A Linux Engineer’s guide to Ansible

This guide is created for system administrators who already know their way around RedHat or Centos. I will cover what you need to deploy to your production environment with the aim of fast-tracking your learning. You should already know about ansible playbook, ansible tower and ansible galaxy.

What is Ansible

Ansible is a configuration management tool and Orchestration tool. I tend to use it for bulk tasks such as bulk-adding users and creating the desired state configuration across the infrastructure that I manage. 

The Basics 

This ansible tutorial is to recap the fundamental concepts:

• An Ansible command will always use the PUSH method
• You must know what a YAML script is, and the basics of writing YAML
• Python 2.7 is a minimum requirement although it would be advisable to have at least version 3 installed across the estate

What is needed to start with Ansible 

First, you need to build or nominate a primary controller node. I would always recommend having a standalone server running RedHat 8

The first tasks to complete are:

• create an ansible user account
• set SELinux to permissive for ansible
• create playbooks using mkdir
• When working in production you will need to create SSH Key between ALL your servers (Multidirectional

Installing Ansible

How to add Ansible Repository and Install Ansible

Unless you use RedHat, the Ansible repository is not available by default. To configure your Linux distro type:

Install Ansible on RedHat / CentOS

For RedHat 8 – Enable the Ansible RHEL8 Repo

$ sudo subscription-manager repos --enable ansible-2.9-for-rhel-8-x86_64-rpms

For RedHat 7 – Enable the Ansible RHEL7 Repo

$ sudo subscription-manager repos --enable rhel-7-server-ansible-2.9-rpms

Install

sudo yum install ansible

Install Ansible on Ubuntu

Follow these steps to install on Ubuntu

$ sudo apt-get update

$ sudo apt-get install software-properties-common

$ sudo apt-add-repository ppa:ansible/ansible

$ sudo apt-get update

$ sudo apt-get install ansible

Ansible is a small installation of only about 16MB at the time of writing.

Install Ansible on mac

The easiest way is to install from the terminal using brew.sh

brew install --cask ansible-dk

Ansible Host file

The Ansible host file contains many attributes in your Ansible environment. Includes the IP. DNS or hostname details of your Linux servers

Default location is /etc/ansible/hosts

Ansible uses the entries in a hosts file, you call the group of servers using [my-servers] 

ansible all --list-hosts

Example output below

The first test is to ping the hosts to make sure there are no network issues:

The “all” refers to the hosts in your host file (see above)

ansible all -m ping

192.168.1.181 | SUCCESS => {

“changed”: false,

“ping”: “pong”

}

192.168.1.178 | SUCCESS => {

“changed”: false,

“ping”: “pong”

}

192.168.1.179 | SUCCESS => {

“changed”: false,

“ping”: “pong”

}

You can override the host file using the dash -i

Ansible can ping all hosts

ansible -m shell -a 'hostname' all

192.168.1.178 | SUCCESS | rc=0 >>

ansible-webserver

192.168.1.181 | SUCCESS | rc=0 >>

ansible-dbserver

192.168.1.179 | SUCCESS | rc=0 >>

ansible-appserver

What is the ansible.cfg file?

Certain settings in Ansible are adjustable via a configuration file (ansible.cfg). The stock configuration should be sufficient for most users, but there may be reasons you would want to change them. Paths where configuration file is searched are listed in reference documentation.

Create an Ansible User ID

An ansible system account can be set up to use no password

 sudo useradd ansible

 sudo passwd ansible

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

Add user to sudoers file

Adding your ansible user account to the sudoers makes administration a lot easier

