Last week, I wrote about connecting the Virtual I/O Server to Ansible. Or another way. Anyway, it was hard manual work: find the version of VIOS, find a suitable Python, install it, create the user with the correct attributes, set the password, and distribute the SSH keys. Boah. What a lot of work! Especially if you have many Virtual I/O Servers. Can I automate this work with Ansible even if the Virtual I/O Server is not yet ready to be managed by Ansible?
Good news - yes, you can! Bad news - there are some limitations.
Ansible module for systems without Python
You probably know the modules like command and shell that help to execute commands on remote hosts. There is one more module with a similar purpose - ansible.builtin.raw. Ansible documentation says it “executes a low-down and dirty SSH command, not going through the module subsystem.” The use case with a missing Python interpreter is described in the documentation, too.
You can try it directly with your VIOS:
As you see, it works even with the padmin user and its restricted shell. It means we could use the module to prepare our VIOS for Ansible.
But stop! Why “could”? Why not “can”?
Why not?
The problem is that we must start several commands in oem_setup_env mode. The command “oem_setup_env” switches to this mode but doesn’t understand any parameters. If you try something like:
$ ansible -i vios, -m raw -a "oem_setup_env" all
The command will not come back. You can even try with a simple playbook like:
---
- name: Try raw with VIOS
  gather_facts: false
  hosts: vios
  tasks:
    - name: Execute some commands on VIOS
      ansible.builtin.raw: |
        oem_setup_env
        who am i
        exit
The result is, unfortunately, the same. It does not work.
We must have another way!
Expect expectable!
There is a tool in AIX that can help us. The tool is expect. On AIX, it is a standard part of the AIX distribution and is included in the fileset expect.base. If you have Ansible on Linux, you should have expect too. Simply start expect and see if you get an error or not. If you get an error, install the package expect. It is called so in all Linux distributions I can remember.
expect is a Tcl-based domain-specific language. If you have never worked with it, no problem. It is easy to use, and I’ll show you the code anyway. As the name implies, expect waits for some expected input and performs some actions. Like:
expect "password:"
send "mypassword\r"
In our case, it is a little bit more complicated.
First, we check the arguments for our script and set them to variables:
#!/usr/bin/expect -f
if { $argc != 3 } {
    send_error "Usage : $argv0 ssh-connection ssh-password user-password\n"
    exit 1
}
set timeout 60
set sshconn [lindex $argv 0]
set sshpw [lindex $argv 1]
set newpw [lindex $argv 2]
Next, we start our SSH connection to the server:
spawn ssh $sshconn
After the SSH connection is established, we have two options. Either password authentication is used, and we must send the password, or SSH-key authentication is used, and we don’t have a password. In any case, we should end up with the $ prompt as the last line.
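while 1 {
    expect {
        "password: " {
            send "$sshpw\r"
        }
        "$ " break
        timeout {
            # without this branch the loop would spin forever after a timeout
            send_error "Timed out waiting for the VIOS prompt\n"
            exit 1
        }
        eof {
            send_error "SSH connection closed before the prompt appeared\n"
            exit 1
        }
    }
}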
Starting here, we can execute standard VIOS commands like oem_setup_env or any other.
send "oem_setup_env\r"
expect "# "
send "mkuser roles=PAdmin,CacheAdm,FSAdmin,pkgadm,SysBoot,isso default_roles=PAdmin,CacheAdm,FSAdmin,pkgadm,SysBoot,isso ansible\r"
expect "# "
send "echo 'ansible:$newpw' | chpasswd -c\r"
expect "# "
You may wish to add some commands, like setting a password for the user root, if you need it. After you have executed all the commands you need, you should close the session:
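# the prompt of the last command was already consumed above; leave oem_setup_env
send "exit\r"
expect "$ "
# leave the padmin shell and wait until ssh has closed the connection
send "exit\r"
expect eof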
You can test the script by making it executable and starting it.
$ chmod +x vios_ansible.exp
$ ./vios_ansible.exp padmin@vios mypadminpw myansiblepw
Where is Ansible?
Do we need Ansible at all if we did everything already with expect?
Not really. Of course, you can use the expect script directly without any Ansible playbooks. But if you want to integrate the script into your broader automation ecosystem, making a small playbook around it makes sense.
In this small playbook, I use only the module we discussed: ansible.builtin.raw.
I first re-hash the target VIOS's fingerprint. This is for the case where the fingerprint is unknown or has changed since I last logged in to the server.
- name: Rehash ssh host key
  ansible.builtin.raw: |
    ssh-keygen -R {{ inventory_hostname }}
    ssh-keyscan -H {{ inventory_hostname }} >>$HOME/.ssh/known_hosts
  delegate_to: localhost
  throttle: 1
  changed_when: true
This is the task you can’t parallelize. If many ssh-keyscan commands try to write to the same file, you lose the contents of the file. This is the reason why I added “throttle: 1” here to achieve serial execution even if I have many VIOSs in the inventory.
Now we can execute our expect script.
- name: Create remote user
  ansible.builtin.raw: "./vios_ansible.exp padmin@{{ inventory_hostname }} {{ ansible_password }} {{ new_password }}"
  delegate_to: localhost
  changed_when: true
As the last step, I copy my SSH key to the target user. I use the sshpass command to supply the user’s password.
- name: Copy ssh public key
  ansible.builtin.raw: "SSHPASS={{ new_password }} sshpass -e ssh-copy-id ansible@{{ inventory_hostname }}"
  delegate_to: localhost
  changed_when: true
If you don’t have the command, install it from AIX Toolbox for Opensource applications or your Linux vendor’s repositories.
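A more careful variant of the last two tasks, added here as an example (it is not the author's playbook). It assumes the same vios_ansible.exp script, relative path and variables as above. Because both tasks run on localhost, where Python is available, it uses ansible.builtin.command instead of ansible.builtin.raw, so the passwords are never parsed by a shell, and sets no_log so they do not show up in Ansible's output.

```yaml
# Added example: the same two steps, with the secrets handled more carefully.
- name: Create remote user
  ansible.builtin.command:
    # argv hands each value to the script as exactly one argument, with no
    # shell in between: a password containing spaces, quotes or $ arrives
    # unchanged instead of being split or expanded.
    argv:
      - ./vios_ansible.exp
      - "padmin@{{ inventory_hostname }}"
      - "{{ ansible_password }}"
      - "{{ new_password }}"
  delegate_to: localhost
  no_log: true          # keep both passwords out of task output and logs
  changed_when: true

- name: Copy ssh public key
  ansible.builtin.command:
    argv:
      - sshpass
      - -e              # sshpass reads the password from SSHPASS
      - ssh-copy-id
      - "ansible@{{ inventory_hostname }}"
  environment:
    # Set in the process environment, so the password is not part of a
    # "sh -c ..." command line as it is with the raw one-liner.
    SSHPASS: "{{ new_password }}"
  delegate_to: localhost
  no_log: true
  changed_when: true
```

The expect script itself still receives both passwords as arguments, so they stay visible in the control node's process list while it runs, and a single quote in the new password would still end the quoted string in its echo ... | chpasswd line.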
Ready for new challenges!
As Shawn Bodily says, we “ansiblified” our VIOS. Now, we can manage it using Ansible. You have one week until the next newsletter to ansiblify all your Virtual I/O Servers! Next week we continue with VIOS and Ansible.
Have fun connecting VIOS to Ansible!
Andrey
Hi, I am Andrey Klyachkin, IBM Champion and IBM AIX Community Advocate. This means I don’t work for IBM. Over the last twenty years, I have worked with many different IBM Power customers all over the world, both on-premise and in the cloud. I specialize in automating IBM Power infrastructures, making them even more robust and agile. I co-authored several IBM Redbooks and IBM Power certifications. I am an active Red Hat Certified Engineer and Instructor.
You can meet me at events like IBM TechXchange, the Common Europe Congress, and GSE Germany’s IBM Power Working Group sessions.
Again nice reading stuff