Improving Provisioning in VMware with Ansible


Who Am I?
>>> print(json.dumps(mpg['matts'], sort_keys=True, indent=2))
{
  "bio": "Master of none.",
  "handle": [
    "2mshepherd",
    "matts-mpg"
  ],
  "name": "Matt Shepherd",
  "specialty": [
    "Automation",
    "Cloud",
    "Engineering",
    "Incident Response",
    "Scotch",
    "System Administration"
  ]
}
Bona Fides

•  Lead Engineer for the Department of Justice (DOJ) Security Operations Center (JSOC) for the last 2.5 years.
•  JSOC is the Tier-2 SOC for DOJ, reporting up to US-CERT.
•  Oversight for ~40 agencies and >150K endpoints.
•  ~4B log events aggregated every day (and growing).
•  ~10,000 events in triage every week.
•  Common target for DDoS & APT actors.
•  Some of our accomplishments in 2.5 years:
•  Built a small VMware farm to replace 100% physical deployments;
•  Implemented SSLV;
•  Replaced all of the various sensors (NIDS, email, web, etc.);
•  Implemented an endpoint threat hunting tool;
•  Deployed a knowledge base using Confluence;
•  Deployed and did a lot of development around JIRA to build a SIEM interface for Splunk and a new case management system;
•  Ansible Tower for systems management; and
•  GitHub Enterprise for our Ansible playbooks.
Virtualization vs Private Cloud

•  What's so great about AWS anyway?
•  Provisioning: Provision resources the same way you configure them.
•  Elastic Compute: Use a single AMI to deploy systems of any scale (t2.micro to m4.large to x1.16xlarge and so on).
•  Elastic Storage: Provision with a disk of a certain size, then simply grow the volume when you need to.
•  What is not great about AWS?
•  Goldilocks Syndrome: Almost never being able to find an instance size that fits "just right."
•  Internal Mandate: You're required to use internal resources, either because you are searching for the grail of hybrid cloud or because of compliance/security reasons.
•  External Dependency: When us-west-1 is down you are reliant on someone else to recover it.
What do we want? Private cloud!
When do we want it? Now!
Ansible & VMware

•  There has been substantial development around VMware modules for Ansible in the last 12 months.
•  Migrated some modules from the pysphere library to pyVmomi.
•  Unsupported -> supported
•  Community -> vendor developed
•  Added important features to the core vCenter module.
•  Access to many core vCenter and ESXi/vSphere functions is available:
•  Create VMs through the vCenter or vSphere API;
•  Create and manage Distributed Switches;
•  Perform vMotion operations;
•  Add, remove, or put vSphere hosts into maintenance mode;
•  Create a VSAN cluster;
•  Manage VMkernel interfaces; and
•  Move files to datastores.
AWS and OpenStack can't hog all the glory any more.
3 ….

•  Assumptions:
•  IP address assignments are static;
•  Minimize the number of templates in your VM inventory in order to:
•  Simplify maintenance; and
•  Reduce confusion about which template to use.
•  Keep VM templates as small as possible in order to reduce the space consumed, so they are more portable.
•  Systems are required to have discrete file systems for the mount points defined in $security_hardening_baseline:
•  /
•  /opt
•  /home
•  /var
•  /var/log
•  /var/log/audit
•  /tmp
2 …..

Provisioning flow:
Include credentials -> Create VM from template -> Change template IP to permanent IP -> Reboot & wait -> Apply common role (this must precede the fdisk step below: the role installs pexpect, which the expect module needs on the target)

Elastic storage flow:
Create partition on new disk with fdisk -> Scan for new partition -> LVM: make new physical volume -> LVM: extend volume group onto the new physical volume -> LVM: extend each logical volume -> Grow the FS into the new space

The only thing to know about my common role is that it installs Python's pexpect (required for use of the Ansible expect module).
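The provisioning half of that flow as an Ansible play. This is an added example written for this page, not the provisioning.yml from the repository: it sets the permanent IP through vmware_guest's guest customization (rather than editing the network configuration from the console with vmware_vm_shell), waits for SSH on the new address while the customization reboots the guest, and then applies the common role. The vCenter host, datacenter, cluster, folder, template name, addresses, DNS server, vault file and the role name "common" are all assumptions.

```yaml
# Added example, not the repository's provisioning.yml. Every name, address
# and file below is an assumption for illustration.
- name: Provision a VM from a template with its permanent IP
  hosts: localhost
  connection: local
  gather_facts: no
  vars_files:
    - vars/vcenter_credentials.yml     # assumed ansible-vault file: vcenter_user, vcenter_pass
  vars:
    vcenter_hostname: vcenter.example.com
    vm_name: sensor01
    vm_template: rhel7-template
    vm_ip: 10.0.20.15
    vm_netmask: 255.255.255.0
    vm_gateway: 10.0.20.1
  tasks:
    - name: Clone the VM from the template and customize it with the permanent IP
      vmware_guest:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_pass }}"
        validate_certs: yes              # keep TLS verification on outside a lab
        datacenter: DC1
        cluster: Cluster1
        folder: /DC1/vm/jsoc
        name: "{{ vm_name }}"
        template: "{{ vm_template }}"
        state: poweredon
        networks:
          - name: VM Network
            type: static
            ip: "{{ vm_ip }}"
            netmask: "{{ vm_netmask }}"
            gateway: "{{ vm_gateway }}"
        customization:
          hostname: "{{ vm_name }}"
          dns_servers: [10.0.0.53]
        wait_for_ip_address: yes         # block until VMware Tools reports an address
      register: clone

    # Guest customization reboots the VM; waiting on port 22 of the permanent
    # address covers both the reboot and the IP change in one step.
    - name: Wait for SSH on the permanent IP
      wait_for:
        host: "{{ vm_ip }}"
        port: 22
        delay: 15
        timeout: 600
        state: started

    - name: Add the new VM to the in-memory inventory for the next play
      add_host:
        name: "{{ vm_name }}"
        ansible_host: "{{ vm_ip }}"
        groups: new_vms

# The common role installs pexpect, so it runs before any expect-based task.
- name: Apply the common role to the new VM
  hosts: new_vms
  become: yes
  roles:
    - common
```

Run it with the vault password (`ansible-playbook provision.yml --ask-vault-pass`); the second play runs over SSH against the address registered by add_host, so the host needs no inventory entry in advance.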
1 …..

•  Modules required to automate provisioning:
•  vmware_guest: This module is your Valyrian steel sword.
•  Major updates over the last several months.
•  Do not confuse this with the outdated vsphere_guest!
•  vmware_vm_shell: Sometimes you need to just get on the console of a VM ... and you can!
•  wait_for: Just wait for the VM to be accessible.
Do not add yet another tool to do something you already have the capability of doing. Reduce cost and complexity in your tooling.
•  Modules required to achieve elastic storage goodness:
•  expect: You will (unfortunately) need to do some interactive work.
•  command: Yes, this will be some rather specific, low-level stuff.
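The elastic storage half of the flow, using the expect and command modules named above. This is an added example for this page, not the repository's disk_resize.yml. It assumes the new virtual disk shows up as /dev/sdb, that the volume group is named vg_sys with logical volumes that back the /var, /var/log and /var/log/audit mount points from the baseline, and that the fdisk prompts are those of util-linux on RHEL/CentOS 7 (check them on your own template before relying on the regexes). It adds two checks the slide does not show: it refuses to run fdisk on a disk that already carries a signature, and it skips pvcreate/vgextend when the partition is already a physical volume.

```yaml
# Added example, not the repository's disk_resize.yml. Device names, VG/LV
# names and sizes are assumptions for illustration.
- name: Extend LVM volumes onto a new virtual disk
  hosts: new_vms
  become: yes
  vars:
    new_disk: /dev/sdb
    new_part: "{{ new_disk }}1"
    vg_name: vg_sys
    lv_growth:                               # logical volume -> space to add
      - { lv: lv_var, add: 10G }             # /var
      - { lv: lv_var_log, add: 20G }         # /var/log
      - { lv: lv_var_log_audit, add: 10G }   # /var/log/audit
  tasks:
    - name: Rescan the SCSI hosts so a hot-added disk appears without a reboot
      shell: for h in /sys/class/scsi_host/host*; do echo "- - -" > "$h/scan"; done
      changed_when: false

    - name: Check that the new disk is present
      stat:
        path: "{{ new_disk }}"
      register: disk

    - assert:
        that: disk.stat.exists and disk.stat.isblk
        msg: "{{ new_disk }} is not a block device; add the disk in vCenter first"

    # blkid -p exits 2 when it finds no partition table or file system
    # signature, i.e. the disk is blank and safe to partition.
    - name: Probe the disk for an existing signature
      command: blkid -p {{ new_disk }}
      register: probe
      changed_when: false
      failed_when: probe.rc not in [0, 2]

    - name: Create one Linux LVM partition spanning the blank disk (fdisk is interactive)
      expect:
        command: fdisk {{ new_disk }}
        responses:
          'Command \(m for help\):': ['n', 't', 'w']   # new partition, set type, write
          'Select \(default p\):': 'p'                 # primary partition
          'Partition number': '1'
          'First sector': ''                           # accept the default
          'Last sector': ''                            # use the whole disk
          'Hex code': '8e'                             # Linux LVM
        timeout: 30
      when: probe.rc == 2                              # never touch a disk that carries data

    - name: Tell the kernel about the new partition
      command: partprobe {{ new_disk }}
      changed_when: false

    - name: Check that the partition exists before handing it to LVM
      stat:
        path: "{{ new_part }}"
      register: part

    - assert:
        that: part.stat.exists
        msg: "{{ new_part }} missing: {{ new_disk }} carries a foreign signature or fdisk failed"

    - name: LVM - list physical volumes already known to LVM
      command: pvs --noheadings -o pv_name
      register: pvs_out
      changed_when: false

    - name: LVM - make the new partition a physical volume
      command: pvcreate {{ new_part }}
      when: new_part not in pvs_out.stdout

    - name: LVM - extend the volume group onto the new physical volume
      command: vgextend {{ vg_name }} {{ new_part }}
      when: new_part not in pvs_out.stdout

    # -r makes lvextend call fsadm after the extend, which grows the file
    # system into the new space (resize2fs for ext4, xfs_growfs for XFS).
    - name: LVM - extend each logical volume and grow its file system
      command: lvextend -r -L +{{ item.add }} /dev/{{ vg_name }}/{{ item.lv }}
      loop: "{{ lv_growth }}"
```

The lvextend step adds space on every run, so this play is meant to be run once per added disk; the fdisk, pvcreate and vgextend steps are guarded and can be repeated safely. Disks larger than 2 TB need a GPT label, which fdisk of this vintage does not write, so use parted there.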
Go!

https://github.com/MindPointGroup/ansible-vmware-provisioning
Where To Go Next

•  Use disk_resize.yml as a basis for automating storage changes for machines that are already running.
•  Use provisioning.yml as a basis for automating VM template maintenance:
•  Spin up a new VM from a template;
•  Just run basic update/maintenance such as patching;
•  Prep the system for template conversion (this is 5 tasks);
•  Rename the existing "current" template; and
•  Create a new VM template from our updated VM.
References & Q&A

•  Bare-bones VMware-centric content repo: https://github.com/MindPointGroup/ansible-vmware-provisioning
•  VMware VM provisioning play
•  Disk resizing play for Linux

Questions?
