Difference between revisions of "Ansible"

From Logic Wiki

Revision as of 12:11, 30 March 2026


Installation

Installation on the development machine (macOS with Homebrew):

pip install ansible
brew install hudochenkov/sshpass/sshpass

Installation on an Ubuntu server:

sudo apt update
sudo apt install ansible
sudo apt install sshpass

sshpass is only needed for password logins (--ask-pass); once key-based authentication is set up it is not required.

Running playbooks

To run all playbooks, run this command from the ansible folder.

Make sure SSH key-based authentication is set up first (see Key-based Authentication below).

ansible-playbook ./playbooks/all.yml  -i ./inventory/hosts

Folders and files

Hosts

Add or update servers in the ./inventory/hosts file, by hostname or IP address.

They can be grouped into named groups like

[web_servers]
192.168.1.200
192.168.1.201
[database_servers]
192.168.1.204

A group is then targeted in a playbook with

 - hosts: web_servers

Test connectivity with

ansible -i ./inventory/hosts servers -m ping --user logicmade --ask-pass

Here servers is the name of a group in the hosts file and logicmade is the SSH username; --ask-pass prompts for the SSH password (this is what sshpass is for).

Setting variables next to server names

[web_servers]
192.168.1.200 apache_package=apache2 php_package=libapache2-mod-php
192.168.1.201 apache_package=httpd php_package=php
[database_servers]
192.168.1.204

They can then be used in a playbook like this. The play targets web_servers, because those variables are only defined for that group; running it against all would fail on the database host with an undefined-variable error.

- hosts: web_servers
  become: true
  tasks:
    - name: Install Apache and PHP
      package:
        name:
          - "{{ apache_package }}"
          - "{{ php_package }}"
        state: latest
        update_cache: yes

Playbooks

In a playbook YAML file, become: true means the tasks run with privilege escalation (sudo to root by default).

To run a playbook (--ask-become-pass prompts for the sudo password):

ansible-playbook ./playbooks/apt.yml --user logicmade --ask-pass --ask-become-pass -i ./inventory/hosts

Ad-Hoc Commands

An ad-hoc command starts with ansible followed by the target pattern; the module to run is given after the -m flag (and its arguments after -a).

ansible all --key-file ~/.ssh/ansible -i inventory -m ping

Modules

Modules are the reusable units of work that tasks call, such as apt, debug, git and file. See the module index for the full list; in current Ansible, builtin modules are addressed by their fully qualified name, e.g. ansible.builtin.apt.

Conditions

A task runs only when its "when" expression evaluates to true.

gather_facts

To see the facts Ansible gathers about the nodes (here limited to one host, 192.168.1.204), run

ansible all -i ./inventory/hosts -m gather_facts --limit 192.168.1.204

Any fact can then be used in a condition (inside a playbook, facts are available because gather_facts is on by default), e.g.

when: ansible_distribution == "Ubuntu"

or combined with and/or:

when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "24.04"
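The facts and when: clauses above, combined with the per-host package variables from the Hosts section, in one playbook. This is an added example, not code from the original page: it goes beyond the page by deriving the packages from the os_family fact instead of setting apache_package and php_package by hand for each host. The web_packages mapping and the playbook name are assumptions; the web_servers group and the package names come from the page.

```yaml
# Added example, not from the original page. The web_packages mapping is a
# hypothetical replacement for the per-host apache_package/php_package
# inventory variables; the web_servers group comes from the inventory above.
- name: Install Apache and PHP, choosing packages from gathered facts
  hosts: web_servers
  become: true
  gather_facts: true                  # the when: clauses below need facts
  vars:
    web_packages:
      Debian: [apache2, libapache2-mod-php]   # Ubuntu/Debian
      RedHat: [httpd, php]                    # RHEL/Rocky/Fedora
  tasks:
    - name: Stop early on an OS family we have no package mapping for
      ansible.builtin.assert:
        that: ansible_facts['os_family'] in web_packages
        fail_msg: "No package mapping for {{ ansible_facts['os_family'] }}"

    - name: Install the packages (apt on Debian family, dnf/yum on RedHat family)
      ansible.builtin.package:
        name: "{{ web_packages[ansible_facts['os_family']] }}"
        state: present                # 'latest' would upgrade on every run; patch separately

    - name: "Ubuntu-only step (items in a when: list are ANDed together)"
      ansible.builtin.debug:
        msg: "Ubuntu {{ ansible_facts['distribution_version'] }} detected"
      when:
        - ansible_facts['distribution'] == "Ubuntu"
        - ansible_facts['distribution_version'] is version('22.04', '>=')

    - name: Enable and start the web service (its name also differs per family)
      ansible.builtin.service:
        name: "{{ 'apache2' if ansible_facts['os_family'] == 'Debian' else 'httpd' }}"
        state: started
        enabled: true
```

Run it with the same ansible-playbook invocation as the other playbooks on this page. The assert task turns an unsupported host into a clear failure instead of a cryptic undefined-variable error, and state: present keeps the play idempotent; the version test lets a condition compare versions numerically rather than as strings.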


Key-based Authentication

Setting Up SSH Key-Based Authentication

Generate a key pair: on the Ansible controller, run the command below. Give the key a passphrase and load it into ssh-agent for the session rather than storing it unprotected; -t ed25519 is a shorter, modern alternative to rsa.

ssh-keygen -t rsa -f ~/.ssh/ansible-keys

Distribute Public Key

Copy the public key to each managed node (this prompts for the user's password once):

ssh-copy-id -i ~/.ssh/ansible-keys.pub user@node

Configure Ansible Inventory

Specify the private key in your inventory file:

[servers]
node1 ansible_host=192.168.1.10 ansible_user=admin ansible_ssh_private_key_file=~/.ssh/ansible-keys

Passwordless sudo

Ansible's become needs sudo on the node; to avoid --ask-become-pass on every run, on each server run sudo visudo and add this line:

logicmade ALL=(ALL) NOPASSWD: ALL

logicmade is the username to be escalated.

Safer: keep the rule in a dedicated drop-in file rather than editing /etc/sudoers directly (visudo -f checks the syntax before saving, so a typo cannot lock you out of sudo):

sudo visudo -f /etc/sudoers.d/logicmade

and add the same line there:

logicmade ALL=(ALL) NOPASSWD: ALL

Note that NOPASSWD: ALL turns the automation account's SSH private key into root on every managed node: keep that key off shared machines, protect it with a passphrase held in ssh-agent, and prefer a dedicated automation account over a personal one. Restricting the rule to specific commands does not help with Ansible, because become runs its modules through /bin/sh.

Now a playbook runs without prompting for the sudo password:

ansible-playbook ./playbooks/apt.yml  -i ./inventory/hosts
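The key distribution and sudoers steps above, done once as a playbook rather than by hand on each server. This is an added example, not code from the original page or the wiki's playbooks: it assumes the key pair ~/.ssh/ansible-keys and the user logicmade from this section, a hypothetical controller_ip variable, and the ansible.posix collection (included in the ansible package installed above) for authorized_key.

```yaml
# Added example, not from the original page. Run it once with password
# authentication; afterwards the key and the NOPASSWD rule take over:
#   ansible-playbook -i inventory/hosts playbooks/bootstrap.yml \
#     --user logicmade --ask-pass --ask-become-pass
# Assumptions: key pair ~/.ssh/ansible-keys, user logicmade, and a
# hypothetical controller_ip. authorized_key is in the ansible.posix collection.
- name: Bootstrap key-based SSH and passwordless sudo for the automation user
  hosts: all
  become: true
  vars:
    automation_user: logicmade
    controller_ip: 192.168.1.5           # hypothetical address of the Ansible controller
  tasks:
    - name: Install the controller's public key, usable only from the controller
      ansible.posix.authorized_key:
        user: "{{ automation_user }}"
        key: "{{ lookup('file', '~/.ssh/ansible-keys.pub') }}"
        key_options: 'from="{{ controller_ip }}"'   # sshd rejects this key from any other source
        state: present

    - name: Grant passwordless sudo via a drop-in that visudo checks before install
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ automation_user }}"
        content: "{{ automation_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"                       # sudo ignores drop-ins with loose permissions
        validate: /usr/sbin/visudo -cf %s  # a syntax error fails the task instead of breaking sudo

    - name: Confirm sudo works for the user without a password
      ansible.builtin.command: sudo -n true
      become: false                        # run as the login user, not as root
      changed_when: false
```

The from= option ties the key to the controller's address, so a copy of the private key taken elsewhere is useless against these nodes; validate: makes Ansible refuse to install a malformed sudoers file, which is the same protection visudo -f gives when editing by hand. After the run, ansible all -i inventory/hosts -m ping should succeed with no password prompts when the inventory sets ansible_ssh_private_key_file as shown above.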

Tips

Vault

  • The vault password file must contain only the password: no blank lines.
  • Avoid special characters such as + in the vault password, or quote them carefully when writing the password file; they are easy to mangle in the shell.
  • A vault file listed under vars_files is resolved relative to the playbook's directory.

For example, with this layout:

/playbooks/test.yml
/aws_vault.yml

the playbook references the vault as ../aws_vault.yml:

- name: Show AWS key from vault
  hosts: localhost
  gather_facts: false

  vars_files:
    - ../aws_vault.yml

  tasks:
    - name: Display the AWS Access Key ID
      debug:
        msg: "aws_access_key_id = {{ aws_access_key_id }}"

A debug task like this prints the secret to the console and into any log; use it only to check that the vault decrypts, and put no_log: true on real tasks that handle the value.

Create Vault

ansible-vault create  group_vars/all/vault.yml

Edit Vault

ansible-vault edit  group_vars/all/vault.yml

Verify the vault file

ansible all -i inventory/hosts -m debug -a "var=aws_access_key_id" --ask-vault-pass

aws_access_key_id is a variable defined in the vault; this prints its value for every host, so use it only to check that the vault decrypts.

Vault Password File

Choose a location outside your repository, so the file can never be committed, e.g.:

mkdir -p ~/.ansible
echo "MySuperSecretVaultPassword" > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass

Two caveats: echo leaves the password in your shell history, so prefer entering it with read -s or generating it from a random source; and with the default umask the file is world-readable until chmod runs, so set umask 077 first (or create the file with the right mode in one step).

Create vault with password file

ansible-vault create playbooks/vault_aws.yml --vault-password-file ~/.ansible/.vault_pass

Run your playbook using the password file

ansible-playbook -i inventory/hosts playbooks/install_aws.yml \
 --vault-password-file ~/.ansible/.vault_pass
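A playbook that consumes the vaulted variables without exposing them, as the install_aws.yml above presumably does. This is an added example, not the wiki's install_aws.yml: it assumes playbooks/vault_aws.yml defines aws_access_key_id (from the page) and additionally aws_secret_access_key, and the profile name and file name are assumptions.

```yaml
# Added example, not from the original page. Assumes playbooks/vault_aws.yml
# (created above) defines aws_access_key_id and, additionally,
# aws_secret_access_key; aws_profile_name is a hypothetical variable.
# Run:  ansible-playbook -i inventory/hosts playbooks/write_aws_credentials.yml \
#         --vault-password-file ~/.ansible/.vault_pass
- name: Write AWS credentials from the vault without leaking them into logs
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault_aws.yml                      # resolved relative to the playbook's directory
  vars:
    aws_profile_name: automation
    aws_dir: "{{ lookup('env', 'HOME') }}/.aws"
  tasks:
    - name: Fail early if the vault did not supply both values
      ansible.builtin.assert:
        that:
          - aws_access_key_id is defined
          - aws_secret_access_key is defined
        quiet: true

    - name: Ensure ~/.aws exists and is private
      ansible.builtin.file:
        path: "{{ aws_dir }}"
        state: directory
        mode: "0700"

    - name: Write the credentials file with owner-only permissions
      ansible.builtin.copy:
        dest: "{{ aws_dir }}/credentials"
        content: |
          [{{ aws_profile_name }}]
          aws_access_key_id = {{ aws_access_key_id }}
          aws_secret_access_key = {{ aws_secret_access_key }}
        mode: "0600"
      no_log: true                         # keeps the rendered secret out of -v output and logs

    - name: Print only a non-secret confirmation
      ansible.builtin.debug:
        msg: "Wrote profile {{ aws_profile_name }}; access key id ends in {{ aws_access_key_id[-4:] }}"
```

no_log: true is the important line: without it, -v or --diff output and any log file would contain the rendered credentials file. The copy task replaces the whole credentials file; if other profiles already live there, manage just one section with community.general.ini_file instead.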