Mastering Ansible: A Comprehensive Guide to Configuration and Privilege Management
Introduction:
Welcome to our in-depth exploration of Ansible, a versatile automation tool widely used for configuration management and task orchestration. In this comprehensive guide, we’ll provide an extensive breakdown of Ansible configuration commands, user management on the controller node, executing commands on the target node, and mastering privilege escalation.
Understanding Ansible Configuration Commands:
ansible-config list:
The ansible-config list command is your gateway to the heart of Ansible's configuration. It presents a detailed list of configuration options supported by Ansible, showcasing defaults and allowing users to customize settings based on their specific needs. The 'default' keyword plays a crucial role in setting initial values, which can be easily overridden by user-defined configurations.
ansible-config view:
When troubleshooting or inspecting the current state of your configuration, the ansible-config view command comes in handy. This command allows you to examine the content of the configuration file, giving you a bird's-eye view of your current Ansible setup.
ansible-config dump | less:
For those who prefer a more readable format, ansible-config dump | less is a powerful command. This not only displays the current configuration options but does so in a user-friendly manner using the 'less' command. Scrolling through the options becomes more accessible, aiding in quick reference and analysis.
ansible-config init:
Creating an entire configuration file is simplified with ansible-config init. This command initializes a basic configuration file, providing a starting point for users to customize according to their requirements.
ansible-config init > /etc/ansible/ansible.cfg:
To save the newly created configuration file at a specific location, such as /etc/ansible/ansible.cfg, users can redirect the output of ansible-config init to their desired path. This enables easy access and modification of the configuration file.
ansible-config init --disabled > /etc/ansible/ansible.cfg:
The --disabled option comes into play when certain keywords are not supported in the configuration file. It writes every option commented out, so nothing in the generated file takes effect until you uncomment it; this avoids potential conflicts and ensures a smoother configuration process.
vim /etc/ansible/ansible.cfg:
Opening the configuration file in the Vim editor allows for detailed customization. Users can uncomment specific options, tailoring the configuration to their unique needs and preferences.
ansible --version:
Verifying your Ansible installation is crucial. The ansible --version command reports the installed Ansible version and configuration details, including which configuration file is in use, offering assurance that your setup aligns with your expectations.
Managing Users and Configuration on the Controller Node:
Creating a General User:
In the realm of security best practices, leveraging Ansible as a general user rather than the root user is highly recommended. This ensures that Ansible operations do not unnecessarily wield administrative powers.
1. useradd (username):
- The useradd command is employed to create a new user. Replace "(username)" with your desired username.
2. passwd (username):
- Set a password for the newly created user using the passwd command.
Handling Configuration Files:
When operating as a general user, specific steps are required to manage configuration files effectively.
1. ansible-config init --disabled > ansible.cfg:
- The ansible-config init --disabled command is especially useful when working with a general user, as it ensures that unsupported keywords are commented out, preventing potential conflicts during command execution.
2. vim /etc/ansible/ansible.cfg:
- Open the configuration file with the Vim editor, providing a platform for uncommenting desired options and customizing the configuration to meet specific requirements.
Creating a New Inventory File:
In the context of user management, generating a new inventory file for the general user is essential. Ensure that the path to the inventory file is updated in the configuration file.
Executing Commands on the Target Node:
1. Creating a General User on the Target Node:
- Disable the root account and create a general user on the target node, following the same principles applied on the controller node.
2. Updating /etc/sudoers:
- Grant extra privileges to the user in the sudoers file. This step is crucial for executing admin-level commands on the target node without hindrance.
3. ansible all -a id:
- Verify the setup by running basic commands on the target node. This ensures that the general user has the necessary permissions to execute essential operations.
Handling Privilege Escalation:
Updating /etc/sudoers on Target Node:
Privilege escalation is a key consideration when executing admin-level commands on the target node. Updating the sudoers file is a critical step in this process.
1. which:
- Use the which command to determine the full path of a command. This information is crucial when updating the sudoers file.
2. Updating /etc/sudoers:
- Open the sudoers file with the Vim editor and add an entry for the new user, specifying the full paths of commands that require elevated privileges.
devops ALL=(ALL) NOPASSWD: /full/path/to/command
- The NOPASSWD keyword ensures that the user's password is not required when executing commands with sudo.
3. which:
- Repeat the which command for each command you plan to run with sudo, ensuring accurate path information for the sudoers file.
4. Updating /etc/sudoers:
- Amend the sudoers file to include the necessary entries for all admin-level commands.
devops ALL=(ALL) NOPASSWD: /full/path/to/command1, /full/path/to/command2, …
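One way to carry out the which-then-sudoers steps above without hand-editing, as an added example that is not part of the original guide: it resolves each command name to an absolute path, builds the devops entry, and syntax-checks it with visudo -cf on a temporary copy. The function names are hypothetical, and ls and id are stand-in commands.

```shell
#!/bin/sh
# Added example: "devops" is the user from this page; function names are
# hypothetical. Nothing here writes to /etc/sudoers.

# Resolve command names to absolute paths (the job `which` does above) and
# print them as one comma-separated list. A name that is missing, or that
# resolves to a shell builtin or alias rather than a file, is rejected.
resolve_cmds() {
    list=""
    for name in "$@"; do
        resolved=$(command -v "$name") || { echo "not found: $name" >&2; return 1; }
        case "$resolved" in
            /*) ;;
            *) echo "no absolute path for: $name" >&2; return 1 ;;
        esac
        list="${list:+$list, }$resolved"
    done
    printf '%s\n' "$list"
}

# Print the sudoers entry in the form used on this page.
sudoers_line() {
    user=$1; shift
    cmds=$(resolve_cmds "$@") || return 1
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$cmds"
}

# Syntax-check a candidate entry with visudo before installing it.
# Returns 0 if valid, 1 if rejected, 2 if visudo is not available.
check_sudoers_line() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: build the entry, check it, and only then print it for review.
if line=$(sudoers_line devops ls id); then
    check_sudoers_line "$line" && status="valid" || status="not validated (rc=$?)"
    echo "$status: $line"
fi
```

A syntax error in the sudoers file can leave sudo unusable on the target node, which is why the entry is checked on a temporary copy first.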
Setting Up Ansible Configuration File:
Simplify privilege escalation by modifying the Ansible configuration file. This one-time setup eliminates the need to include become-method options in each command.
1. Open Ansible Configuration File:
- Open the ansible.cfg file in a text editor of your choice.
2. Adding Privilege Escalation Configuration:
- Locate the [privilege_escalation] section in the configuration file.
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
- The configuration above enables privilege escalation by default, specifies that Ansible should use sudo for it, sets the user to become to 'root', and disables the password prompt.
Executing Ansible Commands:
With the setup complete, executing Ansible commands becomes a seamless process. For example:
ansible all -m package -a "name=httpd state=present"
Because become is enabled in ansible.cfg, privilege escalation is handled as if the --become option had been given, without prompting for a password. This allows for efficient execution of admin-level commands on target nodes.
Conclusion:
In conclusion, this detailed guide serves as a comprehensive resource for mastering Ansible. By understanding Ansible configuration commands, efficiently managing users on the controller node, executing commands on the target node, and mastering privilege escalation, users can harness the full potential of Ansible for automation and configuration management. Start your journey to mastering Ansible today!