Using Ansible: difference between revisions

Source: Imre kasutab arvutit

Last revision: 3 October 2022, 01:54

Introduction

TODO

How it works

TODO

Installation

The system must have Python 3.8 or newer and pip; installation is done e.g. with

# apt-get install python3 pip

Then the Ansible software is installed as a regular user

# su - imre
$ python3 -m pip install --user ansible

As a result, Ansible itself and a number of its libraries are usable, e.g.

$ /home/imre/.local/bin/ansible --version
ansible [core 2.12.1]
  config file = None
  configured module search path = ['/home/imre/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/imre/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/imre/.ansible/collections:/usr/share/ansible/collections
  executable location = .local/bin/ansible
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
  jinja version = 3.0.3
  libyaml = True

Usage

Controlling computers over the network

To control computers over the network there must be a trust relationship between the Ansible computer and the managed computers, e.g. by means of SSH keys

$ ssh imre@192.168.110.213 uptime
 12:13:05 up 27 days,  9:09,  1 user,  load average: 0.00, 0.00, 0.00

After that, a text file filled with computer names (or IP addresses), the so-called inventory file, is used

$ cat inventory
[target]
192.168.110.213

and e.g. a playbook yml file like this

$ cat playbook.yml
---
- hosts: all
  tasks:
    - name: Hello World!
      command: "df -t ext4 -h -T"
      register: kasuvaljund
      
    - debug: msg="{{ kasuvaljund.stdout_lines }}"

Running Ansible looks like this

$ /home/imre/.local/bin/ansible-playbook -i inventory playbook.yml
PLAY [all] **********************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************
ok: [192.168.110.213]

TASK [Hello World!] *************************************************************************************************
changed: [192.168.110.213]

TASK [debug] ********************************************************************************************************
ok: [192.168.110.213] => {
    "msg": [
        "Filesystem              Type  Size  Used Avail Use% Mounted on",
        "/dev/mapper/system-root ext4  5.5G  1.2G  4.1G  23% /",
        "/dev/vda1               ext4  464M   63M  373M  15% /boot"
    ]
}

PLAY RECAP **********************************************************************************************************
192.168.110.213            : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

TODO

$ cat moraal.yml 
www-1a.moraal.ee
www-1b.moraal.ee
$ ansible all -i moraal.yml --list-hosts
  hosts (2):
    www-1a.moraal.ee
    www-1b.moraal.ee

Configuring a FortiGate firewall

It turns out that the libraries needed for configuring a FortiGate firewall exist for Ansible. E.g. with an inventory file like this

$ cat hosts
[fortigates]
fortigate01 ansible_host=192.168.10.76 ansible_user="admin" ansible_password="parool"

[fortigates:vars]
ansible_network_os=fortinet.fortios.fortios
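The inventory files on this page come in two shapes: the plain host-per-line file (moraal.yml, listed with --list-hosts above) and the [group] file with a [group:vars] section shown here for the FortiGate. The FortiGate file also stores ansible_password in the clear, which a practitioner would normally move into Ansible Vault. The following script is an added example, not code from this page nor from Ansible: it parses both inventory shapes, reproduces what `ansible <pattern> -i <file> --list-hosts` prints for the simple patterns "all", a group name or a host name, and reports credential variables kept in plaintext. Host names, addresses and the password are constructed sample values; [group:children] sections are deliberately not supported.

```python
"""Parse Ansible's INI-style inventory and lint it for inline secrets.

Added example for this page; it is not code from the wiki page nor from
Ansible. It covers the two inventory shapes shown on the page, an
ungrouped host-per-line file and a [group] file with a [group:vars]
section, reproduces what `ansible <pattern> -i <file> --list-hosts`
prints for the simple patterns, and reports credential variables such
as ansible_password stored in plaintext. Host names and addresses are
constructed; 'children' sections are deliberately not supported.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample inventories (not copied from any real environment).
UNGROUPED_INVENTORY = """\
www-1a.example.test
www-1b.example.test
"""

GROUPED_INVENTORY = """\
[fortigates]
fortigate01 ansible_host=192.0.2.76 ansible_user="admin" ansible_password="parool"

[fortigates:vars]
ansible_network_os=fortinet.fortios.fortios
"""

# Inventory variables that carry credentials and belong in Ansible Vault
# (or a lookup into a secrets store), never in a plain inventory file.
SECRET_VARS = {"ansible_password", "ansible_ssh_pass",
               "ansible_become_password", "ansible_become_pass"}

SECTION_RE = re.compile(r"\[([^\]:]+)(?::(vars|children))?\]")


@dataclass
class Inventory:
    hosts: dict = field(default_factory=dict)       # host -> host vars
    groups: dict = field(default_factory=dict)      # group -> [hosts]
    group_vars: dict = field(default_factory=dict)  # group -> vars


def parse_inventory(text: str) -> Inventory:
    """Build an Inventory from INI-style inventory text."""
    inv = Inventory()
    group, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            group, kind = m.group(1), m.group(2) or "hosts"
            if kind == "children":
                raise ValueError("[group:children] sections are not supported here")
            inv.groups.setdefault(group, [])
            continue
        if kind == "vars":
            key, _, value = line.partition("=")
            inv.group_vars.setdefault(group, {})[key.strip()] = value.strip()
            continue
        # A host line: name followed by optional key=value pairs; shlex
        # strips the quotes around values such as ansible_user="admin".
        tokens = shlex.split(line)
        host, hostvars = tokens[0], inv.hosts.setdefault(tokens[0], {})
        for pair in tokens[1:]:
            key, _, value = pair.partition("=")
            hostvars[key] = value
        inv.groups.setdefault(group, []).append(host)
    return inv


def list_hosts(inv: Inventory, pattern: str = "all") -> list:
    """Hosts matched by 'all', a group name or a single host name."""
    if pattern == "all":
        return list(inv.hosts)
    if pattern in inv.groups:
        return list(inv.groups[pattern])
    return [pattern] if pattern in inv.hosts else []


def find_plaintext_secrets(inv: Inventory) -> list:
    """(scope, variable) pairs for every credential stored in the clear."""
    findings = []
    for host, hv in inv.hosts.items():
        findings += [(f"host:{host}", k) for k in hv if k in SECRET_VARS]
    for group, gv in inv.group_vars.items():
        findings += [(f"group:{group}", k) for k in gv if k in SECRET_VARS]
    return findings


if __name__ == "__main__":
    for text in (UNGROUPED_INVENTORY, GROUPED_INVENTORY):
        inv = parse_inventory(text)
        print("hosts (%d):" % len(list_hosts(inv)), list_hosts(inv))
        for scope, var in find_plaintext_secrets(inv):
            print(f"WARNING: {var} stored in plaintext at {scope}; use ansible-vault")
```

Run as a script it prints the host list for each sample inventory and one warning for the FortiGate host. The same review applies to the playbook that follows: `ansible_httpapi_validate_certs: no` turns off TLS certificate checking on the management connection, so the device's certificate (or a trusted CA) should be installed on the control node and that setting changed to yes once the lab stage is over.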

and with a playbook like this the device name can be changed

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
   - name: Configure global attributes.
     fortios_system_global:
        system_global:
            hostname: 'CustomHostName'

To make the change, run

$ /home/imre/.local/bin/ansible-playbook -i hosts playbook-forti-change-name.yml

To create address objects

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
   - name: Configure global attributes.
     fortios_system_global:
        system_global:
            hostname: 'CustomHostName'

   - name: fortios_firewall_address_11
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_11
         subnet: 11.11.11.0 255.255.255.0
         type: ipmask            

   - name: fortios_firewall_address_12
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_12
         subnet: 11.11.12.12 255.255.255.255
         type: ipmask         

To create policy objects

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
   - name: fortios_firewall_address_11
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_11
         subnet: 11.11.11.0 255.255.255.0
         type: ipmask            

   - name: fortios_firewall_address_12
     fortios_firewall_address:
       state: present
       firewall_address:
         name: dst_imre_12
         subnet: 11.11.12.12 255.255.255.255
         type: ipmask  

   - name: fortios_firewall_policy_11
     fortios_firewall_policy:
       state: present
       firewall_policy:
         action: accept
         dstaddr:
           - name: "dst_imre_11"
         dstintf:
           - name: "lan"
         name: dst_imre_policy_11
         schedule: always
         service:
           - name: "HTTP"
         srcaddr:
           - name: "all"
         srcintf:
           - name: "lan5"
         status: enable
         policyid: 1

   - name: fortios_firewall_policy_12
     fortios_firewall_policy:
       state: present
       firewall_policy:
         action: accept
         dstaddr:
           - name: "dst_imre_12"
         dstintf:
           - name: "lan"
         name: dst_imre_policy_12
         schedule: always
         service:
           - name: "PING"
         srcaddr:
           - name: "all"
         srcintf:
           - name: "lan5"
         status: enable
         policyid: 2

To change the order of policy rules

$ cat playbook-fortigate.yml
- hosts: fortigate01
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443

  tasks:
   - name: fortios_firewall_policy_move
     fortios_firewall_policy:
       action: move
       self: "2"
       before: "1"
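The three playbooks above form one procedure: create the address objects, create the policies that reference them, then reorder the policies with `action: move`. Before pushing such a set to a firewall it is worth checking it offline, because a dangling address reference, a subnet with host bits set under its mask, or a duplicate policy ID only shows up when the device rejects the task. The script below is an added example, not code from this page nor from the fortinet.fortios collection: it models the page's objects as plain dicts (constructed sample data), validates them, flags an accept policy between "all" and "all", and reproduces the effect of the move task (`self: "2"`, `before: "1"`) on the policy order.

```python
"""Pre-flight checks for FortiGate address and policy objects, plus the
'move' reordering.

Added example for this page; it is not code from the wiki page nor from
the fortinet.fortios collection. The objects below are plain dicts
modelled on the page's playbook tasks (constructed sample data). The
checks catch what the device would reject or silently accept: an
ipmask subnet whose host bits are set, duplicate policy IDs, a
srcaddr/dstaddr naming an address object that was never created (the
built-in "all" is allowed), and an accept policy between "all" and
"all". apply_move() reproduces the effect of the page's
`action: move` task with `self` and `before`/`after`.
"""
import ipaddress

ADDRESSES = [
    {"name": "dst_imre_11", "type": "ipmask", "subnet": "11.11.11.0 255.255.255.0"},
    {"name": "dst_imre_12", "type": "ipmask", "subnet": "11.11.12.12 255.255.255.255"},
]

POLICIES = [
    {"policyid": 1, "name": "dst_imre_policy_11", "action": "accept",
     "srcintf": ["lan5"], "dstintf": ["lan"], "srcaddr": ["all"],
     "dstaddr": ["dst_imre_11"], "service": ["HTTP"], "status": "enable"},
    {"policyid": 2, "name": "dst_imre_policy_12", "action": "accept",
     "srcintf": ["lan5"], "dstintf": ["lan"], "srcaddr": ["all"],
     "dstaddr": ["dst_imre_12"], "service": ["PING"], "status": "enable"},
]

BUILTIN_ADDRESSES = {"all"}  # address objects FortiOS provides out of the box


def parse_ipmask(subnet: str) -> ipaddress.IPv4Network:
    """'11.11.11.0 255.255.255.0' -> IPv4Network; ValueError if host bits are set."""
    addr, mask = subnet.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)


def validate(addresses: list, policies: list) -> list:
    """Return human-readable problems; an empty list means the set is consistent."""
    problems = []
    known = set(BUILTIN_ADDRESSES)
    for a in addresses:
        if a["name"] in known:
            problems.append(f"address {a['name']}: duplicate or reserved name")
        known.add(a["name"])
        if a.get("type") != "ipmask":
            continue  # only ipmask subnets are checked here
        try:
            parse_ipmask(a["subnet"])
        except ValueError as exc:
            problems.append(f"address {a['name']}: bad subnet {a['subnet']!r} ({exc})")
    seen_ids = set()
    for p in policies:
        if p["policyid"] in seen_ids:
            problems.append(f"policy {p['name']}: duplicate policyid {p['policyid']}")
        seen_ids.add(p["policyid"])
        for side in ("srcaddr", "dstaddr"):
            for ref in p[side]:
                if ref not in known:
                    problems.append(f"policy {p['name']}: {side} references undefined address {ref!r}")
        if p["action"] == "accept" and "all" in p["srcaddr"] and "all" in p["dstaddr"]:
            problems.append(f"policy {p['name']}: accepts traffic from all to all; review before applying")
    return problems


def apply_move(policies: list, self_id: int, before: int = None, after: int = None) -> list:
    """Reorder like the module's move action; returns the resulting policy ID order."""
    order = [p["policyid"] for p in policies]
    if self_id not in order:
        raise ValueError(f"policy {self_id} is not in the set")
    if (before is None) == (after is None):
        raise ValueError("give exactly one of before= or after=")
    order.remove(self_id)
    anchor = before if before is not None else after
    if anchor not in order:
        raise ValueError(f"anchor policy {anchor} is not in the set")
    order.insert(order.index(anchor) + (0 if before is not None else 1), self_id)
    return order


if __name__ == "__main__":
    for problem in validate(ADDRESSES, POLICIES) or ["no problems found"]:
        print(problem)
    # Same effect as the page's move task: self "2" before "1".
    print("policy order after move:", apply_move(POLICIES, 2, before=1))
```

The page's objects pass the checks, and the move yields the order [2, 1], i.e. the PING policy is evaluated before the HTTP policy. FortiGate evaluates policies top-down and stops at the first match, so the order check matters as much as the content check when a broad policy sits above a narrow one.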

TODO

Useful additional materials

* https://docs.ansible.com/ansible/latest/collections/fortinet/index.html
* https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/

Ansible Galaxy

TODO

Useful additional materials

* https://linuxhint.com/using_ansible_galaxy/

Useful additional materials