DevOps Tools/Configuration/Ansible
From r00tedvw.com wiki
(Difference between revisions)
(→Playbooks) |
(→Playbooks) |
||
| Line 112: | Line 112: | ||
Basic example: | Basic example: | ||
| − | <nowiki>--- | + | <nowiki>--- |
| − | - | + | - name: haproxy |
| − | + | hosts: haproxy | |
| − | + | become: yes | |
| − | + | become_method: sudo | |
| − | + | tasks: | |
| − | + | - name: Install HAProxy on CentOS | |
| − | + | yum: | |
| − | + | name: haproxy | |
| − | + | state: latest | |
| − | + | - name: enable service haproxy and ensure it is not masked | |
| − | + | systemd: | |
| − | + | name: haproxy | |
| − | + | enabled: yes | |
| − | + | masked: no | |
| − | - | + | - name: update haproxy conf |
| − | + | blockinfile: | |
| − | + | path: /etc/haproxy/haproxy.cfg | |
| − | service: | + | block: | |
| − | + | # [HTTP Site Configuration] | |
| − | + | listen http_web 0.0.0.0:80 | |
| + | mode http | ||
| + | balance leastconn # Load Balancing algorithm | ||
| + | option httpchk | ||
| + | option forwardfor | ||
| + | server apache01 ncrv-apache01:80 weight 1 maxconn 512 check | ||
| + | server apache02 ncrv-apache01:80 weight 1 maxconn 512 check | ||
| + | - name: open http | ||
| + | firewalld: | ||
| + | zone: public | ||
| + | service: http | ||
| + | permanent: yes | ||
| + | immediate: yes | ||
| + | state: enabled | ||
| + | - name: restart haproxy service | ||
| + | service: | ||
| + | name: haproxy | ||
| + | state: restarted</nowiki> | ||
===Install base packages, independent on package manager=== | ===Install base packages, independent on package manager=== | ||
The package module can be used to install packages across distributions, but it has some serious limitations when compared to the yum and apt modules, primarily concerning the options to define state, version, etc. | The package module can be used to install packages across distributions, but it has some serious limitations when compared to the yum and apt modules, primarily concerning the options to define state, version, etc. | ||
Revision as of 18:24, 12 August 2020
Overview | Continuous Integration (CI) | Source Control Management (SCM) | Containerization | Configuration | Integration
Ansible | Playbook Examples
Contents |
Ansible
Installation
Ansible does not require any server component, no daemon needs to be running. Ansible runs over SSH.
Where ever you are going to run your playbooks from, needs to have ansible installed, the clients do not.
To get ansible 2.0+, at the time of this writing, use the epel repo
~$ sudo yum install -y epel-release ~$ sudo yum install -y git python python-devel python-pip openssl ansible ~$ ansible --version ansible 2.7.0 config file = /etc/ansible/ansible.cfg configured module search path = [u'/home/fgiuliani/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/site-packages/ansible executable location = /usr/bin/ansible python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
Configuration
Basic configuration, define the inventory path & specify the sudo user
~$ sudo vim /etc/ansible/ansible.cfg uncomment ... inventory = /etc/ansible/hosts ... [privilege_escalation] become=True become_method=sudo become_user=root become_ask_pass=False
Nodes are determined by their names. These live in the inventory hosts file: /etc/ansible/hosts. By default there is a file there that can be used as an example.
~$ sudo vim /etc/ansible/hosts [local] localhost [group1] ansible2.r00tedvw.local [group2] ansible3.r00tedvw.local
Ansible User
Ansible needs to run as a non-privileged user with sudo rights. It also needs to be able to run commands without specifying a password as the playbooks will fail with password prompts.
NOTE: This will need to be done on EACH Node.
~$ sudo adduser ansible ~$ sudo passwd ansible ~$ visudo ... ## Allow root to run any commands anywhere root ALL=(ALL) ALL ansible ALL=(ALL) NOPASSWD: ALL
SSH key exchange
You can opt to either:
- define the SSH password for ansible in the playbook
- setup ssh key pairs so that no password is needed for login/authentication.
