[AWS] Deploy Ansible for Linux and Windows Domain Joined

Installation Details

  1. Infrastructure: AWS

  2. AMI ID: RHEL-8.2.0_HVM-20200423-x86_64-0-Hourly2-GP2 (ami-07dfba995513840b5)

  3. Instance type: t2.medium

  4. Instance hardware: 2 vCPU, 4 GB memory.

 

Before we start

Install Vim:

sudo yum install vim

 

Update packages:

sudo yum update
 
 

Prepare For Installation

Change the Hostname:

sudo vim /etc/hostname
 

Add the DNS entries for your hosts to the hosts file:

sudo vim /etc/hosts
 

Install the EPEL repo:

sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 

Install Ansible:

sudo yum install ansible
 
 

General Configuration Ansible

Create user:

sudo useradd ansible
 

Set a password for the user:

sudo passwd ansible
 

Log in as the ansible user:

sudo su - ansible
 

Give sudo permissions:

  1. Change user to root

sudo su -
 
  2. Give ansible sudo privileges (CentOS)

[root@itansible ~]# usermod -aG wheel ansible
[root@itansible ~]# sudo su - ansible
[ansible@itansible ~]$ id ansible
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),10(wheel)

[ansible@itansible ~]$ sudo visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
ansible         ALL=(ALL)       NOPASSWD: ALL
ec2-user        ALL=(ALL)       NOPASSWD: ALL

 
 

Log back in as the ansible user and create an SSH key pair:

[ansible@itansible ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
/home/ansible/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): ******

 
 

Configure Linux Managed Hosts:

  1. Create a user named ansible and set its password.

  2. Copy the SSH public key from the Ansible master to the managed hosts:

# On the managed host, switch to the ansible user and open the key file
cd ~/.ssh/
vim authorized_keys
# On the Ansible master, display the public key and copy it to your clipboard:
cat ~/.ssh/id_rsa.pub
# Back on the managed host, paste the clipboard contents into authorized_keys and save the file.
 
  3. Give sudo permissions (Ubuntu)

ansible@ip-10-64-118-34:~$ sudo visudo

 
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
ansible     ALL=(ALL) NOPASSWD:ALL
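The key copy above is done by hand in vim. As an added example (not part of the original post), here is a POSIX shell function that performs the same step the way ssh-copy-id does, but idempotently and with the permissions sshd's default StrictModes requires (0700 on .ssh, 0600 on authorized_keys; otherwise the key is silently ignored). The home directory is a parameter so the function can be tried in a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys exactly once.
install_authorized_key() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key file is a single line; refuse anything that is not one.
    key="$(head -n 1 "$pubkey_file")"
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "refusing: $pubkey_file does not look like an OpenSSH public key" >&2
           return 1 ;;
    esac

    # With the default StrictModes yes, sshd ignores authorized_keys when the
    # directory or file is group/world writable, so set the modes explicitly.
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 0600 "$auth_keys"

    # Whole-line, fixed-string match so re-running never duplicates the key.
    if grep -qxF -- "$key" "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        printf '%s\n' "$key" >> "$auth_keys"
        echo "key added to $auth_keys"
    fi
}

# count_authorized_keys HOME_DIR: number of key lines installed (0 if none).
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -cE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-)' "$f" || true
}

# Typical use on the managed host, after copying id_rsa.pub over from the
# controller with scp:
#   install_authorized_key /home/ansible /tmp/id_rsa.pub
```

Running it twice leaves a single key line, and a file that is not a public key is rejected instead of being appended.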

 
 

Configure Ansible for Linux

  1. Log in to the Ansible master with the user ansible

  2. Create a linux project directory in the ansible home folder

mkdir linux
 
  3. In the linux directory create two files:

[ansible@itansible linux]$ ls
ansible.cfg  inventory
 
  4. Configure the ansible.cfg file like this:

[defaults]
remote_user = ansible
host_key_checking = false
inventory = inventory
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
 
  5. Configure the inventory file like this:

[linux]
itansible-slave

 
  6. Test the connection; examples:

[ansible@itansible linux]$ ansible all -m command -a "id ansible"
itansible-slave | CHANGED | rc=0 >>
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),27(sudo)

 
[ansible@itansible linux]$ ansible all -m user -a name=test
itansible-slave | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1002,
    "home": "/home/test",
    "name": "test",
    "shell": "/bin/sh",
    "state": "present",
    "system": false,
    "uid": 1002
}

 
 

Configure Ansible for Windows

  1. Log in to the Ansible master with the user ansible

  2. Create a windows project directory in the ansible home folder

mkdir windows
 

Installing the Kerberos library

# via yum (RHEL/CentOS/Fedora)
sudo yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation
# pywinrm is a Python package, so it is installed with pip3, not yum
sudo pip3 install "pywinrm>=0.2.2"

 

Configuring Kerberos

Edit your /etc/krb5.conf (which should have been installed by the packages above) and add the following information for each domain you need to connect to. Kerberos realm names are case-sensitive and are written in upper case:

ansible@ip-10-64-118-34:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM   # replace with your own realm, in upper case
dns_lookup_realm = true
dns_lookup_kdc = true
 

Testing a Kerberos connection

If you have installed krb5-workstation (yum) or krb5-user (apt-get), you can use the following command to test that your domain controller authenticates you:

kinit user@MY.DOMAIN.COM

 

To see which tickets (if any) you have acquired, run klist:

klist
 

Create the inventory, config and variables files

[ansible@itansible windows]$ ls
ansible.cfg group_vars inventory winvars winvars.yml
 

Create the inventory file

[ansible@itansible windows]$ vim inventory

[windows]
mt-n.argus.local
 

Create the config file

[ansible@itansible windows]$ vim ansible.cfg

[defaults]
host_key_checking = false
inventory = inventory
 

Create the group_vars directory and the variables file (named after the inventory group, windows)

mkdir group_vars
cd group_vars

[ansible@itansible group_vars]$ vim windows
ansible_user: user@ARGUS-LOCAL
ansible_password: password
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
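Three of the files created in this guide carry settings a practitioner will want to look at before the first run: ansible.cfg sets host_key_checking = false (SSH host keys are no longer verified, so a host impersonating a managed node is not detected), group_vars/windows stores ansible_password in clear text and sets ansible_winrm_server_cert_validation: ignore, and /etc/krb5.conf only works when default_realm is upper case. As an added example (not from the original post or from Ansible itself), here is a small POSIX shell pre-flight audit that reads those files and reports the findings; the ini_get helper and all function names are my own, and the file paths are passed as arguments so it can be run against any copy.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the controller-side files
# from this guide. Each audit_* function prints its warnings to stderr and the
# number of findings to stdout.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] of an
# ini-style file (ansible.cfg and krb5.conf both use this layout).
ini_get() {
    awk -v want_section="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }                       # comment lines
        /^[[:space:]]*\[/ { s = $0; gsub(/[^A-Za-z0-9_.]/, "", s); section = s; next }
        section == want_section && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == want_key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_ansible_cfg FILE: warn when SSH host key verification is disabled.
audit_ansible_cfg() {
    findings=0
    hkc="$(ini_get "$1" defaults host_key_checking | tr 'A-Z' 'a-z')"
    if [ "$hkc" = "false" ]; then
        echo "$1: host_key_checking = false disables SSH host key verification; pre-populate known_hosts instead" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# audit_krb5_conf FILE: the realm must be present and upper case (realm names
# are case-sensitive), and KDC discovery via DNS should be on as in the guide.
audit_krb5_conf() {
    findings=0
    realm="$(ini_get "$1" libdefaults default_realm)"
    if [ -z "$realm" ]; then
        echo "$1: no default_realm in [libdefaults]" >&2
        findings=$((findings + 1))
    else
        case "$realm" in
            *[a-z]*) echo "$1: default_realm '$realm' is not upper case" >&2
                     findings=$((findings + 1)) ;;
        esac
    fi
    if [ "$(ini_get "$1" libdefaults dns_lookup_kdc | tr 'A-Z' 'a-z')" != "true" ]; then
        echo "$1: dns_lookup_kdc is not true; the KDC will not be found via DNS" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# audit_group_vars FILE: clear-text password and disabled WinRM cert validation.
# A value starting with '!vault' is an ansible-vault encrypted string and passes.
audit_group_vars() {
    findings=0
    if grep -qE '^ansible_password:[[:space:]]*[^![:space:]]' "$1"; then
        echo "$1: ansible_password is stored in clear text; encrypt it with ansible-vault encrypt_string" >&2
        findings=$((findings + 1))
    fi
    if grep -qE '^ansible_winrm_server_cert_validation:[[:space:]]*ignore' "$1"; then
        echo "$1: WinRM server certificate validation is disabled" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Usage: sh audit.sh ansible.cfg /etc/krb5.conf group_vars/windows
if [ "$#" -eq 3 ]; then
    total=$(( $(audit_ansible_cfg "$1") + $(audit_krb5_conf "$2") + $(audit_group_vars "$3") ))
    echo "findings: $total"
    [ "$total" -eq 0 ]
fi
```

Run against the files exactly as written in this guide it reports four findings (host key checking off, clear-text password, certificate validation off, and a lower-case realm if the realm was entered that way); the exit status is non-zero until they are resolved, which makes it usable as a gate before the first ansible run.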

 
 

Configure Windows Managed Hosts

Configuring a Windows server for remote management by Ansible takes a bit of work. Luckily the Ansible team has created a PowerShell script for this. Download this script from [here] to each Windows server you want to manage and run it as Administrator.

Log into WinServer1 as Administrator, download ConfigureRemotingForAnsible.ps1 and run this PowerShell script without any parameters.

Once this script has been run on the Windows 10 host, return to the Ansible master controller host.

Test Connectivity to the Windows Server

If all has gone well, we should be able to run Ansible's win_ping test. This command simply connects to the remote WinServer1 server over WinRM and reports success or failure.

Type: ansible windows -m win_ping

https://argonsys.com/wp-content/uploads/2018/02/kb32-ansible-etcansiblehosts.png

#Ansible #Devops #Linux
