DEV Community: Group3-kb84

Additional tips for writing Playbooks

Group3-kb84 — Thu, 28 Oct 2021 14:38:28 +0000

Below are a few additional tips for when writing your first few playbooks. These will show you some of the peculiarities of Ansible.

Management of software

Installation is dependent upon the platform. For Unix-like systems you can use the package manager of the distribution and for Windows there is no package manager provided. Ansible has the chocolatey module, which is a package manager, that allows you to manage software automatically.

- name: install chocolatey
  win_chocolatey:
    name:
      - chocolatey
      - chocolatey-core.extension
    state: present

Commands

In general the shell and command modules, or win_shell and win_command for Windows respectively, should not be used as they are not able to use exception and error handling. Even though modules can do a lot, in some cases you must use the shell or command modules.

There is very little difference between the shell and command modules. However the shell module runs the command in a shell and therefore variables and operations like $HOME, >, >>, and | are available. On the other hand, command is safer as it is not dependent on the host environment.

- name: npm install
    command: npm install /<path_to_app_dir>

Running software

There are a couple of options when trying to run a program. One of the options is to run an Ansible shell command. This runs the program in a shell, the same way you would do it from the command line of the device. However many programs have their own modules, which are usually easier to read for humans in the YAML files. If a program needs to keep running after the Ansible configuration, the forever npm package can be used to prevent the program from stopping after the configuration. Other options do exist to keep software running.

- name: start PiCalc
    shell: forever start ./PiCalc/server.js

Writing Playbooks

Group3-kb84 — Thu, 28 Oct 2021 14:31:50 +0000

Hey here! If you prefer a video over text, we've got you covered!

In previous posts we talked about host files and the use of modules. Now we will combine these to create and run playbooks.

What are playbooks?

In this section we will be covering playbooks, which make use of modules in order to automate task execution.

Playbooks are a list of configurations which, if done correctly, are declarative (meaning, you describe what you want, instead of the steps to get there) and idempotent (you can keep executing the playbooks and you will always get the same result). A playbook can be run in parallel on many hosts at the same time.

As you can see in the diagram, Ansible accepts a playbook containing modules. Ansible takes this playbook, connects to the hosts you want to configure, and executes the tasks needed to get to the desired configuration.

Making a playbook

Playbooks are written in YAML. For this tutorial we will be using nano to write our first playbook.

$ nano playbook_name.yml

There are a plethora of plugins for all popular IDE’s. These check your syntax without having to execute the playbook to find mistakes. A good example of this is the Ansible plugin for VScode. It is recommended to use these plugins to write playbooks for production.

We will now write our first playbook:

---
- hosts: Windows
  tasks:

These are the essential elements of a playbook that define the minimal knowledge Ansible will need to configure a machine.

- hosts: defines the hosts to which the playbook gets applied. In this case that is the Windows group
tasks: a list of tasks that need to be applied to all machines in the group.

Note that tasks is still empty, Ansible will apply these tasks from top to bottom to all machines. Let's add a task to install the package manager chocolatey to see how this looks:

---
- hosts: Windows
  tasks:
  - name: install chocolatey
    win_chocolatey:
      name:
        - chocolatey
        - chocolatey-core.extension
      state: present

- name: the name of the current step that Ansible will show in the terminal, so you can follow along where you are when you run this playbook.
win_chocolatey: we've seen before and is the module we'll be using for this task.
name: and state: are arguments of this module.

Be aware that arguments are not the same across modules, so you will have to change them depending on the module you will use.

Now that we have a complete playbook, we can execute it with the ansible-playbook command followed by the name of the playbook.

$ ansible-playbook playbook_name.yml

Attributes of modules

When it comes to managing Windows computers, one common module you will use is the win_user module. It allows you to add users and manage the groups they are in. However to do this you will need to use many of the modules parameters.
Below is a list of all fields that can be assigned:

account_disabled allows you to disable the user account
account_locked allows you to unlock the user account
description allows you to describe the user
fullname provides a way the give the user a name not used for logging in
groups is a field used to define groups that the groups_action field defines
groups_action allows you to define whether the user should be add, remove or replace assigned groups from the
groups field. It has a default value
name this is a required field and defines the vale that is used as login name
password allows you to define a plaintext password of a user
password_expired allows you to force the user to change password on their next login
password_never_expires allows you to define if the password expires
state defines if the user account is absent, present which will also update the user account, or query which checks if the settings are applied. as default present is used.
update_password is by default set to always however you can also set it to on_create
user_cannot_change_password allows you to prevent the user from changing their password

Managing users

Sometimes you want to remove old user accounts or update current user accounts. Below is an example that does exactly this.

