LDAP Client installation using ansible - ansible

We need to install LDAP client over 156 machines. So we want to use ansible to complete this task.
apt-get install ldap-utils libpam-ldapd libnss-ldapd nscd
But when we install it asked lot of question in response (popup box) and we are facing issue how we can handle those response in playbook.
I have used expect module but it was working well when we see question/response on screen not in popup box like below:
- name: run command to install rubyencoder
expect:
chdir: /home/ubuntu/rubyencoder-evaluation/bin
command: /home/ubuntu/rubyencoder-evaluation/bin/rubyencoder
responses:
'.*Press return key to continue.*': ""
'.*type \"I AGREE\".*': "I AGREE"
'.*Your RubyEncoder profile e-mail.*': "abc#xyz.com"
'.*Your RubyEncoder profile password.*': ""
Above config handle response properly but same method is not working in ldap client installation.
I am using below playbook:
---
- hosts: test1
become: true
# remote_user: dagar
# sudo: yes
tasks:
- name: install ldap client packages
expect:
command: apt-get install ldap-utils libpam-ldapd libnss-ldapd nscd
responses:
'.*Do you want to continue?.*': ""
'.*LDAP server URI.*': "Ok"
'.*LDAP server search base.*': "Ok"
'.*Name servives to configure.*': "Ok"
'.*Restart services during package upgrades without asking?.*': "No"
'.*Services to restart to make them use the new libraries.*': "Ok"
Can anybody please help me on above issue.
Any help or guidance will be appriciated.
Thanks.

This accepted answer may help: How to do an initial setup of slapd OLC with ldapmodify
It uses slapd and a heredoc to define the answers for debconf-set-selections to consume.

I run a one line command to join nodes to ldap (assuming the packages are installed and relevant services started. I use nslcd)
authconfig --enableldapauth --ldapserver="ldapserver.example.com" --ldapbasedn="dc=example,dc=com" --update
So Ansible method would be:
- name: This command will join a node to an LDAP server
ansible.builtin.shell:
cmd: authconfig --enableldapauth --ldapserver="ldapserver.example.com" --ldapbasedn="dc=example,dc=com" --update
That should also update /etc/nsswitch.conf, but if not, you can always replace the file with ansible

I'm not sure how to do this with only ansible, but since you are already using expect for automating script responses you could use something like autohotkeys or sikuli to answer popups. You could have ansible run your expect script to answer the scripted responses and run the autohotkeys script to answer the popup. Or perhaps you can just modify whatever script you are running for the install in order to not make a popup.
You can see more info:
https://github.com/sikuli/sikuli
https://www.autohotkey.com/docs/Hotkeys.htm

Related

Weird behavior in ansible regarding executing scripts via win_shell

I have a powershell script for installing MS SQL 2014 to a Windows Server 2016 (manually tested and confirmed working properly).
powershell script abbreviated:
$sqlInstanceName = {{ sqlInstance }}
$localAdminPword = {{ localAdminPword }}
### Some more variables here declared the same as above
echo [OPTIONS] > $SQLServerInstallerPath\SQLServerConfigurationFile
### more echo lines like the above.
& $SQLServerInstallerPath\setup /SAPWD=$localAdminPword /ConfigurationFile=$SQLServerInstallerPath\SQLServerConfigurationFile
My playbook is simple just hosts for the target host and two tasks, I just generate the script using win_template, and then execute it with win_shell. something like:
---
- name: Install SQL
hosts: "{{ newhost }}"
tasks:
- name: generate script
win_template:
src: "scriptName"
dest: "{{ path }}//scriptName.ps1"
- name: run script
win_shell: ./scriptName.ps1
args:
chdir: "{{ path }}"
Here's a rundown of the scenarios:
Scenario 1:
I use Ansible tower to run the job targeting a server newly provisioned with vRealize Automation.
Output says it's successful, no problems.
I login to the new server and see that MS SQL wasn't installed, the powershell script didn't work... weird,
so I logged off the server and I ran the same job again, no changes, just rerun it.
I logged in the server again, this time, MS SQL was installed properly.
Scenario 2:
I repeated scenario 1 completely, everything the same, this time, I ran the job twice in succession.
I logged in the server, saw the MS SQL wasn't installed.
Logged off, then ran the job again, Logged in, saw MS SQL installed
Scenario 3:
I provision a new server, exactly the same as the previous scenarios, but this time, I logged into it to just look at the desktop, take a peek at the start menu, then logged off.
I now run the same job again once, on this new server I provisioned.
After the job completed successfully, I logged into the server and MS SQL was properly installed.
It seems that it won't work, unless I do a first Login on to the new server before running this job. Which defeats the purpose of automating it... Does anyone have an idea about this? Is there some sort of setting or flag I should look into? (note: the server doesn't have the "change password on first login" thing, as far as I'm aware, I didn't specify any first login things on that server.) I need this to work without doing a first login.

