Thursday, December 17, 2020

Ansible - Ansible Vault, command Idempotence, shell module

 Ansible Vault, command Idempotence, shell module
=====================================================

1. Create your yaml file
We are going to create a file keepitsecret.yaml and keep it secret using Vault. The playbook below loads it with vars_files and references the two variables it holds, u and p:
[root@master wk_16]# cat myvault.yaml
- hosts: 127.0.0.1
  vars_files:
    - keepitsecret.yaml
  tasks:
  - name: Sending email using Gmail's smtp services
    mail:
      host: smtp.gmail.com
      port: 587
      username: "{{ u }}"
      password: "{{ p }}"
      to: sam@gmail.com
      subject: Testing email from gmail using ansible
      body: system {{ ansible_host }} has been successfully tested.

2. Create the vault file that will store your username and password. ansible-vault asks for a vault password (twice), then opens an editor; type the variables and save:
[root@master wk_16]# ansible-vault create keepitsecret.yaml
New Vault password:
Confirm New Vault password:
u: "sam@gmail.com"
p: "MyPasswordSecret"

3. View the file. You can't read what you stored; it is encrypted (the header names the format version and the cipher):
[root@master wk_16]# cat keepitsecret.yaml
$ANSIBLE_VAULT;1.1;AES256
32346435633239646636626465663162613262623434333664393437316461366565316364396632
6365373834616464333437373134653435386335653165660a326331363163353932373161386362
61316464353339383834666662353230393036313538646563303632393134363165353431336130
3037393363643463650a643762353433663662306630376231363836376464656330346235663964
31656463373832353739303239353032613838333231613464343336656239656535333561663064
3036336665303135313061666234313831626630343066613130
[root@master wk_16]#

4. Run the playbook (you will be asked for the vault password):
# ap --ask-vault-pass myvault.yaml

I got an email alert:
Sign-in attempt was blocked
sam@gmail.com
Someone just used your password to try to sign in to your account from a non-Google app. Google blocked them, but you should check what happened. Review your account activity to make sure no one else has access.

Less secure app blocked
Google blocked the app you were trying to use because it doesn't meet our security standards.
Some apps and devices use less secure sign-in technology, which makes your account more vulnerable. You can turn off access for these apps, which we recommend, or turn on access if you want to use them despite the risks. Google will automatically turn this setting OFF if it's not being used.
The fix at the time was to search for "less secure app access" and turn it on for the account. Caveat: this setting weakens the account (any client that knows the password can log in over plain SMTP AUTH), and Google has since retired it; today the working route is 2-Step Verification plus an app password, preferably on a dedicated sending account rather than a personal mailbox.

========================================

Idempotence
- If the desired state already exists (package installed, directory present), do nothing.
- By design the command and shell modules are not idempotent: they run every time and always report "changed".
How do we add that behaviour ourselves?
Let's create a sample playbook:
# cat command.yaml
- hosts: w1
  tasks:
  - package:
      name: "httpd"
      state: present
  - command: "date"
# ap command.yaml    (ap is the shorthand for ansible-playbook used in these notes)
To hide the "changed" status (shown in yellow) for a task that only reads state, use the changed_when task keyword (it is a keyword, not a module):
# cat command.yaml
- hosts: w1
  tasks:
  - package:
      name: "httpd"
      state: present
  - command: "date"
    changed_when: false

-----------
The command module always runs. Add a second command that is not safe to repeat:
- hosts: w1
  tasks:
  - package:
      name: "httpd"
      state: present
  - command: "date"
    changed_when: false
  - command: "mkdir /opt/test"
The first run creates the directory; the second run fails, because mkdir returns a non-zero exit code when /opt/test already exists, and the play stops there.

To keep the play running past that failure, add ignore_errors:
- hosts: w1
  tasks:
  - package:
      name: "httpd"
      state: present
  - command: "date"
    changed_when: false
  - command: "mkdir /opt/test"
    ignore_errors: yes
This hides the symptom, not the cause: the task is still reported as failed (and ignored) on every run after the first.

How do we make the command module smarter? Put a condition on it: if /opt/test exists, do not run mkdir; if it does not, create it. We start from the playbook above.
How do we check whether a directory exists?
# ls -ld /opt/test
If it exists, ls lists the directory; if not, it prints an error.
How does Ansible know this was an error?
Unix keeps the exit status of the last command, and Ansible records it as rc in the task result:
0 = success
non-zero = failure or some other condition (what each value means is up to the program)
[root@master wk_16]# ls -ld /root
dr-xr-x---. 22 root root 4096 Dec  8 07:50 /root
[root@master wk_16]# echo $?
0
[root@master wk_16]# ls -ld /roo1
ls: cannot access '/roo1': No such file or directory
[root@master wk_16]# echo $?
2
Now let's make this task a little more intelligent; this is what idempotence is about.
- hosts: w1
  tasks:
  - command: "ls -ld /opt/test"
    register: x # store the result of ls -ld (rc, stdout, stderr)
    ignore_errors: yes
  - debug:
  #   msg: "Testing ..."
      var: x # debug can print a whole variable
  - command: "mkdir /opt/test"
    ignore_errors: yes
    when: false # a false condition skips the task; we will replace it with a real test

Run the playbook
# ap command.yaml
----------------------------------

- hosts: w1
  tasks:
  - command: "ls -ld /opt/test"
    register: x # store the result of ls -ld
    ignore_errors: yes
  - debug:
  #   msg: "Testing ..."
      var: x
  - command: "mkdir /opt/test"
#   ignore_errors: yes
    when: x.rc != 0 # run mkdir only when the directory was not found
Now mkdir runs once and is skipped on every later run. Two refinements: the probe task should carry changed_when: false (it never changes the host), and failed_when: false instead of ignore_errors (a missing directory is a finding, not a failure, so it should not show up in red).
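The same directory task done the idiomatic way, as an added example that is not from the original notes (host group w1 and /opt/test are the ones used above; become and the ownership/mode are assumptions). It goes beyond the register/when pattern to show the command module's own creates guard and the file module, which is idempotent by design:

```yaml
# Added example (not from the original notes): three idempotent ways to
# create /opt/test, from least to most idiomatic. Host group "w1" and the
# path are the ones used in the notes; become and the permissions are assumed.
- hosts: w1
  become: true
  tasks:
    # 1. Test-then-act with register/when. failed_when: false is preferred over
    #    ignore_errors: yes, because the probe is not an error, so the run shows
    #    no red "failed ... ignoring" line.
    - name: Probe whether /opt/test exists
      command: ls -ld /opt/test
      register: probe
      changed_when: false     # a read-only probe never changes the host
      failed_when: false      # rc != 0 just means "absent", not a failure

    - name: Create /opt/test only when the probe failed
      command: mkdir /opt/test
      when: probe.rc != 0

    # 2. The command module's own guard: skip the task when the path exists.
    #    Ansible reports "skipped" instead of "changed" on the second run.
    - name: Create /opt/test (creates guard)
      command: mkdir /opt/test
      args:
        creates: /opt/test

    # 3. Use a module that is idempotent by design. It also enforces owner
    #    and mode, so a manual chmod is detected and corrected on the next run.
    - name: Ensure /opt/test exists with the intended permissions
      file:
        path: /opt/test
        state: directory
        owner: root
        group: root
        mode: "0750"
```

Prefer option 3 whenever a module exists for the resource: it is the only one of the three that also repairs drift (a changed mode or owner) instead of merely skipping when the path is present.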

===============================
shell module and command modules
Some commands only work at a shell prompt, because a pipe, a redirection or a glob is a feature of the shell, not of the program. Counting entries in the local user database:
# cat /etc/passwd | wc -l
# cat ad-hock.yaml
- hosts: w1
  tasks:
  - command: "cat /etc/passwd | wc -l"
This throws an error: the command module runs the program directly, without a shell, so "|", "wc" and "-l" are handed to cat as file names.
The shell module runs the string through /bin/sh, so shell syntax works. It is slightly slower (one extra process) and, more importantly, any variable templated into it is parsed by the shell, so an unexpected value can run extra commands. Use command unless you need shell features.
# cat ad-hock.yaml
- hosts: w1
  tasks:
  - shell: "cat /etc/passwd | wc -l"
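As an added example (not from the original notes), the same count done with shell plus the two hardening points that matter when a shell is involved: the exit status of a pipeline, and untrusted values. The variable lookup_user and its default are assumptions for illustration; host group w1 is the one used in the notes.

```yaml
# Added example, not the notes' own playbook. Counts users in /etc/passwd
# with the shell module and shows two things to get right when using shell:
# pipeline exit status and untrusted input. "lookup_user" is assumed.
- hosts: w1
  vars:
    lookup_user: "sam"
  tasks:
    # A pipeline's rc is the rc of its LAST command, so `cat missing | wc -l`
    # would "succeed" with 0 lines. pipefail makes any failing stage fail the
    # task; it is a bash feature, hence executable.
    - name: Count local user accounts
      shell: set -o pipefail && cat /etc/passwd | wc -l
      args:
        executable: /bin/bash
      register: users
      changed_when: false     # read-only, never report "changed"

    - debug:
        msg: "{{ users.stdout | trim }} accounts in /etc/passwd"

    # Anything templated into shell is parsed by /bin/sh. A value like
    # "sam; rm -rf /" would run the second command. The quote filter wraps the
    # whole pattern in single quotes so it arrives as one literal argument.
    - name: Look up one user safely through the shell
      shell: grep -- {{ ('^' ~ lookup_user ~ ':') | quote }} /etc/passwd
      register: entry
      changed_when: false
      failed_when: entry.rc not in [0, 1]   # grep rc 1 = not found, not an error

    # The command module never invokes a shell. With argv there is no word
    # splitting at all: the pattern reaches grep as exactly one argument,
    # whatever characters it contains. Prefer this form when no pipe is needed.
    - name: Same lookup without a shell
      command:
        argv:
          - grep
          - "^{{ lookup_user }}:"
          - /etc/passwd
      register: entry2
      changed_when: false
      failed_when: entry2.rc not in [0, 1]
```

Both lookups treat "not found" (rc 1) as a normal result, so the play reports a real failure only for rc 2 (unreadable file, bad pattern), which is the distinction ignore_errors: yes would have thrown away.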
=======================================================
Ansible Vault
-----------------
Send mail from your Gmail account to a friend's address using Ansible.
# cat mymail.yaml
- hosts: 127.0.0.1
  tasks:
  - name: Sending email using Gmail's smtp services
    mail:
      host: smtp.gmail.com
      port: 587
      username: sam@gmail.com
      password: itsasecret
      to: ram@gmail.com
      subject: Testing email from gmail using ansible
      body: system {{ ansible_host }} has been successfully tested.
Run it:
# ap mymail.yaml
failed - authentication failed

# cat mymail.yaml
- hosts: 127.0.0.1
  vars:
    u: "sam@gmail.com"
    p: "mypass"
  tasks:
  - name: Sending email using Gmail's smtp services
    mail:
      host: smtp.gmail.com
      port: 587
      username: u    # this is the literal string "u", not the variable
      password: p    # same for "p"
      to: ram@gmail.com
      subject: Testing email from gmail using ansible
      body: system {{ ansible_host }} has been successfully tested.
Run it:
# ap mymail.yaml

failed again (the SMTP server receives the one-letter strings u and p as the login; a variable has to be referenced as "{{ u }}", which we get to below)

Now let's move the values into a separate secret file:
# cat mysecret.yaml
u: "sam@gmail.com"
p: "mypass"

# cat mymail.yaml
- hosts: 127.0.0.1
  vars_files:
    - mysecret.yaml
  tasks:
  - name: Sending email using Gmail's smtp services
    mail:
      host: smtp.gmail.com
      port: 587
      username: u    # still the literal string "u"
      password: p
      to: ram@gmail.com
      subject: Testing email from gmail using ansible
      body: system {{ ansible_host }} has been successfully tested.
Run it:
# ap mymail.yaml
If you open the secret file in front of someone, or upload it to the net by accident, whoever sees it gets your account. So you want to re-arrange this file.

Update with your real password:
# cat mysecret.yaml
u: "sam@gmail.com"
p: "mypass_secret"
(put the actual password of your Gmail account here)

Now run the play:
# ap mymail.yaml
still got authentication error ..

There might be an issue on the mail server side. Go to your Gmail account (myaccount.google.com), search for "less secure app access" and say yes to allow the email sending feature. Note that once this is on, any client that knows the password can send mail through the account.
Re-run your play:
# ap mymail.yaml

Somehow it's still not working ... (the login is still being sent as the literal strings u and p; the fix is below)
This play also has a security flaw: someone may see confidential information at the office, or anywhere on the net if you upload the file accidentally.


Reference the variables with Jinja2 and quote them (a bare {{ at the start of a value is parsed by YAML as a flow mapping and fails to load):
# cat mymail.yaml
- hosts: 127.0.0.1
  vars_files:
    - mysecret.yaml
  tasks:
  - name: Sending email using Gmail's smtp services
    mail:
      host: smtp.gmail.com
      port: 587
      username: "{{ u }}"
      password: "{{ p }}"
      to: ram@gmail.com
      subject: Testing email from gmail using ansible
      body: system {{ ansible_host }} has been successfully tested.


Now, to secure mysecret.yaml, lock it with a key. Locking a file with a key is what Vault does. There is a command for it, ansible-vault; get help with:
# ansible-vault -h
It encrypts the YAML file in place. Let's create a vault:
# av create mysecret.yaml    (av is shorthand for ansible-vault)
Enter your vault password twice:
New Vault password: EnterYourPassword
Confirm New Vault password: EnterYourPassword
An editor opens; store your variables and save:
u: "sam@gmail.com"
p: "password123"
Now the file is encrypted:
# cat mysecret.yaml
You can't read the output.

How do I edit it?
# av edit mysecret.yaml
How do I view it?
# av view mysecret.yaml
This is a better way to manage your password: even if the file is shared, the password stays secret, as long as the vault password does not travel with it.

# ap mymail.yaml
This fails: Ansible finds the encrypted vars file but has no vault secret to decrypt it with. Tell it to prompt for the password:
# ap --ask-vault-pass mymail.yaml    # or --vault-password-file FILE to read it from a file
Enter the vault password; that unlocks the file and the play starts executing.

For the other subcommands, use the help:
# ansible-vault -h
rekey - change the vault password of an existing file
edit  - open the decrypted file in an editor and re-encrypt it on save
view  - print the decrypted contents
Keep the vault password out of the repository (a --vault-password-file must be mode 0600 and listed in .gitignore); the encrypted file is only as safe as that password.
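As an added example (not the notes' own play), the mail play with the Vault handling that both vault passages above, steps 1-4 at the top and the section starting "Ansible Vault", leave out: a labelled vault id, a password file for unattended runs, a pre-commit check that the file really is encrypted, and no_log so the credentials never reach the console or log. Assumptions: a vault id named "mail", the password file $HOME/.vault/mail.txt, STARTTLS on port 587 (which smtp.gmail.com supports), and the variable names u/p from the notes.

```yaml
# Added example, not the notes' own playbook. Assumptions: a vault id named
# "mail", a password file $HOME/.vault/mail.txt (mode 0600, in .gitignore),
# and the variable names u/p used in the notes.
#
# Create the vault with a labelled id, so a repo with several vaults can be
# unlocked with several different passwords:
#   ansible-vault create --vault-id mail@prompt mysecret.yaml
# Or keep mysecret.yaml in clear and encrypt only the secret value, pasting
# the printed !vault block in as the value of p:
#   ansible-vault encrypt_string --vault-id mail@prompt 'app-password' --name p
# Run unattended (CI) from the password file instead of a prompt:
#   ansible-playbook --vault-id mail@$HOME/.vault/mail.txt mymail.yaml
# Rotate the vault password without touching the plaintext:
#   ansible-vault rekey --vault-id mail@prompt mysecret.yaml
# Check before committing that the file really is encrypted:
#   head -1 mysecret.yaml    # must print $ANSIBLE_VAULT;1.1;AES256

- hosts: 127.0.0.1
  vars_files:
    - mysecret.yaml
  tasks:
    - name: Sending email using Gmail's smtp services
      mail:
        host: smtp.gmail.com
        port: 587
        secure: starttls           # fail rather than send the login in clear text
        username: "{{ u }}"
        password: "{{ p }}"
        to: sam@gmail.com
        subject: Testing email from gmail using ansible
        body: system {{ ansible_host }} has been successfully tested.
      # no_log keeps u and p out of -vvv output, callback logs and the
      # registered result. It also hides the SMTP error text on failure, so
      # drop it temporarily when debugging an authentication problem.
      no_log: true
```

The vault protects the file at rest; no_log and secure: starttls protect the same secret in transit through Ansible's own output and the SMTP connection, which is where it leaks once the file is decrypted.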


dynamic inventory
------------------------
