In previous articles I dabbled with IBM’s Ansible modules for IBM i. Whilst I will definitely be using those in the future I thought I’d take a look at the Ansible modules for AIX too.
There are fewer AIX modules than IBM i at present and many of these are NIM related. Whilst most AIX customers use NIM my feeling is that there are, probably, a small number of people who really understand NIM. I like NIM a lot, but it can be a bit of a challenge to use. Because of this I decided to play safe and try out the users and groups modules.
My set up
I’m running a RHEL LPAR on a Power system using RHEL 8.1 ppc64le. You may be a little surprised by this but I’m finding, in the last 18 months or so, that more Power customers are installing and using Linux on Power. The RHEL LPAR I’m using is the managing node and has the following packages installed to enable the use of Ansible:
The above are ppc64le architecture as we are running on Power.
In order to utilise the AIX specific Ansible modules to supplement the core Ansible modules we have also installed the following collection from Ansible Galaxy:
This provides the IBM developed modules for AIX. We have used the following modules from the ibm.power_aix collection:
These IBM provided modules supplement the core Ansible modules by allowing us to create/delete/manage AIX users and groups.
There are many more AIX specific modules but these are mainly for NIM, Suma and installp usage.
From the core Ansible modules we have used the following:
The above provide the ability to manage files and directories, copy files to the remote system and execute shell commands remotely.
Before running the playbook I have completed the following:
- Created the LPARs DEV01, DEV02 and DEV03
- Installed AIX on to the LPARs with OpenSSH
- Set a root password
- Copied the ssh public key file from my RHEL LPAR to root’s .ssh folder
- Added the IP address and hostnames in to DNS
- As I’d deployed the LPARs using NIM the hostname and IP information was already configured on my LPAR
- I’d also installed yum and sudo using NIM
The Ansible components
The following two snippets show the ansible.cfg file and the inventory.yml files in my project.
The playbook is quite simple because I have used the Ansible roles feature to isolate the tasks I need in to separate code segments. These are shown below.
To run the playbook, execute:
$ ansible-playbook dev_lpar_setup.yml
The playbook will log in to each LPAR as root using ssh and use the private key file specified in the inventory.yml file to connect without requesting a password.
The 4 roles are executed to create groups, users, directory structures with permissions and copy a number of files to the LPARs.
The ansible roles
In my roles directory I have the following directories:
Each of the above has the standard sub directories and was created using the ansible-galaxy command:
$ ansible-galaxy role init ~/ansible/aix/roles/aix_users
$ ansible-galaxy role init ~/ansible/aix/roles/aix_groups
$ ansible-galaxy role init ~/ansible/aix/roles/aix_directories
$ ansible-galaxy role init ~/ansible/aix/roles/files
The results of the playbook execution
Once the playbook has been run against the three new LPARs I was able to log in using my account, robinsg. I was forced to change my password as I’d used chpasswd in the aix_users role.
The directories I’d specified were created with the correct owners and permissions.
My customised sudoers files had been copied to each LPAR along with the customised /etc/profile file.
The iocp0 device was created and available.
I know this is simple and could easily have been done using NIM, in fact I used a combination of NIM and Ansible.
The AIX modules are still new and are being improved and enhanced all the time so I expect we’ll have access to more modules over the coming months. I’m particularly keen to try the HMC and VIOS modules.
My thoughts on using the AIX modules
I have demonstrated usage of two simple AIX modules but I’ve also played around with the lvg and lvol modules for VG and LV management. These were simple enough to use after some fiddling around.
I also had a play with the SUMA modules which are very simple to use as long as you have SUMA and ESA configured on your LPAR already.
I struggled most with the ibm.power_aix.user module when trying to provide a default password as this needs to be an encrypted password. I found plenty of Google examples showing how to encrypt a password using the password_hash command on Linux but when I used this encrypted password in my Ansible playbook and subsequently tried to log in with my newly created account it failed.
I then discovered that the format of the encrypted password is slightly different between Linux and AIX.
As you can see from the aix_user role above I got bored and piped a clear text password in to the chpasswd command. If you know Ansible at all you’ll be saying that I should have used Ansible vault to encrypt the password in the role. I know, and I would do this in a production environment.
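One way to do what the paragraph above describes: keep the initial password in an Ansible Vault file and feed it to chpasswd on standard input. This is an added example, not the role from the original post; the file paths, the `aix_users` and `vault_initial_password` variable names and the second account are assumptions.

```yaml
---
# group_vars/all/vault.yml  (hypothetical path; contents shown before encryption)
# Encrypt once with:  ansible-vault encrypt group_vars/all/vault.yml
# Run with:           ansible-playbook dev_lpar_setup.yml --ask-vault-pass
vault_initial_password: "CHANGE-ME-placeholder"   # constructed sample value
---
# roles/aix_users/defaults/main.yml  (hypothetical variable layout)
aix_users:
  - name: robinsg
  - name: exampleuser        # constructed sample account
---
# roles/aix_users/tasks/main.yml
- name: Set initial password from the vaulted variable
  ansible.builtin.command:
    cmd: chpasswd
    # "user:password" is sent to chpasswd on stdin, so it never appears
    # on the remote command line or in a process listing.
    stdin: "{{ item.name }}:{{ vault_initial_password }}"
  loop: "{{ aix_users }}"
  no_log: true          # keeps the rendered stdin out of Ansible output and logs
  changed_when: true    # chpasswd always rewrites the password entry
```

AIX chpasswd sets the ADMCHG flag by default, so each account is still forced to change this shared initial password at first login, which matches the behaviour described in the results above.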
If anyone knows how to generate a password in SHA256/SHA512 encrypted format on AIX please let me know.
IBM Power AIX collection
By Glenn Robinson on October 30, 2020.
Okay nice post….. I tried changing the password on aix lpar back in 2019 and wrote a post as well https://aspsqltutorials.blogspot.com/2019/10/lock-unlock-users-on-aix-using-ansible-playbook.html?m=1
I have the same setup as yours like I installed ansible on Linux system but the only difference is I didn’t use ibm modules for aix but I am able to create, delete, lock and unlock user…. While trying to change the password of existing user I failed because of that encryption thing….. I have aix 7.1 running on lpars and I did investigate that aix uses crypt() algorithm to encrypt the passwords and I tried multiple ways a). To encrypt password using crypt() but failed. b). I did change the algo from crypt() to sha256 and sha512 on my aix lpar and then encrypt(used the Linux way to encrypt in sha256 and sha512) the password using the above algos one by one and even that goes in vain. These were my findings in 2019 and then I stopped working on it. Now if you have succeeded in it then please share the solution.