oO.o's Ansible Host Collection (Formerly Devember 2022)

oO.o · December 11, 2022, 12:18am

oØ.o’s Host Collection for Ansible

I have been working on this and other Ansible collections for about a year now. They have undergone lots of chaotic changes as I learn how to use the platform. Now that the chaos has begun to settle and I am feeling more confident in my Ansible skills, it’s time to get serious about documenting what I have and pushing it to Github.

Devember 2022

While I won’t be able to work on this an hour a day as required by the Devember guidelines, I will be making a concerted effort on this project through the end of January. My hope is to at least average an hour per day.

I had begun work on this around Devember of last year. At that time, I had a Site collection that I have since broken out into host, network and services collections. My focus for this year will be my inventory role and host collection as the others are still undergoing major changes.

Inventory Role

Host Collection

oO.o · December 11, 2022, 12:19am

Initial commit of the inventory role has been pushed.

This generates inventory boilerplate (host_vars and group_vars). It optionally (on by default) will set up a git repo in your inventory directory, automatically commit changes to it and provides a handler for committing changes.

Some handy default values for comments and operating systems are provided as well.

The initial commit to the host collection coming soon…

oO.o · December 12, 2022, 4:40am

Initial commit to the host collection is up.

This includes my lookup plugin first_found_by_host_attributes which will look in the search path for tasks, vars or template files that match the host system from most to least specific. For example, I can find a vars file that matches the exact version of the distribution or just match as SSH hosts. It extends the builtin first_found plugin.

Also included is my connection role which will sort of try to brute force a connection based on common default administrator names, possible IP addresses in the inventory and/or local Vagrantfile. This supports both standard SSH hosts as well as RouterOS hosts. Once a valid connection is established, the relevant connection variables are written to the host’s host_vars file automatically. The role does not attempt to brute force any passwords. It assumes you have an SSH key on the system already.

oO.o · December 13, 2022, 4:47pm

o0_o.host.privilege_escalation is pushed. It will automatically detect and configure Ansible’s become method for you including proper SELinux configuration for sudo. ansible_become_method is written to the host’s host_vars file at the end of the role unless the result is that it is undefined as in the case of RouterOS which has no become method or if you’re connecting as root.

There are some dependencies in other roles that aren’t up yet, but as-is, it will run if you don’t gather facts.

oO.o · December 14, 2022, 3:29pm

o0_o.host.time is pushed. It syncs the host’s time with localhost. This is useful for virtual machines that have been suspended and come back online with huge time drifts that aren’t immediately corrected by NTP. It allows for different time zones configured on remote and local hosts except on RouterOS which has a kludgy clock cli so I’ve just decided to require GMT in that case.

SSH hosts are limited to the raw module because huge time drifts can break package managers which prevents Python from being installed. Speaking of, the next role will be o0_o.host.python_interpreter which will install Python on a remote host that doesn’t have it. After that we can finally gather facts.

oO.o · December 20, 2022, 5:52am

Sorry for the delay here. After looking at my existing Python interpreter role, it was clear that I needed to refactor out a package manager role. I am actively working on this and hope to have it pushed by end of year. That said, package manager configuration is relatively complex so you might not see any commits for a while

oO.o · February 7, 2023, 11:40pm

@SgtAwesomesauce does this make your eyes bleed?

SgtAwesomesauce · February 7, 2023, 11:54pm

Fuck you for showing this to me.

oO.o · February 7, 2023, 11:59pm

Lol. I was able to generalize package manager and repository configuration, but at what cost?

SgtAwesomesauce · February 8, 2023, 3:43am

oO.o · February 8, 2023, 1:34pm

I’m attempting to offload a lot of it into vars and defaults, and then of course comment it thoroughly.

oO.o · February 8, 2023, 2:39pm

I think that’s as good as it can get without ridiculous levels of hand-holding.

oO.o · February 14, 2023, 4:13am

Pushed a few commits tonight. Things are working in my testing environment. Still some cleanup to do, but feels good to reach a milestone.

Particularly proud of the work done with package managers in my software management role. It went through many revisions, including the documentation which I found challenging to write.

oO.o · February 18, 2023, 12:11am

Added a feature called “Role call” which tracks how the roles are executed and prints the dependency tree at the end of the play.

