In my lab I’m often spinning up new instances of vRealize Automation (vRA) and need to configure CentOS 7 templates. I created this Ansible playbook to get a freshly installed CentOS 7.2 minimal machine ready to be used by vRA. This is my first attempt and I’ll be modifying it to make it more usable. The playbook can be found at GitHub.
One nice thing about Ansible is that it’s easy to read so the below shouldn’t require too much explanation. I’ve set up variables for the vRA Appliance and Manager, but that’s it. It shouldn’t be too difficult to parameterize the rest.
I tried to keep this as simple as possible so please don’t take it as a best practice for creating Ansible playbooks.
The playbook performs the following:
- Installs the required packages like EPEL, VMware tools, git and Ansible
- Installs my lab CA certificate that issued my vRA certs
- Adds a couple of users and modifies the sudoers file
- Sets up my root ssh key. I’ll probably be removing this.
- Starts VMware tools
- Gets the SSL thumbprint from the vRA Appliance and Manager nodes
- Downloads the vRA prepare script from the vRA Appliance
- Runs the vRA prepare script
```yaml
# Tested on vRA 7.2 and CentOS Minimal 7.2. Not intended for production use.
---
- hosts: all
  remote_user: root
  vars:
    vra_appliance: vra72.vmware.local
    vra_iaas_mgr: vra72-iaas-mgr.vmware.local
  tasks:
    - name: Install libselinux-python. See http://docs.ansible.com/ansible/intro_installation.html#managed-node-requirements
      package:
        name: libselinux-python
        state: present

    - name: Install epel repo
      package:
        name: epel-release

    - name: Install required packages
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - open-vm-tools
        - git
        - ansible
      become: true

    # Trust the lab CA that issued the vRA certificates
    - name: Install certs
      copy:
        src: kubeca.pem
        dest: /etc/pki/ca-trust/source/anchors/

    - name: Update cert store
      shell: /usr/bin/update-ca-trust

    - name: Ensure users exists
      user:
        name: "{{ item.name }}"
        state: present
        comment: "{{ item.comment }}"
      with_items:
        - { name: 'chris', comment: 'Chris' }
        - { name: 'ansible', comment: 'Ansible' }

    # visudo validates the edited file before it replaces /etc/sudoers
    - name: Ensure required users is sudoer with no password required
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^{{ item }} ALL\='
        line: '{{ item }} ALL=(ALL) NOPASSWD:ALL'
        validate: 'visudo -cf %s'
      with_items:
        - ansible
        - chris

    - name: Setup root ssh key
      user:
        name: root
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    - name: Copy test.pem for root user
      copy:
        src: /root/.ssh/test.pem
        dest: /root/.ssh/test.pem
        mode: '0600'

    - name: Copy ssh config
      copy:
        src: config
        dest: /root/.ssh/config
        mode: '0400'

    - name: Ensure ansible user accepts ssh key
      authorized_key:
        user: ansible
        key: "{{ lookup('file', '/root/.ssh/test.pub') }}"
        state: present

    - name: Start open-vm-tools
      service:
        name: vmtoolsd
        enabled: true
        state: started

    # The thumbprints are read from whatever certificate each node presents
    - name: Get VRA appliance cert thumbprint
      shell: >
        openssl s_client -connect {{ vra_appliance }}:443 < /dev/null 2>/dev/null |
        openssl x509 -fingerprint -noout -in /dev/stdin | cut -d '=' -f 2
      register: vra_appliance_cert_thumbprint

    - name: Get VRA IaaS manager cert thumbprint
      shell: >
        openssl s_client -connect {{ vra_iaas_mgr }}:443 < /dev/null 2>/dev/null |
        openssl x509 -fingerprint -noout -in /dev/stdin | cut -d '=' -f 2
      register: vra_iaas_mgr_cert_thumbprint

    - name: Download vRA prepare script
      get_url:
        url: https://{{ vra_appliance }}/software/download/prepare_vra_template.sh
        dest: /tmp/

    - name: Run vRA prepare script
      shell: >
        bash /tmp/prepare_vra_template.sh -m {{ vra_iaas_mgr }} -M 443
        -a {{ vra_appliance }} -A 443 -j true -c vsphere -n
        -g {{ vra_appliance_cert_thumbprint.stdout }}
        -f {{ vra_iaas_mgr_cert_thumbprint.stdout }}
      register: vra_prepare_script_results

    - name: Display vra_prepare_script results
      debug:
        msg: "vRA prepare script results {{ vra_prepare_script_results.stdout }}"
```
You can run the playbook with:
ansible-playbook --ask-pass -i 192.168.3.214, centos7-init.yaml
You can override the vRA Appliance and Manager parameters by following the instructions at Passing Variables On The Command Line.
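The thumbprint tasks in the playbook read the fingerprint over a connection that `openssl s_client` does not verify (and its errors are sent to /dev/null), so whatever certificate answers on port 443 is what gets handed to the prepare script. As an added example, not part of the original playbook, the play below compares each observed thumbprint with a value recorded out of band and stops on a mismatch or an empty result; the two `*_expected_thumbprint` variables and their placeholder values are assumptions.

```yaml
# Added example, not from the original playbook.
# The *_expected_thumbprint variables are hypothetical: fill them with the
# fingerprints you recorded yourself, in the colon-separated form openssl prints.
---
- hosts: all
  remote_user: root
  vars:
    vra_appliance: vra72.vmware.local
    vra_iaas_mgr: vra72-iaas-mgr.vmware.local
    vra_appliance_expected_thumbprint: "REPLACE_WITH_RECORDED_APPLIANCE_FINGERPRINT"
    vra_iaas_mgr_expected_thumbprint: "REPLACE_WITH_RECORDED_MANAGER_FINGERPRINT"
  tasks:
    # Same openssl pipeline as the playbook, run once per node.
    # The pipeline's exit status is cut's, so a failed connection shows up
    # only as empty stdout; the assert below checks for that explicitly.
    - name: Read the certificate thumbprint each vRA node presents
      shell: >
        openssl s_client -connect {{ item }}:443 < /dev/null 2>/dev/null |
        openssl x509 -fingerprint -noout | cut -d '=' -f 2
      register: observed
      changed_when: false
      with_items:
        - "{{ vra_appliance }}"
        - "{{ vra_iaas_mgr }}"

    # results[0] is the appliance, results[1] the IaaS manager (loop order).
    - name: Stop unless both thumbprints match the recorded values
      assert:
        that:
          - observed.results[0].stdout | length > 0
          - observed.results[1].stdout | length > 0
          - observed.results[0].stdout | upper == vra_appliance_expected_thumbprint | upper
          - observed.results[1].stdout | upper == vra_iaas_mgr_expected_thumbprint | upper
        msg: "vRA certificate thumbprint is missing or does not match the recorded value"
```

Placed ahead of the download and prepare-script tasks, a failed assert ends the run on that host before the script is fetched or executed.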