Ansible Quickie - Turning Off Services On A Group of Machines
source link: https://fuzzyblog.io/blog/ansible/2016/10/05/ansible-quickie-turning-off-services-on-a-group-of-machines.html
Oct 5, 2016
In my continuing investigation of SSH failures on my cluster of AWS boxes, I've noticed that sendmail is running on my boxes and NOT refusing connections. I'm not an ops guy but I can't think that this is good. Here's what I'm seeing:
tail -f /var/log/syslog
Oct 5 08:10:01 ip-172-31-32-56 sm-mta[25939]: u958A1I6025939: from=<[email protected]>, size=888, class=0, nrcpts=1, msgid=<201610050810.u958A1eD025938@ip-172-31-32-56.us-west-2.compute.internal>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Stopping Services with Ansible
I don't have a port open for sendmail in my security group, so this confuses me, but it should be easy enough to add an Ansible role to my playbook to address it. Here are the steps:
cd ~/wherever_your_ansible_root_is
mkdir -p roles/services/tasks
touch roles/services/tasks/main.yml
In main.yml add:
# Each task's module line must be indented under its list item,
# otherwise this is not valid YAML and ansible-playbook refuses to load it.
- name: stop_sendmail
  service: name=sendmail state=stopped
- name: stop_apache2
  service: name=apache2 state=stopped
# Caveat: state=stopped only stops the running daemon. It does not stop the
# service from starting again at the next boot; that needs enabled=no as well.
I added the routines to stop my apache2 instances because I'm not actually using them yet and any part of an attack surface that I can reduce might increase the chance of these boxes staying running longer. Ideally they should be on a private internal network that isn't exposed to the world at all. And that's coming but that's a level of work I can't do this very minute.
In my main playbook simply call this role:
- { role: services, tags: services }
You should note that I'm calling that role as the very last role, since it does no good to stop a service before it's created. According to the Ansible service module docs, the options for state are:
- running
- started
- stopped
- restarted
- reloaded
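Putting the steps above together, here is a complete playbook as an added example (it is not the post's own code): it stops and also disables the two services, skips any service that is not actually installed on a host, and then verifies that nothing still answers on ports 25 and 80 on loopback, which is where the syslog line above shows sendmail accepting mail (relay=localhost [127.0.0.1]). The group name `all`, the port list, and the use of Ansible 2.5+ features (`loop`, `service_facts`) are assumptions.

```yaml
# Added example, not from the original post. Assumes Ansible 2.5 or newer
# and an inventory group 'all' containing the AWS boxes.
- name: Stop and disable unneeded network services, then verify
  hosts: all              # assumption: adjust to the group holding the boxes
  become: yes
  vars:
    unwanted_services:
      - sendmail
      - apache2
    # Ports those two services listen on; checked after the stop.
    unwanted_ports:
      - 25
      - 80
  tasks:
    - name: Collect which services exist on this host
      service_facts:

    - name: Stop and disable each unwanted service that is installed
      service:
        name: "{{ item }}"
        state: stopped
        enabled: no         # state=stopped alone returns at the next boot
      loop: "{{ unwanted_services }}"
      # service_facts keys look like 'apache2.service' on systemd hosts and
      # 'apache2' on sysvinit hosts, so accept either spelling.
      when: (item ~ '.service') in ansible_facts.services or item in ansible_facts.services

    - name: Verify nothing still answers on the ports those services used
      wait_for:
        host: 127.0.0.1
        port: "{{ item }}"
        state: stopped      # passes only once a connection is refused
        timeout: 10
      loop: "{{ unwanted_ports }}"
```

Run it with `ansible-playbook -i <inventory> disable-services.yml` (file name assumed). The `wait_for` task is the real proof: a service can be absent from `ps` output and still leave a socket open under another name, and a listener that is bound only to 127.0.0.1 is still reachable by anything running on the box, which is why the check is done against loopback rather than against the security group.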
Proof
Here's an example of a ps test before and after running the role. In both listings the last line is grep matching its own command line, not a sendmail process, so the "After" output shows no sendmail at all. To confirm that nothing is still listening, check sockets directly (ss -ltnp or netstat -tlnp) rather than relying on ps alone:
Before:
ps auwwx | grep sendmail
root 1447 0.0 0.0 100704 2628 ? Ss 08:26 0:00 sendmail: MTA: accepting connections
ubuntu 2958 0.0 0.0 10460 940 pts/0 S+ 08:31 0:00 grep --color=auto sendmail
After:
ps auwwx | grep sendmail
ubuntu 8485 0.0 0.0 10460 940 pts/0 S+ 08:37 0:00 grep --color=auto sendmail