Starting Bitbucket Server in Ansible

I'm using Vagrant and Ansible to create my Bitbucket Server on Ubuntu 15.10. I have the server setup complete and working but I have to manually run the start-webapp.sh script to start the server each time I reprovision the server.
I have the following task in my Bitbucket role in Ansible and when I increase the verbosity I can see that I get a positive response from the server saying it will be running at http://localhost/ but when I go to the URL the server isn't on. If I then SSH in to the server and run the script myself, getting the exact same response after running the script I can see the startup webpage.
- name: Start the Bitbucket Server
become: yes
shell: /bitbucket-server/atlassian-bitbucket-4.7.1/bin/start-webapp.sh
Any advice would be great on how to fix this.
Thanks,
Sam
Probably better to change that to an init script and use the service module to start it. For example, see this role for installing bitbucket...
Otherwise, you're subject to HUP and other issues from running processes under an ephemeral session.

Ansible and Fedora23 - "firewalld required for this module"

I'm trying to set up my firewalld through Ansible on my Fedora 23 server from my Fedora client (Yes I like fedora :D ).
However, each time I try to execute a playbook with some commands including firewalld (Example - firewalld: service=https permanent=true state=enabled), the playbook execution fail with the following message :
failed: [w.x.y.z] => {"failed": true, "parsed": false}
failed=True msg='firewalld required for this module'
I have firewalld up and running on the remote server :
# firewall-cmd --version
0.3.14.2
On my computer :
$ ansible --version
ansible 1.9.4
configured module search path = None
Does anyone know where it could come from ?
Thank you !
--
EDIT: At this line in Ansible source code, firewall library seems not to be imported (and execute error which display that there is no firewall). However, this library exists in Python3 and not Python2 which is used by Ansible.
$ locate firewall
[...]
/usr/lib/python3.4/site-packages/firewall
[...]
I will continue to search, but if someone has an idea...
I found the explanation and solution :
Following my edit, I installed python-firewall which is python 2 bindings of firewalld. But, the execution was incorrect because of the absence of cockpit.
So I had to install cockpit too...
Long story, short story, this is what I've done on remote machine :
# dnf install python-firewall cockpit -y

Migrating ansible version 1.5.4 to latest ansible version

I have been using ansible 1.5.4 for 8 month. Yesterday I found that login_port of mysql_repilcation module is not supported in 1.5.4 version.
It is a bug in that version, but they supported in latest version (>= 1.8 I think). But I already have more than 50 ansible script running in 1.5.4
which has been used in production side
What is the best possible scenario:
If I move 1.5.4 to latest version , will it impact on any existing
ansible script
Is it possible to achieve the desire outout by shell command.
I am stuck in the middle of ocean. please help me to out of this
problem
If I move 1.5.4 to latest version , will it impact on any existing
ansible script
This highly depends on your playbook/roles, but I'm pretty sure it won't just work without changes. For example I read many times now that users have problems with sudo on role level:
- roles:
- role: whatever
sudo: yes
That was broken in 1.9.1. Officially it is fixed but I have read users have still problems. Generally sudo has been replaced with become. Even though the documentation claims sudo is still supported, it clearly isn't completely.
Another change I remember was related to ssh transport but you should only stumble about this issue if you reboot your host during play with Ansible.
I think the sudo/become change was the biggest one. If you want to avoid the hassle and do not necessarily need the very recent version you might just upgrade to a version before 1.9 and will have better chances of getting through without changes.
If you have the time though, I recommend you make your play compatible with the recent version. The Ansible 2.0 release is ahead and will introduce many new very useful features.
Is it possible to achieve the desire outout by shell command.
You mean to automatically convert your playbook/roles? No, not unless you find out exactly about the problems and write that script yourself. :)
I am stuck in the middle of ocean. please help me to out of this problem
Generally you should test every new version of Ansible on a testing/staging environment first. If you do not have testing hosts you can set up local VM's. There you can test and fix your play.
Since login_port of mysql_repilcation module is not supported in ansible 1.7 version. I found a way to achieve the result.
- name: "stop slaves of existing database server"
shell: >
mysql -uroot -p{{ mysql_exist_slave_database_password }} \
-P{{ default_port }} -h{{ default_host }} -e "stop slave" -s
- name: "Retrieve the Position and binary file number using slave
status"
shell: >
mysql -uroot -p{{ mysql_exist_slave_database_password }} \
-P{{ default_port }} -h{{ default_host }} -e "show slave
status\G" -s
register: output
- name: "start slaves of existing database server"
shell: >
mysql -uroot -p{{ mysql_exist_slave_database_password }} -P{{
default_port }} -h{{ default_host }} -e "start slave" -s

What is the default Jenkins password?

