- hosts: all
  become: yes
  tasks:
    - name: create the 'admin' user
      user:
        name: admin
        append: yes
        state: present
        createhome: yes
        shell: /bin/bash
    - name: allow 'admin' to have passwordless sudo
      lineinfile:
        dest: /etc/sudoers
        line: 'admin ALL=(ALL) NOPASSWD: ALL'
        validate: 'visudo -cf %s'
    - name: set up authorized keys for the admin user
      authorized_key:
        user: admin
        key: "{{ lookup('file', item) }}"
      # with_file does not expand globs; with_fileglob yields one path per *.pub
      with_fileglob:
        - "../../util/ssh/*.pub"
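The sudo and SSH-key tasks of the playbook, as an added shell example that is not from the page and not Ansible's own code: it writes a visudo-checked sudoers drop-in (under /etc/sudoers.d rather than editing /etc/sudoers in place) and an authorized_keys file with the modes sudo and sshd expect. The function names, the PREFIX argument (an assumed scratch root so the functions can be exercised without root) and the key directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not the page's playbook: sudoers drop-in + authorized_keys
# for an admin user. The prefix argument is an assumed scratch root so the
# functions can run as an unprivileged user; pass "" to write to the real
# filesystem (as root).
set -eu

install_sudoers_dropin() {
    user="$1"; prefix="${2:-}"
    dir="$prefix/etc/sudoers.d"
    mkdir -p "$dir"
    tmp=$(mktemp)
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$tmp"
    # Syntax-check the candidate file first, like the playbook's validate:,
    # so a typo never leaves the host without a working sudoers.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null
    else
        echo "warning: visudo not found, drop-in not validated" >&2
    fi
    # 0440 owned by root is what sudo expects for sudoers files; sudo
    # refuses files writable by anyone else.
    install -m 0440 "$tmp" "$dir/$user"
    rm -f "$tmp"
    printf '%s\n' "$dir/$user"
}

install_authorized_keys() {
    user="$1"; keydir="$2"; prefix="${3:-}"
    sshdir="$prefix/home/$user/.ssh"
    new="$sshdir/authorized_keys.new"
    mkdir -p "$sshdir"
    chmod 0700 "$sshdir"
    : > "$new"
    for pub in "$keydir"/*.pub; do
        [ -f "$pub" ] || continue
        # Accept only lines shaped like "<type> <base64>"; anything else in a
        # .pub file (comments, stray text) is dropped rather than installed.
        grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub" >> "$new" || true
    done
    sort -u -o "$new" "$new"
    # With StrictModes, sshd ignores an authorized_keys file that is
    # group- or world-writable, so install it with a tight mode.
    install -m 0600 "$new" "$sshdir/authorized_keys"
    rm -f "$new"
    # Return the number of keys installed.
    wc -l < "$sshdir/authorized_keys" | tr -d ' '
}

# Stand-alone use (as root): sh setup-admin.sh install /path/to/keys
if [ "${1:-}" = "install" ]; then
    install_sudoers_dropin admin ""
    install_authorized_keys admin "${2:-./keys}" ""
fi
```

Running the functions against a temporary prefix first lets you inspect the generated drop-in and key file before touching a real host, which is the same idea as the playbook's validate: step but also covers the key material.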
Here’s a breakdown of what this playbook does:
Copy the public key to the remote host:
ssh-copy-id -i ../path/id_rsa.pub root@remote.host
On the controller host, start the ssh-agent in the background:
eval "$(ssh-agent -s)"
Add the SSH private key to the ssh-agent:
ssh-add ~/.ssh/id_rsa
Both lines can be added to the .bashrc of the Ansible controller host.
Open the Ansible console. Commands typed there are sent as ansible -m shell:
ansible-console -u admin master_host
SSH access to the remote host:
ssh admin@130.149.98.118 -i ../keys/id_rsa
NOTE: that does not work with Fedora 24; this works:
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 ! -d 192.168.8.0/24 -j MASQUERADE
Connect a LAN to the internet
$> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
This command can be explained in the following way:
iptables: the command line utility for configuring the kernel's packet filter.
-t nat: select the table "nat" for configuration of NAT rules.
-A POSTROUTING: append a rule to the POSTROUTING chain (-A stands for "append").
-o eth1: this rule applies to packets that leave on the second network interface (-o stands for "output").
-j MASQUERADE: the action to take is to "masquerade" the packets, i.e. replace the sender's address with the router's address.
Choosing match patterns
To manipulate specific packets we have to use appropriate match patterns, and there are numerous options to specify them. I will present the most popular ones to clarify their usage. All available match patterns can be found in the manual pages of iptables.
# actions to be taken on matched packets
# will be abbreviated by '[...]'.
# Depending on the match pattern the appropriate chain is selected.
# TCP packets from 192.168.1.2:
$> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 [...]
# UDP packets to 192.168.1.2:
$> iptables -t nat -A POSTROUTING -p udp -d 192.168.1.2 [...]
# all packets from 192.168.x.x arriving at eth0:
$> iptables -t nat -A PREROUTING -s 192.168.0.0/16 -i eth0 [...]
# all packets except TCP packets and except packets from 192.168.1.2
# (the "!" goes in front of the switch; "-p ! tcp" is the deprecated form):
$> iptables -t nat -A PREROUTING ! -p tcp ! -s 192.168.1.2 [...]
# packets leaving at eth1:
$> iptables -t nat -A POSTROUTING -o eth1 [...]
# TCP packets from 192.168.1.2, port 12345 to 12356
# to 123.123.123.123, port 22
# (a backslash indicates continuation on the next line)
$> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
   --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]
For most of the switches there exists a long form, e.g. --source instead of -s. Using them makes the whole instruction longer but more readable, especially if you are new to iptables.
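The masquerade rule and the match patterns above, combined into one LAN-to-internet gateway setup, as an added shell example that is not from the page: every iptables call goes through a run() wrapper that prints the command and skips execution when DRY_RUN is set, so the whole ruleset can be reviewed (and tested) without touching the kernel. The interface names, the LAN prefix (taken from the page's Fedora rule) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): NAT gateway rules built from the
# match patterns above. Interface names and LAN prefix are assumptions.
LAN_NET="${LAN_NET:-192.168.8.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
IPT="${IPT:-iptables}"

# run: print the command, then execute it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

nat_gateway_rules() {
    # Routing between interfaces is off by default; NAT does nothing without it.
    run sysctl -w net.ipv4.ip_forward=1
    # Masquerade only LAN-sourced packets leaving on the WAN side. The bare
    # "-o eth1 -j MASQUERADE" from the page also rewrites any other traffic
    # that happens to be forwarded out of eth1.
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # FORWARD chain: LAN -> WAN is allowed; WAN -> LAN only for replies to
    # connections the LAN opened. Everything else that would be forwarded
    # is dropped, so the gateway does not relay unsolicited inbound traffic.
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -P FORWARD DROP
}

# Number of iptables invocations the setup would make (sanity check for
# review scripts); runs in a subshell so DRY_RUN does not leak.
nat_gateway_rule_count() {
    (DRY_RUN=1; nat_gateway_rules) | grep -c "^$IPT "
}

# Stand-alone use: sh nat-gateway.sh dry-run   (review)
#                  sh nat-gateway.sh apply     (as root)
case "${1:-}" in
    apply)   nat_gateway_rules ;;
    dry-run) DRY_RUN=1; nat_gateway_rules ;;
esac
```

After applying, compare the live state with the dry-run output using iptables -t nat -S POSTROUTING and iptables -S FORWARD; a rule that is present in the dry-run listing but missing live usually means an earlier command failed and the script should be made to stop on the first error.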