Ansible is an agent-less task execution engine, used for configuring, managing and installing software on clients and nodes without any downtime and without any agent installed on them.
It uses SSH to communicate with the clients.
Provided all the nodes have Python installed; every step should be carried out as a dedicated ansible user rather than as root.
Ansible needs:
- SSH connection
- a user
- python 2.4+
- It works on the principle of 'PUSH based', meaning it pushes modules from VCS to servers directly without any intermediate client/agent
- it contains Playbooks, which are written in YAML ("YAML Ain't Markup Language")
Overview of an Ansible playbook
- Ansible contains Playbooks
- A Playbook has a number of plays
- A Play contains tasks
- A Task calls core or custom modules
- A Task can use templates
- Handlers are triggered from notify and are executed at the end of the play, and only once
- Ansible contains more than 750 modules and can be extended with your own custom modules.
- Modules get executed when you run a Playbook against your 1..n nodes.
- For connectivity it uses:
  - SSH password-less connection, by generating a public key and installing it on all your nodes
  - Connection Plugins
  - export ANSIBLE_HOST_KEY_CHECKING=False (disables the SSH host-key check; this also removes the protection against a node being impersonated on the way, so keep it for throwaway lab hosts only)
Quickly start with Ansible, try using my docker image
pull : docker pull punitporwal07/ansible:2.6
run : docker run -it punitporwal07/ansible:2.6
test: ./runansibletest.sh
Installing Ansible on RHEL/CentOS:
By default the ansible package is not available in some yum repositories, so you need to enable/add the EPEL (Extra Packages for Enterprise Linux) repository, which is maintained by the Fedora Project
$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
$ yum update -y
$ yum install ansible -y
or
$ sudo yum install ansible -y
Installing Ansible on Ubuntu:
$ apt-get update
$ apt-get install ansible
Verify the installation:
$ ansible --version
SETTING UP SSH COMMUNICATION BETWEEN SERVERS
Prepare an SSH key for the remote hosts.
Switch to the ansible user, then:
$ ssh-keygen -t rsa --> enter, enter, enter (accept the defaults)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub ansible@<node> --> enter the password once per node
Optionally:
$ export ANSIBLE_HOST_KEY_CHECKING=False
(bypasses the SSH host-key check; it also removes the protection against a node being impersonated on the way, so use it only for throwaway lab nodes)
Test using:
$ ansible -m ping all
For tasks that need sudo on the nodes, run ansible-playbook with --ask-become-pass (-K); it will prompt for the sudo password (--ask-sudo-pass is the older, deprecated spelling)
HOST INVENTORY
/etc/ansible/hosts (default location; override with -i <inventory-file>)
Provide the list of target IP addresses or hostnames, which can be grouped:

[local]
localhost ansible_connection=local
[appserver]
1.2.3.4
2.3.4.5
[dbserver]
3.4.5.6
How Ansible commands are structured
ansible <host-group> -m <module> -a "<arguments to the module>"
ansible localhost -m yum -a "name=nginx state=latest"
ansible allserver -m shell -a 'uptime'
ansible appserver -m user -a "name=red group=oracle shell=/bin/bash"
Ad-hoc commands
ansible all -a 'uptime' (determine the uptime of all machines; the default module is command)
ansible -m ping all (test the connection to all hosts defined in the host inventory)
Some example playbooks
# simple playbook to install apache (apache.yml)
---
- hosts: webserver
  become: yes          # older playbooks spell this 'sudo: yes'; become is the current keyword
  tasks:
    - name: install apache2
      apt: name=apache2 update_cache=yes state=latest
...
run as:
$ ansible-playbook apache.yml --ask-become-pass   (--ask-sudo-pass is the deprecated spelling)

# simple playbook to install java (java.yml)
---
- hosts: appserver
  remote_user: red
  tasks:
    - name: Unpack java archive
      unarchive:
        src: /software/bea/java/jdk-8u172-linux-x64.tar.gz
        dest: /software/bea/java/
        remote_src: yes       # the archive is already on the target host, not copied from the control node
...
run as:
$ ansible-playbook java.yml

# simple playbook to install nginx (nginx.yml)
---
- hosts: webserver
  become: yes          # installing a package and managing a service need root
  tasks:
    - name: install nginx web server
      apt: pkg=nginx state=present update_cache=true   # 'installed' is an old alias of present
      notify:
        - start nginx
  handlers:
    - name: start nginx
      service: name=nginx state=started
...
run as:
$ ansible-playbook nginx.yml --ask-become-pass
Ansible vault
You can use this Ansible utility to protect your sensitive data (passwords, keys, etc.) at rest in the repository.
Some useful ansible-vault commands:
$ ansible-vault encrypt <file>     (encrypt a vars or inventory file in place)
$ ansible-vault edit <file>
$ ansible-vault view <file>
$ ansible-vault rekey <file>       (change the vault password)
$ ansible-playbook -i inv.ini --ask-vault-pass <playbook.yml>   (prompts for the vault password when the inventory is encrypted)
Using ansible-vault without passing the password on the command line:
- Create your inventory, then encrypt it with ansible-vault encrypt.
- Put the vault password in a hidden text file such as .my-pass.txt; make it readable by the ansible user only (chmod 600) and keep it out of version control.
- Add vault_password_file = /path/to_your_file/.my-pass.txt under [defaults] in ansible.cfg.
The next time you run any playbook that uses the encrypted inventory file, Ansible picks up the vault password from the text file defined in ansible.cfg.
Rundeck uses the same mechanism when you point it at your ansible.cfg as its configuration file.
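The following playbook is an added example (not from the page) that ties the playbook concepts from the section above (become, tasks, template, notify, handlers) to the vault workflow just described: the database credentials live in a vars file that is encrypted with ansible-vault, and the task that writes them uses no_log so they never show up in playbook output. The host group, paths, template file and variable names are assumptions.

```yaml
# site.yml (added example): become, vars_files, a vaulted secret, a template,
# notify and a handler in one play. Paths, host group and values are assumptions.
---
- hosts: webserver
  become: yes                     # package install and /etc writes need root
  vars_files:
    - vars/secrets.yml            # encrypted with: ansible-vault encrypt vars/secrets.yml
  vars:
    http_port: 8080
  tasks:
    - name: install nginx
      apt:
        name: nginx
        state: present
        update_cache: yes

    - name: create app config directory
      file:
        path: /etc/myapp
        state: directory
        mode: "0750"

    - name: write app credentials from the vaulted vars
      copy:
        content: "DB_USER={{ db_user }}\nDB_PASSWORD={{ db_password }}\n"
        dest: /etc/myapp/env
        owner: root
        group: root
        mode: "0600"
      no_log: true                # keep the secret out of playbook output and logs

    - name: render nginx site config (template can use http_port)
      template:
        src: templates/site.conf.j2
        dest: /etc/nginx/sites-available/default
        mode: "0644"
      notify: reload nginx        # handler runs once, at the end of the play

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded

# vars/secrets.yml, shown in plaintext before 'ansible-vault encrypt' (constructed values):
# ---
# db_user: myapp
# db_password: change-me-before-use
```

Run it with ansible-playbook -i inventory site.yml once vault_password_file is set in ansible.cfg as above, or add --ask-vault-pass to be prompted instead.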
All about Ansible inventory
Designing your inventory
- Inventory is the expression of your environment
- Hostnames, groups and vars are for YOUR use; they have to make sense to YOU
- Ansible cares about hosts and tasks; everything else is in support of that
- Select a single source of truth, or at least try to minimize duplication of data
- Normally, there is a simpler way to do it
- Ansible makes it easy to switch approaches; don't be afraid to test and try
- Mistakes are not failures
Basic layout of inventory
ansible/
  inventory
  group_vars/
    all.yml
    appservers.yml
    databases.yml
    loadbalancer.yml
    network.yml
    webservers/
      secrets.yml
      service_vars.yml
  host_vars/
    webserver01.yml
    webserver02.yml
Complicated layout
ansible/inventory/
  production   (groups: dc1, dc2)
  development  (idf)
  staging      (dc1)
  group_vars/
    all.yml
    appservers.yml
    databases.yml
    loadbalancers.yml
    network.yml
    webservers/
      secrets.yml
      service_vars.yml
    dc1.yml
    dc2.yml
    idf.yml
  host_vars/
Benefit of the complicated inventory: you can target an environment by inventory file (for example -i inventory/production).
TIPS: vars can go in many places
Variable source precedence (low to high):
- role defaults
- inventory file vars
- inventory group_vars, host_vars
- playbook group_vars, host_vars
- host facts
- play vars, vars_prompt, vars_files
- registered vars
- set_fact
- role parameters and include_vars
- block vars (only for tasks in the block), task vars
- extra vars (CLI -e; global, always win)
- Where do I define my var?
  Locality (host, group, play, role, task)
  Use only what you need, ignore the rest
  Inheritance and scope (play, host)
- group_vars/host_vars are always loaded
- variables are flattened per host
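An added example (not from the page) of the layered layout and precedence described above: one inventory, a group_vars/all.yml, a group_vars file for the webservers group and a host_vars file for one host, plus a small playbook that shows which value each host ends up with. Hostnames and values are constructed.

```yaml
# Added example of the layered layout above; hosts and values are constructed.
# Each '---' document stands for one file; its path is in the comment just before it.

# inventory.yml
---
all:
  children:
    webservers:
      hosts:
        webserver01:
        webserver02:

# group_vars/all.yml           (applies to every host; lowest of the three files)
---
http_port: 80
ntp_server: ntp.example.internal

# group_vars/webservers.yml    (overrides all.yml for members of the webservers group)
---
http_port: 8080

# host_vars/webserver02.yml    (overrides the group value for this single host)
---
http_port: 8443

# check.yml
---
- hosts: webservers
  gather_facts: no
  tasks:
    - name: show the value each host resolved
      debug:
        msg: "{{ inventory_hostname }} -> port {{ http_port }}, ntp {{ ntp_server }}"
# ansible-playbook -i inventory.yml check.yml
#   webserver01 -> port 8080 (group beats all.yml), webserver02 -> port 8443 (host beats group)
# ansible-playbook -i inventory.yml check.yml -e http_port=9000
#   both hosts -> port 9000 (extra vars from the CLI win over everything)
```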
k/r,
P