Skip to main content

Creating an Ansible Controller

Test Cases

See how to configure ansible with the basic requirements below, test with any mixture of the following basic Ansible commands.

ansible <host> -m ping
ansible <hostgroup> -m ping
ansible <hostgroup> -m ping -u <user>
ansible <host> -m ping --private-key=/home/user/.ssh/key
ansible <host> -m ping -u <user> --private-key=/home/user/.ssh/key
Instructions

To configure an ansible worker -

# Create the user that ansible will authenticate with when running plays
admin@wordpress:~$ sudo adduser username
[sudo] password for admin: 
ssh-rsa AAAeAB3NXyXeAAADAQABAAABXwxAQDXndHlHw2DxXMk1thdTsSJWoRxXXGl5jXXMGaRta1sdprzg/sXJAdding user `username' ...
Port 22
Adding new group `username' (1000) ...
Adding new user `username' (1000) with group `username' ...
Creating home directory `/home/username' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for username
Enter the new value, or press ENTER for the default
        Full Name []: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n] y

# Add or edit our custom sudoers config
admin@server:~$ sudo visudo -f /etc/sudoers.d/mySudoers

# Add our new user to sudo group
admin@server:~$ sudo vigr 
You have modified /etc/group.
You may need to modify /etc/gshadow for consistency.
Please use the command 'vigr -s' to do so.
admin@server:~$ sudo vigr -s
You have modified /etc/gshadow.
You may need to modify /etc/group for consistency.
Please use the command 'vigr' to do so.

# Change PAM authentication to allow our user to bypass other modules
admin@server:~$ sudo vim /etc/pam.d/sshd 
# Add our user to the pam_userlist.so configured in the changes made above
admin@server:~$ sudo vim /etc/authusers

# Specify a custom user and group ID
admin@server:~$ sudo usermod -u 61182 username
admin@server:~$ 
admin@server:~$ sudo groupmod -g 61181 username

# Change file permissions created when we added the user
# Just updating user files to reflect new IDs. Errors are ok
admin@server:~$ sudo find / -group 1000 -exec chgrp -h username {} \;
find: ‘/proc/18580/task/18580/fd/6’: No such file or directory
find: ‘/proc/18580/task/18580/fdinfo/6’: No such file or directory
find: ‘/proc/18580/fd/5’: No such file or directory
find: ‘/proc/18580/fdinfo/5’: No such file or directory
admin@server:~$ sudo find / -user 1000 -exec chown -h username {} \;
find: ‘/proc/18611/task/18611/fd/6’: No such file or directory
find: ‘/proc/18611/task/18611/fdinfo/6’: No such file or directory
find: ‘/proc/18611/fd/5’: No such file or directory
find: ‘/proc/18611/fdinfo/5’: No such file or directory

# Login as the user, and add the publickey ansible will pass for authentication.
admin@server:~$ sudo -iu username
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

username@server:~$ mkdir .ssh
username@server:~$ sudo vim .ssh/authorized_keys

# Verify sshd_config, and restart sshd.service
username@server:~$ sudo vim /etc/ssh/sshd_config 
username@server:~$ sudo systemctl restart sshd.service

In /etc/pam.d/sshd, we can add the following line to allow for a list of users past any other modules configured on the server. Be sure to add this line at the top of our configuration file, so it is handled before any other module.

auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers

In the /etc/authusers file, we simply list users that can bypass further PAM configurations -

user
otheruser
thirduser
Basic Requirements

So the basic requirements for running / creating an ansible controller for a set of hosts is as follows -

  1. controller
    • has ansible
    • create ssh key as the ansible user
      • ssh-copy-id <worker>
      • should be able to ssh with no password - ssh <workstation> as ansible user
        • If the above does not work, create /home/USER/.ssh/config and add IdentityFile /path/to/Private.key, this will pass the key automatically when connecting as USER.
        • Ensure the host you are connecting to has the connecting key within the ~/.ssh/authorized_keys file.
        • restart sshd.service - sudo systemctl restart sshd.service
  2. worker
    • has ansible
    • has a known password, but can sudo without one.
      • <user> ALL=(ALL:ALL) NOPASSWD:ALLLALL within sudoers
Back to top