Friday, August 16, 2024

Enable and Disable USB support on Linux servers without reboot

 Hello Guys,

Over the past couple of weeks I was working on a small project with a very specific objective: enable and disable USB support on Linux-based edge devices. I used a Raspberry Pi 4, as I don't have any other supported industrial controller with me.

I started by installing the default available OS on the Raspberry Pi and was able to log in to the system, which looks like this:


After that I needed to enable and disable USB support on, let's say, hundreds of devices, so automation is the only way; it can't be done manually. At the same time the system must not require a reboot, otherwise it would defeat the purpose, so I could not go with the conventional way of disabling USB support at the kernel level (a module blacklist or a kernel command-line parameter, both of which only take effect at boot).

After much googling I came across a Linux utility called USBGuard which can help here: it enforces USB device authorization through the kernel's own authorization interface in sysfs, so a policy change takes effect as soon as the daemon is restarted. Once the approach was finalised I moved on to writing a playbook, which looks like this:


---
- name: Enable or disable USB support with USBGuard
  hosts: "{{ target }}"
  become: true
  vars:
    # 'allow' enables USB, 'block' disables it; the value is written into the
    # three *Policy keys of the daemon configuration template below
    enable_usb: allow

  tasks:
    - name: Install usbguard on RedHat family OS
      ansible.builtin.yum:
        name: usbguard
        state: present
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Install usbguard on Debian family OS
      ansible.builtin.apt:
        name: usbguard
        state: present
      when: ansible_facts['os_family'] == 'Debian'

    - name: Deploy the usbguard daemon configuration
      ansible.builtin.template:
        src: usbguard-daemon.conf.j2
        dest: /etc/usbguard/usbguard-daemon.conf
        owner: root
        group: root
        mode: '0600'

    - name: Restart usbguard so the {{ enable_usb }} policy takes effect
      ansible.builtin.service:
        name: usbguard
        state: restarted
        enabled: true

and the template looks like this:

RuleFile=/etc/usbguard/rules.conf
RuleFolder=/etc/usbguard/rules.d/
# allow = USB enabled, block = USB disabled; no rules are defined, so the
# implicit target decides for every device
ImplicitPolicyTarget={{ enable_usb }}
PresentDevicePolicy={{ enable_usb }}
PresentControllerPolicy={{ enable_usb }}
InsertedDevicePolicy=apply-policy
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=wheel
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log



Using the above automation I can enable or disable USB support from Red Hat AAP with one click, by launching the job with enable_usb set to allow or block. Two caveats: because no rules are defined, block applies to every device that is already attached, including a USB keyboard or a USB network adapter, so make sure the device is managed over a non-USB path before pushing block; and on Debian-family systems there is normally no wheel group (the admin group is sudo), so adjust IPCAllowedGroups if non-root users need the usbguard CLI.

With this one job I can get my job done.
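Once the job has run, the one check a practitioner wants on the device itself is whether the kernel is now actually enforcing the policy. The script below is an added example, not part of the original post or of USBGuard: it parses the deployed usbguard-daemon.conf and compares the configured PresentControllerPolicy / PresentDevicePolicy (the template sets all three policy keys to the same value, so one expected flag per class is enough) with the kernel's USB authorization attributes in sysfs, which is where USBGuard writes its decisions. The config path and sysfs directory are assumptions given as defaults and can be overridden, so the same code can be exercised against a constructed directory tree.

```python
"""Added example (not from the original post or from USBGuard): confirm that the policy
pushed by the playbook is enforced by the kernel, without rebooting.

USBGuard enforces its decisions through the kernel's USB authorization attributes, so
the ground truth is in sysfs rather than in the daemon's own log:
  <sysfs>/usbN/authorized_default        controller default for new devices, 1 = allow, 0 = block
  <sysfs>/<bus>-<port>[.<port>]/authorized  per-device flag,                 1 = allow, 0 = block
Assumed default locations below; both are parameters so the check can run on a fake tree.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

DEFAULT_CONF = Path("/etc/usbguard/usbguard-daemon.conf")   # assumption: playbook's dest
DEFAULT_SYSFS = Path("/sys/bus/usb/devices")

# Kernel authorization value implied by a USBGuard target. 'keep' and 'apply-policy'
# have no single expected value and are deliberately not mapped.
TARGET_TO_FLAG = {"allow": "1", "block": "0", "reject": "0"}

_KV = re.compile(r"^\s*([A-Za-z]+)\s*=\s*([^\s#]+)")
# Device nodes look like 1-1 or 1-1.3; interface nodes (1-1:1.0) carry their own
# 'authorized' attribute for interface authorization and must be skipped.
_DEVICE = re.compile(r"^\d+-\d+(\.\d+)*$")


def parse_daemon_conf(text: str) -> dict[str, str]:
    """Parse usbguard-daemon.conf (KEY=value lines, '#' comments); last occurrence wins."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def expected_flag(target: str | None) -> str:
    """Map a policy target to the sysfs value it should produce, or raise ValueError."""
    try:
        return TARGET_TO_FLAG[target or ""]
    except KeyError:
        raise ValueError(f"unsupported or missing policy target: {target!r}") from None


def check_usb_policy(conf_path: Path = DEFAULT_CONF,
                     sysfs: Path = DEFAULT_SYSFS) -> list[tuple[str, str, str]]:
    """Return (name, have, want) for every controller or device whose kernel
    authorization flag disagrees with the configured policy; empty list == enforced."""
    conf = parse_daemon_conf(conf_path.read_text())
    ctl_want = expected_flag(conf.get("PresentControllerPolicy"))
    dev_want = expected_flag(conf.get("PresentDevicePolicy"))
    mismatches: list[tuple[str, str, str]] = []
    for entry in sorted(sysfs.iterdir()):
        if entry.name.startswith("usb"):            # host controller / root hub
            attr, want = entry / "authorized_default", ctl_want
        elif _DEVICE.match(entry.name):             # attached device
            attr, want = entry / "authorized", dev_want
        else:
            continue
        if not attr.is_file():
            continue
        have = attr.read_text().strip()
        if have != want:
            mismatches.append((entry.name, have, want))
    return mismatches


if __name__ == "__main__":
    # usage on the device (as root): usb_policy_check.py [conf] [sysfs-usb-devices-dir]
    conf = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_CONF
    sysfs = Path(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_SYSFS
    bad = check_usb_policy(conf, sysfs)
    for name, have, want in bad:
        print(f"MISMATCH {name}: authorized={have}, policy expects {want}")
    print("policy enforced" if not bad else f"{len(bad)} mismatch(es)")
    sys.exit(1 if bad else 0)
```

Run it as a final task of the job (or from the AAP job's verbosity-free post step) and fail the job on a non-zero exit; a device that still reports authorized=1 under block is exactly the case where the daemon restarted but a rule or a stale RestoreControllerDeviceState setting left the kernel untouched.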

Tuesday, July 9, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-4

In this part we will set up a project in AAP, sync it from GitHub/GitLab, create job templates from that project and execute them.

So let's quickly go to GitHub, create a repo and add a file named password.yml:

---
- name: Generate and set a random password on remote servers
  hosts: all
  gather_facts: no

  tasks:
    - name: Check whether the servers are reachable
      ansible.builtin.ping:
      register: ping_result

    - name: Show ping result
      ansible.builtin.debug:
        msg: "{{ ping_result }}"

    - name: Generate a complex random password
      ansible.builtin.set_fact:
        generated_password: "{{ lookup('community.general.random_string', length=12, min_lower=1, min_upper=1, min_numeric=1, min_special=1, override_special='-_=+!#$()[]') }}"
      # without no_log the new password would be printed in the AAP job output
      no_log: true

    - name: Write password to Vault using the key/value v2 engine
      delegate_to: 127.0.0.1
      community.hashi_vault.vault_write:
        # address and token come from VAULT_ADDR / VAULT_TOKEN injected by the
        # credential type created in Part-2
        path: secret/data/dev/{{ inventory_hostname }}
#        auth_method: approle
#        role_id: ''
#        secret_id: ''
        data:
          data:   # KV v2 expects the secret's key/values nested under "data"
            password: "{{ generated_password }}"
      no_log: true

    - name: Set the password for the connection user
      ansible.builtin.user:
        name: "{{ ansible_user | trim }}"
        # no salt argument: password_hash then generates a random salt per run
        # instead of the fixed string that was here before
        password: "{{ generated_password | password_hash('sha512') }}"
      no_log: true


This playbook sets a new password on the remote server and also stores it in Vault, so if required we can rotate the password rapidly without disrupting existing automation, because the inventory reads ansible_password from Vault at run time. Note the ordering: the secret is written to Vault before the local account is changed, so if the user task fails the host still has the old password while Vault holds the new one; KV v2 keeps previous versions, so the old value can be read back by version number to recover.
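The nested data: / data: in the vault_write task and the secret/data/... path used by the inventory lookup are both dictated by the KV v2 HTTP API, which the collection hides. As an added example (not from the original post or from the community.hashi_vault collection), the Python below spells out those shapes with only the standard library: the data/ versus metadata/ path prefixes, the write body with its optional check-and-set (cas) option, the read response with the secret under data.data and the version under data.metadata, and a minimal token-auth client that reads VAULT_ADDR / VAULT_TOKEN, exactly the variables the Part-2 credential type injects. The mount name secret, the sample response and the host name edge01 are constructed assumptions.

```python
"""Added example (not from the original post or the community.hashi_vault collection):
the KV v2 request/response shapes behind the playbook, plus a minimal stdlib client.
Assumptions: mount 'secret', VAULT_ADDR / VAULT_TOKEN in the environment (as injected by
the AAP credential type), and a constructed sample response in the documented layout.
"""
from __future__ import annotations

import json
import os
import secrets
import urllib.request
from typing import Any

MOUNT = "secret"   # assumption: the engine enabled at path 'secret' in Part-2

# Constructed sample of a KV v2 read response (not captured from a real Vault).
SAMPLE_READ: dict[str, Any] = {
    "data": {
        "data": {"password": "Xy7!kq-Pz2$a"},
        "metadata": {"created_time": "2024-07-09T10:00:00Z", "custom_metadata": None,
                     "deletion_time": "", "destroyed": False, "version": 3},
    }
}


def kv2_data_path(mount: str, secret_path: str) -> str:
    """Reads and writes go through <mount>/data/<path>; this is the playbook's
    'secret/data/dev/{{ inventory_hostname }}'."""
    return f"{mount}/data/{secret_path.strip('/')}"


def kv2_metadata_path(mount: str, secret_path: str) -> str:
    """Version history, soft-delete and destroy live under <mount>/metadata/<path>."""
    return f"{mount}/metadata/{secret_path.strip('/')}"


def kv2_write_payload(secret: dict[str, Any], cas: int | None = None) -> dict[str, Any]:
    """Body of a KV v2 write: the user's key/values sit under 'data', which is why the
    playbook nests data: -> data: -> password:. With options.cas the write fails unless
    the current version equals cas (cas=0: only if the secret does not exist yet)."""
    body: dict[str, Any] = {"data": dict(secret)}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def kv2_extract(response: dict[str, Any], field: str | None = None) -> Any:
    """Secret (or one field of it) from a read response: user data is response.data.data,
    next to response.data.metadata. The inventory's ':password' suffix picks one field."""
    data = response["data"]["data"]
    return data if field is None else data[field]


def kv2_version(response: dict[str, Any]) -> int:
    """Version from a read response (data.metadata.version) or from a write response,
    where Vault returns the new version directly under data."""
    data = response["data"]
    return int(data["metadata"]["version"] if "metadata" in data else data["version"])


class Kv2Client:
    """Token-auth client with no retries or namespaces; TLS is whatever VAULT_ADDR says."""

    def __init__(self, addr: str | None = None, token: str | None = None):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]

    def _call(self, method: str, api_path: str, body: dict[str, Any] | None = None) -> dict[str, Any]:
        req = urllib.request.Request(
            f"{self.addr}/v1/{api_path}", method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def get(self, secret_path: str, version: int | None = None) -> dict[str, Any]:
        path = kv2_data_path(MOUNT, secret_path)
        return self._call("GET", path + (f"?version={version}" if version is not None else ""))

    def put(self, secret_path: str, secret: dict[str, Any], cas: int | None = None) -> int:
        resp = self._call("POST", kv2_data_path(MOUNT, secret_path), kv2_write_payload(secret, cas))
        return kv2_version(resp)


if __name__ == "__main__":
    # Live usage against a real Vault: rotate one host's password with check-and-set so a
    # concurrent rotation cannot silently overwrite this one (fails with HTTP 400 instead).
    host = "edge01"                                  # assumed inventory_hostname
    client = Kv2Client()
    current = client.get(f"dev/{host}")              # raises HTTPError 404 if it never existed
    new = client.put(f"dev/{host}", {"password": secrets.token_urlsafe(12)}, cas=kv2_version(current))
    print(f"dev/{host}: version {kv2_version(current)} -> {new}")
```

Reading a specific version (client.get(path, version=n-1)) is what recovers the previous password if the user task fails after the Vault write, and passing cas=<current version> on the write turns two concurrent rotations of the same host into one success and one explicit failure instead of a silent overwrite.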

We will also write one more playbook to test that the password change worked; we can run it before and after the change. This play shows the output of the hostname and ifconfig commands; the point is that AAP uses the updated password from Vault and is still able to connect.

---
- name: Debug AAP
  hosts: all

  tasks:
    - name: Run hostname to confirm we reached the right host
      ansible.builtin.command: hostname
      register: hostname

    - name: Show hostname output
      ansible.builtin.debug:
        msg: "{{ hostname.stdout }}"

    - name: Run ifconfig (needs net-tools; use "ip addr" on hosts without it)
      ansible.builtin.command: ifconfig
      register: ifg

    - name: Show ifconfig output
      ansible.builtin.debug:
        msg: "{{ ifg.stdout }}"



Now create two job templates from this project: one running password.yml and the other running test.yml. For both, select the custom-ee execution environment we built in Part-3 and attach the hashicorp_token credential from Part-2 so VAULT_ADDR and VAULT_TOKEN are injected into the job. Enjoy.

The execution can be seen in the screenshots below.

Changing/Rotating the Password

Updated random password for one of the servers


Able to connect even after changing the password, so no impact on existing automation

With this in place we can rotate host passwords on a schedule, for example every 60 days, to keep our systems safe, and the automation keeps working because every job reads the current password from Vault.

Let me know which Ansible topic you want to know more about and I am happy to help.

Friday, July 5, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-3

So now let's start building the execution environment needed for the collections our play uses. We need the following collections:

1. community.general --> to generate the random password

2. community.hashi_vault --> to interact with HashiCorp Vault

So let's get into action and install ansible-builder. Don't go for the latest one as you may encounter some issues; go for a stable release. As of writing this blog the release I know works is 3.0.1, so I am installing that.

We install pip if it is not already present and then use pip to install ansible-builder:

# dnf install python3-pip

# pip install ansible-builder==3.0.1

Once ansible-builder is installed, let's create the following files.

Note: EE stands for execution environment

Create a directory called EE and change into it:

# mkdir EE && cd EE

Create the first file, execution-environment.yml, with the following content:

cat <<EOT >> execution-environment.yml

---

version: 1

dependencies:

  galaxy: requirements.yml

  python: requirements.txt

  system: bindep.txt

additional_build_steps:

  prepend: |

    RUN whoami

    RUN cat /etc/os-release

  append:

    - RUN echo This is a post-install command!

    - RUN ls -la /etc

EOT

Now let's create the dependency files referenced above. The collections go in requirements.yml:


cat <<EOT >> requirements.yml

---

collections:

  - name: community.general

  - name: community.hashi_vault

EOT

The collections have Python dependencies, which we specify in requirements.txt (of these, hvac is the one community.hashi_vault requires):

cat <<EOT >> requirements.txt

gcp-cli

ncclient

netaddr

paramiko

hvac

EOT


If we have binary dependencies, we specify them in bindep.txt:

cat <<EOT >> bindep.txt

findutils [compile platform:centos-8 platform:rhel-8]

gcc [compile platform:centos-8 platform:rhel-8]

make [compile platform:centos-8 platform:rhel-8]

python39-devel [compile platform:centos-8 platform:rhel-8]

python39-cffi [platform:centos-8 platform:rhel-8]

python39-cryptography [platform:centos-8 platform:rhel-8]

python39-pycparser [platform:centos-8 platform:rhel-8]

EOT 

Once everything is in place we build the image with:

ansible-builder build -v3 -t custom-ee 

Once the image is built we tag it for our registry and push it:

podman tag custom-ee  aap2.example.com/custom-ee

podman push aap2.example.com/custom-ee

Once this is done, register the pushed image in AAP as an execution environment (Execution Environments in the controller UI) so job templates can select it.

With that in place we can start building the playbook.

Wednesday, July 3, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-2

In the second part let's start working with AAP: log in to AAP as an admin user, go to Credential Types and click Add.

Create a new credential type called HashiCorp.

Input configuration:

fields:

  - id: vault_server

    type: string

    label: URL for Vault Server

  - id: vault_token_id

    type: string

    label: Vault token ID

    secret: true

required:

  - vault_server

  - vault_token_id


Injector configuration (these two environment variables are what the hashi_vault lookup and the community.hashi_vault modules read by default):

env:
  VAULT_ADDR: '{{ vault_server }}'
  VAULT_TOKEN: '{{ vault_token_id }}'

It looks like this:
Now go to Credentials and create a credential called hashicorp_token of the HashiCorp type, entering the URL and token of your Vault.
Now go to Inventories and create an inventory (I have created one named hashi) and add a host, which will look like this. Just make sure you add the line below to the host variables:

# evaluated on the controller at connection time, using VAULT_ADDR / VAULT_TOKEN
# injected by the hashicorp_token credential attached to the job template
ansible_password: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/dev/' ~ inventory_hostname ~ ':password') }}"


We are almost done from the host setup standpoint in AAP; all that remains is writing a playbook to change the password.

Now let's look at setting up the initial password in HashiCorp Vault.

Log in to Vault with the root token available in the init file at /etc/vault/init.file. For day-to-day use by AAP, prefer a token tied to a policy that only grants the needed capabilities on secret/data/dev/* rather than handing the root token to the credential.

In the Vault UI go to Secrets Engines, enable a new engine, select KV (listed under Generic) and set:

Path: secret

After the engine is enabled the screen will look like this:



Click on secret and create paths as per your environment; for me it's a development environment, so I labelled it dev, followed by the FQDN or IP address we specified in the inventory (this must match the secret/data/dev/<inventory_hostname> path used by the lookup),

and create a password secret. Once you have built the secrets it may look like this:




With this part done we are almost finished; next we will create the execution environment for AAP or AWX.