EX294 Red Hat Certified Engineer RHCE – Configuring Ansible Managed Node Part 2

3. Task: Creating user and distributing SSH Keys using Ansible Ad-Hoc Command line

Hello, welcome to this lecture. In this lecture we’ll learn how to create user on remote nodes using ansible ad hoc command and how to copy public key for the user to remote nodes to configure passwordless login here is task description generate SSH keys for user ansible on ansible control control node. We know ansible user is already created on ansible control node. We’ll generate SSH keys for this user on ansible control node using SSH keygen command line. Then we’ll create ansible user on the remote nodes. And finally we’ll copy public key for ansible user to the remote nodes. Use ansible ad hoc command to create user ansible unmanaged nodes and copy the public key for ansible user to manage nodes. Execute this task as root user. Because user can be created only by root user use password password for this user. Here is list of commands I will be using for this task. So first of all, we’ll generate SSH key pair for ansible user on ansible control node by using SSH keygen command line. Then by using ansible adobe command we’ll create ansible user on all the remote nodes.

Here is command ansible all because we need to create this user on all the remote nodes. In our case there are four managed nodes as defined in ansible inventory file m to specify module, we know we need to use user module for this task. A to provide arguments to this module by using name, directive or variable. We’ll provide username of user to be created which is ansible state is equal to present to create user which is default value. Even if we don’t specify this user will be created. In case we need to delete user, we must provide state is equal to absent. So here this is important password we cannot provide password as plain text. So we must provide encrypted password using some hashing algorithm. Again, here we are using ginger to filter.

We haven’t discussed anything about Ginger two filters. We’ll discuss about Ginger two filters. Ginger two statements in separate section. Here you need to know how you can use ginger to filter to encrypt a password. We already used Ginger two templates to access variables to access dictionary variable, list variable and ansible facts. So here we are not providing variable here this is string which is password enclosed in single quotation marks. We’ll pass this value to ginger to filter password underscore hash and here in the brackets we need to specify algorithm we need to use for encrypting the password. Here we are using Sha 256. We can also use Sha five, one, two and any algorithm depending upon task requirements then u to specify user because we need to execute this task as root user. We’ll discuss more on this before we start doing this task. Now I will show you from where you can learn about Ginger two filters in ansible documentation here on this page we can see selected version of ansible is two eight which is exam version.

On this path you can find description about Ginger two filters. Docs User guide working with playbooks templating Ginger two then filters. Here I will use control F and I will search for password underscore high. So here we can see to get sha five one two password high. So we are using same expression in our task. But instead of using five one two we are using two five six. Because it’s not mentioned in the task, you need to use as per task requirement we can use also salt to generate encrypted password. But here we are using random salt. Salt is used as additional input to encrypt the password to safeguard the password. So here you can go through different examples. We’ll discuss more on this later on. Next we need to copy public key forensible user to all manage nodes. For this we’ll use authorized underscore key module with a will provide different arguments. We’ll check the documentation for this module before doing the task with a option will provide user for which we need to copy public key. In our case it’s ansible user state is equal to present because we need to copy public key. In case you need to remove the public key, you must set state is equal to absent. Then here again this is important. Here we are using Lookup plugin which can be used with Ginger two templates. So what Lookup plugin does, so it will look into this file and assign the contents of this file to this key variable. We know public key for ansible user will be stored on this path.

So by using Lookup plugin we’ll look into this file where public key for the user will be stored and will assign the public key value to this key variable. For more information on Lookup plugin, you can check ansible documentation. So here on this page you can navigate from docs user guide working with playbooks advanced playbook features working with plugins. So here we need to check for Lookup plug in. So here you can see one example. So here in the VARs section so this is variable name file underscore contents which is assigned this value. We know this value is the value of the string which is present inside this file. So hereby using Lookup plugin we are assigning the contents in this file to this variable. Here you can just go through this. Now back to task description. Then using path directive we’ll set this path where we need to copy public key. We know this is a default path where public keys are copied ten u to specify user. So here I just mentioned.