- name: remove the user jeff
  win_user:
    name: jeff
    state: absent

- name: update the user
  win_user:
    name: user
    state: present
    groups: serverabc
    groups_action: add
    description: user is a server and network admin
    fullname: philippa michael
    password_expired: yes
    update_password: on_create
    password: default_password

As you can see the user account jeff was removed in the first task. In the second task however the user account is updated with new settings.
First the user is added to the server group using the groups and groups_action fields.
Then the user account is given a description and full name for convenience using the description and fullname fields respectively.
Lastly, the password is set to be changed with the password_expired field and if the user needs to be created it defines a default password with the fields update_password and password.

Setting up Firefox policies

Some policies need to be added separately as they belong to a specific application. Some of these are having a specific homepage in a Firefox browser, preventing users from installing extensions, and disabling advanced settings. All of these are done by copying a file into the distribution folder of Firefox. The tasks below install Firefox and then copies a policies.json file into the correct folder.

  - name: install firefox
    win_chocolatey:
      name: firefox
      state: latest
  - name: provide policies
    win_copy:
      dest: "C:/Program Files/Mozilla Firefox/distribution"
      src: "~/policies.json"

The policies.json file describes the policies that are enabled for Firefox. You can find an description of all possible policies for Firefox on their Github page.

{
    "policies": {
        "BlockAboutConfig": true,
        "ExtensionSettings": {
            "*": {
                "blocked_install_message": "Installing extensions is not allowed in this company.",
                "install_sources": ["about:addons","https://addons.mozilla.org/"],
                "installation_mode": "blocked",
                "allowed_types": ["extension"]
            },
            "uBlock0@raymondhill.net": {
                "installation_mode": "force_installed",
                "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
            }
        },
        "Homepage": {
            "URL": "https://bbc.com",
            "Locked": false,
            "StartPage": "none"
        }
    }
}

In short

In this post we have shown you how to write a basic playbook, how to add tasks to a playbook and explained how the playbook is structured.

With this we have explained all basic knowledge that you need in order to use Ansible for Windows machines. Thank you for reading! In the next post we will show a few peculiarities that you might encounter when using Ansible. Handy to know, but not required.

See you there!

All about Ansible modules

Group3-kb84 — Thu, 28 Oct 2021 13:38:49 +0000

Hey here! If you prefer a video over text, we've got you covered!

In this section we will be zooming in specifically on modules, which are essential for using Ansible to its fullest potential.

Ansible modules are used to simplify complex tasks. Ansible includes a standard module library with your installation. You are also able to write your own modules if needed.

Modules are used inside playbooks (which we will cover in the next post) or can be used in the command line.

Modules are often written using Python and can have the same functionality as any other Python script.

Using a module from the command line

We have used a module before in the previous post. We used the win_ping module to test if there is a connection.

$ ansible Windows -m win_ping

As you can see the -m signals that the next name is the name of a module.

Sometimes you want to use a module for a single action, without having to set up a playbook. In this case you may use the command line. Lets say you want to add Google Chrome on 250 Window machines.

The command would look something like this:

$ ansible Windows -m win_chocolatey -a "name=googlechrome state=present"

In the above example, we are using the win_chocolatey module to install Google Chrome. The components of the above command are as follows:

Windows - Name of your host group
win_chocolatey - Name of the module. In this case the windows Chocolatey module
-a "..." - Arguments for the module. The present argument specifies that if the software is not available then to make it available.

Each module has its own arguments. You can use the documentation to look up what they are.

