Using Ansible

Source: Imre kasutab arvutit

Introduction

TODO

How it works

TODO

Installation

The system must have Python 3.8 or newer and pip; they are installed with e.g.

# apt-get install python3 python3-pip

Then Ansible is installed as a regular user

# su - imre
$ python3 -m pip install --user ansible

As a result, Ansible itself and a number of its libraries are available, e.g.

$ /home/imre/.local/bin/ansible --version
ansible [core 2.12.1]
  config file = None
  configured module search path = ['/home/imre/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/imre/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/imre/.ansible/collections:/usr/share/ansible/collections
  executable location = .local/bin/ansible
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
  jinja version = 3.0.3
  libyaml = True

Usage

Managing computers over the network

To manage computers over the network, there must be trust between the Ansible computer and the managed computers, e.g. by means of SSH keys

$ ssh imre@192.168.110.213 uptime
 12:13:05 up 27 days,  9:09,  1 user,  load average: 0.00, 0.00, 0.00

Then a text file filled with computer names (or IP addresses) can be used (the so-called inventory file)

$ cat inventory 
[target]
192.168.110.213

and e.g. a playbook YAML file like this

$ cat playbook.yml 
---
- hosts: all
  tasks:
    - name: Hello World!
      command: "df -t ext4 -h -T"
      register: kasuvaljund
      
    - debug: msg="{{ kasuvaljund.stdout_lines }}"

Running Ansible looks like this

$ /home/imre/.local/bin/ansible-playbook -i inventory playbook.yml 
PLAY [all] **********************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************
ok: [192.168.110.213]

TASK [Hello World!] *************************************************************************************************
changed: [192.168.110.213]

TASK [debug] ********************************************************************************************************
ok: [192.168.110.213] => {
    "msg": [
        "Filesystem              Type  Size  Used Avail Use% Mounted on",
        "/dev/mapper/system-root ext4  5.5G  1.2G  4.1G  23% /",
        "/dev/vda1               ext4  464M   63M  373M  15% /boot"
    ]
}

PLAY RECAP **********************************************************************************************************
192.168.110.213            : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

TODO

$ cat moraal.yml 
www-1a.moraal.ee
www-1b.moraal.ee
$ ansible all -i moraal.yml --list-hosts
  hosts (2):
    www-1a.moraal.ee
    www-1b.moraal.ee

Configuring a FortiGate firewall

It turns out that the libraries needed for configuring a FortiGate firewall exist for Ansible. E.g. with an inventory file like this

$ cat hosts 
[fortigates]
fortigate01 ansible_host=192.168.10.76 ansible_user="admin" ansible_password="parool"

[fortigates:vars]
ansible_network_os=fortinet.fortios.fortios

and a playbook like this, the device name can be changed

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
   - name: Configure global attributes.
     fortios_system_global:
        system_global:
            hostname: 'CustomHostName'

To make the change, run

$ /home/imre/.local/bin/ansible-playbook -i hosts playbook-fortigate.yml
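
An added example, not part of the original page: a small Python check that flags the two weak connection settings in the inventory and playbook above, the plaintext `ansible_password` and `ansible_httpapi_validate_certs: no`. The hardened variant and the variable name `vault_fortigate_password` are assumptions constructed for illustration.

```python
import re

# key=value (INI inventory) or key: value (YAML vars); the value may be quoted.
PAIR = re.compile(r'\b(\w+)\s*[=:]\s*("[^"]*"|\'[^\']*\'|\S+)')
SECRET_KEYS = {"ansible_password", "ansible_ssh_pass", "ansible_become_password"}
MUST_BE_TRUE = {
    "ansible_httpapi_validate_certs": "TLS certificate of the device is not verified",
    "ansible_httpapi_use_ssl": "API traffic, including credentials, goes over plain HTTP",
}
FALSY = {"no", "false", "off", "0", "n", "f"}  # spellings Ansible treats as false

def audit(text):
    """Return (line_number, key, problem) tuples for weak connection settings."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        for key, raw in PAIR.findall(line):
            value = raw.strip("\"'")
            if key in SECRET_KEYS:
                # A Jinja reference or a !vault tag points at an encrypted value.
                if "{{" not in value and not value.startswith("!vault"):
                    findings.append((number, key, "secret stored in plaintext"))
            elif key in MUST_BE_TRUE and value.lower() in FALSY:
                findings.append((number, key, MUST_BE_TRUE[key]))
    return findings

# The page's inventory host line and playbook vars, concatenated.
PAGE_CONFIG = '''\
[fortigates]
fortigate01 ansible_host=192.168.10.76 ansible_user="admin" ansible_password="parool"
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
'''

# Constructed variant: the password is read from a variable kept in an
# ansible-vault encrypted file (hypothetical name vault_fortigate_password).
HARDENED_CONFIG = '''\
[fortigates]
fortigate01 ansible_host=192.168.10.76 ansible_user="admin" ansible_password="{{ vault_fortigate_password }}"
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: yes
'''

if __name__ == "__main__":
    for number, key, problem in audit(PAGE_CONFIG):
        print(f"line {number}: {key}: {problem}")
```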

To create address objects

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
   - name: Configure global attributes.
     fortios_system_global:
        system_global:
            hostname: 'CustomHostName'

   - name: fortios_firewall_address_11
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_11
         subnet: 11.11.11.0 255.255.255.0
         type: ipmask            

   - name: fortios_firewall_address_12
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_12
         subnet: 11.11.12.12 255.255.255.255
         type: ipmask         

To create policy objects

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
   - name: fortios_firewall_address_11
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_11
         subnet: 11.11.11.0 255.255.255.0
         type: ipmask            

   - name: fortios_firewall_address_12
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_12
         subnet: 11.11.12.12 255.255.255.255
         type: ipmask  

   - name: fortios_firewall_policy_11
     fortios_firewall_policy:
       state: present
       firewall_policy:
         action: accept
         dstaddr:
           - name: "dst_imre_11"
         dstintf:
           - name: "lan"
         name: dst_imre_policy_11
         schedule: always
         service:
           - name: "HTTP"
         srcaddr:
           - name: "all"
         srcintf:
           - name: "lan5"
         status: enable
         policyid: 1

   - name: fortios_firewall_policy_12
     fortios_firewall_policy:
       state: present
       firewall_policy:
         action: accept
         dstaddr:
           - name: "dst_imre_12"
         dstintf:
           - name: "lan"
         name: dst_imre_policy_12
         schedule: always
         service:
           - name: "PING"
         srcaddr:
           - name: "all"
         srcintf:
           - name: "lan5"
         status: enable
         policyid: 2

To change the order of policy rules

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443

  tasks:
   - name: fortios_firewall_policy_move
     fortios_firewall_policy:
       action: move
       self: "2"
       before: "1"

TODO

Useful additional materials

Ansible Galaxy

TODO

Useful additional materials

Useful additional materials