DevOps/Ansible

Ansible is software for automate task, you can automates software provisioning, configuration management, application deployment and general orchestration, ansible design is based on modules, execute ansible-doc -l to view your available modules or check list of official modules in the documentation: https://docs.ansible.com/ansible/latest/modules/modules_by_category.html.

Install Ansible binaries using yum or apt-get depending on your linux distribution, or pip on MacOS on your computer, not necessary on your managed nodes, then allows server access to your managed clients configuring automatic ssh key authentication.

• macOS: brew install ansible
• Ubuntu (latest version): sudo apt update && sudo apt install software-properties-common && sudo apt-add-repository -y ppa:ansible/ansible && sudo apt update && sudo apt install ansible -y^[1]

Following binaries will be installed:

/usr/bin/ansible
/usr/bin/ansible-playbook

/usr/bin/ansible-config                           View, edit, and manage ansible configuration.
/usr/bin/ansible-console                          REPL console for executing Ansible tasks
/usr/bin/ansible-galaxy                           Command to manage Ansible roles in shared repostories, the default of which is Ansible Galaxy https://galaxy.ansible.com

/usr/bin/ansible-pull                             Pulls playbooks from a VCS repo and executes them for the local host        

/usr/bin/ansible-doc                              Displays information on modules installed in Ansible libraries
/usr/bin/ansible-inventory                        Used to display or dump the configured inventory as Ansible sees it

/usr/bin/ansible-connection                       -
/usr/bin/ansible-vault                            Encryption/decryption utility for Ansible data files

• ansible-config view

There are at least two configuration files in Ansible:

• /etc/ansible/hosts^[2], text configuration file for managed nodes, or inventory in Ansible terminology, in INI or YAML format.
• /etc/ansible/ansible.cfg^[3][4] general configuration file.

https://www.digitalocean.com/community/tutorials/how-to-manage-multistage-environments-with-ansible Inventory is defined in /etc/ansible/hosts file. It allows you to define your managed hosts by hostname or IP address, and group them, such as "my_webservers_group" in our example in INI format.

Groups of groups, hierarchies, is also supported using (:children) keyword: [YOUR_NEW_GROUP_OF_GROUPS:children] ^[5]

#This is a example of a host configuration file. You can use # to include your comments on hosts file

foo_server.example.com
192.168.6.1
bar_server.example.com

[my_webservers_group]
foo5.example.com
bar6.example.com

[my_dbservers_group]
onedb1.example.com
twodb.example.com

#Example of a server alias on standard Ansible port
my_local_defined_hostname ansible_host=192.0.2.50

#Example of a server alias on a non standard Ansible port

my_jumper_server_alias ansible_host=192.0.2.50 ansible_port=5555

You can also read Ansible best practices^[6]

Basic operations with your inventory:

• List managed hosts:

ansible all --list-hosts

ansible YOUR_GROUP --list-hosts

ansible-inventory --graph

ansible-inventory --list

To filter just one group of host: ansible-inventory --list | jq '.["YOUR_GROUP_NAME"]'

• List defined groups

ansible localhost -m debug -a 'var=groups.keys()'

ansible localhost -m debug -a 'var=groups'

• Connect to remote host and verify python, it will not do a network ping to remote host, connect to host and test python:

ansible HOSTNAME -m ping (-m parameter stands for module)^[7]

• Execute "uptime" in HOSTNAME:

ansible HOSTNAME -a "uptime" (-a module arguments, in this case command to execute)

• Connect to HOSTNAME and execute uptime command with raw module, raw module do not need python.

ansible HOSTNAME -m raw -a uptime

• Execute "echo hello" in all your managed nodes:

ansible all -a "/bin/echo hello" (-a expect module arguments)

• Connect and display gathered facts, do not setup anything.

