Ansible Users Role

In this tutorial we will cover how to use our Docker and Ansible setup to configure one or more Users on our target server. You should have completed the previous tutorials or have an equivalent setup before continuing.

As covered in the previous tutorial, we could either opt to make our own role for this. Or we can leverage the community, which imho is the whole point of using Ansible.

I've settled on the imaginatively titled ansible-users role from Singleplatform Eng.

At the time of writing / recording, we're going with v1.2.5, and this release is about 7 months old. To me this says "largely stable".

Here's an example config from the repo readme:

  - username: foo
    name: Foo Barrington
    groups: ['wheel','systemd-journal']
    uid: 1001
    home: /local/home/foo
    profile: |
      alias ll='ls -lah'
      - "ssh-rsa AAAAA.... foo@machine"
      - "ssh-rsa AAAAB.... foo2@machine"
  - name: developers
    gid: 10000
  - username: bar
    name: Bar User
    uid: 1002

For our Rancher 2 / Kubernetes needs, I am going to add the following config to /group_vars/rancher-2-kubernetes-node:

  - username: rancherk8s
    name: Rancher Kubernetes
    password: b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
    groups: ['docker']
    uid: 1001
      - "ssh-rsa AAAAA.... foo@machine"

Note that the docker group only exists because we installed Docker onto our server in the previous tutorial video. This places an implicit dependency on the way in which we list the roles in our playbook.

I'm happy with this as if the docker group does not exist, the playbook run will fail with a fairly self explanatory error message:

"Group docker does not exist"

My opinion is that if the group doesn't exist, then something has gone wrong in our setup. I'd rather fail hard here, than create the group if it doesn't exist and continue. This would likely mean Docker has not installed properly anyway.

You may not agree with this, so please adapt accordingly.

As it stands, this user is going to get added to any server in the rancher-2-kubernetes-node group. This is just a single server, for the moment. As we grow our K8s infrastructure, this will give us the ability to grow in a sane way.

I haven't listed my public SSH key here, but you can find yours with this handy guide from GitHub. Actually I use four different keys due to all the different computers I frequently use. You can list as many as you need, just add as many lines as needed.

To generate a password hash you will need a tool like mkpasswd:

mkpasswd --method=SHA-512
# or
mkpasswd --method=SHA-512 --rounds=10000

As ever, change any / all of this to meet your own needs. This is not intended to be military secure, and you should always use your own best judgement.

Before we can use the singleplatform-eng/users role, we need to pull this role down from Ansible Galaxy.

Depending on whether you added a Makefile entry as suggested in the previous tutorial or not, you will need to run either:

docker run --rm \
    -v $(CURDIR):/crv-ansible \
    -w /crv-ansible \
    williamyeh/ansible:alpine3 \
    ansible-galaxy install singleplatform-eng.users


make install_role role="singleplatform-eng.users"

Don't forget to add the role to your rancher-2-kubernetes-node.yml playbook:

- name: Rancher 2 Kubernetes Nodes
  hosts: rancher-2-kubernetes-nodes
     - codereviewvideos.common
     - geerlingguy.docker
     - singleplatform-eng.users

To finish up adding our user(s) with Docker and Ansible, we just need to run make run_playbook:

PLAY RECAP *********************************************************************                : ok=6    changed=0    unreachable=0    failed=0

You should now be able to log in via ssh:

ssh rancherk8s@

Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-38-generic x86_64)

 * Documentation:
 * Management:
 * Support:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


That is us done.

We have learned how to perform the basics of using Ansible to help provisioning a remote server using both our own, and third party roles.

In the next video, we will install and configure our firewall.