
Learning Ansible from the ground up.

Ansible (as defined by Wikipedia) is an open-source software provisioning, configuration management, and application-deployment tool. It runs on many Unix-like systems, and can configure both Unix-like systems as well as Microsoft Windows. It includes its own declarative language to describe system configuration.

In this article, I intend to walk through the basics of setting up an initial test controller node on CentOS 7, as well as a simple configuration of a Windows Server 2016 node using a basic Ansible playbook. (perhaps building multiple playbooks for different tasks)

This is my first dive into learning Ansible, and my intent here is to share my experience, and hopefully help you start a simple Ansible environment which you can build and grow from.

Windows and Ansible documentation is located in the official Ansible documentation website.

By following the instructions in this series, you will be able to manage Windows Server 2016 systems using Ansible as easily as managing any Linux environment.

I intend this article to be a gateway to multiple articles in a series, which will possibly progress into a fully functional production environment. However, for just this one instance, I’m simply going to focus on building a sandbox/development environment to learn some basics, then use this as a springboard to expand from.

Lab Environment

The examples in this article will reference the following configuration:

  • One Ansible controller node running CentOS 7
    • For my dev environment, I’m simply using a spare desktop PC I have.
  • One Windows 2016 Server to be managed by Ansible
    • I’m using our lab environment, with a virtual machine on VMware ESXi 5.5. (I know, I know.. this is lab… sheesh.)
  • One Active Directory Server providing DNS (This can be a standalone just for this environment, or an existing one, as long as you have admin access)

NOTE: You can configure these however you want; however, they should be accessible to each other, and you may need to validate that firewall settings allow access.

Configure Network Prerequisites

We’ll need to create some forward and reverse lookup records in DNS for Kerberos to resolve correctly, so make sure you have created an “A” record for your Linux system (you can also leverage an “alias” record if you’d like), as well as a reverse DNS pointer. You decide what fits best in your environment.

Build and configure the Ansible System

NOTE: For the sake of brevity, I will not be covering the build of the operating system, and I am assuming that you have built a base CentOS 7 with a minimum configuration, set the IP address details, and enabled SSH access.

Install Prerequisite Packages

Update the following files. Be sure to modify as appropriate for your own environment.

1. Install GCC required for Kerberos

yum -y group install "Development Tools"

2. Install EPEL Repository

yum -y install epel-release

3. Install Ansible

yum -y install ansible

4. Install Kerberos

yum -y install python-devel krb5-devel krb5-libs krb5-workstation

5. Install Python PIP

yum -y install python-pip

6. Update all the system packages to ensure everything is at the latest version.

yum -y update

After a full system update, I always find it a good idea to reboot the system, so go ahead and do that now.

reboot

Check that Ansible and Python are installed and working

ansible --version | head -n 1
python --version

Configure Kerberos

While there are other options to authenticate with Windows guests, Kerberos is generally the best option to utilize in an Active Directory domain.

1. Install the Kerberos PIP Package.

pip install "pywinrm[kerberos]"

2. Edit the /etc/krb5.conf file and add the following:

NOTE: Make sure to adjust these to your specific environment. Also note that I am specifying the domain name in all UPPER CASE LETTERS. This is due to Kerberos naming standards. Make sure this is all upper case; likewise, when testing, pass the domain name in all upper case or you may get errors.

The following articles explain this in greater detail.

Add:

[realms]
DOMAIN.LOCAL = {
  kdc = DC1.DOMAIN.LOCAL
}

Add:

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
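
The upper-case and mapping mistakes described in the note above can be caught before running kinit. The following Python linter is an added example, not part of the original article; it handles only the multi-line [realms] and [domain_realm] layout shown here, and its function names and sample text (with a deliberately lower-case realm) are constructed for illustration.

```python
import re

# Constructed sample: the page's fragments, with a lower-case realm slipped in.
SAMPLE = """\
[realms]
DOMAIN.LOCAL = {
  kdc = DC1.DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = domain.local
"""

def parse_krb5(text):
    """Return (realms, domain_realm) dicts parsed from krb5.conf text."""
    realms, domain_realm, section, realm = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None  # end of a realm's { ... } block
        elif "=" in line and line[0] not in "#;":
            key, value = [p.strip() for p in line.split("=", 1)]
            if section == "realms" and value == "{":
                realm = realms.setdefault(key, {})  # start of a realm block
            elif section == "realms" and realm is not None:
                realm[key] = value  # e.g. kdc = DC1.DOMAIN.LOCAL
            elif section == "domain_realm":
                domain_realm[key] = value  # DNS suffix or host -> realm
    return realms, domain_realm

def lint_krb5(text):
    """Return a list of problems in the realm definitions and mappings."""
    realms, domain_realm = parse_krb5(text)
    problems = []
    for name, opts in sorted(realms.items()):
        if name != name.upper():
            problems.append("realm %s is not upper case" % name)
        if "kdc" not in opts:
            problems.append("realm %s has no kdc entry" % name)
    for host, target in sorted(domain_realm.items()):
        if target not in realms:
            hint = " (wrong case?)" if target.upper() in realms else ""
            problems.append("%s maps to undefined realm %s%s" % (host, target, hint))
    return problems

if __name__ == "__main__":
    print("\n".join(lint_krb5(SAMPLE)) or "no problems found")
```

To check the real file, pass the contents of /etc/krb5.conf to lint_krb5 instead of the sample text.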

Your completed /etc/krb5.conf file should look similar to this:

Test Kerberos

Run the following to test Kerberos:

kinit <username>@DOMAIN.LOCAL

Enter the password for the user you entered above.

You should see a Kerberos KEYRING record similar to below:

At this point, our Ansible machine is now ready for us to start creating some playbooks to run against our Windows server.

For my next article, I’ll build the Windows Client to manage, and we’ll set up some simple playbooks to experiment with. Additionally in the future, I’d like to delve into the Ansible AWX project, and see where that can fit in too!
