Ansible as configuration management tool for devops
Ansible
What is SSH
SSH is an acronym for Secure Shell.
telnet = clear text
SSH = encrypted
• SSH has more goodies:
• Access using keys / password-less
• Compression
• Secure file transfer (scp, sftp)
• Tunneling
SSH Keys
(diagram: host1 and host2 each hold a key pair id_rsa / id_rsa.pub; each host's id_rsa.pub is added to authorized_keys on server1)
host1$ ssh-keygen
This will create 2 files:
id_rsa : private key
id_rsa.pub : public key
host1$ ssh-copy-id server1
adds id_rsa.pub to the server's authorized_keys
(Password is needed)
host1$ ssh server1
No Password!!
Poor Man’s Administration
$ ssh www1.example.com
www1$ sudo vi /etc/resolv.conf
www1$ sudo apt-get install nginx
:
$
$ ssh www2.example.com
www2$ sudo vi /etc/resolv.conf
www2$ sudo apt-get install nginx
:
$
$ ssh www3.example.com
www3$ sudo vi /etc/resolv.conf
www3$ sudo apt-get install nginx
:
:
: etc …
• Connecting to each server one by one
• Time consuming
• Repetitive & error prone
• Not Reproducible
• No way to track changes!
Poor Man’s Automation
#!/bin/sh
# Hosts to manage; each must accept our SSH key.
HOSTS="
www1.rayed.com
www2.rayed.com
www3.rayed.com
db1.rayed.com
db2.rayed.com
"
for host in $HOSTS
do
    # Copy DNS settings to all servers (writing /etc/resolv.conf needs root,
    # so stage the file and move it into place with sudo)
    scp resolv.conf "$host:/tmp/resolv.conf"
    ssh "$host" "sudo mv /tmp/resolv.conf /etc/resolv.conf"
    # Install Nginx (-y so apt-get does not stop at a prompt)
    ssh "$host" "sudo apt-get install -y nginx"
done
• Loop in a shell script
• Hard to write
• Hard to maintain
• Error prone
Push vs Pull based
What is Ansible
• Ansible is an open-source configuration management and provisioning tool.
• Ansible is agentless.
• It uses SSH to connect to servers and run the configured Tasks.
• Ansible lets you control and configure nodes from a single machine.
• Written by Michael DeHaan in 2013 and then acquired by Red Hat in 2015.
Why Ansible
● No Agent - As long as the box can be ssh'd into and it has Python, it can be configured with Ansible.
● Idempotent - Ansible's whole architecture is structured around the concept of idempotency. The core idea here is that you only do things if they are needed and that things are repeatable without side effects.
● Declarative, Not Procedural - Other configuration tools tend to be procedural: do this, and then do that, and so on. Ansible works by you writing a description of the state of the machine that you want, and then it takes steps to fulfill that description.
● Tiny Learning Curve - Ansible is quite easy to learn. It doesn't require any extra knowledge.
Ansible Use Cases
● Provisioning
● Configuration Management
● App Deployment
● Continuous Delivery
● Security & Compliance
● Orchestration
Architecture of Ansible
Installation
• Ubuntu
$ sudo apt update
$ sudo apt install software-properties-common
$ sudo apt-add-repository --yes --update ppa:ansible/ansible
$ sudo apt install ansible
https://docs.ansible.com/
Inventory
• The Inventory is a description of the nodes that can be accessed by Ansible.
• By default, the Inventory is described by a configuration file, whose default location is /etc/ansible/hosts.
• The configuration file lists either the IP address or hostname of each node that is accessible by Ansible.
• Every host is assigned to a group such as web servers, db servers etc.
• The inventory file can be in one of many formats such as YAML, INI etc.
Ad-Hoc Commands
• Do something quick, not worth saving!
• Not worth writing a Playbook for, just a simple command
• e.g.: get hostname, create a file/dir etc…
• Examples:
ansible all -m ping
ansible ansible-nodes -m ping          # group name
ansible 192.168.56.102 -m ping         # node name/IP
ansible all -m command -a date
ansible all -a date                    # command is the default module
ansible all -a "mkdir ~/test"          # create dir at all nodes
ansible all -a "touch ~/test/newfile"  # create file
Modules
There are over 1000 modules provided by Ansible to automate
every part of the environment. Modules are like plugins that do
the actual work in Ansible; they are what gets executed in each
playbook task.
Each module is mostly standalone and can be written in a
standard scripting language (such as Python, Perl, Ruby, Bash,
etc.). One of the guiding properties of modules is idempotency,
which means that even if an operation is repeated multiple times,
it will always place the system into the same state.
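To make the idempotency property concrete, here is an added example (not code from the slides or from Ansible itself): a minimal module that ensures a line is present in a file, reports `changed` only when it really wrote something, and honours check mode. It follows the WANT_JSON convention (Ansible hands the module the path of a JSON file with the task parameters); the module name, its `path`/`line` parameters and the assumption that check mode arrives as the `_ansible_check_mode` key are ours.

```python
#!/usr/bin/python
# Minimal Ansible-style module demonstrating idempotency (added example).
# The literal WANT_JSON below tells Ansible to pass the arguments as a JSON
# file whose path is argv[1] instead of a key=value string.
WANT_JSON = True

import json
import os
import sys


def ensure_line(path, line, check_mode=False):
    """Ensure `line` is in the file at `path`; return an Ansible-style result.

    Repeating the call never changes the file again: the desired state is
    checked first, and the write happens only when the state is not met.
    """
    existing = []
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as fh:
            existing = fh.read().splitlines()

    if line in existing:
        # Desired state already holds: touch nothing, report no change.
        return {"changed": False, "msg": "line already present"}

    if not check_mode:
        # Check mode (ansible --check) must report what would change
        # without modifying the host.
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return {"changed": True, "msg": "line added"}


def run_module(argv):
    """Read the JSON parameter file, validate it, and return the result dict."""
    if len(argv) < 2:
        return {"failed": True, "msg": "expected path to a JSON args file"}
    with open(argv[1], "r", encoding="utf-8") as fh:
        params = json.load(fh)
    missing = [k for k in ("path", "line") if k not in params]
    if missing:
        return {"failed": True,
                "msg": "missing required args: " + ", ".join(missing)}
    # Assumption: Ansible's internal check-mode flag is delivered as this key.
    check_mode = bool(params.get("_ansible_check_mode", False))
    return ensure_line(params["path"], params["line"], check_mode)


if __name__ == "__main__":
    result = run_module(sys.argv)
    print(json.dumps(result))   # Ansible parses this JSON from stdout
    sys.exit(1 if result.get("failed") else 0)
```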
module: ping
• Check connectivity
• If you can ssh you can ping:
$ ssh user@host
• You can specify group or “all”
• Execute in parallel
$ ansible webservers -m ping
www1.example.com | success >> {
"changed": false,
"ping": "pong"
}
$ ansible www404.example.com -m ping
www404.example.com | FAILED => SSH encountered an unknown error during
the connection. We recommend you re-run the command using -vvvv, which
will enable SSH debugging output to help diagnose the issue
Example of Modules
There are lots of modules such as:
service, file, copy, iptables etc.
Any module can be used as:
ansible 127.0.0.1 -m service -a "name=httpd state=started"
ansible localhost -m ping
module: setup
• Get tons of information about the machine
• Name, Disks, IP, OS version, etc …
• Can be used for conditional operations
$ ansible www1.example.com -m setup
www1.example.com | success >> {
"ansible_facts": {
"ansible_all_ipv4_addresses": [
"178.79.182.89"
],
"ansible_all_ipv6_addresses": [
"2a01:7e00::f03c:91ff:fe70:5c6a",
"fe80::f03c:91ff:fe70:5c6a"
],
"ansible_architecture": "x86_64",
"ansible_bios_date": "NA",
"ansible_bios_version": "NA",
:
module: command
• Execute command on remote machine
• e.g. reboot
$ ansible www1.example.com -m command -a "echo hello"
www1.example.com | rc=0 >>
hello
$ ansible www1.example.com -a "echo hello"
www1.example.com | rc=0 >>
hello
module: apt
• Package management for Debian & Ubuntu
• Install, Uninstall, Update
• There is also “yum” module for RedHat, CentOS, and Fedora.
• You might need:
• -s : command need sudo
• -K : Ask for sudo password
$ ansible www1.example.com -m apt -a "name=nginx state=present"
$ ansible www1.example.com -m apt -a "update_cache=yes upgrade=safe"
Other Interesting Modules
• user: Manage user accounts
• lineinfile: Ensure a particular line is in a file, or
replace an existing line using a back-referenced
regular expression.
• copy: Copies files to remote locations.
• template: Templates a file out to a remote server.
Other Interesting Modules
• authorized_key: Adds or removes an SSH
authorized key
• service: Manage services: start/stop/restart, and start
on reboot.
• mysql_db, mysql_user, postgresql_db,
postgresql_user: Can you guess it!
• git: Deploy software (or files) from git checkouts
Playbooks
Playbooks are simple YAML files. These files are descriptions of
the desired state of your systems. Ansible then does the hard
work of getting your systems to that state no matter what state
they are currently in. Playbooks make your installations,
upgrades and day-to-day management repeatable and reliable.
Playbooks are simple to write and maintain. Playbooks are
written in a natural language so they are very easy to evolve and
edit.
Playbook contains Plays.
Plays contain tasks.
tasks call modules.
What is a Playbook
• Ansible’s configuration,
deployment, and orchestration
language.
• Modules are the tools in your
workshop, Playbooks are your
design plans.
• YAML!
---
# An employee record
name: Example Developer
job: Developer
skill: Elite
employed: True
foods:
- Apple
- Orange
- Strawberry
- Mango
languages:
ruby: Elite
python: Elite
dotnet: Lame
Playbook Example: my_playbook.yml
---
- hosts: webservers
  #remote_user: root
  become: true        # "sudo: yes" in old Ansible; replaced by become
  tasks:
    - name: Install Nginx
      apt:
        name: nginx
        state: present
    - name: Copy static site
      copy:
        src: files/my_site
        dest: /var/www
    - name: Configure Nginx
      template:
        src: files/nginx_site.conf
        dest: /etc/nginx/new_site.conf
      notify: my_nginx_reload
  handlers:
    - name: my_nginx_reload
      service:
        name: nginx
        state: restarted
Execute Playbook:
ansible-playbook my_playbook.yml -K
Roles
Roles are a way to group tasks together into one container. We
could have a role for setting up MySQL, another one for
configuring iptables etc.
Roles make it easy to configure hosts. Any role can be
applied to any host or group of hosts such as:
- hosts: all
  roles:
    - role_1
    - role_2
Companies using Ansible
Configuration Management with Ansible
Ansible is the simplest solution for configuring the nodes. It’s designed
to be minimal in nature, consistent, secure and highly reliable. Any
developer, tester or IT manager can easily configure nodes. Any IT
person can write playbooks easily.
Ansible configurations are simple data descriptions of your
infrastructure (human readable) ensuring everyone on your team will be
able to understand the meaning of each configuration task.
Ansible requires nothing more than a password or SSH key in order to
start managing systems and can start managing them without installing
any agent software.
Variables
• Defined
  • Inventory
  • Playbook
• Discovered (Facts)
• Use
# playbook
- hosts: webservers
  vars:
    http_port: 80

# inventory file
host1 http_port=80

[webservers:vars]
http_port=80

# facts
:
"ansible_distribution": "Ubuntu",
"ansible_distribution_release": "precise",
"ansible_distribution_version": "12.04",
:

# in playbook
template: src=foo.cfg.j2 dest={{ remote_install_path }}/foo.cfg

# in template files
server {
  listen 80;
  root /var/www/my_site;
  index index.html index.htm;
  server_name {{ ansible_default_ipv4.address }};
}
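The inventory slide and the variables slide both rely on the INI inventory format, with host variables on the host line and group variables in a [group:vars] section. The following is an added example, not part of the slides or of Ansible: a small parser for that format that also handles [group:children], and a resolver that merges variables the way Ansible's documented precedence does (host var beats group var, which beats parent-group var). The sample inventory, host names and variable names are constructed here; Ansible's real parser is far more complete.

```python
import re

# Constructed sample inventory in the style of the slide (not real hosts).
SAMPLE_INVENTORY = """\
[webservers]
host1 http_port=8080
host2

[dbservers]
db1 ansible_host=192.0.2.10

[webservers:vars]
http_port=80
ansible_user=deploy

[all_servers:children]
webservers
dbservers

[all_servers:vars]
ansible_user=admin
"""


def parse_inventory(text):
    """Return (hosts, group_vars, children).

    hosts:      host -> its inline vars plus '_groups' (direct groups)
    group_vars: group -> vars from its [group:vars] section
    children:   group -> child groups from its [group:children] section
    """
    hosts, group_vars, children = {}, {"ungrouped": {}}, {"ungrouped": []}
    section, kind = "ungrouped", None   # hosts before any [group] header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[([^:\]]+)(?::(vars|children))?\]$", line)
        if m:
            section, kind = m.group(1), m.group(2)
            group_vars.setdefault(section, {})
            children.setdefault(section, [])
            continue
        if kind == "vars":
            key, _, value = line.partition("=")
            group_vars[section][key.strip()] = value.strip()
        elif kind == "children":
            children[section].append(line)
        else:
            name, *pairs = line.split()
            host = hosts.setdefault(name, {"_groups": []})
            host["_groups"].append(section)
            for pair in pairs:
                key, _, value = pair.partition("=")
                host[key] = value
    return hosts, group_vars, children


def host_vars(inv, name):
    """Merge vars for a host: ancestor groups first, then direct groups,
    then the host's own vars, so the most specific definition wins."""
    hosts, group_vars, children = inv
    parents = {c: g for g, cs in children.items() for c in cs}

    def chain(group):
        out = [group]                 # walk up to the root, most general first
        while group in parents:
            group = parents[group]
            out.append(group)
        return list(reversed(out))

    merged = {}
    for group in hosts[name]["_groups"]:
        for g in chain(group):
            merged.update(group_vars.get(g, {}))
    merged.update({k: v for k, v in hosts[name].items() if k != "_groups"})
    return merged
```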
Conditions
• Use Variables & Facts
• Conditional Tasks
• Conditional Includes
• Conditional Roles
- name: Install Apache (Ubuntu)
  apt: name=apache2 state=latest        # the Debian/Ubuntu package is apache2
  when: ansible_os_family == 'Debian'
- name: Install Apache (CentOS)
  yum: name=httpd state=latest
  when: ansible_os_family == 'RedHat'

- include_tasks: tasks/sometasks.yml    # "include:" in older Ansible
  when: "'reticulating splines' in output"

- hosts: webservers
  roles:
    - { role: debian_stock_config, when: ansible_os_family == 'Debian' }
Loops
# With Loops
- name: Install Packages
  apt: name={{ item }} state=present
  with_items:          # "loop:" is the newer spelling of the same construct
    - iptables-persistent
    - fail2ban
    - exim4-daemon-light
    - apticron
    - git
    - figlet
    - nginx

# Without Loops
- name: Install Packages
  apt: name=fail2ban state=present
- name: Install Packages
  apt: name=apticron state=present
- name: Install Packages
  apt: name=git state=present
- name: Install Packages
  apt: name=figlet state=present
- name: Install Packages
  apt: name=nginx state=present

# Loop with Hash (Dictionary)
- name: add several users
  user: name={{ item.name }} state=present groups={{ item.groups }}
  with_items:
    - { name: 'testuser1', groups: 'wheel' }
    - { name: 'testuser2', groups: 'root' }
Other loop types are available.
Vault
• Ansible + GIT
• What about passwords?
ansible-playbook site.yml --ask-vault-pass
ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt
$ANSIBLE_VAULT;1.1;AES256
35373133613062323636623536666439396531656662313262326562353261376435343934346433
3563333532333362303430323666313931376138623437380a623461636265633561313064313564
37666561306661663237323466343166653738633765383666383066396234646539633565373636
3961643731363130340a336465666334633839333061356439316237323262633364613037623164
3965
ansible-vault create site.yml
ansible-vault edit site.yml
"A lazy sysadmin is the best admin"
– Anonymous
More
• http://www.ansible.com/
• http://docs.ansible.com/
• https://galaxy.ansible.com/
• http://docs.ansible.com/list_of_all_modules.html
