VMware Cloud Community
hawks76
Enthusiast

vRA 8.x and Ansible Integration

Does anybody have this working in their environment? I'm struggling to get it to work.

ronaldod
Enthusiast

I had it running in the lab and it was pretty straightforward. Just stupid issues with FQDNs and IP addresses for registering the VMs in Ansible.

hawks76
Enthusiast

Were you connecting to Windows or Linux? I'm trying to manage Windows machines and I keep getting a Kerberos error:
Server not found in Kerberos database', -1765328377

Everything points to DNS, but I can ping the box and run the playbooks manually from the ACM.

ronaldod
Enthusiast

If I remember correctly, the inventory in Ansible was filled with an IP address and not with the FQDN.

hawks76
Enthusiast

My inventory shows the hostname. I've tried the FQDN as well, but get the same result.

eswoodford
Contributor

Kerberos issues, sigh. 90% of our Kerberos issues were firewall-related. An Ansible script configured to domain join would inevitably die here. If I remember correctly, there are a bunch of WinRM ports required.

We had the hostname issue also after a change with vRA's Ansible implementation. The machine wouldn't be registered in DNS for several minutes, so the playbook couldn't resolve the target machine. To fix it, we changed the 'hostname' value passed to Ansible to use the IP address assigned to the first network adapter, using something like:

  Cloud_Ansible_1:
    type: Cloud.Ansible
    properties:
      host: ${resource.Cloud_Instance_1.*}
      hostName: ${resource.Cloud_Instance_1.networks[0].address}

hawks76
Enthusiast

I'll give this a try, but I don't believe this will resolve our issue the way we do provisioning. We allow vRA to join the domain and then run Ansible on the back end. I believe Kerberos requires the hostname when joined to AD. I'll post results after my test.

eswoodford
Contributor

Yeah, even after the domain join I believe they continued to use the IP address, as the hostname took too long to resolve.

hawks76
Enthusiast

So, I tried the IP address, and still no dice. Still getting the Kerberos error. Waiting to hear back from support (SDK). Maybe they can provide some insight.

ronaldod
Enthusiast

Also check your certificate enrollment.

hawks76
Enthusiast

For certificate authentication?

hawks76
Enthusiast

Figured it out. Active Directory needs the accounts that are used for the Ansible integration and used to run the playbooks to be the same. Has something to do with impersonation/delegation with AD accounts. The AD guy was willing to take a look and helped point me in the right direction. So, the integration account and the account used to connect to Windows need to be the same, at least in my environment.

hawks76
Enthusiast

Some additional info. The initial answer turned out not to be the actual fix. That, for whatever reason, was an anomaly. What actually resolved the issue was found in the documentation for the 8.9 Ansible setup. Can't definitively state it wasn't there before, but I don't ever remember seeing it when reading it the first 10 times... 🙂

Basically, by default, vRA adds ansible_host: ip_address to the host variables. Kerberos doesn't work with an IP address. So, the fix was adding a host variable for ansible_host like this:

hostVariables: |
  ansible_host: ${resource.WebApp_VM.resourceName}.domain.name

This replaces the IP address with the FQDN for ansible_host and allows Kerberos authentication to work properly.

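The root cause in the accepted fix (WinRM over Kerberos failing because ansible_host is an IP literal, for which the KDC holds no service principal; -1765328377 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "Server not found in Kerberos database") can be caught before a playbook runs. The following is an added example, not code from the thread, vRA or Ansible: it parses a constructed INI-style inventory, flags Kerberos WinRM hosts addressed by IP, and rewrites them to the <resourceName>.<domain> form the fix produces. The domain suffix and host names are assumed sample values; the script does not query DNS or the KDC.

```python
import ipaddress
import shlex

# Constructed sample inventory (Ansible INI style); hosts and addresses are made up.
SAMPLE_INVENTORY = """
[windows]
webapp01 ansible_host=10.20.30.41 ansible_connection=winrm ansible_winrm_transport=kerberos
webapp02 ansible_host=webapp02.corp.example ansible_connection=winrm ansible_winrm_transport=kerberos
linux01 ansible_host=10.20.30.50 ansible_connection=ssh
"""


def parse_ini_inventory(text):
    """Return {host: {var: value}} for the simple 'host key=value ...' INI form."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue  # skip blanks, comments and [group] headers
        parts = shlex.split(line)
        hosts[parts[0]] = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return hosts


def is_ip_literal(value):
    """True for IPv4/IPv6 literals, False for names."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def kerberos_unsafe_hosts(hosts):
    """Hosts using WinRM + Kerberos but connecting by IP. The SPN a client requests
    is HTTP/<target>; an IP literal matches no SPN, so the KDC answers
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and the connection never reaches WinRM."""
    return [
        name for name, v in hosts.items()
        if v.get("ansible_connection") == "winrm"
        and v.get("ansible_winrm_transport") == "kerberos"
        and is_ip_literal(v.get("ansible_host", name))
    ]


def fix_inventory(hosts, domain):
    """Rewrite flagged hosts to '<inventory name>.<domain>', mirroring the
    hostVariables override from the thread (domain is an assumed suffix)."""
    fixed = {n: dict(v) for n, v in hosts.items()}
    for name in kerberos_unsafe_hosts(hosts):
        fixed[name]["ansible_host"] = f"{name}.{domain}"
    return fixed
```

Note that the name written into ansible_host must also be the name registered in DNS and AD for the machine; the check only rules out IP literals, it cannot confirm the SPN exists.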