Ansible
Agentless Push-based Configuration Management Tool
- The Control node is where Ansible is installed
- The Ansible Inventory contains all known nodes
- A Managed Node is a Host that Ansible controls
- Ansible Playbooks contain multiple plays that define the commands and modules to run on the Nodes
- Use Ansible Roles to load related vars, files, tasks, handlers, and other Ansible artifacts based on a known file structure
- Ansible Handlers are tasks that only run when notified.
- Ansible tries to be idempotent, only applying changes when the node is not already in the desired state
- Customize Ansible with Ansible Modules and Ansible Plugins
- Example configuration file: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
Pros
- Agentless
- YAML is easy to learn
Cons
- Slower than other tools
- YAML not as powerful as Ruby
Getting Started
- Ping all known hosts in group home-lab
ansible home-lab -m ping
- Install Ansible
pmi ansible sshpass
- Create a configuration file and add hosts to /etc/ansible/ansible.cfg, or to an inventory file in a local repo (the hosts file passed with -i below):
[ubuntu]
homelab.wg
- Run commands
ansible -i hosts ubuntu -m ping --user unfa --ask-pass
Ansible CLI
- Command Pattern
ansible [pattern] -m [module] -a "[module options]"
- Run one-off / Ad-hoc Commands with
# get hostname
ansible localhost -m command -a hostname
# print date
ansible localhost -m command -a date
# reboot servers (default module is command)
ansible atlanta -a "/sbin/reboot"
Ansible Authentication
- Ansible connects to all remote devices with the user name you are using on the control node.
- Ansible assumes you are using SSH keys to connect to remote machines
- Use an ssh agent, use the --private-key flag to specify a pem file, or add the private key file to an inventory with ansible_ssh_private_key_file.
- Privilege escalation on the managed node uses become: Understanding privilege escalation: become — Ansible Documentation
Ansible Variables
- Using Variables — Ansible Documentation
- Capture a task's output into a variable with register
- Specify --extra-vars on the CLI like key=value
tasks:
  - name: Run a shell command and register its output as a variable
    ansible.builtin.shell: /usr/bin/foo
    register: foo_result
    ignore_errors: true
Ansible Secrets
- Interactive Prompts
- hosts: all
  gather_facts: false
  vars_prompt:
    - name: api_key
      prompt: Enter the API key
  tasks:
    - name: Ensure API key is present in config file
      ansible.builtin.lineinfile:
        path: /etc/app/configuration.ini
        line: "API_KEY={{ api_key }}"
- Or use Ansible Vault
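The Vault variant of the prompt playbook above, as an added example (not from the original notes): the key lives in an encrypted vars file instead of an interactive prompt, the task is marked no_log so the value never reaches stdout or callback logs, and the written file is restricted to root. The vault_api_key name, the group_vars path and the key value are constructed placeholders.

```yaml
# Two files. The first is group_vars/all/vault.yml as it looks BEFORE running
#   ansible-vault encrypt group_vars/all/vault.yml
# (ansible-vault encrypt_string works the same way for a single value).
#
# --- group_vars/all/vault.yml (plaintext, constructed placeholder value) ---
# vault_api_key: "REPLACE-WITH-REAL-KEY"
#
# --- site.yml ---
- hosts: all
  gather_facts: false
  become: true                     # root is needed to write under /etc
  vars:
    # Indirection: the vault_* name stays greppable in the encrypted file,
    # the plain name is what templates and tasks use.
    api_key: "{{ vault_api_key }}"
  tasks:
    - name: Ensure API key is present in config file
      ansible.builtin.lineinfile:
        path: /etc/app/configuration.ini
        regexp: '^API_KEY='       # replace an existing line instead of appending a second one
        line: "API_KEY={{ api_key }}"
        owner: root
        group: root
        mode: "0600"               # a file holding a secret must not be world-readable
        create: true
      no_log: true                 # keep the key out of task output and logs

    - name: Verify the key was written without echoing it
      ansible.builtin.command: grep -q '^API_KEY=' /etc/app/configuration.ini
      changed_when: false          # a read-only check never reports a change
```

Run with `ansible-playbook -i hosts site.yml --ask-vault-pass` (or `--vault-password-file` for unattended runs); the encrypted vault.yml can be committed to the repo, the password file must not be.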
Ansible Conditionals
- Specify a Jinja2 test expression with when (Tests — Ansible Documentation); tasks whose test passes are executed
- Can also use Ansible Facts in conditionals (Conditionals — Ansible Documentation; Facts — Ansible Documentation)
tasks:
  - name: Configure SELinux to start mysql on any port
    ansible.posix.seboolean:
      name: mysql_connect_any
      state: true
      persistent: true
    when: ansible_selinux.status == "enabled"
# all variables can be used directly in conditionals without double curly braces
tasks:
  - name: Shut down Debian flavored systems
    ansible.builtin.command: /sbin/shutdown -t now
    when: ansible_facts['os_family'] == "Debian"
Ansible Filters
- Ansible Filters are the preferred way to manipulate data in Ansible
- Default variables
{{ some_variable | default(5) }}
- Omit a module parameter when the variable is not set
{{ item.mode | default(omit) }}
- Transforming dictionaries into lists with
{{ dict | dict2items }}
- Combining and selecting data
Ansible on Windows
- Ansible can manage Windows machines as long as they have PowerShell installed. Ansible uses PowerShell Remoting to execute commands on remote Windows hosts.