sudo visudo

Next log in as the ansible user with the password created above

 su ansible

Now you wont be prompted for password every time you run sudo

Then check the ansible config file

Next add key to local host

Ssh-copy-id-localhost.localdomain

REPEAT THIS PROCESS ON ALL ANSIBLE CONTROL SERVERS

Ansible – Basic Commands

Ping all hosts

ansible all -m ping

List packages installed

ansible all -s -m shell -a 'apt list --installed | grep python' –ask-become-pass

Install software on all ansible nodes

ansible all -s -m shell -a 'apt-get install telnet' --ask-become-pass

Install Lynx web browser

ansible all -s -m shell -a 'apt-get install lynx -y' --ask-become-pass

Check disk space on all servers

ansible -m shell -a 'df -h' all

192.168.1.178 | SUCCESS | rc=0 >>

Filesystem Size Used Avail Use% Mounted on

udev 926M 0 926M 0% /dev

tmpfs 191M 5.9M 185M 4% /run

/dev/mapper/ansible–webserver–vg-root 18G 2.1G 15G 13% /

tmpfs 953M 0 953M 0% /dev/shm

tmpfs 5.0M 0 5.0M 0% /run/lock

tmpfs 953M 0 953M 0% /sys/fs/cgroup

tmpfs 191M 0 191M 0% /run/user/1000

192.168.1.179 | SUCCESS | rc=0 >>

Filesystem Size Used Avail Use% Mounted on

udev 926M 0 926M 0% /dev

tmpfs 191M 5.9M 185M 4% /run

/dev/mapper/ansible–appserver–vg-root 18G 2.1G 15G 13% /

tmpfs 953M 0 953M 0% /dev/shm

tmpfs 5.0M 0 5.0M 0% /run/lock

tmpfs 953M 0 953M 0% /sys/fs/cgroup

tmpfs 191M 0 191M 0% /run/user/1000

192.168.1.181 | SUCCESS | rc=0 >>

Filesystem Size Used Avail Use% Mounted on

udev 1.9G 0 1.9G 0% /dev

tmpfs 393M 11M 382M 3% /run

/dev/mapper/ansible–dbserver–vg-root 16G 2.1G 13G 14% /

tmpfs 2.0G 0 2.0G 0% /dev/shm

tmpfs 5.0M 0 5.0M 0% /run/lock

tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup

tmpfs 393M 0 393M 0% /run/user/1000

When running commands ansible uses my credentials Richard

ansible -m shell -a 'whoami' all

192.168.1.178 | SUCCESS | rc=0 >>

richard

192.168.1.179 | SUCCESS | rc=0 >>

richard

192.168.1.181 | SUCCESS | rc=0 >>

Richard

How to create users on all servers

ansible -b -K -m user -a 'name=testuser' all

SUDO password:

192.168.1.178 | SUCCESS => {

“changed”: true,

“comment”: “”,

“createhome”: true,

“group”: 1001,

“home”: “/home/testuser”,

“name”: “testuser”,

“shell”: “”,

“state”: “present”,

“system”: false,

“uid”: 1001

}

192.168.1.179 | SUCCESS => {

“changed”: true,

“comment”: “”,

“createhome”: true,

“group”: 1001,

“home”: “/home/testuser”,

“name”: “testuser”,

“shell”: “”,

“state”: “present”,

“system”: false,

“uid”: 1001

}

192.168.1.181 | SUCCESS => {

“changed”: true,

“comment”: “”,

“createhome”: true,

“group”: 1001,

“home”: “/home/testuser”,

“name”: “testuser”,

“shell”: “”,

“state”: “present”,

“system”: false,

“uid”: 1001

}

Use Ansible to check if users have been created

ansible -m shell -a 'getent passwd | grep testuser' all

192.168.1.179 | SUCCESS | rc=0 >>

testuser:x:1001:1001::/home/testuser:

192.168.1.178 | SUCCESS | rc=0 >>

testuser:x:1001:1001::/home/testuser:

192.168.1.181 | SUCCESS | rc=0 >>

testuser:x:1001:1001::/home/testuser:

Use Ansible to remove test user

ansible -b -K -m user -a 'name=testuser state=absent' all

SUDO password:

192.168.1.178 | SUCCESS => {

“changed”: true,

“force”: false,

“name”: “testuser”,

“remove”: false,

“state”: “absent”

}

192.168.1.179 | SUCCESS => {

“changed”: true,

“force”: false,

“name”: “testuser”,

“remove”: false,

“state”: “absent”

}

192.168.1.181 | SUCCESS => {

“changed”: true,

“force”: false,

“name”: “testuser”,

“remove”: false,

“state”: “absent”

}

Test its been removed

ansible -m shell -a 'getent passwd | grep testuser' all

192.168.1.179 | FAILED | rc=1 >>

non-zero return code

192.168.1.178 | FAILED | rc=1 >>

non-zero return code

192.168.1.181 | FAILED | rc=1 >>

non-zero return code

Use ansible to learn system information

This is a file used by ansible that queries the computer information

ansible local -m setup

You can write it to tmp

ansible local -m setup --tree /tmp/facts

you can cat it for information

ansible local -m setup -a 'filter=*ipv4*'

NB – if you grep it will grep blank info

System Facts – common values for playbooks

ansible apacheweb -m setup -a "filter=ansible_architecture"

ansible all -m setup -a "filter=ansible_fqdn"

ansible all -m setup -a "filter=ansible_kernel"

ansible all -m setup -a "filter=ansible_memtotal_mb"

ansible all -m setup -a "filter=ansible_proc*"

ansible all -m setup -a "filter=ansible_vir*"

What are Ansible Roles

Role is a list of commands that Ansible will execute on target machine in given order. Every role is in the directory:

ROLES > TASKS > Main.yml

What are Ansible Playbooks

Playbook is used to define which roles are applied against a target machine

If Ansible modules are the tools in your workshop, playbooks are your instruction manuals, and your inventory of hosts are your raw material.

Running playbooks when SUDO

Must use –ask-become-pass

Documentation / man /help

Ansible documentation man ansible doc

Ansible-doc ec2

Ansible-doc htaccess

Eg

EXAMPLES:

# Note: These examples do not set authentication details, see the AWS Guide for details.

# Basic provisioning example

– ec2:

key_name: mykey

instance_type: t2.micro

image: ami-123456

wait: yes

group: webserver

count: 3

vpc_subnet_id: subnet-29e63245

assign_public_ip: yes