Here is a Rocky Linux VM that was provisioned without Python installed. There is one call to o0_o.host.privilege_escalation.

ok: [rocky8.hq.example.com] => {
    "role_call": [
        "o0_o.host.connection",
        "  o0_o.inventory",
        "o0_o.host.privilege_escalation",
        "  o0_o.host.facts",
        "  o0_o.host.software_management",
        "    o0_o.host.time",
        "  o0_o.host.python_interpreter",
        "    o0_o.host.facts",
        "    o0_o.host.time",
        "    o0_o.host.software_management",
        "  o0_o.host.mandatory_access_control"
    ]
}

connection is a dependency for privilege_escalation defined in meta/main.yml
inventory is included in the connection role
privilege_escalation begins to run after its connection dependency
privilege_escalation defines ansible_become_method (supports sudo or doas), but needs facts, software_management, python_interpreter and mandatory_access_control to configure sudo
software_management needs time to be accurate or repo certificates will fail to verify
facts, time and software_management’s capabilities are limited while running without a Python interpreter, so python_interpreter runs them again as soon as Python is installed and the ansible_python_interpreter is defined.

Because of how interdependent these roles are, running any one of privilege_escalation, software_management, time or mandatory_access_control will all result in the same final host state for SSH hosts. Since much of this isn’t applicable to network devices, I use time to bring all host types to my first configuration milestone where Python, privilege escalation, system time, package managers and mandatory access control are all fully configured. This will work even in sandboxed or air-gapped networks that rely on local mirrors (local repositories would need to be defined in the inventory).

Note that AppArmor on Arch and Raspbian requires bootloader configuration and a restart. I have not implemented that yet. Currently in those cases, AppArmor is left disabled.

oO.o · February 19, 2023, 6:50pm

And it’s up!

Try it out! Let me know if any of the documentation needs clarification.

Related question, why is reStructuredText ever used over markdown?

candybar · February 19, 2023, 7:45pm

I believe it’s for auto-magic linking to other modules/classes/etc, though maybe that’s more a sphinx thing than reStructuredText itself…

It was also around before markdown IIRC, not to mention Ansible is python and sphinx/rst used a lot in python.

Were you looking for a serious answer?

oO.o · February 19, 2023, 7:48pm

Yeah I know… wish they’d switch over but I’m sure that would be a lot of work.

