DevOps Tools/Configuration/Ansible
Revision as of 11:56, 16 November 2018
Installation
Ansible does not require any server component; no daemon needs to be running. Ansible runs over SSH.
Wherever you are going to run your playbooks from needs to have ansible installed; the clients do not.
To get ansible 2.0+ (at the time of this writing), use the EPEL repo:
~$ sudo yum install epel-release
~$ sudo yum install git python python-devel python-pip openssl ansible -y
~$ ansible --version
ansible 2.7.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/fgiuliani/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
Configuration
Basic configuration: define the inventory path and specify the sudo user.
~$ sudo vim /etc/ansible/ansible.cfg
uncomment
...
inventory = /etc/ansible/hosts
...
sudo_user = root
Nodes are identified by their names, which live in the inventory hosts file /etc/ansible/hosts. By default there is a file there that can be used as an example.
~$ sudo vim /etc/ansible/hosts
[local]
localhost
[group1]
ansible2.r00tedvw.local
[group2]
ansible3.r00tedvw.local
Ansible User
Ansible needs to run as a non-privileged user with sudo rights. It also needs to be able to run commands without being prompted for a password, as playbooks will fail on password prompts.
NOTE: This will need to be done on EACH Node.
~$ sudo adduser ansible
~$ sudo passwd ansible
~$ visudo
...
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
ansible ALL=(ALL)       NOPASSWD: ALL
SSH key exchange
You can opt to either:
- define the SSH password for ansible in the playbook, or
- set up SSH key pairs so that no password is needed for login/authentication.
Below I'll quickly go over setting up SSH key exchange, since this is the obvious choice.
On your control server, set up the key exchange so ansible can reach all the nodes without a password.
~$ sudo su ansible -
~$ ssh-keygen
~$ ssh-copy-id [email protected]
~$ ssh-copy-id [email protected]
~$ ssh-copy-id [email protected]
Basic Commands
You can specify a group (or all) as the target of an ansible command.
~$ ansible all -s -a "ls -la /etc/ansible"
- -s: runs the command with sudo on the node
- -a: runs the command specified after it
copy file to node
~$ ansible group1 -m copy -a "src=/home/ansible/test.txt dest=/tmp/test.txt"
install & remove package
~$ ansible group1,group2 -m yum -s -a "name=lynx state=latest"
~$ ansible group1,group2 -m yum -s -a "name=lynx state=absent"
run a shell command across nodes
~$ ansible env -m shell -s -a "firewall-cmd --get-active-zone"
add firewalld rule
~$ ansible env -m firewalld -s -a "zone=public service=nfs permanent=true state=enabled" -vvv
modify service
~$ ansible env -m service -s -a "name=firewalld state=reloaded enabled=yes"
add new firewalld service
~$ ansible env -m shell -s -a "sudo firewall-cmd --permanent --new-service-from-file=/usr/lib/firewalld/services/nfs3.xml --name=nfs4"
~$ ansible env -m shell -s -a "sudo firewall-cmd --permanent --service=nfs4 --add-port=111/tcp"
~$ ansible env -m shell -s -a "sudo firewall-cmd --permanent --service=nfs4 --add-port=111/udp"
~$ ansible env -m firewalld -s -a "zone=public service=nfs4 permanent=true state=enabled"
~$ ansible env -m service -s -a "name=firewalld state=reloaded enabled=yes"
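The same firewalld change can be made as one idempotent playbook using the firewalld module instead of shelling out to firewall-cmd with sudo inside the command (become already handles privilege). This is an added example, not from the original page: it assumes the same env group and public zone, and opens the rpcbind port 111 directly alongside the built-in nfs service rather than defining a custom nfs4 service; the reload handler is flushed before the query task so the check sees the reloaded runtime config.

```yaml
---
# Added example: allow NFS on the env group with the firewalld module.
# Rerunning reports "ok" instead of "changed" once the rules exist.
- hosts: env
  remote_user: ansible
  become: yes
  become_method: sudo
  gather_facts: no
  vars:
    nfs_zone: public
    rpcbind_ports:          # rpcbind, needed alongside the nfs service
      - 111/tcp
      - 111/udp
  tasks:
    - name: Allow the built-in nfs service in the target zone (permanent)
      firewalld:
        zone: "{{ nfs_zone }}"
        service: nfs
        permanent: yes
        state: enabled
      notify: reload firewalld

    - name: Allow rpcbind ports in the target zone (permanent)
      firewalld:
        zone: "{{ nfs_zone }}"
        port: "{{ item }}"
        permanent: yes
        state: enabled
      loop: "{{ rpcbind_ports }}"
      notify: reload firewalld

    # Handlers normally run at the end of the play; flush them now so the
    # verification below checks the reloaded runtime configuration.
    - meta: flush_handlers

    - name: Verify the runtime zone now lists the nfs service (fails if not)
      command: firewall-cmd --zone={{ nfs_zone }} --query-service=nfs
      changed_when: false

  handlers:
    - name: reload firewalld
      service:
        name: firewalld
        state: reloaded
        enabled: yes
```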
Playbooks
Basic example:
---
# YAML example to install HTTPD on CentOS
- hosts: group1
  remote_user: ansible
  become: yes
  become_method: sudo
  connection: ssh
  gather_facts: yes
  vars:
    username: myuser
  tasks:
    - name: Install HTTPD server on CentOS nodes
      yum:
        name: httpd
        state: latest
      notify:
        - startservice
  handlers:
    - name: startservice
      service:
        name: httpd
        state: restarted