1 00:00:00,770 --> 00:00:04,250 Security is one of the biggest risks in IT world. 2 00:00:04,670 --> 00:00:10,280 That is why Ansible has a built-in feature called Ansible Vault. 3 00:00:10,400 --> 00:00:17,480 And in this video, this is what we are going to talk about, how we could protect and secure our Ansible 4 00:00:17,480 --> 00:00:18,380 environment. 5 00:00:18,830 --> 00:00:26,090 Ansible can automate tasks for teams such as hardware, operating system team, virtualization, database 6 00:00:26,090 --> 00:00:33,170 or storage teams, applications, software, and many, many other teams that we deal with and automate 7 00:00:33,170 --> 00:00:34,020 their tasks. 8 00:00:34,040 --> 00:00:41,510 Now, oftentimes you have to share your Ansible code with these groups upon request over the network. 9 00:00:41,510 --> 00:00:49,010 And as you know, anything you share over the network has a risk to end up in the wrong hands. 10 00:00:49,370 --> 00:00:55,070 In addition to that, you probably have a risk of having your system hacked. 11 00:00:55,430 --> 00:01:03,440 So in that case, if you have written many playbooks without the Ansible Vault, those playbooks can 12 00:01:03,440 --> 00:01:05,420 be viewed openly. 13 00:01:05,420 --> 00:01:13,130 So it is best practice to use Ansible Vault feature, which will password protect your code. 14 00:01:13,490 --> 00:01:20,720 Yes, it's one of the coolest features of Ansible where you could run your command ansible vault to password 15 00:01:20,720 --> 00:01:22,580 protect your YAML file. 16 00:01:23,270 --> 00:01:30,410 Let's see how we could create our YAML files using Ansible Vault feature. To create YAML file, you have 17 00:01:30,410 --> 00:01:33,950 to use a command ansible dash vault. 18 00:01:33,950 --> 00:01:37,040 The full command will be ansible 19 00:01:37,400 --> 00:01:38,600 dash vault 20 00:01:38,960 --> 00:01:39,770 space 21 00:01:39,770 --> 00:01:42,980 create space the name of your YAML file. 
22 00:01:42,980 --> 00:01:50,630 And in this example we will be using http by vault YAML, then you will be prompted for a password and 23 00:01:50,630 --> 00:01:57,020 then you have to confirm a password and then you will be entered into the vi editor. 24 00:01:57,020 --> 00:02:02,510 Then you specify all the parameters to create a YAML file. Once the file is created, 25 00:02:02,510 --> 00:02:11,300 and then if you run the YAML file with that command ansible playbook space the YAML file name, then 26 00:02:11,300 --> 00:02:17,600 it will produce an error because you have to specify dash dash 27 00:02:17,600 --> 00:02:24,800 ask for the password right here. To run a vaulted YAML file you have to run ansible dash playbook, the 28 00:02:24,800 --> 00:02:26,150 name of the YAML file, 29 00:02:26,510 --> 00:02:27,080 dash 30 00:02:27,080 --> 00:02:28,070 dash ask 31 00:02:28,070 --> 00:02:28,460 dash 32 00:02:28,460 --> 00:02:30,290 vault dash pass. 33 00:02:30,410 --> 00:02:37,250 All right, let's do that together and see how we could create a file using Ansible Vault and run that 34 00:02:37,250 --> 00:02:38,150 YAML file. 35 00:02:39,200 --> 00:02:43,520 All right, I have my Ansible control node right here. 36 00:02:43,700 --> 00:02:50,660 I am logged in as root and I am in /etc/ansible/playbook directory. 37 00:02:50,660 --> 00:02:54,540 Now let's go ahead and create a YAML file using aspa. 38 00:02:55,100 --> 00:03:00,350 So ansible dash vault, and we are creating from scratch. 39 00:03:00,350 --> 00:03:06,530 So we'll use create http by vault dot yaml. 40 00:03:06,830 --> 00:03:07,190 All right. 41 00:03:07,190 --> 00:03:10,160 So it will prompt you for a password. 42 00:03:10,160 --> 00:03:13,940 So enter a password and make sure you remember the password. 43 00:03:15,200 --> 00:03:15,560 All right. 44 00:03:15,560 --> 00:03:18,290 The password is entered and matched. 45 00:03:18,290 --> 00:03:22,790 Then you are entered into the vi editor. 