oO.o · February 20, 2023, 5:54pm

Womp

github.com/ansible/ansible

Galaxy collection install dependency fails mysteriously

opened 05:51PM - 20 Feb 23 UTC

o0-o

### Summary I recently uploaded my first collection to Ansible Galaxy 🎉 Un…fortunately, I am experiencing some strange behavior which I believe is related to `requirements.yml`. `ansible-galaxy collection install o0_o.host` results in: ``` Starting galaxy collection install process Process install dependency map ERROR! Failed to resolve the requested dependencies map. Could not satisfy the following requirements: * o0_o.host:* (direct request) ``` It appears to be trying to install itself as a dependency, but this is not reflected in my `requirements.yml` file. ``` --- roles: - name: o0_o.inventory collections: - name: ansible.netcommon - name: ansible.posix - name: community.general - name: community.routeros - name: community.network ``` Most confusingly, specifying either version or installing from a tarball works as expected. Each of the following will complete without an error: ``` ansible-galaxy collection install o0_o.host:1.0.0-alpha.1 ``` ``` ansible-galaxy collection install o0_o.host:1.0.0-alpha.2 ``` ``` ansible-galaxy collection install o0_o-host-1.0.0-alpha.2.tar.gz ``` ``` Starting galaxy collection install process Process install dependency map Starting collection install process Downloading https://galaxy.ansible.com/download/o0_o-host-1.0.0-alpha.2.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/o0_o-host-1.0.0-alpha.2-k8q8lx0u Installing 'o0_o.host:1.0.0-alpha.2' to '/Users/o0-o/.ansible/collections/ansible_collections/o0_o/host' Downloading https://galaxy.ansible.com/download/ansible-posix-1.5.1.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/ansible-posix-1.5.1-aeh7481o o0_o.host:1.0.0-alpha.1 was installed successfully Installing 'ansible.posix:1.5.1' to '/Users/o0-o/.ansible/collections/ansible_collections/ansible/posix' Downloading https://galaxy.ansible.com/download/community-general-6.3.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/community-general-6.3.0-dsdjucim ansible.posix:1.5.1 was installed successfully Installing 'community.general:6.3.0' to '/Users/o0-o/.ansible/collections/ansible_collections/community/general' Downloading https://galaxy.ansible.com/download/community-network-5.0.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/community-network-5.0.0-8unm3c6c community.general:6.3.0 was installed successfully Installing 'community.network:5.0.0' to '/Users/o0-o/.ansible/collections/ansible_collections/community/network' Downloading https://galaxy.ansible.com/download/ansible-netcommon-4.1.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/ansible-netcommon-4.1.0-8z9q_2qb community.network:5.0.0 was installed successfully Installing 'ansible.netcommon:4.1.0' to '/Users/o0-o/.ansible/collections/ansible_collections/ansible/netcommon' Downloading https://galaxy.ansible.com/download/ansible-utils-2.9.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/ansible-utils-2.9.0-lr2u1tmo ansible.netcommon:4.1.0 was installed successfully Installing 'ansible.utils:2.9.0' to '/Users/o0-o/.ansible/collections/ansible_collections/ansible/utils' Downloading https://galaxy.ansible.com/download/community-routeros-2.7.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/community-routeros-2.7.0-bvkoq41m ansible.utils:2.9.0 was installed successfully Installing 'community.routeros:2.7.0' to '/Users/o0-o/.ansible/collections/ansible_collections/community/routeros' community.routeros:2.7.0 was installed successfully ``` ### Issue Type Bug Report ### Component Name requirements.yml ### Ansible Version ```console $ ansible --version ansible [core 2.14.2] config file = None configured module search path = ['/Users/o0-o/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/local/Cellar/ansible/7.2.0/libexec/lib/python3.11/site-packages/ansible ansible collection location = /Users/o0-o/.ansible/collections:/usr/share/ansible/collections executable location = /usr/local/bin/ansible python version = 3.11.2 (main, Feb 16 2023, 03:07:35) [Clang 14.0.0 (clang-1400.0.29.202)] (/usr/local/Cellar/ansible/7.2.0/libexec/bin/python3.11) jinja version = 3.1.2 libyaml = True ``` ### Configuration ```console # if using a version older than ansible-core 2.12 you should omit the '-t all' $ ansible-config dump --only-changed -t all ``` ### OS / Environment macOS ### Steps to Reproduce ``` ansible-galaxy collection install o0_o.host ``` ### Expected Results It should install successfully with dependencies. ``` Starting galaxy collection install process Process install dependency map Starting collection install process Downloading https://galaxy.ansible.com/download/o0_o-host-1.0.0-alpha.2.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/o0_o-host-1.0.0-alpha.2-k8q8lx0u Installing 'o0_o.host:1.0.0-alpha.2' to '/Users/o0-o/.ansible/collections/ansible_collections/o0_o/host' Downloading https://galaxy.ansible.com/download/ansible-posix-1.5.1.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/ansible-posix-1.5.1-aeh7481o o0_o.host:1.0.0-alpha.1 was installed successfully Installing 'ansible.posix:1.5.1' to '/Users/o0-o/.ansible/collections/ansible_collections/ansible/posix' Downloading https://galaxy.ansible.com/download/community-general-6.3.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/community-general-6.3.0-dsdjucim ansible.posix:1.5.1 was installed successfully Installing 'community.general:6.3.0' to '/Users/o0-o/.ansible/collections/ansible_collections/community/general' Downloading https://galaxy.ansible.com/download/community-network-5.0.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/community-network-5.0.0-8unm3c6c community.general:6.3.0 was installed successfully Installing 'community.network:5.0.0' to '/Users/o0-o/.ansible/collections/ansible_collections/community/network' Downloading https://galaxy.ansible.com/download/ansible-netcommon-4.1.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/ansible-netcommon-4.1.0-8z9q_2qb community.network:5.0.0 was installed successfully Installing 'ansible.netcommon:4.1.0' to '/Users/o0-o/.ansible/collections/ansible_collections/ansible/netcommon' Downloading https://galaxy.ansible.com/download/ansible-utils-2.9.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/ansible-utils-2.9.0-lr2u1tmo ansible.netcommon:4.1.0 was installed successfully Installing 'ansible.utils:2.9.0' to '/Users/o0-o/.ansible/collections/ansible_collections/ansible/utils' Downloading https://galaxy.ansible.com/download/community-routeros-2.7.0.tar.gz to /Users/o0-o/.ansible/tmp/ansible-local-11511pdq6gyg0/tmprccg_5ng/community-routeros-2.7.0-bvkoq41m ansible.utils:2.9.0 was installed successfully Installing 'community.routeros:2.7.0' to '/Users/o0-o/.ansible/collections/ansible_collections/community/routeros' community.routeros:2.7.0 was installed successfully ``` ### Actual Results ```console Starting galaxy collection install process Process install dependency map ERROR! Failed to resolve the requested dependencies map. Could not satisfy the following requirements: * o0_o.host:* (direct request) ``` ### Code of Conduct - [X] I agree to follow the Ansible Code of Conduct