Note while creating user, never use plain text password. Instead use encrypted password for which we are using Ginger to filter. Now let’s move to the system and start doing this task. Now we are on ensuable control node and I am logged in as root. Before starting with this task, I would like to explain how Ginger to filter password underscore hash generates encrypted password. For this I will use debug module. Or to explain this I will use debug module ansible. And here I will provide some target. We are not doing any action on this target. We are just going to display some variable. We’ll use debug module and here we’ll use MSG. And here I will provide password as string. You must enclose this inside single quotation marks. Then I will pass this value using pipe to password underscore hash. And here we’ll specify hashing algorithm. This is all we need to do to specify user. Because if we don’t specify this user so it will be executed as ansible user.

And we don’t have ansible user created on managed nodes. So we have this error. We know why we have this error. First of all, we need to move to the path where ansible config file is present. You can view the ansible config file by using ansible dashconfig with view command. So here is our config file. Now again I will execute this command. So here you can see this encrypted password. So this is how we can use Ginger to filter password underscore hash to encrypt the password. Now I will clear the screen. Now I will explain how Lookup plugin works. For this I will create simple playbook with name lookup YML. And here we know three dashes on the top dash, in the hosts I will specify mhostone. Then in the VAR section I will create one variable with name file underscore contents. And here I will use lookup plugin to assign string value to this variable using Ginger to template lookup file.

Because we are going to look inside a file. Then here we need to provide path of the file. I will use path home ansible Tasks file dot TXT. I will create file with name file dot TXT on this path. And we’ll put something inside this file. This is all we need to do. Then, here in Tasks section, we’ll use debug module to display this variable. Taskspace name to provide description displaying file contents we’ll use debug modules. Here we’ll use MSG. We need to print the variable file underscore contents. We know how we can print variable. Because this is simple key value pair. This is all we need to do. Now on this path I will create file with name file dot TXT and here write something some string. This is all. Now I will execute this playbook using ansible playbook command line. But before I execute, I will perform syntax check. Everything seems okay. So here we have errors. Again, we are making same mistake. We must provide user because by default it will use ansible user.

So here we have this output. So in this way Lookup plugin can look inside file and assign the contents of the file to some variable. Same we are doing to copy public key I will clear the screen. Now we’ll start doing the task. Now, before creating user, I will display ansible documentation for user module. I know we’ve already gone through this, but we’ll just walk through this overall. So for this task we are going to use name which is ensible and password. So this is used to set users password to this crypted value. To this cryptid value, I mean value assigned to this directive. We must use cryptid password for more information, you can also check on this link how to encrypt password. This is all I wanted to show you. I will clear the screen. Now we’ll use ansible M to specify module A to provide arguments name of user or username is ansible state is equal to present which is default value. So here important is password. Here we need to use Ginger to syntax.

So we need to password as password. So here we are supplying or providing password as string. We are passing this value to Ginger to filter password underscore hash. And here we are using sha two five six algorithm to encrypt this password. This is all we need to do. Don’t forget to use dash u to specify user. Also enclose list of arguments in double quotation marks. This is all we need to do. Now I will execute this command. This can take few seconds, so everything seems okay. User has been created on all the remote nodes. Here password is not logging password. So this is no error because password is in encrypted format. So this means this is not shown. I will clear the screen now. Next step is we need to copy public key for ansible user to the remote nodes. We know ansible user is already created on ansible control node. I will switch user to ansible. And here we need to use SSH key gen to generate SSH key pair. I will specify type as RSA. Here I will accept all the default values.

