Setting up Ansible

Requirements

Make sure you have set up passwordless (key-based) SSH from the Ansible system to the target systems.

Installation

RHEL/CentOS – make sure EPEL is available and proceed

yum install ansible

Ubuntu

apt install ansible

Manual inventory

Set up the hosts and groups to operate on

cp -pi /etc/ansible/ansible.cfg /etc/ansible/ansible.cfg.dist
mv /etc/ansible/hosts /etc/ansible/hosts.dist
vi /etc/ansible/hosts

[nginx]
nginx1

[app]
app1

[hosts]
ansible1                ansible_connection=local
nginx1

[containers]
app1                    ansible_connection=docker

TIP:

Keeping your inventory file and variables in a git repo (or other version control) is an excellent way to track changes to your inventory and host variables.

Dynamic inventory

Cobbler vs. OpenStack & mixed sources

http://docs.ansible.com/ansible/intro_dynamic_inventory.html#example-the-cobbler-external-inventory-script

http://docs.ansible.com/ansible/intro_dynamic_inventory.html#example-openstack-external-inventory-script

http://docs.ansible.com/ansible/intro_dynamic_inventory.html#using-inventory-directories-and-multiple-inventory-sources

Time config example

Set up the timezone, sync manually, configure ntp and the hardware clock

mkdir /etc/ansible/group_vars/
vi /etc/ansible/group_vars/hosts.yml

timezone: Europe/Paris
ntpservers:
  - ntp_address1
  - ntp_address2

Get a clean ntp.conf sample for every kind of target system and tune it accordingly

sed '/^$/d; /^#/d' /etc/ntp.conf > /etc/ansible/ntp.clean.conf
vi /etc/ansible/ntp.conf

{% for ntpserver in ntpservers %}
    server {{ ntpserver }} iburst
{% endfor %}

RHEL

vi /etc/ansible/ntp.rhel.conf

driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

{% for ntpserver in ntpservers %}
    server {{ ntpserver }} iburst
{% endfor %}

includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor

Ubuntu

vi /etc/ansible/ntp.ubuntu.conf

driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

{% for ntpserver in ntpservers %}
    server {{ ntpserver }} iburst
{% endfor %}

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery

Slackware

vi /etc/ansible/ntp.slack.conf

server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

{% for ntpserver in ntpservers %}
    server {{ ntpserver }} iburst
{% endfor %}

statsdir /var/lib/ntp/stats
logfile /var/log/ntp
driftfile /var/lib/ntp/drift
pidfile /var/run/ntpd.pid
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

Playbooks

RHEL

vi /etc/ansible/ntp.rhel.yml

- hosts: hosts
  tasks:
  - name: timezone {{ timezone }}
    shell: timedatectl set-timezone {{ timezone }}

  - name: pkg ntpdate
    yum: name=ntpdate state=present

  - name: pkg ntp
    yum: name=ntp state=present

  - name: NTP down
    service: name=ntpd state=stopped enabled=yes

  - name: sync against {{ ntpservers[0] }}
    shell: ntpdate -u {{ ntpservers[0] }}

  - name: ntp conf pointing to {{ ntpservers }}
    template: src=ntp.rhel.conf dest=/etc/ntp.conf

  - name: NTP up
    service: name=ntpd state=started enabled=yes

  - name: hardware clock sync
    shell: hwclock --utc --systohc

Slackware

draft: the slackpkg check works

vi /etc/ansible/ntp.slack.yml

- hosts: hosts
  tasks:
  - name: install ntp on slackware
    slackpkg: name=ntp state=present

  - name: NTP down
    service: name=ntpd state=stopped enabled=yes

  - name: sync against {{ ntpservers[0] }}
    shell: ntpdate -u {{ ntpservers[0] }}

  - name: ntp conf pointing to {{ ntpservers }}
    template: src=ntp.slack.conf dest=/etc/ntp.conf

  - name: NTP up
    service: name=ntpd state=started enabled=yes

  - name: hardware clock sync
    shell: hwclock --utc --systohc

Ready to go

apply and check on the target systems

ansible-playbook ntp.ubuntu.yml
ansible-playbook ntp.slack.yml

ansible hosts -m shell -a "ls -lhF /etc/localtime"
ansible hosts -m shell -a "ntpq -p"
ansible hosts -m shell -a "ntpdc -c sysinfo"
ansible hosts -m shell -a "grep ^server /etc/ntp.conf"
ansible hosts -m shell -a "date"
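Every template above carries a restrict default line with nomodify notrap nopeer noquery, which is what keeps ntpd from answering configuration and status queries from arbitrary clients. As an added check that is not part of the original notes, this shell function audits a rendered /etc/ntp.conf (fetched from a host, or rendered locally) for those flags, for restrict lines that grant full access, and for Jinja markers left behind when a template is copied instead of rendered; the two sample files are constructed.

```shell
# Added example, not from the original notes: audit a rendered ntp.conf for the
# restrictions the templates above carry. One finding per stdout line; the
# return code is the number of findings (0 = clean).
audit_ntp_conf() {
    awk '
    BEGIN { n = 0; defaults = 0; split("nomodify notrap nopeer noquery", need, " ") }
    { sub(/#.*/, "") }                        # drop comments ...
    /^[ \t]*$/ { next }                       # ... and blank lines
    # leftover {{ }} or {% %} means the file was copied, not templated
    index($0, "{{") || index($0, "{%") { print "unrendered marker: " $0; n++; next }
    $1 == "restrict" {
        i = 2
        if ($i == "-4" || $i == "-6") i++     # address family switch
        target = $i
        if ($(i + 1) == "mask") i += 2        # restrict <net> mask <mask> <flags>
        flags = " "
        for (j = i + 1; j <= NF; j++) flags = flags $j " "
        if (target == "default") {
            defaults++
            for (k = 1; k <= 4; k++)
                if (!index(flags, " " need[k] " ")) { print "default lacks " need[k] ": " $0; n++ }
        } else if (flags == " " && target != "127.0.0.1" && target != "::1") {
            print "restrict with no flags grants full access: " $0; n++
        }
    }
    END { if (!defaults) { print "no restrict default line"; n++ }; exit n }
    ' "$1"
}
# Constructed samples: one rendered from the RHEL template above, one broken.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp_address1 iburst
disable monitor
EOF
cat > "$tmp/bad.conf" <<'EOF'
{% for ntpserver in ntpservers %}
    server {{ ntpserver }} iburst
{% endfor %}
restrict default nomodify notrap nopeer
restrict 10.0.0.0 mask 255.0.0.0
EOF
for f in good bad; do
    echo "== $f.conf"; audit_ntp_conf "$tmp/$f.conf" && echo clean || echo "findings: $?"
done
```

To run it against the fleet, fetch each host's /etc/ntp.conf with the fetch module and point the function at the local copies.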

RHEL/CentOS sysprep

Set permissive SELinux by default, and define a variable (here enforce) on the hosts that need enforcing mode

vi /etc/ansible/selinux.yml

- hosts: hosts
  tasks:

  - name: enforcing selinux depending on enforce var
    selinux:
      policy: targeted
      state: enforcing
    when: enforce is defined and enforce

  - name: permissive selinux depending on enforce var
    selinux:
      policy: targeted
      state: permissive
    when: enforce is undefined or not enforce

and, for the hosts that need enforcing mode:

mkdir /etc/ansible/host_vars/
vi /etc/ansible/host_vars/nginx1

enforce: 1

apply and check on target systems

ansible-playbook selinux.yml

#sestatus
ansible hosts -m shell -a "grep ^SELINUX /etc/sysconfig/selinux"
ansible hosts -m shell -a getenforce

Disabling FirewallD on RHEL7 systems and ip(6)tables on RHEL6 systems, assuming the systems sit behind real firewalls

vi /etc/ansible/firewalls.yml

- hosts: hosts
  tasks:

  - name: firewalld disabled
    service: name=firewalld state=stopped enabled=no
    when:
      - ansible_os_family == "RedHat"
      - ansible_distribution_major_version == "7"

  - name: iptables disabled
    service: name=iptables state=stopped enabled=no
    when:
      - ansible_os_family == "RedHat"
      - ansible_distribution_major_version == "6"

  - name: ip6tables disabled
    service: name=ip6tables state=stopped enabled=no
    when:
      - ansible_os_family == "RedHat"
      - ansible_distribution_major_version == "6"

apply and check on the target systems

ansible-playbook firewalls.yml

ansible rhel6 -m shell -a "chkconfig --list | grep tables"
ansible rhel7 -m shell -a "systemctl list-unit-files | grep tables"
ansible rhel7 -m shell -a "systemctl list-unit-files | grep fire"
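Turning the host firewalls off rests on the assumption stated above, so it is worth knowing what each host then exposes to the network. As an added check that is not part of the original notes, this shell function reads the output of ansible hosts -m shell -a "ss -lntuH" and reports every socket bound to a non-loopback address whose proto:port is not on an allow-list; the sample output for two hosts is constructed, and the "host | CHANGED | rc=0 >>" header format is that of ansible ad hoc commands.

```shell
# Added example, not from the original notes: once the host firewalls are off,
# report which sockets each host exposes to the network beyond an allow-list.
# Input: the output of   ansible hosts -m shell -a "ss -lntuH"   on stdin.
# Usage: exposed_listeners "tcp:22 tcp:80 udp:123" < output; returns the count.
exposed_listeners() {
    awk -v allow=" $1 " '
    BEGIN { n = 0; host = "?" }
    $2 == "|" && $4 == "|" { host = $1; next }       # "app1 | CHANGED | rc=0 >>"
    $1 != "tcp" && $1 != "udp" { next }                # not an ss socket line
    {
        sock = $5                                      # addr:port, [v6]:port or *:port
        port = sock; sub(/.*:/, "", port)
        addr = sock; sub(/:[^:]*$/, "", addr)
        # loopback-only sockets are not reachable from the network
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (index(allow, " " $1 ":" port " ")) next
        print host, $1, sock; n++
    }
    END { exit n }'
}

# Constructed sample of what the ad hoc command returns for two hosts.
ss_sample='nginx1 | CHANGED | rc=0 >>
udp   UNCONN 0      0          0.0.0.0:123      0.0.0.0:*
udp   UNCONN 0      0        127.0.0.1:323      0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:80       0.0.0.0:*
app1 | CHANGED | rc=0 >>
tcp   LISTEN 0      128        0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:9000     0.0.0.0:*
tcp   LISTEN 0      80            [::]:3306     [::]:*
tcp   LISTEN 0      128           [::]:8080     [::]:*'

allowed="tcp:22 tcp:80 udp:123"
printf '%s\n' "$ss_sample" | exposed_listeners "$allowed" \
    && echo "nothing exposed beyond the allow-list" || echo "exposed sockets: $?"
```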

Operations

Check accessibility of the managed systems

ansible all -m ping

Send raw commands, without using Python on the remote host, e.g.

ansible hosts -m raw -a hostname

Send shell commands, using Python on the remote host, e.g.

ansible hosts -m shell -a hostname

or print a remote variable, e.g.

ansible hosts -m shell -a 'echo $TERM'

and if you just want to check what would be done (dry run), add -C to the command line, e.g.

ansible-playbook -C selinux.yml

Restart all NGINX instances

ansible nginx -m service -a "name=nginx state=restarted"

To fetch facts and variables that help you design playbooks

ansible <target> -m setup

Alternatives & interoperability

If you are using ClusterIt alongside Ansible, this script might be useful to maintain a shared list of hosts across both tools

echo -n converting clusterit.conf to ansible hosts file...
sed 's/GROUP:\(.*\)/\[\1\]/' /etc/clusterit.conf > /etc/ansible/hosts && echo done

Resources

http://docs.ansible.com/ansible/intro_getting_started.html

http://docs.ansible.com/ansible/intro_configuration.html

http://docs.ansible.com/ansible/playbooks_conditionals.html

https://serversforhackers.com/an-ansible-tutorial

http://blog.programster.org/ansible-run-a-local-script-on-remote-server/

Ansible change ssh port in playbook https://stackoverflow.com/questions/34333058/ansible-change-ssh-port-in-playbook

community.general.slackpkg – Package manager for Slackware >= 12.2 https://docs.ansible.com/ansible/latest/collections/community/general/slackpkg_module.html

more

http://docs.ansible.com/ansible/selinux_module.html

http://docs.ansible.com/ansible/selinux_permissive_module.html

https://github.com/ansible/ansible-examples/blob/master/lamp_simple/roles/common/tasks/main.yml

ntp

http://www.opensourcerers.org/setting-up-ntp-via-ansible-in-my-private-lab/

https://github.com/ansible/ansible-examples/blob/master/lamp_simple/roles/common/templates/ntp.conf.j2

https://stackoverflow.com/questions/24798382/how-to-assign-an-array-to-a-variable-in-an-ansible-playbook

https://stackoverflow.com/questions/41610207/how-to-get-the-first-element-of-a-list-from-the-output-of-setup-module-in-ansibl

https://stackoverflow.com/questions/36667042/how-to-specify-an-array-or-list-element-fact-with-yaml

Copyright © 2024 Pierre-Philipp Braun