46 00:03:23,090 --> 00:03:31,010 Now please note that when you are creating a YAML file through ansible-vault, then you will be 47 00:03:31,010 --> 00:03:34,910 entered through vi, not the vim editor. 48 00:03:35,210 --> 00:03:44,780 So you have to make sure you are writing the YAML file with right indentation because it won't do the 49 00:03:44,780 --> 00:03:46,400 indentation for you. 50 00:03:46,730 --> 00:03:47,150 All right. 51 00:03:47,150 --> 00:03:53,210 So you put in dash, dash, dash, then the name of your playbook. 52 00:03:53,210 --> 00:03:57,620 So install httpd package. 53 00:03:58,250 --> 00:03:58,700 All right. 54 00:03:58,700 --> 00:04:06,140 And then you see as soon as you hit enter, it did not indent it for you because we are in vi editor, 55 00:04:06,170 --> 00:04:07,610 not vim editor. 56 00:04:07,730 --> 00:04:08,090 All right. 57 00:04:08,090 --> 00:04:16,040 So hit space to go right directly under the name so it will be vertically aligned, so 58 00:04:16,040 --> 00:04:19,730 host. And let's say you wanted to do it in localhost. 59 00:04:19,730 --> 00:04:21,140 All right, good. 60 00:04:21,140 --> 00:04:25,460 So for now, just save it and we'll write the rest later on. 61 00:04:27,640 --> 00:04:32,380 File has been created, you could do ls minus l tr and you will see. 62 00:04:32,380 --> 00:04:38,170 Here is the file that is created, and it is encrypted in two ways. 63 00:04:38,170 --> 00:04:42,070 One, it does not have read permission for group and others. 64 00:04:42,070 --> 00:04:47,740 And second, if you do, let's say cat http by vault. 65 00:04:48,890 --> 00:04:56,570 It will show you all the encrypted lines so it won't show you the actual code. 66 00:04:56,690 --> 00:04:58,160 Let's move down. 67 00:04:58,190 --> 00:05:05,310 If I wanted to run this Ansible code, I could run it with ansible 68 00:05:05,330 --> 00:05:08,900 dash playbook http 69 00:05:10,150 --> 00:05:11,530 by vault 
70 00:05:11,560 --> 00:05:13,370 dot yaml. 71 00:05:14,380 --> 00:05:15,100 Ask. 72 00:05:15,100 --> 00:05:20,740 This is the option you have to specify in order to run this YAML file. 73 00:05:21,610 --> 00:05:21,880 All right. 74 00:05:21,880 --> 00:05:27,550 Now, it will ask you for the password. You put in the password that you created while you created this 75 00:05:27,820 --> 00:05:28,780 YAML file. 76 00:05:29,140 --> 00:05:30,880 And it did. 77 00:05:31,390 --> 00:05:36,360 See, we didn't have anything except the name and host, so it didn't do anything. 78 00:05:36,370 --> 00:05:38,410 Nothing changed but YAML 79 00:05:38,410 --> 00:05:39,430 file did run. 80 00:05:39,430 --> 00:05:40,940 The playbook did run. 81 00:05:40,980 --> 00:05:43,060 Okay, moving on then. 82 00:05:43,060 --> 00:05:46,030 The next thing is to view a vaulted YAML file. 83 00:05:46,030 --> 00:05:48,850 You could simply use the view option. 84 00:05:48,850 --> 00:05:51,460 So let's go back to our. 85 00:05:54,100 --> 00:05:54,520 Yeah. 86 00:05:55,000 --> 00:05:55,780 Command. 87 00:05:55,780 --> 00:06:03,760 Sorry, the ansible-vault command. Instead of create we'll do view, and this will show you after entering 88 00:06:03,760 --> 00:06:04,400 the password. 89 00:06:04,420 --> 00:06:04,960 Of course. 90 00:06:04,960 --> 00:06:07,440 Because now we have to deal with the password. 91 00:06:07,450 --> 00:06:14,110 And right here is showing us all three lines that we entered inside of this YAML file playbook. 92 00:06:14,230 --> 00:06:14,710 All right. 93 00:06:14,710 --> 00:06:18,780 Next one is to edit an existing vaulted YAML file. 94 00:06:18,790 --> 00:06:21,370 You have to use the option edit. 95 00:06:22,210 --> 00:06:32,530 So let's go to our same YAML file and replace view with edit and you will see after entering the password 96 00:06:33,400 --> 00:06:37,990 you are prompted back to your YAML file. 