So SSH keypair has been created. We can verify navigating to path dot SSH under users home directory. So here we have private and public keypir. So this is private key and this is public key with extension pub. Now we need to copy contents of this public key to the file authorized underscore keys on the remote nodes. For this I will switch user to root. Because we will have to execute this task as root user. Now we need to navigate to path where our config file is present. Where unsuble config file is present. This is important. Now I will display documentation for authorized underscore key module using ansible dock command line. So here we’ll discuss only important directives adds or removes SSH authorized keys for a particular user accounts key which is important. We already discussed about this. Then manage underscore dir. So by default this is true. So this is set to true whether this module should manage the directory of the authorized key file.

So we know on the remote node. In our case, directory of authorized key file is dot SSH under user’s home directory. If this is set to yes which is default, the module will create the directory which is dot SSH as well as set the owner and permissions of an existing directory. Be sure to set manage underscore dir to know if you are using an alternate directory for authorized underscore keys. But we are using standard path so we will use it which is by default path alternate path to the authorized underscore keys file. But we are going to use standard path so we can omit this directory from our command. State is equal to present to copy, state is equal to absent to remove or delete public key.

Default is present. So we can omit this directive from our command as well user which is important and mandatory username for which we need to copy the public key. In our case, we need to copy public key for an sibling user. So here in the end, you can find some important examples. These examples are for playbook. So here user is charlie, state is equal to present. And here using Ginger two template with lookup plugin we can assign public key contents to this variable.

Now I will quit. I will clear the screen. Now we’ll execute an symbol all dash m to specify module and a to provide arguments. User is ancient key which is important. We know. Here we need to use Ginger to template the lookup plugin. So make sure you are typing correct syntax. Here we are looking inside file and here we need to provide path of file where public key is present. Enclosed in single quotation marks we know path isomencible dot SSH and public key. File name is ID underscore RSA pub. This is all we need to do. So here we are omitting state and path directives or variables. Because by default state is equal to present and path is default path where we need to copy this public key. Don’t forget to use u to specify user. This is all we need to do. Now I will execute this command. This can take few seconds. So we have yellow output.

So here we can see change is equal to true. State is present. So everything seems okay. Now to verify, I will switch user to Ncbull. I will establish Sswitch connection to Mhost one. So we are connected. I will type hostname. We are connected to mhostone without entering password. So this means our configurations are correct. Now I will try to connect to Mhost two SSH m host two we are connected. Similarly we’ll verify for Mhost three we are connected same for Mhost four. So everything is working fine. Now we have set up SSH keys for ansible user to enable passwordless login for ansible user. This is all about this lecture. In next lecture we will configure privilege escalation for an civil user on remote nodes.

4. Task: Configuring Privilege Escalation Using Ansible Ad-Hoc Command line

Hello welcome to this lecture. In this lecture we will learn how to configure Perville escalation for some user using ansible ad hoc command. Here is task description using ansible ad hoc command configure per village escalation for user ansible on all managed nodes user ansible should be able to use pseudo without providing password so it means per will the escalation must be possible even without entering password for the user to perform this task we’ll execute this command as root user. Because this section can be done as root user only. Now we know to configure prevailing escalation for some user we need to add user to the wheel group. If we add user to the wheel group in the pseudo’s file user will be used sudo but with password. But here we are not going to add user to the wheel group but we are creating separate line for the user in the pseudos file. Also we are using no pass WD so that Perville escalation will be possible even without entering password.

We’ve already gone through documentation of line in file module path which file need to be modified. In our case it’s sudoirs file present under etc. Directory state is present. We are going to add this line by default line will be added to the end of file. Earlier we used insert after directive and also rag EXP directives but here we don’t need to use them. We are going to add this line to the end of file. Backup is equal to yes to create backup of original file before making changes validate to validate file to make sure everything is correct then here using dash u option we are providing user root. Now let’s move to the system and start doing this task. Now we are on ensuble control node and I am logged in as root. First of all I will switch user to ansible. Here I will navigate to tasks directory where our ansible config file is present. In previous lecture we already set up SSH keys for ansible user. So here I will execute ansible old m ping to verify if our connectivity is fine from ansible point of view so everything is fine. Now what I will do using ansible Adobe command I will try to create user as ansible user but I will use become to tell ansible to execute these commands on the remote nodes with pseudo and we’ll see what happens. Ansible all m to specify user module a I will try to create user with username test state is equal to present and here I will use dash dash become to tell the ansible when connected to the remote nodes use pseudo. To perform the task I will press enter.

