Red Hat Ansible for Network Automation

Convert the existing proj/group_vars/groupname files into proj/group_vars/groupname/vars.yml files.

Convert the existing ~/proj/group_vars/ directory structure, which stores group-specific variables in files named groupname, to a structure in which the variables are stored in vars.yml files located in group_vars/groupname/ directories.

1. With each group_vars/groupname file:

   1. Rename the group_vars/groupname file to group_vars/vars.yml.

   2. Create a directory named group_vars/groupname/.

   3. Move the group_vars/vars.yml file into the group_vars/groupname/ directory.

   [student@workstation proj]$ mv group_vars/ios group_vars/vars.yml
   [student@workstation proj]$ mkdir group_vars/ios
   [student@workstation proj]$ mv group_vars/vars.yml group_vars/ios/
   [student@workstation proj]$ mv group_vars/leafs group_vars/vars.yml
   [student@workstation proj]$ mkdir group_vars/leafs
   [student@workstation proj]$ mv group_vars/vars.yml group_vars/leafs/
   [student@workstation proj]$ mv group_vars/network group_vars/vars.yml
   [student@workstation proj]$ mkdir group_vars/network
   [student@workstation proj]$ mv group_vars/vars.yml group_vars/network/
   [student@workstation proj]$ mv group_vars/spines group_vars/vars.yml
   [student@workstation proj]$ mkdir group_vars/spines
   [student@workstation proj]$ mv group_vars/vars.yml group_vars/spines/
   [student@workstation proj]$ mv group_vars/vyos group_vars/vars.yml
   [student@workstation proj]$ mkdir group_vars/vyos
   [student@workstation proj]$ mv group_vars/vars.yml group_vars/vyos/

2. Alternatively, you can download a shell script and run it. It will transform the directory structure for you.

   [student@workstation proj]$ wget \
   > http://materials.example.com/content/ch4/ge4-3/transform-directory-structure.sh
   [student@workstation proj]$ chmod +x transform-directory-structure.sh
   [student@workstation proj]$ ./transform-directory-structure.sh

Create encrypted vault.yml files for the vyos and ios groups, setting the ansible_ssh_pass variable.

1. Create an encrypted vault.yml file in the group_vars/vyos/ directory. It should contain the ansible_password variable for VyOS machines in the Network Lab. This password is vyos. When prompted for the Vault password (New Vault password:), respond with redhat. Define the variable and its value using the familiar key: value form. It should appear as ansible_password: vyos in the file as you are creating it. Save the file and quit.

   [student@workstation proj]$ ansible-vault create group_vars/vyos/vault.yml
   New Vault password: redhat
   Confirm New Vault password: redhat

2. Confirm the file is indeed encrypted.

   [student@workstation proj]$ cat group_vars/vyos/vault.yml
   $ANSIBLE_VAULT;1.1;AES256
   31613333393034346266616434326364636134386136636131663236653365393666376132616637
   3666633766393932343262396432616339333934643962350a353338643634303331323465306333
   37643436666365653263646265633266376430353131623035336635303332333436363131363033
   3939616338366531360a613332396232613465613865396464306235373834653861303337373263
   63303433663139343237323734343136663962343364653434303337363436373837

3. View the content of the encrypted file to confirm that it is correct.

   [student@workstation proj]$ ansible-vault view group_vars/vyos/vault.yml
   Vault password: redhat
   ansible_password: vyos

4. Create the encrypted vault.yml file in the group_vars/ios/ directory. It should contain the ansible_password variable for ios machines in the lab network. This password is student. The decrypted file should contain the following content:

   ansible_password: student

   Save the file and quit. When prompted for the Vault password, respond with redhat.

   [student@workstation proj]$ ansible-vault create group_vars/ios/vault.yml
   New Vault password: redhat
   Confirm New Vault password: redhat

5. Confirm the file is encrypted.

   [student@workstation proj]$ cat group_vars/ios/vault.yml
   $ANSIBLE_VAULT;1.1;AES256
   30623734306234313231633730323766616165623464386237383337623164613062323334396261
   3430623662396636326135343632383735663263653264310a333039323639363866323833613639
   64646633623330646637346636386230343463303831346332343139616533353138306631643233
   3163613865616566300a663163643762353030376436366133636162373966636132366534656466
   31306239656432333235373731346430393164663833663666353862313166323065

6. View the content of the encrypted file to confirm that it is correct.

   [student@workstation proj]$ ansible-vault view group_vars/ios/vault.yml
   Vault password: redhat
   ansible_password: student

Write a playbook that demonstrates authentication to both VyOS and IOS machines in the Network Lab by providing only the Vault password. Create a playbook named multi-vendor-hostname.yml in the proj/ directory, and add the following content:

---
- name: demonstrate authentication to network devices by showing hostname
  hosts: network

  tasks:

    - name: hostname on IOS machine
      ios_command:
        commands:
          - show run | include hostname
      register: result
      when: ansible_network_os == 'ios'

    - debug:
        var: result.stdout
      when: ansible_network_os == 'ios'

    - name: hostname on VyOS machine
      vyos_command:
        commands:
          - show host name
      register: result
      when: ansible_network_os == 'vyos'

    - debug:
        var: result.stdout
      when: ansible_network_os == 'vyos'

Run the play, using --ask-vault-pass to request to be prompted for the Vault password. You will be prompted for your SSH password. You can provide anything; your input will be ignored.

[student@workstation proj]$ ansible-playbook --ask-vault-pass multi-vendor-hostname.yml
SSH password: anything
Vault password: redhat

Create a Vault password file, using file-system permissions to secure it.

1. Create a protected directory named ~/.rhv outside of the project directory to hold the Vault password file. Set the permissions on this directory to owner-only read/write/execute (700).

   [student@workstation proj]$ mkdir -p ~/.rhv
   [student@workstation proj]$ chmod 700 ~/.rhv

2. Create a Vault password file named ~/.rhv/vault-secret. Set the permissions on this file to owner-only read/write (600).

   [student@workstation proj]$ echo redhat > ~/.rhv/vault-secret
   [student@workstation proj]$ cat ~/.rhv/vault-secret
   redhat
   [student@workstation proj]$ chmod 600 ~/.rhv/vault-secret
   [student@workstation proj]$ ls -l ~/.rhv/vault-secret
   -rw-------. 1 student student 7 Jul 30 11:18 /home/student/.rhv/vault-secret

Configure Ansible locally to automatically use the Vault password file.

1. Edit the project-specific (local) Ansible configuration. Ensure that the ask_pass line is removed, meaning you will no longer be prompted. Also add this line:

   vault_password_file = /home/student/.rhv/vault-secret

   Here is a an example of a local ansible.cfg file that contains the newly added line:

   [student@workstation proj]$ cat ansible.cfg
   [defaults]
   inventory       = inventory
   host_key_checking = False
   # so you don't have to say gather_facts: no
   gathering = explicit
   vault_password_file = /home/student/.rhv/vault-secret
   
   [persistent_connection]
   command_timeout = 180
   connect_timeout = 100
   connect_retry_timeout = 100

Run the play again, this time without being prompted to supply the Vault password.

[student@workstation proj]$ ansible-playbook multi-vendor-hostname.yml