technical skills grow


Saturday, June 3, 2023

Chapter 3: Performing Ad Hoc Commands with Ansible

 
Ad hoc commands are a very useful tool to quickly perform simple tasks with Ansible.



Running Ad Hoc Commands

Use the ansible command to run ad hoc commands.

Syntax:

ansible host-pattern -m module [-a 'module arguments'] [-i inventory]

[root@controlnode ~]$ ansible all -m ping
servera.example.com | SUCCESS => {
"changed": false,
"ping": "pong"
}

In this exercise, you will execute ad hoc commands on multiple managed hosts.

We will execute ad hoc commands on the control node and the host node using the devops user account. This account has the same sudo configuration on both the control node and the host node.

Steps
1. Determine the sudo configuration for the devops account on both the control node and the host.
1.1. Determine the sudo configuration for the devops account that was configured when the control node was built.


[root@control ~]$ sudo cat /etc/sudoers.d/devops

[sudo] password for devops: devops

devops ALL=(ALL) NOPASSWD: ALL
 

Note that the user has full sudo privileges but does not require password
authentication.

1.2. Determine the sudo configuration for the devops account that was configured when servera was built.

[root@control ~]$ ssh devops@servera.example.com

[devops@servera ~]$ sudo cat /etc/sudoers.d/devops 

devops ALL=(ALL) NOPASSWD: ALL 

[devops@servera ~]$ exit

2. Change directory to /home/student/dep-adhoc and examine the contents of the ansible.cfg and inventory files.

[root@control ~]$ cd /home/root/dep-adhoc
[root@control dep-adhoc]$ cat ansible.cfg
[defaults]
inventory=inventory

[root@control dep-adhoc]$ cat inventory
[myself]
localhost
[intranetweb]
servera.example.com

3. Using the ping module, execute an ad hoc command to make sure all managed hosts in the everyone group can run Ansible modules using Python.  

[root@control dep-adhoc]$ ansible everyone -m ping
servera.example.com | SUCCESS => {
"changed": false,
"ping": "pong"
}
localhost | SUCCESS => {
"changed": false,
"ping": "pong"
}

[root@control dep-adhoc]$ ansible localhost -m command -a 'id'
localhost | SUCCESS | rc=0 >>
uid=1000(root) gid=1000(root) groups=1000(root),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

5. Notice that the ad hoc command was performed on the managed host as the devops user.

[root@control dep-adhoc]$ ansible localhost -m command -a 'id' -u devops
localhost | SUCCESS | rc=0 >>
uid=1001(devops) gid=1001(devops) groups=1001(devops)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

6. Notice that the /etc/motd file is currently empty.

[root@control dep-adhoc]$ ansible localhost -m command -a 'cat /etc/motd' -u devops
localhost | SUCCESS | rc=0 >>

7. Note that the command succeeded this time because the ad hoc command was executed with privilege escalation.

[root@control dep-adhoc]$ ansible localhost -m copy -a 'content="Managed by Ansible\n" dest=/etc/motd' -u devops --become
localhost | SUCCESS => {
"changed": true,
"checksum": "4458b979ede3c332f8f2128385df4ba305e58c27",
"dest": "/etc/motd",
"gid": 0,
"group": "root",
"md5sum": "65a4290ee5559756ad04e558b0e0c4e3",
"mode": "0644",
"owner": "root",
"secontext": "system_u:object_r:etc_t:s0",
"size": 19,
"src": "/home/devops/.ansible/tmp/ansible-tmp-1463518320.68-167292050637471/source",
"state": "file",
"uid": 0
}
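
The exercise depends on the devops rule shown in step 1 (NOPASSWD: ALL), which is what lets --become in step 7 write /etc/motd without a password prompt. The script below is an added example, not part of the original exercise: it lists every rule in the given sudoers files that grants passwordless, unrestricted commands. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list sudoers rules that grant
# passwordless, unrestricted commands, like the devops rule in step 1.
# Assumptions: one rule per line (no backslash continuations), and lines
# starting with '#' are treated as comments (so #uid user specs are skipped).

# find_nopasswd_all FILE... -> prints "FILE:WHO" for each matching rule
find_nopasswd_all() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/           { next }  # comments, blanks
            $1 ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }  # not user specs
            {
                eq = index($0, "=")
                if (eq == 0) next
                spec = substr($0, eq + 1)      # "(runas) TAG: commands"
                # NOPASSWD tag directly followed by the ALL command keyword
                if (spec ~ /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/)
                    print file ":" $1
            }' "$f"
    done
}

# write_sample FILE -> constructed sudoers content for the demo
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
Defaults !requiretty
devops ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
deploy ALL=(ALL) NOPASSWD:ALL
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_nopasswd_all "$sample"     # flags devops and deploy only
rm -f "$sample"
```

On a real host, call find_nopasswd_all /etc/sudoers /etc/sudoers.d/* as root, since those files are not world-readable.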
