ansibleyamlredhatbootloadergrub2

Ansible Unable to set password for GRUB bootloader in Redhat


As Salam-o-Alikum, I have written an Ansible playbook for setting GRUB bootloader password on RedHat and Ubuntu, there are no error and i can see changes in Grub2.cfg on both locations. It's weird that when i reboot my both machines, Ubuntu machine asks for username and password but Redhat machine don't. I have seen 50+ tutorials procedure is the same and its pretty easy but i don't why its behaving like that. Any help would be greatly appreciated.

Here is what i've tried.

Hardening.yml

   ---
   - hosts: localhost
     become: yes
     gather_facts: true
     vars:
         grub_password_v1_passwd: puffersoft
         grub_password_v2_passwd: grub.pbkdf2.sha512.10000.A4DE89CBFB84A34253A71D5DD4939BED709AB2F24E909062A902D4751E91E3E82403D9D216BD506091CAA5E92AB958FBEF4B4B4B7CB0352F8191D47A9C93239F.0B07DD3D5AD46BF0F640136D448F2CFB84A6E05B76974C51B031C8B31D6F9B556802A28E95A5E65EC1F95983E24618EE2E9B21A0233AAA8D264781FE57DCE837
         grub_user: cloud_user
     tasks:
    - stat: path=/sys/firmware/efi/efivars/
      register: grub_efi
    - debug: vars=grub_efi
      when: ansible_distribution == 'Redhat'
      tags: grub-password

    - name: "Installing Template on Redhat Systems"
      template:
            src: grub-redhat.j2
            dest: /etc/grub.d/01_users
            owner: root
            group: root
            mode: '0700'
            notify:
                    - grub2-mkconfig EFI
                    - grub2-mkconfig MBR
      when: ansible_distribution == 'Redhat'
      tags: grub-password

    - name: "Installing Template on Ubuntu Systems"
      template:
            src: grub-ubuntu.j2
            dest: /etc/grub.d/40_custom
            owner: root
            group: root
            mode: '0700'
            notify:
                    - grub2-mkconfig EFI
                    - grub2-mkconfig MBR
      when: ansible_distribution == 'Ubuntu'
      tags: grub-password

    - name: "Grub EFI | Add Password"
      lineinfile: dest=/etc/grub2-efi.cfg regexp = "^password_pbkdf2 {{ grub_user }}" state=present insertafter = EOF line= "password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
      when: grub_efi.stat.exists == True
      tags: grub-password

    - name: "Grub v2 MBR | Add Password"
      lineinfile: dest=/etc/grub2.cfg regexp = "^password_pbkdf2 {{ grub_user }}" state=present insertafter = EOF line= "password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}"
      when: grub_efi.stat.exists == False

    - name: "grub2-mkconfig EFI"
      command: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
      when: grub_efi.stat.exists == True

    - name: "grub2-mkconfig MBR"
      command: grub2-mkconfig -o /boot/grub2/grub.cfg
      when: grub_efi.stat.exists == False

grub-redhat.j2

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
set supperusers="{{ grub_user  }}"
password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd  }}
EOF

grub-ubuntu.j2

#!/bin/sh
tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
set superusers="{{grub_user}}"
password_pbkdf2 {{grub_user}} {{grub_password_v2_passwd}}

Ansible Distribution

Red Hat 7.7 Maipo and Ubuntu 18.04 bionic


Solution

  • grub-redhat.j2 has some typos.

    Line 11: set supperusers="{{ grub_user }}"

    Change to: set superusers="{{ grub_user }}"

    Line 12: password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}

    Change to:password_pbkdf2 {{ grub_user }} {{ grub_password_v2_passwd }}

    If you're going to use the same grub password on multiple machines, you might want to consider using ansible-vault encrypt_string to encrypt the raw password, then create an additional task which runs grub2-mkpasswd-pbkdf2 (part of grub2-tools-minimal) with the command module and pass it the vaulted variable. Registering the output of that task (e.g. as grub_password_v2_passwd) would result in every target that you run the playbook against receiving a unique hash even though the underlying password would be the same. The expect module works great for this:

    expect:
      command: grub2-mkpasswd-pbkdf2
      responses:
        Enter password: '{{ vaulted_raw_password }}'
        Reenter password: '{{ vaulted_raw_password }}'
    no_log: true