ANSIBLE: PREPARING THE MANAGED NODE FOR ANSIBLE WITH ANSIBLE

If you are new to Ansible I would recommend reading my previous article Ansible: Getting Started.
Ansible is agentless and works over SSH to manage and automate tasks on Linux nodes. We would also like this automation to be unattended. To achieve this, managed nodes need to be prepared using the process below:
- Create a non-root user, for example devops
- Add the SSH authorized key for the devops user account from the control node so that we have passwordless authentication
- Add this user to sudoers with NOPASSWD so that whenever privilege escalation is required we can achieve it without being prompted for a password.
All this can be done with a simple Ansible playbook.
ansible.cfg
The default Ansible configuration file is located at /etc/ansible/ansible.cfg. Verify yours by running the ansible --version command.
Disable strict host key checking in the ansible.cfg file. Make sure the line below is present under the [ssh_connection] section:
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
Inventory
Add the required host IP Address or hostname in your ansible inventory file.
Playbook
- name: Initial Setup
  # Prompt for the managed node's root password; ansible_ssh_pass is the
  # variable the ssh connection plugin reads for password authentication.
  vars_prompt:
    - name: "ansible_ssh_pass"
      prompt: "root password for remote connection?"
      private: yes
  hosts: all
  tasks:
    - name: Create DevOps User
      user:
        name: devops
        state: present
    # Drop-in file under /etc/sudoers.d granting devops passwordless sudo
    - name: Add devops to sudoers
      lineinfile:
        path: /etc/sudoers.d/devops
        line: "devops ALL=(ALL) NOPASSWD: ALL"
        state: present
        create: true
    # Install the control node's public key for the devops account
    - name: Set authorized key
      authorized_key:
        user: devops
        state: present
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
- Using vars_prompt, the user is prompted to type the password for the root user of the managed node. ansible_ssh_pass is the SSH password that will be used to log in to the remote node.
- TASK1: Creates the devops user using the user module.
- TASK2: Adds the devops user to a sudoers file using the lineinfile module.
- TASK3: Adds the SSH authorized key for the devops user account using the authorized_key module.
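As an added example (not from the original article), the same bootstrap play in a hardened form: the sudoers drop-in gets the ownership and mode sudo expects and is validated with visudo before it is saved, the authorized key is made exclusive, and a final task confirms that passwordless escalation actually works. It assumes ~/.ssh/id_rsa.pub exists on the control node and that sudo (and therefore visudo) is installed on the managed node.

```yaml
# Added example: hardened variant of the bootstrap play (not the article's own code).
# Assumes ~/.ssh/id_rsa.pub on the control node and sudo/visudo on the managed node.
- name: Initial Setup (hardened)
  hosts: all
  vars_prompt:
    - name: ansible_ssh_pass
      prompt: "root password for remote connection?"
      private: yes
  tasks:
    - name: Create DevOps User
      user:
        name: devops
        state: present

    # Write the drop-in as root:root 0440 and refuse to save it unless visudo
    # parses it, so a typo in the line cannot break sudo on the node.
    - name: Add devops to sudoers
      lineinfile:
        path: /etc/sudoers.d/devops
        line: "devops ALL=(ALL) NOPASSWD: ALL"
        state: present
        create: true
        owner: root
        group: root
        mode: "0440"
        validate: "visudo -cf %s"

    # exclusive: true keeps only this key in authorized_keys, so a key left
    # over from an earlier bootstrap does not silently keep working.
    - name: Set authorized key
      authorized_key:
        user: devops
        state: present
        exclusive: true
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

    # Check NOPASSWD escalation before the play ends: `sudo -n` fails instead
    # of prompting if a password would be required.
    - name: Verify passwordless sudo for devops
      become: true
      become_user: devops
      command: sudo -n true
      changed_when: false
```

The StrictHostKeyChecking=no setting from ansible.cfg still applies on the first connection; once each node's host key has been recorded in the control node's known_hosts, that option can be removed so later connections verify the host again.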
Let's Execute
[root@centos ~]# ansible-playbook setup.yml
root password for remote connection?:
PLAY [Initial Setup] ****************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [192.168.56.101]
TASK [Create DevOps User] ****************************************************************************
changed: [192.168.56.101]
TASK [Add devops to sudoers] ****************************************************************************
changed: [192.168.56.101]
TASK [Set authorized key] ****************************************************************************
changed: [192.168.56.101]
PLAY RECAP ****************************************************************************
192.168.56.101 : ok=4 changed=3 unreachable=0 failed=0
Let's Test It
If the playbook runs successfully, we should be able to connect to our managed nodes with Ansible using the devops user and also gain privilege escalation using the --become option. This can be tested with the ping module:
[root@centos ~]# ansible all -m ping -u devops
192.168.56.101 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@centos ~]# ansible all -m ping -u devops --become
192.168.56.101 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@centos ~]#
— Enjoy :)