
11 July 2017

ANSIBLE: Configuration management tool for Infra automation
Ansible is an agent-less task execution engine used for configuring, managing and installing software on client nodes without downtime and without installing any agent on them.
It uses SSH to communicate with the clients.
Every node must have Python installed, and the steps should be carried out as a dedicated ansible user rather than as root.
Ansible needs:
  • SSH connection
  • a user
  • python 2.4+

  • It works on a 'push' principle: it pushes modules from the control machine/VCS to the servers directly, without any intermediate client or agent
  • Its Playbooks are written in YAML (YAML Ain't Markup Language)

Overview of an Ansible playbook

- Ansible contains playbooks
- A playbook has a number of plays
- A play contains tasks
- A task calls core or custom modules
- A task can use templates
- Handlers are triggered by notify; they are executed at the end of the play, and only once

- Ansible ships with more than 750 modules, and you can also write your own custom modules.
- Modules get executed when you run a playbook against your 1..n nodes.
- For connectivity it uses:
  • password-less SSH, by generating a key pair and installing the public key on all your nodes
  • connection plugins

To get started quickly with Ansible, try my docker image:

pull : docker pull punitporwal07/ansible:2.6
run : docker run -it punitporwal07/ansible:2.6
test: ./

By default the ansible package is not available in some yum repositories, so you need to enable/add the EPEL (Extra Packages for Enterprise Linux) repository, which is maintained by the Fedora Project:

$ rpm -ivh
$ yum install ansible -y

Installing Ansible on Ubuntu:
$ yum update -y
$ apt-get update
$ apt-get install ansible
$ sudo yum install ansible -y
$ ansible --version

Prepare an SSH key for the remote hosts
Switch to the ansible user:
$ ssh-keygen -t rsa                              --> press enter at each prompt
$ ssh-copy-id -i ~/.ssh/id_rsa.pub ansible@node  --> enter the password for each node
(which will bypass the host-key-check)

Test using:
$ ansible -m ping all
To supply a sudo password: ansible-playbook <playbook> --ask-sudo-pass (it will prompt for the sudo password)


Inventory: /etc/ansible/hosts (default location)
It provides the list of target IP addresses/hostnames, which can be grouped, for example:

localhost ansible_connection=local



How ansible commands are structured

ansible <host-group>  -m <module>  -a "<arguments to module>"

ansible  localhost    -m yum    -a "name=nginx state=latest"
ansible  allserver    -m shell  -a 'uptime'
ansible  appserver    -m user   -a "name=red group=oracle shell=/bin/bash"

Ad-hoc commands
ansible all -a 'uptime'   (determine the uptime of all machines)
ansible -m ping all       (test the connection to all hosts defined in the host inventory)

Some example playbooks

# simple playbook to install apache (apache.yml)
# 'sudo: yes' is the old play keyword; newer Ansible releases use 'become: yes'
- hosts: webserver
  sudo: yes
  tasks:
    - name: install apache2
      apt: name=apache2 update_cache=yes state=latest

run as:
$ ansible-playbook apache.yml --ask-sudo-pass

# simple playbook to install java (java.yml)
- hosts: appserver
  remote_user: red
  tasks:
    - name: Unpack java archive
      unarchive:
        src: /software/bea/java/jdk-8u172-linux-x64.tar.gz
        dest: /software/bea/java/
        remote_src: yes   # the archive is already on the remote host

run as:
$ ansible-playbook java.yml

# simple playbook to install nginx (nginx.yml)
- hosts: webserver
  tasks:
    - name: install nginx web server
      apt: pkg=nginx state=installed update_cache=true
      notify: start nginx   # triggers the handler below, once, at the end of the play

  handlers:
    - name: start nginx
      service: name=nginx state=started

run as:
$ ansible-playbook nginx.yml

Ansible vault

You can use this Ansible utility to secure sensitive data such as passwords and keys.
Some useful ansible-vault commands:

$ ansible-vault encrypt <file>   (encrypt any file)
$ ansible-vault edit <file>      (edit an encrypted file)
$ ansible-vault view <file>      (view an encrypted file)
$ ansible-vault rekey <file>     (change the password of an encrypted file)
$ ansible-playbook -i inv.ini playbook.yml --ask-vault-pass   (this will prompt for the vault password while running the playbook)

Using ansible-vault without passing the password on the command line

- Create the ansible inventory using the ansible-vault encrypt command.
- Once created, put your inventory password in a hidden text file such as .my-pass.txt.
- Add vault_password_file = /path/to_your_file/.my-pass.txt in ansible.cfg.
- From now on, whenever you run a playbook that uses the encrypted inventory file, Ansible will pick up the vault password from the text file defined in ansible.cfg.

Rundeck uses the same mechanism when you define your ansible.cfg as its configuration file.
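As an added example (not part of the original post), a small Python pre-flight check for the vault_password_file setup above: it reads the path from ansible.cfg, checks that the password file is private to its owner, and checks that the inventory really carries the vault header instead of plain text. The file names ansible.cfg and inv.ini are assumptions.

```python
# Added example (not from the original post): a pre-flight check for the
# vault_password_file setup described above. It parses ansible.cfg, verifies
# that the password file is private to its owner, and verifies that the
# inventory is really vault-encrypted rather than plain text. The file names
# used in __main__ are assumptions.
import configparser
import os
import stat

VAULT_HEADER = "$ANSIBLE_VAULT;"   # first line of every vault-encrypted file

def vault_password_path(cfg_text):
    """Return the vault_password_file value from [defaults], or None."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    return cfg.get("defaults", "vault_password_file", fallback=None)

def is_vault_encrypted(first_line):
    """True if the file's first line carries the vault header."""
    return first_line.strip().startswith(VAULT_HEADER)

def mode_is_private(mode):
    """True if no group/other permission bits are set (e.g. mode 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def check_vault_setup(cfg_path, inventory_path):
    """Run all checks against real files; returns a list of problems found."""
    problems = []
    with open(cfg_path) as f:
        pw_path = vault_password_path(f.read())
    if pw_path is None:
        return ["ansible.cfg has no vault_password_file in [defaults]"]
    pw_path = os.path.expanduser(pw_path)
    if not os.path.isfile(pw_path):
        problems.append(f"password file missing: {pw_path}")
    elif not mode_is_private(os.stat(pw_path).st_mode):
        problems.append(f"password file readable by group/others: {pw_path}")
    with open(inventory_path) as f:
        if not is_vault_encrypted(f.readline()):
            problems.append(f"inventory is not vault-encrypted: {inventory_path}")
    return problems

if __name__ == "__main__":
    for p in check_vault_setup("ansible.cfg", "inv.ini"):
        print("PROBLEM:", p)
```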

All about Ansible inventory

Designing your inventory

- The inventory is the expression of your environment
- Hostnames, groups and vars are for YOUR use; they have to make sense to YOU
- Ansible cares about hosts and tasks; everything else is in support of that
- Select a single source of truth, or at least try to minimize duplication of data
- Normally there is a simpler way to do it
- Ansible makes it easy to switch approaches, so don't be afraid to test and try
- Mistakes are not failures

Basic layout of an inventory

    group_vars/
        appserver.yml
        service_vars.yml

A more complex layout

    production  (groups: del, dc2)
    development (idf)
    staging     (dc1)
        databases.yml
    host_vars/

Benefit of the more complex inventory: you can target an environment by file.

TIPS: vars can go in many places

Variable source precedence (low to high):

 1. role defaults
 2. inventory file vars
 3. inventory group_vars, host_vars
 4. playbook group_vars, host_vars
 5. host facts
 6. play vars, vars_prompt, vars_files
 7. registered vars
 8. role parameters and include vars
 9. block vars (only for tasks in the block), task vars
10. extra vars (CLI, global, highest precedence)

- Where do I define my var?
        Locality (host, group, play, role, task)
        Use only what you need, ignore the rest
        Inheritance and scope (play, host)

- group_vars/host_vars are always loaded
- Variables are flattened per host
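As an added example (not part of the original post), a small Python model of the precedence list and the "flattened per host" rule: each source is applied from lowest to highest precedence, so the last write wins, and the function also reports which source supplied each variable. The host names, group and values are constructed.

```python
# Added example (not from the original post): how Ansible flattens variables
# per host. Sources are applied low -> high, so a later source overrides an
# earlier one. Host names and values below are constructed.

PRECEDENCE = [            # same order as the list above, split per source
    "role_defaults",
    "inventory_file_vars",
    "inventory_group_vars",
    "inventory_host_vars",
    "playbook_group_vars",
    "playbook_host_vars",
    "host_facts",
    "play_vars",
    "registered_vars",
    "role_params",
    "task_vars",
    "extra_vars",
]

def flatten_host_vars(host, layers):
    """Merge the layers that apply to `host` into one flat dict.

    `layers` is a list of (source, scope, vars) tuples; `source` is a name
    from PRECEDENCE and `scope` is 'all' (every host) or a host name.
    Returns (merged_vars, winner) where winner[key] is the source that won.
    """
    rank = {name: i for i, name in enumerate(PRECEDENCE)}
    merged, winner = {}, {}
    # sorted() is stable, so layers of the same source keep their given order
    for source, scope, vars_ in sorted(layers, key=lambda l: rank[l[0]]):
        if scope not in ("all", host):
            continue            # host_vars/facts of another host are ignored
        for key, value in vars_.items():
            merged[key] = value  # higher precedence overwrites lower
            winner[key] = source
    return merged, winner

# Constructed sample: web1 is in the 'webserver' group; web2 has no host_vars.
SAMPLE_LAYERS = [
    ("role_defaults",        "all",  {"http_port": 80, "max_clients": 100}),
    ("inventory_group_vars", "all",  {"http_port": 8080}),     # group_vars/webserver.yml
    ("inventory_host_vars",  "web1", {"max_clients": 250}),    # host_vars/web1.yml
    ("host_facts",           "web1", {"ansible_os_family": "Debian"}),
    ("play_vars",            "all",  {"http_port": 8081}),     # vars: in the play
    ("extra_vars",           "all",  {"max_clients": 500}),    # -e max_clients=500
]

if __name__ == "__main__":
    merged, winner = flatten_host_vars("web1", SAMPLE_LAYERS)
    for key in sorted(merged):
        print(f"{key}={merged[key]!r}  (from {winner[key]})")
```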