OPS435 Ansible

From CDOT Wiki
Revision as of 03:46, 24 November 2019 by Rchan (talk | contribs) (Part 3: Sample runs for using some Ansible's built-in modules)
Jump to: navigation, search

Overview

"Ansible is an IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
Ansible was designed for multi-tier deployments since day one, and models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.
Ansible uses no agents and no additional custom security infrastructure, and it uses a very simple language called 'YAML', to compose an Ansible Playbook which allow you to describe your automation jobs in a very simple way."

For more detail information about ansible, check out the ansible web site at www.ansible.com

Objective

  • Install and configure Ansible on a controller Linux machine
  • Explore Ansible's ad hoc commands
  • Explore Ansible's built-in modules
  • Explore and create Ansible playbooks

Investigation I: Introduction to Ansible

In this introduction, we explore the main components of the Ansible configuration management system and its operating environment. we also study a simple playbook for managing the configuration of a CentOS 7.x VM. For more detail information about ansible, check out the ansible web site at https://www.ansible.com

Key Concepts when using Ansible

  • YAML - a human-readable data serialization language & is commonly used for configuration files. To know more, your can check out the wikipedia page here
  • Control machine - (Management node)
  • Remote machine - (managed node)
  • playbook - contains one or multiple plays, each of which define the work to be done for a configuration on a managed server. Playbooks are written in YAML. Every play in the playbook is created with environment-specific parameters for the target machines; there are no standard plays.
  • Inventory file - defines the hosts and groups of hosts upon which commands, modules, and tasks in a playbook operate.
  • Hosts file - contains information about machines to be managed - click here for sample hosts file
  • Ad hoc commands
    • shell commands
      • ansible 192.168.99.153 -a 'date'
      • ansible 192.168.99.153 -a 'df'
      • ansible 192.168.99.153 -a 'iptables -L -n -v' -u root
  • Built-in modules
    • copy module
      • ansible 192.168.99.153 -m copy -a "src=/ops435/ansible.txt dest=/tmp/ansible.txt"
    • Package management
      • ansible 192.168.99.153 -m yum -a "name=epel-release state=latest"
  • Running Ansible Playbooks
    • ansible-playbook -i 192.168.99.153, setup_webserver.yaml
    • ansible-playbook firstrun.yaml

Part 1: Installing Ansible on CentOS 7

run the command yum install ansible as root. You may have installed the following dependent packages:
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================
 Package                             Arch                  Version                       Repository             Size
=====================================================================================================================
Installing:
 ansible                             noarch                2.9.1-1.el7                   epel                   17 M
Installing for dependencies:
 python-babel                        noarch                0.9.6-8.el7                   base                  1.4 M
 python-cffi                         x86_64                1.6.0-5.el7                   base                  218 k
 python-enum34                       noarch                1.0.4-1.el7                   base                   52 k
 python-httplib2                     noarch                0.9.2-1.el7                   extras                115 k
 python-idna                         noarch                2.4-1.el7                     base                   94 k
 python-jinja2                       noarch                2.7.2-4.el7                   base                  519 k
 python-markupsafe                   x86_64                0.11-10.el7                   base                   25 k
 python-paramiko                     noarch                2.1.1-9.el7                   base                  269 k
 python-ply                          noarch                3.4-11.el7                    base                  123 k
 python-pycparser                    noarch                2.14-1.el7                    base                  104 k
 python2-cryptography                x86_64                1.7.2-2.el7                   base                  502 k
 python2-jmespath                    noarch                0.9.0-3.el7                   extras                 39 k
 python2-pyasn1                      noarch                0.1.9-7.el7                   base                  100 k
 sshpass                             x86_64                1.06-2.el7                    extras                 21 k

Transaction Summary
=====================================================================================================================
Install  1 Package (+14 Dependent packages)

Total download size: 21 M
Installed size: 120 M
Is this ok [y/d/N]:
To confirm that you have Ansible installed, try the following command:
[rchan@c7-rchan ~]$ ansible --help
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD]
               [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts]
               [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k]
               [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
               [-c CONNECTION] [-T TIMEOUT]
               [--ssh-common-args SSH_COMMON_ARGS]
               [--sftp-extra-args SFTP_EXTRA_ARGS]
               [--scp-extra-args SCP_EXTRA_ARGS]
               [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D]
               [-e EXTRA_VARS] [--vault-id VAULT_IDS]
               [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
               [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR]
               [-a MODULE_ARGS] [-m MODULE_NAME]
               pattern

