Make sure you can SSH from the Ansible control node to every target without a password prompt: deploy a public key (ssh-copy-id) and keep the private key in ssh-agent rather than using an empty passphrase, since this key effectively grants administrative access to every managed host. `ansible all -m ping` (see below) is the quickest way to confirm the access works.
RHEL/CentOS – make sure EPEL is available and proceed
yum install ansible
Ubuntu
apt install ansible
Set up the hosts and groups to operate on

cp -pi /etc/ansible/ansible.cfg /etc/ansible/ansible.cfg.dist
mv /etc/ansible/hosts /etc/ansible/hosts.dist
vi /etc/ansible/hosts

[nginx]
nginx1

[app]
app1

[hosts]
ansible1 ansible_connection=local
nginx1

[containers]
app1 ansible_connection=docker
TIP:
Keeping your inventory file and variables in a git repo (or other version control) is an excellent way to track changes to your inventory and host variables.
Set up the timezone, sync once manually, then configure ntp and the hardware clock

mkdir /etc/ansible/group_vars/
vi /etc/ansible/group_vars/hosts.yml

timezone: Europe/Paris
ntpservers:
  - ntp_address1
  - ntp_address2
Get a clean ntp.conf sample (comments and blank lines stripped) from every kind of target system and tune it accordingly; the server lines are rendered from the ntpservers list by the template engine

sed '/^$/d; /^#/d' /etc/ntp.conf > /etc/ansible/ntp.clean.conf
vi /etc/ansible/ntp.conf

{% for ntpserver in ntpservers %}
server {{ ntpserver }} iburst
{% endfor %}
RHEL

vi /etc/ansible/ntp.rhel.conf

driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
{% for ntpserver in ntpservers %}
server {{ ntpserver }} iburst
{% endfor %}
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor

Keep the restrict default line and disable monitor in every template: without noquery/nomodify an ntpd answers control queries (ntpq/ntpdc, including the monlist request abused for reflection attacks) and accepts runtime changes from any client, and with no restrict line at all ntpd allows everything.
Ubuntu

vi /etc/ansible/ntp.ubuntu.conf

driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
{% for ntpserver in ntpservers %}
server {{ ntpserver }} iburst
{% endfor %}
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
Slackware

vi /etc/ansible/ntp.slack.conf

server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
{% for ntpserver in ntpservers %}
server {{ ntpserver }} iburst
{% endfor %}
statsdir /var/lib/ntp/stats
logfile /var/log/ntp
driftfile /var/lib/ntp/drift
pidfile /var/run/ntpd.pid
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
RHEL

vi /etc/ansible/ntp.rhel.yml

- hosts: hosts
  tasks:
    - name: timezone {{ timezone }}
      shell: timedatectl set-timezone {{ timezone }}
    - name: pkg ntpdate
      yum: name=ntpdate state=present
    - name: pkg ntp
      yum: name=ntp state=present
    - name: NTP down
      service: name=ntpd state=stopped enabled=yes
    - name: sync against {{ ntpservers[0] }}
      shell: ntpdate -u {{ ntpservers[0] }}
    - name: ntp conf pointing to {{ ntpservers }}
      template: src=ntp.rhel.conf dest=/etc/ntp.conf
    - name: NTP up
      service: name=ntpd state=started enabled=yes
    - name: hardware clock sync
      shell: hwclock --utc --systohc
Slackware

draft – the slackpkg check works. The template source must match the file created above (ntp.slack.conf).

vi /etc/ansible/ntp.slack.yml

- hosts: hosts
  tasks:
    - name: install ntp on slackware
      slackpkg: name=ntp state=present
    - name: NTP down
      service: name=ntpd state=stopped enabled=yes
    - name: sync against {{ ntpservers[0] }}
      shell: ntpdate -u {{ ntpservers[0] }}
    - name: ntp conf pointing to {{ ntpservers }}
      template: src=ntp.slack.conf dest=/etc/ntp.conf
    - name: NTP up
      service: name=ntpd state=started enabled=yes
    - name: hardware clock sync
      shell: hwclock --utc --systohc
Apply and check on the target systems (in ntpq -p output the peer marked with * is the one the daemon actually synchronises to; no * after a few minutes means no usable source)

ansible-playbook ntp.rhel.yml
ansible-playbook ntp.slack.yml
ansible hosts -m shell -a "ls -lhF /etc/localtime"
ansible hosts -m shell -a "ntpq -p"
ansible hosts -m shell -a "ntpdc -c sysinfo"
ansible hosts -m shell -a "grep ^server /etc/ntp.conf"
ansible hosts -m shell -a "date"
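A check on the rendered configuration itself, as an added example that is not part of the original notes: the script below audits an ntp.conf (read on stdin) for the restrictions the templates above rely on, so a template that was edited by hand on one host cannot silently turn the daemon into an open query/monlist responder. The function names ntp_audit and ntp_audit_file and the two sample configs are mine and constructed for the example; nothing here is taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a rendered ntp.conf for the
# access restrictions the templates above rely on.
#   ntp_audit        reads the config on stdin, prints findings, returns 0 = hardened
#   ntp_audit_file   same for a file argument
# Rationale: ntpd with no "restrict default" line accepts everything from everyone;
# without "noquery" it answers ntpq/ntpdc control queries (including the old
# "monlist", abused for reflection/amplification) from any client, and without
# "nomodify" a remote peer may alter its runtime configuration. "kod" and
# "limited" only rate-limit, they do not restrict.

ntp_audit() {
    rc=0
    # same clean-up as the sed one-liner in the notes: drop comments and blank lines
    cfg=$(sed 's/#.*$//; /^[[:space:]]*$/d')

    # 1. at least one upstream time source must be configured
    if ! printf '%s\n' "$cfg" | grep -Eq '^(server|pool|peer)[[:space:]]+[^[:space:]]+'; then
        echo "FAIL: no server/pool/peer line"
        rc=1
    fi

    # 2. every "restrict default" line (plain, -4 or -6) must carry noquery AND nomodify
    dflt_re='^restrict[[:space:]]+(-[46][[:space:]]+)?default'
    n_default=$(printf '%s\n' "$cfg" | grep -Ec "$dflt_re" || true)
    n_hardened=$(printf '%s\n' "$cfg" | grep -E "$dflt_re" \
                 | grep -E '(^|[[:space:]])noquery([[:space:]]|$)' \
                 | grep -Ec '(^|[[:space:]])nomodify([[:space:]]|$)' || true)
    if [ "$n_default" -eq 0 ]; then
        echo "FAIL: no 'restrict default' line (ntpd then grants full access to anyone)"
        rc=1
    elif [ "$n_hardened" -ne "$n_default" ]; then
        echo "FAIL: $((n_default - n_hardened)) 'restrict default' line(s) lack noquery/nomodify"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $n_default restrict default line(s) hardened"
    return "$rc"
}

ntp_audit_file() { ntp_audit < "$1"; }

# Constructed sample configs (not from any real host) to exercise the checks:
WEAK_NTP_CONF='driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod limited
restrict 127.0.0.1'

HARDENED_NTP_CONF='driftfile /var/lib/ntp/drift
server ntp_address1 iburst   # as rendered from {{ ntpservers }}
server ntp_address2 iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
disable monitor'

echo "== weak sample =="
printf '%s\n' "$WEAK_NTP_CONF" | ntp_audit || echo "exit status: $?"
echo "== hardened sample =="
printf '%s\n' "$HARDENED_NTP_CONF" | ntp_audit || echo "exit status: $?"
```

To run it against the managed hosts, pull the live files with the fetch module (which stores them under dest/hostname/path) and loop over them: `ansible hosts -m fetch -a "src=/etc/ntp.conf dest=/tmp/ntpconf/"` followed by `for f in /tmp/ntpconf/*/etc/ntp.conf; do echo "$f"; ntp_audit_file "$f"; done` (the /tmp/ntpconf path is an arbitrary choice).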
Set up permissive SELinux by default and define a variable (here enforce) on the hosts that need enforcing. The selinux module needs the libselinux Python bindings on the target. Permissive only logs what would have been denied (AVC messages in the audit log), so use it to shake out denials before switching a host to enforcing, not as a permanent state on exposed hosts. Note the conditions: the enforcing task must test `enforce is defined and enforce` (with `or`, a host with enforce: 0 would match both tasks and a host without the variable would error on the undefined reference).

vi /etc/ansible/selinux.yml

- hosts: hosts
  tasks:
    - name: enforcing selinux depending on enforce var
      selinux:
        policy: targeted
        state: enforcing
      when: enforce is defined and enforce
    - name: permissive selinux depending on enforce var
      selinux:
        policy: targeted
        state: permissive
      when: enforce is undefined or not enforce
and per host (the directory is host_vars, matching group_vars above)

mkdir /etc/ansible/host_vars/
vi /etc/ansible/host_vars/nginx1

enforce: 1
apply and check on target systems

ansible-playbook selinux.yml
# or: sestatus
ansible hosts -m shell -a "grep ^SELINUX /etc/sysconfig/selinux"
ansible hosts -m shell -a getenforce
Disabling FirewallD on RHEL7 systems and ip(6)tables on RHEL6 systems – this assumes real firewalls in front of the systems. With the host firewall off, every listening service is reachable from wherever the network allows, so check what actually listens afterwards (ss -lntu) and prefer managing rules on hosts that face untrusted networks rather than disabling them. ansible_distribution_major_version is a string fact, hence the quoted comparison.

vi /etc/ansible/firewalls.yml

- hosts: hosts
  tasks:
    - name: firewalld disabled
      service: name=firewalld state=stopped enabled=no
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == "7"
    - name: iptables disabled
      service: name=iptables state=stopped enabled=no
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == "6"
    - name: ip6tables disabled
      service: name=ip6tables state=stopped enabled=no
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == "6"
apply and check on the target systems (the playbook file is firewalls.yml; rhel6 and rhel7 are assumed to be groups in your inventory)

ansible-playbook firewalls.yml
ansible rhel6 -m shell -a "chkconfig --list | grep tables"
ansible rhel7 -m shell -a "systemctl list-unit-files | grep tables"
ansible rhel7 -m shell -a "systemctl list-unit-files | grep fire"
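The check a practitioner wants right after turning the host firewall off is what is now exposed, not only that the service is stopped. The script below is an added example, not part of the original notes: it reads `ss -lntu` output (listening TCP and UDP sockets, numeric) on stdin, ignores loopback-only sockets, and reports every listener whose port is not in the allow list you pass as the first argument. The function name exposed_listeners and the sample ss output are mine and constructed; they are not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the original notes): once the host firewall is off, list
# the services that are actually reachable from the network.
#   exposed_listeners "<allowed ports>" < ss-output
# prints every non-loopback listener whose port is outside the allow list and
# returns 1 if there is any, 0 otherwise.

exposed_listeners() {
    exposed=$(awk -v allowed=" $1 " '
        # "ss -lntu" rows: Netid State Recv-Q Send-Q Local:Port Peer:Port
        # (the header and any ansible "host | CHANGED | rc=0 >>" lines fail the State test)
        $2 == "LISTEN" || $2 == "UNCONN" {
            sock = $5
            p = match(sock, /:[0-9*]+$/)     # the port sits after the last colon
            if (p == 0) next
            port = substr(sock, p + 1)
            addr = substr(sock, 1, p - 1)
            gsub(/\[/, "", addr)             # "[::]" -> "::"
            gsub(/\]/, "", addr)
            # loopback-only sockets are not reachable from the network
            if (addr == "::1" || addr ~ /^127\./) next
            if (index(allowed, " " port " ") == 0) print $1, addr ":" port
        }')
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Constructed sample of "ss -lntu" output (not captured from a real host):
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      [::]:123           [::]:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      128    *:80               *:*'

# ssh, http and ntp are expected; the wildcard-bound mysql port is not
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "22 80 123" \
    || echo "unexpected listeners found (exit $?)"
```

Against a live host, pipe the ad-hoc command through it one host at a time, for instance `ansible nginx1 -m shell -a "ss -lntu" | exposed_listeners "22 80 443 123"`; the per-host header line Ansible prints is skipped by the State test, so the output needs no cleaning.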
Check accessibility of the managed systems (this also confirms Python is usable on them)
ansible all -m ping
Send raw commands without using Python on the remote host (useful before Python is installed), e.g.
ansible hosts -m raw -a hostname
Send shell commands using Python on the remote host e.g.
ansible hosts -m shell -a hostname
or print a remote environment variable, e.g.

ansible hosts -m shell -a 'echo $TERM'
and to only see what would be done without changing anything, add -C (check mode) to the command line, e.g.
ansible-playbook -C selinux.yml
Restart all NGINX instances
ansible nginx -m service -a "name=nginx state=restarted"
To fetch the facts (information/variables about the target) that help you design playbooks and conditionals such as ansible_os_family above
ansible <target> -m setup
If you are using ClusterIt alongside Ansible, this script might be useful to maintain a shared list of hosts across both tools. It overwrites /etc/ansible/hosts, so host variables such as the ansible_connection settings above would be lost.

echo -n converting clusterit.conf to ansible hosts file...
sed 's/GROUP:\(.*\)/\[\1\]/' /etc/clusterit.conf > /etc/ansible/hosts && echo done
http://docs.ansible.com/ansible/intro_getting_started.html
http://docs.ansible.com/ansible/intro_configuration.html
http://docs.ansible.com/ansible/playbooks_conditionals.html
https://serversforhackers.com/an-ansible-tutorial
http://blog.programster.org/ansible-run-a-local-script-on-remote-server/
Ansible change ssh port in playbook https://stackoverflow.com/questions/34333058/ansible-change-ssh-port-in-playbook
community.general.slackpkg – Package manager for Slackware >= 12.2 https://docs.ansible.com/ansible/latest/collections/community/general/slackpkg_module.html
http://docs.ansible.com/ansible/selinux_module.html
http://docs.ansible.com/ansible/selinux_permissive_module.html
https://github.com/ansible/ansible-examples/blob/master/lamp_simple/roles/common/tasks/main.yml
http://www.opensourcerers.org/setting-up-ntp-via-ansible-in-my-private-lab/
https://stackoverflow.com/questions/36667042/how-to-specify-an-array-or-list-element-fact-with-yaml