
11 July 2017

ANSIBLE: Configuration management tool for Infra automation

https://www.middlewareandme.tech/search/label/ansible
Ansible is an agent-less task execution engine, used for configuring, managing and installing software on clients and nodes without any downtime and without installing an agent on them.
It uses SSH to communicate with the clients.
The only requirements are that every node has Python installed and that steps are carried out as a dedicated ansible user rather than as root.
Ansible needs:
  • SSH connection
  • a user
  • python 2.4+

  • It works on a 'PUSH' principle: it pushes modules from VCS to the servers directly, with no intermediate client/agent in between
  • Configuration is written as Playbooks in YAML (YAML Ain't Markup Language)

Overview of an ansible playbook (figure):

- Ansible runs Playbooks
- A Playbook has a number of Plays
- A Play contains Tasks
- A Task calls core or custom Modules
- A Task can use Templates
- Handlers are triggered from notify; they run at the end of the play and only once

- Ansible ships with more than 750 modules, and you can write your own custom modules.
- Modules get executed when you run a Playbook against your 1..n nodes.
- For connectivity it uses
  • password-less SSH: generate a key pair and install the public key on all your nodes
  • Connection Plugins
  • export ANSIBLE_HOST_KEY_CHECKING=False (skips SSH host-key verification, so only for throwaway lab nodes)

To get started quickly with Ansible, try my docker image:

pull : docker pull punitporwal07/ansible:2.6
run  : docker run -it punitporwal07/ansible:2.6
test : ./runansibletest.sh

By default the ansible package is not available in some yum repositories, so you need to enable/add the EPEL (Extra Packages for Enterprise Linux) repository, which is maintained by the Fedora Project:

$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
$ yum install ansible -y

Installing Ansible on Ubuntu:
$ sudo apt-get update
$ sudo apt-get install ansible

or, on RHEL/CentOS with EPEL enabled:
$ sudo yum install ansible -y
$ ansible --version

SETTING UP SSH COMMUNICATION BETWEEN SERVERS
Prepare an SSH key for the remote hosts.
Switch to the ansible user, then:
$ ssh-keygen -t rsa                                  --> enter enter enter (accept the defaults)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub ansible@<node>    --> enter the password for each node

If the first connection is rejected because a node's host key is unknown, the quick workaround is
$ export ANSIBLE_HOST_KEY_CHECKING=False
(which bypasses the host-key check entirely; that also removes the protection against a man-in-the-middle impersonating a node, so use it only for throwaway lab hosts and otherwise let the first ssh/ssh-copy-id login record each node's key in known_hosts)

test using
$ ansible -m ping all
to supply a sudo password: ansible-playbook <playbook.yml> --ask-sudo-pass (prompts for the sudo password; newer releases use -K / --ask-become-pass)

HOST INVENTORY

/etc/ansible/hosts (default location of the inventory file)
provides the list of target IP addresses or hostnames, which can be grouped:

[local]
localhost ansible_connection=local

[appserver]
1.2.3.4
2.3.4.5

[dbserver]
3.4.5.6

How ansible commands are structured

ansible <host-group>   -m <module>   -a "<arguments to the module>"
ansible localhost      -m yum        -a "name=nginx state=latest"
ansible allserver      -m shell      -a 'uptime'
ansible appserver      -m user       -a "name=red group=oracle shell=/bin/bash"

Ad-hoc commands
ansible all -a 'uptime' (determine the uptime of all machines; -m command is the default module)
ansible -m ping all (test the connection to all hosts defined in the host inventory)

some examples of playbooks

# simple playbook to install apache (apache.yml)
---
- hosts: webserver
  become: yes          # 'sudo: yes' in older playbooks; become is the current keyword
  tasks:
    - name: install apache2
      apt: name=apache2 update_cache=yes state=latest
...

run as:
$ ansible-playbook apache.yml --ask-become-pass    (older releases: --ask-sudo-pass)

# simple playbook to install java (java.yml)
---
- hosts: appserver
  remote_user: red
  tasks:
    - name: Unpack java archive
      unarchive:
        src: /software/bea/java/jdk-8u172-linux-x64.tar.gz
        dest: /software/bea/java/
        remote_src: yes
...

run as:
$ ansible-playbook java.yml

# simple playbook to install nginx (nginx.yml)
---
- hosts: webserver
  become: yes          # package installation needs root; run as the ansible user and escalate
  tasks:
    - name: install nginx web server
      apt: pkg=nginx state=present update_cache=true
      notify:
        - start nginx

  handlers:
    - name: start nginx
      service: name=nginx state=started
...

run as:
$ ansible-playbook nginx.yml

Ansible vault

You can use this Ansible utility to protect sensitive data such as passwords and keys.
Some useful ansible-vault commands:

$ ansible-vault encrypt secrets.yml    (encrypt a file)
$ ansible-vault edit secrets.yml       (edit an encrypted file in place)
$ ansible-vault view secrets.yml       (view an encrypted file)
$ ansible-vault rekey secrets.yml      (change the password of an encrypted file)
$ ansible-playbook -i inv.ini playbook.yml --ask-vault-pass    (prompts for the vault password while running the playbook)

Using ansible-vault without the inline prompt

- Create your Ansible inventory and encrypt it with the ansible-vault encrypt command.
- Put the vault password in a hidden text file such as .my-pass.txt, readable only by the ansible user (chmod 600) and kept out of version control.
- Add vault_password_file = /path/to_your_file/.my-pass.txt to ansible.cfg.
- From now on, whenever you run a playbook that uses the encrypted inventory file, Ansible picks up the vault password from the text file defined in ansible.cfg.
- Rundeck uses the same mechanism when you point it at your ansible.cfg as its configuration file.


All about Ansible inventory

Designing your inventory

- Inventory is the expression of your environment
- Hostnames, groups and vars are for YOUR use; they have to make sense to YOU
- Ansible cares about hosts and tasks; everything else is in support of that
- Select a single source of truth, or at least try to minimize duplication of data
- Normally, there is a simpler way to do it
- Ansible makes it easy to switch approaches, so don't be afraid to test and try
- Mistakes are not failures

Basic layout of an inventory

ansible/
    inventory
    group_vars/
        all.yml
        appservers.yml
        databases.yml
        loadbalancers.yml
        network.yml
        webservers/
            secrets.yml
            service_vars.yml
    host_vars/
        webserver01.yml
        webserver02.yml

A more complex layout (one inventory file per environment)

ansible/inventory/
    production   (groups: dc1, dc2)
    development  (groups: idf)
    staging      (groups: dc1)
    group_vars/
        all.yml
        appservers.yml
        databases.yml
        loadbalancers.yml
        network.yml
        webservers/
            secrets.yml
            service_vars.yml
        dc1.yml
        dc2.yml
        idf.yml
    host_vars/

Benefit of the more complex inventory: you can target an environment by choosing its inventory file (ansible-playbook -i inventory/staging ...).

TIPS: vars can go in many places

Variable source PRECEDENCE (low to high):

- role defaults
- inventory file vars
- inventory group_vars, host_vars
- playbook group_vars, host_vars
- host facts
- play vars, vars_prompt, vars_files
- registered vars
- set_fact
- role parameters and include vars
- block vars (only for tasks in the block), task vars
- extra vars (-e on the CLI; global, highest precedence)

- Where do I define my var?
        Locality (host, group, play, role, task)
        Use only what you need, ignore the rest
        Inheritance and scope (play, host)

- group_vars/host_vars are always loaded
- variables are flattened per host
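The flattening step in practice, as an added example that is not code from the original post: it parses the INI inventory shown earlier and merges the variable sources for one host in the precedence order listed above (inventory file vars, then group_vars, host_vars, play vars, extra vars). The group_vars, host_vars, play and extra contents are constructed stand-ins for the YAML files and -e flags.

```python
# Added example: flatten variables per host in the post's precedence order.
# GROUP_VARS / HOST_VARS / PLAY_VARS / EXTRA_VARS are constructed for the demo.
from typing import Dict, List, Tuple

# The inventory from the HOST INVENTORY section above.
INVENTORY = """\
[local]
localhost ansible_connection=local

[appserver]
1.2.3.4
2.3.4.5

[dbserver]
3.4.5.6
"""

def parse_inventory(text: str) -> Tuple[Dict[str, List[str]], Dict[str, dict]]:
    """Return (group -> hosts, host -> inline key=value vars) for an INI inventory."""
    groups: Dict[str, List[str]] = {}
    inline: Dict[str, dict] = {}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                   # new [group] header
            continue
        host, *pairs = line.split()
        groups.setdefault(current, []).append(host)
        inline.setdefault(host, {}).update(p.split("=", 1) for p in pairs)
    return groups, inline

# Stand-ins for group_vars/all.yml, group_vars/appserver.yml, host_vars/1.2.3.4.yml,
# play-level vars and "-e deploy_user=ops" on the CLI (all constructed values).
GROUP_VARS = {"all": {"http_port": 80, "ntp_server": "ntp.example.com"},
              "appserver": {"http_port": 8080, "java_home": "/software/bea/java"}}
HOST_VARS = {"1.2.3.4": {"http_port": 8081}}
PLAY_VARS = {"deploy_user": "red"}
EXTRA_VARS = {"deploy_user": "ops"}

def resolve(host: str) -> dict:
    """Merge every source that applies to `host`; later (higher) layers override earlier ones."""
    groups, inline = parse_inventory(INVENTORY)
    layers = [inline.get(host, {}), GROUP_VARS.get("all", {})]
    layers += [GROUP_VARS.get(g, {}) for g, hosts in groups.items() if host in hosts]
    layers += [HOST_VARS.get(host, {}), PLAY_VARS, EXTRA_VARS]
    merged: dict = {}
    for layer in layers:
        merged.update(layer)
    return merged

if __name__ == "__main__":
    for h in ("localhost", "1.2.3.4", "2.3.4.5", "3.4.5.6"):
        print(h, resolve(h))
```

For 1.2.3.4 the host_vars port (8081) beats the appserver group port (8080), which beats the all-group default (80), while the CLI extra var replaces the play's deploy_user for every host.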

k/r,
P