All That you need to know about Docker Volumes.

Bind volumes: how to map folders on your Docker host into your container

First, let's create a folder on our Docker host.

root@master:~# mkdir mysql
root@master:~# ls
index.html  mysql  snap

Map the new folder to the data folder in the container:

root@master:~# docker run -d -v /mnt/mysql:/var/lib/mysql  --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

Now let's enter the container and create a new database.

root@master:~# docker exec -it some-mysql bash
root@43bbea76beca:/#  mysql -u root -pmy-secret-pw
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.01 sec)

mysql> create database docker_db;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| docker_db          |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> exit
root@43bbea76beca:/# exit
exit

Now let's delete the container.

root@master:~# docker rm -f some-mysql

Check that the new folder on the Docker host now contains data.

root@master:~# ls /mnt/mysql/
 auto.cnf        ca-key.pem        docker_db            ibdata1      '#innodb_temp'        private_key.pem   sys
 binlog.000001   ca.pem           '#ib_16384_0.dblwr'   ib_logfile0   mysql                public_key.pem    undo_001
 binlog.000002   client-cert.pem  '#ib_16384_1.dblwr'   ib_logfile1   mysql.ibd            server-cert.pem   undo_002
 binlog.index    client-key.pem    ib_buffer_pool       ibtmp1        performance_schema   server-key.pem

Let's restore the data in a brand new MySQL container; basically we use the same command as before.

root@master:~# docker run -d -v /mnt/mysql:/var/lib/mysql  --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

Let's enter the new container and check that we can see our docker_db database.

root@master:~# docker exec  -ti some-mysql bash
root@814f0801e5d4:/# mysql -u root -pmy-secret-pw
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| docker_db          |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql>

Normal volume – managed by Docker

How to create a normal volume:

  • Important to know: a normal volume is created under the Docker root directory.
root@master:~# docker volume create mysql_volume
mysql_volume

How to find Normal volume:

Long way…

root@master:~# docker info | grep -i root
WARNING: No swap limit support
 Docker Root Dir: /var/lib/docker
root@master:~# cd /var/lib/docker/
root@master:/var/lib/docker# ls
builder  buildkit  containers  image  network  overlay2  plugins  runtimes  swarm  tmp  trust  volumes
root@master:/var/lib/docker# ls volumes/
mysql_volume

Short way…

root@master:/var/lib/docker# docker volume ls
DRIVER              VOLUME NAME
local               mysql_volume

Let's create a new MySQL container:

root@master:/var/lib/docker# docker run -d -v mysql_volume:/var/lib/mysql --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

Now we can see all the data in our new docker volume.

root@master:/var/lib/docker/volumes/mysql_volume/_data# ls
 auto.cnf        ca-key.pem       '#ib_16384_0.dblwr'   ib_logfile0     mysql                public_key.pem    undo_001
 binlog.000001   ca.pem           '#ib_16384_1.dblwr'   ib_logfile1     mysql.ibd            server-cert.pem   undo_002
 binlog.000002   client-cert.pem   ib_buffer_pool       ibtmp1          performance_schema   server-key.pem
 binlog.index    client-key.pem    ibdata1             '#innodb_temp'   private_key.pem      sys

Anonymous volumes: be careful when you use them (not recommended)

Let's create a MySQL container, this time with the -v flag but without specifying any mapping to the Docker host.

root@master:~# docker run -d -v /var/lib/mysql  --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

To find where Docker created the anonymous volume, we use this command:

root@master:~# docker inspect some-mysql

Under Mounts we can find the name of the volume.

In this output we can see the mapping between the volume and the container folder, and where the volume lives on the host:

  • Volume name: “060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b”
  • Volume location: “/var/lib/docker/volumes/”
"Mounts": [
            {
                "Type": "volume",
                "Name": "060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b",
                "Source": "/var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data",
                "Destination": "/var/lib/mysql",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }
        ],

If we go to the volume location folder, we find all of the container's MySQL data inside our Docker root directory.

root@master:~# cd /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data
root@master:/var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data# ls
 auto.cnf        ca-key.pem       '#ib_16384_0.dblwr'   ib_logfile0     mysql                public_key.pem    undo_001
 binlog.000001   ca.pem           '#ib_16384_1.dblwr'   ib_logfile1     mysql.ibd            server-cert.pem   undo_002
 binlog.000002   client-cert.pem   ib_buffer_pool       ibtmp1          performance_schema   server-key.pem
 binlog.index    client-key.pem    ibdata1             '#innodb_temp'   private_key.pem      sys

Important to know.

  • The anonymous volume is removed together with the container when you delete it with the -v flag:
root@master:~# docker rm -fv some-mysql

root@master:~# cd /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data
-bash: cd: /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data: No such file or directory
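As an added example (not code from the original post), here is a small POSIX shell script that classifies a container's mounts into the three kinds described above, so anonymous volumes are easy to spot before `docker rm -v` discards them. `list_mounts` needs a Docker daemon; `classify_mount` and `report_mounts` are pure and run on a constructed sample built from the three containers above. The Go-template format string and the 64-hex-character naming of anonymous volumes are assumptions about current Docker behaviour.

```shell
#!/bin/sh
# Classify a container's mounts as bind mount, named volume or anonymous
# volume, so anonymous volumes (lost on `docker rm -v`) stand out.
# Added example, not part of the original post. list_mounts() needs a
# running Docker daemon; classify_mount() and report_mounts() are pure and
# run here on a constructed sample taken from the three containers above.
set -eu

# Print one "TYPE NAME SOURCE DESTINATION" line per mount of a container.
# Bind mounts have no volume name, so "-" is printed in its place.
list_mounts() {
  docker inspect --format \
    '{{range .Mounts}}{{.Type}} {{or .Name "-"}} {{.Source}} {{.Destination}}{{"\n"}}{{end}}' "$1"
}

# classify_mount TYPE NAME -> bind | named | anonymous
# Docker names an anonymous volume with a random 64-character hex id (assumption).
classify_mount() {
  case "$1" in
    bind) echo bind ;;
    volume)
      if printf '%s' "$2" | grep -Eq '^[0-9a-f]{64}$'; then
        echo anonymous
      else
        echo named
      fi ;;
    *) echo "$1" ;;
  esac
}

# report_mounts: read mount lines on stdin, print "KIND SOURCE -> DESTINATION"
report_mounts() {
  while read -r type name source dest; do
    printf '%-9s %s -> %s\n' "$(classify_mount "$type" "$name")" "$source" "$dest"
  done
}

# Constructed sample: the bind, named and anonymous mounts from the post.
SAMPLE_MOUNTS='bind - /mnt/mysql /var/lib/mysql
volume mysql_volume /var/lib/docker/volumes/mysql_volume/_data /var/lib/mysql
volume 060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data /var/lib/mysql'

# count_anonymous: how many anonymous volumes the sample contains
count_anonymous() {
  printf '%s\n' "$SAMPLE_MOUNTS" | report_mounts | grep -c '^anonymous' || true
}

# On a live host: list_mounts some-mysql | report_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | report_mounts
```

On a live host, `list_mounts some-mysql | report_mounts` gives the same report for a real container; anything reported as `anonymous` has no stable name and will disappear with `docker rm -v`, so its data should live in a named volume or a bind mount instead.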

Remove dangling volumes (volumes not in use by any container):

root@master:~# docker volume rm $(docker volume ls -f=dangling=true -q)

Change Docker Root Directory location.

In this post I am going to show you how to find the Docker root directory and how to change its location so that Docker saves its files somewhere else (for backup or high availability).

These are the commands to find and verify the Docker root folder.

root@master:~# docker info | grep -i root
 Docker Root Dir: /var/lib/docker

root@master:~# sudo du -sh /var/lib/docker/
2.7G    /var/lib/docker/

root@master:~# cd /var/lib/docker/
root@master:/var/lib/docker# ll
total 56
drwx--x--x 14 root root 4096 Nov 16 11:31 ./
drwxr-xr-x 40 root root 4096 Nov 16 07:53 ../
drwx------  2 root root 4096 Nov 16 07:53 builder/
drwx--x--x  4 root root 4096 Nov 16 07:53 buildkit/
drwx------  2 root root 4096 Nov 17 12:58 containers/
drwx------  3 root root 4096 Nov 16 07:53 image/
drwxr-x---  3 root root 4096 Nov 16 07:53 network/
drwx------ 46 root root 4096 Nov 17 12:58 overlay2/
drwx------  4 root root 4096 Nov 16 07:53 plugins/
drwx------  2 root root 4096 Nov 16 11:31 runtimes/
drwx------  2 root root 4096 Nov 16 07:53 swarm/
drwx------  2 root root 4096 Nov 17 12:42 tmp/
drwx------  2 root root 4096 Nov 16 07:53 trust/
drwx------ 13 root root 4096 Nov 16 13:41 volumes/

To change the location of the root directory:

  • Stop all containers
  • Stop the Docker service:
sudo systemctl stop docker

After all of the above is done, we need to edit the Docker service file.

sudo vi /lib/systemd/system/docker.service

Now we need to move the docker folder from its old location to the new one.

root@master:/var/lib/docker# sudo rm -rf /mnt/docker

root@master:/var/lib/docker# ls /mnt/

root@master:/var/lib/docker# mv docker /mnt/

After we moved the folder we need to start the service again.

sudo systemctl restart docker
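As an added example (not the procedure from the post), the same relocation as a script with a check at each step. It differs from the steps above in two assumptions: it sets the documented `data-root` key in `/etc/docker/daemon.json` instead of editing `docker.service`, and it copies the old tree with rsync rather than moving it, so nothing is lost if the daemon fails to come up on the new location. `NEW_ROOT` (/mnt/docker) is assumed to be an empty directory on the target filesystem and `daemon.json` is assumed not to exist yet.

```shell
#!/bin/sh
# Relocate the Docker data root with verification at each step.
# Added example; this is not the procedure from the post. Instead of editing
# docker.service it sets the documented "data-root" key in
# /etc/docker/daemon.json, and it copies the old tree rather than moving it.
# Assumed: NEW_ROOT (/mnt/docker) is an empty directory on the target
# filesystem and /etc/docker/daemon.json does not already exist.
set -eu

NEW_ROOT="${NEW_ROOT:-/mnt/docker}"
DAEMON_JSON=/etc/docker/daemon.json

# render_daemon_json PATH -> the daemon.json content pointing dockerd at PATH
render_daemon_json() {
  printf '{\n  "data-root": "%s"\n}\n' "$1"
}

# validate_new_root OLD NEW: NEW must be an absolute path and differ from OLD
validate_new_root() {
  case "$2" in
    /*) [ "$1" != "$2" ] ;;
    *)  return 1 ;;
  esac
}

# current_root: data root reported by the daemon ("" when it is not running)
current_root() {
  docker info --format '{{.DockerRootDir}}' 2>/dev/null || true
}

relocate() {
  old_root=$(current_root)
  [ -n "$old_root" ] || { echo "docker is not running; cannot read the current root" >&2; return 1; }
  validate_new_root "$old_root" "$NEW_ROOT" || { echo "bad NEW_ROOT: $NEW_ROOT" >&2; return 1; }
  [ -z "$(docker ps -q)" ] || { echo "stop all containers first" >&2; return 1; }
  [ ! -e "$DAEMON_JSON" ] || { echo "$DAEMON_JSON exists; merge data-root by hand" >&2; return 1; }

  sudo systemctl stop docker
  sudo mkdir -p "$NEW_ROOT"
  # Preserve ownership, hard links, ACLs and xattrs: overlay2 depends on them.
  sudo rsync -aHAX --numeric-ids "$old_root"/ "$NEW_ROOT"/
  render_daemon_json "$NEW_ROOT" | sudo tee "$DAEMON_JSON" >/dev/null
  sudo systemctl start docker

  [ "$(current_root)" = "$NEW_ROOT" ] || { echo "daemon still reports $(current_root)" >&2; return 1; }
  docker volume ls
  echo "Docker now uses $NEW_ROOT; remove $old_root only after images and volumes check out."
}

# Run the relocation only when invoked as: sh relocate-docker-root.sh run
if [ "${1:-}" = run ]; then
  relocate
fi
```

The old tree is left in place on purpose: once `docker info` reports the new root and `docker volume ls` and `docker images` show what you expect, the old directory can be deleted.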

That’s it, you're ready to keep using Docker 🙂

Setup Snipe-IT on Ubuntu.

Snipe-IT Open Source Asset Management

Installation Details

  • Infrastructure: AWS
  • AMI ID: RHEL-8.2.0_HVM-20200423-x86_64-0-Hourly2-GP2 (ami-07dfba995513840b5)
  • Instance type : t2.medium
  • Instance Hardware: 2vcpu , 4G Memory.

What is Snipe-IT?

Snipe-IT was made for IT asset management, to enable IT departments to track who has which laptop, when it was purchased, which software licenses and accessories are available, and so on.


Let's start:

Update Ubuntu:

sudo apt update
sudo apt upgrade

Install Apache2 HTTP:

sudo apt install apache2 -y

To find out if Apache2 HTTP server is installed, simply open your web browser and type in the server’s IP or hostname.

When you see the page similar to the one below, then Apache2 is installed and working.

[Image: the default Apache2 Ubuntu page]

Install PHP:

sudo apt install php -y
sudo apt install php7.2-mbstring php7.2-curl php7.2-mysql php7.2-ldap php7.2-zip php7.2-bcmath php7.2-xml php7.2-gd -y

Install MySQL:

sudo apt install mysql-server -y

Create the database:

sudo mysql -u root

You should now have the mysql prompt mysql>

Create the database and the user and grant permissions to the user.

mysql> create database snipeit;
mysql> create user 'snipe_user'@'localhost' identified by 'YOUR_DB_PASSWORD';
mysql> grant all on snipeit.* to 'snipe_user'@'localhost';
mysql> flush privileges;
mysql> exit (to leave the mysql shell)

Install git and vim:

sudo apt install git vim -y

Download Snipe-IT into the web server directory:

sudo mkdir /var/www/html/snipe-it
sudo chown yourusername:yourusername /var/www/html/snipe-it

Change into the new directory and download Snipe-IT:

cd /var/www/html/snipe-it
git clone https://github.com/snipe/snipe-it .

Set up Snipe-IT config file:

Copy the .env.example file to a new .env file and open it in your text editor.

cp .env.example .env
vim .env

Make sure APP_ENV is set to production and APP_DEBUG is set to false

APP_ENV=production
APP_DEBUG=false

Setup APP_URL:

This is the URL to your application, beginning with http:// or https:// (if you're running Snipe-IT over SSL). It should not have a trailing slash, and you should not have public in the URL. Images and JavaScript will not load correctly if this is not set to EXACTLY the URL you access your Snipe-IT app from.

You can set APP_URL to an IP address for setup or testing and change it to another domain name later.

APP_URL=your.domain.name

Set the timezone. Use one of the PHP supported time zone strings from https://www.php.net/manual/en/timezones.php

APP_TIMEZONE='YOURTIMEZONE'

Set your language. Default is English (en). See https://snipe-it.readme.io/docs/configuration#section-setting-a-language:

APP_LOCALE=en

Fill in the database settings with the database name, database user name and password you created in the mysql setup step:

DB_DATABASE=snipeit
DB_USERNAME=snipe_user
DB_PASSWORD=YOUR_DB_PASSWORD

Install snipe-IT dependencies

Make sure you are still in the snipe-it directory. If you are following this guide it will be /var/www/html/snipe-it

cd /var/www/html/snipe-it

Snipe-IT uses a PHP dependency manager called Composer to manage its dependencies so install it and then install the dependencies: (This might take a few minutes)

curl -sS https://getcomposer.org/installer | php
php composer.phar install --no-dev --prefer-source

Generate your app key

php artisan key:generate

This will generate an encryption key and set APP_KEY in your .env file. Copy the key and save it in a secure location.

Grant appropriate filesystem permissions so apache can access the files:

sudo chown -R yourusername:www-data /var/www/html/snipe-it

Now remove group write permission from the files. There’s no reason for apache to be able to write to all these files:

sudo chmod -R g-w /var/www/html/snipe-it

Now add back write permission for the areas we want Snipe-IT to be able to write to:

sudo chmod -R g+w /var/www/html/snipe-it/storage
sudo chmod -R g+w /var/www/html/snipe-it/public/uploads
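As an added example (not part of the original guide), a post-install check that verifies the .env settings and the permission layout from the steps above: production mode, debug off, an APP_KEY present, a well-formed APP_URL, no group-writable files outside storage/ and public/uploads/, and a .env that is not world-readable. The install path defaults to the guide's /var/www/html/snipe-it; `check_env` and `env_value` are pure and are demonstrated on a constructed .env.

```shell
#!/bin/sh
# Post-install check for the Snipe-IT settings and permissions set above.
# Added example, not part of the original guide. Assumes the guide's install
# path (/var/www/html/snipe-it) unless APP_DIR is set; check_env() and
# env_value() are pure and are demonstrated on a constructed .env below.
set -eu

APP_DIR="${APP_DIR:-/var/www/html/snipe-it}"

# env_value FILE KEY -> value of KEY in a dotenv file (last one wins, quotes stripped)
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# check_env FILE: print each production setting that is wrong; return 1 if any
check_env() {
  rc=0
  [ "$(env_value "$1" APP_ENV)" = production ] || { echo "APP_ENV must be production"; rc=1; }
  [ "$(env_value "$1" APP_DEBUG)" = false ]   || { echo "APP_DEBUG must be false"; rc=1; }
  case "$(env_value "$1" APP_KEY)" in
    base64:?*) ;;
    *) echo "APP_KEY is empty; run: php artisan key:generate"; rc=1 ;;
  esac
  case "$(env_value "$1" APP_URL)" in
    */)        echo "APP_URL must not end with a slash"; rc=1 ;;
    */public*) echo "APP_URL must not contain /public"; rc=1 ;;
    http://*|https://*) ;;
    *) echo "APP_URL must start with http:// or https://"; rc=1 ;;
  esac
  return $rc
}

# group_writable_outside DIR: list group-writable entries outside the two
# directories Snipe-IT is allowed to write to (storage/ and public/uploads/)
group_writable_outside() {
  find "$1" -perm -g+w \
    ! -path "$1/storage" ! -path "$1/storage/*" \
    ! -path "$1/public/uploads" ! -path "$1/public/uploads/*" \
    ! -path "$1/.git" ! -path "$1/.git/*"
}

# env_world_readable FILE: 0 if FILE is readable by others (it holds the DB password and APP_KEY)
env_world_readable() {
  [ -n "$(find "$1" -prune -perm -o+r)" ]
}

# demo: run check_env on a constructed, correct .env (returns 0)
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/.env" <<'EOF'
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:Y29uc3RydWN0ZWQtZXhhbXBsZS1rZXktbm90LXJlYWw=
APP_URL=https://assets.example.internal
EOF
  if check_env "$tmp/.env"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Real run: APP_DIR=/var/www/html/snipe-it sh snipeit-check.sh
if [ -d "$APP_DIR" ]; then
  check_env "$APP_DIR/.env" || echo ".env needs attention"
  group_writable_outside "$APP_DIR"
  if env_world_readable "$APP_DIR/.env"; then
    echo ".env is world-readable; run: chmod 640 $APP_DIR/.env"
  fi
fi
```

Anything listed by `group_writable_outside` is a file the web server could modify but should not; a .env readable by other local users exposes the database password and APP_KEY, which is why the last check is there.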

Configure the server

Copy the default vhost file and open the copy in your text editor.

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/snipe-it.conf
sudo vim /etc/apache2/sites-available/snipe-it.conf

Edit the file to look like this:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port 
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/snipe-it/public

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ServerName 10.64.118.91

        <Directory /var/www/html/snipe-it/public>
                Require all granted
                AllowOverride All
                Options -Indexes
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Save the file and close your text editor

Disable the old default vhost and enable your new vhost

sudo a2dissite 000-default.conf
sudo a2ensite snipe-it.conf

Also enable mod_rewrite

sudo a2enmod rewrite
sudo systemctl reload apache2

And we're done! You can now point your web browser at the address of your web server. You should see the Snipe-IT Pre-Flight page, and every Pre-Flight check should show a green check mark.

[Gsuite]Deploy Google MDM (Windows device management)

Overview: Enhanced desktop security for Windows

As an administrator, you can set up company-owned and personal Microsoft Windows devices to use Google's single sign-on (SSO) access security, push Windows settings, and wipe device data remotely.

Enhanced desktop security for Windows has two complementary features that can be set up together or individually:

  • Google Credential Provider for Windows (GCPW)—Use Google Account authentication on Windows 10 devices.
  • Windows device management—Manage Windows settings on enrolled devices.

In this post we will focus on Windows device management.

Requirements

License

  • GCPW is available with all G Suite and Cloud Identity editions. However, to deploy GCPW and Windows device management together, you must have G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.
  • Windows device management is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.

System

  • Windows 10 Pro, Pro for Workstations, Enterprise, or Education, version 1803 or later
  • For GCPW, Chrome Browser 81 or later

Enable Windows device management

Recommended – Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. In your Google Admin console (at admin.google.com)…
  2. Go to Devices.
  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. On the left, click Settings > Windows settings.
  5. Click Desktop security setup.
  6. Next to Windows device management, select Enabled.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit’s settings.

There are two ways to enroll a device.

Manual way: enroll a Windows device

  1. Sign in to the Windows 10 device.
  2. Open https://deviceenrollmentforwindows.googleapis.com/v1/deeplink in a Chrome or Edge browser.
  3. In the message that asks whether you meant to switch apps, click Yes.
  4. Enter the Google email address you would like to use for this feature.
  5. Click Next to start device enrollment.
  6. Sign in to your managed Google Account.

Automatic way: enroll a Windows device

Automatic enrollment in Windows device management: if you use GCPW together with Windows device management, devices are enrolled in Windows device management automatically.

Install GCPW

  1. Get the GCPW installer onto the device. You can download the installer from https://tools.google.com/dlpage/gcpw and distribute it to devices using GPO or other deployment methods, or the user can download it directly.
  2. On the device, run the installer:
    1. Open the Command Prompt.
    2. Run gcpwstandaloneenterprise64.msi as administrator.

Verify enrollment of a Windows device

  1. In your Google Admin console (at admin.google.com)…
  2. Go to Devices.
  3. Click Endpoints.
  4. Check the list of Windows devices to verify that the device enrolled. Tip: click Add a filter > Management Type and select Enhanced desktop security to show only devices enrolled in Windows device management.

It’s highly recommended to create a “playground” OU and move your user into it for testing before you deploy to the whole organization.


Apply Windows settings on the managed hosts.

Block apps on Windows 10 devices with custom settings.

Example XML for blocking EXE apps (PuTTY and Ditto):

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="c6ed8334-5b63-4418-aa9f-653321413bb7" Name="%PROGRAMFILES%\Ditto\Ditto.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\Ditto\Ditto.exe" />
    </Conditions>
    <Exceptions>
      <FileHashCondition>
        <FileHash Type="SHA256" Data="0x7E988D388840A8AC096BE6BBF20F9657C025C452A2659BE9B7728A0FC0A67113" SourceFileName="Ditto.exe" SourceFileLength="5040128" />
      </FileHashCondition>
    </Exceptions>
  </FilePathRule>
  <FileHashRule Id="dd0060fd-79ff-4ba1-b3cb-c2b87be9fdf3" Name="putty.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FileHashCondition>
        <FileHash Type="SHA256" Data="0x88D37305A54641AEAB56E8E134F82711E91A3F8F9FE3FC97F8A5A26EB9EBB99B" SourceFileName="putty.exe" SourceFileLength="883600" />
      </FileHashCondition>
    </Conditions>
  </FileHashRule>
</RuleCollection>

Example XML for blocking Store apps (Microsoft Store):

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="21d5002d-f66c-4460-ae41-fc734e006eaa" Name="Microsoft.WindowsStore, version 12007.1001.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
        <BinaryVersionRange LowSection="12007.1001.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Generating XML

  1. Follow the instructions in the “Generating the XML” section of this Microsoft article. Stop following the instructions when you get to the “Creating the Policy” section. Note: these instructions describe how to create a policy for an application that is installed on the device. To create a policy for an application that isn't installed on the device, in step 6 select Use a packaged app installer as a reference.
  2. After you export the XML file, remove the policy you created in Group Policy Editor. Otherwise, the policy is enforced on the device.

Create A Policy


Sync and test your policy manually

[AWS] Deploy Ansible for Linux and domain-joined Windows hosts

Installation Details

  • Infrastructure: AWS
  • AMI ID: RHEL-8.2.0_HVM-20200423-x86_64-0-Hourly2-GP2 (ami-07dfba995513840b5)
  • Instance type : t2.medium
  • Instance Hardware: 2vcpu , 4G Memory.

Before we start

Install Vim:

sudo yum install vim

Update Packages

sudo yum update

Prepare For Installation

Change the Hostname:

sudo vim /etc/hostname

Add DNS entries to the hosts file:

sudo vim /etc/hosts

Install epel Repo:

sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Install Ansible:

sudo yum install ansible

General Ansible configuration

Create user:

sudo useradd ansible

Generate password:

passwd ansible 

Log in as the ansible user:

sudo su - ansible

Give Sudo Permissions:

  1. Change user to root:
sudo su -
  2. Give ansible sudo privileges (CentOS):
[root@itansible ~]# usermod -aG wheel ansible
[root@itansible ~]# sudo su - ansible
[ansible@itansible ~]$ id ansible
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),10(wheel)

[ansible@itansible ~]$ sudo visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
ansible         ALL=(ALL)       NOPASSWD: ALL
ec2-user        ALL=(ALL)       NOPASSWD: ALL


Log back in as the ansible user and create an SSH key pair.

[ansible@itansible ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
/home/ansible/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): ******


Configure Linux managed hosts:

  1. Create a user named ansible and set its password.
  2. Copy the SSH public key from the Ansible master to the managed hosts:
# On the managed host, switch to the ansible user and go to its .ssh directory
cd .ssh/
# Create the authorized_keys file
vim authorized_keys
# On the Ansible master, print the public key and copy it to your clipboard:
cat ~/.ssh/id_rsa.pub
# Back on the managed host, paste the clipboard contents into authorized_keys
  • Give sudo permissions (Ubuntu)
ansible@ip-10-64-118-34:~$ sudo visudo

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
ansible     ALL=(ALL) NOPASSWD:ALL
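As an added example (not the post's manual steps), the managed-host preparation above as a script: it creates the ansible user, installs the controller's public key exactly once with 700/600 permissions on .ssh and authorized_keys (sshd refuses keys in files that are too open), and writes the NOPASSWD rule to /etc/sudoers.d only after `visudo -cf` has accepted it, so a typo cannot lock sudo. It is assumed to run as root on the managed host, with `PUBKEY` holding the controller's id_rsa.pub line.

```shell
#!/bin/sh
# Bootstrap a Linux managed host for Ansible: create the ansible user, install
# the controller's public key with strict permissions, and grant passwordless
# sudo through a drop-in that visudo has validated first.
# Added example; it is not the original post's manual steps. Assumed: it runs
# as root on the managed host and PUBKEY holds the controller's id_rsa.pub line.
set -eu

# install_authorized_key HOME_DIR PUBKEY: add the key once, with 700 .ssh and 600 authorized_keys
install_authorized_key() {
  mkdir -p "$1/.ssh"
  chmod 700 "$1/.ssh"
  touch "$1/.ssh/authorized_keys"
  chmod 600 "$1/.ssh/authorized_keys"
  grep -qxF "$2" "$1/.ssh/authorized_keys" || printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# ssh_perms_ok HOME_DIR: 0 when .ssh is exactly 700 and authorized_keys exactly 600
ssh_perms_ok() {
  [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
  [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# sudoers_line USER -> the NOPASSWD rule the post adds with visudo
sudoers_line() {
  printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# install_sudoers USER: write /etc/sudoers.d/USER only if visudo accepts the syntax
install_sudoers() {
  tmp=$(mktemp)
  sudoers_line "$1" > "$tmp"
  if ! visudo -cf "$tmp" >/dev/null; then
    rm -f "$tmp"
    echo "refusing to install a sudoers rule visudo rejects" >&2
    return 1
  fi
  install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1"
  rm -f "$tmp"
}

# bootstrap USER PUBKEY: full managed-host setup
bootstrap() {
  id "$1" >/dev/null 2>&1 || useradd -m "$1"
  home=$(getent passwd "$1" | cut -d: -f6)
  install_authorized_key "$home" "$2"
  chown -R "$1:$1" "$home/.ssh"
  install_sudoers "$1"
  ssh_perms_ok "$home" && echo "$1 is ready; test from the controller with: ansible all -m ping"
}

# Usage: PUBKEY="$(cat ~/.ssh/id_rsa.pub)" sh bootstrap-managed-host.sh run
if [ "${1:-}" = run ]; then
  [ -n "${PUBKEY:-}" ] || { echo "set PUBKEY to the controller's id_rsa.pub contents" >&2; exit 1; }
  bootstrap ansible "$PUBKEY"
fi
```

Running it twice is safe: the key is appended only if it is not already present, and the sudoers drop-in is simply rewritten.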


Configure Ansible for Linux

  1. Log in to the Ansible master as the user ansible.
  2. Create a linux project directory in the ansible home folder:
mkdir linux
  3. In the linux directory create two files:
[ansible@itansible linux]$ ls
ansible.cfg  inventory
  4. Configure the ansible.cfg file like this:
[defaults]
remote_user = ansible
# host_key_checking = false skips SSH host key verification; set it back to
# true (with known_hosts populated) once you are out of the lab
host_key_checking = false
inventory = inventory
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
  5. Configure the inventory file like this:
[linux]
itansible-slave

  6. Test the connection, for example:
[ansible@itansible linux]$ ansible all -m command -a "id ansible"
itansible-slave | CHANGED | rc=0 >>
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),27(sudo)

[ansible@itansible linux]$ ansible all -m user -a name=test
itansible-slave | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1002,
    "home": "/home/test",
    "name": "test",
    "shell": "/bin/sh",
    "state": "present",
    "system": false,
    "uid": 1002
}


Configure Ansible for Windows

  1. log in to the Ansible Master with the user ansible
  2. Create a windows project directory in ansible home folder
mkdir windows

Installing the Kerberos Library

# via Yum (RHEL/Centos/Fedora)
sudo yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation
sudo pip3 install "pywinrm>=0.2.2"

Configuring Kerberos

Edit your /etc/krb5.conf (which should be installed as a result of installing packages above) and add the following information for each domain you need to connect to:

ansible@ip-10-64-118-34:~$ cat /etc/krb5.conf
[libdefaults]
# default_realm: enter your own domain (the Kerberos realm)
default_realm = mydomain.com
dns_lookup_realm = true
dns_lookup_kdc = true

Testing a Kerberos connection

If you have installed krb5-workstation (yum) or krb5-user (apt-get) you can use the following command to test that you can be authorised by your domain controller.

kinit user@MY.DOMAIN.COM

To see what tickets if any you have acquired, use the command klist

klist

Create the inventory, config and variables files

[ansible@itansible windows]$ ls
ansible.cfg group_vars inventory winvars winvars.yml

Create Inventory file

[ansible@itansible windows]$ vim inventory

[windows]
mt-n.argus.local

Create config file

[ansible@itansible windows]$ vim ansible.cfg

[defaults]
host_key_checking = false
inventory = inventory

Create the group_vars directory and the variables file

mkdir group_vars
[ansible@itansible group_vars]$ vim windows
ansible_user: user@ARGUS-LOCAL
# keep this value in ansible-vault rather than in clear text
ansible_password: password
ansible_connection: winrm
ansible_winrm_transport: kerberos
# "ignore" skips TLS certificate checks on the WinRM listener; switch to
# "validate" once the hosts present a certificate from a CA the controller trusts
ansible_winrm_server_cert_validation: ignore


Configure Windows Managed Hosts

Configuring a Windows server for remote management by Ansible requires a bit of work. Luckily the Ansible team has created a PowerShell script for this. Download this script from [here] to each Windows server you want to manage and run it as Administrator.

Log into WinServer1 as Administrator, download ConfigureRemotingForAnsible.ps1 and run this PowerShell script without any parameters.

Once this has been run on the Windows 10 host, return to the Ansible master (controller) host.

Test Connectivity to the Windows Server

If all has gone well, we should be able to perform an Ansible PING test command. This command will simply connect to the remote WinServer1 server and report success or failure.

Type: ansible windows -m win_ping

[Image: https://argonsys.com/wp-content/uploads/2018/02/kb32-ansible-etcansiblehosts.png]

Bypass FortiGate Captive Portal 24 Hours Session limit.

What is a captive portal?

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication.


What is a session timeout?

Session timeout is a fairly popular option that needs to be used carefully. It is used to determine how long a device may remain authenticated before it must perform authentication again.

By default the authentication timeout is set to 5 minutes.

Argus-fw# show full-configuration user setting

The authentication timeout can be changed globally to maximum of 24 hours.

Argus-fw # config user setting
Argus-fw (setting) # set auth-timeout
<timeout_integer>   The auth time-out range is 1-1440 minutes (24 hours)
Argus-fw (setting) # end

Increase the session timeout above the 24-hour limit:

But what if you want your users to authenticate to the company's Wi-Fi only once every 3 days, or once a week?

How do you actually bypass the 24-hour limit?

To bypass this limitation you can set the authtimeout <timeout> value per group instead of globally.

In the group settings you can set the value between 1 and 43200 minutes (one minute to thirty days).

The default is 0, which makes the group use the global authentication timeout (24 hours at most).

To change group settings :

Argus-fw # config user group
Argus-fw(group) # edit Guest-group
Argus-fw(Guest-group) # set authtimeout
<integer> The auth time-out range is 0-43200 minutes (0 = use global authtimeout value)
Argus-fw (Guest-group) # end

To view the changes:

Argus-fw $ config user group 

Argus-fw (group) $ get Guest\ Group 
name                : Guest Group
group-type          : firewall 
authtimeout         : 43200
auth-concurrent-override: disable 
http-digest-realm   : 
member              : "menit"

Now all you need to do is assign the group with the new settings to your Wi-Fi configuration.