Ok, so use ansible-galaxy collection install o0_o.host --pre until a stable release exists.

Also now realizing that it will fail almost immediately because the o0_o.inventory role tries to scrape the collection version from galaxy.yml for comment headers but Ansible galaxy doesn’t actually distribute galaxy.yml because it’s just intended to facilitate metadata for importing the collection into Galaxy.

If anyone cares to try, the galaxy.yml file is in the repo.

github.com

o0-o/ansible_collection_host/blob/main/galaxy.yml

### REQUIRED
# The namespace of the collection. This can be a company/brand/
# organization or product namespace under which all content lives. May
# only contain alphanumeric lowercase characters and underscores.
# Namespaces cannot start with underscores or numbers and cannot contain
# consecutive underscores
namespace: o0_o

# The name of the collection. Has the same character restrictions as
# 'namespace'
name: host

# The version of the collection. Must be compatible with semantic
# versioning
version: 1.0.0-alpha.2

# The path to the Markdown (.md) readme file. This path is relative to
# the root of the collection
readme: README.md

This file has been truncated. show original

I’ll probably just take out the version scraping altogether. I thought it was nice to have it in the comment headers though.

oO.o · February 25, 2023, 1:25pm

Alpha 3 is up. If anyone wants to test it out, please do!

ansible-galaxy collection install o0_o.host --pre

Once it’s installed and you have a basic inventory, run ansible-playbook -i path/to/inventory o0_o.host.m1

oO.o · March 8, 2023, 7:41pm

Alpha 4 is up which adds the users role. On first run, it will dump a users dictionary into each host’s host_vars file which is configurable. You can also simply supply something like this:

users:
  my_admin:
    adm: true
    lock: true

Which will set up my_admin with passwordless admin privileges and your SSH key. Note that this would also delete any non-system users except the current Ansible user. To preserve the current user state, run the role without supplying a users dictionary and then edit what shows up in the inventory.

Here is an example of what the users dictionary looks like after an initial run on a Debian Vagrant VM.

# BEGIN ANSIBLE MANAGED BLOCK: Local users (Editable)
users:
  root:
    gecos: root
    group: root
    groups:
    - root
    home: /root
    shell: /bin/bash
    ssh:
      auth: []
      id: []
    uid: '0'
  vagrant:
    adm: true
    gecos: vagrant,,,
    group: vagrant
    groups:
    - audio
    - cdrom
    - dip
    - floppy
    - netdev
    - plugdev
    - vagrant
    - video
    home: /home/vagrant
    shell: /bin/bash
    ssh:
      auth:
      - pub: AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==
        type: rsa
      id: []
    uid: '1000'
# END ANSIBLE MANAGED BLOCK: Local users (Editable)

Support for RouterOS here was a little rocky, but it works. Of course there is much less to configure for RouterOS users, but administration and authorized SSH keys are handled.