Ansible Tutorial

Uploaded by

marcuslucas
Copyright
© © All Rights Reserved

Ansible

DO Servers: 161.35.14.48, 67.205.181.1

Inventory Resource:

How To Set Up Ansible Inventories | DigitalOcean


In this guide, we'll demonstrate how to create Ansible inventory files and organize
servers into groups and subgroups, how to set up host variables, and how to use
patterns to control the execution of Ansible commands and playbooks per host and per
https://www.digitalocean.com/community/tutorials/how-to-set-up-ansible-inventories

How to install
Ansible server ssh query:

$ apt-get install -y python-pip


$ pip install ansible
$ ansible --version

Configuring SSH and sudo


Key-based login with a public-private key pair allows login without a password.

On DigitalOcean
Create Droplet - Authentication - New SSH Key

Generate public-private key on ansible server / controller computer:

$ ssh-keygen

You will be prompted to save and name the key.

Generating public/private rsa key pair. Enter file in which to save the key (/

Next you will be asked to create and confirm a passphrase for the key (highly recommended):

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This will generate two files, by default called id_rsa and id_rsa.pub. Next, add this public key.

Add the public key to remote server


Copy and paste the contents of the .pub file, typically id_rsa.pub, into the SSH key content field on
DigitalOcean popup screen.

cat ~/.ssh/id_rsa.pub

Click on Add SSH Key button.

Also:
Be able to become root user and run sudo without password.

$ vim /etc/sudoers.d/90-cloud-init-users

Ansible ping
Ansible server ssh query:

$ ansible all -i [email protected], -m ping

Remote server response:

[email protected] | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}

Ansible commands
$ ansible all -i root@ip1,root@ip2 -m ping
$ ansible all -i root@ip1,root@ip2 -m command --args 'uptime'
$ ansible all -i root@ip1,root@ip2 -m command --args 'apt-get install -y apach

Configuring systems for SSH


It's possible to add host entries to the SSH configuration file $HOME/.ssh/config on the Ansible server so that
ansible commands run smoothly.

P.S. The file is not version-controlled, but it is easy to update on the system, for example when IPs change frequently.
Config file example:

# File ~/.ssh/config
Host database* dotcms* ansible server* web*
    User root
    IdentityFile ~/.ssh/id_rsa_aws
Host web01
    Hostname 161.35.14.48
Host web02
    Hostname 67.205.181.1

Creating ansible inventory


An inventory file specifies the entities (hosts and groups).

[database]
database01

[dotcms]
dotcms01

[web]
web01
web02

Running ansible-playbook
A playbook is a list of commands to be run.

$ ansible-playbook -i inventory playbook.yaml --vault-password-file .vault-pas

Playbooks, plays and YAML


A playbook groups plays together.

Playbook file example in YAML

---
- hosts: all                 # play1
  become: true
  tasks:
    - name: install jre      # play1-task1
      package: name=openjdk-8-jre state=present
    - name: group            # play1-task2
      group:
        name: dotcms
        state: present
- hosts: balancer            # play2
  become: true
  tasks:
    - name: install haproxy  # play2-task1
      package: name=haproxy state=present

Basic YAML syntax

Tasks and handlers
Tasks are the smallest units of automation.

Handlers are similar to tasks, but only run conditionally.

In the example above, when the database configuration file is copied from the Ansible server to the remote server,
the handler restarts the database server on the remote server.

Tasks and handlers on a playbook


File example:

Inventory with SSH credentials


Example:

[database]
database01 ansible_host=67.205.181.1 ansible_user=root

[web]
web01 ansible_host=161.35.14.48 ansible_user=root

web02 ansible_host=67.205.181.1 ansible_user=root

[dotcms]
dotcms01

Ansible Become
Allows Ansible to change from root to another user to run commands.

Ansible groups and variables


It's possible to group entities and assign variables to groups, such as:

[database]
database01 ansible_host=67.205.181.1

[web]
web01 ansible_host=161.35.14.48
web02 ansible_host=67.205.181.1

[balancers]
balancer01

[ubuntu:children]
database
web

[ubuntu:vars]

ansible_user=root

[alpine:children]
balancers

[alpine:vars]
ansible_user=alpine_user
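
The inheritance in the inventory above can be checked mechanically. This is an added example, not part of the original tutorial or of Ansible itself: it parses only the INI subset shown on this page and resolves each host's effective variables (parent group, then child group, then inline host values), so the hosts that end up logging in as root can be listed. The names effective_vars and root_logins are assumptions made for this example.

```python
import re
# Inventory copied from the section above (blank lines dropped).
INVENTORY = """\
[database]
database01 ansible_host=67.205.181.1
[web]
web01 ansible_host=161.35.14.48
web02 ansible_host=67.205.181.1
[balancers]
balancer01
[ubuntu:children]
database
web
[ubuntu:vars]
ansible_user=root
[alpine:children]
balancers
[alpine:vars]
ansible_user=alpine_user
"""

def effective_vars(text):
    """Resolve per-host variables for the INI subset shown on this page."""
    hosts, gvars, parents, members = {}, {}, {}, {}
    group, kind = None, "hosts"
    for line in filter(None, (l.split("#")[0].strip() for l in text.splitlines())):
        m = re.fullmatch(r"\[([^:\]]+)(?::(children|vars))?\]", line)
        if m:                         # section header
            group, kind = m.group(1), m.group(2) or "hosts"
        elif kind == "vars":          # key=value under [group:vars]
            key, _, val = line.partition("=")
            gvars.setdefault(group, {})[key.strip()] = val.strip()
        elif kind == "children":      # child group under [group:children]
            parents.setdefault(line, []).append(group)
        else:                         # host line, optional inline key=value pairs
            name, *pairs = line.split()
            hosts.setdefault(name, {}).update(p.split("=", 1) for p in pairs)
            members.setdefault(name, []).append(group)
    def merged(groups):               # parents first, so the child group wins
        out = {}
        for g in groups:
            out.update(merged(parents.get(g, [])))
            out.update(gvars.get(g, {}))
        return out
    # Inline host variables win over anything inherited from groups.
    return {h: {**merged(members[h]), **inline} for h, inline in hosts.items()}

def root_logins(text):                # hosts whose effective ansible_user is root
    return sorted(h for h, v in effective_vars(text).items() if v.get("ansible_user") == "root")
```

For the inventory above, root_logins(INVENTORY) lists database01, web01 and web02, while balancer01 resolves to alpine_user.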

Running delimited tasks by group or system


To run plays against only certain groups or systems, use the limit option -l:

$ ansible-playbook -i inventory playbook.yaml -l balancers


// where balancers is a group

$ ansible-playbook -i inventory playbook.yaml -l balancer01


// where balancer01 is a system

Running delimited tasks using tags


It is also possible to add tags to tasks in order to limit which ones run.

---
- hosts: dotcms
  become: true
  tasks:
    - name: install jre
      package: name=openjdk-8-jre state=present
      tags: dotcmstask
    - name: group
      group:
        name: dotcms
        state: present
- hosts: balancer
  become: true
  tasks:
    - name: install haproxy
      package: name=haproxy state=present
      tags: balancertask

Shell command:

$ ansible-playbook -i inventory playbook.yaml --tags balancertask

P.S. It is also possible to combine both limiters, -l and --tags, to narrow it down even more.

Using roles
Playbooks quickly get large and hard to maintain, so we want to break up our tasks into modules that can be
reused.
Roles can modularize:

tasks - actions for automatic install and config

files - regular files to be copied over, such as configuration files, and templates, which are files that can be
modified before they are copied to Ansible servers

variables - separate configuration choices

Role directory components


Folders are:

defaults - default configuration variables

files - files to deploy to remote system

handlers - conditional tasks that run if notified

meta - role metadata (for example, dependencies)

tasks - main entry point, actions to complete

templates - customizable files to deploy

vars - high priority configuration variables

What the roles directory looks like:

What the playbook for roles looks like:

With Ansible 2.7 it is possible to run specific roles from the command line:

$ cd /path/to/ansible/
$ ansible localhost -m include_role -a name=<role_name>
localhost | SUCCESS => {
    "changed": false,
    "include_variables": {
        "name": "<role_name>"
    }
}
localhost | SUCCESS => {
    "msg": "<role_name>"
}

Ansible modules
Modules are commands/functionalities that the Ansible host can run on Ansible servers.

Full list of modules here:

https://docs.ansible.com/ansible/2.8/modules/modules_by_category.html

Some ansible packaging modules:

Some ansible files modules:

Some system modules:

Ansible Galaxy
It's also possible to get roles from Ansible Galaxy.
Reference:

Ansible Galaxy
Jump start your automation project with great content from the Ansible community
https://galaxy.ansible.com/

To download and install role:

$ ansible-galaxy install role-name

To run the role:

Playbook.yaml file:

---
- hosts: all
  become: true
  roles:
    - geerlingguy.java

Command line:

$ ansible-playbook -i inventory playbook.yaml

Role dependencies
Folder structure: role-folder > meta > main.yaml

Dependent roles will run before/first, then our role will run.

Template module
Takes a source template file, adds variables, and checks whether the result is the same as the file on the server;
if it is not the same, copies it to the destination server.

The template module relies on the Python library Jinja2:

Jinja - Jinja Documentation (2.11.x)


Jinja is a modern and designer-friendly templating language for Python, modelled after
Django's templates. It is fast, widely used and secure with the optional sandboxed
template execution environment:
https://jinja.palletsprojects.com/en/2.11.x/

Ansible template module:

ansible.builtin.template - Template a file out to a remote server - Ansible Documentation


Note The attributes the resulting file or directory should have. To get supported flags look at the
man page for chattr on the target system. This string should contain the attributes in the same
order as the one displayed by lsattr.
https://docs.ansible.com/ansible/2.5/modules/template_module.html

Template variables come from role-folder > defaults > main.yaml

It's also possible to include conditional sections in template files based on conditions and variables.

It also allows us to loop over variables to populate templates using a for statement.
Variable file example:

Template file example:

Variables can also be expressed with dictionaries instead of strings, to be more easily readable.

Other topics on templates and variables manipulation:

Macros: .j2

Filters: default, join and map

Reusable blocks

Blocks can be inherited from a parent/base template, such as haproxy.http.cfg (child) extends haproxy.base.cfg
(base). In this example, both files need to be in the same template directory.

Variables' priorities for tasks


Variables are used in tasks to make reusable roles.

Hierarchy of dominant variables:


(Command line level) $ ansible-playbook -i ... -e 'variable-name="variable-value"' >

(Playbook level) playbook.yaml >


(Group level) roles/role-name/group_vars/all.yaml >

(Role level) roles/role-name/defaults/main.yaml >


(Task level) roles/role-name/tasks/main.yaml
Variables declared directly in the playbook (variable me) overwrite all other subgroups above:

However, the command line has top priority and even overwrites playbook variables:

Ansible Facts
What are facts?

Facts are variables that Ansible collects automatically when controlling a remote system

Facts provide information that is specific to the remote system

Facts are collected by the setup module

The setup module can be run from the command line:

Some important remote server variables:

Variables for groups


Add them to the group_vars directory. These variables apply to specific groups defined inside the inventory file.
For example, for a group [database] inside the inventory, the group_vars/database.yaml can be:

In the example above, the variables are being pulled from the group_vars/all.yaml variable file, which holds
variables available for all groups, hosts and systems.

Variables for hosts


A variable for a host will win over any specific variable for groups:
group_vars/all.yaml < group_vars/group-name.yaml < host_vars/localhost.yaml
Reference:

https://www.udemy.com/course/devops-automate-your-infrastructure-using-ansible-in-9hours/learn/lecture/12479508#questions

Variable hierarchy/priority recap


1. Command line

2. Host variables *normally not used

3. Group variables

4. Role variables

Using variables to control tasks
Use variables for conditional tasks.
For example, we have a task to install Java on an Ansible node.

To do it, use a when clause.

Terminal results:

Compound conditions:

P.S. Last example is using a Jinja filter to compare with an integer.

Registering results in variables
For example, the register keyword takes the response from stat and stores it in the variable vp, which is used in
later conditional when statements.

Using lists and dictionaries to repeat tasks and populate template files
To use a list to repeat tasks, use with_items:

Lists and dictionaries can also be used as variables to do the same as above. Reference:

https://www.udemy.com/course/devops-automate-your-infrastructure-using-ansible-in-9hours/learn/lecture/12479532#questions

Using dictionaries across tasks and templates to populate files inside the /etc/profile.d/ folder. In the example
below, Ansible will run the template command 3 times: once for the java key/component, once for maven and
finally once for the gradle key/component.

Ansible and version control


Ansible YAML files are a perfect fit for version control.

Version control makes it easy to share Ansible configuration with a team and to see how content changes
over time.
Can use Atom editor with Git or GitHub.

Ansible Vault
Ansible Vault makes it possible to check sensitive files into version control.
It's important to note that Ansible Vault works with any data file - variables, templates or plain files.

Example of encrypted group variables inside an Ansible vault at /group_vars/all.yaml

P.S. AES256 is the encryption standard used.

Encrypt files
Example, file /group_vars/all.yaml before encryption:

To encrypt a variable file:

P.S. Type in the (new) vault password.

If you try to run the playbook directly, it will show an error message.

To run it, add --ask-vault-pass to command line, and type in the vault password.

The simplest way to edit a vault encrypted file is to use the command:

$ ansible-vault edit group_vars/all.yaml


Vault password:

The file can then be edited in the terminal:

P.S. After the edit, it encrypts the file and saves it to its original location.

Decrypt files
Use the command:

$ ansible-vault decrypt group_vars/all.yaml

Example:

Create Vault password files


This way we don't need to type in the password every time we want to run a playbook command.
To generate random passwords:

$ openssl rand -hex 16


$ openssl rand -base64 12
$ pwgen 16 1 #ubuntu

Pipe the result into a password file:

$ pwgen 16 1 > vault-password

Example:

Note: Never check this vault-password file into version control
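
An added check, not part of the original tutorial: the script below walks group_vars and host_vars, flags variable files that hold secret-looking keys but lack the $ANSIBLE_VAULT; header that ansible-vault writes, and verifies that the vault-password file is owner-only and named in .gitignore. The key-name heuristic, the exact-name .gitignore match, the sample project built in demo and the names audit_vault and demo are assumptions of this example.

```python
import os, re, stat, tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"   # ansible-vault encrypted files start with this
SECRET_KEY = re.compile(           # key names that suggest a secret (heuristic)
    r"^\s*[\w.-]*(pass|secret|token|api_?key)[\w.-]*\s*:(?!\s*!vault)", re.I | re.M)

def audit_vault(repo, password_file="vault-password"):
    """Return sorted findings for an Ansible project directory."""
    findings = []
    # 1. Variable files with secret-looking keys must be vault-encrypted.
    for sub in ("group_vars", "host_vars"):
        for root, _dirs, files in os.walk(os.path.join(repo, sub)):
            for name in files:
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if not text.startswith(VAULT_HEADER) and SECRET_KEY.search(text):
                    findings.append(f"plaintext secret: {os.path.relpath(path, repo)}")
    # 2. The vault password file must be owner-only and ignored by git.
    pw = os.path.join(repo, password_file)
    if os.path.exists(pw):
        if stat.S_IMODE(os.stat(pw).st_mode) & 0o077:
            findings.append(f"{password_file}: group/other access, use chmod 600")
        ignored = []
        if os.path.exists(os.path.join(repo, ".gitignore")):
            with open(os.path.join(repo, ".gitignore"), encoding="utf-8") as fh:
                ignored = [line.strip().lstrip("/") for line in fh]
        if password_file not in ignored:   # exact-name match only (simplification)
            findings.append(f"{password_file}: not listed in .gitignore")
    return sorted(findings)

def demo():
    """Run the audit on a constructed project that breaks all three rules."""
    with tempfile.TemporaryDirectory() as repo:
        os.mkdir(os.path.join(repo, "group_vars"))
        with open(os.path.join(repo, "group_vars", "all.yaml"), "w") as fh:
            fh.write("db_user: app\ndb_password: example-only\n")   # constructed sample
        pw = os.path.join(repo, "vault-password")
        with open(pw, "w") as fh:
            fh.write("constructed-not-a-real-password\n")
        os.chmod(pw, 0o644)
        return audit_vault(repo)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it from the project root before each commit; an empty result means every flagged rule passed.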


And to encrypt files without prompting/asking the password, use:

$ ansible-vault encrypt group_vars/all.yaml --vault-password-file vault-passwo

Example:

And to run the playbook:

$ ansible-playbook -i inventory playbook.yaml --vault-password-file vault-pass

Example:

Encrypt files for delivery


To encrypt files for delivery, such as in the case of important SSL certificates, check the video reference:

https://www.udemy.com/course/devops-automate-your-infrastructure-using-ansible-in-9hours/learn/lecture/12479548#questions
