From 4c9ff2c006606e8c506e547f41fccd180cd26de5 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Thu, 17 Oct 2019 12:23:55 +0000 Subject: [PATCH 01/15] Simplify and consolidate tasks --- .../openstack/roles/check/tasks/main.yaml | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/cloud/ansible/openstack/roles/check/tasks/main.yaml b/cloud/ansible/openstack/roles/check/tasks/main.yaml index bc020151..385be4dc 100644 --- a/cloud/ansible/openstack/roles/check/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/check/tasks/main.yaml @@ -1,28 +1,17 @@ -- name: Install pwgen +- name: Install dependencies package: - name: pwgen - state: present - -- name: Install setuptools - package: - name: python-setuptools - state: present - -- name: Install pip - package: - name: python-pip + name: + - pwgen + - python-setuptools + - python-pip state: present - name: Install openstacksdk pip: name: openstacksdk -- name: Set fact for agent forwarding - set_fact: - agent_forwarding: "{{ lookup('env','SSH_AUTH_SOCK') }}" - - name: Check if agent forwarding is enabled fail: msg: Please enable agent forwarding to allow Ansible to connect to the remote host! ignore_errors: yes - when: agent_forwarding == "" + when: lookup('env','SSH_AUTH_SOCK') == "" From 78f9a83b0430b876ecdbbf267c35601e98193c3d Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 14:02:53 +0000 Subject: [PATCH 02/15] Remove unneeded become declarations --- cloud/ansible/openstack/deploy_tpot.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/cloud/ansible/openstack/deploy_tpot.yaml b/cloud/ansible/openstack/deploy_tpot.yaml index 88909b17..c06ef4c5 100644 --- a/cloud/ansible/openstack/deploy_tpot.yaml +++ b/cloud/ansible/openstack/deploy_tpot.yaml @@ -1,8 +1,6 @@ - name: Check host prerequisites hosts: localhost become: yes - become_user: root - become_method: sudo roles: - check 
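Review bot: The agent-forwarding check is still advisory: the `fail:` task keeps `ignore_errors: yes` (context line), so the new `when: lookup('env','SSH_AUTH_SOCK') == ""` only prints the message and the play proceeds to the OpenStack steps, which then fail later with a less clear error. If the check is meant to gate the run, drop `ignore_errors`; if a warning is intended, a `debug:` task says so more honestly, and in either case `yes` should be the canonical `true`. The `lookup('env', ...)` is evaluated on the controller, which is correct here because this role runs on `localhost` (visible in the PATCH 02 context).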
@@ -15,8 +13,6 @@ hosts: TPOT remote_user: linux become: yes - become_user: root - become_method: sudo gather_facts: no roles: - install From 602ebfc9523bd3f039816b1c0dde82c79b235f6e Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 14:06:17 +0000 Subject: [PATCH 03/15] Remove waiting delay --- cloud/ansible/openstack/roles/install/tasks/main.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml index f6e65e2f..fed3b276 100644 --- a/cloud/ansible/openstack/roles/install/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml @@ -1,7 +1,5 @@ - name: Waiting for SSH connection wait_for_connection: - delay: 30 - timeout: 300 - name: Gathering facts setup: From 34f335c7e6609e8594d7518d1f3c1cb891c41b5f Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 14:12:08 +0000 Subject: [PATCH 04/15] Don't print user password in taskname --- cloud/ansible/openstack/roles/install/tasks/main.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml index fed3b276..e72c3381 100644 --- a/cloud/ansible/openstack/roles/install/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml @@ -12,16 +12,14 @@ - name: Prepare to set user password set_fact: user_name: "{{ ansible_user }}" - user_password: "{{ user_password }}" user_salt: "s0mew1ck3dTpoT" -- name: Changing password for user {{ user_name }} to {{ user_password }} +- name: Changing password for user {{ user_name }} user: name: "{{ ansible_user }}" password: "{{ user_password | password_hash('sha512', user_salt) }}" state: present shell: /bin/bash - update_password: always - name: Copy T-Pot configuration file template: From 2076cea40f11249124d2510acae56445d0d4c01c Mon Sep 17 00:00:00 2001 
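Review bot: The password hash in the `user:` task still uses the hard-coded salt `user_salt: "s0mew1ck3dTpoT"` (context line kept by this hunk), so every T-Pot deployed with the same `user_password` gets an identical hash, and the salt itself is public in the repository. A stable per-host salt keeps the task idempotent while avoiding this, e.g. `password: "{{ user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"` as shown in the Ansible FAQ, after which `user_salt` and the `set_fact` task are no longer needed. Dropping `update_password: always` is behaviour-neutral since `always` is the module default, which is worth a word in the commit message; the task list continues outside the hunk.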
From: Sebastian Haderecker Date: Mon, 21 Oct 2019 14:13:04 +0000 Subject: [PATCH 05/15] Shorten task name --- cloud/ansible/openstack/roles/install/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml index e72c3381..6bea0ecf 100644 --- a/cloud/ansible/openstack/roles/install/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml @@ -29,7 +29,7 @@ group: root mode: 0644 -- name: Install T-Pot on instance - be patient, this might take 15 to 30 minutes depending on the connection speed. No further output is given. +- name: Install T-Pot on instance - be patient, this might take 15 to 30 minutes depending on the connection speed. command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf - name: Delete T-Pot configuration file From cbb2b66a723d5d815c40f4f94415aae60c95fce2 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 14:40:19 +0000 Subject: [PATCH 06/15] Hide secrets from log output --- cloud/ansible/openstack/roles/deploy/tasks/main.yaml | 1 + cloud/ansible/openstack/roles/install/tasks/main.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml index 5a0ec914..7e7826b8 100644 --- a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml @@ -5,6 +5,7 @@ - name: Import OpenStack authentication variables include_vars: file: roles/deploy/vars/os_auth.yaml + no_log: true - name: Create security group os_security_group: diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml index 6bea0ecf..b931cc77 100644 --- a/cloud/ansible/openstack/roles/install/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml 
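Review bot: `no_log: true` on the `include_vars` task masks only that task's own result; the OpenStack credentials loaded from `roles/deploy/vars/os_auth.yaml` become ordinary play variables and can still appear in the failure output of any later task that passes them as module arguments (the `os_security_group` task that follows, for instance) unless those tasks are also `no_log`. Since the `os_*` modules run on openstacksdk, supplying credentials through `clouds.yaml` or `OS_*` environment variables and the modules' `cloud` parameter keeps them out of play variables altogether; at minimum, vault-encrypt `os_auth.yaml` or keep it out of version control.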
@@ -13,6 +13,7 @@ set_fact: user_name: "{{ ansible_user }}" user_salt: "s0mew1ck3dTpoT" + no_log: true - name: Changing password for user {{ user_name }} user: From 71523cf7efdb95a6718816f045ade998c2bf31dd Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 20:17:00 +0000 Subject: [PATCH 07/15] I love double quotes --- cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml index 197403bd..a484f34e 100644 --- a/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml @@ -9,5 +9,5 @@ - name: Patching tpot.yml with custom ews configuration file lineinfile: path: /opt/tpot/etc/tpot.yml - insertafter: '/opt/ewsposter/ews.ip' - line: ' - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg' + insertafter: "/opt/ewsposter/ews.ip" + line: " - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg" From 145856960cc8a50d59ffbe271afbb389eb21ec4c Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 20:19:18 +0000 Subject: [PATCH 08/15] Use copy module --- .../roles/custom_hpfeeds/{templates => files}/hpfeeds.cfg | 0 cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename cloud/ansible/openstack/roles/custom_hpfeeds/{templates => files}/hpfeeds.cfg (100%) diff --git a/cloud/ansible/openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg b/cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg similarity index 100% rename from cloud/ansible/openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg rename to cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg diff --git a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml index 421d1ed6..e54b093d 100644 
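Review bot: `no_log: true` is attached to the `set_fact` task, which after PATCH 04 only sets `user_name` and `user_salt`; the task that actually receives `user_password` is the following `user:` task, whose body lies outside this hunk. If the goal is to keep the password out of the log, the `no_log: true` belongs on that task as well — the `user` module masks its `password` argument in normal output, but I believe a verbose (`-vvv`) or failed run can still expose the rendered input. Moving or duplicating the line is a one-line change.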
--- a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml @@ -1,6 +1,6 @@ - name: Copy hpfeeds configuration file - template: - src: ../templates/hpfeeds.cfg + copy: + src: ../files/hpfeeds.cfg dest: /data/ews/conf owner: root group: root From 8314a7d34a30ba396baa9cde004fe6a87b595901 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 21 Oct 2019 22:14:48 +0000 Subject: [PATCH 09/15] Fix wrong order of variables - Align with all example configs - This is important for Ansible to check wether the file has changed --- bin/hpfeeds_optin.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/hpfeeds_optin.sh b/bin/hpfeeds_optin.sh index ff27a5b8..dceb9c29 100755 --- a/bin/hpfeeds_optin.sh +++ b/bin/hpfeeds_optin.sh @@ -78,9 +78,9 @@ myENABLE=$myENABLE myHOST=$myHOST myPORT=$myPORT myCHANNEL=$myCHANNEL +myCERT=$myCERT myIDENT=$myIDENT mySECRET=$mySECRET -myCERT=$myCERT myFORMAT=$myFORMAT EOF } From 6224146cde8bb233203e87372c66c741caede266 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Fri, 25 Oct 2019 12:37:16 +0200 Subject: [PATCH 10/15] Update README:md: Agent Forwarding --- cloud/ansible/README.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 359e5bf7..cd21a9f6 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md 
@@ -50,19 +50,13 @@ For other OSes and Distros have a look at the official [Ansible Documentation](h ## Agent Forwarding -Agent Forwarding must be enabled in order to let Ansible do its work. +If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines. - On Linux or macOS: - Create or edit `~/.ssh/config` - - If you run the Ansible Playbook remotely on your Ansible Master Server: ``` Host ANSIBLE_MASTER_IP ForwardAgent yes ``` - - If you run the Ansible Playbook locally, enable it for all hosts, as this includes newly generated T-Pots: - ``` - Host * - ForwardAgent yes - ``` - On Windows using Putty for connecting to your Ansible Master Server: ![Putty Agent Forwarding](doc/putty_agent_forwarding.png) From 9c7c6ac4a3d3b8fbe2660f60d4d34b29113a4e7c Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Fri, 25 Oct 2019 12:38:05 +0200 Subject: [PATCH 11/15] Update README.md --- cloud/ansible/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index cd21a9f6..1e173748 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -57,7 +57,7 @@ If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Fo Host ANSIBLE_MASTER_IP ForwardAgent yes ``` -- On Windows using Putty for connecting to your Ansible Master Server: +- On Windows using Putty: ![Putty Agent Forwarding](doc/putty_agent_forwarding.png) From 170439d977348cf0aa608cc993607b56d43dd182 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 28 Oct 2019 11:49:57 +0000 Subject: [PATCH 12/15] Tweak hpfeeds setup - Fix owner and file permissions for proper comparison - Only execute the hpfeeds script when the config file has changed --- .../openstack/roles/custom_hpfeeds/tasks/main.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml index e54b093d..4c5a2c0e 100644 --- a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml @@ -2,9 +2,11 @@ copy: src: ../files/hpfeeds.cfg dest: /data/ews/conf - owner: root - group: root - mode: 0644 + owner: tpot + group: tpot + mode: 0770 + register: config - name: Applying hpfeeds settings command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg + when: config.changed == true From 68a10a2f1f17894e63f90cab6a6caa8bb0dc8560 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 28 Oct 2019 11:59:39 +0000 Subject: [PATCH 13/15] Fire and forget: Move reboot task to background Execute the reboot command asynchronously, so Ansible doesn't report an error. --- cloud/ansible/openstack/roles/reboot/tasks/main.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cloud/ansible/openstack/roles/reboot/tasks/main.yaml b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml index 1490ebfb..946d38d1 100644 --- a/cloud/ansible/openstack/roles/reboot/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml @@ -1,6 +1,7 @@ -- name: Finally rebooting T-Pot in one minute - shell: /sbin/shutdown -r -t 1 - become: true +- name: Finally rebooting T-Pot + command: shutdown -r now + async: 1 + poll: 0 - name: Next login options debug: From c5ddfd0a7226b0aec61ce3d2923402693c08a447 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sun, 3 Nov 2019 19:58:32 +0000 Subject: [PATCH 14/15] Add SSH ServerAliveInterval Fixes occasional hangup of long running tasks --- cloud/ansible/openstack/ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud/ansible/openstack/ansible.cfg b/cloud/ansible/openstack/ansible.cfg index 0e7d2cb7..6278bc50 100644 --- a/cloud/ansible/openstack/ansible.cfg 
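Review bot: `mode: 0770` gives the hpfeeds configuration file execute and group-write bits it does not need; a config file that presumably carries the hpfeeds identity and secret and is only read by `/opt/tpot/bin/hpfeeds_optin.sh` can be `mode: "0640"` (quoted so YAML does not reinterpret the literal). `when: config.changed == true` compares a boolean to a literal; the idiomatic form is `when: config.changed`. Note also that gating the script on the file change means a failed or interrupted `hpfeeds_optin.sh` run is not retried on the next play until the file changes again; if that matters, a handler triggered via `notify:` on the copy task behaves the same way but makes the intent explicit.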
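Review bot: `shutdown -r now` with `async: 1` and `poll: 0` tears the SSH session down immediately, and the one-second async budget gives the wrapper little time to detach before the host goes down, so the task can still surface a connection error intermittently. The documented fire-and-forget form inserts a short delay, `shell: sleep 2 && shutdown -r now`, or, since this is a plain reboot, the `reboot` module (Ansible 2.7+) handles the disconnect and waits for the host to return. The removed `become: true` now relies on the play-level `become: yes` in deploy_tpot.yaml (visible in the PATCH 02 context), which is fine as long as the role is not reused from a play without it.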
+++ b/cloud/ansible/openstack/ansible.cfg @@ -3,3 +3,4 @@ host_key_checking = false [ssh_connection] scp_if_ssh = true +ssh_args = -o ServerAliveInterval=10 From d15005195d8b10a264d6e5955308c92d35cf44e3 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sun, 3 Nov 2019 22:15:52 +0000 Subject: [PATCH 15/15] Increase ServerAliveInterval --- cloud/ansible/openstack/ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/openstack/ansible.cfg b/cloud/ansible/openstack/ansible.cfg index 6278bc50..eab457fb 100644 --- a/cloud/ansible/openstack/ansible.cfg +++ b/cloud/ansible/openstack/ansible.cfg @@ -3,4 +3,4 @@ host_key_checking = false [ssh_connection] scp_if_ssh = true -ssh_args = -o ServerAliveInterval=10 +ssh_args = -o ServerAliveInterval=60
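Review bot: Setting `ssh_args` replaces Ansible's default value (`-C -o ControlMaster=auto -o ControlPersist=60s`) rather than appending to it, so this line silently disables SSH connection multiplexing and compression for every task; the same applies to the PATCH 15 hunk that raises the interval. Keep the defaults and add the keepalive: `ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ServerAliveInterval=60`. The neighbouring `host_key_checking = false` (context line) remains the larger exposure in this file, since it accepts any host key for the freshly created instances; pinning the instance key into known_hosts after creation would be a worthwhile follow-up.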