Community Servers Tech

Beyond software agents: get to know Ansible

September 2, 2020

Beyond software agents: get to know Ansible

This post is also available in : Spanish

Software Agents with Ansible: save time and work

Software Agents are very small programs that we install in each operating system so that it returns metrics to our Pandora FMS Data Server… What does this have to do with Ansible? Let’s see.

Software Agents in Pandora FMS

Software Agents: is a noun with first and last name that must be written in capital letters. Here I will write it as Software Agent (PFMS). The F letter in our name means flexibility. Therefore, our monitoring software can be used in many ways. Today I present one of them.

Ansible

In another article we tell you a brief history about Ansible, its concepts, basic operations and its relationship with Pandora FMS. Essentially, Ansible frees us from the task of repeating the same instructions over and over on the computers assigned in our work as Network Administrators. Any command that we need to use twice or more must be saved in YAML format, and then reused with Ansible. These files, in turn, can be shared or bequeathed through a version control system such as Git (so, when the time comes, we can go on vacation and have a colleague cover us with no major issues).

I will review the Ansible terminology here as (ANS). Let’s recap:

  • Node (ANS) or Ansible Node: Each of the machines we are in charge of.
  • Inventory File (ANS) or Ansible Inventory File: In plain text (it also accepts YAML) where we have each and every one of the Nodes (ANS) by IP address or, better yet, by their full web address. We can gather, through the structure of an INI file, each of the groups (for example “[pandora_fms_group: children]” and the aliases that we already have registered, to save us the work) and we name them uniquely to use them as variables for the next component. The command ansible-inventory is useful if we have many Nodes (ANS).
  • Task (ANS) or Ansible Task: A block of instructions that define a complete procedure, for example installing an application.
  • Module (ANS) or Ansible Module: It contains a series of Tasks (ANS), generally system ones, that we will apply to the Nodes (ANS). Although we can – and must – type in our Modules (ANS), the idea is to save time and the Community (ANS) or Galaxy Ansible has lots of them created. For example, there is one called group_by that allows machine automated grouping according to the Facts (ANS).
  • Facts (ANS) or Ansible Facts: They are enabled by default in Ansible and have to do with the ability of this software to give back a large amount of information (type of processor, type of operating system, etc.). It can be disabled if we know our Nodes (ANS) very well.
  • Playbook (ANS) or Ansible Playbook: A file in YAML format with Tasks (ANS), Modules (ANS), etc.

To find out the version of Ansible we have installed, execute ansible –version. At the time of typing, the latest stable version is 2.9.11 with Jinja 2 2.11.2 -with yamllint 1.10.0 to verify the .yaml files -. I recommend using virtualenv to stay away from other Python language projects that you may have on your main computer. I have used Lubuntu 18 as Controller Node (ANS) and Ubuntu 16 and 18 as Nodes (ANS).

About Security and Ansible

Great responsibility is inseparable from great power.

Ansible communicates in an encrypted way with the Nodes (ANS) by default with SSH, so we must use a public key that we will register on the machines to be monitored to connect without sending a password. Most companies that rent virtual machines assign us a TOKEN API with which we can create servers with our embedded public key at once (this allows automation if our number of clients and work increase).

Then, the user registered there must not allow the connection by means of a password. That user must have administrator rights or root user (belong to the group sudoer) and, even if it has a password set, not request it to increase privileges (this is achieved with the command sudo visudo and editing their values, log out and disconnect and then they become effective).

Think about this whole scenario: Your Controller Node (ANS) has access to all Nodes (ANS) to execute very important commands automatically!

  • Encrypt your entire hard drive, so if they steal it they will not be able to read its content.
  • Your user should not log in automatically and by default, it should always request a password.
  • Screensaver with password every 5 minutes of inactivity.

Module (ANS) packet controller

Drivers for software packages are already registered with Ansible. Without going any further, in Debian it is apt and in CentOS it is andum. So, to install the Software Agent (PFMS) from Ubuntu’s default repositories:

# file apt_install_pandora_fms_agent.yaml
---
- hosts: pandora_fms_group
become: yes

tasks:

- name: install figlet and pandorafms-agent
apt: name={{ ['figlet', 'pandorafms-agent', 'curl' ] }} update_cache=no state=latest

The parameter become indicates to take administrator rights and the Task (ANS) is to install…figlet? Well, yes, I have included it as a didactic example if we want to install several applications (all figlet does is display the text you type in on a large screen). Notice the Python language style in [‘figlet’, ‘pandorafms-agent’, ‘curl’]. This has evolved in Ansible (it was done in another way, with a cycle) since it reduces the amount of new commands to learn.

Notice that update_cache=no orders not to update the package catalog, which saves some time; state=latest downloads the latest version registered in the repositories of the Linux distro used. Unfortunately this does not totally depend on Pandora FMS, but the company Canonical, creator of Ubuntu, offers an alternative: Personal Package Archive (PPA), which takes us to the next Module (ANS).

