using the authorized_key module.
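The same bootstrap with the checks a practitioner would want around a sudoers change, as an added example (this is not the article's playbook). The sudoers fragment is written with validate, which runs visudo -cf on the temporary file before Ansible moves it into place, so a typo fails the task instead of breaking sudo for every user on the node; the file gets root ownership and mode 0440, the convention sudo uses for its own sudoers file; and the control node's key is restricted with a from= option so it is only accepted from the control node's address. The key path ~/.ssh/id_rsa.pub, the address 192.168.56.1 and the variable names bootstrap_user and control_node_ip are assumptions for this example; adjust them to your environment.

```yaml
# Added example, not the article's playbook. Assumed values:
#   ~/.ssh/id_rsa.pub  - control node public key (as in the article)
#   192.168.56.1       - address of the control node (placeholder)
- name: Initial Setup (hardened variant)
  hosts: all
  remote_user: root            # connect as root only for this bootstrap play
  vars_prompt:
    - name: ansible_ssh_pass
      prompt: "root password for remote connection?"
      private: yes
  vars:
    bootstrap_user: devops
    control_node_ip: 192.168.56.1   # assumed address of the control node
  tasks:
    - name: Create the automation user
      user:
        name: "{{ bootstrap_user }}"
        state: present
        shell: /bin/bash

    - name: Install a syntax-checked sudoers fragment
      copy:
        dest: "/etc/sudoers.d/{{ bootstrap_user }}"
        content: "{{ bootstrap_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        # visudo -cf parses the temp file; on a syntax error the task fails
        # and the existing sudo configuration on the node is left untouched
        validate: /usr/sbin/visudo -cf %s

    - name: Install the control node's key, restricted to its address
      authorized_key:
        user: "{{ bootstrap_user }}"
        state: present
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        # sshd only accepts this key from the assumed control node address
        key_options: 'from="{{ control_node_ip }}"'
        exclusive: yes          # no other keys may remain on this account
```

Using copy with content instead of lineinfile means the fragment always contains exactly one line, which keeps the visudo check meaningful; exclusive: yes removes any other keys from the devops account, so drop it if other keys are expected there.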

Let's execute

[root@centos ~]# ansible-playbook setup.yml
root password for remote connection?: 


PLAY [Initial Setup] ****************************************************************************

TASK [Gathering Facts] ****************************************************************************
ok: [192.168.56.101]

TASK [Create DevOps User] ****************************************************************************
changed: [192.168.56.101]

TASK [Add devops to sudoers] ****************************************************************************
changed: [192.168.56.101]

TASK [Set authorized key] ****************************************************************************
changed: [192.168.56.101]

PLAY RECAP ****************************************************************************
192.168.56.101             : ok=4    changed=3    unreachable=0    failed=0  

Let's test it

If the playbook runs successfully, we should be able to connect to our managed nodes with Ansible as the devops user and also escalate privileges using the --become option. This can be tested with the ping module.

[root@centos ~]# ansible all -m ping -u devops
192.168.56.101 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[root@centos ~]# ansible all -m ping -u devops --become
192.168.56.101 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[root@centos ~]# 
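The two ping commands show that login and escalation work; the play below, an added example that is not part of the article, goes one step further and checks the artifacts the bootstrap left behind. It connects as devops with become, confirms the account exists, that the sudoers fragment is root-owned, mode 0440 and parses cleanly under visudo -cf, and that authorized_keys is private to devops. The paths /etc/sudoers.d/devops and /home/devops/.ssh/authorized_keys follow the article's playbook; the mode 0440 check assumes the fragment was installed with that mode (a file created by lineinfile with default permissions will fail that assertion, which tells you to tighten it).

```yaml
# Added example, not from the article: post-bootstrap verification play.
# Assumes the devops home directory is /home/devops and that the sudoers
# fragment was installed with mode 0440.
- name: Verify bootstrap
  hosts: all
  remote_user: devops          # login as the new user ...
  become: yes                  # ... and prove NOPASSWD escalation works
  tasks:
    - name: Confirm the devops account exists
      getent:
        database: passwd
        key: devops            # task fails if the entry is missing

    - name: Inspect the sudoers fragment
      stat:
        path: /etc/sudoers.d/devops
      register: sudoers_frag

    - name: Check ownership and mode of the sudoers fragment
      assert:
        that:
          - sudoers_frag.stat.exists
          - sudoers_frag.stat.pw_name == 'root'
          - sudoers_frag.stat.mode == '0440'
        fail_msg: "/etc/sudoers.d/devops must be owned by root with mode 0440"

    - name: Syntax-check the fragment with visudo
      command: /usr/sbin/visudo -cf /etc/sudoers.d/devops
      changed_when: false      # read-only check, never reports a change

    - name: Inspect the devops authorized_keys file
      stat:
        path: /home/devops/.ssh/authorized_keys
      register: authkeys

    - name: Check authorized_keys is private to devops
      assert:
        that:
          - authkeys.stat.exists
          - authkeys.stat.pw_name == 'devops'
          - authkeys.stat.mode == '0600'
        fail_msg: "authorized_keys must be owned by devops with mode 0600"
```

Run it the same way as the setup play (ansible-playbook verify.yml, with verify.yml being whatever name you save it under); a failed assert names the node and the property that is off, which is more useful than a bare pong when many nodes are bootstrapped at once.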

— Enjoy :)
