Commit d629c260 authored by Adam Robinson's avatar Adam Robinson

initial import

parents
VMSA-2019-0011_workaround
=========
This role implements a workaround for
[VMSA-2019-0011](https://www.vmware.com/in/security/advisories/VMSA-2019-0011.html) as described in
[VMware kb 67920](https://kb.vmware.com/s/article/67920).
Requirements
------------
pyvmomi is required. This role assumes your inventory file contains each ESXi host you are managing.
Role Variables
--------------
### Required
- `vcenter_hostname` - The hostname or address of the vCenter server.
- `inventory_hostname` - The hostname or address of the ESXi server.
Dependencies
------------
None
Example Playbook
----------------
Todo
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
---
# defaults file for VMSA-2019-0011-Workaround
vmware_user: "{{ lookup('env','VMWARE_USER') }}"
vmware_password: "{{ lookup('env','VMWARE_PASSWORD') }}"
\ No newline at end of file
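Review bot: `ad_domain` is referenced in the connection vars of the handlers (`ansible_user: '{{ vmware_user }}@{{ ad_domain|upper }}'`) and of both xml tasks, but it is neither defaulted in this file nor listed under the README's Required variables, so a run without it stops with an undefined-variable error at the first task that reaches the host over SSH. Either list it in the README next to `vcenter_hostname` or add it here with a comment; an empty default is not a good substitute because it would silently produce a `user@` login name. It would also help to note above these two lines that an unset `VMWARE_USER`/`VMWARE_PASSWORD` yields an empty string rather than an error, e.g. `# Credentials come from the environment; an unset variable becomes "" and shows up as an authentication failure, not as an undefined variable`.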
---
# handlers file for VMSA-2019-0011-Workaround
- name: Restart hostd
shell: /etc/init.d/hostd restart && sleep 120
vars:
ansible_user: '{{ vmware_user }}@{{ ad_domain|upper }}'
ansible_password: '{{ vmware_password }}'
ansible_connection: paramiko
ansible_python_interpreter: /bin/python
- name: Stop SSH
vmware_host_service_manager:
hostname: '{{ vcenter_hostname }}'
esxi_hostname: '{{ inventory_hostname }}'
username: '{{ vmware_user }}'
password: '{{ vmware_password }}'
service_name: TSM-SSH
state: stop
delegate_to: localhost
when: not host_service_facts['host_service_facts'][inventory_hostname] | selectattr('key', 'equalto', 'TSM-SSH') | map(attribute='running') | list | first | bool
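Review bot: The `when` on `Stop SSH` is a double negative — the handler fires only when the service facts captured before the role changed anything show TSM-SSH was not running — which is the intended "revert only what we enabled" behaviour but is easy to misread as inverted; a comment such as `# Revert only if SSH was stopped before this role started it` above the handler would prevent a future "fix" that stops SSH unconditionally. `Restart hostd` waits a fixed `sleep 120` after the restart; a bounded poll that checks hostd is answering again (for example retrying the service-facts module with `until`/`retries`) would be faster and more reliable than a fixed sleep. Handler order in this file (restart first, then stop SSH) matters because the restart needs the SSH session the second handler tears down; that dependency deserves a one-line comment at the top of the file so a reordering does not break it.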
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.4
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
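Review bot: `license: license (GPL-2.0-or-later, MIT, etc)` is the untouched galaxy-init placeholder and it disagrees with the README, which states BSD; `author`, `description` and `company` are placeholders as well. Set `license: BSD-3-Clause` (or whichever licence actually applies) and fill in the other fields, since Galaxy tooling reads this file rather than the README. `min_ansible_version: 2.4` is parsed as a float; quoting it (`min_ansible_version: "2.4"`) avoids the `2.10` → `2.1` trap if it is later bumped.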
---
# tasks file for VMSA-2019-0011-Workaround
- name: Get the current state of all services
vmware_host_service_facts:
hostname: '{{ vcenter_hostname }}'
esxi_hostname: '{{ inventory_hostname }}'
username: '{{ vmware_user }}'
password: '{{ vmware_password }}'
delegate_to: localhost
register: host_service_facts
- name: Start SSH Temporarily
vmware_host_service_manager:
hostname: '{{ vcenter_hostname }}'
esxi_hostname: '{{ inventory_hostname }}'
username: '{{ vmware_user }}'
password: '{{ vmware_password }}'
service_name: TSM-SSH
state: start
delegate_to: localhost
when: (ansible_distribution_version == "6.7.0" or ansible_distribution_version == "6.5.0") and not host_service_facts['host_service_facts'][inventory_hostname] | selectattr('key', 'equalto', 'TSM-SSH') | map(attribute='running') | list | first | bool
notify: Stop SSH
- name: Add ioTrackers to /etc/vmware/hostd/config.xml
xml:
backup: yes
path: /etc/vmware/hostd/config.xml
xpath: /config/ioTrackers
value: ' false '
when: (ansible_distribution_version == "6.7.0" and ansible_distribution_build|int <= 13981272) or (ansible_distribution_version == "6.5.0" and ansible_distribution_build|int < 13932383)
notify: Restart hostd
vars:
ansible_user: '{{ vmware_user }}@{{ ad_domain|upper }}'
ansible_password: '{{ vmware_password }}'
ansible_connection: paramiko
ansible_python_interpreter: /bin/python
- name: Remove ioTrackers from /etc/vmware/hostd/config.xml
xml:
backup: yes
path: /etc/vmware/hostd/config.xml
xpath: /config/ioTrackers
state: absent
when: (ansible_distribution_version == "6.7.0" and ansible_distribution_build|int > 13981272) or (ansible_distribution_version == "6.5.0" and ansible_distribution_build|int >= 13932383)
notify: Restart hostd
vars:
ansible_user: '{{ vmware_user }}@{{ ad_domain|upper }}'
ansible_password: '{{ vmware_password }}'
ansible_connection: paramiko
ansible_python_interpreter: /bin/python
\ No newline at end of file
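Review bot: If `Add ioTrackers` or `Remove ioTrackers` fails after `Start SSH Temporarily` has run, the notified `Stop SSH` handler never executes and TSM-SSH is left enabled on the ESXi host, because once a task fails on a host its pending handlers are skipped unless the play sets `force_handlers: true`. Neither this file nor tests/test.yml sets it; adding `force_handlers: true` to the play, or wrapping the three tasks in a `block` whose `always` section stops the service when it was not running beforehand, makes the temporary enablement reliably reverted. Separately, the `when` on `Start SSH Temporarily` relies on `ansible_distribution_version` and the xml tasks on `ansible_distribution_build`, which are gathered facts; it is not clear from this commit how they are collected for a host whose SSH service is still stopped at that point, so a comment at the top of the file stating the expected fact-gathering setup (or an explicit `setup` step after SSH is started) would help. Also `backup: yes` on both xml tasks is YAML 1.1 truthy; `backup: true` is the canonical form.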
---
- hosts: localhost
remote_user: root
roles:
- VMSA-2019-0011-Workaround
\ No newline at end of file
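Review bot: The play targets `hosts: localhost`, but the role uses `inventory_hostname` as the ESXi host name in every VMware module call and in the connection vars, so run as written it would ask vCenter about a host called `localhost`, and the README's own requirement (each ESXi host present in the inventory) is not met. The test play should target the ESXi inventory group instead, e.g. `- hosts: all` restricted with `--limit`. `remote_user: root` is redundant here since the role overrides `ansible_user` on every task that reaches the host.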
---
# vars file for VMSA-2019-0011-Workaround
\ No newline at end of file