Ansible

Ansible is an open source tool for IT automation by Red Hat. Written in Python, it provides CLI tooling to maintain many nodes from a single control node over SSH.

It can automate deployment, orchestration of software, infrastructure management and other tasks.

Ansible connects to the managed nodes and copies “modules” there. These bring the system to the desired state, which is defined in a declarative fashion. The tasks are (ideally) idempotent.

Ansible comes with many modules for package installation and file and service management.

It is agent-less: nothing needs to be installed on the managed nodes.

Inventory

A list of managed nodes kept in simple INI files. It allows you to organize and categorize target systems into groups.

One machine can be in several groups.

An inventory can also be an executable script (a dynamic inventory) that prints the hosts and groups on demand.

By default, /etc/ansible/hosts is read, but you can provide your own file with -i <hosts_file>.
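A minimal executable (dynamic) inventory in Python, added here as an example that is not part of the original notes. The node list is constructed sample data standing in for whatever source (a CMDB, a cloud API) a real script would query; the group names, the deploy user and the become settings are assumptions.

```python
#!/usr/bin/env python3
"""Dynamic inventory: Ansible calls it with --list (all groups as JSON) or
--host <name> (that host's variables). Returning _meta.hostvars from --list
lets Ansible skip one --host call per machine."""
import json
import sys

# Constructed sample data (assumption); a real script would query a CMDB or cloud API.
NODES = [
    {"name": "web1", "ip": "10.0.0.11", "role": "web", "env": "prod"},
    {"name": "web2", "ip": "10.0.0.12", "role": "web", "env": "prod"},
    {"name": "db1", "ip": "10.0.0.21", "role": "database", "env": "prod"},
    {"name": "web-stg", "ip": "10.0.1.11", "role": "web", "env": "staging"},
]


def build_inventory(nodes):
    """Group nodes by role and by environment; one host lands in several groups."""
    inventory = {"_meta": {"hostvars": {}}}
    for node in nodes:
        for group in (node["role"], node["env"]):
            inventory.setdefault(group, {"hosts": [], "vars": {}})
            inventory[group]["hosts"].append(node["name"])
        # Per-host connection variables; ansible_host avoids relying on DNS.
        inventory["_meta"]["hostvars"][node["name"]] = {
            "ansible_host": node["ip"],
            "ansible_user": "deploy",
        }
    # Group-level vars: production plays escalate with sudo, staging does not.
    if "prod" in inventory:
        inventory["prod"]["vars"] = {"ansible_become": True,
                                     "ansible_become_method": "sudo"}
    # Parent group so a play can target every environment at once.
    inventory["servers"] = {"children": sorted({n["env"] for n in nodes})}
    return inventory


def host_vars(nodes, name):
    """What --host <name> must print: the host's variables or an empty dict."""
    return build_inventory(nodes)["_meta"]["hostvars"].get(name, {})


def main(argv):
    if len(argv) > 1 and argv[1] == "--list":
        print(json.dumps(build_inventory(NODES), indent=2))
    elif len(argv) > 2 and argv[1] == "--host":
        print(json.dumps(host_vars(NODES, argv[2])))
    else:
        print("usage: inventory.py --list | --host <name>", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Ansible treats an executable file passed to -i as a dynamic inventory, so the script must be made executable (chmod +x) before running e.g. ansible -i ./inventory.py web -m ping.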

Playbooks

Playbooks are written in YAML and contain plays, each targeting a set of hosts and listing tasks, for example:

- hosts: all
  vars:
    cache_valid_time: 123456
    packages:
      - python
      - ruby
  tasks:
  - name: test
    apt:
      update_cache: yes
      cache_valid_time: "{{cache_valid_time}}"
  - name: Install packages
    apt:
      name: "{{item}}"
      state: present
    with_items:
      - vim
      - htop
  - name: Install a list of packages
    apt:
      name: "{{item}}"
      state: present
    with_items: "{{ packages }}"  # a bare variable name is not accepted here; use a Jinja2 expression

Handlers are a special form of tasks that run only when notified (notify: <name of handler task>) by a task that resulted in a changed status.

In YAML, you can write lists and dictionaries in abbreviated form:

test: {key: value}
list: ['String1', 'String2']

Multiline values:

include_newlines: |
  something very
  long text spanning
  over more than one line

fold_newlines: >
  this text will be
  joined so newlines
  become spaces

Templates

Ansible uses Jinja2 syntax for templating. See the playbook example above. The template module copies a file to the managed node after replacing the Jinja2 expressions in it with variable values.

Roles

A way of grouping a set of functionality: playbooks, templates, default variables, files. Roles facilitate modularization of Ansible code.

roles/
  common/
    defaults/
      main.yml
    tasks/
      main.yml
    files/
      script.py
    templates/
      config.py.j2
    meta/
      main.yml # specify dependencies here
  database/

The main.yml files are imported by default. Other files can be imported with e.g. include_tasks: other_tasks.yml (located at <role>/tasks/other_tasks.yml).

Local files are automatically searched for in the role’s files directory.

Permissions

For serious work, you need sudo on the remote machines, as Ansible escalates to root privileges (using sudo, su etc.). The keywords become and become_user control this behaviour.

Beware: become_user doesn’t imply become: false.

Modules

There are many built-in modules.

Command line tools

The default module of the ansible ad-hoc command is ansible.builtin.command, so you can e.g. reboot all nodes of a group with:

$ ansible <group|machine|all> -a "/sbin/reboot"

By default Ansible runs only 5 simultaneous processes (forks), so a large inventory is handled in batches.

Maintaining secrets with Ansible Vault

You can use ansible-vault to encrypt and decrypt files or variables with a password, which you have to store and share securely yourself.

Usage (encrypt_string takes the secret itself as an argument, not a file name):

$ ansible-vault encrypt_string --name db_password 'the secret'
$ ansible-vault encrypt file.txt --ask-vault-pass

Ansible Tower

Similar tools

published: 2023-06-29
last modified: 2023-08-27

https://vit.baisa.cz/notes/code/ansible/