Attention: support for WAPT 1.8.2 ended on June 30th, 2022.

There are known vulnerabilities in the dependencies of the WAPT 1.8.2 branch. Please upgrade to the latest supported version. CVE listing (non-exhaustive):
  • python engine: python 2.7 (CVE-2020-10735, CVE-2015-20107, CVE-2022-0391, CVE-2021-23336, CVE-2021-3177, CVE-2020-27619, CVE-2020-26116, CVE-2019-20907, CVE-2020-8492, etc.)
  • cryptography: openssl (CVE-2022-2068, CVE-2022-1292, CVE-2022-0778, CVE-2021-4160, CVE-2021-3712, CVE-2021-23841, CVE-2021-23840, CVE-2021-23839, CVE-2020-1971, CVE-2020-1968, CVE-2019-1551)
  • python dependencies: cryptography (CVE-2020-36242, CVE-2020-25659), eventlet (CVE-2021-21419), jinja2 (CVE-2020-28493), psutil (CVE-2019-18874), waitress (CVE-2022-31015), lxml (CVE-2021-4381, CVE-2021-28957, CVE-2020-27783, CVE-2018-19787), ujson (CVE-2022-31117, CVE-2022-31116, CVE-2021-45958), python-ldap (CVE-2021-46823)

Deploying the Linux WAPT Agent with Ansible

To avoid mistakes and automate the deployment of your WAPT agents on Linux, we provide Ansible roles for installing WAPT agents on:

  • Debian

  • Ubuntu

  • Red Hat / CentOS

You can explore the role source code by visiting this link on GitHub.

Requirements

  • Debian Linux or CentOS hosts;

  • a sudoers user on these hosts;

  • Ansible 2.8.

Installing the Ansible role

  • install the tranquilit.waptagent Ansible role;

    ansible-galaxy install tranquilit.waptagent
    
  • to install the role elsewhere, use the -p option like this;

    ansible-galaxy install tranquilit.waptagent -p /path/to/role/directory/
    

Using the Ansible role

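  • ensure you have a working SSH key deployed on your hosts; if not, you can generate and copy one as shown below;

    # generate a key pair (accept the default location ~/.ssh/id_ed25519)
    ssh-keygen -t ed25519
    # install the public key on the host
    ssh-copy-id -i ~/.ssh/id_ed25519.pub user@computer1.mydomain.lan
    # log in with the private key to check that it works
    ssh -i ~/.ssh/id_ed25519 user@computer1.mydomain.lan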
    
  • edit the Ansible hosts inventory (./hosts) and add the Linux hosts;

    [computers]
    computer1.mydomain.lan ansible_host=192.168.1.50
    computer2.mydomain.lan ansible_host=192.168.1.60
    
  • create a playbook with the following content in ./playbooks/deploywaptagent.yml;

    - hosts: computers
      roles:
        - { role: tranquilit.waptagent }
    
  • ensure all variables are correctly set (see wapt-get.ini variables);

    • wapt_server_url;

    • wapt_repo_url;

    • wapt_crt;

Important

Variable configuration is important because it determines the behavior of the WAPT agent.

You must replace the default certificate with your Code-Signing public certificate.

  • run your playbook with the following command;

    ansible-playbook -i ./hosts ./playbooks/deploywaptagent.yml -u user --become --become-method=sudo -K

Congratulations, you have installed your WAPT agent on your Linux hosts!

Role variables

Available variables are listed below, along with default values (see defaults/main.yml).

WAPT agent variables

  • version of WAPT that will be installed from the WAPT Deb/RPM repository;

    wapt_version: "1.8"

  • version of CentOS used for the RPM repository address;

    centos_version: "centos7"

wapt-get.ini variables

The wapt_server_url parameter points to your WAPT server and is used by default to build wapt_repo_url.

    wapt_server_url: "https://srvwapt.mydomain.lan"
    wapt_repo_url: "{{ wapt_server_url }}/wapt/"

You can override it like so:

    wapt_server_url: "https://wapt.landomain.lan"
    wapt_repo_url: "https://wapt.otherdomain.com/wapt/"

Filename of the certificate located in the files/ subdirectory of the role:

    wapt_crt: "wapt_ca.crt"
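
A pre-flight check for the three variables above, as an added example that is not part of the WAPT documentation or of the tranquilit.waptagent role: it rejects non-https URLs and private key material in the wapt_crt file, and compares the certificate's SHA-256 fingerprint (the hash of its DER encoding) with one you pin from your own Code-Signing certificate. The function names, the https requirement and the sample certificate bytes are assumptions made for this example.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in for files/wapt_ca.crt (a tiny DER SEQUENCE, not a real certificate).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of each CERTIFICATE block, rejecting anything else."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM block found")
    fingerprints = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            raise ValueError("private key material must never be shipped to agents")
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: " + label)
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            raise ValueError("block is not DER-encoded")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def preflight(role_vars, pem_text, pinned_sha256):
    """Return a list of problems; an empty list means the role variables look sane."""
    problems = []
    server = role_vars.get("wapt_server_url", "")
    for key in ("wapt_server_url", "wapt_repo_url"):
        # Resolve the role's default "{{ wapt_server_url }}/wapt/" template by hand.
        value = role_vars.get(key, "").replace("{{ wapt_server_url }}", server)
        url = urlsplit(value)
        if url.scheme != "https" or not url.hostname:
            problems.append(key + " must be an https:// URL")
    try:
        if pinned_sha256.lower() not in cert_fingerprints(pem_text):
            problems.append("wapt_crt does not match the pinned code-signing certificate")
    except ValueError as exc:
        problems.append("wapt_crt: " + str(exc))
    return problems
```

Call preflight() with the variables you pass to the role, the text of the file named by wapt_crt, and the fingerprint of your own certificate, and run the playbook only when it returns an empty list.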

Example Ansible playbook

Here is an example of an Ansible playbook.

    - hosts: hosts
      vars_files:
        - vars/main.yml
      roles:
        - tranquilit.waptagent