97 00:06:38,020 --> 00:06:41,980 Now you could come in and you could specify the tasks. 98 00:06:46,040 --> 00:06:51,950 If you want to view it again, you could do ansible dash vault space view, enter the password. 99 00:06:53,090 --> 00:06:54,800 And it will show you the code. 100 00:06:55,220 --> 00:06:56,270 The code is there. 101 00:06:56,300 --> 00:06:59,070 Now, let's see if we could run it. 102 00:06:59,090 --> 00:07:02,930 So in order to run it, we have to use this command. 103 00:07:03,320 --> 00:07:05,230 Ask dash vault. 104 00:07:05,240 --> 00:07:10,900 But before we run it, let's make sure we do not have httpd package installed. 105 00:07:10,910 --> 00:07:12,560 If you do, we'll just remove it. 106 00:07:12,580 --> 00:07:13,310 Okay, we do. 107 00:07:13,310 --> 00:07:16,090 So we'll do yum remove httpd. 108 00:07:16,340 --> 00:07:21,230 Since we've been playing with the httpd for quite some time, that's where we have to remove it 109 00:07:21,560 --> 00:07:22,580 quite a few times. 110 00:07:22,580 --> 00:07:24,860 All right, so it should be gone. 111 00:07:24,860 --> 00:07:28,430 Now, let's confirm one more time by running rpm dash command. 112 00:07:28,430 --> 00:07:42,470 Yes, it is gone. Now let's go ahead and run ansible dash playbook http by vault and ask dash vault dash 113 00:07:42,860 --> 00:07:43,760 pass. 114 00:07:44,090 --> 00:07:45,830 It should prompt you for a password. 115 00:07:45,860 --> 00:07:46,430 Oops. 116 00:07:46,610 --> 00:07:48,320 Something wrong? 117 00:07:48,320 --> 00:07:53,720 Oh, I typed a case instead of a ask. 118 00:07:54,500 --> 00:07:57,650 All right, now it should prompt me for the password. 119 00:07:59,300 --> 00:08:04,670 And it should run and it should install the packages. 120 00:08:05,080 --> 00:08:05,210 All right. 121 00:08:05,210 --> 00:08:07,400 Let's give it a few seconds. 122 00:08:08,840 --> 00:08:09,410 Okay. 
123 00:08:09,980 --> 00:08:17,240 So it finished, installed, the changed equal one. You could verify by running the same command rpm and 124 00:08:17,240 --> 00:08:20,540 grep for http and you'll see all the packages are there. 125 00:08:21,230 --> 00:08:22,070 Excellent. 126 00:08:22,160 --> 00:08:22,700 All right. 127 00:08:22,700 --> 00:08:29,150 Next one is to get a list of options for ansible-vault. 128 00:08:29,180 --> 00:08:30,230 You can run the command 129 00:08:30,230 --> 00:08:31,820 ansible dash vault 130 00:08:31,820 --> 00:08:33,890 space dash dash 131 00:08:33,920 --> 00:08:34,580 help. 132 00:08:34,850 --> 00:08:38,960 So let's see what other options we have available with that command. 133 00:08:38,960 --> 00:08:39,860 Ansible 134 00:08:40,130 --> 00:08:41,090 dash 135 00:08:41,120 --> 00:08:42,050 vault 136 00:08:42,050 --> 00:08:42,500 dash 137 00:08:42,500 --> 00:08:43,010 dash 138 00:08:43,040 --> 00:08:43,430 help. 139 00:08:45,010 --> 00:08:45,880 All right, you'll see. 140 00:08:45,880 --> 00:08:47,530 These are the options we have available. 141 00:08:47,530 --> 00:08:50,380 Create, create a new vault encrypted file. 142 00:08:50,380 --> 00:08:53,650 This is what we use to create it. Decrypt, 143 00:08:53,650 --> 00:08:58,920 if you want to decrypt a file which is encrypted. Edit, we already covered. View, 144 00:08:58,930 --> 00:08:59,950 we already covered. 145 00:08:59,950 --> 00:09:08,140 Encrypt is another option to encrypt the existing file, which we'll check in a second. Right here when 146 00:09:08,140 --> 00:09:12,850 we say http by vault, the file was created with ansible-vault. 147 00:09:12,850 --> 00:09:15,400 What about existing files? 148 00:09:15,400 --> 00:09:15,940 Yes. 149 00:09:15,940 --> 00:09:20,950 What if I wanted to create or encrypt an existing file? For that, 
150 00:09:20,950 --> 00:09:28,660 you could create a file, let's say using vim editor, and then you could use a command ansible dash vault 151 00:09:28,660 --> 00:09:30,430 space encrypt. 152 00:09:30,430 --> 00:09:37,630 Instead of create, you use the word encrypt followed by the name of your existing YAML file. 153 00:09:37,660 --> 00:09:44,350 It is just that simple, and then it will prompt you for a new password and prompt you to confirm that 154 00:09:44,350 --> 00:09:45,220 password. 155 00:09:45,220 --> 00:09:47,140 Then it will be encrypted. 156 00:09:47,140 --> 00:09:53,440 You will have to use this same command ask dash vault going forward to run that YAML file.