Informing the IBM Community

Ansible AIX Introduction

0
(0)
ansible

In previous articles I dabbled with IBM’s Ansible modules for IBM i. Whilst I will definitely be using those in the future I thought I’d take a look at the Ansible modules for AIX too.

There are fewer AIX modules than IBM i at present and many of these are NIM related. Whilst most AIX customers use NIM my feeling is that there are, probably, a small number of people who really understand NIM. I like NIM a lot, but it can be a bit of a challenge to use. Because of this I decided to play safe and try out the users and groups modules.

My Set-Up

I’m running a RHEL LPAR on a Power system using RHEL 8.1 ppc64le. You may be a little surprised by this but I’m finding, in the last 18 months or so, that more Power customers are installing and using Linux on Power. The RHEL LPAR I’m using is the managing node and has the following packages installed to enable the use of Ansible:

  • ansible-2.9.14–1
  • python3–3.6.8–17

The above are ppc64le architecture as we are running on Power.

In order to utilise the AIX specific Ansible modules to supplement the core Ansible modules we have also installed the following collection from Ansible Galaxy:

This provides the IBM developed modules for AIX. We have used the following modules from the ibm.power_aix collection:

These IBM provided modules supplement the core Ansible modules by allowing us to create/delete/manage AIX users and groups.

There are many more AIX specific modules but these are mainly for NIM, Suma and installp usage.

From the core Ansible modules we have used the following:

The above provide the ability to manage files and directories, copy files to the remote system and execute shell commands remotely.

Before running the playbook I have completed the following:

  • Created the LPARs DEV01, DEV02 and DEV03
  • Installed AIX on to the LPARs with OpenSSH
  • Set a root password
  • Copied the ssh public key file from my RHEL LPAR to root’s .ssh folder
  • Added the IP address and hostnames in to DNS
  • As I’d deployed the LPARs using NIM the hostname and IP information was already configured on my LPAR
  • I’d also installed yum and sudo using NIM

Ansible Components

The following two snippets show the ansible.cfg file and the inventory.yml files in my project.

Playbook

The playbook is quite simple because I have used the Ansible roles feature to isolate the tasks I need in to separate code segments. These are shown below.

To run the playbook, execute:

Bash
ansible-playbook dev_lpar_setup.yml

The playbook will log in to each LPAR as root using ssh and use the private key file specified in the inventory.yml file to connect without requesting a password.

The 4 roles are executed to create groups, users, directory structures with permissions and copy a number of files to the LPARs.

Ansible Roles

In my roles directory I have the following directories:

  • aix_users
  • aix_groups
  • aix_dierctories
  • files

Each of the above have the standard sub directories are were created using the ansible-galaxy command:

Bash
ansible-galaxy role init ~/ansible/aix/roles/aix_users

ansible-galaxy role init ~/ansible/aix/roles/aix_groups

ansible-galaxy role init ~/ansible/aix/roles/aix_directories

ansible-galaxy role init ~/ansible/aix/roles/files

ROLE-aix_groups

ROLE-aix_users

ROLE-aix_directories

ROLE-files

Results of the playbook execution

Once the playbook has been run against the three new LPARs I was able to log in using my account, robinsg. I was forced to change my password as I’d used chpasswd in the aix_users role.

The directories I’d specified were created with the correct owners and permissions.

My customised sudoers files had been copied to each LPAR along with the customised /etc/profile file.

The iocp0 device was created and available.

I know this is simple and could easily have been done using NIM, in fact I used a combination of NIM and Ansible.

The AIX modules are still new and are being improved and enhanced all the time so I expect we’ll have access to more modules over the coming months. I’m particularly keen to try the HMC and VIOS modules.

My thoughts on using the AIX modules

I have demonstrated usage of two simple AIX modules but I’ve also played around with the lvg and lvol modules for VG and LV management. These were simple enough to use after some fiddling around.

I also had a play with the SUMA modules which are very simple to use as long as you have SUMA and ESA configured on your LPAR already.

I struggled most with the ibm.power_aix.user module when trying to provide a default password as this needs to be an encrypted password. I found plenty of Google examples showing how to encrypt a password using the password_hash command on Linux but when I used this encrypted password in my Ansible playbook and subsequently tried to log in with my newly created account it failed.

I then discovered that the format of the encrypted password is slightly different between Linux and AIX.

As you can see from the aix_user role above I got bored and piped a clear text password in to the chpasswd command. If you know Ansible at all you’ll be saying that I should have used Ansible vault to encrypt the password in the role. I know, and I would do this in a production environment.

If any one knows how to generate a password in SHA256/SHA512 encrypted format on AIX please let me know.

References

IBM Power AIX collection

IBM Power AIX Documentation

By Glenn Robinson on 30 October 2020.

Canonical link

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.


Comments

3 responses to “Ansible AIX Introduction”

  1. Okay nice post….. I tried changing the password on aix lpar back in 2019 and write a post as well https://aspsqltutorials.blogspot.com/2019/10/lock-unlock-users-on-aix-using-ansible-playbook.html?m=1
    I have the same setup as yours like I installed ansible on Linux system but the only difference is I didn’t use ibm modules for aix but I am able to create, delete, lock and unlock user…. While trying to change the password of existing user I failed because of that encryption thing….. I have aix 7.1 running on lpars and I did investigate that aix uses crypt() algorithm to encrypt the passwords and I tried multiple ways a). To encrypt password using crypt() but failed. b). I did change the algo from cypt() to sha256 and sha512 on my aix lpar and then encrypt(used the Linux way to encrypt in sha256 and sha512) the password using the above algos one by one and even that goes in vain. This was my findings in 2019 and then I stopped working on it. Now if you have succeeded in it then please share the solution.

  2. Rohan Anand avatar
    Rohan Anand

    Thanks for the awesome blog !!!
    Can you help me to know if the aix collectors need to be configured on Ansible control node or on all managed nodes (endpoints) ?

    1. Glenn Robinson avatar
      Glenn Robinson

      The AIX collection only needs to be on the control node.

      All modules will access the AIX nodes via SSH.

Leave a Reply

Your email address will not be published. Required fields are marked *