Define and run a single task 'playbook' against a set of hosts

positional arguments:
  pattern               host pattern

optional arguments:
  --ask-vault-pass      ask for vault password
  --list-hosts          outputs a list of matching hosts; does not execute
                        anything else
  --playbook-dir BASEDIR
                        Since this tool does not use playbooks, use this as a
                        substitute playbook directory.This sets the relative
                        path for many features including roles/ group_vars/
                        etc.
  --syntax-check        perform a syntax check on the playbook, but do not
                        execute it
  --vault-id VAULT_IDS  the vault identity to use
  --vault-password-file VAULT_PASSWORD_FILES
                        vault password file
  --version             show program's version number, config file location,
                        configured module search path, module location,
                        executable location and exit
  -B SECONDS, --background SECONDS
                        run asynchronously, failing after X seconds
                        (default=N/A)
  -C, --check           don't make any changes; instead, try to predict some
                        of the changes that may occur
  -D, --diff            when changing (small) files and templates, show the
                        differences in those files; works great with --check
  -M MODULE_PATH, --module-path MODULE_PATH
                        prepend colon-separated path(s) to module library (def
                        ault=~/.ansible/plugins/modules:/usr/share/ansible/plu
                        gins/modules)
  -P POLL_INTERVAL, --poll POLL_INTERVAL
                        set the poll interval if using -B (default=15)
  -a MODULE_ARGS, --args MODULE_ARGS
                        module arguments
  -e EXTRA_VARS, --extra-vars EXTRA_VARS
                        set additional variables as key=value or YAML/JSON, if
                        filename prepend with @
  -f FORKS, --forks FORKS
                        specify number of parallel processes to use
                        (default=5)
  -h, --help            show this help message and exit
  -i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
                        specify inventory host path or comma separated host
                        list. --inventory-file is deprecated
  -l SUBSET, --limit SUBSET
                        further limit selected hosts to an additional pattern
  -m MODULE_NAME, --module-name MODULE_NAME
                        module name to execute (default=command)
  -o, --one-line        condense output
  -t TREE, --tree TREE  log output to this directory
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)

Privilege Escalation Options:
  control how and which user you become as on target hosts

  --become-method BECOME_METHOD
                        privilege escalation method to use (default=sudo), use
                        `ansible-doc -t become -l` to list valid choices.
  --become-user BECOME_USER
                        run operations as this user (default=root)
  -K, --ask-become-pass
                        ask for privilege escalation password
  -b, --become          run operations with become (does not imply password
                        prompting)

Connection Options:
  control as whom and how to connect to hosts

  --private-key PRIVATE_KEY_FILE, --key-file PRIVATE_KEY_FILE
                        use this file to authenticate the connection
  --scp-extra-args SCP_EXTRA_ARGS
                        specify extra arguments to pass to scp only (e.g. -l)
  --sftp-extra-args SFTP_EXTRA_ARGS
                        specify extra arguments to pass to sftp only (e.g. -f,
                        -l)
  --ssh-common-args SSH_COMMON_ARGS
                        specify common arguments to pass to sftp/scp/ssh (e.g.
                        ProxyCommand)
  --ssh-extra-args SSH_EXTRA_ARGS
                        specify extra arguments to pass to ssh only (e.g. -R)
  -T TIMEOUT, --timeout TIMEOUT
                        override the connection timeout in seconds
                        (default=10)
  -c CONNECTION, --connection CONNECTION
                        connection type to use (default=smart)
  -k, --ask-pass        ask for connection password
  -u REMOTE_USER, --user REMOTE_USER
                        connect as this user (default=None)

Some modules do not make sense in Ad-Hoc (include, meta, etc)
There are a lots of options when running Ansible. Let's move on to try a few simple ones.

Part 2: Sample runs for some of the Ad hoc commands

[rchan@centos7 ansible]$ ansible 192.168.99.153 -m copy -a "src=/home/rchan/ops435/ansible/ansible.txt dest=/tmp/ansible.txt"
192.168.99.153 | SUCCESS => {
    "changed": true, 
    "checksum": "837affc90674fb92cdb0ebac6e49ad31a586b37e", 
    "dest": "/tmp/ansible.txt", 
    "gid": 1001, 
    "group": "rchan", 
    "md5sum": "78ae49d77d28d06173cf2194a3909732", 
    "mode": "0664", 
    "owner": "rchan", 
    "secontext": "unconfined_u:object_r:user_home_t:s0", 
    "size": 106, 
    "src": "/home/rchan/.ansible/tmp/ansible-tmp-1542902119.15-117618539513309/source", 
    "state": "file", 
    "uid": 1001
}
192.168.99.153 is the remote machine's IP address.
"-m copy" tells ansible to use the copy module
after '-a' is the arguments to the copy module, which specify the source file and the destination for the copy action.
If you got the same "SUCCESS" message, login to the remote machine (in this example, it is 192.168.99.153) and check the directory "/tmp" for the file ansible.txt.