ansible all -m setup

ansible all -m setup --tree out/

• Execute commands on a machine:

ansible MACHINE_NAME -m shell -a COMMAND

• List available modules:

ansible-doc -l

• Execute a user defined task definition or playbook:

ansible-playbook my_new_created_playbook.yml

• Execute a user defined task definition or playbook with command line variables:

ansible-playbook my_new_created_playbook.yml -e "YOUR_USERNAME_VAR=YOUR_USERNAME_VALUE"

-e: --extra-vars as key=value or YAML/JSON

ansible-galaxy^[8] to manage roles

• ansible-galaxy init <ROLE_NAME>
• ansible-galaxy search YOUR_SEARCH
• ansible-galaxy list
• Installing roles:
  • ansible-galaxy installoVirt.ovirt-ansible-roles^[9]
  • ansible-galaxy installPaloAltoNetworks.paloaltonetworks

See also: import_role https://docs.ansible.com/ansible/latest/modules/import_role_module.html#import-role-module

• Support for saving encrypted information (passwords, API Keys ...) in playbooks using Ansible Vault (ansible-vault^[10]) since 2014

Configuration of ansible is done in /etc/ansible/ansible.cfg, you can tune some configurations. Check official documentation ^[11] or some example configuration file.^[12].

Use become^[13] in your playbook and execute with --ask-become-pass parameter.

Use --ask-pass if you do not have private public key configuration.

vi create_user.yml

#!/usr/bin/env ansible-playbook --ask-become-pass

- hosts: REMOTE_SERVER
  become: yes
  tasks:

  - user:
      name: USERNAME
      shell: /bin/bash
      groups: sudo 
      append: yes
      password_lock: yes

  - authorized_key:
      user: USERNAME
      state: present
      key: "{{ lookup('file', '/home/USERNAME/.ssh/id_ed25519_USERNAME.pub') }}"

./create_user.yml

See also: Create a new user in a group of servers and provided ssh access using its public ssh key

Beginner:

1. Read how to use Ansible cheatsheet: https://www.digitalocean.com/community/tutorials/how-to-use-ansible-cheat-sheet-guide
2. Read Ansible blog: https://www.ansible.com/blog
3. Read StackOverflow questions about Ansible: https://stackoverflow.com/questions/tagged/ansible?tab=Votes
4. Create your first playbooks:
   1. Create a new user in a group of servers and provided ssh access using its public ssh key
   2. Configure user to be able to use sudo with no password
   3. Add a repository (apt_repository module)
   4. Use loops in task

Intermediate

1. Install and configure sysstat using Ansible
2. Modify ssh client Ansible uses to connect: change it from Paramiko to openssh client and modify ControlPersist in ssh_args option. Do it in your ansible.cfg file. (Note than Ansible will use a different ControlPath that your openssh configuration. Default to: ~/.ansible/cp)
3. Read about Ansible Roles (similar to modules in puppet and cookbooks in Chef): https://linuxacademy.com/blog/linux-academy/ansible-roles-explained/: ansible-galaxy init <ROLE_NAME>
4. Read about Reusable Playbooks: Dynamic vs. Static and Tradeoffs and Pitfalls Between Includes and Imports ^[14]

Advanced:

1. Increase default forks configuration variable (default configuration is 5 forks) in /etc/ansible/ansible.cfg and verify how your execution time increase or decrease. Use: ^[15]
2. Use Ansible ovirt-RHV module (ovirt_vm) to create KVM virtual machines^[16]
3. Read Release Notes: Ansible changelog and versions: v2.9^[17], v2.8^[18], v2.7^[19].
4. Read Ansible Code: git clone https://github.com/ansible/ansible.git

• Chef, cdist, capistrano and puppet
• Terraform
• ansible-cmdb $ mkdir out && ansible all -m setup --tree out/ && ansible-cmdb out/ > overview.html
• DevOps/SaltStack
• lookup
• Playbooks, Modules, Blocks^[20] (since 2016) and Roles
• Configuration management software: https://en.m.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software