OSDC 2018 | Spicing up VMWare with Ansible and InSpec by Martin Schurz and Sebastian Gumprich

Spicing up VMware with
Ansible and InSpec
T-Systems Multimedia Solutions GmbH

Martin Schurz
Sebastian Gumprich
T-Systems MMS

Ops: the old days (tm)

Ops: the old days (tm)
handcrafted and sometimes arcane con guration
clusters
parameters for Oracle
the "one" server someone installed
virtualization is just lift and shift

Ops: slowly improving
reliance on enterprise tools
vSphere / vRealize / vCloud

VMware

We have a lot of pets,
but we need more cattle

Mantra:
manual work is a bug!

Why Ansible?
because we don't like Puppet
Ansible is simple, agent-less
easy to learn
straight-forward in task execution
Not written in Ruby (looking @ you, Puppet)

Ansible - quick rundown

Ansible modules - many of them

... except Oracle
pet, not cattle.

Jenkins incoming
already reliable application deployments
now reliable con guration of servers, too

Automation is fun!
... or so they say ...

Automation is fun!
due to "unfortunate circumstances" we lost half
our servers
“
“

Automation is fun!
... and we did recover easily
due to "unfortunate circumstances" we lost half
our servers
“
“

Managing ESX Hosts
Prebuild modules for all basic tasks:
Network
Storage
Cluster
vCenter
VM tasks

Managing ESX Hosts (example)
I want to con gure all VLANs for my ESX Cluster
All Hosts should have correct VLAN con guration
All Hosts should be con gured from one source
Adding Hosts and VLANs should be easy
(like a distributed vSwitch)

create a host group (e.g. esx-servers )
Add group_vars:
vlans:
customer1-vlan:
tag: 4006
vswitch: vSwitch0
customer2-vlan:
tag: 4007
vswitch: vSwitch0
...

Add a playbook task:
- hosts: esx-servers
tasks:
- name: "Add VLANs"
local_action:
module: vmware_portgroup
hostname: '{{ ansible_hostname }}'
username: root
password: '{{ esxi_pass }}'
switch_name: "{{ item.value.vswitch }}"
portgroup_name: "{{ item.key }}"
vlan_id: "{{ item.value.tag }}"
validate_certs: false
with_dict: "{{ vlans }}"

rst Ansible run
TASK [Add VLANs] *****************************************
ok: [esx_server] => (item={'value':
{u'vswitch': u'vSwitch0', u'tag': 4006},
'key': u'customer1-vlan'})
changed: [esx_server] => (item={'value':
PLAY RECAP ***********************************************
esx_server : ok=1 changed=1 unreachable=0 failed=0

second Ansible run
TASK [Add VLANs] *****************************************
PLAY RECAP ***********************************************
esx_server : ok=1 changed=0 unreachable=0 failed=0

I want to con gure all VLANs for my ESX Cluster
All Hosts should have correct VLAN con g
All Hosts should be con gured from one source
Adding Hosts and VLANs should be easy
(like a distributed vSwitch)

Creating VMs - Host variables
vm_cpu: 8
vm_ram: 8
vm_storage: srv_live_vmdata1
vm_host: srv-live-vh07
vm_disksize: 80
default_gateway: 172.31.225.1
network_ether_interfaces:
- vm_net: srv-lgen-app
device: eth0
bootproto: static
address: 172.31.225.36
netmask: 255.255.255.128
onboot: "yes"
dns1: "{{ srv_dns1 }}"
dns2: "{{ srv_dns2 }}"
domain: "{{ srv_domain }}"

Creating VMs - the Ansible task
- name: Create new VM
vmware_guest:
hostname: "{{ vcenter_host }}"
username: "{{ vcenter_user }}"
password: "{{ vcenter_pass }}"
datacenter: "{{ vcenter_dc }}"
name: "{{ item }}"
template: "{{ vm_template }}"
state: poweredon
wait_for_ip_address: yes
hardware:
memory_mb: "{{hostvars[item]['vm_ram']}}"
num_cpus: "{{hostvars[item]['vm_cpu']}}"
disk:
- size_gb: "{{hostvars[item]['vm_disksize']}}"
datastore: "{{hostvars[item]['vm_storage']}}"

Adding Security to the mix
Telekom security guideline requires all servers to
be hardened
also VMware security guideline:
https://www.vmware.com/security/hardening-
guides.html (beware Excel!)

