bomonike

[Figure: Ansible flow diagram] This robot butler is simple, but not stupid


The object of this tutorial is to provide deep but succinct commentary (without marketing generalizations) as we take a carefully crafted step-by-step hands-on tour, all on a single searchable page. NOTE: Content here is my personal opinion and is not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.

Overview

Why Ansible?

Ansible is not a configuration management system like Jenkins.
Ansible is an infrastructure management system like Terraform, Puppet, Chef, Salt. The Ansible Project (https://docs.ansible.com/) (Ansible Core) was identified, among the hundreds of thousands of repositories on GitHub, as the #7 project by number of contributors and one of the most discussed projects (ahead of even Kubernetes and npm).

BTW, the name “ansible” was popularized by the science-fiction book and movie “Ender’s Game”, which uses a device it calls an “ansible” to communicate in real time with many ships at once, across galaxies far away.

The objective of building an Ansible Managed Environment is to configure software of many host nodes using “declarative” YAML code within “playbooks” instead of manual configuration on individual nodes.

When the ansible program is invoked, it delegates work to various Modules. Additional custom modules can be defined, such as for building assets within AWS using CloudFormation as well as other clouds (Digital Ocean, Linode, Rackspace, etc.).

ansible is one of the command-line executables installed by Python when the Ansible (Core) Control Server is installed.

“Ansible Core” since version 2.13 only contains core (essential) modules. Its legacy “Ansible Engine” in RHEL 8.5 and earlier includes 3367 modules by default.

“Core” in RHEL 8.6 and later installs additional modules through collections from ansible-galaxy at https://galaxy.ansible.com, a community-submitted repository of Roles that define the installation of many categories of software (database, etc).

The website shows a “quality rating” based on runs of the ansible-lint program, which validates changes. The same program used by the website can be installed on your server by pip to validate changes after downloading and editing.

Files in the Galaxy are versioned in a GitHub repository. Files can also be pulled by the ansible-pull program, which (like Git) can pull other files such as the inventory of host nodes to be populated. Inventory files are managed by the ansible-inventory executable. Among the downloads can be (dyn) programs that act like a static inventory file but dynamically retrieve inventory data.

is a dependency of Ansible Tower, which provides an API and GUI front-end to the open-source Control Server. It has a command-line interface and a web-based interface for managing Ansible projects using role-based access control, job scheduling, and real-time job status updates, for small to medium-sized environments.

SSH

The use of SSH (Secure Shell) is Ansible’s differentiator. This is the approach that makes Ansible easy and secure, because the SSH utility comes standard in all Linux distributions for users to communicate with servers. Since SSH uses the commonly open port 22, one does not need to beg for special ports to be opened through the enterprise firewall (which one needs to do with the custom agent programs used by Chef, Puppet, and others).

Use of SSH does require the Linux ssh-keygen program to create pairs of cryptographic key files. The public key is copied to each host node created. This does not compromise secrets because the private key stays on the machine where the pair was created. During login, the host node uses the public key it holds to verify a signature that only the holder of the private key could have produced; the session itself is encrypted with keys negotiated per connection.

By default, JSON messages are communicated back to the Control Server’s API listening on standard port 80. Internally, Ansible uses the Django REST framework and PyYAML.

Various modules run on remote hosts to provide the plumbing for other networking protocols, such as HTTP, running on remote machines.

Ansible plug-ins can also be downloaded and installed so Ansible can communicate via ZeroMQ “fireball mode” or other means.

WinRM

To connect with Windows machines, Windows Remote Management (WinRM) is used (from Vista SP1 or Windows 2008 R1 and up).

Other Windows modules include win_feature (to install and uninstall Windows Features) and win_regedit (Add, Edit, or Remove Registry Keys and Values). WinRM python module

Tasks, Plays, Playbook

Modules are invoked by a series of Tasks defined as plays in playbooks.yml files.

Instead of using a database server, Ansible stores declarations in text files in yml format (pronounced “yamil”) that are both human- and machine-readable, so playbooks can be edited with any text editor.

A task can trigger handlers (shell scripts) which run on some condition, usually once at the end of plays.

Plays map a group of hosts to roles. Each role is like a subroutine: it makes playbook code reusable by putting the functionality into generalized “libraries” that any playbook can use as needed.

The ansible-playbook program manages playbooks.

ansible-vault encrypts and decrypts entire playbooks.

ansible-console can execute individual tasks (during debugging).

Within each host node, a facts.d folder is created within the /etc/ansible folder.

Finally, the ansible-doc executable presents additional information.

Recap: [Ansible flow diagram]


Owned by Red Hat

The @ansible Twitter account is titled “Red Hat Ansible” because its initial author, Michael DeHaan from North Carolina (@laserllama), began writing Ansible in his spare time in 2006 while working at RedHat (after a stint at Puppet). His AnsibleWorks got acquired by RedHat in 2015. See the slides to his video “Python-Powered Radically Simple IT Automation” at PyCon 2014.

His advice at All Things Open lightning talk Dec 3, 2014:

docs.ansible.com lists the major aspects of Ansible:

Ansible Tower

VIDEO: Red Hat (IBM) Ansible Tower adds a web server UI for “push button deployment” to manage projects (set of playbooks).


For example, checking “ENABLE PRIVILEGE ESCALATION” is the same as adding -b in ansible ad-hoc commands.

Tower installs within Linux base configurations at /etc/tower/settings.py. Look at this after install.

PROJECTS_ROOT

Ansible Tower makes use of a PostgreSQL database, either locally, remotely, or in an HA inventory group cluster. Tower provides Role Based Access Control (RBAC) to access its database via REST API.

Ansible Automation Platform

Red Hat’s Ansible Automation Platform includes Ansible Tower as one of its components to provide a comprehensive suite for enterprise-level automation of large-scale operations and complex environments (thousands of nodes). It provides an Automation mesh for distributed deployments with high availability through clustering and performance monitoring across clusters.

Ansible Lightspeed

Ansible Lightspeed can do:

  1. Single and multitask generation
  2. Generate Playbooks
  3. Explain Playbooks
  4. Content source matching
  5. Content maintenance and modernization
  6. Monitoring through Red Hat Hybrid Cloud Console Admin Dashboard

To use GenAI services to make it easier to create and manage Ansible playbooks, Ansible Lightspeed adds IBM Watsonx Code Assistant’s trained models to generate code. Ansible is one of 100 languages supported by Watsonx Code Assistant. Lightspeed can use Ansible-specific custom IBM Watsonx Granite LLM models.

Ansible Lightspeed is a paid VS Code extension add-on for Ansible Automation Platform (AAP); it requires a license for Lightspeed separate from the AAP license. A free 90-day license of Lightspeed “Cloud Pak for Data” is available. After that, it’s a minimum of $1,500. A developer license option for AAP doesn’t count as a valid license for AAP + Lightspeed.

Ansible Lightspeed is offered both on-premises and in a cloud hosted by IBM.

  1. Request a trial for Ansible Automation Platform (not through developers.redhat.com)
    https://cloud.ibm.com/catalog/services/ibm-watsonx-code-assistant
    
  2. install:
    sudo dnf install python3-pip ansible-core
    

    https://github.com/monfresh/laptop my personal playbooks and scripts to install a laptop from scratch including some dotfiles. Based on Fedora 27. Not idempotent.

    https://github.com/vaskas/laptop-ansible for Fedora 26

  3. install the Ansible development package: python3 -m pip install ansible-dev-tools --no-input
  4. Download VS Code from visualstudio.com
  5. Run the RPM installer and start VS Code
  6. From the left side, open the Extension option
  7. Search for the Ansible extension and click Install
  8. This adds an Ansible icon in the left toolbar. Click it
  9. Click the Link “Create Ansible environment” in the upper left corner

    From a terminal, create a directory: mkdir ansible

  10. In VS Code, select File > Open Folder and open the ansible directory you just created
  11. Open a new file in this directory and start typing YAML code
  12. In Ansible Development Tools, select Settings and have a look at the settings that are available

  13. In the VS Code plugin, select Settings > Ansible Lightspeed
  14. Ensure that all options are selected
  15. In the Ansible Lightspeed settings, click Connect. VS Code shows a pop-up where you need to allow the extension to sign in.
  16. Check your browser if no pop-up shows!
  17. You’ll be connected. When you use it for the first time, you’ll be prompted to request a 90-day trial license

  18. Create a yml file, and use name: for the task that you want to create
    • The argument to name: should be a complete description of what you want the task to do
    • name: install postgresql-server
  19. Press Enter to generate the task, which by default will be all grayed-out
  20. Press Tab to convert the commented-out task to real code
  21. Press Escape to ignore the code suggestion
  22. To create a multitask request, start the request with a #, separate the requests with an &, and do NOT include - name:
  23. install postgresql-server & run postgresql-setup command

  24. See the Lightspeed plugin working for about 5 seconds each task. Once done, code will be generated

    View Lightspeed Sources:

  25. Select View > Open View
  26. Scroll down to see Lightspeed training matches
  27. A new pane opens, where sources can be clicked open to get more details

Alternatives to Ansible

[Figure: Ansible vs. others, by Jeff Geerling]

Ansible functionality


Exam prep

Linux Academy has the most complete set of video classes on Ansible:

Stosh Oldham’s video prep class [21:24:31] with diagrams and sample practical exams for the 4-hour $400 Red Hat Certified Specialist in Ansible Automation (EX407) tasks based on Red Hat® Enterprise Linux® 7.5 and Ansible 2.7:

Mercifully, Tower is not a significant requirement in the exam.


Install Ansible

Due to the transition from Ansible to Ansible Core:

  1. Know what version may be installed already:

    ansible --version

    The response for the version at time of writing (substitute “$USER” with your own account name):

      config file = None
      configured module search path = ['/Users/$USER/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/Cellar/ansible/2.8.0/libexec/lib/python3.7/site-packages/ansible
      executable location = /usr/local/bin/ansible
      python version = 3.7.3 (default, Mar 27 2019, 09:23:15) [Clang 10.0.1 (clang-1001.0.46.3)]
    

    NOTE: Ansible makes use of Python, so install that.

    If you don’t see the above and instead see “command not found”, continue:

  2. If you’re on a Mac, install XCode.

  3. Install Python.

  4. Skip to Configuration instructions.

Setup Vagrant and Virtualbox

  1. Download and install:

    • A virtual image manager from VagrantUp.com (87.9 MB for vagrant_1.8.1.dmg).
    • A vm provider (hypervisor) to run virtual machines from Oracle’s VirtualBox
  2. Verify availability from a command-line Terminal:

    vagrant
    vboxmanage

  3. Create a folder (of any name) for Ansible configuration files. This is typically for a project. This can be in a git folder if you’d like version management.

    cd ~
    mkdir ansible
    cd ansible

    The ~ (tilde character above) refers to your home folder.

  4. Switch to an internet browser to open a repository of Vagrant server base images:

    http://vagrantcloud.com (which redirects to a site owned by hashicorp, who owns Vagrant, thus the advert for the Atlas licensed product)

    NOTE: Many enterprises instead use an internal repository.

  5. In the box under “Discover Vagrant Boxes”, search for ubuntu or CentOS, etc.

  6. Choose one and copy its text in blue, such as “nrel/CentOS-6.5-x86_64” from contributor nrel or “ubuntu/trusty64”.

  7. Close down any process making use of port 8080, as that’s Vagrant’s default port. (Jenkins also uses port 8080 by default)

  8. Initialize a Vagrantfile for use by Vagrant:

    vagrant init

    Sample response:

    A `Vagrantfile` has been placed in this directory. You are now
    ready to `vagrant up` your first virtual environment! Please read
    the comments in the Vagrantfile as well as documentation on
    `vagrantup.com` for more information on using Vagrant.
    
  9. If you have a file named Vagrantfile from another source, copy it into the folder to replace the file generated.

    Alternately, open a text editor to create a file named Vagrantfile with this sample content, which specifies the acs (Ansible Control Server), web, and db servers:

   Vagrant.configure(2) do |config|

     config.vm.define "acs" do |acs|
       acs.vm.box = "nrel/CentOS-6.5-x86_64"
       acs.vm.hostname = "acs"
       acs.vm.network "private_network", ip: "192.168.33.10"
     end

     config.vm.define "web" do |web|
       web.vm.box="nrel/CentOS-6.5-x86_64"
       web.vm.hostname = "web"
       web.vm.network "private_network", ip: "192.168.33.20"
       web.vm.network "forwarded_port", guest: 80, host: 8080
     end

     config.vm.define "db" do |db|
       db.vm.box = "nrel/CentOS-6.5-x86_64"
       db.vm.hostname = "db"
       db.vm.network "private_network", ip: "192.168.33.30"
     end
   end
  

The (2) in Vagrant.configure(2) specifies the configuration version.

Names between | (pipe) characters provide handles to identify each server.

Two spaces are used to indent.

Internal IP addresses (192.168.33.xxx) are used in this example.

Change 8080 to another port if it is already used by another process on your computer.

Vagrant up

  1. Navigate to a folder containing a Vagrantfile specification file.
  2. Bring up a machine based on the Vagrantfile in the folder:

    vagrant up

    This can take several minutes if this is the first time, since images for servers specified need to be downloaded.

  3. Switch to a Finder to see that a .vagrant (hidden) folder has been added. Under the machines folder is a folder for each type specified between pipe characters (acs, web, db, etc).

  4. Open another terminal shell to check what is running:

    vboxmanage list runningvms

    The response lists each VM’s name and UUID:

   "ansible_acs_1463860205025_4852" {128ce450-8384-4adb-a4fd-7f4ac5c1f0b8}
   "ansible_web_1463862332570_44406" {dd044db3-ecf1-4b9b-9c42-96952172bd4d}
   "ansible_db_1463882256962_22323" {411c8704-f220-4188-8b94-d1bfb093e1b4}
   

Provision Ansible Control Server

  1. SSH into the acs server via vagrant:

    vagrant ssh acs

    This takes several seconds to connect.

    This adds the key to the known_hosts file within the .ssh folder for future reference.

  2. When you’re done:

    exit

  3. Use a package manager to download bits. On a CentOS or RHEL server:

    sudo yum -y install ansible

    Alternately, on a Debian or Ubuntu server:

    sudo apt-get -y install ansible

    Notice the log says Python is installed as well.

  4. Verify:

    ansible --version

Provision web server

  5. SSH into the web server via vagrant:

    vagrant ssh web

  6. Use a package manager to download bits:

    sudo yum -y install epel-release

Install by Compiling Source Code

  1. Install the C-language compiler used with Python:

    sudo yum install gcc

    sudo yum install python-setuptools

    sudo easy_install pip

    sudo yum install python-devel

    sudo pip install ansible


Configure Ansible Server

Linux machines instead install to:

/etc/ansible

But on Macs, as with all programs installed on a Mac by Homebrew:

Ansible executables

  1. Install the tree command if you haven’t already:

    brew install tree
  2. Construct the command to list files down to the 2nd level of the folder tree:

    tree /usr/local/Cellar/ansible/2.8.0 -sh -L 3 | less

    Press Enter to display more lines, q to quit.

    The programs that can be executed on the ACS (Ansible Control Server) CLI console are:

    • ansible -
    • ansible-config -
    • ansible-connection -
    • ansible-console -
    • ansible-doc -

    • ansible-galaxy -
    • ansible-inventory -
    • ansible-playbook -
    • ansible-pull -
    • ansible-vault -

Configure host nodes

Ansible works under the concept of “idempotence”, where repeated executions of the same script result in the same state at the end of each run. If something doesn’t exist, it is created. If something already exists, it is left alone and another isn’t created.

A function is “idempotent” if repeated applications have the same effect as a single (initial) invocation.

Ansible reads declarations of desired state (what is wanted after processing) rather than imperative programming commands (to do this and that in a specified sequence). This is like when you get in a taxi and you provide a destination address rather than providing turn-by-turn directions to that location.

This makes definitions more reusable.

Ansible-Galaxy Roles

  1. Install the Ansible-Galaxy CLI Python library:

    pip install ansible-tower-cli
  2. To download a particular role file from https://galaxy.ansible.com in the format:

    ansible-galaxy install username.role_name

    Example:

    ansible-galaxy install elastic.elasticsearch

CAUTION: When deleting a role, its dependencies are not deleted automatically, leaving orphans not used by the roles that remain.

Modules

Core Modules listed alphabetically:

  1. Get documentation on a specific module:

    ansible-doc lineinfile

    Press q to quit out of list.

    VIDEO see http://docs.ansible.com/ansible/latest/modules/modules_by_category.html

ad-hoc commands

  1. Run ansible without parameters to get list of options:

    ansible
  2. Install software on host:

    ansible node1 -i ansible/inv.ini \
    -b \
    -m yum \
    -a "name=httpd state=latest" \
    -f 100

    node1 is the host name

    -i specifies the inventory file and its path

    -b specifies “become” (run with elevated root permissions) to avoid permission errors

    -m yum specifies the yum module

    -a "name=httpd state=latest" specifies the arguments to the module, saying install the latest version of httpd (the http daemon web server)

    state=absent is specified instead to remove the program, since Ansible is declarative.

    -f specifies the number of forks (copies of Ansible running simultaneously)

    “SUCCESS” is the expected response.

  3. Check system properties (disk space, RAM)
  4. Check system performance

  5. Check log commands
  6. Check daemon up/down
  7. Process management

Steps Modules do

  1. Gather facts on hosts into variables such as ansible_os_family.
  2. Fetch md5 checksum from remote to verify downloaded file
  3. Create and manage local users and groups
  4. Enable and disable OS features and preferences

  5. Fetch files from remote sites
  6. Install software (web server, app server, database, virus scanner, etc.)
  7. Update software security patches
  8. Copy app configurations

  9. Copy files into server
  10. Call databases to retrieve data

  11. Enable service to start on reboot
  12. Start web service
  13. Deploy load balancer configurations (put in or take out server on rotation)

Playbooks

Let’s look at a playbook with full annotations:

Ansible with Cloud Formation

Book Ansible for AWS ($19.99+) by Yan Kurniawan provides Ansible playbook examples:

The book’s Twitter hashtag, #ansible4aws, has been inactive since 2016, when the book was done.

The book provides an Ansible module in folder: library/vpc_lookup

PROTIP: Each Ansible module is associated with a command, and returns JSON.

PROTIP: Disable host key checking in ssh configuration so ssh will automatically add new host keys to the user known_hosts file without asking (the default is “ask”). This gives up the check that the node you reach is the one whose key you saw before, so reserve it for throwaway lab hosts such as the Vagrant VMs above.

View sample configurations

  1. Use an internet browser to open https://galaxy.ansible.com/search?deprecated=false&order_by=-relevance&keywords=

  2. Search.

  3. Open a sample playbook.

    Playbooks are defined in .yml files, which begin with three dashes in the first line.

    Playbooks define plays, each consisting of one or more tasks.

    Tasks invoke modules.

    Tasks trigger handlers which run on some condition, usually once at the end of plays.

    Spaces after dashes and colons are required.

An Ansible config file defines the Ansible control server configuration.

Jeff Geerling

Notice that the most-downloaded repos are by @geerlingguy, Jeff Geerling (all-around nice guy and Drupal expert, jeffgeerling.com), who has been contributing to the Ansible community since early 2013.

In addition to series on Raspberry Pi and Drupal, he wrote ansiblefordevops.com (completed 2020-05-13 on LeanPub).

Code for the book is at https://github.com/geerlingguy/ansible-for-devops, which has an issue for each of 15 episodes of his Ansible 101 series on YouTube. He has chapter markers into each video at his blog plus Q&A (written in Markdown).

  1. Introduction to Ansible 2.9.6 and Python 3.7.6 on CentOS via dhcp.

    “DevOps is a philosophy”. Use pip3 install ansible

  2. Ad hoc tasks and Inventory

  3. Introduction to Playbooks

  4. Your first real world playbook

  5. Playbook handlers, environment vars, etc

  6. Ansible Vault and Roles

    BOOK chapter 5.

    Inside the Ansible main.yml:

    API_KEY: ""
    

    [15:16] To encrypt the file, replace it with:

    ansible-vault encrypt vars/api_key.yml
    

    [17:40] Reference a password file:

    ansible-playbook main.yml --vault-password-file ~/.ansible/api-key-pass.txt
    

    [18:05] Re-Encrypt with a new key without decrypting:

    ansible-vault rekey vars/api_key.yml
    
    ansible-playbook main.yml --ask-vault-pass
    

    Include another file with import_tasks: tasks/apache.yml

  7. Molecule Testing and Linting and Ansible Galaxy

  8. Playbook testing with Molecule and GitHub Actions CI

  9. First 5 min. server security with Ansible

  10. Ansible Tower and AWX

  11. Dynamic Inventory and Smart Inventories

  12. Real-world Ansible Playbooks

  13. Ansible Collections and a Test Plugin

  14. Ansible and Windows

  15. [Blog] Ansible Final LIVE Q&A

Jeff’s https://github.com/geerlingguy/mac-dev-playbook provides tools to install executables on MacOS using Ansible.

https://github.com/geerlingguy/ansible-role-dotfiles

Ansible Vault Encryption

  1. To encrypt a file so it can be stored in a repository such as GitHub:

    ansible-vault encrypt file.yml --ask-vault-password

    Adding no_log: true to a task censors its log output.

    The rekey subcommand resets the password.

Encrypted data within playbooks stored in GitHub can be unencrypted in memory using Ansible Vault.

Templates

In the templates folder are Ansible template files, which contain placeholders that resolve to variables defined in other files, such as: ``.

---
- hosts: webservers
  tasks:
    - name: ensure apache is at the latest version
      yum: name=httpd state=latest
    - name: write the apache config file
      template: src=/srv/httpd.j2 dest=/etc/httpd.conf
   

Template files have the .j2 file extension because they are processed by the Jinja2 templating engine that comes with the Ansible installer. Written in Python, Jinja2 is also used by Django, Flask, and other Python frameworks.

Role files

Role files encapsulate instructions on how Ansible performs a discrete unit of work, such as building a webserver.

A role folder contains sub-folders with these names:

acme_sample/
  webserver/
    README.md
    defaults/ - default variables, entered via main.yml
    files/
    handlers/ - tasks flagged to run using the notify keyword
    meta/main.yml - role dependencies and configurations such as allow_duplicates
    tasks/
    templates/
    tests/
    vars/

The main.yml in meta defines dependencies:

---
galaxy_info:
  author: John Doe
  description: Quick and easy acme web installer.
  company: Acme
  license: MIT
  min_ansible_version: 1.9
  platforms:
  - name: EL
    versions:
    - all
  galaxy_tags:
    - acme
    - installer
    - web
dependencies:
  - { role: username.common, some_parameter: 3 }
  - { role: username.iptables, open_port: 80 }

The role_use.yml file?


Tasks

Ansible tasks are commands executed from command line terminals.

Tasks are shareable and repeatable.

Inventory file

Ansible inventory files list hosts and can be defined within:

/etc/ansible/hosts

The file is in .ini format or yml format:

   [webservers]
   192.168.33.20
   192.168.33.30  ansible_connection=ssh ansible_user=mpdehaan

   [webservers:vars]
   webserver_port=2222

   [db]
   db-a.example.com

   [lbservers]
   lbserver  http_port=80 maxRequestsPerChild=808

   [monitoring]
   nagios
   

Group names are defined within square brackets. Groups are referenced in playbooks.

Variables applicable to all items within a group can be defined. What’s wrong with the example?

To get the status of servers under [webservers] in the inventory file above:

ansible webservers -m ping

PROTIP: Inventory files should not contain variables.

In addition to this ad-hoc run, Ansible can be run based on the contents of Playbooks with a command such as:

ansible-playbook file.yml

Add -v for more detailed response.

Such inventory files are typically kept in a Git repository.

Inventory files can be dynamic, issued by a program that writes JSON to STDOUT. Examples are Cobbler, LDAP, clouds such as AWS EC2, retrieving from a CMDB, etc.

ansible all -i dynamic.py -m ping

The inventory script itself must respond to two arguments: --list and --host [hostname].

The --list argument must return a JSON-encoded hash or dictionary containing all groups that are part of the inventory. The groups must include all host and child group information.

{
  "httpd": {
    "hosts": ["httpd1", "httpd2"],
    "vars": {
      "httpd_port": 80
    },
    "children": ["cdn"]
  },
  "cdn": {
    "hosts": ["cdn1", "cdn2"],
    "vars": {
      "content_dir": "/var/www/content"
    },
    "children": []
  }
}

The --host [hostname] argument must return either an empty JSON hash or dictionary, or a hash or dictionary of variables to make available to templates and playbooks.

{
    "VAR001": "VALUE",
    "VAR002": "VALUE"
}
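As an added example (a hypothetical script, not code from this page or the Ansible project), here is a dynamic inventory in Python that covers both passages above: it parses an INI-style inventory like the one shown under “Inventory file” (embedded here as a constructed sample, with an extra [prod:children] section) and answers --list and --host in the JSON shape Ansible expects, including the optional _meta.hostvars block.

```python
#!/usr/bin/env python3
"""Dynamic inventory: parse an INI-style inventory and answer --list / --host
the way `ansible -i dynamic.py ...` expects. Hypothetical example script."""
import json
import sys

# Constructed sample mirroring the static INI inventory on this page, plus a
# [prod:children] section so the children code path is exercised.
INVENTORY_INI = """\
[webservers]
192.168.33.20
192.168.33.30  ansible_connection=ssh ansible_user=mpdehaan

[webservers:vars]
webserver_port=2222

[db]
db-a.example.com

[lbservers]
lbserver  http_port=80 maxRequestsPerChild=808

[prod:children]
webservers
db
"""

def _kv_pairs(tokens):
    """['a=1', 'b=x'] -> {'a': '1', 'b': 'x'}. Values stay strings here;
    Ansible's own INI parser additionally coerces numeric literals."""
    pairs = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        pairs[key] = value
    return pairs

def parse_ini_inventory(text):
    """Return (groups, hostvars). groups maps a name to
    {"hosts": [...], "vars": {...}, "children": [...]}; hostvars collects
    the inline per-host variables such as ansible_user."""
    groups, hostvars = {}, {}
    section, kind = None, None  # current group and kind: hosts|vars|children

    def group(name):
        return groups.setdefault(name, {"hosts": [], "vars": {}, "children": []})

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            kind = kind or "hosts"
            if kind not in ("hosts", "vars", "children"):
                raise ValueError(f"unknown section type in [{line[1:-1]}]")
            group(section)
            continue
        if section is None:  # hosts listed before any header are "ungrouped"
            section, kind = "ungrouped", "hosts"
        if kind == "hosts":
            tokens = line.split()
            host = tokens[0]
            if host not in group(section)["hosts"]:
                group(section)["hosts"].append(host)
            hostvars.setdefault(host, {}).update(_kv_pairs(tokens[1:]))
        elif kind == "vars":
            group(section)["vars"].update(_kv_pairs([line]))
        else:
            group(section)["children"].append(line)
            group(line)  # a child group exists even when it lists no hosts
    return groups, hostvars

def inventory_list(groups, hostvars):
    """--list output. The optional _meta.hostvars block lets Ansible skip a
    separate --host call for every host."""
    out = {name: dict(g) for name, g in groups.items()}
    out["_meta"] = {"hostvars": hostvars}
    return out

def host_vars(hostvars, name):
    """--host <name> output: that host's variables, or {} if it is unknown."""
    return dict(hostvars.get(name, {}))

def main(argv):
    groups, hostvars = parse_ini_inventory(INVENTORY_INI)
    if len(argv) == 2 and argv[1] == "--list":
        print(json.dumps(inventory_list(groups, hostvars), indent=2))
    elif len(argv) == 3 and argv[1] == "--host":
        print(json.dumps(host_vars(hostvars, argv[2]), indent=2))
    else:
        sys.exit("usage: dynamic.py --list | --host <hostname>")

if __name__ == "__main__":
    main(sys.argv)
```

Ansible decides which mode to call the script in, so the same file serves `ansible -i dynamic.py all -m ping` and `ansible-inventory -i dynamic.py --list`.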

Create inventory

To create a simple Ansible inventory on the control node in /home/ansible/inventory containing node1 and node2:

  1. On the control host:

    sudo su - ansible (if not already ansible user)
    touch /home/ansible/inventory
    echo "node1" >> /home/ansible/inventory
    echo "node2" >> /home/ansible/inventory
    

Modules in various languages

Unlike Puppet, Ansible does not require agent software to be installed and thus potentially leave residual bits on servers.

Modules are the “brains” of Ansible.

Various modules running on remote hosts provide the plumbing for other networking protocols, such as HTTP, running on remote machines.

List of available modules, or locally:

ansible-doc -l

Press q to quit list, cursor up/down individual line, or space bar to page down.

Responses returned to the Ansible Control Server are in JSON messages.

Write Custom Module

Modules (hopefully written by following Module Development Guide) can be selected from various sources:

Ansible Module development can be in any dynamic language, not just Python on the server.
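As an added example (a hypothetical module named ensure_line with arguments path, line and state; not code from this page or the Ansible project), here is a small custom module in Python. Because the source contains the marker string WANT_JSON, Ansible writes the task arguments to a JSON file and passes its path as the first argument; the module prints one JSON result. It behaves idempotently in the sense described under “Configure host nodes”: the first run changes the file, repeated runs report changed=false.

```python
#!/usr/bin/env python3
"""Hypothetical custom module `ensure_line`, written in the WANT_JSON style:
Ansible passes a JSON file of task arguments as argv[1]; we print one JSON
object with a "changed" flag that reports idempotently."""
import json
import os
import sys

WANT_JSON = True  # marker string Ansible looks for in the module source

def ensure_line(path, line, state="present"):
    """Ensure `line` is present in (or absent from) the file at `path`.

    Idempotent: a run that finds the desired state already holding
    writes nothing and reports changed=False."""
    if state not in ("present", "absent"):
        raise ValueError(f"state must be present or absent, got {state!r}")
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        lines = []  # a missing file simply has no lines yet

    present = line in lines
    if state == "present" and not present:
        lines.append(line)
        changed = True
    elif state == "absent" and present:
        lines = [l for l in lines if l != line]
        changed = True
    else:
        changed = False  # desired state already holds: nothing to do

    if changed:
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write("".join(l + "\n" for l in lines))
        os.replace(tmp, path)  # atomic swap: never leave a half-written file
    return {"changed": changed, "path": path, "line": line, "state": state}

def run_module(args):
    """Validate the argument dict and return the JSON-serialisable result
    that Ansible will parse from stdout."""
    missing = [k for k in ("path", "line") if k not in args]
    if missing:
        return {"failed": True,
                "msg": "missing required arguments: " + ", ".join(missing)}
    try:
        return ensure_line(args["path"], args["line"], args.get("state", "present"))
    except (OSError, ValueError) as exc:
        return {"failed": True, "msg": str(exc)}

def main():
    with open(sys.argv[1], encoding="utf-8") as fh:
        args = json.load(fh)
    result = run_module(args)
    print(json.dumps(result))
    sys.exit(1 if result.get("failed") else 0)

if __name__ == "__main__":
    main()
```

Dropped into a playbook's library/ folder, it is invoked like any other module, for example `ensure_line: path=/etc/motd line="Managed by Ansible"`.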


Windows support

Ansible’s native Windows support uses Windows PowerShell remoting to manage Windows like Windows in the same Ansible agentless way that Ansible manages Linux like Linux.

SSH into Hosts

To configure sudo access for Ansible on node1 and node2 such that Ansible may use sudo for any command with no password prompt.

  1. Log in to node1 and edit the sudoers file to contain appropriate access for the ansible user:

    ssh cloud_user@node1
    sudo visudo
  2. Add the following line to the file and save:

    ansible    ALL=(ALL)       NOPASSWD: ALL
  3. Repeat the above steps for node2.

    Next, verify that each managed node is able to be accessed by Ansible from the control node using the ping module. Redirect the output of a successful command to /home/ansible/output.

  4. To verify each node, run the following as the ansible user from the control host:

    ansible -i /home/ansible/inventory node1 -m ping

    ansible -i /home/ansible/inventory node2 -m ping

  5. To redirect output of a successful command to /home/ansible/output:

    ansible -i /home/ansible/inventory node1 -m ping > /home/ansible/output

Python Ansible Control Server on Linux, not Windows

New major releases of Ansible come out approximately every two months, with release cycles of about four months.

PROTIP: Ansible was written in Python 2.6+ and open-sourced within GitHub’s ansible organization. Thus, it runs natively on NIX (Linux/Unix/Mac), but Windows is not currently supported nor recommended as the control server. However, you can run virtual instances on Windows, Mac, or another native OS if you want to use them to run Ansible.

To build Ansible from source on GitHub:

git clone https://github.com/ansible/ansible.git --recursive
cd ./ansible
make rpm
sudo rpm -Uvh ./rpm-build/ansible-*.noarch.rpm

--recursive is needed because the repo contains sub-repos.

The “ansible_python_interpreter” variable in inventory points to the Python executable to use on the host.

Python to WinRM

To enable Python to talk with Windows WinRM:

    sudo pip install pywinrm

  1. Test whether a connection can be made (Test-WsMan is a PowerShell cmdlet):

    Test-WsMan 192.168.5.3

    https://github.com/PowerShell/PowerShell/issues/1883

https://github.com/PowerShell/PowerShell/blob/master/docs/KNOWNISSUES.md#remoting-support (WinRM does not run within MacOS 10 PowerShell)

https://quizlet.com/178078947/ansible-devops-automation-mamun-flash-cards/

https://github.com/PowerShell/psl-omi-provider

VIDEO: Getting Started with Ansible on Windows 1h 23m Released 21 Jun 2016 by JP Toto (@jptoto, jptoto.jp) shows use of a Mac running Vagrant VirtualBox to emulate Windows.

Windows

This yaml file launches the hello.ps1 PowerShell script:

- name: Run Powershell Scripts
  hosts: test
  tasks:
    - name: run a powershell script
      script: scripts/hello.ps1
      register: out
    - debug: var=out
   

The script:

https://github.com/dstamen/Ansible/tree/master/ansible_powershell

See http://davidstamen.com/ansible/using-ansible-to-run-powershell-scripts/

To execute the script, run:

ansible-playbook powershell.yml -i hosts


Playbooks

Play behavior can be controlled in several ways, using task keywords such as:

   with_items
   failed_when
   changed_when
   until
   ignore_errors

Register Output to Variable

To capture the result or output of a task so that follow-on tasks can act accordingly:

  tasks:
    - shell: /usr/bin/whoami
      register: username
    - debug: msg="Host={{ inventory_hostname }}, User={{ username.stdout }}"
    - file: path=/home/myfile.txt
            owner={{ username.stdout }}

Conditional Handlers

An example:

  tasks:
    - name: Deploy configuration file
      template: src=templates/httpd.j2 dest=/etc/httpd/conf/httpd.conf
      notify:
        - Restart Apache
  handlers:
    - name: Restart Apache
      service: name=httpd state=restarted

NOTE: .j2 files are processed by Jinja2, the template engine for Python, which replaces the variables in a template file with data values to produce the static file.

Another example:

---
- name: Testing forced handler
  hosts: testsys_only
  gather_facts: True

  tasks:
    - name: 'Run legacy script and power off'
      debug: msg="Preparing for reboot"
      changed_when: true
      notify: Legacy sysprep

  handlers:
    - name: Enable Service1
      service: name=service1 enabled=yes state=restarted

    - name: Legacy sysprep
      shell: /var/scripts/prep-reboot.sh

Register the result of a task in a variable; a later debug task can then test that variable and print a message if the earlier task failed. ignore_errors keeps the play running so the debug task is actually reached:

  tasks:
    - command: ls /bad/path
      register: result
      ignore_errors: yes

    - debug: msg="Failure!"
      when: result is failed

NOTE: Handlers don’t run until all playbook tasks have executed.

  tasks:
    - copy: src=files/httpd.conf
            dest=/etc/httpd/conf/
      notify:
        - Apache Restart
  handlers:
    - name: Apache Restart
      service: name=httpd state=restarted

NOTE: A particular handler only executes once if needed.

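To make the handler rules in the notes above concrete (notify fires only from a task that reports changed, a handler queued several times runs once, and handlers run only after every task, in the order they are defined), here is a toy model of that ordering. It is an added example written for this page, not Ansible's own code: the task and handler names are taken from the snippets above, and the shell/debug stand-ins are constructed so the model runs offline. It also covers the register/when, changed_when, failed_when and ignore_errors keywords listed under Playbooks.

```python
"""Added example: a toy model of how Ansible orders tasks and handlers.

Not Ansible code; it exists to make the rules above concrete: a handler is
notified only by a task that reports changed (changed_when can force that),
each notified handler runs once, and handlers run after all tasks, in the
order they are defined. It also models register, when, failed_when and
ignore_errors from the snippets above.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Result:
    rc: int = 0
    stdout: str = ""
    changed: bool = False
    failed: bool = False
    skipped: bool = False


@dataclass
class Task:
    name: str
    action: Callable[[], Result]                 # stands in for the module call
    notify: List[str] = field(default_factory=list)
    register: Optional[str] = None
    when: Optional[Callable[[dict], bool]] = None
    changed_when: Optional[Callable[[Result], bool]] = None
    failed_when: Optional[Callable[[Result], bool]] = None
    ignore_errors: bool = False


class PlayFailed(Exception):
    """A task failed and ignore_errors was not set: the play stops, handlers never run."""


def run_play(tasks: List[Task], handlers: Dict[str, Callable[[], None]]) -> Tuple[dict, List[str]]:
    facts: dict = {}               # registered variables live here
    notified: List[str] = []       # de-duplicated: a handler is queued at most once
    for task in tasks:
        if task.when is not None and not task.when(facts):
            res = Result(skipped=True)
        else:
            res = task.action()
            if task.changed_when is not None:       # override the module's own verdict
                res.changed = task.changed_when(res)
            res.failed = task.failed_when(res) if task.failed_when else res.rc != 0
        if task.register:
            facts[task.register] = res
        if res.failed and not task.ignore_errors:
            raise PlayFailed(f"{task.name}: rc={res.rc}")
        if res.changed:
            for h in task.notify:
                if h not in notified:
                    notified.append(h)
    # Flush: handlers run now, after every task, in definition order, once each.
    ran: List[str] = []
    for name, handler in handlers.items():
        if name in notified:
            handler()
            ran.append(name)
    return facts, ran


def example_play() -> dict:
    """Constructed play mirroring the snippets above; returns what happened, in order."""
    events: List[str] = []

    def shell(rc: int = 0, out: str = "") -> Callable[[], Result]:
        return lambda: Result(rc=rc, stdout=out, changed=True)   # shell always reports changed

    def debug(msg: str) -> Callable[[], Result]:
        def run() -> Result:
            events.append(f"debug:{msg}")
            return Result(changed=False)                          # debug never changes anything
        return run

    def handler(name: str) -> Callable[[], None]:
        return lambda: events.append(f"handler:{name}")

    tasks = [
        Task("Deploy configuration file", shell(), notify=["Restart Apache"]),
        Task("Deploy vhost", shell(), notify=["Restart Apache"]),        # same handler, queued once
        Task("Run legacy script", debug("Preparing for reboot"),
             changed_when=lambda r: True, notify=["Legacy sysprep"]),    # forced notify
        Task("ls /bad/path", shell(rc=2), register="result", ignore_errors=True),
        Task("report", debug("Failure!"), when=lambda f: f["result"].failed),
        Task("whoami", shell(out="deploy"), register="username", changed_when=lambda r: False),
    ]
    handlers = {"Enable Service1": handler("Enable Service1"),   # defined but never notified
                "Restart Apache": handler("Restart Apache"),
                "Legacy sysprep": handler("Legacy sysprep")}
    facts, ran = run_play(tasks, handlers)
    return {"events": events, "handlers_run": ran, "user": facts["username"].stdout}


if __name__ == "__main__":
    print(example_play())
```

The event list shows both debug messages before any handler, Restart Apache running once despite two notifications, and Enable Service1 never running because nothing notified it; a task that fails without ignore_errors raises before the flush, which is why a failed play leaves handlers unrun.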


Config. settings

Variables can be defined in different locations. Ansible looks for its configuration file in this sequence, and stops searching once it finds one:

  1. $ANSIBLE_CONFIG system environment variable
  2. ./ansible.cfg in the current directory
  3. ~/.ansible.cfg ($HOME directory of the currently logged-in account)
  4. /etc/ansible/ansible.cfg global config. file installed by default
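The search order above as a small function, added here for this page and not taken from Ansible's source. It also applies the one security rule Ansible attaches to that order: the ./ansible.cfg in the current directory is skipped when that directory is world-writable, because otherwise anyone with write access to a shared directory could plant a config that changes, for example, where plugins and modules are loaded from. The filesystem checks are passed in as callables so the function runs offline; the real_* adapter and the __main__ block show it against a live machine.

```python
"""Added example: the ansible.cfg search order above as a small, testable function.

This is a model written for this page, not Ansible's own code. The filesystem
checks are injected as callables so it runs offline; a real_* adapter is given
for use on a live machine.
"""
import os
import stat
from typing import Callable, List, Mapping, Optional


def candidate_paths(env: Mapping[str, str], cwd: str, home: str,
                    world_writable: Callable[[str], bool]) -> List[str]:
    """Build the ordered candidate list, applying Ansible's one security rule:
    ./ansible.cfg is skipped when the current directory is world-writable,
    since anyone could drop a config there that redirects e.g. plugin paths."""
    paths: List[str] = []
    if env.get("ANSIBLE_CONFIG"):
        paths.append(env["ANSIBLE_CONFIG"])                  # 1. explicit override
    if not world_writable(cwd):
        paths.append(os.path.join(cwd, "ansible.cfg"))       # 2. project-local
    paths.append(os.path.join(home, ".ansible.cfg"))         # 3. per-user dotfile
    paths.append("/etc/ansible/ansible.cfg")                 # 4. system-wide
    return paths


def find_ansible_cfg(env: Mapping[str, str], cwd: str, home: str,
                     exists: Callable[[str], bool],
                     world_writable: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate that exists, or None (Ansible then uses built-in defaults).
    Note that a nonexistent $ANSIBLE_CONFIG path simply falls through to the next candidate."""
    for path in candidate_paths(env, cwd, home, world_writable):
        if exists(path):
            return path
    return None


def real_world_writable(path: str) -> bool:
    """Live-filesystem adapter: is the 'other' write bit set on this directory?"""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    print(find_ansible_cfg(os.environ, os.getcwd(), os.path.expanduser("~"),
                           os.path.isfile, real_world_writable))
```

A practical consequence: if a playbook suddenly ignores the project's ansible.cfg, check the permissions of the directory you ran it from before looking anywhere else.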

ansible.cfg

Edit the file to make common changes, such as:

$ANSIBLE_CONFIG

An example of an environment variable from the full list of Ansible configuration settings is:

   ANSIBLE_FORKS=5

This sets the maximum number of parallel operations allowed on an Ansible server, a value determined through performance and capacity testing.

Include files

  tasks:
    - include_tasks: wordpress.yml
      vars:
        sitename: My Site
    - include_vars: variables.yml

Roles

Daemon Sets

Scalyr.com has a DaemonSet for Kubernetes monitoring.

Rolling updates

Ansible achieves zero-downtime deployments with multi-tier rolling updates to each specific node in a cluster.

This play takes 5 machines at a time out of the cluster, updates them, and puts them back:

   - hosts: webservers
     serial: 5

     pre_tasks:
       - name: take out of load balancer pool
         local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }}

     roles:
       - common
       - webserver
       - monitored

     post_tasks:
       - name: add back to load balancer pool
         local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }}

Social Community

  1. Link to GitHub https://galaxy.ansible.com/accounts/github/login/
  2. Confirm email.

Tutorials

Ansible Basics: Automation Technical Overview (DO007)

$10,000 10-day Ansible Automation Platform Boot Camp (DO710) for Linux administrators and developers to learn how to automate Linux system administration tasks with Ansible Automation Platform, manage complex automation workflows at scale, and evaluate automation performance. Enrollment includes 1 year of Red Hat Learning Subscription Standard with unlimited access to all online courses and up to 5 certification exams.

DO007: ANSIBLE BASICS: AUTOMATION TECHNICAL OVERVIEW Create, scale, and manage automation with Red Hat Ansible Automation Platform with Ansible Basics: Automation Technical Overview (DO007).

EX374: RED HAT CERTIFIED SPECIALIST IN DEVELOPING AUTOMATION WITH ANSIBLE AUTOMATION PLATFORM EXAM This exam tests your ability to automate system administration tasks using Ansible Automation Platform.

RH294: Red Hat Linux Automation with Ansible (RH294) teaches how to automate provisioning, configuration, app deployment, and orchestration.

Certifications

Red Hat Certified Specialist in Managing Automation.

EX467: Red Hat Certified Specialist in Managing Automation with Ansible Automation Platform exam tests your ability to automate system administration tasks at scale using Ansible Automation Platform automation hub and automation controller.

EX417: Red Hat Certified Specialist in Microsoft Windows Automation with Ansible Exam: a performance-based exam to assess candidates’ skills and knowledge of managing Microsoft Windows® systems using Red Hat Ansible Automation Platform.

EX457: Red Hat Certified Specialist in Ansible Network Automation exam: a performance-based test used to assess the skills and knowledge to manage network infrastructure using Red Hat® Ansible®.

EX447: Retired - Red Hat Certified Specialist in Advanced Automation: Ansible Best Practices exam. A Red Hat Certified Specialist in Advanced Automation: Ansible Best Practices has validated mastery of Red Hat Ansible and knowledge of Ansible Tower.

Videos

Videos of AnsibleFest going back to 2016 in London and 2017 San Francisco.

MEH: Red Hat’s video channel and Red Hat Summit don’t have a playlist specifically for Ansible.

Tim Gerla of Ansibleworks:

Gwyn Price:

Misc

The diagram is based on https://www.ansible.com/how-ansible-works:

https://github.com/sthulb-attic/laptop-osx by @sthulb, an Amazon Solution Architect

https://hvops.com/articles/ansible-post-install/


Resources

https://learning.oreilly.com/course/ansible-from-basics/9780137894949/

https://github.com/sandervanvugt/ansiblefundamentals

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible
  53. Kubernetes Operators
  54. OPA (Open Policy Agent) in Rego language

  55. MySQL Setup

  56. Threat Modeling
  57. SonarQube & SonarSource static code scan

  58. API Management Microsoft
  59. API Management Amazon

  60. Scenarios for load
  61. Chaos Engineering