Ansible

0

Ansible Error – “NSPlaceholderDate initialize may have been in progress in another thread when fork() was called”

Posted on by rafpe

If you have came across the same error as I did  ( error below ) then solving this might be easier than you think

TASK [Test credstash lookup plugin -- get the password with a context defined here] ***********************************************************************************************************************************************************************************************
objc[6763]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called.
objc[6763]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.

You just need to run the following ( https://github.com/ansible/ansible/issues/31869 )

export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES

 

 

1

Redhat 7 – LDAP authentication using Ansible

Posted on by rafpe

Hey! Recently along with Sanderv32 we have been trying to get LDAP authentication working on Redhat machines. I must admit that we have spent some quite looking for more structured and decent information how to get this working. However up to our surprise information were completely inaccurate or outdated.

So without big delays we have decided to tackle this challenge using Ansible. Of course first attempts were just to get the idea working. As we were moving our playbook were growing to reach stage at which we could deploy LDAP authentication mechanism to all of our RedHat 7 systems

Below is the output of the runbook being used:

    - name: "LDAP Authentication | Install the required packages"
      yum: >
        name="{{item}}"
        state=present
      with_items:
        - "nss-pam-ldapd"
        - "oddjob"
        - "oddjob-mkhomedir"
      tags:
        - "ldap"
        - "packages"
        - "packages_ldap"

    - name: "LDAP Authentication | Ensure services are running"
      service:
          name={{item}}
          enabled=yes
          state=started
      with_items:
        - "nscd"
        - "nslcd"
        - "oddjobd"
      register: services_ldap
      tags:
        - "ldap"
        - "services_ldap"

    - name: "Debug | Display results"
      debug: msg="{{services_ldap.results}}"
      tags:
        - "ldap"

    - name: "LDAP Authentication | Enable LDAP PAM modules"
      command: "authconfig --enableldap --enableldapauth --enablemkhomedir --update"
      tags:
        - "ldap"

    - name: "LDAP Authentication | Adding configuration templates"
      template: >
        src="templates/{{item}}.j2"
        dest="/etc/{{item}}"
      with_items:
        - "nslcd.conf"
      tags:
        - "ldap"
        - "repository"
        - "repository_ldap"
      notify:
        - restart services ldap

And associated handler

---
  - name: "restart services ldap"
    service: >
      name="{{item.name}}" 
      state=restarted
    with_items: services_ldap.results
    tags:
      - "ldap"
      - "services_ldap"

 

In the above I have highlighted the part which we use to template NLSCD config file. The file contents are completely overwritten so make sure you adjust it to your needs.

This template has been used to connect to Active Directory with dedicated bind user and modified pagesize ( so our results are not trimmed )

# {{ ansible_managed }}
uid nslcd
gid ldap

uri {{ ldap.uri }}
base {{ ldap.basedn }}
binddn {{ ldap.binduser }}
bindpw {{ ldap.binduserpw }}
scope sub
tls_reqcert allow

pagesize 10000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
map    passwd loginShell       "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)


ssl no
tls_cacertdir /etc/openldap/cacerts

 

 

Thats it folks! If it would not work with you please leave some comments as this is used to make sure we have means of using LDAP auth on Linux boxes

 

0

Ansible – Using template lookup

Posted on by rafpe

For some of actions / modules / roles it might be that you would like to use your Jinja template as variable. I have been looking some time for this lookup module. Therefore to save you from crawling over internet this is how could you use it

Example of Jinja template

  location ~ \.php$ {
    try_files $uri =404;
    root           /var/www/htdocs/;
    fastcgi_pass   unix:/var/run/php65-php-fpm.sock;
    fastcgi_intercept_errors        on;
    fastcgi_buffers 256 16k;
    fastcgi_max_temp_file_size 0;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;

    {% if env is defined and env=="testos" %}
    auth_basic           "Ninja Test ";
    auth_basic_user_file {{ nginx_basic_auth }} ;
    {% endif %}
  }

And then within our playbook we define it as following

---
- name: Testing
  hosts: localhost
  vars:
    - blabla: "Testing123"
    - testing: "{{ lookup('template', 'template.j2') }}"

  tasks:
  - debug: msg="{{testing}}"

 

Are you using this in other way ? Comment whats your approach 🙂

0

Ansible – Using dictionary to deploy pem certificates

Posted on by rafpe

When automating certificate deployments I wanted to have smart way of deploying them. So I went ahead and decided to use dictionaries.

