OPS435 Ansible
Overview
- "Ansible is an IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
- Ansible was designed for multi-tier deployments since day one, and models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.
- Ansible uses no agents and no additional custom security infrastructure, and it uses a very simple language called 'YAML', to compose an Ansible Playbook which allow you to describe your automation jobs in a very simple way."
For more detail information about ansible, check out the ansible web site at www.ansible.com
Objective
- Install and configure Ansible on a controller Linux machine
- Explore Ansible's ad hoc commands
- Explore Ansible's built-in modules
- Explore and create Ansible playbooks
Investigation I: Introduction to Ansible
In this introduction, we explore the main components of the Ansible configuration management system and its operating environment. we also study a simple playbook for managing the configuration of a CentOS 7.x VM. For more detail information about ansible, check out the ansible web site at https://www.ansible.com
Key Concepts when using Ansible
- YAML - a human-readable data serialization language & is commonly used for configuration files. To know more, your can check out the wikipedia page here
- Control machine - (Management node)
- Remote machine - (managed node)
- playbook - contains one or multiple plays, each of which define the work to be done for a configuration on a managed server. Playbooks are written in YAML. Every play in the playbook is created with environment-specific parameters for the target machines; there are no standard plays.
- Inventory file - defines the hosts and groups of hosts upon which commands, modules, and tasks in a playbook operate.
- Hosts file - contains information about machines to be managed - click here for sample hosts file
- Ad hoc commands
- shell commands
- ansible 192.168.99.153 -a 'date'
- ansible 192.168.99.153 -a 'df'
- ansible 192.168.99.153 -a 'iptables -L -n -v' -u root
- shell commands
- Built-in modules
- copy module
- ansible 192.168.99.153 -m copy -a "src=/ops435/ansible.txt dest=/tmp/ansible.txt"
- Package management
- ansible 192.168.99.153 -m yum -a "name=epel-release state=latest"
- copy module
- Running Ansible Playbooks
- ansible-playbook -i 192.168.99.153, setup_webserver.yaml
- ansible-playbook firstrun.yaml
Part 1: Installing Ansible on CentOS 7
- run the command yum install ansible as root. You may have installed the following dependent packages:
--> Finished Dependency Resolution Dependencies Resolved ===================================================================================================================== Package Arch Version Repository Size ===================================================================================================================== Installing: ansible noarch 2.9.1-1.el7 epel 17 M Installing for dependencies: python-babel noarch 0.9.6-8.el7 base 1.4 M python-cffi x86_64 1.6.0-5.el7 base 218 k python-enum34 noarch 1.0.4-1.el7 base 52 k python-httplib2 noarch 0.9.2-1.el7 extras 115 k python-idna noarch 2.4-1.el7 base 94 k python-jinja2 noarch 2.7.2-4.el7 base 519 k python-markupsafe x86_64 0.11-10.el7 base 25 k python-paramiko noarch 2.1.1-9.el7 base 269 k python-ply noarch 3.4-11.el7 base 123 k python-pycparser noarch 2.14-1.el7 base 104 k python2-cryptography x86_64 1.7.2-2.el7 base 502 k python2-jmespath noarch 0.9.0-3.el7 extras 39 k python2-pyasn1 noarch 0.1.9-7.el7 base 100 k sshpass x86_64 1.06-2.el7 extras 21 k Transaction Summary ===================================================================================================================== Install 1 Package (+14 Dependent packages) Total download size: 21 M Installed size: 120 M Is this ok [y/d/N]:
- To confirm that you have Ansible installed, try the following command:
