VMware Cloud and Multi mode Ansible - New Use case
Ansible has become the most popular automation tool in the cloud.
When it comes to a cloud service provider, there are major challenges that prevent utilising Ansible to its full potential.

The challenge is more evident for a managed cloud service provider who hosts hundreds to thousands of customer network silos, as below:
What options does a VMware cloud service provider have?
- Configure physical/virtual firewalls and VPNs to allow Ansible traffic (very high management overhead)
- Use Ansible pull mode (potentially simpler network setup than Option 1)
- Add a backdoor network to each VM (massive security loophole, although it can be mitigated by the VMware distributed firewall)
A fourth route is the vSphere Guest Operations API, which runs commands inside a VM through VMware Tools and vCenter, so no network path into the tenant silo is needed. However, Ansible speaks the language of SSH and WinRM, not Guest Operations. How to leverage Ansible to configure VMs through Guest Operations? There is a simple yet elegant way: build a command proxy in the middle that serves as an SSH server or WinRM server towards Ansible. At the other end, it calls Guest Operations to configure the VM guests and returns the results to Ansible.

During development of the command proxy for WinRM, the way Ansible talks to a Windows server can be learned by observing the TCP streams in Wireshark, then decoding the PowerShell code that Ansible sends; finally a simulated WinRM server can be built that works with Ansible.
The sequence diagram shows how the three components (Ansible, Command Proxy, Windows Server) work together. Note that it is not a complete implementation of the WinRM protocol, but it is sufficient to work with Ansible.
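As an added illustration of the proxy's WinRM-facing half (example code written for this edit, not the article's and not VMware's or Ansible's own), the Python below does the two things the Wireshark work above leads to: it decodes the -EncodedCommand payload that Ansible's WinRM connection plugin sends (base64 of UTF-16LE script text, which is why the capture shows a base64 blob rather than readable PowerShell), and it repackages that script as a Guest Operations StartProgramInGuest request. The powershell.exe path, the output-capture file convention and the pyvmomi calls in run_in_guest are assumptions; the WS-Management SOAP framing around the command line is not shown.

```python
"""Proxy-side translation of an Ansible WinRM command into a Guest Operations
request. Added example, not code from the article, VMware or Ansible.
Everything marked 'assumption' is not taken from the article."""
import base64
import re
import time
from dataclasses import dataclass
from typing import Optional

# powershell.exe accepts -e, -ec, -enc or -EncodedCommand followed by base64.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumption: default location of powershell.exe inside the Windows guest.
POWERSHELL_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_command(script: str) -> str:
    """Encode script text the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the PowerShell script carried by an -EncodedCommand argument,
    or None if the command line has no encoded command (e.g. a plain cmd.exe call)."""
    match = ENCODED_RE.search(cmdline)
    if match is None:
        return None
    raw = base64.b64decode(match.group(1), validate=True)
    return raw.decode("utf-16-le")


@dataclass(frozen=True)
class GuestProgramRequest:
    """What StartProgramInGuest needs: a program path and a single argument string."""
    program_path: str
    arguments: str


def translate_for_guest_ops(cmdline: str, capture_path: Optional[str] = None) -> GuestProgramRequest:
    """Turn the command line Ansible sent over WinRM into a Guest Operations request.

    Guest Operations starts the program directly: no shell, no stdin and no stdout
    channel back to the caller. If capture_path is given, the script is wrapped so
    that all of its output streams land in that file inside the guest; the proxy
    later downloads the file and returns its content to Ansible as the command output."""
    script = decode_encoded_command(cmdline)
    if script is None:
        raise ValueError("not a PowerShell -EncodedCommand invocation; refusing to guess")
    if capture_path is not None:
        # Run the original script in a script block and divert every stream to the file.
        script = f"& {{\n{script}\n}} *>&1 | Out-File -FilePath '{capture_path}' -Encoding utf8"
    # Re-encoding sidesteps Windows command-line quoting of arbitrary script text.
    args = ("-NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand "
            + encode_command(script))
    return GuestProgramRequest(program_path=POWERSHELL_PATH, arguments=args)


def run_in_guest(si, vm, guest_user, guest_password, request: GuestProgramRequest, timeout=300):
    """Submit the request through vSphere Guest Operations with pyvmomi and wait
    for the process exit code. Needs a live vCenter session (si) and a VM object,
    so it is not exercised offline. Assumption: pyvmomi is installed and the
    calls below match the vSphere API (GuestProcessManager)."""
    from pyVmomi import vim  # assumption: pyvmomi available

    pm = si.RetrieveContent().guestOperationsManager.processManager
    auth = vim.vm.guest.NamePasswordAuthentication(username=guest_user, password=guest_password)
    spec = vim.vm.guest.ProcessManager.ProgramSpec(
        programPath=request.program_path, arguments=request.arguments)
    pid = pm.StartProgramInGuest(vm=vm, auth=auth, spec=spec)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        procs = pm.ListProcessesInGuest(vm=vm, auth=auth, pids=[pid])
        if procs and procs[0].endTime is not None:
            return procs[0].exitCode
        time.sleep(1)
    raise TimeoutError(f"guest process {pid} did not finish within {timeout}s")
```

Two practical points follow from the translation. First, Guest Operations gives the proxy neither stdin nor stdout, while Ansible's Windows module wrapper feeds its module payload to the PowerShell process on stdin; a complete proxy therefore stages that payload into the guest as a file (the vSphere GuestFileManager offers InitiateFileTransferToGuest for this) and collects the captured output the same way. Second, the proxy now holds guest credentials for every tenant and sees every script before it runs, so it is the natural place to log the decoded script (or its hash) together with the tenant and VM for audit, and to keep those credentials out of the Ansible inventory.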

And here is what it looks like from Ansible; note that it succeeds in gathering facts and making changes.

Wanting to try running code inside VM guests, but not familiar with web APIs? Don't worry: VMware provides PowerCLI, which can call Guest Operations in a one-liner. It can be easily incorporated into .NET Core and run in containers.

Final Word
It is a complex endeavor to manage multiple tenants as a VMware cloud provider. This article showed a way to manage VMs centrally without getting involved in complex networking. Hope this helps people find a different route to managing servers without compromising security.
Used a reference from one of the Ansible Operators