Lab Back Up

Still need a lab, not just a lab, but VMs with a minimal install.

One skill I have lost was building machines from scratch that don’t have the packages I need.

I am working a bit on a playbook that can change passwords.

---
- name: Securely change root password on multiple machines
  hosts: all
  become: yes
  vars:
    local_rpm_path: "python3-passlib-1.7.4-9.el9.noarch.rpm"
    package_name: "python3-passlib"

  vars_files:
    - vault_root_passwords.yml

  tasks:
    - name: Gather installed package facts
      ansible.builtin.package_facts:
        manager: auto

    - name: Copy RPM to target
      ansible.builtin.copy:
        src: "{{ local_rpm_path }}"
        dest: /tmp/python3-passlib-1.7.4-9.el9.noarch.rpm
        mode: '0644'
      when: package_name not in ansible_facts.packages

    - name: Install package from local RPM file if not installed
      ansible.builtin.dnf:
        name: /tmp/python3-passlib-1.7.4-9.el9.noarch.rpm
        state: present
        # Skips RPM signature verification for this locally copied file
        disable_gpg_check: true
      when: package_name not in ansible_facts.packages

    - name: Set unique root password per host
      ansible.builtin.user:
        name: root
        password: "{{ root_passwords[inventory_hostname] | password_hash('sha512') }}"
      # Keep the password out of task output and logs
      no_log: true

    - name: "Support Password"
      ansible.builtin.user:
        name: support
        state: present
        password: "{{ support_password[inventory_hostname] | password_hash('sha512') }}"
      no_log: true
...

I needed that python3-passlib file, which is what got me on the path of a small minimal install.

Here is a sample of the vault_root_passwords.yml:

root_passwords:
  lxhost01.retrodvr.com: arajmyisyeeng7
  lxhost02.retrodvr.com: giojisthoc9
  lxhost03.retrodvr.com: crersyijlirfuv5
support_password:
  lxhost01.retrodvr.com: 3onagvakni
  lxhost02.retrodvr.com: gejed4shlamegso
  lxhost03.retrodvr.com: un5olwugus

I really used those passwords because it is easy to recreate a new one.

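#!/bin/bash
# Print the vault YAML: one generated password per inventory host,
# first for root and then for the support account.
HOSTNAMELIST=$(ansible-vault view inventory | grep -v '^\[' | awk '{print $1}')
echo "root_passwords:"
for HOSTNAME in $HOSTNAMELIST
do
  # apg: one password, 10 to 15 characters, numerals required
  PASSWORD=$(apg -n1 -m10 -x15 -MN)
  echo "  $HOSTNAME: $PASSWORD"
done

echo "support_password:"
for HOSTNAME in $HOSTNAMELIST
do
  PASSWORD=$(apg -n1 -m10 -x15 -MN)
  echo "  $HOSTNAME: $PASSWORD"
done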

I do encrypt the vault_root_passwords.yml and sometimes the inventory file.

Remove old file
  rm vault_root_passwords.yml

Create empty file
  touch vault_root_passwords.yml

Limit perms
  chmod 0600 vault_root_passwords.yml

Create Passwords file
  ./makepwfile.sh > vault_root_passwords.yml
  ansible-vault encrypt vault_root_passwords.yml
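
A pre-flight check for the file those steps produce, added here as an example and not part of the original post: it confirms the file is vault-encrypted, is mode 0600, and has a non-empty password for every host (an empty value is what you get if apg is missing on a minimal install). The function names and the one-hostname-per-line hosts.txt file are assumptions of this example.

```shell
#!/bin/bash
# Added example: pre-flight checks for vault_root_passwords.yml.
# Function names and hosts.txt are hypothetical, not from the original post.
#
# Usage, after the encrypt step:
#   vault_is_encrypted vault_root_passwords.yml && perms_ok vault_root_passwords.yml
#   ansible-vault view vault_root_passwords.yml | missing_hosts root_passwords hosts.txt

# True when the first line is the Ansible Vault header, i.e. the file is encrypted.
vault_is_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# True when the file is a regular file whose mode is exactly 0600.
perms_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600)" ]
}

# Reads the decrypted two-level YAML on stdin and prints, sorted, every host
# listed in the hosts file ($2) that has no non-empty value in section $1.
missing_hosts() {
    # An empty host list would make awk treat stdin as the host list.
    [ -s "$2" ] || { echo "missing_hosts: empty host list: $2" >&2; return 2; }
    awk -v section="$1" '
        NR == FNR { if ($1 != "") hosts[$1] = 1; next }      # first input: host list
        /^[^ \t#]/ { current = $1; sub(/:$/, "", current); next }  # top-level key
        current == section && NF >= 2 {                      # "  host: password"
            key = $1; sub(/:$/, "", key); seen[key] = 1
        }
        END { for (h in hosts) if (!(h in seen)) print h }
    ' "$2" - | sort
}
```

Any hostname that missing_hosts prints would make the playbook's root_passwords[inventory_hostname] lookup fail or use an empty value, so regenerate the file before running it.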

Weight: 328.4