Available modules

Ansible provides the standard module library which consist of the following module category:

Cloud: tools for managing specific cloud provider actions
Clustering: contains functionality for managing clusters (such as Kubernetes)
Commands: general command and script execution tool set for nodes
Cryptography: used for general encryption purposes
Database: contains modules for managing database servers and database manipulation
Files: used for reading, writing and altering files
Identity: used for managing user identity services
Inventory: module for adding hosts to the Ansible playbook and groups
Messaging: used specifically for Rabbitmq messaging
Monitoring: general purpose monitoring for (remote) nodes
Net Tools: DNS/IP management and tools for uploading/retrieving files from nodes
Network: a vast tool set for all-purpose network management
Notification: used for sending push notification to messaging platforms
Packaging: modules for the usage of most commonly known package managers
Remote Management Modules: used for managing remote hardware resource pools
Source Control Modules: used for managing source control providers such as Github, Gitlab and Bitbucket
Storage Modules: general storage group management
System Modules: management tools for system specific configuration
Utilities modules: contains utilities specific for Ansible usage
Web Infrastructure Modules: used for managing web service related tools
Windows: contains a large tool set of utilities, used specifically for managing Windows hosts

You can find more information about these categories on the Ansible website.

Writing custom modules

If you can't find a module that has your desired functionality, you can write your own. If you choose to write your own module, you can use any desired language. For learning more about making your own modules, you can find more at: Developing Ansible modules — Ansible Documentation.

In short

In this post we have shown how you can execute modules from the command line and we have shown what module categories are available.

In the next post we will show you how you can combine multiple modules together in playbooks. making it much easier to do large changes in one operation.

See you there!

Installing Ansible on Ubuntu

Group3-kb84 — Thu, 28 Oct 2021 12:22:33 +0000

Hey here! If you prefer a video over text, we've got you covered!

During this section, you will be learning how to setup Ansible on a Linux control node and how to setup a proper connection to one (or multiple) host machines by creating a Host inventory. In our example, we will be setting up a connection to Windows hosts, which require a special communication protocol named WinRM.

Installing Ansible on a Linux machine

We will be using Ubuntu LTS 20.04 as an example, which you can download from here if you want to follow along.

We are not going to explain how to install Ubuntu on your device (or virtual machine) since we assume that you know how to do that. if you need help with that, then Canonical (The creators of Ubuntu OS) has a nice walkthrough on how to do that on their website.

Once you have completed the installation, open the terminal to use apt (the package manager of Ubuntu) to install Ansible.

To install the most recent version of Ansible we need to install the Ansible repository into apt, we can do this with the add-apt-repository command, which you can find in the software-properties-common software package.

$ sudo apt update && sudo apt install software-properties-common

This package might already be installed. If that’s the case, just continue with the rest of the steps.

Now that we have a way of adding apt repositories, we can add the Ansible repository so that we can install the latest version of Ansible.

$ sudo add-apt-repository --yes --update ppa:ansible/ansible

After the repository has been added, installing Ansible is as easy as installing it with apt.

$ sudo apt install ansible

After Ansible is done installing we need to install an extension to connect to Windows machines with Ansible. We need to use WinRM connections for this. Why WinRM and not SSH? That’s because as of the time of writing, the SSH module for Windows is in beta, while the WinRM module is not.

WinRM stands for Windows Remote Management, and is a protocol for managing Windows machines remotely. Similar to SSH.

Support for WinRM connections is not installed into Ansible by default. For that we need a Python package named pywinrm. Which we need to install with the Python package manager pip.

First, let’s install pip.

$ sudo apt install pip

And then install the pywinrm package.

$ pip install "pywinrm >= 0.2.2"

Everything is now installed to be able to connect to Windows machines.

Making the Windows client reachable for Ansible

Now that Ansible can use WinRM to connect to Windows machines, we need to configure the Windows machines to allow WinRM connections.

Before you take these steps, make sure your Powershell is at least version 3.0, and you have at least .net framework 4.0 (as of the time of writing, Windows 10 contains Powershell 5.0 and .net framework 4.8)

Open Powershell as administrator and use the following command:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

This downloads a Powershell script that enables and configures WinRM for Ansible. Specifically it does the following steps:

Enables WinRM services & firewall exceptions
Allow remote login of local users
Create HTTP & HTTPS listeners for WinRM
Generate a self-signed certificate for the HTTPS connection

Warning: This script is going to set up self signed certificates to secure the connection. While this is fine for demo purposes, it’s not enough for production & professional use. If you do want to set up a secure winrm connection for your company. Consider getting a certificate from a Certificate Authority (CA) and setting up WinRM manually.

