How to Execute an Ansible Role

Add the role to a playbook

At the root of the infrastructure-examples repository there is an Ansible playbook, playbook.yml, with multiple Ansible roles already defined. To deploy your Ansible role, change the name of the included role in playbook.yml.

---
- hosts: all 
  user: ansible
  become: 'yes'
  become_method: sudo
  vars_files:
    - config.yml
  tasks:
    - include_role:
        name: ssh_authorized_keys  # <<< replace with the name of your role

Execute Ansible Playbook

After configuring the playbook to include your role, deploy it to the Test VMs with the ansible-playbook command as follows, where ${ip_1} and ${ip_2} stand for IP1 and IP2, the IPs of the two Test VMs that are running:

ansible-playbook -i ${ip_1},${ip_2} playbook.yml

The command executes the playbook against the ‘inventory list’ of hosts, IP1 and IP2.

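Note: You can run against a single host only, but the host must be followed by a trailing comma. The comma tells Ansible to treat the -i value as a list of hosts rather than the path to an inventory file.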

ansible-playbook -i ${ip_1}, playbook.yml

What Systems should be Tested

When developing submissions for Linux systems, your role should be tested on at least two distributions: CentOS 7 or 8, and Ubuntu 18+. The VMs created using Vagrant on the [Getting Started With Vagrant](TODO LINK) page are Ubuntu 18.04 and CentOS 7.

Tests to Perform

When testing your role, be sure to perform the following tests to guarantee your role works standalone.

  • [ ] The VM can be restarted properly; nothing hinders startup
  • [ ] Any configured service is functional after setup
  • [ ] All required packages are installed at their correct versions
  • [ ] Other services on the system are unaffected by your role
  • [ ] All setup and temporary files that are not required for operation are removed from the system
  • [ ] The exploit steps within the challenge’s c2games.yml file work as intended, without extra implicit steps

Examples

Several examples are included in the roles/ directory of the infrastructure-examples repository. The repository can be downloaded using the download button in GitLab, next to the "Clone" button.

Included Examples:

  • The ssh_authorized_keys role will install an SSH public key onto the system, and allow root to SSH with password authentication (no SSH key required).
  • The manatee_bank_web_app role will install git/apache on a system and clone down a vulnerable web application.

These examples can be executed by first ensuring they are included in the playbook.yml playbook:

  tasks:
    - include_role:
        name: ssh_authorized_keys
    - include_role:
        name: manatee_bank_web_app

Then run the following Ansible command, with the IP(s) of your test machines substituted:

# single host - note the trailing comma!
ansible-playbook -i 10.1.10.17, playbook.yml
# multiple hosts
ansible-playbook -i 10.1.10.17,10.1.10.18 playbook.yml

If a playbook run is successful, you should see a footer similar to this at the end of the output. Check that ok=xxx and changed=xxx are non-zero and that failed=xxx is zero.

PLAY RECAP *******************************************************************************************************
10.1.11.28                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Don’t forget to restore your VM to its initial snapshot after running the examples!
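
One way to automate the PLAY RECAP check described above, as an added example that is not part of the infrastructure-examples repository. check_recap is a hypothetical helper name and the sample recaps are constructed; treating unreachable hosts as a failure and changed=0 as a warning only are assumptions that go beyond the rule stated above.

```bash
#!/usr/bin/env bash
# check_recap: hypothetical helper (not part of Ansible or the repository).
# Reads ansible-playbook output on stdin and judges each host in PLAY RECAP.
# Exit status: 0 = every host passed, 1 = a host failed, 2 = no recap found.
check_recap() {
  awk '
    /^PLAY RECAP/       { in_recap = 1; next }
    in_recap && NF == 0 { in_recap = 0 }          # blank line ends the recap
    in_recap && /:/ {
      split("", c)                                # reset per-host counters
      for (i = 2; i <= NF; i++)                   # collect key=value fields
        if (split($i, kv, "=") == 2) c[kv[1]] = kv[2] + 0
      hosts++
      verdict = "PASS"
      # Page rule: ok non-zero, failed zero. Assumption: unreachable fails too.
      if (c["failed"] > 0 || c["unreachable"] > 0 || c["ok"] == 0) {
        verdict = "FAIL"; bad++
      } else if (c["changed"] == 0) {
        verdict = "WARN"                          # nothing changed: did the role run?
      }
      printf "%-16s %-4s ok=%d changed=%d unreachable=%d failed=%d\n",
             $1, verdict, c["ok"], c["changed"], c["unreachable"], c["failed"]
    }
    END {
      if (hosts == 0) { print "no PLAY RECAP found"; exit 2 }
      exit (bad > 0)
    }'
}

# Constructed sample output (not captured from a real run).
SAMPLE_OK='PLAY RECAP *********************
10.1.10.17                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.1.10.18                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0'
SAMPLE_BAD='PLAY RECAP *********************
10.1.10.17                 : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.1.10.18                 : ok=3    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0'

printf '%s\n' "$SAMPLE_OK"  | check_recap && echo "recap clean"
printf '%s\n' "$SAMPLE_BAD" | check_recap || echo "recap rejected (status $?)"
# Real use: ansible-playbook -i 10.1.10.17, playbook.yml | tee run.log | check_recap
```

The non-zero exit status lets a test script stop before the manual checklist when any host in the recap did not converge.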