Getting started with Ansible on CentOS 7

Ansible is an excellent tool for automating deployment and provisioning on your network systems. It communicates over SSH and does not require any additional software installed on the client side. We will take a look at a very basic setup and configuration on CentOS 7.

LAB Environment
In our lab we have one system running Ansible and two client systems, all running CentOS 7.
ansible.local 192.168.0.100
client1.local 192.168.0.101
client2.local 192.168.0.102

Installing Ansible
First we need to install the EPEL repo

yum install epel-release

Now install Ansible

yum install ansible

Make sure Ansible is installed

[root@ansibol ansible]# ansible --version
ansible 2.2.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

Preparing environment
We need to prepare a few things before we start using Ansible.
First we need to make sure our clients' host names are resolvable by DNS. If they are not, we can add them to the local hosts file

vi /etc/hosts
192.168.0.101   client1.local
192.168.0.102   client2.local
                              

Now we need to set up SSH keys for passwordless authentication and copy the public key to our client systems

[root@ansibol ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9e:57:10:4b:b0:f6:fe:2e:a2:be:a6:c8:64:0b:40:d6 root@ansible.local
The key's randomart image is:
+--[ RSA 2048]----+
|        ..o      |
|  .      o o     |
| o E    o o      |
|o      . . .     |
|.       S . .    |
|.      . o .     |
|. o     o o      |
| = o  . ....     |
|  + .++o . oo    |
+-----------------+

Now you can copy the public key to our two clients

[root@ansibol ~]# ssh-copy-id root@client1.local
The authenticity of host 'client1.local (192.168.0.101)' can't be established.
ECDSA key fingerprint is 42:00:44:9c:7d:ea:d2:1f:22:b2:51:40:e3:08:fc:2a.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@client1.local's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@client1.local'"
and check to make sure that only the key(s) you wanted were added.

[root@ansibol ~]# ssh-copy-id root@client2.local
The authenticity of host 'client2.local (192.168.0.103)' can't be established.
ECDSA key fingerprint is 42:00:44:9c:7d:ea:d2:1f:22:b2:51:40:e3:08:fc:2a.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@client2.local's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@client2.local'"
and check to make sure that only the key(s) you wanted were added.


Now test to make sure we can log in without a password

[root@ansibol ~]# ssh root@client1.local
Last login: Tue Feb  7 12:44:52 2017
[root@client1 ~]# 

Getting started with Ansible
First we need to set up the inventory file

vi /etc/ansible/hosts
[labsystems]
client1.local
client2.local

Please note: if SSH is set up on a different port, for example 222, you can specify it like this: client1.local:222

Now we test to make sure we can ping all systems

ansible all -m ping

or alternatively we can ping the labsystems group

ansible labsystems -m ping

Executing ad-hoc commands is also quite easy. The example below will run yum update on client1.local

ansible client1.local -a "yum update -y"

or to run it for all systems in the group

ansible labsystems -a "yum update -y"

In the example below we will transfer the file test.txt to all systems in the labsystems group

ansible labsystems -m copy -a "src=/root/test.txt dest=/root/test.txt"

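Here is how we would create a user john with password john123 on all systems. The password argument of the user module expects the crypted hash of the password, not the plain text; it is shown here as a placeholder

ansible all -m user -a "name=john password=<crypted-hash-of-password>"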
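The user module writes the password value as-is into /etc/shadow, so it has to be a crypted hash. As an added example (not from the original page), this playbook prompts for the password and hashes it with the password_hash filter, which keeps the plain text out of shell history and the process list; the file name create_user.yml and the variable name john_password are assumptions.

```yaml
---
# create_user.yml - added example, not part of the original tutorial.
# File name and variable name are assumptions.
- hosts: labsystems
  vars_prompt:
    # Prompt on the control node; input is not echoed and must be typed twice.
    - name: john_password
      prompt: "Password for john"
      private: yes
      confirm: yes

  tasks:
    - name: Create user john with a SHA-512 crypt hash
      user:
        name: john
        # password_hash() picks a random salt on every run, so the hash
        # differs each time the playbook is executed.
        password: "{{ john_password | password_hash('sha512') }}"
        # Only set the password when the account is created; without this
        # the task would report "changed" on every run because of the salt.
        update_password: on_create
      # Keep the hash out of console output and logs.
      no_log: true
```

Run it with ansible-playbook create_user.yml.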


Playbooks

Playbooks consist of tasks, and each task calls a module. You can use existing modules or write your own. To see the list of available modules:

ansible-doc -l

We will now look at an example of deploying the Nagios client using an Ansible playbook.
We will first create a file called nrpe.tmpl, which will have some configuration changes in it. The playbook in our case will look like this. Create playbook1.yml

---
- hosts: client2.local
  tasks:

  - name: Add repository
    yum_repository:
      name: epel
      description: EPEL YUM repo
      baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
      gpgkey: https://dl.fedoraproject.org/pub/epel/
      # gpgcheck: no turns off RPM signature verification for packages from this repo
      gpgcheck: no


  - name: Install nrpe
    yum:
      name: nrpe
      state: present
  - name: Install nagios-plugins
    yum:
      name: nagios-plugins-all
      state: present
  - name: Install openssl
    yum:
      name: openssl
      state: present
  - name: write the nrpe config file
    template: src=/etc/ansible/nrpe.tmpl dest=/etc/nagios/nrpe.conf
    notify:
    - restart nrpe
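  # One command per task: a second "command:" key in the same task replaces the first
  - name: open firewalld port
    command: firewall-cmd --zone=public --permanent --add-port=5666/tcp
  - name: reload firewalld
    command: firewall-cmd --reload

  # Handler that "notify: restart nrpe" above refers to
  handlers:
  - name: restart nrpe
    service: name=nrpe state=restarted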

This is just an example of what it may look like.
To execute a playbook:

ansible-playbook playbook1.yml -f 10
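A variant of the NRPE playbook above, as an added example that is not from the original page: it enables EPEL through the signed epel-release package so RPM signature checking stays on, and opens the port with the firewalld module so repeated runs are idempotent. The file name playbook1_signed.yml is an assumption; package names, paths and the port are the ones used above.

```yaml
---
# playbook1_signed.yml - added example; the file name is an assumption.
- hosts: client2.local
  tasks:
    # epel-release ships the repo definition together with its GPG key,
    # so packages from EPEL are verified (gpgcheck stays enabled).
    - name: Enable EPEL from the epel-release package
      yum:
        name: epel-release
        state: present

    - name: Install nrpe, nagios plugins and openssl
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - nrpe
        - nagios-plugins-all
        - openssl

    - name: Write the nrpe config file
      template:
        src: /etc/ansible/nrpe.tmpl
        dest: /etc/nagios/nrpe.conf
      notify: restart nrpe

    # The firewalld module reports "changed" only when the rule is missing.
    # permanent + immediate updates both the saved and the running
    # configuration, so no separate reload is needed.
    - name: Open the NRPE port in firewalld
      firewalld:
        zone: public
        port: 5666/tcp
        permanent: yes
        immediate: yes
        state: enabled

  handlers:
    # Runs once at the end of the play, and only if the template changed.
    - name: restart nrpe
      service:
        name: nrpe
        state: restarted
```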