Below i'll quickly go over setting up ssh key exchange since this is the obvious choice.
On your control server, setup the key exchange so ansible can get to all the nodes without a password.
~$ sudo su ansible - ~$ ssh-keygen ~$ ssh-copy-id [email protected] ~$ ssh-copy-id [email protected] ~$ ssh-copy-id [email protected]
Basic Commands
You can specify the group or all to apply the ansible command to.
~$ ansible all -s -a "ls -la /etc/ansible"
- -s
- this flag runs the command as sudo on the node
- -a
- this flag runs a specified command defined after it.
copy file to node
~$ ansible group1 -m copy -a "src=/home/ansible/test.txt dest=/tmp/test.txt"
install & remove package
~$ ansible group1,group2 -m yum -s -a "name=lynx state=latest" ~$ ansible group1,group2 -m yum -s -a "name=lynx state=absent"
run local command across nodes
~$ ansible env -m shell -s -a "firewall-cmd --get-active-zone"
add firewalld rule
~$ ansible env -m firewalld -s -a "zone=public service=nfs permanent=true state=enabled" -vvv
modify service
~$ ansible env -m service -s -a "name=firewalld state=reloaded enabled=yes"
add new firewalld service
~$ ansible env -m shell -s -a "sudo firewall-cmd --permanent --new-service-from-file=/usr/lib/firewalld/services/nfs3.xml --name=nfs4" ~$ ansible env -m shell -s -a "sudo firewall-cmd --permanent --service=nfs4 --add-port=111/tcp" ~$ ansible env -m shell -s -a "sudo firewall-cmd --permanent --service=nfs4 --add-port=111/udp" ~$ ansible env -m firewalld -s -a "zone=public service=nfs4 permanent=true state=enabled" ~$ ansible env -m service -s -a "name=firewalld state=reloaded enabled=yes"
~$ ansible env -m shell -s -a "sudo mkdir /mnt/nfsshare" ~$ ansible env -m mount -s -a "state=mounted fstype=nfs path=/mnt/nfsshare src=ansible1.r00tedvw.local:/nfsshare"
Playbooks
See what hosts the playbook would apply to:
~$ ansible-playbook {playbook.yml} --list-hosts
$ ansible-playbook /etc/ansible/playbooks/centos_base_packages.yml --list-hosts
playbook: /etc/ansible/playbooks/centos_base_packages.yml
play #1 (centos): centos TAGS: []
pattern: [u'centos']
hosts (3):
jenkins01.ncvw.org
ansible01.ncvw.org
gitlab01.ncvw.org
Basic example:
---
- name: haproxy
hosts: haproxy
become: yes
become_method: sudo
tasks:
- name: Install HAProxy on CentOS
yum:
name: haproxy
state: latest
- name: enable service haproxy and ensure it is not masked
systemd:
name: haproxy
enabled: yes
masked: no
- name: update haproxy conf
blockinfile:
path: /etc/haproxy/haproxy.cfg
block: |
# [HTTP Site Configuration]
listen http_web 0.0.0.0:80
mode http
balance leastconn # Load Balancing algorithm
option httpchk
option forwardfor
server apache01 ncrv-apache01:80 weight 1 maxconn 512 check
server apache02 ncrv-apache01:80 weight 1 maxconn 512 check
- name: open http
firewalld:
zone: public
service: http
permanent: yes
immediate: yes
state: enabled
- name: restart haproxy service
service:
name: haproxy
state: restarted
Install base packages, independent on package manager
The package module can be used to install packages across distributions, but it has some serious limitations when compared to the yum and apt modules, primarily concerning the options to define state, version, etc.
- hosts: all
tasks:
- name: Ensure base packages are installed
package:
name: telnet
state: present
package:
name: net-tools
state: present
package:
name: tcpdump
state: present
package:
name: bind-utils
state: present
package:
name: redhat-lsb-core
state: present
package:
name: wget
state: present
package:
name: nfs-utils
state: present