Making the hosts known to Ansible

Ansible works with a file named “hosts” in /etc/ansible. In this file you define what the ip’s are of the machines you want to configure automatically with Ansible.

While this is the easiest way to configure Ansible’s host file. It is not the only way. You can also create ansible.cfg files that point to a host file in a different location. You can read more about this on the documentation on their website.

You can group machines together in the host file. You can give these groups names that you can use when specifying which machines need to be configured by Ansible.

In the file you need to add the following to the end, change everything in capital letters to the values of the host you want to configure:

[GROUPNAME]
# ip's of machines here
[GROUPNAME:vars]
ansible_user = WINDOWS_USER
ansible_password = WINDOWS_PASSWORD
ansible_connection = winrm
# more variables can be put in here.

With [GROUPNAME:vars] you specify the details of the machines you want to configure.
In this case we specify the user, the user password and the connection type when we want to connect to any of these machines in this group.

For our example we will be using the following settings.

[Windows]
192.168.178.201
[Windows:vars]
ansible_user = Administrator
ansible_password = root
ansible_connection = winrm
ansible_winrm_server_cert_validation = ignore

You might have noticed that we have disabled server certificate validation in our example above. Since we are using a self-signed certificate, we have disabled the certificate validation. If you do want to set up a connection with certificate validation, you will need to buy a certificate from a Certificate Authority. And set up WinRM to use this certificate.

Testing if Ansible can reach your hosts

Once you have configured your host file you can test if Ansible can reach your machines with the win_ping module.

$ ansible Windows -m win_ping

You can edit the Windows argument to the Windows group name you have written in your host file. You can also use all to target all groups.

In short

In this post we have shown you how to install Ansible on a Ubuntu machine and how to configure Ansible & Windows so that Ansible can reach your Windows machine. In the next post we will be explaining What modules are, which kinds are available and how you can use them from the command line.

See you there!

Introduction to Ansible

Group3-kb84 — Thu, 28 Oct 2021 12:16:13 +0000

Hey here! If you prefer a video over text, we've got you covered!

Ever wondered how cloud providers create virtual machines that "just work" so easily? The secret is that they use tools to quickly spin up and configure virtual machines for you, using tools that automate configuring these machines.

We will be talking about one of these configuration tools in this post, Ansible.

What's Ansible?

Ansible is a tool that is able to automate repetitive tasks and configure multiple machines at the same time. Ansible works with Python and is executable via the command line.

Ansible is meant to replace the custom scripts that server admin's previously wrote by themselves. Usually these scripts were used once and needed to be rewritten and redistributed every time something needed to change to the environment.

Ansible solves this problem, by giving you a way to

describe how you want to configure machines
deploy these configuration changes on demand

For example, you can automate:

Installing new software
adjusting passwords
updating system OS
adjusting security policies

The image above gives you a general overview of the architecture of Ansible. You can see that there is a Ubuntu server with Ansible installed. Ansible reads the playbook you created, and uses the hosts file and required modules to connect to the Windows hosts you want to configure.

We will talk in greater detail about each of these parts of Ansible in future posts. Just keep in mind for now that Ansible connects to machines to configure them the way you describe in the playbook.

You might also have noticed that we are only connecting to Windows machines. This is part of the example that we are going to use for this tutorial, which we will introduce now.

The final goal

We think that the best way to learn how to work with Ansible is by working towards a goal. Therefore we have thought of a scenario that we will use as a goal for this series:

An organization has recently created a new department. The company has bought a bunch of new machines for the employees that are going to work in the new building for the department. We are responsible for configuring the windows machines so that they match the company policies.

only administrators are allowed to install software on the machines.
every machine must have Firefox installed
- installing extensions must be disabled.
- disable advanced settings on Firefox (about:config page)
- default homepage of the browser is https://bbc.com so that employees can track news about our company.

Why this example? There is a lack of tutorials that explain both installing & configuring and how to then use Ansible. These tend to be separate tutorials. We also specifically target windows machines for this tutorial, since Windows machines are the norm in most companies.

You are free to use a different scenario for yourself of course, but you will need to adjust parts of these tutorials to your situation.

Next up

In the next few posts we will be covering the following subjects:

Installing Ansible on a Ubuntu machine.
Modules, what they are, and which ones are available
combining modules with playbooks, to automate configuring machines.

See you there!