Module (ANS) command

To continue with this proof of concept, let’s imagine that we sign up in the Launchpad page that Canonical keeps online: we will get up to 2 gigabytes of storage for our source code (it does not accept binary code) and we get our own “name” to share our work. A particular example is the utilities of Mr. Lorenzo Carbonell, whose «name», is ppa:atareao/atareao How would we introduce this personal repository in our list of repositories? Using the Module (ANS) command:

# file apt_add_repository_ppa_atareao.yaml
---
- hosts: pandora_fms_group
become: yes

tasks:

- name: add a ppa repository if running Debian
command: add-apt-repository ppa:atareao/atareao -y
when: ansible_os_family == "Debian"

- name: apt update for new ppa repository
apt: update_cache=yes

Considerations:

  • Yes, there are other more suitable Modules (ANS) to carry out this work.
  • If you decide to work in an MS Windows® environment, there is the command win_command (generally it has the prefix win_) and, of course, you must use a valid command in that environment. Check more details for that SO in this link.
  • Remember Acts (ANS)? As it runs by default and first, we can place a when: conditional to make sure we are on Debian (Ubuntu, Lubuntu, etc.).
  • The next task is to update the package catalog. Why do I add it if together with the parameter -y I can add -u? Because there we can place another conditional, if the ppa was added, update then.

If you noticed, or not, in the example of the Module (ANS) apt I set curl to be installed: we can download the latest version of Agent Software (PFMS) in .deb format:

curl -o https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/747/Debian_Ubuntu/pandorafms.agent_unix_7.0NG.747.deb/download
dpkg -i pandorafms.agent_unix_7.0NG.747.deb

Of course with the Ansible commands; right now the version is 747 but set 7XX as we release new Debian / Ubuntu versions. As you can see, the beginning of this work is manual but the installation will be done in bulk.

Module (ANS) inline

It allows changing a specific line in a file, generally a configuration file, if it matches the search criteria. As we already have the Software Agent (PFMS) installed, it has localhost established, so we will type in 192.168.1.107 (our PFMS server) in this example.

# file pandora_agent_conf_data_server_ip.yaml
---
- hosts: pandora_fms_group
become: yes

tasks:

- name: Set data server ip for pandorafms agent daemon
lineinfile:
path: /etc/pandorafms/pandora_agent.conf
regexp: '^server_ip'
line: server_ip 192.168.1.107

Here we are on rough terrain: regular expressions or regex: if the line starts with server_ip, modify. To be safe, we can use the option backup: yes; there are many other parameters that would make this article endless. In the meantime, rejoice with the following graphic joke:

In the same way we can change, if necessary, the value of the server_port (41121 by default). With other Modules (ANS) we can open that port in the Ubuntu Fire Wall (ufw)or any other that we use.

Módulo (ANS) service

Once we have installed and configured our Software Agent (PFMS) we can stop, start or restart (or any other service) with service:

# file pandora_agent_daemon_started.yaml
---
- hosts: pandora_fms_group
become: yes

tasks:

- name: Start service pandora_agent_daemon, if not started
service:
stated: started

The other possible values for stated are stopped (if the service is running, it applies it), restarted and reloaded (they always run).

Beyond Software Agents (PFMS)

There is a Module (ANS) called ping- the cornerstone of monitoring – that does that and simply returns a pong as a positive response.

As I said, there are infinite Modules (ANS) and it is impossible to cover them all today, but knowledge does not take up any space. That said, I want to go even further: How about we turn Ansible itself into a Software Agent (PFMS)? (My rhetorical question).

A path that we can pave -figuredly- is through Pandora FMS API, taking into account the following:

  • Safety first. Our Pandora FMS server will not accept orders to the API if our Controller Node (ANS), its IP address, is not duly registered.
  • It is up to us to add programs, such as fail2ban,to block attacks. It is recognized as an attack by just the IP address where it comes from (see previous point).
  • It must also come with the credentials of a registered user, also authorized for the task. It is up to us to acquire digital certificates to encrypt our communications; this is also valid for the Tentacle protocol and its Software Agents (PFMS).
  • We must comply with each and every one of the API rules. To this example in Python language we can add code that handles Ansible and set a data bridge.
  • Once done, the data we pass will be converted into XML format that will be passed to our Data Server (PFMS) but without any guarantee that they will be processed and assimilated. Why?
  • Because we must direct to specific Modules (PFMS) and specific data to it (if it is numeric it will only be numbers, if we enter a single letter it ruins everything).

Do not get discouraged, no. All this is already solved (and with a graphical interface) in the Pandora FMS Enterprise version!

Before finishing, remember Pandora FMS is a flexible monitoring software, capable of monitoring devices, infrastructures, applications, services and business processes.

Would you like to find out more about what Pandora FMS can offer you?? Find out clicking here.

If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise DEMO. Get it here.

Finally, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here.

Do not hesitate to send us your questions. Pandora FMS team will be happy to help you!


Written by:



Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.