Ansible Users Role
In this tutorial we will cover how to use our Docker and Ansible setup to configure one or more Users on our target server. You should have completed the previous tutorials or have an equivalent setup before continuing.
As covered in the previous tutorial, we could either opt to make our own role for this. Or we can leverage the community, which imho is the whole point of using Ansible.
I've settled on the imaginatively titled
ansible-users role from Singleplatform Eng.
At the time of writing / recording, we're going with
v1.2.5, and this release is about 7 months old. To me this says "largely stable".
Here's an example config from the repo readme:
--- users: - username: foo name: Foo Barrington groups: ['wheel','systemd-journal'] uid: 1001 home: /local/home/foo profile: | alias ll='ls -lah' ssh_key: - "ssh-rsa AAAAA.... foo@machine" - "ssh-rsa AAAAB.... foo2@machine" groups_to_create: - name: developers gid: 10000 users_deleted: - username: bar name: Bar User uid: 1002
For our Rancher 2 / Kubernetes needs, I am going to add the following config to
--- users: - username: rancherk8s name: Rancher Kubernetes password: b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86 groups: ['docker'] uid: 1001 ssh_key: - "ssh-rsa AAAAA.... foo@machine"
Note that the
docker group only exists because we installed Docker onto our server in the previous tutorial video. This places an implicit dependency on the way in which we list the roles in our playbook.
I'm happy with this as if the
docker group does not exist, the playbook run will fail with a fairly self explanatory error message:
"Group docker does not exist"
My opinion is that if the group doesn't exist, then something has gone wrong in our setup. I'd rather fail hard here, than create the group if it doesn't exist and continue. This would likely mean Docker has not installed properly anyway.
You may not agree with this, so please adapt accordingly.
As it stands, this user is going to get added to any server in the
rancher-2-kubernetes-node group. This is just a single server, for the moment. As we grow our K8s infrastructure, this will give us the ability to grow in a sane way.
I haven't listed my public SSH key here, but you can find yours with this handy guide from GitHub. Actually I use four different keys due to all the different computers I frequently use. You can list as many as you need, just add as many lines as needed.
To generate a password hash you will need a tool like
mkpasswd --method=SHA-512 # or mkpasswd --method=SHA-512 --rounds=10000
As ever, change any / all of this to meet your own needs. This is not intended to be military secure, and you should always use your own best judgement.
Before we can use the
singleplatform-eng/users role, we need to pull this role down from Ansible Galaxy.
Depending on whether you added a
Makefile entry as suggested in the previous tutorial or not, you will need to run either:
docker run --rm \ -v $(CURDIR):/crv-ansible \ -w /crv-ansible \ williamyeh/ansible:alpine3 \ ansible-galaxy install singleplatform-eng.users
make install_role role="singleplatform-eng.users"
Don't forget to add the role to your
--- - name: Rancher 2 Kubernetes Nodes hosts: rancher-2-kubernetes-nodes roles: - codereviewvideos.common - geerlingguy.docker - singleplatform-eng.users
To finish up adding our user(s) with Docker and Ansible, we just need to run
PLAY RECAP ********************************************************************* 188.8.131.52 : ok=6 changed=0 unreachable=0 failed=0
You should now be able to log in via ssh:
ssh firstname.lastname@example.org Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-38-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. rancherk8s@Ubuntu-1604-xenial-64-minimal:~$
That is us done.
We have learned how to perform the basics of using Ansible to help provisioning a remote server using both our own, and third party roles.
In the next video, we will install and configure our firewall.