Ansible is excellent tools for automating deployment and provisioning on your network systems. It comunicates over ssh and does not require any additional software installed on client side. We will take a look at very basic setup and configuration on CentsOS 7.
In our LAB we have one system running ansible and two clent systems setup all running CentOS 7.
First we need to install EPEL repo
yum install epel-release
Now install ansible
yum install ansible
Make sure ansible installed
[root@ansibol ansible]# ansible --version ansible 18.104.22.168 config file = /etc/ansible/ansible.cfg configured module search path = Default w/o overrides
We will need to prepare few things before we start using ansible.
First we will need to make sure our clients host names are resolvable by DNS. If not we can add them to local host file
vi /etc/hosts 192.168.0.101 client1.local 192.168.0.102 client2.local
Now we need to setup ssh keys for passwordless authentication and copy keys to our client systems
[root@ansibol ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 9e:57:10:4b:b0:f6:fe:2e:a2:be:a6:c8:64:0b:40:d6 firstname.lastname@example.org The key's randomart image is: +--[ RSA 2048]----+ | ..o | | . o o | | o E o o | |o . . . | |. S . . | |. . o . | |. o o o | | = o . .... | | + .++o . oo | +-----------------+
Now you can copy keys to our two clients
[root@ansibol ~]# ssh-copy-id email@example.com The authenticity of host 'client1.local (192.168.0.101)' can't be established. ECDSA key fingerprint is 42:00:44:9c:7d:ea:d2:1f:22:b2:51:40:e3:08:fc:2a. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys firstname.lastname@example.org's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'email@example.com'" and check to make sure that only the key(s) you wanted were added. [root@ansibol ~]# ssh-copy-id firstname.lastname@example.org The authenticity of host 'client2.local (192.168.0.103)' can't be established. ECDSA key fingerprint is 42:00:44:9c:7d:ea:d2:1f:22:b2:51:40:e3:08:fc:2a. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys email@example.com's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'firstname.lastname@example.org'" and check to make sure that only the key(s) you wanted were added.
Now test to make sure we cal login without password
[root@ansibol ~]# ssh email@example.com Last login: Tue Feb 7 12:44:52 2017 [root@client1 ~]#
Getting started with ansible
First we need to setup inventory file
vi /etc/ansible/hosts [labsystems] client1.local client2.local
Please note if you have ssh setup on different port for example 222 you can specify it like this client1.local:222
and now we test to make sure we can ping all systems
ansible all -m ping
or alternatively we can ping labsystems group
ansible labsystems -m ping
Executing Ad-Hoc commands is also quite easy. Example below will run yum update on client1.local
ansible client1.local -a "yum update -y"
or to run it for all systems in the group
ansible labsystems -a "yum update -y"
In the example below we will transfer file test.txt to all systems in labsystems group
ansible labsystems -m copy -a "src=/root/test.txt dest=/root/test.txt"
Here is how we would create a user john with password john123 on all systems
ansible all -m user -a "name=john password=
Playbooks consist of modules. You can use existing modules or write your own modules. To see list of available modules.
We now will look at example of deploying Nagios client using Ansible playbook
We will first create a file called nrpe.tpml which will have some configuration changes in it. Now example of playbook in our case will look like this. Create playbook1.yml
--- - hosts: client2.local tasks: - name: Add repository yum_repository: name: epel description: EPEL YUM repo baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/ gpgkey: https://dl.fedoraproject.org/pub/epel/ gpgcheck: no - name: Install nrpe yum: name: nrpe state: present - name: Install nagios-plugins yum: name: nagios-plugins-all state: present - name: Install openssl yum: name: openssl state: present - name: write the nrpe config file template: src=/etc/ansible/nrpe.tmpl dest=/etc/nagios/nrpe.conf notify: - restart nrpe - name: open firewalld port command: firewall-cmd --zone=public --permanent --add-port=5666/tcp command: firewall-cmd --reload
This is just an example of how it may look like.
To execute a playbook
ansible-playbook playbook1.yml -f 10