- Security Automation with Ansible 2
- Madhu Akula Akash Mahajan
- 844字
- 2021-07-02 21:59:52
LAMP stack playbook example – combining all the concepts
We will look at how to write a LAMP stack playbook using the skills we have learned so far. Here is the high-level hierarchy structure of the entire playbook:
inventory # inventory file
group_vars/ #
all.yml # variables
site.yml # master playbook (contains list of roles)
roles/ #
common/ # common role
tasks/ #
main.yml # installing basic tasks
web/ # apache2 role
tasks/ #
main.yml # install apache
templates/ #
web.conf.j2 # apache2 custom configuration
vars/ #
main.yml # variables for web role
handlers/ #
main.yml # start apache2
php/ # php role
tasks/ #
main.yml # installing php and restart apache2
db/ # db role
tasks/ #
main.yml # install mysql and include harden.yml
harden.yml # security hardening for mysql
handlers/ #
main.yml # start db and restart apache2
vars/ #
main.yml # variables for db role
Let's start with creating an inventory file. The following inventory file is created using static manual entry. Here is a very basic static inventory file where we will define a since host and set the IP address used to connect to it.
Configure the following inventory file as required:
[lamp]
lampstack ansible_host=192.168.56.10
The following file is group_vars/lamp.yml, which has the configuration of all the global variables:
remote_username: "hodor"
The following file is the site.yml, which is the main playbook file to start:
- name: LAMP stack setup on Ubuntu 16.04
hosts: lamp
gather_facts: False
remote_user: "{{ remote_username }}"
become: True
roles:
- common
- web
- db
- php
The following is the roles/common/tasks/main.yml file, which will install python2, curl, and git:
# In ubuntu 16.04 by default there is no python2
- name: install python 2
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
- name: install curl and git
apt:
name: "{{ item }}"
state: present
update_cache: yes
with_items:
- curl
- git
The following task, roles/web/tasks/main.yml, performs multiple operations, such as installation and configuration of apache2. It also adds the service to the startup process:
- name: install apache2 server
apt:
name: apache2
state: present
- name: update the apache2 server configuration
template:
src: web.conf.j2
dest: /etc/apache2/sites-available/000-default.conf
owner: root
group: root
mode: 0644
- name: enable apache2 on startup
systemd:
name: apache2
enabled: yes
notify:
- start apache2
The notify parameter will trigger the handlers found in roles/web/handlers/main.yml:
- name: start apache2
systemd:
state: started
name: apache2
- name: stop apache2
systemd:
state: stopped
name: apache2
- name: restart apache2
systemd:
state: restarted
name: apache2
daemon_reload: yes
The template files will be taken from role/web/templates/web.conf.j2, which uses Jinja templating, it also takes values from local variables:
<VirtualHost *:80><VirtualHost *:80>
ServerAdmin {{server_admin_email}}
DocumentRoot {{server_document_root}}
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The local variables file is located in roles/web/vars/main.yml:
server_admin_email: hodor@localhost.local
server_document_root: /var/www/html
Similarly, we will write database roles as well. The following file roles/db/tasks/main.yml includes installation of the database server with assigned passwords when prompted. At the end of the file, we included harden.yml, which executes another set of tasks:
- name: set mysql root password
debconf:
name: mysql-server
question: mysql-server/root_password
value: "{{ mysql_root_password | quote }}"
vtype: password
- name: confirm mysql root password
debconf:
name: mysql-server
question: mysql-server/root_password_again
value: "{{ mysql_root_password | quote }}"
vtype: password
- name: install mysqlserver
apt:
name: "{{ item }}"
state: present
with_items:
- mysql-server
- mysql-client
- include: harden.yml
The harden.yml performs hardening of MySQL server configuration:
- name: deletes anonymous mysql user
mysql_user:
user: ""
state: absent
login_password: "{{ mysql_root_password }}"
login_user: root
- name: secures the mysql root user
mysql_user:
user: root
password: "{{ mysql_root_password }}"
host: "{{ item }}"
login_password: "{{mysql_root_password}}"
login_user: root
with_items:
- 127.0.0.1
- localhost
- ::1
- "{{ ansible_fqdn }}"
- name: removes the mysql test database
mysql_db:
db: test
state: absent
login_password: "{{ mysql_root_password }}"
login_user: root
- name: enable mysql on startup
systemd:
name: mysql
enabled: yes
notify:
- start mysql
The db server role also has roles/db/handlers/main.yml and local variables similar to the web role:
- name: start mysql
systemd:
state: started
name: mysql
- name: stop mysql
systemd:
state: stopped
name: mysql
- name: restart mysql
systemd:
state: restarted
name: mysql
daemon_reload: yes
The following file is roles/db/vars/main.yml, which has the mysql_root_password while configuring the server. We will see how we can secure these plaintext passwords using ansible-vault in future chapters:
mysql_root_password: R4nd0mP4$$w0rd
Now, we will install PHP and configure it to work with apache2 by restarting the roles/php/tasks/main.yml service:
- name: install php7
apt:
name: "{{ item }}"
state: present
with_items:
- php7.0-mysql
- php7.0-curl
- php7.0-json
- php7.0-cgi
- php7.0
- libapache2-mod-php7
- name: restart apache2
systemd:
state: restarted
name: apache2
daemon_reload: yes
To run this playbook, we need to have Ansible installed in the system path. Please refer to http://docs.ansible.com/ansible/intro_installation.html for installation instructions.
Then execute the following command against the Ubuntu 16.04 server to set up LAMP stack. Provide the password when it prompts for system access for user hodor:
$ ansible-playbook -i inventory site.yml
After successful completion of the playbook execution, we will be ready to use LAMP stack in a Ubuntu 16.04 machine. You might have observed that each task or role is configurable as we need throughout the playbook. Roles give the power to generalize the playbook and customize easily using variables and templating.