[rchan@c7-rchan ~]$ ansible --help usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD] [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT] [--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS] [--scp-extra-args SCP_EXTRA_ARGS] [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D] [-e EXTRA_VARS] [--vault-id VAULT_IDS] [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES] [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR] [-a MODULE_ARGS] [-m MODULE_NAME] pattern Define and run a single task 'playbook' against a set of hosts positional arguments: pattern host pattern optional arguments: --ask-vault-pass ask for vault password --list-hosts outputs a list of matching hosts; does not execute anything else --playbook-dir BASEDIR Since this tool does not use playbooks, use this as a substitute playbook directory.This sets the relative path for many features including roles/ group_vars/ etc. --syntax-check perform a syntax check on the playbook, but do not execute it --vault-id VAULT_IDS the vault identity to use --vault-password-file VAULT_PASSWORD_FILES vault password file --version show program's version number, config file location, configured module search path, module location, executable location and exit -B SECONDS, --background SECONDS run asynchronously, failing after X seconds (default=N/A) -C, --check don't make any changes; instead, try to predict some of the changes that may occur -D, --diff when changing (small) files and templates, show the differences in those files; works great with --check -M MODULE_PATH, --module-path MODULE_PATH prepend colon-separated path(s) to module library (def ault=~/.ansible/plugins/modules:/usr/share/ansible/plu gins/modules) -P POLL_INTERVAL, --poll POLL_INTERVAL set the poll interval if using -B (default=15) -a MODULE_ARGS, --args MODULE_ARGS module arguments -e EXTRA_VARS, --extra-vars EXTRA_VARS set additional variables as key=value or YAML/JSON, if filename prepend with @ -f FORKS, --forks FORKS specify number of parallel processes to use (default=5) -h, --help show this help message and exit -i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY specify inventory host path or comma separated host list. --inventory-file is deprecated -l SUBSET, --limit SUBSET further limit selected hosts to an additional pattern -m MODULE_NAME, --module-name MODULE_NAME module name to execute (default=command) -o, --one-line condense output -t TREE, --tree TREE log output to this directory -v, --verbose verbose mode (-vvv for more, -vvvv to enable connection debugging) Privilege Escalation Options: control how and which user you become as on target hosts --become-method BECOME_METHOD privilege escalation method to use (default=sudo), use `ansible-doc -t become -l` to list valid choices. --become-user BECOME_USER run operations as this user (default=root) -K, --ask-become-pass ask for privilege escalation password -b, --become run operations with become (does not imply password prompting) Connection Options: control as whom and how to connect to hosts --private-key PRIVATE_KEY_FILE, --key-file PRIVATE_KEY_FILE use this file to authenticate the connection --scp-extra-args SCP_EXTRA_ARGS specify extra arguments to pass to scp only (e.g. -l) --sftp-extra-args SFTP_EXTRA_ARGS specify extra arguments to pass to sftp only (e.g. -f, -l) --ssh-common-args SSH_COMMON_ARGS specify common arguments to pass to sftp/scp/ssh (e.g. ProxyCommand) --ssh-extra-args SSH_EXTRA_ARGS specify extra arguments to pass to ssh only (e.g. -R) -T TIMEOUT, --timeout TIMEOUT override the connection timeout in seconds (default=10) -c CONNECTION, --connection CONNECTION connection type to use (default=smart) -k, --ask-pass ask for connection password -u REMOTE_USER, --user REMOTE_USER connect as this user (default=None) Some modules do not make sense in Ad-Hoc (include, meta, etc)
- There are a lots of options when running Ansible. Let's move on to try a few simple ones.
Part 2: Sample runs for some of the Ad hoc commands
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m copy -a "src=/home/rchan/ops435/ansible/ansible.txt dest=/tmp/ansible.txt" 192.168.99.153 | SUCCESS => { "changed": true, "checksum": "837affc90674fb92cdb0ebac6e49ad31a586b37e", "dest": "/tmp/ansible.txt", "gid": 1001, "group": "rchan", "md5sum": "78ae49d77d28d06173cf2194a3909732", "mode": "0664", "owner": "rchan", "secontext": "unconfined_u:object_r:user_home_t:s0", "size": 106, "src": "/home/rchan/.ansible/tmp/ansible-tmp-1542902119.15-117618539513309/source", "state": "file", "uid": 1001 }
- 192.168.99.153 is the remote machine's IP address.
