DevOps has become an increasingly important aspect of daily life for many systems administrators. The demand to automate as much as possible, combined with the needs for flexibility and scalability, can give the most seasoned veteran a headache. Ansible will help ease a lot of those pains.
Ansible is an opensource tool used for configuration management. It is lightweight; it does not require an agent on a remote host, but rather performs tasks over SSH. Ansible is a python based tool that uses YAML for configuration, giving it an easier learning curve. Ansible can be used for a variety of automation tasks including OS and application configuration management, PaaS orchestration in VMWare or cloud environment, application deployment, and many others. Setting up Ansible incorrectly can have ramifications against security and scalability. Spend some time setting up Ansible to use a non-privileged user and roles.
Installation of Ansible on Ubuntu 16.04
The first step is to install prerequisite packages.
$ sudo apt-get install software-properties-common
Next, install the Ansible apt repository, update the apt cache, and finally install Ansible.
$ sudo apt-add-repository ppa:ansible/ansible
$ sudo apt-get update
$ sudo apt-get install ansible
Note: Installation for Ubunutu 14.04 and 15.10 are the same.
Installation of Ansible on CentOS 7
First, setup the EPEL (Extra Packages for Enterprise Linux) repository then install Ansible.
$ sudo yum -y install epel-release
$ sudo yum -y install ansible
Note: Installation for CentOS 6 is the same.
Configure Ansible User
As mentioned earlier, Ansible uses SSH to connect to remote hosts. Creating an ansible user will allow Ansible to connect as a non-privileged user and utilize sudo for escalated privileges. Create an ansible user on the host that Ansible is installed on.
$ sudo groupadd -g 5001 ansible
$ sudo useradd -u 5001 -g 5001 -c "Ansible User" -m ansible
Create an SSH key for the ansible user to use for remote connections. For easier automation, generate the SSH key without a password.
$ sudo su - ansible
$ ssh-keygen -t rsa -b 4096
The default Ansibile configuration is ready to go out of the box. By default, it uses the root user for remote connections. To use the ansible user, edit this line in /etc/ansible/ansible.cfg.
The inventory is the list of hosts that Ansible will connect to. The inventory can be organized into logical groups to allow Ansible tasks to be run on multiple hosts. A host can also be unassigned, meaning it is not part of a host group. Hostnames or IP addresses can be used.
For example, to setup a group of web servers:
Creating a Role
A role within Ansible is a way to organize a group of tasks. Roles are beneficial in an environment where multiple hosts require the same tasks, but may not necessarily perform the same function. Roles are located under /etc/ansible/roles by default and are organized with a folder structure.
When a play (a task or series of tasks) is run, Ansible will look for main.yml under tasks/ handlers/ var/ and meta/ and add the items to the play. Any files or scripts used in a task can be referenced by the absolute path or placed under the files/ templates/ or tasks/ folders.
An example role would be to create the ansible user on a remote host. This role will create a local ansible user on the remote host, copy the user's SSH key to an authorized_keys file, and add sudo privileges for future tasks.
Creating a Playbook
A playbook in Ansible gives the ability to run one or more plays against a host or hosts.
Playbooks can contain any elements used in a role. For example, variables can be assigned for a hostname or a password within a playbook. Using roles simplifies and organizes Ansible. It allows for creation of a single role to use across multiple hosts; for example, changing only the variables assigned to that host.
A playbook can contain as many plays as needed. For example, a playbook to build a web server might have a play to provision a VM, apply OS updates, install and configure Apache, and add it to a load balancer.
Running a Playbook
Use the "ansible-playbook" command to run a playbook. Ansible will report on the status of a playbook run in real-time. To run the playbook against one host, use this command:
$ ansible-playbook ansible-user.yml -l 172.30.0.150 -k
The "-l" flag limits the run to the IP address. The "-k" flag is used to prompt for a user password, in this case the ubuntu user created on the remote host. For all future playbooks, if run as the ansible user from the Ansible server, no password will be required and SSH key-based authentication will be used.
Ansible is a powerful tool for any DevOps arsenal. When setup correctly from the start, it will provide flexibility to perform any task within an environment, and do so securely. Taking the time to do it right at the start will save headaches later on. Read more about ansible at their documentation page.