source: main/waeup-ansible/README.rst @ 14656

Last change on this file since 14656 was 14324, checked in by uli, 8 years ago

Remove empty line.

File size: 7.3 KB
=============================================
 Playbooks for administrating WAeUP servers.
=============================================

These are materials to use with our servers.

For starters: the tutorial given on

  https://github.com/leucos/ansible-tuto

is a really nice hands-on intro to `ansible`. Please read it!

If you want to develop or test scripts in here, try to work with virtual
machines first. The ``Vagrant`` section below explains the details.
Server Lifecycle
================

When we get a server freshly installed from Hetzner, we want to make sure
that at least some common security holes are closed.


Right after first install: `bootstrap.yml`
------------------------------------------

For starters we "bootstrap" a server install with the ``bootstrap.yml``
playbook. This playbook does three things:

- It secures the ``SSHD`` config according to the recommendations from
  https://bettercrypto.org
- It adds accounts for admin users (including sudo rights)
- It disables root login via SSH.
Before the playbook can be run, you have to fix some things.

1) Make sure you can ssh into the systems as ``root``.

2) Make sure Python 2.x is installed on the target systems. This is no longer
   the case for instance for minimal Ubuntu images starting with 16.04 LTS
   (ansible needs a Python interpreter on every target host).

   If Python 2.x is not installed, do::

     # apt-get update
     # apt-get install python python-simplejson

   as `root` on each targeted system.

3) For each server to handle, make an entry in the ``[yet-untouched]`` section
   of the ``hosts`` file like this::

     # hosts
     [yet-untouched]
     h23.waeup.org ansible_user=root ansible_ssh_pass=so-secret ansible_sudo_pass="{{ ansible_ssh_pass }}"
     h24.waeup.org ansible_user=root ansible_ssh_pass=123456789 ansible_sudo_pass="{{ ansible_ssh_pass }}"

   The ``ansible_sudo_pass`` is not necessary for now, but will be needed if
   you want to run everything as a normal user. It is just a copy of
   ``ansible_ssh_pass``.

   Yes, this is a very dangerous part: these entries hold cleartext passwords,
   so you should not check these modifications in. Instead you should remove
   the entries after you are done.

4) Update the ``vars`` in ``bootstrap.yml``. Set ``permit_ssh_root`` to
   ``no`` or ``false`` unless SSH root access should stay enabled.

   Then, you have to create a dict of admin users. For each user we need a name
   (key) and a hashed password. This can be done like this::

     $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw

   which will create a random password and its SHA-512-hashed variant in a file
   called ``mypw``. If you do not have `diceware` installed, you can use
   `pwgen` (or any other password generator)::

     $ pwgen -s 33 | tee mypw | mkpasswd -s --method=sha-512 >> mypw

   The hashed variant then has to be entered as ``hashed_pw`` in the `vars` of
   ``bootstrap.yml``. Remember that ``mypw`` holds the cleartext password as
   well as the hash, so delete it once the hash is in place.

   In the end, there should be something like::

     # bootstrap.yml
     # ...
     vars:
       permit_ssh_root: false
       admin_users:
         user1:
           hashed_pw: "$6$Wsdfhwelkl32lslk32lkdslk43...."
         user2:
           hashed_pw: "$6$FDwlkjewlkWs2434SVRDE65DFF...."
     ...

   Please note that all users listed in this dict will have the same passwords
   on all servers handled when running the script.

5) Finally, run the play::

     $ ansible-playbook -i hosts -C bootstrap.yml

   to see whether the setup is fine (dry run, ``-C`` is check mode) and::

     $ ansible-playbook -i hosts bootstrap.yml

   to actually perform the changes.
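
Two of the steps above are easy to get wrong in a way that only shows up later: a
cleartext ``ansible_ssh_pass`` that ends up committed with the ``hosts`` file, and a
``hashed_pw`` that is not actually the ``mkpasswd`` output. The following is an added
pre-flight check for both, written for this README; it is not code from the
waeup-ansible repository. The inventory text and the vars dict in it are constructed
samples, and the function names are my own. ``find_inventory_secrets`` reads an
INI-style inventory and reports every literal secret (a ``{{ ... }}`` reference such as
the ``ansible_sudo_pass`` above is not reported, it only points at another variable);
``check_bootstrap_vars`` checks ``permit_ssh_root`` and that every ``hashed_pw`` has the
shape of a SHA-512 crypt hash.

```python
"""Pre-flight checks before running bootstrap.yml.

Added example, not code from the waeup-ansible repository.  It flags
cleartext passwords left in an INI-style ansible inventory and validates
the ``admin_users`` vars the README describes.  The inventory text and the
vars dict below are constructed samples; the function names are mine.
"""
import re
import shlex

# Inventory variables whose value is a secret when written literally.
SECRET_VARS = ("ansible_ssh_pass", "ansible_password",
               "ansible_sudo_pass", "ansible_become_pass")

# Shape of a SHA-512 crypt hash as produced by ``mkpasswd --method=sha-512``:
# "$6$", an optional "rounds=N$", a salt of up to 16 chars, "$", 86 hash chars.
SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")


def find_inventory_secrets(inventory_text):
    """Return (section, host, variable) for every literal secret found.

    A value like "{{ ansible_ssh_pass }}" is a Jinja reference to another
    variable, not a secret by itself, so it is not reported.
    """
    findings = []
    section = None
    for raw in inventory_text.splitlines():
        # shlex handles quoted values with spaces and drops '#' comments.
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if fields[0].startswith("[") and fields[0].endswith("]"):
            section = fields[0][1:-1]
            continue
        host, assignments = fields[0], fields[1:]
        for item in assignments:
            key, _, value = item.partition("=")
            if key in SECRET_VARS and not value.lstrip().startswith("{{"):
                findings.append((section, host, key))
    return findings


def check_bootstrap_vars(play_vars):
    """Return a list of problems with the ``vars`` of bootstrap.yml; empty is good."""
    problems = []
    # YAML "no" and "false" both load as False; accept the literal strings too.
    if play_vars.get("permit_ssh_root") not in (False, "no", "false"):
        problems.append("permit_ssh_root should be false (root login would stay open)")
    users = play_vars.get("admin_users") or {}
    if not users:
        problems.append("admin_users is empty: nobody could log in once root is locked out")
    for name, attrs in users.items():
        hashed = str((attrs or {}).get("hashed_pw", ""))
        if not SHA512_CRYPT.match(hashed):
            problems.append(f"{name}: hashed_pw is not a SHA-512 crypt hash "
                            "(expected the mkpasswd output starting with '$6$')")
    return problems


# Constructed sample inventory, mirroring the README's [yet-untouched] example.
SAMPLE_INVENTORY = """\
# hosts
[yet-untouched]
h23.waeup.org ansible_user=root ansible_ssh_pass=so-secret ansible_sudo_pass="{{ ansible_ssh_pass }}"
h24.waeup.org ansible_user=root ansible_ssh_pass=123456789 ansible_sudo_pass="{{ ansible_ssh_pass }}"

[bootstrapped]
h5.waeup.org ansible_user=ansible
"""

# Constructed vars: user1 carries a well-formed (but made-up) hash, user2 a
# cleartext password that was pasted in by mistake.
SAMPLE_VARS = {
    "permit_ssh_root": False,
    "admin_users": {
        "user1": {"hashed_pw": "$6$Wsdfhwelkl32lslk$" + "a1B2" * 21 + "cd"},
        "user2": {"hashed_pw": "correct-horse-battery"},
    },
}

if __name__ == "__main__":
    for section, host, var in find_inventory_secrets(SAMPLE_INVENTORY):
        print(f"[{section}] {host}: literal {var} in inventory, do not commit")
    for problem in check_bootstrap_vars(SAMPLE_VARS):
        print("bootstrap.yml:", problem)
```

Run against the samples it reports the two ``ansible_ssh_pass`` entries and the
cleartext ``user2`` password. To use it on the real files, load ``bootstrap.yml`` with
a YAML parser and pass its ``vars`` mapping to ``check_bootstrap_vars``; the regular
expression only checks the hash format, it cannot tell a weak password from a strong
one.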
105
106
107Vagrant
108=======
109
110In `Vagrantfile` we set up a vagrant environment which provides three
111hosts as virtualbox:
112
113  ``vh5.sample.org``, ``vh6.sample.org``, ``vh7.sample.org``
114
115running Ubuntu 14.04. ``vh5`` represents "virtual host 5" and should
116reflect h5.waeup.org. The same holds for ``vh6`` and ``vh7``
117accordingly.
118
119The three virtual hosts are for testing any upcoming ansible
120playbooks. They should be used before running playbooks on the real
121hosts!
122
123
124Initialize Vagrant Env
125----------------------
126
127You must have `vagrant` installed, if possible in a fairly recent
128version. I (uli) use `vagrant 1.8.1` (latest as time of writing).  As
129Ubuntu 14.04 is pretty outdated in that respect, I had to grab a .deb
130package from
131
132  https://www.vagrantup.com/downloads.html
133
134that could be installed with::
135
136 $ sudo dpkg -i vagrant_1.8.1_x86_64.deb
137
138
139When everything is in place, change into this directory and run::
140
141  $ vagrant up
142  Bringing machine 'vh5' up with 'virtualbox' provider...
143  Bringing machine 'vh6' up with 'virtualbox' provider...
144  Bringing machine 'vh7' up with 'virtualbox' provider...
145  ==> vh5: Importing base box 'ubuntu/trusty32'...
146  ...
147
148This will fetch Vagrant virtualbox images for trusty32, i.e. Ubuntu
14914.04 images, 32bit version (plays nice also on 64bit hosts).
150
151When hosts are being supplied by Hetzner or another hosting provider,
152then we normally get access as `root` user only. Therefore, After base
153init the root accounts of all hosts are enabled with password
154``vagrant``. This is done by the ansible playbook in
155``vagrant-provision.yml``.
156
157All three hosts provide ssh access via::
158
159  $ vagrant ssh vh0
160
161or equivalent commands. They have a user 'vagrant' installed, which
162can sudo without password.
163
164After install all three hosts can also be accessed as `root` using
165password `vagrant` (for example vh5):
166
167  $ ssh -l root 192.168.36.10
168
169See ``Vagrantfile`` for the IP addresses set.
170
171You can halt (all) the virtual hosts with::
172
173  $ vagrant halt



Ansible Environment
===================

The ansible environment should provide ansible roles and playbooks for
WAeUP related server administration.

The general file layout and naming should follow

  https://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout


Bootstrapping - Freshmechs
--------------------------

We call machines "freshmechs" that are freshly delivered from the
hosting provider or that were freshly provisioned by `vagrant` (see
above).

These machines are expected to have only a single root account and
normally a (security-wise) poor SSH configuration.

Bootstrapping these machines means we secure SSH, restart the SSH
daemon and then add important accounts: "uli", "henrik", "ansible".

To make sure the connection to a "freshmech" works, you should log in
via SSH at least once before proceeding with ansible and all bells and
whistles::

  ssh -l root 192.168.36.10

(with the real IP of the machine you want to reach, of course). This
first login also records the host key in your ``known_hosts`` file,
which later ansible runs are checked against.

Any host you want to "bootstrap" must be entered in a local hosts
file, normally ``hosts-virtual``, with a line like this::

  [yet-untouched]
  vh5.sample.org ansible_host=192.168.36.10 ansible_user=root

in the "yet-untouched" section.

Afterwards try::

  $ ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml

The ``--ask-pass`` parameter is needed to enter the password given by
the provider on the command line, instead of writing it into the hosts
file. For the local `vagrant` machines this will be `vagrant`.

If run on local virtual machines, you might want to make sure that
your local `known_hosts` file does not contain an old ssh host
fingerprint from an earlier incarnation of the virtual machine.
Otherwise you have to remove entries for::

  192.168.36.10
  192.168.36.11
  192.168.36.12

respectively before running `bootstrap.yml`.

Alternatively you can run everything with the
`ANSIBLE_HOST_KEY_CHECKING` environment variable set to ``False``::

  $ ANSIBLE_HOST_KEY_CHECKING=False  ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml

This will suppress host fingerprint checking entirely, so it is only
acceptable for throwaway local virtual machines, never for the real hosts.
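
Removing the stale entries is the cleaner alternative to switching host key checking
off, and ``ssh-keygen -R <host>`` does exactly that for one host at a time. The
following is an added example, not code from the waeup-ansible repository, that does
the same for the three vagrant IPs at once and shows what the matching involves when
``HashKnownHosts`` is on: OpenSSH then stores ``|1|<salt>|<HMAC-SHA1(salt, hostname)>``
instead of the hostname, so an entry can only be found by recomputing the HMAC. The
``known_hosts`` content and the key material in it are constructed placeholders; the
function names are my own.

```python
"""Drop stale host-key entries for given hosts from known_hosts content.

Added example, not code from the waeup-ansible repository.  It does for a
list of hosts what ``ssh-keygen -R <host>`` does for one, including the
hashed entry format ("|1|salt|digest") written with HashKnownHosts, where
only HMAC-SHA1(salt, hostname) is stored.  The known_hosts text below is
constructed and the key material is a placeholder.
"""
import base64
import hashlib
import hmac

# The three IPs the README says may carry stale fingerprints.
STALE_HOSTS = ["192.168.36.10", "192.168.36.11", "192.168.36.12"]


def hash_known_host(hostname, salt):
    """Build the hashed hostname field OpenSSH writes with HashKnownHosts yes."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def hashed_field_matches(field, hostname):
    """True if a "|1|salt|digest" field was produced from hostname."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
    except ValueError:
        return False
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), parts[3])


def hosts_field_matches(hosts_field, hostname):
    """Match one known_hosts host field (comma-separated patterns) against hostname."""
    for pattern in hosts_field.split(","):
        if pattern.startswith("|"):
            if hashed_field_matches(pattern, hostname):
                return True
            continue
        pattern = pattern.lstrip("!")          # a negated pattern still names the host
        if pattern.startswith("["):            # "[host]:port" form for non-default ports
            pattern = pattern[1:pattern.rfind("]")]
        if pattern == hostname:
            return True
    return False


def remove_stale_entries(known_hosts_text, hostnames):
    """Return (cleaned text, number of removed lines)."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # "@cert-authority" / "@revoked" markers shift the hosts field right by one.
        hosts_field = fields[1] if fields[0].startswith("@") else fields[0]
        if any(hosts_field_matches(hosts_field, h) for h in hostnames):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept), removed


# Constructed known_hosts content: three stale entries for the vagrant IPs (one
# hashed, one sharing its line with a hostname) plus one entry that must survive.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-key"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# stale keys from an earlier `vagrant up`",
    "192.168.36.10 " + KEY,
    "vh6.sample.org,192.168.36.11 " + KEY,
    hash_known_host("192.168.36.12", b"constructed-20-byte!") + " " + KEY,
    "[h5.waeup.org]:2222 " + KEY,
])

if __name__ == "__main__":
    cleaned, removed = remove_stale_entries(SAMPLE_KNOWN_HOSTS, STALE_HOSTS)
    print("removed %d stale entries" % removed)
    print(cleaned)
```

On a real file, read ``~/.ssh/known_hosts``, pass its content through
``remove_stale_entries`` and write the result back; the next ``ssh`` or ansible run then
learns the new key of the re-created machine instead of refusing the connection, and
host key checking stays on.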