- "-m copy" tells ansible to use the copy module
- after '-a' is the arguments to the copy module, which specify the source file and the destination for the copy action.
- If you got the same "SUCCESS" message, login to the remote machine (in this example, it is 192.168.99.153) and check the directory "/tmp" for the file ansible.txt.
Part 3: Sample runs for using some Ansible's built-in modules
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present" 192.168.99.153 | SUCCESS => { "changed": false, "msg": "", "rc": 0, "results": [ "epel-release-7-11.noarch providing epel-release is already installed" ] } [rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=present" -u root 192.168.99.153 | SUCCESS => { "changed": false, "msg": "", "rc": 0, "results": [ "epel-release-7-11.noarch providing epel-release is already installed" ] } [rchan@centos7 ansible]$ ansible 192.168.99.153 -m yum -a "name=epel-release state=latest" -u root 192.168.99.153 | SUCCESS => { "changed": false, "msg": "", "rc": 0, "results": [ "All packages providing epel-release are up to date", "" ] }
Gather all the information available on remote machine
[rchan@centos7 ansible]$ ansible 192.168.99.153 -m setup 192.168.99.153 | SUCCESS => { "ansible_facts": { "ansible_all_ipv4_addresses": [ "192.168.122.99", "192.168.99.153" ], "ansible_all_ipv6_addresses": [ "fe80::5054:ff:fe11:6767", "fe80::5054:ff:fe8c:b67c" ], "ansible_architecture": "x86_64", "ansible_bios_date": "04/01/2014", "ansible_bios_version": "1.9.1-5.el7_3.2", "ansible_cmdline": { "BOOT_IMAGE": "/vmlinuz-3.10.0-862.14.4.el7.x86_64", "LANG": "en_CA.UTF-8", "console": "ttyS0", ... "ansible_userspace_bits": "64", "ansible_virtualization_role": "guest", "ansible_virtualization_type": "kvm", "module_setup": true }, "changed": false }
Ansible Playbook
Updating /etc/motd file
Name: motd-play.yml
--- - hosts: 192.168.99.153 user: root vars: apache_version: 2.6 motd_warning: 'WARNING: use by ICT faculty/students only.' testserver: yes tasks: - name: setup a MOTD copy: dest: /etc/motd content: "{{ motd_warning }}"
Sample Run:
[rchan@centos7 playbooks]$ ansible-playbook motd-play.yml PLAY [192.168.99.153] ********************************************************** TASK [Gathering Facts] ********************************************************* ok: [192.168.99.153] TASK [setup a MOTD] ************************************************************ changed: [192.168.99.153] PLAY RECAP ********************************************************************* 192.168.99.153 : ok=2 changed=1 unreachable=0 failed=0
Install and start Apache Server
Name: httpd-play.yml
--- - hosts: 192.168.99.153 user: root vars: apache_version: 2.6 motd_warning: 'WARNING: use by ICT faculty/students only.' testserver: yes tasks: - name: install apache action: yum name=httpd state=installed - name: restart apache service: name: httpd state: restarted
Sample Run:
[rchan@centos7 playbooks]$ ansible-playbook httpd-play.yml PLAY [192.168.99.153] ********************************************************** TASK [Gathering Facts] ********************************************************* ok: [192.168.99.153] TASK [install apache] ********************************************************** changed: [192.168.99.153] TASK [restart apache] ********************************************************** changed: [192.168.99.153] PLAY RECAP ********************************************************************* 192.168.99.153 : ok=3 changed=2 unreachable=0 failed=0
Questions
System requirements
- You must have at lease two networked machines
- control node - run ansible to configure remote node - need Ansible 2.x (latest version 2.7)
- remote nodes - to be managed by the control node
- You should be to ssh from your control node as a regular user to any of your remote nodes as root user without supplying a login password.
- Python 2.7+ on all nodes
Reference
- Ansible Configuration Management - Second Edition By: Daniel Hall, Publisher: Packt Publishing Pub. Date: April 27, 2015,ISBN-13: 978-1-78528-230-0
Pages in Print Edition: 122