So here we have error so we can see pseudo a password is required even if you provide password it will not work because we haven’t configured per village escalation four and sible user I will clear the screen. I will execute same command again but this time with dash capital k to ask for per village escalation password it will ask for password but even if you provide password for user and sible it will not work because pervillage escalation is not configured yet. Now I will clear the screen I will exit now I am logged in as root. I will move to the same path. Now before we configure pervila escalation I will display Sudars files on this node. So we’ll go to the end of this file.

So here we can see for root, allow root to run any commands anywhere so we know so this is possible. And here we can see wheel group line. So if we add user to wheel group, user will be able to escalate privileges. But he must have to provide password here in the next line which is commented out. So this is line with no password. If we uncomment this line and assign user to wheel group user will be able to use per village escalation even without entering password but in our case we are going to create one separate line for ansible user. We are not going to assign user to the wheel group so we need this line but only instead of percentage wheel we’ll use ansible user. Now I will quit this again. I will display documentation for line in file module. We already gone through this documentation. We’ll just check about validate directive which is in the last the validate command to run before copying into place so it will validate config file. The path to the file to validate is passed in via percentages. So here you can see one example in the last. So same thing we are going to do. We need to validate Sudoir’s file. So this is a program for this file. We need to provide complete path c for check f for file location and we need to pass this path via percentage s to validate file.

I will create this. Now we’ll execute command to configure per village escalation unsafe all m linen file A to provide arguments path of sudors file here I would like to tell you one thing. I shown you Sudars file on an sibling control node for reference only. We are not going to make any changes on local node. We need to make changes on remote nodes only. Then here we’ll specify line to be added enclosed in single quotation marks. Ancient space all equal to then in brackets all here I am not specifying no past WD just to show you how we can use dash capital k option to provide become password. Later on we’ll change this state is equal to present because we need to add this line backup is equal to yes validate. Here we need to provide path for program which is USR fbim visodu. Then we’ll provide VF options and we’ll pass path of config file using percentage s. We’ll enclose this inside single quotation marks. This is all we need to do. U to specify user. Don’t forget to enclose list of arguments inside double quotation marks I will press enter. So we have yellow output. So line has been added. I will verify for one host host Mostwell using command module. So here we have file and here is our line. So now we configured per village escalation for user ansible on the remote nodes. But user ansible must enter his password for per village escalation. Now I will change to user ansible. We need to move to directory tasks. And here again I will use user module to create test user on Mhost one to tell ansible to use pseudo on the remote host. We have error this is normal this time I will use capital k option it will ask for become password I will enter password for an sible user.

Now user has been created so it means Perville escalation is working fine but we need to enter password. But according to task requirement Perville escalation must be possible even without entering password. I will clear the screen. I will exit so again. I will execute same command which state is equal to absent? To delete the line we added already. So we have done. We can see line has been removed. Now I will make changes. Here we’ll change state to present again. But here we must use no pass WD colon space. This is all we need to do. We’ll execute this command.

We have done so. Line has been added. Now I will switch user to Mcbell. We’ll navigate to tasks directory. Now again I will create one more test user. And this time without using dash capital k option. Ansie will Mhost one m to specify user module I will create user with username test one state is equal to present dash dash become. So when we execute this command ansible will connect to Mhost one as ansible user. But on the remote node it will use sudo. So we already configured parabola escalation on the remote node. And now Perville escalation is possible even without entering Perville escalation password. So this command should be successful. So user has been created. So in this way we can configure pervoli escalation using ansible ad hook commands. Same action you can do with playbook as well. This is all about this task.

• Category: Uncategorized