For this example my variables looked more like as following :

ssl_certificates:
    domain_uno_com:
      owner: haproxy
      group: haproxy
      mode: "u=r,go="
      certificate: |
                                              -----BEGIN CERTIFICATE-----
                                              dslkajfafak234h23o4h32jkh43jqtghkjafhads;fhd89fuad9f6a8s7f6adsf
                                              < ..................... bogus info uno ...................... >
                                              yjEdslkajfafak234h23o4h32jkh43jZlcmlTaWduLCBJbmMuMR8wHQYDVQQL23
                                                -----END CERTIFICATE-----
      key: |
                                              -----BEGIN PRIVATE KEY-----
                                              dslkajfafak234h23o4h32jkh43jqtghkjafhads;fhd89fuad9f6a8s7f6adsf
                                              < ..................... bogus info uno ...................... >
                                              yjEdslkajfafak234h23o4h32jkh43jZlcmlTaWduLCBJbmMuMR8wHQYDVQQL23
                                              Edslkajfafak234h==
                                              -----END PRIVATE KEY-----
      
    domain_duo_com:
      owner: haproxy
      group: haproxy
      mode: "u=r,go="
      certificate: |
                                              -----BEGIN CERTIFICATE-----
                                              dslkajfafak234h23o4h32jkh43jqtghkjafhads;fhd89fuad9f6a8s7f6adsf
                                              < ..................... bogus info duo ...................... >
                                              yjEdslkajfafak234h23o4h32jkh43jZlcmlTaWduLCBJbmMuMR8wHQYDVQQL23
                                                -----END CERTIFICATE-----
      key: |
                                              -----BEGIN PRIVATE KEY-----
                                              dslkajfafak234h23o4h32jkh43jqtghkjafhads;fhd89fuad9f6a8s7f6adsf
                                              < ..................... bogus info duo ...................... >
                                              yjEdslkajfafak234h23o4h32jkh43jZlcmlTaWduLCBJbmMuMR8wHQYDVQQL23
                                              Edslkajfafak234h==
                                              -----END PRIVATE KEY-----

 

Once we have that within our playbook we will be using the following actions to create ourselves pem files

       - name: SSL certificates Web | Create certificate key files
         copy:
           dest: "{{web_ssl_folder}}/{{ item.key.replace('_','.') }}.pem"
           content: "{{ item.value.certificate + '\n' + item.value.key }}"
           owner: "{{ item.value.owner }}"
           group: "{{ item.value.group }}"
           mode: "{{ item.value.mode }}"
         with_dict: ssl_certificates
         no_log: true

 

Now when we run our playbook what will happen is we will get within folder defined under web_ssl_folder  new certificates called respectively domain.uno.com.pem and domain.duo.com.pem.

Of course if you add more entries you will get more created. So for you the only thing to change from here is the owner and possibly the rights ( although think twice 🙂 )

0

Ansible – IP addresses of all nodes in group

Posted on by rafpe

I have been searching this for a while especially when I was setting up GlusterFS. Challenge of getting all IPs of hosts within my group of ansible.

Maybe not the prettiest and elegant solution however does perfectly what is it expected from. Sets variable of IP addresses ( in my example I’m using eth0 address of IPv4 ) and join them into comma seperated result.

 

 

If you have a better approach – please leave a comment as I’m quite interested to read how you tackle this challenge 🙂