Guided Exercise: Safeguarding Sensitive Data with Ansible Vault

In this exercise, you will use Ansible Vault to add encrypted passwords to existing group variables files. Then you will delete these files and replace them with fully encrypted ones. You will subsequently rekey the encrypted files. You will then view the contents of the encrypted files and edit an encrypted file.

Outcomes

You should be able to:

  • Encrypt a plain text file and create a new encrypted file.

  • Change the Vault password of your encrypted files.

  • View the contents of an encrypted file.

  • Edit an encrypted file.

Open a terminal window on the workstation VM.

  1. Prepare a working directory for this guided exercise.

    1. Create a directory named ge4-1/ and change into it.

      [student@workstation ~]$ mkdir ge4-1
      [student@workstation ~]$ cd ge4-1
    2. Download the ansible.cfg and inventory files.

      [student@workstation ge4-1]$ wget \
      > http://materials.example.com/content/ch4/ge4-1/ansible.cfg
      [student@workstation ge4-1]$ wget \
      > http://materials.example.com/content/ch4/ge4-1/inventory
    3. Create a group_vars subdirectory in the ge4-1/ directory and change into it.

      [student@workstation ge4-1]$ mkdir group_vars
      [student@workstation ge4-1]$ cd group_vars
    4. Download the network, ios, and vyos group variables files.

      [student@workstation group_vars]$ wget \
      > http://materials.example.com/content/ch4/ge4-1/group_vars/network
      [student@workstation group_vars]$ wget \
      > http://materials.example.com/content/ch4/ge4-1/group_vars/ios
      [student@workstation group_vars]$ wget \
      > http://materials.example.com/content/ch4/ge4-1/group_vars/vyos
    5. Change back to the parent of the group_vars directory.

      [student@workstation group_vars]$ cd ..
    6. Verify that when you provide the appropriate SSH password, you can connect and authenticate to IOS and VyOS devices with Ansible.

      1. Use an ad hoc command to run the Ansible ping module to verify that you can connect and authenticate to IOS devices. Use the -k option so that the ansible command prompts for the SSH password. The SSH password for IOS devices is student.

        [student@workstation ge4-1]$ ansible -k -m ping ios
        SSH password: student
        cs01 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
      2. Use an ad hoc command to run the Ansible ping module to verify that you can connect and authenticate to VyOS devices. Use the -k option so that the ansible command prompts for the SSH password. The SSH password for VyOS devices is vyos.

        [student@workstation ge4-1]$ ansible -k -m ping vyos
        SSH password: vyos
        spine02 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
        spine01 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
        leaf02 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
        leaf01 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
  2. Encrypt a plain text file and create a new encrypted file.

    1. Edit the group_vars/ios file and add the ansible_ssh_pass variable with the value student. It should look like this when you are done:

      ansible_network_os: ios
      ansible_user: admin
      ansible_ssh_pass: student
    2. Now encrypt the file. Use foobar when prompted to provide the Vault password.

      [student@workstation ge4-1]$ ansible-vault encrypt group_vars/ios
      New Vault password: foobar
      Confirm New Vault password: foobar
      Encryption successful
    3. Verify that the file is encrypted.

      [student@workstation ge4-1]$ cat group_vars/ios
      $ANSIBLE_VAULT;1.1;AES256
      39393935323362373335323630613166323066316536373335316365336261373765656331626535
      6238623735396634393638623264343761646237626238660a663539333330383738316538326365
      36346532303263616235373861326337316438613533393437326138386235353337616365663536
      6539386535366136300a393839343464343330383839303135393634373466323665616530646361
      38386330323732346431313161666331396238356532363730623933356334373765396163633665
      37636532326462623937636566303633376635346465633035396437633135353937353166366366
      66353731393638346536626362646438336337666239363737623732643863626432663731323562
      62626530663161326636313439306539353231366663333065623839663261656234653538366132
      6637
    4. Delete the group_vars/vyos file.

      [student@workstation ge4-1]$ rm group_vars/vyos
    5. Create a new, encrypted group_vars/vyos file. Continue to use foobar as the Vault password.

      [student@workstation ge4-1]$ ansible-vault create group_vars/vyos
      New Vault password: foobar
      Confirm New Vault password: foobar
    6. In the editor that opens, enter this text and save the file:

      ansible_network_os: vyos
      ansible_user: vyos
      ansible_ssh_pass: vyos
    7. Verify that the file you just created is encrypted.

      [student@workstation ge4-1]$ cat group_vars/vyos
      $ANSIBLE_VAULT;1.1;AES256
      35616661613563653666393263323961343263613439333566333565333534353133653538613263
      3432306334353032336631663636383361313861656536610a613235343330653739376365663830
      33613436313234666263656231353739633166383464633963386665396661363336363835373661
      6538626334323037630a643431393863386634313164393233653431363934393761653437353036
      31393838623262663261316632356432323632653735633264393364626466346263356561383530
      63306261653534323564363039623863633932383566323635336531353531633735616137353430
      31623136306631373064313634383361636466313130666632393365376539636334326632393364
      38373234613030373961
    8. Verify that you can now connect and authenticate to both IOS and VyOS devices by providing only the Vault password, which you set to foobar.

      [student@workstation ge4-1]$ ansible --ask-vault-pass -m ping network
      Vault password: foobar
      leaf02 | SUCCESS => {
          "changed": false,
          "ping": "pong"
      }
      spine02 | SUCCESS => {
          "changed": false,
          "ping": "pong"
      }
      cs01 | SUCCESS => {
          "changed": false,
          "ping": "pong"
      }
      spine01 | SUCCESS => {
          "changed": false,
          "ping": "pong"
      }
      leaf01 | SUCCESS => {
          "changed": false,
          "ping": "pong"
      }
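The following check is added here and is not part of the course materials. It validates the $ANSIBLE_VAULT envelope layout shown in the cat output above (a header line, then hex text that decodes to the hex-encoded salt, HMAC and ciphertext separated by newlines, as Ansible's AES256 vault writes it) and flags group variables files that still carry ansible_ssh_pass in clear text, so it can run as a pre-commit guard. The SECRET_KEYS list is an assumption, and the sample envelope is constructed from dummy bytes rather than produced by ansible-vault.

```python
import binascii
import re

# Envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^;]+))?$")
# Variable names that must never be committed in clear text (assumed list).
SECRET_KEYS = {"ansible_ssh_pass", "ansible_password", "ansible_become_pass"}


def parse_vault_envelope(text: str) -> dict:
    """Parse an encrypted file; raise ValueError if the envelope is malformed."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("missing or malformed $ANSIBLE_VAULT header")
    version, cipher, vault_id = m.groups()
    body = "".join(line.strip() for line in lines[1:])
    try:
        # The hex body decodes to "salt_hex\nhmac_hex\nciphertext_hex".
        fields = binascii.unhexlify(body).split(b"\n")
        if len(fields) != 3:
            raise ValueError("expected exactly salt, HMAC and ciphertext fields")
        salt, mac, ct = (binascii.unhexlify(f) for f in fields)
    except binascii.Error as e:
        raise ValueError(f"body is not a hex-of-hex vault payload: {e}") from e
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt_len": len(salt), "hmac_len": len(mac), "ct_len": len(ct)}


def classify(text: str) -> str:
    """'vault' for a well-formed encrypted file, 'corrupt-envelope' for a file
    that claims to be encrypted but is not, 'plaintext-secret' if a credential
    key is exposed in clear, otherwise 'plaintext'."""
    if text.lstrip().startswith("$ANSIBLE_VAULT"):
        try:
            parse_vault_envelope(text)
            return "vault"
        except ValueError:
            return "corrupt-envelope"
    for line in text.splitlines():
        if line.split(":", 1)[0].strip() in SECRET_KEYS:
            return "plaintext-secret"
    return "plaintext"


def make_sample_envelope(salt=b"\x01" * 32, mac=b"\x02" * 32, ct=b"\x03" * 48) -> str:
    """Build a constructed (dummy-byte) envelope in the layout described above."""
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ct))
    hexbody = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(hexbody[i:i + 80] for i in range(0, len(hexbody), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"
```

Running classify over each file under group_vars/ before a commit turns the "verify that the file is encrypted" step above into an automatic check; a duplicated or truncated header is reported as a corrupt envelope rather than passing as encrypted.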
  3. Change the Vault password of your encrypted files.

    1. Rekey the group_vars/ios file. Set the new Vault password to redhat.

      [student@workstation ge4-1]$ ansible-vault rekey group_vars/ios
      Vault password: foobar
      New Vault password: redhat
      Confirm New Vault password: redhat
      Rekey successful
    2. Rekey the group_vars/vyos file. Set the new Vault password to redhat.

      [student@workstation ge4-1]$ ansible-vault rekey group_vars/vyos
      Vault password: foobar
      New Vault password: redhat
      Confirm New Vault password: redhat
      Rekey successful
  4. View the contents of an encrypted file.

    1. View the contents of the group_vars/ios file. The Vault password should now be redhat.

      [student@workstation ge4-1]$ ansible-vault view group_vars/ios
      Vault password: redhat
      ansible_network_os: ios
      ansible_user: admin
      ansible_ssh_pass: student
    2. View the contents of the group_vars/vyos file. The Vault password should now be redhat.

      [student@workstation ge4-1]$ ansible-vault view group_vars/vyos
      Vault password: redhat
      ansible_network_os: vyos
      ansible_user: vyos
      ansible_ssh_pass: vyos
  5. Edit an encrypted file.

    1. You will add this variable to the group_vars/ios file:

      banner_message: Access is restricted to authorized users only.
    2. Edit the group_vars/ios file with the ansible-vault edit command, add the variable in the editor that opens, and save the file. The Vault password should be redhat.

      [student@workstation ge4-1]$ ansible-vault edit group_vars/ios
      Vault password: redhat
    3. Display the file to confirm that the new variable has been successfully added.

      [student@workstation ge4-1]$ ansible-vault view group_vars/ios
      Vault password: redhat
      ansible_network_os: ios
      ansible_user: admin
      ansible_ssh_pass: student
      banner_message: Access is restricted to authorized users only.

This concludes the guided exercise.

Revision: do457-2.5-4693601