Part 3: Sample runs for using some Ansible's built-in modules

"yum" is a built-in ansible module. You can get detail information about an ansible module with the following command:
    ansible-doc yum
The following command demonstrates how to install the "epel-release" package with the "yum" module:
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present"
192.168.99.153 | SUCCESS => {
    "changed": false, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "epel-release-7-11.noarch providing epel-release is already installed"
    ]
}

[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present" -u root
192.168.99.153 | SUCCESS => {
    "changed": false, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "epel-release-7-11.noarch providing epel-release is already installed"
    ]
}

[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=latest" -u root
192.168.99.153 | SUCCESS => {
    "changed": false, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "All packages providing epel-release are up to date", 
        ""
    ]
}

Part 4: Gather software and hardware information available on remote machine

One of the main ansible module is called "setup", it is automatically called by ansible playbook to gather useful "facts" about remote hosts that can be used in ansible playbooks. It can also be executed directly by the ansible command (/usr/bin/ansible) to check what "facts" are available to a host.
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m setup
192.168.99.153 | SUCCESS => {
    "ansible_facts": {
        "ansible_all_ipv4_addresses": [
            "192.168.122.99", 
            "192.168.99.153"
        ], 
        "ansible_all_ipv6_addresses": [
            "fe80::5054:ff:fe11:6767", 
            "fe80::5054:ff:fe8c:b67c"
        ], 
        "ansible_architecture": "x86_64", 
        "ansible_bios_date": "04/01/2014", 
        "ansible_bios_version": "1.9.1-5.el7_3.2", 
        "ansible_cmdline": {
            "BOOT_IMAGE": "/vmlinuz-3.10.0-862.14.4.el7.x86_64", 
            "LANG": "en_CA.UTF-8", 
            "console": "ttyS0", 
...
        "ansible_userspace_bits": "64", 
        "ansible_virtualization_role": "guest", 
        "ansible_virtualization_type": "kvm", 
        "module_setup": true
    }, 
    "changed": false
}

Click here for complete contents of the above

Ansible Playbook

Updating /etc/motd file

Name: motd-play.yml

---
- hosts: 192.168.99.153
  user: root
  vars:
    apache_version: 2.6
    motd_warning: 'WARNING: use by ICT faculty/students only.'
    testserver: yes
  tasks:
    - name: setup a MOTD
      copy: 
        dest: /etc/motd
        content: "{{ motd_warning }}"

Sample Run:

[rchan@centos7 playbooks]$ ansible-playbook motd-play.yml

PLAY [192.168.99.153] **********************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.168.99.153]

TASK [setup a MOTD] ************************************************************
changed: [192.168.99.153]

PLAY RECAP *********************************************************************
192.168.99.153             : ok=2    changed=1    unreachable=0    failed=0   

Install and start Apache Server

Name: httpd-play.yml

---
- hosts: 192.168.99.153
  user: root
  vars:
    apache_version: 2.6
    motd_warning: 'WARNING: use by ICT faculty/students only.'
    testserver: yes
  tasks:
    - name: install apache
      action: yum name=httpd state=installed
    
    - name: restart apache
      service: 
        name: httpd
        state: restarted

Sample Run:

[rchan@centos7 playbooks]$ ansible-playbook httpd-play.yml

PLAY [192.168.99.153] **********************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.168.99.153]

TASK [install apache] **********************************************************
changed: [192.168.99.153]

TASK [restart apache] **********************************************************
changed: [192.168.99.153]

PLAY RECAP *********************************************************************
192.168.99.153             : ok=3    changed=2    unreachable=0    failed=0   

Questions

System requirements

  • You must have at lease two networked machines
    • control node - run ansible to configure remote node - need Ansible 2.x (latest version 2.7)
    • remote nodes - to be managed by the control node
  • You should be to ssh from your control node as a regular user to any of your remote nodes as root user without supplying a login password.
  • Python 2.7+ on all nodes

Reference

Pages in Print Edition: 122