Ansible

The Ansible tutorials will cover the following topics.

  • What is Ansible?
  • How to install Ansible?
  • The Ansible architecture
  • Configuration of Ansible
  • How to work with Playbook in Ansible?
  • How to work with Inventory Files in Ansible?
  • How to work with modules in Ansible?
  • How to develop, test and release a playbook?
  • How to take Ansible to Production?
  • How to handle Errors in Ansible?
  • How to Rollback in Ansible?
  • How to work with Reporting in Ansible?
  • How to create a custom module in Ansible?
  • How to create provisioning for Docker?
  • How to deploy Ansible in a large organization?
  • What is Ansible Tower?

What is Ansible?

Ansible is a very simple IT automation engine that automates provisioning, configuration, application deployment and intra-service orchestration, with the aim of increasing productivity. It is written in Python and can be installed on Linux machines only.

Ansible is an infrastructure automation tool. It can set up several build agents in a continuous integration (CI) system. Using Ansible, building or rebuilding infrastructure is easy, fast and error free. All setup can be done with just one click. Ansible provides fuel for the DevOps journey. The primary aim of configuration management is to bring machines to a desired state as fast as possible.

Other infrastructure automation tools are:

  • Chef
  • Puppet
  • Salt
  • etc.

Infrastructure testing tools are:

  • Serverspec
  • Test Kitchen
  • etc.

Provisioning tools are:

  • Docker
  • LXC
  • Vagrant
  • etc.

Deployment tools are:

  • ThoughtWorks Go
  • Atlassian Bamboo
  • Jenkins
  • etc.

Orchestration tools are:

  • MCollective
  • Salt
  • Serf
  • Chef

Monitoring tools are:

  • Nagios
  • Ganglia
  • Zenoss
  • Graphite
  • Sensu
  • Riemann

Logging tools are:

  • Logstash-Kibana
  • Sumo Logic
  • Rsyslog

Ansible needs to be installed on a single machine, which will manage your whole infrastructure. For the remaining client machines, we need either their hostname or their IP address.

Client server-Ansible

Push and pull based mechanism

There are two mechanisms available: the pull-based mechanism and the push-based mechanism.

Pull based

In the pull-based mechanism, the client contacts the server and checks whether any config is applicable to the machine. If there is, the server provides the client with the configuration or other details.

Puppet and Chef follow the pull-based mechanism. The agent on the server periodically checks for configuration information from the central server.

Pull based

Push based

In the push-based mechanism, the server pushes the applicable config or other details to the client, without an agent.

push based mechanism

Ansible follows the push-based mechanism. The central server pushes the configuration information to the target client.

| Mechanism | Server | Client |
| --- | --- | --- |
| Normal / pull based | Responsible for providing the service | Accesses the server; needs some utility to access the server |
| Ansible / push based | Config changes are made on the Ansible server | No need to install any utility to access the server |

The Architecture of Ansible

| Agent-based system | Agentless system |
| --- | --- |
| This kind of system needs an external agent along with its dependencies. | No agent is required; only a proper SSH daemon setup is required. |
| Agent-based systems need to invoke the agent in order to run and pull the latest configuration. The agent runs either as a service or as a cron job. | These systems push the configuration remotely without an agent. |
| Parallel agent execution may slow down the server. Serverless execution can make the process faster. | Parallel execution is faster as long as the parallel execution count is lower than the allowed SSH connection count. |
| Agent installation and permissions are a headache. | Only an SSH-based remote connection is required. |

Puppet needs an agent on the Puppet server. The agent program needs some space and CPU prioritization.

Ansible runs in push mode by default, but with ansible-pull it provides an agent that can work in pull mode. To make the default SSH connections faster, we can always enable ControlPersist and pipelining mode.

Tools like Chef and Puppet are agent based and work in pull mode by default. Using serverless Chef and masterless Puppet, we can scale up to a large number of machines.

Ansible architecture


Ansible tasks defined in playbooks execute sequentially by default. However, we can insert conditions and loops so that selective execution can happen. Ansible provides a set of APIs to run a script. Mostly, when we create our own task set, we call these APIs with the help of custom wrappers. All playbooks are written in YAML. They are simple and declarative. Ansible can execute N threads in parallel.

Features of Ansible

  • Open source
  • Written in Python, so easy to read and extend (built on top of Python)
  • Easy installation and configuration
  • Highly scalable
  • Agentless client connection
  • SSH for secure connection
  • Simple English-language configuration setup

Who uses Ansible

Suppose we want to push a piece of software or a patch, or install some packages. Manual installation is very tedious and time consuming, and error prone too. To simplify the process we can use Ansible. These activities can be done very easily with an Ansible script, command or playbook.

Below are the people who use Ansible:

  • System administrator
  • Data engineers
  • Devops Professionals
  • Developers
  • Testers
  • Database administrator
  • Network administrator

How to install Ansible?

Ansible is available in the EPEL repositories. It does not come with a normal Unix or Linux distribution, so we need to activate EPEL. In order to install Ansible, yum will contact the internet and download the required software and other dependency files.

Prerequisites of Ansible

  • SSH client (OpenSSH)
  • Python (PyYAML, Jinja2)
  • Paramiko
  • Vagrant
  • Serverspec
  • PIP
  • Git
  • httplib2

Ansible system requirements for clients (nodes)

  • 2 GB RAM
  • 20 GB hard disk
  • SSH (OpenSSH)
  • OS: RHEL/CentOS/Ubuntu/Oracle Linux/Mac/BSD/Solaris/Windows

Ansible system requirements for the Ansible server

  • Linux (RHEL/CentOS/Oracle Linux) operating system
  • 4 GB RAM
  • 40 GB hard disk space
  • SSH (OpenSSH)
  • Enabled EPEL repository for CentOS (6.8 or 7.2)
  • Internet Connection

Installing Ansible

If you have an existing infrastructure but need a server version of Ansible, you can install Ansible with pip. The pip tool manages Python packages along with their libraries. The advantage of pip is that all Ansible releases are pushed automatically, so no manual updating is required.

After Git installation:
PATH=/home/vagrant/ansible/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/vagrant/bin
PYTHONPATH=/home/vagrant/ansible/lib
MANPATH=/home/vagrant/ansible/docs/man

Once we have installed easy_install, we can install the remaining packages.

>sudo easy_install pip   // installs the pip package

Then we need to install paramiko, PyYAML, jinja2 and httplib2:

>sudo pip install paramiko PyYAML jinja2 httplib2

This command will install all the other packages.

By default, Ansible checks out the development branch. If we want some other branch, we need the following commands:

>git branch -a
//like
>git checkout release1.7.3

Once the checkout is finished and Ansible has switched to the chosen branch, we can verify the version using the following command:

>ansible --version

Install Ansible from an RPM file

>sudo rpm -Uvh ~/rpmbuild/ansible-*.noarch.rpm

Install via Apt

Ansible is available for Ubuntu in a Personal Package Archive (PPA).

>sudo apt-get install apt-add-repository
>sudo apt-add-repository ppa:rquillo/ansible
>sudo apt-get update
>sudo apt-get install ansible

Installing via brew (Homebrew)

>brew update
>brew install ansible

Installing via pip (Python's package manager)

>sudo easy_install pip
>sudo pip install ansible

For installing multiple other packages, it is always better to install the easy_install package.
Since Ansible can be installed on different Linux flavours, below are the commands to install the packages.

For Fedora, Red Hat Enterprise Linux, CentOS and other compatible Linux distributions, use the following command:

>yum install ansible

Yum is a package manager. It resolves the dependencies when installing the EPEL release package.

>yum install -y epel-release
>yum install -y ansible //This will install ansible.

For Ubuntu, Debian and other compatible Linux distributions, use the following command:

>apt-get install ansible

If using pip, use the following command:

>pip install ansible

The pip tool will resolve the other dependencies, download the required packages and install them.

If you want to install from source code, use the following commands:

>git clone https://github.com/ansible/ansible.git
>cd ansible/
>sudo make install
//or, to run from the checkout
>source ./hacking/env_setup

Ansible is hosted on GitHub. All releases are posted to Git regularly.

How to check if Ansible is installed properly?

>ansible --version

This command will show the version of Ansible if Ansible is installed successfully.

Alternatively,

>rpm -qa | grep ansible
ansible-<version>.el<version>.noarch

This shows that Ansible is installed correctly.

To get help in Ansible

>ansible --help

Usage:

ansible <host_pattern> [options]

Options:

-a MODULE_ARGS, --args=MODULE_ARGS

Module arguments

-i INVENTORY, --inventory-file=INVENTORY

Which inventory host file to use (default=/etc/ansible/hosts)

-m MODULE_NAME, --module-name=MODULE_NAME

Name of the module to run (default=command)

How to check details of the Ansible package?

>rpm -ql ansible-<version>.el<version>.noarch | more
/etc/ansible -> main file
/etc/ansible/hosts -> client IPs and details
/etc/ansible/roles -> all roles are defined here
/usr/bin/ansible -> ansible commands
/usr/bin/ansible-console -> console command
/usr/bin/ansible-galaxy -> predefined templates
/usr/bin/ansible-playbook -> configure playbook
/usr/bin/ansible-pull -> enable pull mode
/usr/bin/ansible-vault -> Ansible Vault
[Python library]
-----
-----
[ansible modules]
-----
-----
[extras]
-----
-----

Now we need to create a user who can access Ansible. By default, everything will be created as the root user.

How to check who is logged in?

>whoami

This command tells which user is currently logged in.

How to create a new user for Ansible?

>useradd ansuser
//or, with an explicit home directory
>useradd -d /home/ansadm -m ansuser
>passwd ansuser
New password:
Retype password:
//These steps need to be done on all clients.
>passwd -x -1 ansuser   // create a non-expiring password

The Ansible architecture

Once we have created a user for Ansible, we need to switch to the new user.

How to switch to another user?

>su - ansuser

su (switch user) is the command to switch from one user account to another.

How to generate a public and private key?

>su - ansuser
>ssh-keygen
Enter passphrase: no data (a passphrase is extra security)
//This will generate the public and private key.
//We need to copy the public key to all the clients.
>ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Alternatively:

>su - ansuser
>ssh-keygen -t rsa
>cat ~/.ssh/id_rsa.pub

Copy the key. On the client, follow these steps:

>mkdir .ssh
>chmod 700 .ssh
>chown ansuser:ansuser .ssh
>cd .ssh/
>vi authorized_keys

Paste the key.

>chown ansuser:ansuser authorized_keys
>chmod 600 authorized_keys

Can we avoid password while logging in to clients?

With SSH passwordless login, we can avoid providing a password while logging in to clients. On the server we generate a public and private key and send the public key to the client. The client's response is decrypted using the private key.

This is how passwordless login happens with each of the client machines.

Components of Ansible

Program

  • ansible
  • ansible-doc
  • ansible-playbook
  • ansible-pull

Module

  • Performs configuration and system management, e.g. copy, service, user, group, etc.

Ansible Architecture: Agentless configuration

Ansible follows a client-server architecture where the server is called the Ansible control server. The server has to be a Linux system. The control server is written in Python. The server machine is called the controller machine, and the server is command-line based.

Since Ansible is a config management automation tool, it neither stores huge files on the server nor places small files on the clients.

Ansible server client architecture


Ansible clients are otherwise known as nodes (managed hosts or managed nodes). Clients can be Linux, Unix (BSD, Solaris, HP-UX, Mac) or Windows systems. The client does not have any agent to receive data from the server. Clients are connected over SSH with the command:

>ssh [email protected]

The server holds the inventory file with host information (the client machines' hostnames and IP addresses). We can alter it by adding inventory parameters on the server.

Ansible pull mode

To improve playbook scalability for large projects, Ansible supports a pull mode. In this mode Ansible does not connect over SSH; rather, it runs only on the machine it is working on. It downloads the already prepared configuration file from a Git repository.

We need to use ansible-pull in the scenarios below:

  • The node is a member of an auto-scaling server farm and is not available when configuring them.
  • We have a large machine base to configure, with an equally high number of forks. They take a huge amount of time to get configured.
  • All our machines need to update their configuration automatically when the repository is updated.
  • We are working on a machine where we do not have network access.

The disadvantages of pull mode

  • We need credentials to access other machines, gather variables and copy files.
  • We need to manually coordinate running the playbooks across a server farm.
  • Servers may be behind strict firewalls that may not allow incoming SSH connections.

Pull mode does not require any major changes in the playbook; rather, we need to set up a cron job that runs ansible-pull at a predefined interval in minutes.

Playbook example of pull mode

---
- name: setup cron
  cron:
    name: "ansible-pull"
    user: ansadmin
    minute: "*/10"
    state: "present"
    # -U is the repository URL, -d the checkout directory
    job: "ansible-pull -U http://git.int.example.com.com/gitrepos/ansiblepull.git -d /opt/ansiblepull {{ inventory_hostname_short }}.yml"
...

How to test connectivity between server and clients?

Ansible provides a module called ping that helps us test connectivity.

>ansible appserver1.techtravelhub.com -u root -m ping

O/P:

appserver1.techtravelhub.com | success >> {
    "changed": false,
    "ping": "pong"
}

If you have set up an SSH key, you don't need to use the -k argument. If you have set up the Ansible user, you do not need to specify the user (root) either.

How to set up the username globally?

In order to set up the username globally, we need to configure ansible.cfg. Open the file in the vi editor and the file will look like below:

Now navigate to remote_user under the defaults section. We can also change the default port on which Ansible connects using SSH. To add the username in the inventory file, we need to add the parameter below:

ansible_ssh_user

like

[Web]
webserver1.techtravelhub.com ansible_ssh_user=ansadmin
webserver2.techtravelhub.com ansible_ssh_user=testuser

Provide a user with sudo privileges

To give a user sudo privileges, we need to use the --become option.

Open sudoers in the vi editor

>vi /etc/sudoers

Now go to the line

root ALL=(ALL) ALL

Add your user name like

ansadmin ALL=(ALL) NOPASSWD:ALL

Now we need to add this line on all client machines in order to give this user (ansadmin) sudo privileges on every machine.

>ansible all -m user -a "name=ansadmin state=present" --become

You can use a password with sudo or you can use passwordless sudo.

If you want to use the password, you need to use the -K argument or set the ask_sudo_pass value to true. You can use the --sudo option on the command line as well.

Adhoc Commands

Ad hoc commands are useful for running generic commands, like copying a file or pinging a machine. Assume that we have the inventory file below:

[Web]
webserver1.techtravelhub.com
[db]
dbserver1.techtravelhub.com

We want to copy a file to the web server.
The ad hoc command syntax:

>ansible <group name | machine name | IP> -m <module-name> -a <attributes>
>ansible all|web|10.0.0.1 -m file|copy|user|yum|ping

Like

>ansible all -m ping   => pings all machines
>ansible all -m shell -a "hostname"   => gives the hostname
>ansible all -m shell -a "uname"   => gives the system name
>ansible all -m shell -a "cat /etc/os-release"   => gives the OS name
>ansible all -m user -a "name=techtravelhub state=present"

This command ensures that the user techtravelhub is present on all machines.

Variables in Ansible

The concept of variables in Ansible is covered in the variables section.

Ansible facts

Ansible facts are information about the node or client machine, like:

  • host_name
  • IP address (IPv4, IPv6…)
  • kernel version
  • network devices
  • hard disk etc.

Ansible facts are read-only information and cannot be changed from the Ansible server.

>ansible web -m setup   => provides the setup info

The output contains a lot of information that we may not be interested in, so we can filter for the information we require.

>ansible web -m setup -a "filter=ansible_architecture"

Provides all client-related OS details:

>ansible web -m setup -a "filter=ansible_distribution"
>ansible web -m setup -a "filter=ansible_date_time"

To print this information, we can use the debug module with its msg parameter.

How to work with Inventory files in Ansible?

Inventory files play a great role in Ansible configuration. The link shows details on inventory files.

How to work with Ansible loops and conditions?

Loops and conditions are powerful tools to customize Ansible tasks.

How to use external data lookups?

Ansible supports lookup plugins that allow it to gather data from outside sources. Ansible has several data lookup plugins. The plugins are flexible, so we can write our own plugins for data lookup. Data lookups are mainly written in Python and run on the controlling machine.

Data lookups are executed in two different ways:

  • Direct calls with a "with_*" key. They can be used as a variable or in a loop.

Like with_fileglob

  • Direct injection. In this way, we directly inject the lookup plugin in the playbook.

---
- name: download a file
  hosts: all
  tasks:
    - name: download file
      get_url:
        dest: "/var/temp/myfile.tar.gz"
        url: "http://server/myfile.tar.gz"
      environment:
        http_proxy: "{{ lookup('env', 'http_proxy') }}"

Lookup plugins can be used in the Ansible variables section too. In that case the lookup runs every time, to pick up data from the external file.

We use lookup plugins in the conditions below:

  1. Copying a whole directory of Apache config to a conf.d-style directory.
  2. Using environment variables to adjust what the playbook does.
  3. Getting configuration from DNS TXT records.
  4. Fetching the output of a command into a variable.

How to work with Handlers in ansible?

Handlers are important for customizing playbooks and making them efficient.

How to execute or run operations in parallel?

As per the configuration file, Ansible forks only up to five times, i.e. it works on five different machines at a single go. So if we have a huge number of machines to manage, we need to increase the forks value. Apart from this, we need to launch Ansible tasks asynchronously. These two factors let Ansible run with the maximum number of forks. To run operations in parallel, we need to use the async and poll keywords. The async keyword allows Ansible to run jobs in parallel, and Ansible will wait till they finish. The poll keyword checks the status of the task, i.e. whether the given job is completed or not.

Run operations in parallel

- hosts: all
  tasks:
    - name: Install httpd
      yum:
        name: "httpd"
        state: "installed"
    - name: Run update
      command: /usr/bin/httpd
      async: 400
      poll: 15

When the command module is combined with the yum module, the yum module acts differently. The command module runs across all machines, whereas the yum module works on a batch of five machines; once finished, yum takes up the next five.

If the command module starts a daemon, we can start it without further polling to check the status. We can use the wait_for module to check for completion. If we set poll: 0 (zero), Ansible will not wait for the job to complete. On the other hand, if the job takes a huge time to complete, we can wait for an undefined period by setting async to 0 (zero).

The ansible polling can be used if

  • We have a long running task that may reach timeout.
  • We need to run same operations on a huge set of client machines.
  • We have such operations for which we do not need to wait to complete.

In the scenarios below, we cannot use async or polling:

  • If our job acquires a lock that prevents other things from running.
  • If our job takes a short time to run.

How to delegate tasks in Ansible?

By default, Ansible runs all required tasks "all at once" on the configured client machines. This feature is good when we have a huge machine base that needs to be configured. In this case, each machine is responsible for communicating its status to the remote machines. If we need to perform an action on a different host than the one Ansible is working on, we can use the delegation mechanism.

Delegation of a task is done via the delegate_to key. It runs the task on the delegated machine (not on all target machines). Delegation can be to the local machine (localhost) or to any host that is in the inventory.

The reasons for delegation are as follows:

  • Removing a host from a load balancer before deployment.
  • Changing DNS to direct traffic away from a server that we are about to change.
  • Creating an iSCSI volume on a storage device.
  • Using an external server to check that access outside the network works.

Tags in Ansible

Ansible tags allow us to select a part or parts of a playbook to run. The remaining sections are skipped.

Let's create a playbook called playtags.yml

---
- hosts: db
  user: ansadmin
  become: true
  become_method: sudo
  tasks:
    - name: installing httpd package
      yum:
        name: "httpd"
        state: "installed"
      tags:
        - install
    - name: starting the service
      service:
        name: "httpd"
        state: "started"
      tags:
        - service
    - name: copying the index file
      copy:
        src: "/er/ansible/index.html"
        dest: "/var/www/html/index.html"
      tags:
        - copy
        - deploy
        - configure
...

In Ansible, we can assign multiple tags to a task.

> ansible-playbook playtags.yml --tags copy
> ansible-playbook playtags.yml --tags service
> ansible-playbook playtags.yml --tags install

To list the tags

> ansible-playbook playtags.yml --list-tags

Ansible Vault

Ansible Vault is helpful for keeping things like playbooks safe and secret. If we do not use Vault, any user may log in and read the content of our playbook.

Ansible Vault uses AES-256 encryption to encrypt a playbook with proper authentication and authorization. However, anybody who knows the authorization key (password) can decrypt the encrypted playbook.

To encrypt an already existing playbook

> ansible-vault encrypt PlaybookName.yml
New vault password:// set the new password
Confirm password:// confirm the password

The data is encrypted completely. If we now open the file using cat or vi, we see an encrypted version of the playbook. We cannot even change the content of the playbook.

To view the playbook

> ansible-vault view PlaybookName.yml

It will ask for the password. If the correct password is given, we can see the original content.

To edit an already encrypted playbook

> ansible-vault edit PlaybookName.yml

To decrypt an encrypted playbook

> ansible-vault decrypt PlaybookName.yml

How to create a new playbook encrypted using Vault?

> ansible-vault create NewPlaybookName.yml
New vault password:
Confirm vault password:

How to change the vault password?

> ansible-vault rekey NewPlaybookName.yml
New vault password:
rekey vault password:

How to execute an encrypted playbook?

> ansible-playbook NewPlaybookName.yml --ask-vault-pass
Vault password:

We can save the password in a file and refer to the file from the command line.

> ansible-playbook playbookName.yml --vault-pass-file passwordFile
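
An added example (not from the original tutorial or the Ansible project): before relying on a password file as in the command above, check that the file is private and that the files meant to be vaulted really carry the vault header. The function names and sample contents are constructed for illustration; the header layout `$ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]` is the first line that ansible-vault writes.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed samples: the vault body is a placeholder, not real ciphertext.
SAMPLE_VAULTED = "$ANSIBLE_VAULT;1.1;AES256\n<constructed placeholder for hex ciphertext>\n"
SAMPLE_PLAIN = "---\n- hosts: db\n  vars:\n    db_password: example\n"


def parse_vault_header(text):
    """Return version, cipher and vault id if text starts with a vault header, else None."""
    lines = text.splitlines()
    parts = lines[0].strip().split(";") if lines else []
    if len(parts) not in (3, 4) or parts[0] != "$ANSIBLE_VAULT":
        return None
    return {
        "version": parts[1],
        "cipher": parts[2],
        "vault_id": parts[3] if len(parts) == 4 else None,
    }


def unencrypted_files(paths):
    """Return the paths that are expected to be vaulted but have no vault header."""
    return [p for p in paths
            if parse_vault_header(Path(p).read_text(errors="replace")) is None]


def password_file_findings(path):
    """Return findings for a file that is passed to --vault-pass-file."""
    mode = Path(path).stat().st_mode
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible by group or others: restrict to mode 0600")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        # Ansible executes an executable password file and reads the
        # password from its output, so the bit changes what the file means.
        findings.append("executable: Ansible runs it as a script instead of reading it")
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        vaulted = Path(tmp) / "secrets.yml"
        plain = Path(tmp) / "site.yml"
        pw_file = Path(tmp) / "passwordFile"
        vaulted.write_text(SAMPLE_VAULTED)
        plain.write_text(SAMPLE_PLAIN)
        pw_file.write_text("constructed-password\n")
        os.chmod(pw_file, 0o644)
        print("not vaulted:", [p.name for p in unencrypted_files([vaulted, plain])])
        print("password file:", password_file_findings(pw_file))
```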

Ansible configuration

The Ansible configuration file is similar to the INI file format. The placement of the ansible.cfg file depends on the installation.

  • If we have installed Ansible via the system package manager or pip, the ansible.cfg file will automatically be available under the /etc/ansible directory.
  • If we have installed via GitHub, ansible.cfg will be present in the examples directory; we need to copy or clone it.

To find the configuration file, Ansible follows the steps below:

  • It checks the environment for the ANSIBLE_CONFIG variable and the file it points to.
  • If it does not find any entry there, it checks the current directory (./ansible.cfg).
  • If it does not find it in the current directory, it searches the user's home directory (~/.ansible.cfg).
  • If all the above searches fail, it looks for the config file in the /etc/ansible/ directory.
  • If we have installed Ansible via yum or a package manager, the config file should get created automatically.

Most of the configuration parameters can be set via environment variables. The common way to construct the variable name for a configuration parameter is

ANSIBLE_<PARAMETER IN UPPER CASE>

Elements of configuration file

Ansible has many configuration parameters, namely:

  • hostfile -> Path to the inventory file. The inventory file consists of the list of machines that Ansible will try to connect to.
hostfile=/etc/ansible/hosts
  • library -> Actions that can be performed via Ansible (pieces of code, i.e. modules) reside in the library.
library=/usr/share/ansible
  • forks -> Number of parallel threads allowed to run.
forks=5
  • sudo_user -> The access level of the default user that works with Ansible commands.
sudo_user=root
  • remote_port -> The port used for SSH connections (default is 22).
remote_port=22
  • host_key_checking -> Controls SSH host key checking (true by default); the line below disables it.
host_key_checking=False
  • timeout -> The timeout value for SSH connection attempts.
timeout=60
  • log_path -> Enables logging for Ansible (by default Ansible does not log anything).
log_path=/var/log/ansible.log
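
An added example (not part of the original tutorial or of Ansible's own code): a Python walk-through of the search order listed above, followed by an audit of three settings from the parameter list. The function names and the sample config are constructed for illustration; skipping ./ansible.cfg in a world-writable directory mirrors what current Ansible releases do.

```python
import configparser
import stat
import tempfile
from pathlib import Path

# Constructed sample that reuses parameter values shown in this tutorial.
SAMPLE_CFG = """\
[defaults]
hostfile = /etc/ansible/hosts
forks = 5
remote_user = root
host_key_checking = False
timeout = 60
"""


def find_ansible_cfg(env, cwd, home, system_dir="/etc/ansible"):
    """Return the first existing config file in the documented search order, or None."""
    candidates = []
    if env.get("ANSIBLE_CONFIG"):
        candidates.append(Path(env["ANSIBLE_CONFIG"]))
    cwd = Path(cwd)
    # A world-writable directory lets any local user plant an ansible.cfg,
    # so the file in the current directory is only trusted otherwise.
    if not cwd.stat().st_mode & stat.S_IWOTH:
        candidates.append(cwd / "ansible.cfg")
    candidates.append(Path(home) / ".ansible.cfg")
    candidates.append(Path(system_dir) / "ansible.cfg")
    for path in candidates:
        if path.is_file():
            return path
    return None


def audit_defaults(cfg_path):
    """Return a list of findings for risky [defaults] settings in cfg_path."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(cfg_path)
    defaults = parser["defaults"] if parser.has_section("defaults") else {}
    findings = []
    checking = defaults.get("host_key_checking", "true").strip().lower()
    if checking in ("false", "no", "0", "off"):
        findings.append("host_key_checking disabled: SSH host keys are not verified")
    if not defaults.get("log_path", "").strip():
        findings.append("log_path unset: runs leave no log on the control server")
    if defaults.get("remote_user", "").strip() == "root":
        findings.append("remote_user is root: connect as an unprivileged user and use become")
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        project.mkdir(mode=0o755)
        (project / "ansible.cfg").write_text(SAMPLE_CFG)
        found = find_ansible_cfg({}, project, Path(tmp) / "home", Path(tmp) / "etc")
        print("using", found)
        for finding in audit_defaults(found):
            print(" -", finding)
```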

I am the founder and owner of the blog - TechTravelHub.com, always love to share knowledge on test automation, tools, techniques and tips. I am a passionate coder of Java and VBScript. I also publish articles on travel ideas and great honeymoon destinations. Apart from these, I am a gear-head and love to drive across India. I have shared lots of articles here on how to travel to several parts of India. Customization of cars, aka car modification, is another hobby of mine. Get in touch with me on [email protected]