I'm using a EC2 server instance. Used the following to install Jenkins:
wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key | sudo apt-key add -
sudo sh -c 'echo deb http://pkg.jenkins-ci.org/debian binary/ > /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins
but I need to install software on the Jenkins server so in my EC2 instance I did
sudo –s –H –u jenkins
to get into the jenkins server.
Then I tried to do
sudo cabal install quickcheck
but it prompted me for jenkins password.
I've been searching around the internet for 4hrs now and nothing is helping me get administrative privilege in the jenkins server.
So I'm building my project using the following command in shell:
sudo cabal clean
sudo cabal configure
sudo cabal build
sudo cabal install
This is the error I'm getting:
Started by timer
Building in workspace /var/lib/jenkins/jobs/Finance/workspace
Checkout:workspace / /var/lib/jenkins/jobs/Finance/workspace - hudson.remoting.LocalChannel#eea6dc
Using strategy: Default
Last Built Revision: Revision b638e2182dece0ef1a40232b1d75fa3ae5c01a5d (origin/master)
Fetching changes from 1 remote Git repository
Fetching upstream changes from origin
Commencing build of Revision b638e2182dece0ef1a40232b1d75fa3ae5c01a5d (origin/master)
Checking out Revision b638e2182dece0ef1a40232b1d75fa3ae5c01a5d (origin/master)
[workspace] $ /bin/sh -xe /tmp/hudson3500373817395137440.sh
+ sudo cabal clean
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
Build step 'Execute shell' marked build as failure
Sending e-mails to: ***#gmail.com
ERROR: Could not connect to SMTP host: localhost, port: 25
javax.mail.MessagingException: Could not connect to SMTP host: localhost, port: 25;
nested exception is:
java.net.ConnectException: Connection refused
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1934)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
at javax.mail.Service.connect(Service.java:295)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at javax.mail.Transport.send0(Transport.java:194)
at javax.mail.Transport.send(Transport.java:124)
at hudson.tasks.MailSender.execute(MailSender.java:116)
at hudson.tasks.Mailer.perform(Mailer.java:117)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:814)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:786)
at hudson.model.Build$BuildExecution.post2(Build.java:183)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:733)
at hudson.model.Run.execute(Run.java:1592)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:237)
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:286)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:231)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1900)
... 17 more
Finished: FAILURE
Here is how you can fix it:
Stop Jenkins
Go go edit /var/lib/jenkins/config.xml
Change <useSecurity>true</useSecurity> to false
Restart Jenkins: sudo service jenkins restart
Navigate to the Jenkins dashboard to the "Configure Security" option you likely used before. This time, setup security the same as before, BUT set it to allow anyone to do anything, and allow user signup.
Go to www.yoursite.com/securityRealm/addUser and create a user
Then go change allow anyone to do anything to whatever you actually want users to be able to do. In my case, it is allow logged in users to do anything.
If you installed using apt-get in ubuntu 14.04, you will found the default password in /var/lib/jenkins/secrets/initialAdminPassword location.
Before installing jenkins, create a user named jenkins and set password there. Then after installing jenkins you can use the password you created.
With the default Jenkins installation using Homebrew on macOS this will output the initial password for the admin user:
sudo cat /Users/Shared/Jenkins/Home/secrets/initialAdminPassword
jenkins default administrator password is logged in log file in ubuntu
log file is situated in /var/log/jenkins/jenkins.log folder
password will be placed after this,
Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:
After Jenkins is installed just run sudo cat /var/lib/jenkins/secrets/initialAdminPassword.
In the Jenkins login page:
User: admin
Password: the output from the above command
On ubuntu 19.04, the default password are stored in the home directory:
cat ~/.jenkins/secrets/initialAdminPassword
The password is present in the log generated by docker run image as shown in the example below.
Jenkins Docker run log
Additionally you can check the directory /var/jenkins_home/secrets/
Its in the file name initialAdminPassword
You can use
cat /var/jenkins_home/secrets/initialAdminPassword
In my case I was using Jenkins Docker Image and I found the initial admin password using this command:
cat ~/secrets/initialAdminPassword
You can always disable security, then go in and re-enable it with the settings you want.
By default, Jenkins account is created without password and with the login shell as /bin/false.
jenkins:x:496:493:Jenkins Continuous Integration Server:/var/lib/jenkins:/bin/false
Change the shell to /bin/bash and you should be able to login without password by sudo su - jenkins.
Command to change the shell is:
