Difference between revisions of "OPS435 Ansible"

From CDOT Wiki
Revision as of 02:30, 24 November 2019

Overview

"Ansible is an IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
Ansible was designed for multi-tier deployments since day one, and models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.
Ansible uses no agents and no additional custom security infrastructure, and it uses a very simple language called 'YAML', to compose an Ansible Playbook which allow you to describe your automation jobs in a very simple way."

For more detailed information about Ansible, see the Ansible web site at www.ansible.com

Objective

  • Install and configure Ansible on a controller Linux machine
  • Explore Ansible's ad hoc commands
  • Explore Ansible's built-in modules
  • Explore and create Ansible playbooks

Investigation I: Introduction to Ansible

In this introduction, we explore the main components of the Ansible configuration management system and its operating environment. We also study a simple playbook for managing the configuration of a CentOS 7.x VM. For more detailed information about Ansible, see the Ansible web site at https://www.ansible.com

Key Concepts when using Ansible

  • YAML - a human-readable data serialization language, commonly used for configuration files. To know more, see the Wikipedia page on YAML.
  • Control machine (management node) - the machine on which Ansible is installed and from which ad hoc commands and playbooks are run.
  • Remote machine (managed node) - a machine that the control machine configures over SSH; no agent is installed on it.
  • playbook - contains one or multiple plays, each of which defines the work to be done for a configuration on a managed server. Playbooks are written in YAML. Every play in the playbook is created with environment-specific parameters for the target machines; there are no standard plays.
  • Inventory file - defines the hosts and groups of hosts upon which commands, modules, and tasks in a playbook operate.
  • Hosts file - the default inventory file, /etc/ansible/hosts; it contains information about the machines to be managed (a sample hosts file is linked from the original wiki page)
  • Ad hoc commands
    • shell commands (with -a alone the default command module runs the program directly, without a shell; use -m shell when you need pipes, redirection or shell variables)
      • ansible 192.168.99.153 -a 'date'
      • ansible 192.168.99.153 -a 'df'
      • ansible 192.168.99.153 -a 'iptables -L -n -v' -u root
  • Built-in modules
    • copy module
      • ansible 192.168.99.153 -m copy -a "src=/ops435/ansible.txt dest=/tmp/ansible.txt"
    • Package management
      • ansible 192.168.99.153 -m yum -a "name=epel-release state=latest"
  • Running Ansible Playbooks
    • ansible-playbook -i 192.168.99.153, setup_webserver.yaml
    • ansible-playbook firstrun.yaml
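The ad hoc commands and playbooks above all name one host by IP address. As an added example (not from the original page), the inventory below uses Ansible's YAML inventory format, which Ansible accepts alongside the INI-style hosts file, to put the lab VM into a group and to record per group how Ansible should log in. The group names, the second VM address, the account name lab and the key path are assumptions for the example.

```yaml
# inventory.yml (added example, not part of the original page)
# Groups let one command or play target many hosts:
#   ansible -i inventory.yml webservers -m ping
#   ansible -i inventory.yml 'webservers:dbservers' --list-hosts
all:
  vars:
    # Log in with an unprivileged account and escalate with sudo only in
    # the plays and tasks that ask for it (become: yes), rather than
    # opening root over SSH to every managed node.
    ansible_user: lab                                # assumed account name
    ansible_become_method: sudo
    ansible_ssh_private_key_file: ~/.ssh/id_ed25519  # assumed key path
  children:
    webservers:
      hosts:
        192.168.99.153:          # the VM used throughout this page
    dbservers:
      hosts:
        192.168.99.154:          # assumed second VM
      vars:
        ansible_port: 22         # per-group override, e.g. for a non-standard sshd port
```

Before running anything against a group, check which hosts a pattern matches with --list-hosts (shown in the ansible --help output below), or display the whole tree with ansible-inventory -i inventory.yml --graph; neither command connects to the managed nodes.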

Part 1: Installing Ansible on CentOS 7

Run the command yum install ansible as root. The ansible package comes from the EPEL repository, as the transaction summary shows, and yum resolves and installs the following dependent packages:
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================
 Package                             Arch                  Version                       Repository             Size
=====================================================================================================================
Installing:
 ansible                             noarch                2.9.1-1.el7                   epel                   17 M
Installing for dependencies:
 python-babel                        noarch                0.9.6-8.el7                   base                  1.4 M
 python-cffi                         x86_64                1.6.0-5.el7                   base                  218 k
 python-enum34                       noarch                1.0.4-1.el7                   base                   52 k
 python-httplib2                     noarch                0.9.2-1.el7                   extras                115 k
 python-idna                         noarch                2.4-1.el7                     base                   94 k
 python-jinja2                       noarch                2.7.2-4.el7                   base                  519 k
 python-markupsafe                   x86_64                0.11-10.el7                   base                   25 k
 python-paramiko                     noarch                2.1.1-9.el7                   base                  269 k
 python-ply                          noarch                3.4-11.el7                    base                  123 k
 python-pycparser                    noarch                2.14-1.el7                    base                  104 k
 python2-cryptography                x86_64                1.7.2-2.el7                   base                  502 k
 python2-jmespath                    noarch                0.9.0-3.el7                   extras                 39 k
 python2-pyasn1                      noarch                0.1.9-7.el7                   base                  100 k
 sshpass                             x86_64                1.06-2.el7                    extras                 21 k

Transaction Summary
=====================================================================================================================
Install  1 Package (+14 Dependent packages)

Total download size: 21 M
Installed size: 120 M
Is this ok [y/d/N]:
To confirm that you have Ansible installed, try the following command:
[rchan@c7-rchan ~]$ ansible --help
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD]
               [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts]
               [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k]
               [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
               [-c CONNECTION] [-T TIMEOUT]
               [--ssh-common-args SSH_COMMON_ARGS]
               [--sftp-extra-args SFTP_EXTRA_ARGS]
               [--scp-extra-args SCP_EXTRA_ARGS]
               [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D]
               [-e EXTRA_VARS] [--vault-id VAULT_IDS]
               [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
               [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR]
               [-a MODULE_ARGS] [-m MODULE_NAME]
               pattern

Define and run a single task 'playbook' against a set of hosts

positional arguments:
  pattern               host pattern

optional arguments:
  --ask-vault-pass      ask for vault password
  --list-hosts          outputs a list of matching hosts; does not execute
                        anything else
  --playbook-dir BASEDIR
                        Since this tool does not use playbooks, use this as a
                        substitute playbook directory.This sets the relative
                        path for many features including roles/ group_vars/
                        etc.
  --syntax-check        perform a syntax check on the playbook, but do not
                        execute it
  --vault-id VAULT_IDS  the vault identity to use
  --vault-password-file VAULT_PASSWORD_FILES
                        vault password file
  --version             show program's version number, config file location,
                        configured module search path, module location,
                        executable location and exit
  -B SECONDS, --background SECONDS
                        run asynchronously, failing after X seconds
                        (default=N/A)
  -C, --check           don't make any changes; instead, try to predict some
                        of the changes that may occur
  -D, --diff            when changing (small) files and templates, show the
                        differences in those files; works great with --check
  -M MODULE_PATH, --module-path MODULE_PATH
                        prepend colon-separated path(s) to module library (def
                        ault=~/.ansible/plugins/modules:/usr/share/ansible/plu
                        gins/modules)
  -P POLL_INTERVAL, --poll POLL_INTERVAL
                        set the poll interval if using -B (default=15)
  -a MODULE_ARGS, --args MODULE_ARGS
                        module arguments
  -e EXTRA_VARS, --extra-vars EXTRA_VARS
                        set additional variables as key=value or YAML/JSON, if
                        filename prepend with @
  -f FORKS, --forks FORKS
                        specify number of parallel processes to use
                        (default=5)
  -h, --help            show this help message and exit
  -i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
                        specify inventory host path or comma separated host
                        list. --inventory-file is deprecated
  -l SUBSET, --limit SUBSET
                        further limit selected hosts to an additional pattern
  -m MODULE_NAME, --module-name MODULE_NAME
                        module name to execute (default=command)
  -o, --one-line        condense output
  -t TREE, --tree TREE  log output to this directory
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)

Privilege Escalation Options:
  control how and which user you become as on target hosts

  --become-method BECOME_METHOD
                        privilege escalation method to use (default=sudo), use
                        `ansible-doc -t become -l` to list valid choices.
  --become-user BECOME_USER
                        run operations as this user (default=root)
  -K, --ask-become-pass
                        ask for privilege escalation password
  -b, --become          run operations with become (does not imply password
                        prompting)

Connection Options:
  control as whom and how to connect to hosts

  --private-key PRIVATE_KEY_FILE, --key-file PRIVATE_KEY_FILE
                        use this file to authenticate the connection
  --scp-extra-args SCP_EXTRA_ARGS
                        specify extra arguments to pass to scp only (e.g. -l)
  --sftp-extra-args SFTP_EXTRA_ARGS
                        specify extra arguments to pass to sftp only (e.g. -f,
                        -l)
  --ssh-common-args SSH_COMMON_ARGS
                        specify common arguments to pass to sftp/scp/ssh (e.g.
                        ProxyCommand)
  --ssh-extra-args SSH_EXTRA_ARGS
                        specify extra arguments to pass to ssh only (e.g. -R)
  -T TIMEOUT, --timeout TIMEOUT
                        override the connection timeout in seconds
                        (default=10)
  -c CONNECTION, --connection CONNECTION
                        connection type to use (default=smart)
  -k, --ask-pass        ask for connection password
  -u REMOTE_USER, --user REMOTE_USER
                        connect as this user (default=None)

Some modules do not make sense in Ad-Hoc (include, meta, etc)
There are a lot of options when running Ansible. Let's move on and try a few simple ones.

Part 2: Sample runs for some of the Ad hoc commands

[rchan@centos7 ansible]$ ansible 192.168.99.153 -m copy -a "src=/home/rchan/ops435/ansible/ansible.txt dest=/tmp/ansible.txt"
192.168.99.153 | SUCCESS => {
    "changed": true, 
    "checksum": "837affc90674fb92cdb0ebac6e49ad31a586b37e", 
    "dest": "/tmp/ansible.txt", 
    "gid": 1001, 
    "group": "rchan", 
    "md5sum": "78ae49d77d28d06173cf2194a3909732", 
    "mode": "0664", 
    "owner": "rchan", 
    "secontext": "unconfined_u:object_r:user_home_t:s0", 
    "size": 106, 
    "src": "/home/rchan/.ansible/tmp/ansible-tmp-1542902119.15-117618539513309/source", 
    "state": "file", 
    "uid": 1001
}

Because no -u was given, Ansible connected to the remote host as the local user name (rchan), so the copied file is owned by rchan with mode 0664 from that user's umask. The copy module accepts owner, group and mode arguments to set these explicitly; the checksum (SHA-1) and md5sum in the output describe the file as it landed on the remote host and can be compared against the source.

Part 3: Sample runs for using some Ansible's built-in modules

[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present"
192.168.99.153 | SUCCESS => {
    "changed": false, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "epel-release-7-11.noarch providing epel-release is already installed"
    ]
}
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present" -u root
192.168.99.153 | SUCCESS => {
    "changed": false, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "epel-release-7-11.noarch providing epel-release is already installed"
    ]
}
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=latest" -u root
192.168.99.153 | SUCCESS => {
    "changed": false, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "All packages providing epel-release are up to date", 
        ""
    ]
}

Note that the first run above connects as the regular user rchan and still reports SUCCESS: the yum module only had to query the package database, because epel-release was already installed and nothing changed. Installing or updating a package modifies the system and needs root, so either connect as root (-u root, as in the second and third runs) or, better, keep the regular login and add -b so that Ansible escalates with sudo on the remote host (the Privilege Escalation Options in ansible --help).

Gather all the facts available about the remote machine (the setup module)

[rchan@centos7 ansible]$ ansible 192.168.99.153 -m setup
192.168.99.153 | SUCCESS => {
    "ansible_facts": {
        "ansible_all_ipv4_addresses": [
            "192.168.122.99", 
            "192.168.99.153"
        ], 
        "ansible_all_ipv6_addresses": [
            "fe80::5054:ff:fe11:6767", 
            "fe80::5054:ff:fe8c:b67c"
        ], 
        "ansible_architecture": "x86_64", 
        "ansible_bios_date": "04/01/2014", 
        "ansible_bios_version": "1.9.1-5.el7_3.2", 
        "ansible_cmdline": {
            "BOOT_IMAGE": "/vmlinuz-3.10.0-862.14.4.el7.x86_64", 
            "LANG": "en_CA.UTF-8", 
            "console": "ttyS0", 
...
        "ansible_userspace_bits": "64", 
        "ansible_virtualization_role": "guest", 
        "ansible_virtualization_type": "kvm", 
        "module_setup": true
    }, 
    "changed": false
}

The fact list is much longer than the excerpt above; the complete output is linked from the original wiki page.

Ansible Playbook

Updating /etc/motd file

Name: motd-play.yml

---
- hosts: 192.168.99.153
  remote_user: root          # SSH login account for the whole play (the older key "user" is an alias)
  vars:
    apache_version: 2.6
    motd_warning: 'WARNING: use by ICT faculty/students only.'
    testserver: yes
  tasks:
    - name: setup a MOTD
      copy:
        dest: /etc/motd
        content: "{{ motd_warning }}"

Sample Run:

[rchan@centos7 playbooks]$ ansible-playbook motd-play.yml

PLAY [192.168.99.153] **********************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.168.99.153]

TASK [setup a MOTD] ************************************************************
changed: [192.168.99.153]

PLAY RECAP *********************************************************************
192.168.99.153             : ok=2    changed=1    unreachable=0    failed=0   

Install and start Apache Server

Name: httpd-play.yml

---
- hosts: 192.168.99.153
  remote_user: root          # SSH login account for the whole play (the older key "user" is an alias)
  vars:
    apache_version: 2.6
    motd_warning: 'WARNING: use by ICT faculty/students only.'
    testserver: yes
  tasks:
    - name: install apache
      yum:
        name: httpd
        state: present       # "installed" is an alias of present

    - name: restart apache
      service:
        name: httpd
        state: restarted

Sample Run:

[rchan@centos7 playbooks]$ ansible-playbook httpd-play.yml

PLAY [192.168.99.153] **********************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.168.99.153]

TASK [install apache] **********************************************************
changed: [192.168.99.153]

TASK [restart apache] **********************************************************
changed: [192.168.99.153]

PLAY RECAP *********************************************************************
192.168.99.153             : ok=3    changed=2    unreachable=0    failed=0   
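The two plays above log in as root and restart httpd on every run, which works in the lab but is not how a playbook should look in production: a play run twice should change nothing the second time. As an added example that is not part of the original page, the playbook below combines the MOTD and Apache plays with the changes a practitioner would make: an unprivileged SSH login with become for sudo, explicit ownership and mode on the files written, a state of started (not restarted) for the service, and a restart handler that only fires when a configuration file actually changes. The group name webservers, the account name lab and the drop-in file name security.conf are assumptions for the example.

```yaml
---
# site.yml (added example, not part of the original page)
- hosts: webservers            # a group from the inventory; assumed name
  remote_user: lab             # unprivileged SSH login; assumed account
  become: yes                  # escalate with sudo (the default become method)
  vars:
    motd_warning: 'WARNING: use by ICT faculty/students only.'
  tasks:
    - name: setup a MOTD
      copy:
        dest: /etc/motd
        content: "{{ motd_warning }}\n"
        owner: root
        group: root
        mode: '0644'           # explicit, rather than whatever the umask gives

    - name: install apache
      yum:
        name: httpd
        state: present         # present, not latest: no surprise upgrades on each run

    - name: hide the apache version in headers and error pages
      copy:
        dest: /etc/httpd/conf.d/security.conf   # assumed drop-in file name
        content: |
          ServerTokens Prod
          ServerSignature Off
        owner: root
        group: root
        mode: '0644'
      notify: restart apache   # handler runs only if this file changed

    - name: apache is running and enabled at boot
      service:
        name: httpd
        state: started         # started, not restarted: no needless outage when nothing changed
        enabled: yes

  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted
```

Run it in stages: ansible-playbook -i inventory.yml --syntax-check site.yml to catch YAML and keyword errors, then ansible-playbook -i inventory.yml --check --diff site.yml to preview the file changes without applying them (both flags appear in the ansible --help output above), and finally without --check. Add -K if the sudo rule for the login account requires a password. On a second real run the recap should show changed=0.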

Questions

System requirements

  • You must have at least two networked machines
    • control node - runs ansible to configure the remote nodes - needs Ansible 2.x (the install in Part 1 pulls 2.9.1 from EPEL)
    • remote nodes - to be managed by the control node
  • You should be able to ssh from your control node as a regular user to any of your remote nodes as the root user without supplying a login password (key-based authentication). This is convenient for the lab, but it means the control node's key is a root credential for every managed node; outside the lab, log in as a regular user and let Ansible escalate with -b (sudo) only where a task needs it.
  • Python 2.7+ on all nodes
