Ansible on FreeBSD: Faster Setup and Configuration

Ansible is a software tool that provides simple but powerful automation for a wide variety of operating systems. It is aimed primarily at IT professionals, who use it for application deployment, updates to workstations and servers, cloud provisioning, configuration management, intra-service orchestration, and almost any activity a system administrator performs on an hourly, daily or weekly basis. Ansible is agentless and brings no security infrastructure of its own: it relies on SSH and the user accounts that already exist on the managed hosts, which makes it easy to deploy.

For example, suppose you have 100 servers that all need the same stack (Apache, PostgreSQL, Redis, MongoDB). With Ansible this takes very little time: instead of logging in to each server to install and configure every program, you write a playbook once and Ansible applies it to all servers.

Many of a system administrator's tasks can be automated with configuration management software. Ansible is one such tool; with it you can automate the installation and configuration of software on any number of machines.

In this article I will show you how to use Ansible to launch infrastructure components, as well as for some everyday tasks.


1. System Specifications

OS: FreeBSD 13.2
Hostname: ns6
IP Address: 192.168.5.2
Ansible version: py39-ansible-8.2.0
Username: ansible


2. Why use Ansible
Ansible is cross-platform: the control node runs on FreeBSD, Linux and macOS, and the managed hosts can additionally include Windows. Its main advantages:
  1. Ease of use. A single control node is enough; the configuration is written in YAML, and nothing has to be installed on the managed hosts because Ansible connects to them over SSH.
  2. Many modules. Ansible ships with modules for interacting with the operating system, configuring networking, and managing files, users and permissions.
  3. Security. Because it rides on SSH, Ansible reuses the host keys, user accounts and key-based authentication you already have; there is no agent listening on the managed hosts and no additional network service to expose.


3. Ports and PKG Ansible

On FreeBSD, Ansible can be installed either from binary packages with pkg or from the ports tree. This article combines the two: the dependencies come prebuilt from pkg and the ansible meta-port itself is built from ports. First install the dependencies:
root@ns6:~ # pkg install python39 ansible-sshjail py39-setuptools py39-ansible-compat py39-ansible-core py39-ansible-iocage py39-ansible-runner
Then build Ansible from the ports tree:
root@ns6:~ # cd /usr/ports/sysutils/ansible
root@ns6:/usr/ports/sysutils/ansible # make config
root@ns6:/usr/ports/sysutils/ansible # make install clean
Building from ports lets you pick options in make config; the libraries Ansible needs are pulled in as dependencies either way, so installing the same package with pkg is an equally valid and faster choice.

After Ansible is installed, create the directory "/usr/local/etc/ansible" with the files "ansible.cfg" and "hosts" in it. The FreeBSD port patches Ansible to look for its configuration under /usr/local/etc/ansible rather than /etc/ansible, so files placed here are picked up without setting ANSIBLE_CONFIG. The directory created by mkdir already carries the execute (search) bit, so no chmod is needed; keep it owned by root and not writable by other users, since anything in ansible.cfg controls how commands are run on every managed host.
root@ns6:~ # mkdir -p /usr/local/etc/ansible
root@ns6:~ # touch /usr/local/etc/ansible/ansible.cfg
root@ns6:~ # touch /usr/local/etc/ansible/hosts
Put the following in the file "/usr/local/etc/ansible/ansible.cfg". The inventory path is resolved relative to the directory containing ansible.cfg, so "hosts" means /usr/local/etc/ansible/hosts; remote_user is the account Ansible logs in as on the managed hosts, created in section 4. Leave host_key_checking at its default (enabled) so that an unknown or changed SSH host key aborts the run instead of being silently accepted.
root@ns6:~ # ee /usr/local/etc/ansible/ansible.cfg
[defaults]
inventory = hosts
remote_user = ansible
and the following in the file "/usr/local/etc/ansible/hosts". ansible_python_interpreter must point at a Python binary that actually exists on the managed host: the python39 package installs /usr/local/bin/python3.9, while /usr/local/bin/python exists only if the lang/python meta-port is installed as well, so adjust the path to whatever the target provides.
root@ns6:~ # ee /usr/local/etc/ansible/hosts
[mybsdhosts]
ns6 ansible_python_interpreter=/usr/local/bin/python
#mediatama ansible_python_interpreter=/usr/local/bin/python
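A quick check on the two files above, as an added example that is not part of the original article: a POSIX sh script that flags the settings a security reviewer would reject in ansible.cfg (host key checking turned off, logging in directly as root) and in an INI inventory (plaintext SSH or become passwords stored next to the host names). The file names passed to it are the caller's choice, and the configurations used to exercise it are constructed for the example, not taken from a real deployment.

```shell
#!/bin/sh
# audit_ansible_config.sh (added example): flag insecure settings in an
# ansible.cfg and an INI inventory. Prints one finding per line and returns
# 1 if anything was found, 0 if the files are clean.

# Normalise an INI file: drop comments and blank lines, trim whitespace,
# and turn "key = value" into "key=value" so the patterns below stay simple.
normalise_ini() {
  sed -e 's/[;#].*$//' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e '/^$/d' \
      -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# audit_cfg FILE: settings in ansible.cfg that weaken SSH transport security
# or grant more privilege than the job needs.
audit_cfg() {
  found=0
  if normalise_ini "$1" | grep -qi '^host_key_checking=false$'; then
    echo "$1: host_key_checking=False -- SSH host keys are not verified, so a"
    echo "    spoofed host can receive credentials and commands (re-enable it)"
    found=1
  fi
  if normalise_ini "$1" | grep -qi '^remote_user=root$'; then
    echo "$1: remote_user=root -- log in as an unprivileged user and use become"
    found=1
  fi
  return $found
}

# audit_inventory FILE: credentials stored in clear text in the inventory.
audit_inventory() {
  found=0
  if normalise_ini "$1" | grep -Eq 'ansible_(ssh_pass|password|become_pass|become_password)='; then
    echo "$1: plaintext password variables -- use SSH keys for login and"
    echo "    ansible-vault or a prompt (-K) for become passwords"
    found=1
  fi
  return $found
}

# audit CFG INVENTORY: run both checks; returns 1 if either found something.
audit() {
  rc=0
  audit_cfg "$1" || rc=1
  audit_inventory "$2" || rc=1
  return $rc
}

# Command-line use: audit_ansible_config.sh /usr/local/etc/ansible/ansible.cfg /usr/local/etc/ansible/hosts
[ $# -ne 2 ] || audit "$1" "$2"
```

The script is deliberately grep-based rather than a full INI parser: the three patterns it looks for are the ones that turn a lab shortcut into a credential-theft path once the same files are reused for production hosts.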


4. Create the User and SSH authorized_keys

In this section we create the user that Ansible logs in as on the managed hosts; it is the remote_user set in ansible.cfg. In this example the user is named "ansible", but any name will do. The adduser dialogue below is the FreeBSD way to add a user; for more background on managing users in FreeBSD, see the previous article.



root@ns6:~ # adduser
Username: ansible
Full name: ansible python
Uid (Leave empty for default):
Login group [ansible]:
Login group is ansible. Invite ansible into other groups? []:
Login class [default]:
Shell (sh csh tcsh git-shell bash rbash nologin) [sh]:
Home directory [/home/ansible]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password: router2
Enter password again: router2
Lock out the account after creation? [no]:
Username   : ansible
Password   : *****
Full Name  : ansible python
Uid        : 1002
Class      :
Groups     : ansible
Home       : /home/ansible
Home Mode  :
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ansible) to the user database.
Add another user? (yes/no): no
Goodbye!
Now, test the SSH connection as the ansible user.
root@ns6:~ # ssh ansible@192.168.5.2
(ansible@192.168.5.2) Password: router2
ansible@ns6:~ $
It worked: the account can log in with its password. This password login is only needed to install the SSH key in the next step. Once key authentication works, Ansible logs in without a password, and on the managed hosts you can then set PasswordAuthentication no in /etc/ssh/sshd_config so that the password shown above can no longer be used remotely.

Ansible can issue ad-hoc commands from the command line to remote systems; the usual first check is the ping module, which is run in section 5 once key-based login is in place.

Next, generate an SSH key pair for the user "ansible" and install its public half in authorized_keys on the target. An Ed25519 key is used here (the fingerprint and randomart below belong to an Ed25519 key), and it gets a passphrase, because this private key grants login to every managed host.
ansible@ns6:~ $ mkdir .ssh
ansible@ns6:~ $ cd .ssh
ansible@ns6:~/.ssh $ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): router1
Enter same passphrase again: router1
Your identification has been saved in /home/ansible/.ssh/id_ed25519
Your public key has been saved in /home/ansible/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:Pa5Geb77fWsdOW8ss8D5UIDcPaXntG++q0kimfchlTk ansible@ns6
The key's randomart image is:
+--[ED25519 256]--+
|                .|
|         . o . o |
|          o o + o|
|         .   .o=.|
|        S.o  E..o|
|        o.+o.o.+.|
|       . *.+=o .B|
|        ..+ ===+*|
|       .. o+.+*X=|
+----[SHA256]-----+
ansible@ns6:~/.ssh $
In this lab the control node and the managed host are the same machine (192.168.5.2 is ns6), so the public key is appended to the ansible user's own authorized_keys; for real targets, substitute each host's address. The host key fingerprint shown at the prompt should be compared with the target's /etc/ssh/ssh_host_ed25519_key.pub (or a fingerprint obtained out of band) before answering "yes"; accepting it blindly is what lets a spoofed host collect the password.
ansible@ns6:~/.ssh $ cat ~/.ssh/id_ed25519.pub | ssh ansible@192.168.5.2 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
The authenticity of host '192.168.5.2 (192.168.5.2)' can't be established.
ED25519 key fingerprint is SHA256:WpdCFPbgIgcvkDmCr8Cw1XWvU9Yej73honnnS34YsP8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.2' (ED25519) to the list of known hosts.
(ansible@192.168.5.2) Password: router2
ansible@ns6:~/.ssh $
Then use ssh-add to load the private key into the authentication agent so the passphrase is not requested on every connection. Note that the form used here, ssh-agent sh -c '...', starts an agent only for the lifetime of that one command: the identity is gone as soon as the sub-shell exits, which is why the passphrase is prompted again in section 5. To keep the key loaded for the whole session, start the agent in the current shell instead (eval the output of ssh-agent -s) and then run ssh-add.
ansible@ns6:~/.ssh $ ssh-agent sh -c 'ssh-add /usr/home/ansible/.ssh/id_ed25519'
Enter passphrase for /usr/home/ansible/.ssh/id_ed25519: router1
Identity added: /usr/home/ansible/.ssh/id_ed25519 (ansible@ns6)
ansible@ns6:~/.ssh $
Finally, fix ownership and permissions. With the default StrictModes yes, sshd ignores an authorized_keys file if the file or the ~/.ssh directory is writable by anyone other than the owner, and login silently falls back to password authentication.
ansible@ns6:~ $ chown -R ansible:ansible /usr/home/ansible/.ssh
ansible@ns6:~ $ chmod 0700 /usr/home/ansible/.ssh
ansible@ns6:~ $ chmod 0600 /usr/home/ansible/.ssh/authorized_keys
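The authorized_keys steps above (append the key, then fix the modes) as one idempotent POSIX sh function, added here as an example that is not part of the original article. It also shows the authorized_keys from= option, which limits the key to logins coming from a given address pattern so a copied private key is useless from anywhere else; the 192.168.5.0/24 pattern used when exercising it is an assumption chosen to match the lab network, and the public key in the test is constructed, not a real deployed key.

```shell
#!/bin/sh
# install_authorized_key.sh (added example): install one public key for a user
# with the ownership and modes sshd's StrictModes requires, idempotently, and
# optionally restrict where the key may be used from with a from= option.
# Usage: install_authorized_key HOME_DIR PUBKEY_FILE [FROM_PATTERN]

# Extract "type base64" from an OpenSSH .pub file, dropping the comment so that
# re-running with a renamed key file does not add a duplicate line.
key_material() {
  awk 'NF >= 2 { print $1 " " $2; exit }' "$1"
}

install_authorized_key() {
  home=$1
  pub=$2
  from=${3:-}
  key=$(key_material "$pub")
  if [ -z "$key" ]; then
    echo "no public key found in $pub" >&2
    return 1
  fi
  line=$key
  if [ -n "$from" ]; then
    line="from=\"$from\" $key"
  fi
  # Create the directory and file under a restrictive umask so they are never
  # group- or world-readable, not even briefly before the chmod below.
  ( umask 077 && mkdir -p "$home/.ssh" && touch "$home/.ssh/authorized_keys" )
  if grep -qF -- "$key" "$home/.ssh/authorized_keys"; then
    echo "key already present in $home/.ssh/authorized_keys"
  else
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    echo "key installed in $home/.ssh/authorized_keys"
  fi
  # sshd ignores authorized_keys if the file or ~/.ssh is writable by others.
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
}

# mode_of PATH: permission string such as drwx------ (works with BSD and GNU ls)
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Command-line use: install_authorized_key.sh /home/ansible id_ed25519.pub [192.168.5.0/24]
[ $# -lt 2 ] || install_authorized_key "$@"
```

When run as root on behalf of another user, follow it with the chown shown in the article so the files belong to that user; StrictModes also rejects a directory owned by someone else.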


5. Ansible Bootstrap Python

Ansible's only requirement on a managed host is a working Python interpreter. FreeBSD does not ship one in the base system, so every target needs the python39 package (or another supported version) before regular modules can run. Installing it by hand is fine for a handful of machines, but not for a fleet of targets that do not have Python yet.

To solve this chicken-and-egg problem, Ansible provides the raw module: it runs a literal command over SSH with none of the usual module abstractions and needs no Python on the far end, so it can be used to install the interpreter itself (pkg needs root, so this requires become). Once Python is present, the ping module confirms that Ansible can actually execute modules on the target. Note that ping is a regular module, not raw mode; it is the first real module test. The passphrase prompt below appears because the one-shot agent started in section 4 has already exited:
ansible@ns6:~/.ssh $ ansible all -m ping
The authenticity of host 'ns6 (192.168.5.2)' can't be established.
ED25519 key fingerprint is SHA256:WpdCFPbgIgcvkDmCr8Cw1XWvU9Yej73honnnS34YsP8.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: 192.168.5.2
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Enter passphrase for key '/home/ansible/.ssh/id_ed25519': router1
ns6 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ansible@ns6:~/.ssh $
Once the ping succeeds, Ansible is fully set up and can use other modules and playbooks. SSH already encrypts all traffic between the control machine and the targets; the key exchange in section 4 is about authentication, so that logins need no password and, with the key loaded in an agent, no repeated passphrase prompts either.
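The raw-module bootstrap described above, as an added example that is not part of the original article: a POSIX sh wrapper that checks each host for the interpreter with the raw module, installs the python39 package only where it is missing, and re-checks before reporting success. It assumes the ansible user can escalate to root with sudo on the targets (pkg needs root, and become configuration is not covered on this page) and that the interpreter path matches ansible_python_interpreter in the inventory; the ANSIBLE variable exists so the ansible command can be replaced by a stub when testing the logic without real hosts.

```shell
#!/bin/sh
# bootstrap_python.sh (added example): install the Python interpreter Ansible
# needs on FreeBSD targets that do not have it yet, using the raw module, which
# runs a literal command over SSH and needs no Python on the far end.
# Assumptions: the remote user can become root via sudo (not configured on
# this page), and PYTHON_BIN matches ansible_python_interpreter in the inventory.
ANSIBLE=${ANSIBLE:-ansible}                        # ansible CLI (stubbed in tests)
PYTHON_PKG=${PYTHON_PKG:-python39}                 # FreeBSD package to install
PYTHON_BIN=${PYTHON_BIN:-/usr/local/bin/python3.9} # path that package provides

# has_python HOST: succeeds if the interpreter is executable on HOST.
has_python() {
  "$ANSIBLE" "$1" -m raw -a "test -x $PYTHON_BIN" >/dev/null 2>&1
}

# install_python HOST: install the package as root; -y keeps pkg non-interactive.
install_python() {
  "$ANSIBLE" "$1" -m raw --become -a "pkg install -y $PYTHON_PKG" >/dev/null 2>&1
}

# bootstrap HOST...: prints one "<host>: present|installed|FAILED" line per host
# and returns 1 if any host could not be brought to a working state.
bootstrap() {
  failed=0
  for host in "$@"; do
    if has_python "$host"; then
      echo "$host: present"
    elif install_python "$host" && has_python "$host"; then
      echo "$host: installed"
    else
      echo "$host: FAILED"
      failed=1
    fi
  done
  return $failed
}

# Command-line use: bootstrap_python.sh ns6 ns7 ...  (hosts or groups from the inventory)
[ $# -eq 0 ] || bootstrap "$@"
```

Checking before installing keeps the script safe to re-run, and re-checking after pkg turns a silent install failure (no network, wrong repository, sudo denied) into an explicit FAILED line rather than a confusing module error on the next playbook.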

A common task is transferring files from the control node to remote systems: configuration files, templates, or any other data. Ansible copies files to many machines in parallel over the SSH connection (SFTP by default, falling back to SCP). The copy module requires the source and destination as parameters.
ansible@ns6:~ $ ansible ns6 -m copy -a "src=/usr/local/etc/ansible/hosts dest=/usr/home/ansible"
BECOME password: router1
ns6 | CHANGED => {
    "changed": true,
    "checksum": "9186f375eff9eb4b884c50f157e5d9973db8002b",
    "dest": "/usr/home/ansible/hosts",
    "gid": 1002,
    "group": "ansible",
    "md5sum": "aff4eaca42fb7821d748b4b2b98f8d75",
    "mode": "0644",
    "owner": "ansible",
    "size": 529,
    "src": "/home/ansible/.ansible/tmp/ansible-tmp-1701429314.8753471-2935-107761807460326/source",
    "state": "file",
    "uid": 1002
}
ansible@ns6:~ $

There are many other useful things associated with Ansible that were not even considered in this post. I encourage you to look at the Ansible documentation as it is quite complete and understandable, and details the true capabilities of the Ansible automation framework. In addition, having a pattern and standards associated with how to construct Ansible playbooks, share code, audit actions, etc. is essential to ensuring the integrity of your resources and cleanliness of your Ansible code. Organization of your code, grouping of your hosts, and least-privileged access are just some components that will be most critical to mass adoption of the Ansible framework while being able to maintain the integrity of your environments.
Iwan Setiawan
