Automating tasks with Ansible


In this post, I will show how to automate tasks using Ansible.

For this example, I will use the script that joins Ubuntu servers to the Active Directory domain.

First, install Ansible on the Control Node, the server you will use to manage the others; in our case server01 is the chosen one. The installation is very simple, please check this page.

Prerequisite: make sure you have a user account on each managed server, preferably with the same user name and password to make things easier. This is required only for the initial steps, such as copying the SSH key to allow passwordless authentication between the Control Node and the Managed Servers.

Create an SSH key pair with the command ssh-keygen -t rsa and press Enter at the prompts: the first prompt asks where the key will be stored (the default location is fine), the second asks for a passphrase (press Enter for an empty passphrase).

Ok, now we have to copy this key to the remote servers we will be managing, and I will use a script for that.

Create a file, server.txt, listing all the servers to which you want to copy the SSH key, one per line, and check that you can reach each of them with a simple ping.

Then create the script, copy_ssh.sh, in the same directory as server.txt:

#!/bin/bash
#
# Copy the Control Node's public key to every host listed in server.txt
# (one hostname or IP address per line). ssh-copy-id adds the .pub
# suffix itself and will prompt for the remote root password once per host.
while read -r host; do
    [ -z "$host" ] && continue          # skip blank lines
    ssh-copy-id -i /root/.ssh/id_rsa "root@$host"
done < server.txt

Make the file executable by running chmod +x copy_ssh.sh and run it.

It will ask for the password of each remote server so it can copy the key to it.

Now we can SSH to each server without having to enter a password.

Ok, now we have everything ready.

Create an inventory file containing the managed servers.
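Here is an inventory in Ansible's YAML format, added as an example and not the post's own file. The host names are constructed; what matters is the group name servers, because the playbook later selects its targets with hosts: servers, and the ansible_user variable, which matches the remote_user the playbook uses. Save it as inventory (the YAML inventory plugin accepts a file without an extension) so the -i inventory commands below work unchanged.

```yaml
# inventory (added example; host names are constructed, not from the post)
all:
  children:
    servers:                      # group referenced by "hosts: servers" in the playbook
      hosts:
        server02.contoso.local:   # constructed example host
        server03.contoso.local:   # constructed example host
      vars:
        ansible_user: root        # account whose authorized_keys received the key above
```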

Let’s try a simple ping test using the ping module: run ansible all -m ping -i inventory and every host should answer with a SUCCESS message containing "ping": "pong".

Now let’s create our playbook. A playbook is a set of plays, each one a list of tasks to be executed on the managed servers, so basically we have to split our existing script into separate tasks. Here is how our AD Join script is transformed into a playbook.


---
- hosts: servers
  become: yes
  remote_user: root
  tasks:
  - name: Update before everything
    apt:
      update_cache: yes
  - name: Install Active Directory packages
    apt:
      pkg:
      - krb5-user
      - samba
      - sssd
      - sssd-tools
      - libnss-sss
      - libpam-sss
      - ntp
      - ntpdate
      - realmd
      - adcli
  - name: Set timezone
    shell: timedatectl set-timezone America/Cuiaba
  - name: Realm Discover
    shell: realm discover CONTOSO.LOCAL
  - name: Kerberos init
    shell: echo 'password' | kinit -V administrator@CONTOSO.LOCAL
  - name: Join AD
    shell: echo 'password' | realm join --verbose CONTOSO.LOCAL -U 'administrator@CONTOSO.LOCAL' --install=/
  - name: Prevent all users from logging into this server
    shell: realm deny -a
  - name: Permit a specific group to log into this server
    shell: realm permit -g LinuxAdmins@contoso.local
  - name: Configure automatic home directory creation
    shell: echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" >> /etc/pam.d/common-session
  - name: Add the permitted group to the sudoers file
    shell: echo "%linuxadmins@contoso.local ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Because joining the computer to the domain prompts twice for the password (kinit and realm join), I have put the password inside the playbook, but you can remove that part.
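One way to keep the password out of the playbook, added here as an example and not the post's own playbook: prompt for it at run time with vars_prompt (or load it from an ansible-vault encrypted file), feed it to realm join on stdin instead of echo in a shell string, and mark the task no_log so it never lands in Ansible's output. The realm, admin account and group names are the ones from the post; the variable names, the sudoers drop-in file name and the "already joined" check are my assumptions. The example also replaces the >> redirections with lineinfile and a validated /etc/sudoers.d file, so running the play twice does not duplicate lines or leave a broken sudoers, drops the separate kinit step (realm join authenticates with the -U account itself), and requires a password for sudo; add NOPASSWD: back if you want the post's behaviour.

```yaml
---
# Added example, not the post's playbook. Realm, admin and group names follow
# the post; variable names and the sudoers.d file name are assumptions.
- hosts: servers
  become: yes
  remote_user: root
  vars:
    ad_realm: CONTOSO.LOCAL
    ad_admin: administrator@CONTOSO.LOCAL
    ad_login_group: LinuxAdmins@contoso.local
    ad_sudo_group: linuxadmins@contoso.local
  vars_prompt:
    # The join password is typed once when the play starts and is never
    # written to the playbook; private: yes keeps it off the terminal.
    - name: ad_join_password
      prompt: "AD join password for {{ ad_admin }}"
      private: yes
  tasks:
    - name: Install Active Directory packages
      apt:
        update_cache: yes
        name:
          - krb5-user
          - sssd
          - sssd-tools
          - libnss-sss
          - libpam-sss
          - realmd
          - adcli
        state: present

    - name: Check whether this host is already joined to a realm
      command: realm list --name-only
      register: realm_list
      changed_when: false          # read-only query, never reports a change

    - name: Join AD (password on stdin, not on the command line or in logs)
      command: "realm join --verbose {{ ad_realm }} -U {{ ad_admin }}"
      args:
        stdin: "{{ ad_join_password }}"
      no_log: yes                  # hides the task's arguments and output
      when: (ad_realm | lower) not in (realm_list.stdout | lower)

    - name: Deny everyone by default, then permit only the admin group
      command: "{{ item }}"
      loop:
        - realm deny -a
        - "realm permit -g {{ ad_login_group }}"

    - name: Create home directories on first login (idempotent, unlike >>)
      lineinfile:
        path: /etc/pam.d/common-session
        regexp: '^session\s+required\s+pam_mkhomedir\.so'
        line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0077'

    - name: Grant sudo to the admin group via a validated drop-in file
      copy:
        dest: /etc/sudoers.d/ad-linuxadmins   # assumed file name
        content: "%{{ ad_sudo_group }} ALL=(ALL) ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: 'visudo -cf %s'   # refuses to install a syntactically broken file
```

Run it the same way, ansible-playbook ad_join_playbook.yml -i inventory; Ansible asks for the join password before connecting to any host, and a second run skips the join task on servers that realm list already reports as joined.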

Run ansible-playbook ad_join_playbook.yml -i inventory

And after some minutes, all the servers are joined to the domain.

Thanks for reading.

