OPS435 Ansible
Overview
- "Ansible is an IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
- Ansible was designed for multi-tier deployments since day one, and models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.
- Ansible uses no agents and no additional custom security infrastructure, and it uses a very simple language called 'YAML', to compose an Ansible Playbook which allows you to describe your automation jobs in a very simple way."
For more detailed information about Ansible, check out the Ansible web site at www.ansible.com
Objective
- Install and configure Ansible on a controller Linux machine
- Explore Ansible's ad hoc commands
- Explore Ansible's built-in modules
- Explore and create Ansible playbooks
Investigation I: Introduction to Ansible
In this introduction, we explore the main components of the Ansible configuration management system and its operating environment. We also study a simple playbook for managing the configuration of a CentOS 7.x VM.
Key Concepts when using Ansible
- YAML - a human-readable data serialization language, commonly used for configuration files. See the Wikipedia page on YAML for more.
- Control machine - (Management node)
- Remote machine - (managed node)
- playbook - contains one or more plays, each of which defines the work to be done to configure a set of managed hosts. Playbooks are written in YAML. Every play is written with environment-specific parameters for its target machines; there are no standard plays.
- Inventory file - defines the hosts and groups of hosts upon which commands, modules, and tasks in a playbook operate. The default inventory is /etc/ansible/hosts; an alternative file, or a comma-separated host list, can be given with -i.
- Hosts file - /etc/ansible/hosts, the default inventory file, containing information about the machines to be managed.
- Ad hoc commands
  - shell-style commands (with no -m, ansible uses the command module, which word-splits the argument string and runs the program directly without a shell, so pipes, redirection and ';' are not interpreted; use -m shell when you need them)
    - ansible 192.168.99.153 -a 'date'
    - ansible 192.168.99.153 -a 'df'
    - ansible 192.168.99.153 -a 'iptables -L -n -v' -u root   (listing the firewall rules requires root, hence -u root)
- Built-in modules
  - copy module
    - ansible 192.168.99.153 -m copy -a "src=/ops435/ansible.txt dest=/tmp/ansible.txt"
  - Package management (yum module)
    - ansible 192.168.99.153 -m yum -a "name=epel-release state=latest"
- Running Ansible playbooks
  - ansible-playbook -i 192.168.99.153, setup_webserver.yaml   (the trailing comma makes -i treat the value as a host list rather than as the path of an inventory file)
  - ansible-playbook firstrun.yaml   (uses the default inventory, /etc/ansible/hosts)
Part 1: Installing Ansible on CentOS 7
- Run the command yum install ansible as root. The ansible package comes from the EPEL repository (note the "epel" column below), so epel-release must already be installed. You should see a dependency list similar to the following:
    --> Finished Dependency Resolution

    Dependencies Resolved

    =====================================================================================
     Package                 Arch        Version              Repository        Size
    =====================================================================================
    Installing:
     ansible                 noarch      2.9.1-1.el7          epel              17 M
    Installing for dependencies:
     python-babel            noarch      0.9.6-8.el7          base             1.4 M
     python-cffi             x86_64      1.6.0-5.el7          base             218 k
     python-enum34           noarch      1.0.4-1.el7          base              52 k
     python-httplib2         noarch      0.9.2-1.el7          extras           115 k
     python-idna             noarch      2.4-1.el7            base              94 k
     python-jinja2           noarch      2.7.2-4.el7          base             519 k
     python-markupsafe       x86_64      0.11-10.el7          base              25 k
     python-paramiko         noarch      2.1.1-9.el7          base             269 k
     python-ply              noarch      3.4-11.el7           base             123 k
     python-pycparser        noarch      2.14-1.el7           base             104 k
     python2-cryptography    x86_64      1.7.2-2.el7          base             502 k
     python2-jmespath        noarch      0.9.0-3.el7          extras            39 k
     python2-pyasn1          noarch      0.1.9-7.el7          base             100 k
     sshpass                 x86_64      1.06-2.el7           extras            21 k

    Transaction Summary
    =====================================================================================
    Install  1 Package (+14 Dependent packages)

    Total download size: 21 M
    Installed size: 120 M
    Is this ok [y/d/N]:
- To confirm that you have Ansible installed, try the following command:
    [rchan@c7-rchan ~]$ ansible --help
    usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD]
                   [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts]
                   [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k]
                   [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
                   [-c CONNECTION] [-T TIMEOUT]
                   [--ssh-common-args SSH_COMMON_ARGS]
                   [--sftp-extra-args SFTP_EXTRA_ARGS]
                   [--scp-extra-args SCP_EXTRA_ARGS]
                   [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D]
                   [-e EXTRA_VARS] [--vault-id VAULT_IDS]
                   [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
                   [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR]
                   [-a MODULE_ARGS] [-m MODULE_NAME]
                   pattern

    Define and run a single task 'playbook' against a set of hosts

    positional arguments:
      pattern               host pattern

    optional arguments:
      --ask-vault-pass      ask for vault password
      --list-hosts          outputs a list of matching hosts; does not execute
                            anything else
      --playbook-dir BASEDIR
                            Since this tool does not use playbooks, use this as a
                            substitute playbook directory. This sets the relative
                            path for many features including roles/ group_vars/ etc.
      --syntax-check        perform a syntax check on the playbook, but do not
                            execute it
      --vault-id VAULT_IDS  the vault identity to use
      --vault-password-file VAULT_PASSWORD_FILES
                            vault password file
      --version             show program's version number, config file location,
                            configured module search path, module location,
                            executable location and exit
      -B SECONDS, --background SECONDS
                            run asynchronously, failing after X seconds
                            (default=N/A)
      -C, --check           don't make any changes; instead, try to predict some
                            of the changes that may occur
      -D, --diff            when changing (small) files and templates, show the
                            differences in those files; works great with --check
      -M MODULE_PATH, --module-path MODULE_PATH
                            prepend colon-separated path(s) to module library
                            (default=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules)
      -P POLL_INTERVAL, --poll POLL_INTERVAL
                            set the poll interval if using -B (default=15)
      -a MODULE_ARGS, --args MODULE_ARGS
                            module arguments
      -e EXTRA_VARS, --extra-vars EXTRA_VARS
                            set additional variables as key=value or YAML/JSON, if
                            filename prepend with @
      -f FORKS, --forks FORKS
                            specify number of parallel processes to use
                            (default=5)
      -h, --help            show this help message and exit
      -i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
                            specify inventory host path or comma separated host
                            list. --inventory-file is deprecated
      -l SUBSET, --limit SUBSET
                            further limit selected hosts to an additional pattern
      -m MODULE_NAME, --module-name MODULE_NAME
                            module name to execute (default=command)
      -o, --one-line        condense output
      -t TREE, --tree TREE  log output to this directory
      -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                            connection debugging)

    Privilege Escalation Options:
      control how and which user you become as on target hosts

      --become-method BECOME_METHOD
                            privilege escalation method to use (default=sudo), use
                            `ansible-doc -t become -l` to list valid choices.
      --become-user BECOME_USER
                            run operations as this user (default=root)
      -K, --ask-become-pass
                            ask for privilege escalation password
      -b, --become          run operations with become (does not imply password
                            prompting)

    Connection Options:
      control as whom and how to connect to hosts

      --private-key PRIVATE_KEY_FILE, --key-file PRIVATE_KEY_FILE
                            use this file to authenticate the connection
      --scp-extra-args SCP_EXTRA_ARGS
                            specify extra arguments to pass to scp only (e.g. -l)
      --sftp-extra-args SFTP_EXTRA_ARGS
                            specify extra arguments to pass to sftp only (e.g. -f,
                            -l)
      --ssh-common-args SSH_COMMON_ARGS
                            specify common arguments to pass to sftp/scp/ssh (e.g.
                            ProxyCommand)
      --ssh-extra-args SSH_EXTRA_ARGS
                            specify extra arguments to pass to ssh only (e.g. -R)
      -T TIMEOUT, --timeout TIMEOUT
                            override the connection timeout in seconds
                            (default=10)
      -c CONNECTION, --connection CONNECTION
                            connection type to use (default=smart)
      -k, --ask-pass        ask for connection password
      -u REMOTE_USER, --user REMOTE_USER
                            connect as this user (default=None)

    Some modules do not make sense in Ad-Hoc (include, meta, etc)
- There are a lot of options when running Ansible. Let's move on and try a few simple ones.
Part 2: Sample runs for some of the Ad hoc commands
    [rchan@centos7 ansible]$ ansible 192.168.99.153 -m copy -a "src=/home/rchan/ops435/ansible/ansible.txt dest=/tmp/ansible.txt"
    192.168.99.153 | SUCCESS => {
        "changed": true,
        "checksum": "837affc90674fb92cdb0ebac6e49ad31a586b37e",
        "dest": "/tmp/ansible.txt",
        "gid": 1001,
        "group": "rchan",
        "md5sum": "78ae49d77d28d06173cf2194a3909732",
        "mode": "0664",
        "owner": "rchan",
        "secontext": "unconfined_u:object_r:user_home_t:s0",
        "size": 106,
        "src": "/home/rchan/.ansible/tmp/ansible-tmp-1542902119.15-117618539513309/source",
        "state": "file",
        "uid": 1001
    }
- 192.168.99.153 is the remote machine's IP address, used here as the host pattern. It must be listed in your inventory (/etc/ansible/hosts by default) or supplied with -i '192.168.99.153,' as in the playbook example above.
- "-m copy" tells ansible to use the copy module.
- The arguments after '-a' are passed to the copy module; they specify the source file on the control node and the destination path on the remote machine.
- If you got the same "SUCCESS" message, log in to the remote machine (in this example, 192.168.99.153) and check the directory "/tmp" for the file ansible.txt. Note from the output that the file is owned by the connecting user (rchan, uid 1001) with mode 0664: the command ran as that user, with no privilege escalation, and the file inherited its ownership.
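The ad hoc commands above are run by Ansible's default command module, which word-splits the argument string and executes it directly instead of handing it to /bin/sh; the shell module (-m shell) does the opposite. The following is an added example, not part of the OPS435 page: two small POSIX sh functions that imitate the two behaviours locally on the control node, so the difference can be seen without a managed host. The argument string is constructed for the demonstration.

```shell
# Added example (not from the OPS435 page). Imitates how Ansible's default
# `command` module and its `shell` module treat the same argument string.
#
#   ansible HOST -a 'date'            -> command module (no shell involved)
#   ansible HOST -m shell -a 'date'   -> string handed to /bin/sh
#
# The command module splits the string into words and executes the result, so
# ';', '|', '>' and '$' reach the program as literal text. The shell module
# lets /bin/sh interpret them. The two functions below reproduce that
# difference with plain sh.

# Like the command module: split on whitespace, run the first word as the
# program and the remaining words as literal arguments. No shell parses it.
run_like_command() {
    # Word splitting of the unquoted expansion is intentional; it stands in
    # for the shlex.split() the command module performs on its arguments.
    # shellcheck disable=SC2086
    set -- $1
    "$@"
}

# Like the shell module: the whole string is interpreted by /bin/sh.
run_like_shell() {
    sh -c "$1"
}

# Count output lines, trimming the padding some wc implementations print.
line_count() {
    wc -l | tr -d ' '
}

# Constructed input: a harmless command with a second command appended, the
# shape an unquoted {{ variable }} could take in a shell task.
ARGS='echo hello; echo injected'

echo "command-style run:"
run_like_command "$ARGS"        # one line:  hello; echo injected
echo "shell-style run:"
run_like_shell "$ARGS"          # two lines: hello / injected
```

The same distinction holds inside playbooks: a command: task cannot be steered by metacharacters in an interpolated value, whereas in a shell: task any value spliced into the line should pass through the quote filter ({{ name | quote }}) so that it stays a single argument.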
Part 3: Sample runs for using some Ansible's built-in modules
- "yum" is a built-in Ansible module. You can get detailed information about any module with ansible-doc, for example:
    ansible-doc yum
- The following commands demonstrate how to install the "epel-release" package with the "yum" module. The first run succeeds as a regular user only because the package is already installed and nothing has to change; installing or upgrading a package requires root, supplied here with -u root (or, from a regular account, with -b to escalate via sudo):
    [rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present"
    192.168.99.153 | SUCCESS => {
        "changed": false,
        "msg": "",
        "rc": 0,
        "results": [
            "epel-release-7-11.noarch providing epel-release is already installed"
        ]
    }
    [rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present" -u root
    192.168.99.153 | SUCCESS => {
        "changed": false,
        "msg": "",
        "rc": 0,
        "results": [
            "epel-release-7-11.noarch providing epel-release is already installed"
        ]
    }
    [rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=latest" -u root
    192.168.99.153 | SUCCESS => {
        "changed": false,
        "msg": "",
        "rc": 0,
        "results": [
            "All packages providing epel-release are up to date",
            ""
        ]
    }
Part 4: Gathering software and hardware information from the remote machine
- One of the main Ansible modules is "setup". ansible-playbook calls it automatically at the start of each play (the "Gathering Facts" task in the sample runs below) to collect "facts" about the remote hosts, which tasks can then reference as variables. It can also be run directly with the ansible command (/usr/bin/ansible) to see which facts are available for a host:
    [rchan@centos7 ansible]$ ansible 192.168.99.153 -m setup
    192.168.99.153 | SUCCESS => {
        "ansible_facts": {
            "ansible_all_ipv4_addresses": [
                "192.168.122.99",
                "192.168.99.153"
            ],
            "ansible_all_ipv6_addresses": [
                "fe80::5054:ff:fe11:6767",
                "fe80::5054:ff:fe8c:b67c"
            ],
            "ansible_architecture": "x86_64",
            "ansible_bios_date": "04/01/2014",
            "ansible_bios_version": "1.9.1-5.el7_3.2",
            "ansible_cmdline": {
                "BOOT_IMAGE": "/vmlinuz-3.10.0-862.14.4.el7.x86_64",
                "LANG": "en_CA.UTF-8",
                "console": "ttyS0",
            ...
            "ansible_userspace_bits": "64",
            "ansible_virtualization_role": "guest",
            "ansible_virtualization_type": "kvm",
            "module_setup": true
        },
        "changed": false
    }
Ansible Playbook
Updating /etc/motd file
Name: motd-play.yml
    ---
    - hosts: 192.168.99.153
      user: root                 # 'user' is the older spelling of remote_user
      vars:
        apache_version: 2.6      # defined but not used by this play
        motd_warning: 'WARNING: use by ICT faculty/students only.'
        testserver: yes          # defined but not used by this play
      tasks:
        - name: setup a MOTD
          copy:
            dest: /etc/motd
            content: "{{ motd_warning }}"
Sample Run:
    [rchan@centos7 playbooks]$ ansible-playbook motd-play.yml

    PLAY [192.168.99.153] **********************************************************

    TASK [Gathering Facts] *********************************************************
    ok: [192.168.99.153]

    TASK [setup a MOTD] ************************************************************
    changed: [192.168.99.153]

    PLAY RECAP *********************************************************************
    192.168.99.153             : ok=2    changed=1    unreachable=0    failed=0
Install and start Apache Server
Name: httpd-play.yml
    ---
    - hosts: 192.168.99.153
      user: root                 # 'user' is the older spelling of remote_user
      vars:
        apache_version: 2.6      # defined but not used by this play
        motd_warning: 'WARNING: use by ICT faculty/students only.'
        testserver: yes          # defined but not used by this play
      tasks:
        - name: install apache
          yum:                   # the original wrote this as "action: yum name=httpd state=installed"
            name: httpd
            state: present       # "installed" is an alias of present
        - name: restart apache
          service:
            name: httpd
            state: restarted     # restarts httpd on every run, so this task always reports "changed"
Sample Run:
    [rchan@centos7 playbooks]$ ansible-playbook httpd-play.yml

    PLAY [192.168.99.153] **********************************************************

    TASK [Gathering Facts] *********************************************************
    ok: [192.168.99.153]

    TASK [install apache] **********************************************************
    changed: [192.168.99.153]

    TASK [restart apache] **********************************************************
    changed: [192.168.99.153]

    PLAY RECAP *********************************************************************
    192.168.99.153             : ok=3    changed=2    unreachable=0    failed=0
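Both playbooks above log in as root, httpd-play.yml restarts Apache on every run (so a second run is never "changed=0"), and each carries variables it never uses. The following is an added example, not the page's own playbook: one playbook covering both plays that connects as an unprivileged user and escalates with become, starts httpd idempotently, and restarts it only when its configuration actually changes, via a handler. It is written as a POSIX sh function that drops an inventory and the playbook into a directory so they can be inspected or passed to ansible-playbook --syntax-check. The remote user name rchan, the sudo rights of that user, and the ServerTokens hardening line are assumptions made for the illustration.

```shell
# Added example (not from the OPS435 page): writes an inventory and a playbook
# that do what motd-play.yml and httpd-play.yml do, but with privilege
# escalation instead of root logins, idempotent service handling and a
# handler-driven restart. Assumptions: the managed node accepts SSH logins
# for the user "rchan", who can sudo; the host address is the page's.

write_lab_files() {
    dir=$1
    mkdir -p "$dir"

    # Inventory: the host joins a group so plays target "webservers", not an IP.
    cat > "$dir/hosts.ini" <<'EOF'
[webservers]
192.168.99.153

[webservers:vars]
ansible_user=rchan
ansible_become=true
EOF

    # Playbook: both of the page's plays folded into one, with become.
    cat > "$dir/site.yml" <<'EOF'
---
- hosts: webservers
  become: true                     # sudo on the node; no root SSH login needed
  vars:
    motd_warning: 'WARNING: use by ICT faculty/students only.'
  tasks:
    - name: setup a MOTD
      copy:
        dest: /etc/motd
        content: "{{ motd_warning }}\n"
        owner: root
        group: root
        mode: '0644'

    - name: install apache
      yum:
        name: httpd
        state: present                 # "installed" is an alias of present

    - name: hide server version details (assumed hardening line)
      lineinfile:
        path: /etc/httpd/conf/httpd.conf
        regexp: '^ServerTokens'
        line: 'ServerTokens Prod'
      notify: restart apache           # restart only when this line changed

    - name: enable and start apache
      service:
        name: httpd
        state: started                 # idempotent, unlike state: restarted
        enabled: true

  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted
EOF
    printf '%s\n' "$dir/site.yml"
}

# Parses the playbook without contacting any host. Only meaningful where
# ansible-playbook is installed, so it is skipped (successfully) elsewhere.
syntax_check() {
    if command -v ansible-playbook >/dev/null 2>&1; then
        ansible-playbook -i "$1/hosts.ini" --syntax-check "$1/site.yml"
    else
        echo "ansible-playbook not found; skipping syntax check" >&2
    fi
}

LAB_DIR=$(mktemp -d)
write_lab_files "$LAB_DIR"
syntax_check "$LAB_DIR"
```

Run it for real with ansible-playbook -i "$LAB_DIR/hosts.ini" "$LAB_DIR/site.yml" -K (the -K prompts for the sudo password; drop it if rchan has passwordless sudo), and preview first with --check --diff. A second run should report changed=0, which httpd-play.yml cannot, because its restart task fires every time. The same inventory also serves ad hoc commands, e.g. ansible -i "$LAB_DIR/hosts.ini" webservers -m yum -a 'name=epel-release state=latest' -K, without any -u root.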
Questions
System requirements
- You must have at least two networked machines:
  - control node - runs ansible to configure the remote nodes; needs Ansible 2.x (the output shown on this page is from 2.9.1, installed from EPEL)
  - remote nodes - the machines managed by the control node
- You should be able to ssh from your control node, as a regular user, to each of your remote nodes as root without being prompted for a password, i.e. with key-based authentication. The lab uses -u root (and user: root in the plays) for simplicity; the usual practice outside a lab is to connect as an unprivileged user and escalate with -b/--become (sudo), so that root logins over SSH can stay disabled.
- Python 2.7+ on all nodes