Creating an Ansible Controller
Basic
See the requirements and how to configure Ansible with the basic requirements below, then test with any mixture of the following basic Ansible commands.
ansible <host> -m ping
ansible <hostgroup> -m ping
ansible <hostgroup> -m ping -u <user>
ansible <host> -m ping --private-key=/home/user/.ssh/key
ansible <host> -m ping -u <user> --private-key=/home/user/.ssh/key
To configure an ansible worker -
# Create the user that ansible will authenticate with when running plays
admin@wordpress:~$ sudo adduser username
[sudo] password for admin:
Adding user `username' ...
Adding new group `username' (1000) ...
Adding new user `username' (1000) with group `username' ...
Creating home directory `/home/username' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for username
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
# Add or edit our custom sudoers config
admin@server:~$ sudo visudo -f /etc/sudoers.d/mySudoers
# Add our new user to sudo group
admin@server:~$ sudo vigr
You have modified /etc/group.
You may need to modify /etc/gshadow for consistency.
Please use the command 'vigr -s' to do so.
admin@server:~$ sudo vigr -s
You have modified /etc/gshadow.
You may need to modify /etc/group for consistency.
Please use the command 'vigr' to do so.
# Change PAM authentication to allow our user to bypass other modules
admin@server:~$ sudo vim /etc/pam.d/sshd
# Add our user to the pam_listfile.so allow list configured in the changes made above
admin@server:~$ sudo vim /etc/authusers
# Specify a custom user and group ID
admin@server:~$ sudo usermod -u 61182 username
admin@server:~$
admin@server:~$ sudo groupmod -g 61181 username
# Change file permissions created when we added the user
# Just updating user files to reflect new IDs. Errors are ok
admin@server:~$ sudo find / -group 1000 -exec chgrp -h username {} \;
find: ‘/proc/18580/task/18580/fd/6’: No such file or directory
find: ‘/proc/18580/task/18580/fdinfo/6’: No such file or directory
find: ‘/proc/18580/fd/5’: No such file or directory
find: ‘/proc/18580/fdinfo/5’: No such file or directory
admin@server:~$ sudo find / -user 1000 -exec chown -h username {} \;
find: ‘/proc/18611/task/18611/fd/6’: No such file or directory
find: ‘/proc/18611/task/18611/fdinfo/6’: No such file or directory
find: ‘/proc/18611/fd/5’: No such file or directory
find: ‘/proc/18611/fdinfo/5’: No such file or directory
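The two find commands above walk the entire filesystem, which is why /proc entries vanish mid-walk and produce the errors shown; the same walk would also descend into any mounted network share. usermod -u re-owns the files under the home directory by itself, while groupmod -g changes no files at all, so the walk is only needed for what is left over. As an added example that is not part of the original page, the following POSIX shell functions (names such as find_by_owner and remap_owner are my own) do the same re-ownership restricted to one filesystem with /proc and /sys pruned, and default to a dry run that lists what would change before any chown or chgrp is executed. The uid and gid values are parameters, and the demo builds a constructed temporary tree instead of touching the real filesystem.

```shell
#!/bin/sh
# Added example (not from the original page): find, and optionally re-own, files
# that still carry the old uid or gid after usermod -u / groupmod -g. The walk stays
# on one filesystem (-xdev) and prunes /proc and /sys, which is where the
# "No such file or directory" noise in the transcript comes from.

# List entries under $1 whose owner ($2 = user) or group ($2 = group) is $3.
# $3 may be a name or a numeric id, as in the page's "find / -user 1000".
find_by_owner() {  # $1 = root, $2 = user|group, $3 = id
  case "$2" in user|group) ;; *) echo "usage: find_by_owner ROOT user|group ID" >&2; return 2 ;; esac
  find "$1" -xdev \( -path /proc -o -path /sys \) -prune -o "-$2" "$3" -print
}

# Number of matching entries (the root directory itself counts when it matches).
count_by_owner() {
  find_by_owner "$1" "$2" "$3" | awk 'END { print NR }'
}

# Dry run by default: print what would change. Pass "apply" as $5 to run chown -h /
# chgrp -h (as root), batching paths with -exec ... {} + instead of one process per file.
remap_owner() {  # $1 = root, $2 = user|group, $3 = old id, $4 = new name, $5 = apply|dry-run
  case "$2" in user|group) ;; *) echo "usage: remap_owner ROOT user|group OLD NEW apply|dry-run" >&2; return 2 ;; esac
  if [ "$5" = apply ]; then
    if [ "$2" = user ]; then tool=chown; else tool=chgrp; fi
    find "$1" -xdev \( -path /proc -o -path /sys \) -prune -o "-$2" "$3" -exec "$tool" -h "$4" {} +
  else
    find_by_owner "$1" "$2" "$3" | sed "s|^|would set $2 to $4: |"
  fi
}

# Demo in a constructed temporary tree owned by the current user; no chown is run.
demo() {
  d=$(mktemp -d)
  mkdir "$d/a"; touch "$d/a/f1" "$d/f2"
  echo "entries owned by uid $(id -u) under $d: $(count_by_owner "$d" user "$(id -u)")"
  remap_owner "$d" user "$(id -u)" username dry-run
  rm -rf "$d"
}
demo
```

On a real host the page's two commands become `remap_owner / group 1000 username dry-run` followed by the same call with `apply` once the list looks right, then the same for `user 1000`.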
# Log in as the user, and add the public key Ansible will present for authentication.
admin@server:~$ sudo -iu username
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
username@server:~$ mkdir .ssh
username@server:~$ sudo vim .ssh/authorized_keys
# Verify sshd_config, and restart sshd.service
username@server:~$ sudo vim /etc/ssh/sshd_config
username@server:~$ sudo systemctl restart sshd.service
In /etc/pam.d/sshd, we can add the following line to let a list of users past any other modules configured on the server. Be sure to add this line at the top of the configuration file, so it is handled before any other module: because the entry is sufficient and comes first, a listed user satisfies the auth stack as soon as pam_listfile matches, and none of the modules after it run for that user.
auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers
In the /etc/authusers file, we simply list the users that can bypass further PAM configuration, one per line -
user
otheruser
thirduser
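Because the sufficient entry short-circuits the auth stack, it matters what sshd still feeds into that stack: public-key logins never call the PAM auth stack, but password and keyboard-interactive logins do, so with PasswordAuthentication enabled a listed user's password would never be verified by pam_unix or anything else behind the list. As an added example that is not part of the original page, this POSIX shell script audits a copy of the PAM service file and sshd_config for exactly that combination: it confirms the pam_listfile line is the first auth entry, prints the users it admits, and reports the effective PasswordAuthentication value. The function names and the sample files in the demo are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd PAM stack for the
# pam_listfile "sufficient" allow-list and cross-check sshd's password setting.
# All paths are parameters, so the functions run against copies or test files.

# Print the first active auth-stack entry of a PAM service file. An "@include"
# (Debian's common-auth) counts, because it pulls auth modules in at that position.
first_auth_line() {
  awk '$1 == "auth" || $1 == "@include" { print; exit }' "$1"
}

# If the first auth entry is "sufficient pam_listfile.so item=user sense=allow",
# print the users it admits (one per line) and return 0; otherwise return 1.
pam_bypass_users() {
  line=$(first_auth_line "$1")
  case "$line" in *sufficient*pam_listfile.so*) ;; *) return 1 ;; esac
  case "$line" in *item=user*) ;; *) return 1 ;; esac
  case "$line" in *sense=allow*) ;; *) return 1 ;; esac
  list=$(printf '%s\n' "$line" | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p')
  [ -r "$list" ] || return 1
  grep -v '^[[:space:]]*$' "$list"   # pam_listfile reads one entry per line
}

# Effective PasswordAuthentication: sshd keeps the first value it reads for a
# keyword, and the compiled-in default is "yes".
sshd_password_auth() {
  v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
  printf '%s\n' "${v:-yes}"
}

# Verdict: 0 when the list cannot grant a password-free login, 2 when listed
# users would pass the auth stack while sshd still accepts passwords.
audit_pam_sshd() {  # $1 = PAM service file, $2 = sshd_config
  if ! users=$(pam_bypass_users "$1"); then
    echo "no pam_listfile bypass at the top of the auth stack in $1"
    return 0
  fi
  echo "users admitted by the first auth entry of $1:"
  for u in $users; do echo "  $u"; done
  pw=$(sshd_password_auth "$2")
  echo "PasswordAuthentication $pw (from $2)"
  if [ "$pw" = yes ]; then
    echo "WARNING: listed users satisfy the auth stack before any password module runs"
    return 2
  fi
  return 0
}

# Demo on constructed files in a temporary directory, never the live system.
demo() {
  d=$(mktemp -d)
  printf 'user\notheruser\nthirduser\n' > "$d/authusers"
  {
    echo "auth sufficient pam_listfile.so item=user sense=allow file=$d/authusers"
    echo '@include common-auth'
    echo '@include common-account'
  } > "$d/sshd"
  printf 'Port 22\nPasswordAuthentication yes\n' > "$d/sshd_config"
  audit_pam_sshd "$d/sshd" "$d/sshd_config" || echo "audit exit status $?"
  rm -rf "$d"
}
demo
```

Run it on the live files as root with `audit_pam_sshd /etc/pam.d/sshd /etc/ssh/sshd_config`; a clean result for the setup described on this page is the user list followed by PasswordAuthentication no.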
2 hosts
- controller
  - has ansible
  - create ssh key as the ansible user
    ssh-copy-id <worker>
  - should be able to ssh with no password -
    ssh <workstation>
    as the ansible user
  - If the above does not work, create /home/USER/.ssh/config and add IdentityFile /path/to/Private.key; this will pass the key automatically when connecting as USER.
  - Ensure the host you are connecting to has the connecting key within its ~/.ssh/authorized_keys file.
  - restart sshd.service -
    sudo systemctl restart sshd.service
- worker
  - has ansible
  - has a known password, but can sudo without one.
  - <user> ALL=(ALL) NOPASSWD:ALL
    within sudoers
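The troubleshooting items above come down to a few file-level conditions that sshd and sudo enforce: sshd's StrictModes refuses a key when ~/.ssh or authorized_keys is group- or world-writable, the controller's public key has to appear in authorized_keys, and the NOPASSWD rule has to exist for the user. As an added example that is not part of the original page, this POSIX shell script checks those conditions for a given home directory, public key and sudoers file; the function names are my own, the key in the demo is a constructed placeholder rather than a real key, and key lines carrying option prefixes (command="...", from="...") are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for passwordless
# Ansible SSH into a worker. Home directory, key and sudoers file are parameters.

# sshd's StrictModes rejects a key when ~/.ssh or authorized_keys is group- or
# world-writable. GNU find's -perm /022 matches if either write bit is set.
not_group_world_writable() {
  [ -e "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /022)" ]
}

# Does authorized_keys contain the key? Compare key type and base64 data
# (fields 1 and 2); the trailing comment is free text and is ignored.
key_authorized() {  # $1 = authorized_keys, $2 = public key line
  want=$(printf '%s\n' "$2" | awk '{ print $1, $2 }')
  awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' "$1"
}

# The rule the page uses, anchored so a commented-out or partial line does not pass.
sudoers_nopasswd_ok() {  # $1 = sudoers file, $2 = user
  grep -Eq "^[[:space:]]*$2[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$" "$1"
}

# Run every check, report each failure, and return non-zero if any failed.
worker_ready() {  # $1 = home dir, $2 = controller public key, $3 = sudoers file, $4 = user
  ok=0
  for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then echo "missing: $p"; ok=1; continue; fi
    not_group_world_writable "$p" || { echo "group/world writable, StrictModes will reject it: $p"; ok=1; }
  done
  if [ -f "$1/.ssh/authorized_keys" ]; then
    key_authorized "$1/.ssh/authorized_keys" "$2" || { echo "controller key not in authorized_keys"; ok=1; }
  fi
  sudoers_nopasswd_ok "$3" "$4" || { echo "no 'NOPASSWD:ALL' rule for $4 in $3"; ok=1; }
  return "$ok"
}

# Demo with a constructed home directory, placeholder key and sudoers file; nothing real is touched.
demo() {
  d=$(mktemp -d)
  key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey ansible@controller'
  mkdir -m 700 "$d/.ssh"
  printf '%s\n' "$key" > "$d/.ssh/authorized_keys"
  chmod 600 "$d/.ssh/authorized_keys"
  printf 'ansible ALL=(ALL) NOPASSWD:ALL\n' > "$d/sudoers"
  worker_ready "$d" "$key" "$d/sudoers" ansible && echo "worker is ready for passwordless Ansible"
  rm -rf "$d"
}
demo
```

On the worker, `worker_ready /home/ansible "$(cat controller.pub)" /etc/sudoers.d/mySudoers ansible` needs root to read the sudoers file; the grep only confirms the rule is present, so still validate the file's syntax with `sudo visudo -c -f /etc/sudoers.d/mySudoers` before relying on it.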
Using Ansible Locally - Vagrant / vBox
Run the following -
ansible@controller:~$ sudo apt -y install vagrant
ansible@controller:~$ sudo apt -y install virtualbox
# Create a directory to store our server configurations
ansible@controller:~$ mkdir /some/path/vBox
ansible@controller:~$ cd /some/path/vBox
# Ensure you are in the directory you created, and continue
ansible@controller:~/vBox$ pwd
# Download the vagrant box (Ubuntu 18.04 is the below box)
ansible@controller:~/vBox$ vagrant box add ubuntu/bionic64
==> box: Loading metadata for box 'ubuntu/bionic64'
box: URL: https://vagrantcloud.com/ubuntu/bionic64
==> box: Adding box 'ubuntu/bionic64' (v20190813.1.0) for provider: virtualbox
box: Downloading: https://vagrantcloud.com/ubuntu/boxes/bionic64/versions/20190813.1.0/providers/virtualbox.box
==> box: Successfully added box 'ubuntu/bionic64' (v20190813.1.0) for 'virtualbox'!
# Initialize our server configuration using vagrant init..
ansible@controller:~/vBox$ vagrant init ubuntu/bionic64
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.
# Run a quick check to ensure our new vagrant box is up-to-date..
vagrant box update
# Spin up our new box
ansible@controller:~/vBox$ vagrant up
Now, we need to tell VirtualBox where to save our virtual machines, to avoid the default directory, whose name contains capital letters and spaces and is awkward to navigate to in a Bash terminal -
vboxmanage setproperty machinefolder /path/to/directory/
For a complete list of available Vagrant boxes, visit The Vagrant Box Search Page
Now, if we already spun up a box using the default directory, we should navigate to the directory containing the Vagrantfile for that box, and run the following..
vagrant destroy
vagrant up
This will destroy all traces of our previous box and spin up a new one in our new default directory. Note that it is still necessary to remove the default directory if we had previously spun up a box there: Vagrant will not remove those files, since they belong to the VirtualBox machine and not to the Vagrant configuration itself. Simply run sudo rm -r /path/to/VirtualBox\ VMs/
and refer to your newly configured directory for all boxes spun up from here forward.
Vagrant Provisioning With Ansible
To configure Vagrant for Ansible provisioning, we'll need to edit the Vagrantfile that vagrant init generated when we initialized our box. Navigate to the directory of the box we wish to provision via an Ansible playbook, and edit the Vagrantfile to contain the following lines, prior to the closing end statement of the Vagrant.configure block (config is the block variable the generated file already declares).
config.vm.provision "ansible" do |ansible|
  ansible.playbook = "playbook.yml"
end