chsh -s /bin/bash jenkin
When you install jenkins on your local machine, the default username is admin and password it gets automatically filled.
I was running Jenkins executing java -jar jenkins.war.
In my case Jenkins wrote webroot in an stdout: webroot: $user.home/.jenkins. So admin secret key was placed in a ~/.jenkins/secrets/initialAdminPassword.
I don't believe that the Jenkins user that is installed via apt has a password. If it does, I have never seen documentation. Based on the commands you entered, I am guessing you are using a Debian distro?
Is there any particular reason you must use the jenkins user to do the install instead of the user which was set up when you created your instance?
When installing Jenkins from AWS Marketplace . . .
"A default user "admin"with the instance-id as password is created to secure the Jenkins instance."
On the AWS Console for EC2, with the instance selected, choose the "Usage Instructions" tab:
"AWS Marketplace Usage Instructions
Latest Versions: 2.19.4.2
A default user "admin"with the instance-id as password is created to secure the Jenkins instance. Once the instance is started, copy the public DNS hostname of the server in the AWS Management Console and enter it in your web browser. The welcome screen allows you to request a trial license, start and evaluation, enter a license key, or connect to your instance to Operations Center. Once the license step is done, your instance is fully functional. We recommend enabling security and backups. You can connect with SSH to the server using the "ubuntu"linux user. The JENKINS_HOME is located under "/var/lib/jenkins". Jenkins listens on the following ports: * HTTP 80: through HAProxy, can be configured to use HTTPS:443 instead * Jenkins SSH 2222: primarily for the CloudBees Git Validated Merge Plugin * Jenkins JNLP 10000: communication from Jenkins agents or Jenkins CLI configured to use JNLP protocol. Not exposed by default on security groups."
Similar to the Ubuntu answer above, the Windows admin default password is stored in {jenkins install dir}\secrets\initialAdminPassword file (default install location would it in C:\Program Files (x86)\Jenkins\secrets\initialAdminPassword )
If you don't create a new user when you installed jenkins, then:
user: admin
pass: go to C:\Program Files (x86)\Jenkins\secrets and open the file initialAdminPassword
I am a Mac OS user & following credential pair worked for me:
Username: admin
Password: admin
For me the best method of retrieving admin pass is by executing cat command inside the running container.
docker exec YOUR_JENKINS_CONTAINER cat /var/jenkins_home/secrets/initialAdminPassword
On Windows it can be found in the file "C:\Windows\System32\config\systemprofile\AppData\Local\Jenkins\.jenkins\secrets\initialAdminPassword"
(I know OP specified EC2 server, but this is now the first result on google when searching Jenkins Password)
Jenkins Default username and password
username: admin
And
password available in the root directory .jenkins\secrets\initialAdminPassword just open the file and copy text and paste into password textbox.
Well,
Even I tried to log in with the admin/password which was failed.
So I created my own user like this.
Go to Jenkins home folder (C:\User.jenkins or you can find this in Jenkins server startup logs)
Go to Config file config.xml
set disableSignup to false false
if at all you want to disable login security
4.set ser security to false. true
For mac users: Just run this command
cat ~/.jenkins/secrets/initialAdminPassword
Initial Password of Jenkins is stored in the following directory
cat /var/lib/jenkins/secrets/initialAdminPassword
There are few steps to follow:
Go to the folder: C:\Users\Manjeet\.jenkins .(here in your case, there can be your system name or your name instead of mine)
Open config.xml file using any text editor.(recommended Notepad++)
Go to Line number seven which is like <useSecurity>true</useSecurity>.
So make it change this from true to false.
Save this file and close the window.
Open Command Prompt and start your Jenkins .
(java -jar jenkins.war --httpPort=8085).
Open browser and search for your localhost at your given port number.
(localhost:8085)
You will see it doesn't ask for username and password anymore. Now you have to delete
that existed user and Add new user for setting new username and password.
Steps to make new Admin:
1.Go to people option which present at second number at left hand side below Dashboard
Click on admin option present in a row and than click on delete.
Go to Dashboard, Click on Manage Jenkins, Click on Configure Global Security.
Check the box of Enable security option.
Check the box of Jenkins own user database option and Uncheck Allow user to sign up present just below of it.
6 . Check Logged-in user can do anything option and Uncheck Allow anonymous read access present just below of it.
Make it Save and it will give you a new form for creating new first user. Fill the details correctly and click on Create First Admin User .(it will automatically made a change on that config.xml file just save it. )

Resources