How to Execute an Ansible Role

Add the role to a playbook

At the root of the infrastructure-examples repository there is an Ansible playbook, playbook.yml, with multiple Ansible roles already defined. To deploy your own role, change the name of the included role in playbook.yml.

---
- hosts: all 
  user: ansible
  become: 'yes'
  become_method: sudo
  vars_files:
    - config.yml
  tasks:
    - include_role:
        name: ssh_authorized_keys  # <<< replace with the name of your role

Execute Ansible Playbook

After configuring the playbook to include your role, you can deploy it to the Test VMs using the ansible-playbook command as follows, where ${ip_1} and ${ip_2} are the IPs of the two running Test VMs:

ansible-playbook -i ${ip_1},${ip_2} playbook.yml

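The command executes the playbook against the ‘inventory list’ of hosts, ${ip_1} and ${ip_2}.

Note: You can run against a single host, but the host must be followed by a trailing comma so that Ansible treats the value as a list of hosts rather than the path to an inventory file.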

ansible-playbook -i ${ip_1}, playbook.yml

What Systems should be Tested

When developing submissions for Linux systems, your role should be tested on at least two distributions: CentOS 7 or 8, and Ubuntu 18+. The VMs created using Vagrant on the Getting Started With Vagrant page are Ubuntu 18.04 and CentOS 7.

Tests to Perform

When testing your role, be sure to perform the following tests to guarantee your role works standalone.

  • [ ] The VM can be restarted properly; nothing hinders startup
  • [ ] Any configured service is functional after setup
  • [ ] All required packages are installed at their correct versions
  • [ ] Other services on the system are unaffected by your role
  • [ ] All setup and temporary files that are not required for operation are removed from the system
  • [ ] The exploit steps within the challenge’s c2games.yml file work as intended, without extra implicit steps

Examples

Several examples are included in the roles/ directory of the infrastructure-examples repository. The repository can be downloaded using the download button in GitLab, next to the "Clone" button.

Included Examples:

  • The ssh_authorized_keys role will install an SSH public key onto the system, and allow root to SSH with password authentication (no SSH key required).
  • The manatee_bank_web_app role will install git/apache on a system and clone down a vulnerable web application.

These examples can be executed by first ensuring they are included in the playbook.yml playbook:

  tasks:
    - include_role:
        name: ssh_authorized_keys
    - include_role:
        name: manatee_bank_web_app

Then run the following Ansible command, with the IP(s) of your test machines substituted:

# single host - note the trailing comma!
ansible-playbook -i 10.1.10.17, playbook.yml
# multiple hosts
ansible-playbook -i 10.1.10.17,10.1.10.18 playbook.yml

If the playbook run is successful, you should see a footer similar to this at the end of the output. Check that ok=xxx and changed=xxx are non-zero and that failed=xxx is zero.

PLAY RECAP *******************************************************************************************************
10.1.11.28                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
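
The footer check described above can be scripted against saved ansible-playbook output. This is an added example, not part of the infrastructure-examples repository: the function name check_recap and the second sample are constructed, and it additionally treats unreachable > 0 as a failure.

```shell
#!/bin/sh
# Sample 1: the recap line shown on this page.
SAMPLE_OK='PLAY RECAP *********************************************************
10.1.11.28                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0'

# Sample 2 (constructed): the second host has one failed task.
SAMPLE_BAD='PLAY RECAP *********************************************************
10.1.10.17                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.1.10.18                 : ok=3    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0'

# check_recap: read ansible-playbook output on stdin, print one verdict per
# host, and return 0 only if a recap was found and every host passed.
# A host passes when ok and changed are non-zero and failed and unreachable
# are zero (changed=0 is flagged because a fresh-snapshot run should change
# something).
check_recap() {
  awk '
    /^PLAY RECAP/ { in_recap = 1; next }
    in_recap && /ok=[0-9]+/ {
      host = $1
      split("", c)                       # portable way to clear the array
      for (i = 2; i <= NF; i++)
        if (split($i, kv, "=") == 2) c[kv[1]] = kv[2] + 0
      hosts++
      if (c["failed"] > 0 || c["unreachable"] > 0 || c["ok"] == 0 || c["changed"] == 0) {
        printf "FAIL %s ok=%d changed=%d unreachable=%d failed=%d\n", \
          host, c["ok"], c["changed"], c["unreachable"], c["failed"]
        bad++
      } else {
        printf "PASS %s ok=%d changed=%d\n", host, c["ok"], c["changed"]
      }
    }
    END { exit ((hosts == 0 || bad > 0) ? 1 : 0) }
  '
}

# Demonstration on the page's own recap line.
printf '%s\n' "$SAMPLE_OK" | check_recap
```

To use it on a real run, pipe the output in: ansible-playbook -i ${ip_1},${ip_2} playbook.yml | check_recap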

Don’t forget to restore your VM to its initial snapshot after running the examples!