
Automation with Ansible

Ansible is a Configuration Management (CM) tool. CM is the process of maintaining computer systems, servers, and software automatically and consistently, instead of configuring each machine by hand.

Prerequisites

You may need to install sshpass and ansible on your system.

Linux (Debian, Ubuntu, Mint)

sudo apt install ansible sshpass

macOS (install Homebrew first if you don't have it)

brew install esolitos/ipa/sshpass # OR, brew install http://git.io/sshpass.rb
brew install ansible

Windows (install Chocolatey first if you don't have it)

# see https://stackoverflow.com/a/43068475/9045405 for installing sshpass
choco install ansible

Now let's understand how Ansible works.

Ansible Variables

Ansible Node: ansible_nodename
FQDN: ansible_fqdn
IP Address: ansible_eth0.ipv4.address
Distribution: ansible_distribution, ansible_distribution_release, ansible_distribution_version
Kernel: ansible_kernel
Python Version: ansible_python_version
CPUs: ansible_processor_vcpus
Memory: ansible_memtotal_mb
Virtualization: ansible_virtualization_type
user: ansible_env.SUDO_USER
uid: ansible_env.SUDO_UID
gid: ansible_env.SUDO_GID
home: ansible_env.HOME
pwd: ansible_env.PWD
# Take a backup of `ansible.cfg` before changing anything, or download a fresh example copy
sudo curl \
  -L \
  -o /etc/ansible/ansible.cfg \
  https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg

# host_key_checking is commented out in the example file and defaults to True (enabled).
# The sed below uncomments the line with whatever value it carries; if that value is
# False, this switches SSH host key verification OFF, so read the grep output before
# relying on the result.
sudo sed -i.bak \
  's/#host_key_checking/host_key_checking/g' \
  /etc/ansible/ansible.cfg \
  && grep host_key_checking /etc/ansible/ansible.cfg

# if you want to log in over ssh with a password (the -k examples below),
# log in to the remote host as root first and run the following to enable it;
# key-based login does not need this step
# if MacOS then use, -i ''
sed -i \
  's/PasswordAuthentication no/PasswordAuthentication yes/g' \
  /etc/ssh/sshd_config \
  && systemctl restart sshd

# remove stale 192.168.x.x host keys from known_hosts to avoid
# "host key has changed" errors while running ansible-playbook
# (ssh-keygen -R <HOST> removes the entry for a single host instead)
# if MacOS then use, -i ''
sed -i "/^192\.168\./d" ~/.ssh/known_hosts

Ansible Inventory

The inventory defines the hosts and groups that ansible-playbook and ad-hoc commands operate on.

cat <<EOF > /etc/ansible/hosts
[webservers]
webserver1 ansible_host=192.168.x.x ansible_user=USERNAME
example.com ansible_user=USERNAME
# .....

[dbservers]
dbserver1 ansible_host=192.168.x.x ansible_user=USERNAME
# .....

# Connection variables shared by all hosts
[all:vars]
ansible_connection=ssh
# StrictHostKeyChecking=no skips SSH host key verification; drop it once the
# hosts' keys are present in known_hosts
ansible_ssh_extra_args='-o StrictHostKeyChecking=no -o IdentitiesOnly=yes'
ansible_python_interpreter=/usr/bin/python3
# Passwords set here are stored in clear text; prefer -k / -K at run time or
# an ansible-vault encrypted vars file
# ansible_ssh_pass=PASSWORD
# ansible_become_pass=PASSWORD
# (ansible_sudo_pass is the deprecated name for ansible_become_pass)
EOF
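As an added check (not part of the original post), this Python script audits the two snippets above, the /etc/ansible/hosts template and an ansible.cfg, for the settings a security review flags: clear-text connection passwords and a disabled host key check. The sample inventory and config are constructed here; the ansible_* variable names are Ansible's own.

```python
import re
import shlex
# Constructed sample inputs, modelled on the page's /etc/ansible/hosts and ansible.cfg snippets.
SAMPLE_INVENTORY = """\
[webservers]
webserver1 ansible_host=192.168.1.10 ansible_user=deploy
[all:vars]
ansible_connection=ssh
ansible_ssh_extra_args='-o StrictHostKeyChecking=no -o IdentitiesOnly=yes'
ansible_python_interpreter=/usr/bin/python3
ansible_ssh_pass=hunter2
"""
SAMPLE_CFG = "[defaults]\n#host_key_checking = False\nhost_key_checking = False\n"

# Credential variables (clear text in an INI inventory) and variables that pass raw options to ssh.
SECRET_VARS = {"ansible_ssh_pass", "ansible_password", "ansible_sudo_pass", "ansible_become_pass"}
SSH_ARG_VARS = {"ansible_ssh_extra_args", "ansible_ssh_common_args", "ansible_ssh_args"}


def inventory_vars(text):
    """Yield (section, owner, key, value) for every key=value in an INI-style inventory."""
    section = "ungrouped"
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # honours quotes, drops '#' comments
        if not tokens:
            continue
        if tokens[0].startswith("[") and tokens[0].endswith("]"):
            section = tokens[0][1:-1]
            continue
        # [group:vars] lines are bare key=value owned by the group; host lines start with the host name
        owner = section.split(":")[0] if section.endswith(":vars") else tokens.pop(0)
        for tok in tokens:
            key, _, value = tok.partition("=")
            yield section, owner, key, value


def audit_inventory(text):
    """Return findings for the weak settings the page's inventory template carries."""
    findings = []
    for section, owner, key, value in inventory_vars(text):
        if key in SECRET_VARS and value:
            findings.append(f"[{section}] {owner}: {key} stored in clear text; use -k/-K or an ansible-vault vars file")
        elif key in SSH_ARG_VARS and re.search(r"StrictHostKeyChecking\s*=?\s*no", value):
            findings.append(f"[{section}] {owner}: {key} disables SSH host key verification")
    return findings


def audit_cfg(text):
    """Flag an active (uncommented) host_key_checking = False line in ansible.cfg."""
    disabled = re.compile(r"^\s*host_key_checking\s*=\s*false\s*$", re.IGNORECASE)
    return [f"ansible.cfg line {n}: host_key_checking disabled"
            for n, line in enumerate(text.splitlines(), 1) if disabled.match(line)]
```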

Ansible Playbook

A playbook contains the steps, or tasks, that you want to execute on a remote machine.

# create a playbook called filename.yml
# (the quoted 'EOF' stops the local shell from expanding $HOME into the file)
cat <<'EOF' > filename.yml
- hosts: all
  remote_user: <USERNAME>
  become: true
  become_method: sudo
  become_user: root
  tasks:
    - name: Ping me
      ping:
      tags:
        - ping-me
    - name: make a dir
      # runs as root because of become, so $HOME is root's home on the remote
      shell: mkdir -p $HOME/test
      tags:
        - make-a-dir
EOF

# execute with a private key, no password needed
ansible-playbook -l <SERVER_NAME> -u <USERNAME> filename.yml --private-key <.ssh/id_rsa>

# execute with an ssh password prompt (-k), no ssh key needed
ansible-playbook -l server1 -u <USERNAME> -k filename.yml

# pass extra variables (-e) into the playbook
ansible-playbook -l server2 -u <USERNAME> -k filename.yml -e <key>=<value>

# execute only the tasks carrying a specific tag
ansible-playbook -l all -u <USERNAME> -k filename.yml --tags 'tag-name'

# prompt for the vault password before executing (needed for vault-encrypted files)
ansible-playbook -l all -u <USERNAME> -k filename.yml --ask-vault-pass

# read the vault password from passwdfile.txt (keep it mode 0600 and out of version control)
ansible-playbook -l all -u <USERNAME> -k filename.yml --vault-password-file passwdfile.txt

Ad-Hoc Commands

Instead of writing a playbook, you can run ad-hoc commands. They are quick and easy, but not reusable.

# execute with a private key, no password needed
ansible <SERVER_NAME> -u <USERNAME> -i <HOSTS_FILE> -m <MODULE> -a <ARGUMENTS> --private-key <.ssh/id_rsa>

# execute with an ssh password prompt (-k), no ssh key needed
ansible <SERVER_NAME> -u <USERNAME> -k -m ping

# check uptime (the default module when -m is omitted is `command`)
ansible <SERVER_NAME> -u <USERNAME> -k -a 'uptime'

# run any command on the remote machine (`command` does not go through a shell;
# use `shell` when you need pipes, redirects or variable expansion)
ansible <SERVER_NAME> -u <USERNAME> -k -m shell/command -a 'any-linux-command'

# check the sshd status on the remote machine
ansible <SERVER_NAME> -u <USERNAME> -k -m shell/command -a '/sbin/service sshd status'

# start sshd on the remote machine
ansible <SERVER_NAME> -u <USERNAME> -k -m service -a 'name=sshd state=started' --become

# install/remove a package on the RedHat family (package changes need root, hence --become)
ansible <SERVER_NAME> -u <USERNAME> -k -m yum -a 'name=wget state=present/absent' --become

# install a package on the Debian family
ansible <SERVER_NAME> -u <USERNAME> -k -m apt -a 'name=sysstat state=latest' --become

# copy a file from local to remote (module arguments are not shell-expanded, so spell out the path)
ansible <SERVER_NAME> -u <USERNAME> -k -m copy -a 'src=filename.txt dest=/home/<USERNAME>/filename.txt'

# remove a file from the remote
ansible <SERVER_NAME> -u <USERNAME> -k -m file -a 'dest=/root/filename.txt state=absent' --become

# copy a file from remote to local (flat=yes stores it at dest instead of dest/<hostname>/src)
ansible <SERVER_NAME> -u <USERNAME> -k -m fetch -a 'src=remote_machine.txt dest=host_machine.txt flat=yes'

# create a user on the remote; the user module expects a password hash, not the clear-text password
ansible <SERVER_NAME> -u <USERNAME> -k -m user -a "name=redhat password={{ 'redhat' | password_hash('sha512') }}" --become

Ansible Vault

Ansible Vault encrypts a playbook, a vars file, or a single string with a password, so secrets are not stored in clear text, and decrypts it again when you need to run or edit it.

# encrypt a file
ansible-vault encrypt filename.yml

# decrypt a file
ansible-vault decrypt filename.yml

# change the vault password of an encrypted file
ansible-vault rekey filename.yml

# view an encrypted file
ansible-vault view filename.yml

# edit an encrypted file in place
ansible-vault edit filename.yml

# encrypt a single string, e.g. a password for a vars file (prompts for the vault password)
ansible-vault encrypt_string '<SECRET>' --name '<VAR_NAME>'

Ansible Roles

A role is a complete unit of automation that can be reused and shared. When you create a role, the default directory structure contains variables, tasks, files, templates, and modules.

Ansible Galaxy

The ansible-galaxy command creates the skeleton of a new role and installs existing ones. https://galaxy.ansible.com is the website where you can host and share your own role(s).

# create the skeleton of a new Ansible role
ansible-galaxy init <PROJECT_NAME>

# search for a role
ansible-galaxy search <ROLE_NAME> --author <AUTHOR_NAME>

# install a role from Galaxy
ansible-galaxy install <AUTHOR_NAME>.<ROLE_NAME>

# get information about the role
ansible-galaxy info <AUTHOR_NAME>.<ROLE_NAME>

# installed roles will be found here
ls -la /etc/ansible/roles