ANSIBLE 2 - Red Hat - Martin Sauvé, Senior Solutions Architect

Transcription

ANSIBLE 2.0
Introduction to Ansible training
Marco Berube, Sr. Cloud Solution Architect
Michael Lessard, Senior Solutions Architect
Martin Sauvé, Senior Solutions Architect

AGENDA
Ansible Training
1. Introduction to Ansible (DEMO)
2. Ansible commands (LAB)
3. Ansible playbooks (LAB)
4. Ansible variables (LAB)
5. Ansible roles (LAB)
6. Ansible Tower
RHUG Ansible Workshop

INTRODUCTION TO ANSIBLE

"An ansible is a fictional machine capable of instantaneous or superluminal communication. It can send and receive messages to and from a corresponding device over any distance whatsoever with no delay. Ansibles occur as plot devices in science fiction literature." -- Wikipedia

INTRO TO ANSIBLE
Michael DeHaan (creator of Cobbler and ...)
Origins of Ansible: ...rigins-of-ansible (URL cut off in the transcription)
- Ansible
  - Simple
  - Can manage almost any *IX through SSH; requires Python 2.4
  - Windows (PowerShell, winrm Python module)

"Ansible owes much of its origins to time I spent at Red Hat's Emerging Technologies group, which was an R&D unit under Red Hat's CTO" - Michael DeHaan

"...because Puppet was too declarative you couldn't use it to do things like reboot servers or do all the "ad hoc" tasks in between" - Michael DeHaan

ANSIBLE GROWTH
"It's been 18 months since I've been at an OpenStack summit. One of the most notable changes for me this summit has been Ansible. Everyone seems to be talking about Ansible, and it seems to be mainly customers rather than vendors. I'm sure if I look around hard enough I'll find someone discussing Puppet or Chef but I'd have to go looking." - Andrew Cathrow, April 2016, on Google

USE-CASES
Some examples:
- Provisioning
- Configuration management
- Application deployments
- Rolling upgrades - CD
- Security and Compliance
- Orchestration

BENEFITS
Why is Ansible popular?
- Efficient: agentless, minimal setup
- Fast: easy to learn and to remember, simple declarative language
- Scalable: can manage thousands of nodes
- Secure: SSH transport
- Large community: thousands of roles on Ansible Galaxy

ANSIBLE - THE LANGUAGE OF DEVOPS

KEY COMPONENTS
Understanding Ansible terms
- Modules (Tools)
- Tasks
- Inventory
- Plays
- Playbook (Plan)

INSTALLING ANSIBLE
How-to
  # ENABLE EPEL REPO
  yum install epel-release
  # INSTALL ANSIBLE
  yum install ansible

MODULES
What is this?
- Bits of code copied to the target system.
- Executed to satisfy the task declaration.
- Customizable.

MODULES
Lots of choice / Ansible secret power.
- Cloud Modules
- Network Modules
- Clustering Modules
- Notification Modules
- Commands Modules
- Packaging Modules
- Database Modules
- Source Control Modules
- Files Modules
- System Modules
- Inventory Modules
- Utilities Modules
- Messaging Modules
- Web Infrastructure Modules
- Monitoring Modules
- Windows Modules

MODULES
Documentation
  # LIST ALL MODULES
  ansible-doc -l
  # VIEW MODULE DOCUMENTATION
  ansible-doc <module_name>

MODULES
Commonly used

ANSIBLE COMMANDS

INVENTORY
Use the default one (/etc/ansible/hosts) or create a host file:
  [centos@centos1 ~]$ mkdir ansible ; cd ansible
  [centos@centos1 ansible]$ vim hosts

  [all:vars]
  ansible_ssh_user=centos

  [web]
  web1 ansible_ssh_host=centos2

  [admin]
  ansible ansible_ssh_host=centos1

COMMANDS
Run your first Ansible command.
  # ansible all -i ./hosts -m command -a "uptime"
  192.168.250.13 | success | rc=0 >>
   18:57:01 up 11:03,  1 user,  load average: 0.00, 0.01, 0.05

  192.168.250.11 | success | rc=0 >>
   18:57:02 up 11:03,  1 user,  load average: 0.00, 0.01, 0.05

COMMANDS
Other examples of commands
  # INSTALL HTTPD PACKAGE
  ansible web -s -i ./hosts -m yum -a "name=httpd state=present"
  # START AND ENABLE HTTPD SERVICE
  ansible web -s -i ./hosts -m service -a "name=httpd enabled=yes state=started"

LAB #1
Ansible commands
Objectives
Using Ansible commands, complete the following tasks:
1. Test the Ansible connection to all your hosts using the ping module
2. Install the EPEL repo on all your hosts
3. Install HTTPD only on your web hosts
4. Change SELINUX to permissive mode
Modules documentation: http://docs.ansible.com/ansible/list_of_all_modules.html

LAB #1 - SOLUTION
  # 1. connectivity check (no privilege escalation needed)
  ansible all -i ./hosts -m ping
  # 2. EPEL repo on all hosts
  ansible all -s -i ./hosts -m yum -a "name=epel-release state=present"
  # 3. HTTPD on the web group only
  ansible web -s -i ./hosts -m yum -a "name=httpd state=present"
  # 4. SELinux to permissive
  ansible all -s -i ./hosts -m selinux -a "policy=targeted state=permissive"

ANSIBLE PLAYBOOKS

PLAYBOOK EXAMPLE
  - name: This is a Play
    hosts: web-servers
    remote_user: mberube
    become: yes
    gather_facts: no
    vars:
      state: present
    tasks:
      - name: Install Apache
        yum: name=httpd state={{ state }}

PLAYS
Naming
  - name: This is a Play

PLAYS
Host selection
  - name: This is a Play
    hosts: web

PLAYS
Arguments
  - name: This is a Play
    hosts: web
    remote_user: mberube
    become: yes
    gather_facts: no

FACTS
Gathers facts about the remote host
- Ansible provides many facts about the system, automatically
- Provided by the setup module
- If facter (Puppet) or ohai (Chef) are installed, variables from these programs will also be snapshotted into the JSON file for usage in templating
- These variables are prefixed with facter_ and ohai_ so it's easy to tell their source.
- Using the Ansible facts and choosing not to install facter and ohai means you can avoid Ruby dependencies on your remote systems
http://docs.ansible.com/ansible/setup_module.html

PLAYS
Variables & tasks
  - name: This is a Play
    hosts: web-servers
    remote_user: mberube
    become: yes
    gather_facts: no
    vars:
      state: present
    tasks:
      - name: Install Apache
        yum: name=httpd state={{ state }}

RUN AN ANSIBLE PLAYBOOK
  [centos@centos7-1 ansible]$ ansible-playbook play.yml -i hosts

RUN AN ANSIBLE PLAYBOOK
Check mode ("dry run")
  [centos@centos7-1 ansible]$ ansible-playbook play.yml -i hosts --check

PLAYS
Loops
  - name: This is a Play
    hosts: web-servers
    remote_user: mberube
    become: yes
    gather_facts: no
    vars:
      state: present
    tasks:
      - name: Install Apache and PHP
        yum: name={{ item }} state={{ state }}
        with_items:
          - httpd
          - php

LOOPS
Many types of general and special purpose loops:
- with_nested
- with_dict
- with_fileglob
- with_together
- with_sequence
- until
- with_random_choice
- with_first_found
- with_indexed_items
- with_lines
http://docs.ansible.com/ansible/playbooks_loops.html

HANDLERS
Only run if a task has a "changed" status
  - name: This is a Play
    hosts: web-servers
    tasks:
      - yum: name={{ item }} state=installed
        with_items:
          - httpd
          - memcached
        notify: Restart Apache
      - template: src=templates/web.conf.j2 dest=/etc/httpd/conf.d/web.conf
        notify: Restart Apache
    handlers:
      - name: Restart Apache
        service: name=httpd state=restarted

TAGS
Example of tag usage
  tasks:
    - yum: name={{ item }} state=installed
      with_items:
        - httpd
        - memcached
      tags:
        - packages
    - template: src=templates/src.j2 dest=/etc/foo.conf
      tags:
        - configuration

TAGS
Running with tags
  ansible-playbook example.yml --tags "configuration"
  ansible-playbook example.yml --skip-tags "notification"

TAGS
Special tags
  ansible-playbook example.yml --tags "tagged"
  ansible-playbook example.yml --tags "untagged"
  ansible-playbook example.yml --tags "all"

RESULTS
Registering task outputs for debugging or other purposes
  # Example setting the Apache version
  - shell: httpd -v | grep version | awk '{print $3}' | cut -f2 -d'/'
    register: result
  - debug: var=result

CONDITIONAL TASKS
Only run this on a Red Hat OS
  - name: This is a Play
    hosts: web-servers
    remote_user: mberube
    become: yes
    tasks:
      - name: install Apache
        yum: name=httpd state=installed
        when: ansible_os_family == "RedHat"

BLOCKS
Apply a condition to multiple tasks at once
  tasks:
    - block:
        - yum: name={{ item }} state=installed
          with_items:
            - httpd
            - memcached
        - template: src=templates/web.conf.j2 dest=/etc/httpd/conf.d/web.conf
        - service: name=bar state=started enabled=True
      when: ansible_distribution == 'CentOS'

ERRORS
Ignoring errors
By default, Ansible stops on errors. Add the ignore_errors parameter to skip potential errors.
  - name: ping host
    command: ping -c1 www.foobar.com
    ignore_errors: yes

ERRORS
Defining failure
You can apply a special type of conditional that, if true, will cause an error to be thrown.
  - name: this command prints FAILED when it fails
    command: /usr/bin/example-command -x -y -z
    register: command_result
    failed_when: "'FAILED' in command_result.stderr"

ERRORS
Managing errors using blocks
  tasks:
    - block:
        - debug: msg='i execute normally'
        - command: /bin/false
        - debug: msg='i never execute, cause ERROR!'
      rescue:
        - debug: msg='I caught an error'
        - command: /bin/false
        - debug: msg='I also never execute :-('
      always:
        - debug: msg="this always executes"

LINEINFILE
Add, remove or update a particular line
  - lineinfile: dest=/etc/selinux/config regexp=^SELINUX= line=SELINUX=enforcing
  - lineinfile: dest=/etc/httpd/conf/httpd.conf regexp="^Listen " insertafter="^#Listen " line="Listen 8080"
Great example here: ...ibles-lineinfile-module-in-a-bulletproof-way (URL cut off in the transcription)
Note: using template or a dedicated module is more powerful

LAB #2
Configure server groups using a playbook
Objectives
Using an Ansible playbook:
1. Change SELINUX to permissive mode on all your hosts
2. Install HTTPD on your web hosts only
3. Start and Enable HTTPD service on web hosts only if a new httpd package is installed.
4. Copy an motd file saying "Welcome to my server!" to all your hosts
5. Copy an "hello world" index.html file to your web hosts in /var/www/html
6. Modify the sshd.conf to set PermitRootLogin at no

LAB #2 - SOLUTION #1
  ---
  - name: Lab2 - All server setup
    hosts: all
    become: yes
    vars:
      selinux: permissive
    tasks:
      - name: Configure selinux to {{ selinux }}
        selinux:
          policy: targeted
          state: "{{ selinux }}"
      - name: Copy motd file
        copy: src=motd dest=/etc/motd

  - name: Lab2 - Web server setup
    hosts: web
    become: yes
    tasks:
      - name: Install Apache
        yum: name=httpd state=present
        notify: Restart Apache
      - name: Copy Index.html
        copy: src=index.html dest=/var/www/html/index.html
      - name: Set ssh root login at no
        lineinfile:
          dest: /etc/ssh/sshd_config
          # replace the existing directive; without regexp the line is appended
          # and sshd keeps using the first PermitRootLogin it reads
          regexp: '^#?PermitRootLogin'
          line: "PermitRootLogin no"
          state: present
        notify: RestartSSH
    handlers:
      - name: Restart Apache
        service: name=httpd state=restarted enabled=yes
      - name: RestartSSH
        service: name=sshd state=restarted enabled=yes
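The lineinfile semantics from the LINEINFILE slide, applied to the Lab 2 PermitRootLogin task: an added example, not workshop or Ansible code, that models regexp / insertafter / idempotence in Python over a constructed sshd_config (the function names and sample text are assumptions). It shows why the regexp matters: sshd honours the first PermitRootLogin it reads, so an appended line hardens nothing.

```python
"""Model of Ansible's lineinfile (state=present) semantics: regexp, insertafter,
idempotence. Added example, not code from the workshop or from Ansible; the
function names and the sshd_config sample are constructed."""
import re


def lineinfile(text, line, regexp=None, insertafter=None):
    """Return (new_text, changed), mirroring lineinfile with state=present.

    - If regexp matches, the LAST matching line is replaced by `line`.
    - Else, if `line` is already present verbatim, nothing changes.
    - Else `line` goes after the last `insertafter` match, or at EOF.
    """
    lines = text.splitlines()
    if regexp is not None:
        hits = [i for i, l in enumerate(lines) if re.search(regexp, l)]
        if hits:
            if lines[hits[-1]] == line:
                return text, False          # already converged, no change
            lines[hits[-1]] = line
            return "\n".join(lines) + "\n", True
    if line in lines:
        return text, False
    pos = len(lines)
    if insertafter is not None:
        after = [i for i, l in enumerate(lines) if re.search(insertafter, l)]
        if after:
            pos = after[-1] + 1
    lines.insert(pos, line)
    return "\n".join(lines) + "\n", True


def effective_sshd_setting(text, keyword):
    """sshd_config semantics: the FIRST occurrence of a keyword wins."""
    for l in text.splitlines():
        parts = l.split()
        if len(parts) >= 2 and parts[0] == keyword:
            return parts[1]
    return None


# Constructed sample: a distribution default that explicitly allows root login.
SSHD_CONFIG = "Port 22\n#PermitRootLogin yes\nPermitRootLogin yes\nUsePAM yes\n"

# Task written without regexp: "PermitRootLogin no" is appended at EOF, but sshd
# still uses the earlier "PermitRootLogin yes", so nothing was hardened.
APPENDED, _ = lineinfile(SSHD_CONFIG, "PermitRootLogin no")

# With regexp, the existing directive is replaced in place (last match wins).
FIXED, _ = lineinfile(SSHD_CONFIG, "PermitRootLogin no", regexp=r"^#?PermitRootLogin")
```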

LAB #2 - SOLUTION #2
  # ansible-playbook -i ./hosts lab2.yml -e "selinux=permissive"
  ---
  - name: Lab2 - All server setup
    hosts: all
    become: yes
    tasks:
      - name: Configure selinux to {{ selinux }}
        selinux:
          policy: targeted
          state: "{{ selinux }}"
      - name: Copy motd file
        copy: src=motd dest=/etc/motd
  ...

ANSIBLE VARIABLES AND CONFIGURATION MANAGEMENT

VARIABLE PRECEDENCE
Ansible v2 (highest first)
1. extra vars
2. task vars (only for the task)
3. block vars (only for tasks in block)
4. role and include vars
5. play vars_files
6. play vars_prompt
7. play vars
8. set_facts
9. registered vars
10. host facts
11. playbook host_vars
12. playbook group_vars
13. inventory host_vars
14. inventory group_vars
15. inventory vars
16. role defaults

MAGIC VARIABLES
Ansible creates and maintains information about its current state and other hosts through a series of "magic" variables.
- hostvars[inventory_hostname]
- hostvars[<any hostname>]
    {{ hostvars['test.example.com']['ansible_distribution'] }}
- group_names is a list (array) of all the groups the current host is in
- groups is a list of all the groups (and hosts) in the inventory.

MAGIC VARIABLES
Using debug mode to view content
  - name: debug
    hosts: all
    tasks:
      - name: Show hostvars[inventory_hostname]
        debug: var=hostvars[inventory_hostname]
      - name: Show ansible_ssh_host variable in hostvars
        debug: var=hostvars[inventory_hostname].ansible_ssh_host
      - name: Show group_names
        debug: var=group_names
      - name: Show groups
        debug: var=groups

  ansible-playbook -i ./hosts --limit <hostname> debug.yml
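To make the INVENTORY slide and the magic variables concrete, here is an added example (not workshop code and not Ansible's own parser) that reads the workshop-style INI inventory and derives `groups`, `group_names` and `hostvars` the way the debug playbook above prints them. It handles only `[group]` and `[group:vars]` sections with key=value pairs; the inventory text is constructed (web2 is added to the slide's hosts).

```python
"""Minimal parser for the workshop's INI inventory, computing the magic variables
`groups`, `group_names` and `hostvars`. Added example, not workshop code and not
Ansible's parser: only [group] / [group:vars] sections with key=value pairs are
handled, and the inventory text below is constructed (web2 added to the slide's)."""
import re

INVENTORY = """\
[all:vars]
ansible_ssh_user=centos

[web]
web1 ansible_ssh_host=centos2
web2 ansible_ssh_host=centos3

[admin]
ansible ansible_ssh_host=centos1
"""


def parse_inventory(text):
    """Return (groups, hostvars).

    groups   : {group: [host, ...]} including the implicit 'all' group
    hostvars : {host: {var: value}}; [all:vars] is applied first, then the
               host's other group vars, then the host line (host line wins).
    """
    groups = {"all": []}
    group_vars = {}
    host_line_vars = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[([^:\]]+)(?::vars)?\]$", line)
        if m:
            section = (m.group(1), line.endswith(":vars]"))
            groups.setdefault(m.group(1), [])
            continue
        if section is None:
            raise ValueError("host line before any [group] header: " + line)
        name, is_vars = section
        if is_vars:
            key, value = line.split("=", 1)
            group_vars.setdefault(name, {})[key.strip()] = value.strip()
            continue
        host, *kvs = line.split()
        host_line_vars.setdefault(host, {}).update(kv.split("=", 1) for kv in kvs)
        for g in (name, "all"):
            if host not in groups[g]:
                groups[g].append(host)
    hostvars = {}
    for host in groups["all"]:
        merged = dict(group_vars.get("all", {}))
        names = sorted(g for g, members in groups.items() if g != "all" and host in members)
        for g in names:
            merged.update(group_vars.get(g, {}))
        merged.update(host_line_vars[host])
        merged["inventory_hostname"] = host
        merged["group_names"] = names            # like Ansible, 'all' is omitted
        hostvars[host] = merged
    return groups, hostvars
```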

Template module
Using Jinja2
Templates allow you to create dynamic configuration files using variables.
  - template: src=/mytemplates/foo.j2 dest=/etc/file.conf owner=bin group=wheel mode=<mode>
http://docs.ansible.com/ansible/template_module.html

JINJA2
Delimiters
Ansible uses Jinja2. Reading about Jinja2 is highly recommended to understand how templates are built.
  {{ variable }}
  {% for server in groups.webservers %}

JINJA2
Loops
  {% for server in groups.web %}
  {{ server }} {{ hostvars[server].ansible_default_ipv4.address }}
  {% endfor %}
Output:
  web1 10.0.1.1
  web2 10.0.1.2
  web3 10.0.1.3

JINJA2
Conditional
  {# the comparison operator was lost in the transcription; == assumed #}
  {% if ansible_processor_cores == 2 %}
  -smp enable
  {% else %}
  -smp disable
  {% endif %}

JINJA2
Variable filters
  {% set my_var = 'this-is-a-test' %}
  {{ my_var | replace('-', ' ') }}
Output:
  this is a test

JINJA2
Variable filters
  {% set servers = "server1,server2,server3" %}
  {% for server in servers.split(",") %}
  {{ server }}
  {% endfor %}
Output:
  server1
  server2
  server3

JINJA2, more filters
Lots of options.
  # Combine two lists
  {{ list1 | union(list2) }}
  # Get a random number
  {{ 59 | random }} * * * * root /script/from/cron
  # md5sum of a filename
  {{ filename | md5 }}
  # Comparisons (operator lost in the transcription; '>=' as in the Ansible docs example)
  {{ ansible_distribution_version | version_compare('12.04', '>=') }}
  # Default if undefined
  {{ user_input | default('Hello World') }}

JINJA2
Testing
  {% if variable is defined %}
  {% if variable is none %}
  {% if variable is even %}
  {% if variable is string %}
  {% if variable is sequence %}

JINJA2
Template comments
  {% for host in groups['app_servers'] %}
  {# this is a comment and won't display #}
  {{ loop.index }} {{ host }}
  {% endfor %}

YAML vs. Jinja2 Template Gotchas
YAML values beginning with a template variable must be quoted
  vars:
    var1: {{ foo }}                      # ERROR!
    var2: "{{ bar }}"
    var3: Echoing {{ foo }} here is fine

FACTS
Setting facts in a play
  # Example setting the Apache version
  - shell: httpd -v | grep version | awk '{print $3}' | cut -f2 -d'/'
    register: result
  - set_fact:
      apache_version: "{{ result.stdout }}"

LAB #3
Configuration management using variables
Objectives
Modify your lab2 playbook to add the following:
1. Convert your MOTD file into a template saying: "Welcome to <hostname>!"
2. Install facter on all your hosts using an ansible command
3. Convert your index.html file into a template to output the following information:
   Web Servers
   lab1 192.168.3.52 - free memory: 337.43 MB
   lab2 192.168.3.53 - free memory: 346.82 MB

LAB #3 - Help (debug file)
  ---
  - name: debug
    hosts: all
    tasks:
      - name: Show hostvars[inventory_hostname]
        debug: var=hostvars[inventory_hostname]
      - name: Show hostvars[inventory_hostname].ansible_ssh_host
        debug: var=hostvars[inventory_hostname].ansible_ssh_host
      - name: Show group_names
        debug: var=group_names
      - name: Show groups
        debug: var=groups

LAB #3 - SOLUTION - playbook
  ---
  - name: Lab3 - All server setup
    hosts: all
    become: yes
    tasks:
      - name: Configure selinux to permissive
        selinux:
          policy: targeted
          state: permissive
      - name: Copy motd template
        template: src=motd.j2 dest=/etc/motd

  - name: Lab3 - Web server setup
    hosts: web
    become: yes
    tasks:
      - name: Install Apache
        yum: name=httpd state=present
        notify: Restart Apache
      - name: Copy Index.html template
        template: src=index.html.j2 dest=/var/www/html/index.html
        notify: Restart Apache
    handlers:
      - name: Restart Apache
        service: name=httpd state=restarted enabled=yes
MARCO BERUBE, Sr. Cloud Solutions Architect

LAB #3 - SOLUTION - template files
motd.j2
  Welcome to {{ hostvars[inventory_hostname].inventory_hostname }}!
index.html.j2
  Web Servers<br>
  {% for server in groups.web %}
  {{ server }} {{ hostvars[server].ansible_default_ipv4.address }} - free memory: {{ hostvars[server].facter_memoryfree }}<br>
  {% endfor %}

ANSIBLE ROLES

ROLES
A redistributable and reusable collection of:
- tasks
- files
- scripts
- templates
- variables

ROLES
Often used to set up and configure services:
- install packages
- copy files
- start daemons
Examples: Apache, MySQL, Nagios, etc.

ROLES
Directory structure
  roles/
    myapp/
      defaults/
      files/
      handlers/
      meta/
      tasks/
      templates/
      vars/

ROLES
Create the folder structure automatically
  ansible-galaxy init <role_name>

ROLES
Playbook examples
  ---
  - hosts: webservers
    roles:
      - common
      - webservers

ROLES
Playbook examples
  ---
  - hosts: webservers
    roles:
      - common
      - { role: myapp, dir: '/opt/a', port: 5000 }
      - { role: myapp, dir: '/opt/b', port: 5001 }

ROLES
Playbook examples
  ---
  - hosts: webservers
    roles:
      - { role: foo, when: "ansible_os_family == 'RedHat'" }

ROLES
Pre and post tasks - rolling upgrade example
  ---
  - hosts: webservers
    serial: 1
    pre_tasks:
      - command: lb_rm.sh {{ inventory_hostname }}
        delegate_to: lb
      - command: mon_rm.sh {{ inventory_hostname }}
        delegate_to: nagios
    roles:
      - myapp
    post_tasks:
      - command: mon_add.sh {{ inventory_hostname }}
        delegate_to: nagios
      - command: lb_add.sh {{ inventory_hostname }}
        delegate_to: lb
http://docs.ansible.com/ansible/playbooks_delegation.html

http://galaxy.ansible.com

ROLES - INTEGRATION WITH TRAVIS CI
Ansible 2: the magic is in .travis.yml

LAB #4
Web server load-balancing over 3 roles
Objectives
1. Create 3 roles: common, apache and haproxy
2. Create a playbook to apply those roles.
   a. "common" should be applied to all servers
   b. "apache" should be applied to your "web" group
   c. "haproxy" should be applied to your "lb" group
3. Your index.html should return the web server name.
4. selinux state should be set as a variable in group_vars "all"
HAPROXY role available: ... .tar.gz (URL cut off in the transcription)

LAB4 - File structure
  .
  group_vars/
    all
    lb
  install.yml
  roles/
    apache/
      handlers/main.yml
      tasks/main.yml
      templates/index.html.j2
    common/
      defaults/main.yml
      tasks/main.yml
      templates/motd.j2
    haproxy/
      handlers/main.yml
      tasks/main.yml
      templates/haproxy.cfg.j2

Lab 4 : Example

ANSIBLE TOWER
What are the added values?
- Role based access control
- Push button deployment
- Centralized logging & deployment
- System tracking
- API


ANSIBLE TOWER
20 minutes demo: https://www.ansible.com/tower

THANK YOU
plus.google.com/ ...tVideos (URL cut off in the transcription)

FIXING VIM FOR YAML EDITING
  # yum install git     (required for plug-vim)
  $ cd ~
  $ curl -fLo ~/.vim/autoload/plug.vim --create-dirs ...g/master/plug.vim
  $ vim ~/.vimrc
      call plug#begin('~/.vim/plugged')
      Plug 'pearofducks/ansible-vim'
      call plug#end()
  $ vim
  :PlugInstall
When you edit a file, type:
  :set ft=ansible

TRAVIS CI INTEGRATION
Setup
Procedure: https://galaxy.ansible.com/intro

TRAVIS CI INTEGRATION
  [centos@centos7-1 nginx]$ vim .travis.yml
  ---
  language: python
  python: "2.7"
  # Use the new container infrastructure
  sudo: required
  # Install ansible
  addons:
    apt:
      packages:
        - python-pip
  install:
    # Install ansible
    - pip install ansible
    # Check ansible version
    - ansible --version
    # Create ansible.cfg with correct roles_path
    - printf '[defaults]\nroles_path = ./' > ansible.cfg
  script:
    # Basic role syntax check
    - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
  notifications:
    webhooks:   # webhook URL missing in the transcription