Hardening an ESX host (example)
VMware Requirement:
Guideline ID: ESXi.disable-mob:
The managed object browser (MOB) provides a
way to explore the object model used by the
VMkernel to manage the host; it enables
con gurations to be changed as well. This
interface is meant to be used primarily for
debugging the vSphere SDK. In Sphere 6.0 this
is disabled by default

Hardening an ESX host (example)
Ansible implementation:
# Guideline ID: ESXi.disable-mob
- name: get | disable MOB
shell: "vim-cmd hostsvc/advopt/view
Config.HostAgent.plugins.solo.enableMob
| grep value | cut -d ' ' -f 9"
register: mob_status
changed_when: mob_status.rc > 0
- name: set | disable MOB
shell: "vim-cmd hostsvc/advopt/update
Config.HostAgent.plugins.solo.enableMob
bool {{ mob }}"
when: mob not in mob_status.stdout

Hardening VMs - nding them all!
- name: Find all .vmx files on local store
shell: |
find /vmfs/volumes/datastore/ -name *.vmx
register: found_vms
changed_when: False

Hardening VMs - changing them
- name: Set VM parameters
lineinfile:
path: "{{ item[1] }}"
regexp: "{{ item[0].key }}"
backrefs: yes
line: "{{ item[0].key }} = "{{ item[0].value }}""
with_nested:
- "{{ parameters_add }}"
- "{{ found_vms }}"
parameters_add:
- { key: isolation.tools.copy.disable, value: TRUE }
- { key: isolation.tools.paste.disable, value: TRUE }

Managing VMs - deleting them
- name: delete VM
vmware_guest:
vcenter_hostname: "{{ vcenter_host }}"
username: "{{ vcenter_user }}"
password: "{{ vcenter_pass }}"
validate_certs: false
guest: "{{ item }}"
force: true
state: absent # deletion!
with_items: "{{ vm_name }}"

Managing VMs - making snapshots
- name: Create snapshot of {{vm_name}}
vmware_guest_snapshot:
folder: "/vm/"
name: "{{ vm_name }}"
state: present
snapshot_name: "snap_{{ '%Y-%m-%d-%M' | strftime }}"

Not everything out of the box
moving VMs not implemented in Ansible :(
but Ansible is extensible with Python code
so just write your own module
VMware vSphere API Bindings for Python
(https://github.com/vmware/pyvmomi)
VMware API Docs
Python + API =

we started with Ansible code:
- name: Move VM to target host and DS
delegate_to: localhost
vm_move:
vc_host: "{{ vcenter_host }}"
vc_pass: "{{ vcenter_pass }}"
vc_user: "{{ vcenter_user }}"
vm_name: "{{ inventory_hostname }}"
ds_name: "{{ vm_storage }}"
esx_host: "{{ vm_host }}"

then think about implementation
what needs to be done:
Locate the VM we want to move

Locate the target ESX host / storage

check what needs to be changed

check what needs to be changed
move the VM

some boilerplate is needed:
def main():
module = AnsibleModule(
argument_spec=dict(
vc_host = dict(required=True, type='str'),
...
esx_host = dict(required=False, type='str'),
),
)
result = dict(
changed=False, original_message='', message=''
)
# do something
module.exit_json(**result)

vm = get_obj(content, [vim.VirtualMachine], vm_name)
vm_datastore = get_obj(content, [vim.Datastore], ds_name)
dest_host = get_obj(content, [vim.HostSystem], esx_host)
vm_relocate_spec = vim.vm.RelocateSpec()

if vm.datastore[0] != vm_datastore:
result['changed'] = True
vm_relocate_spec.datastore = vm_datastore

if vm.runtime.host != dest_host:
vm_relocate_spec.host = dest_host

if vm.runtime.host != dest_host:
vm_relocate_spec.host = dest_host
if result['changed']:
task = vm.Relocate(spec=vm_relocate_spec)
wait_for_task(module, task, si)

VMWare has a tool called govc
https://github.com/vmware/govmomi/tree/mast
er/govc
pretty easy to use from the command line
this can also be included in Ansible scripts
but do I really need to write all this python code?
I'm not a programmer!
“
“

Testing

Testing with inSpec
written by Chef guys
originally a fork of serverspec
diverged since then and has gotten many new
features

Testing with inSpec - the test
control 'VM.disable-console-drag-n-drop' do
title 'Explicitly disable copy/paste operations'
vsphere.datacenters.each { |dc|
dc.vms.each { |vm|
describe vm_advancedsetting) do
its(['isolation.tools.dnd.disable'])
{ should eq true }
end
}
}
end

Testing with inSpec - results
VM.disable-console-drag-n-drop
isolation.tools.dnd.disable should eq true
Profile Summary: 136 successful controls, 0 failures
Test Summary: 136 successful, 0 failures, 0 skipped

Bonus - ansible-cmdb

The End
Now grab some food!

Ansible logo from redbubble.com
VMWare logo from fujitsu
InSpec logo from sdtimes
Fry from ickr user liliana_von_k
success kid from instagram user laneymg
automate from ickr user Amber Case
Ansible works image from tutorialspoint.com

OSDC 2018 | Spicing up VMWare with Ansible and InSpec by Martin Schurz and Sebastian Gumprich

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to OSDC 2018 | Spicing up VMWare with Ansible and InSpec by Martin Schurz and Sebastian Gumprich

Similar to OSDC 2018 | Spicing up VMWare with Ansible and InSpec by Martin Schurz and Sebastian Gumprich (20)

Recently uploaded

Recently uploaded (20)

OSDC 2018 | Spicing up VMWare with Ansible and InSpec by Martin Schurz and Sebastian Gumprich