I've been trying to install NewRelic agent for PHP on Amazon Linux 2 the "ansible way", but I cannot get it to work with either rpm_key or yum_repository. I've also tried just copying the repo file to /etc/yum.repos.d/newrelic.repo, but it's supposed to use a GPG key and the only one I found is 548C16BF.gpg and at that point I felt this was getting too hacky.
My current setup is:
- name: add the new relic repository
  # noqa 303
  command: rpm -Uvh http://yum.newrelic.com/pub/newrelic/el5/x86_64/newrelic-repo-5-3.noarch.rpm
but that doesn't sit well with ansible-lint (hence the rule exception).
Am I missing something here or maybe my preconception of what the "ansible-way" would be is incorrect. Asking for a friend (with a lot of Ansible experience).
To add the GPG key:
- name: Adding RPM key
  rpm_key:
    state: present
    key: https://download.newrelic.com/548C16BF.gpg
and add the repository:
- name: Add repository
  yum_repository:
    name: newrelic
    description: Newrelic YUM repo
    # baseurl is the repository directory, not the release RPM inside it
    baseurl: http://yum.newrelic.com/pub/newrelic/el5/x86_64/
    # enforce package signature checks against the key imported above
    gpgcheck: true
Finally install the yum:
- name: install Newrelic
  yum:
    # PHP agent package shipped in the New Relic repository
    name: newrelic-php5
    state: present
Related
Before apt-key was deprecated, I was using Ansible playbooks to add and update keys in my servers. At the moment, apt-key no longer updates the keys. In a few searches, I found that I need to use gpg now. However, I have many servers and I don't want to do this manually for each one of them. Is there a way to manage my keyrings with gpg with Ansible?
Here are my Ansible tasks, with deprecated apt-key:
- apt_key:
    url: "https://packages.treasuredata.com/GPG-KEY-td-agent"
    state: present
- apt_repository:
    repo: "deb http://packages.treasuredata.com/3/ubuntu/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
    state: present
    filename: "treasure-data" # Name of the pre-compiled fluentd-agent
I tried apt-key update but it is not working for me. If a key already exists but it is expired, it doesn't update it anymore.
In short, you need to put the GPG keys in a modern format into a separate folder that is not searched by default, and point your repository configuration at it.
For reasoning why a separate folder, see: https://stackoverflow.com/a/71384057/8962143
You can verify whether you have the old ASCII GPG format or the newer binary GPG format via file:
# file elastic-old.gpg
elastic-old.gpg: PGP public key block Public-Key (old)
# file elastic.gpg
elastic.gpg: PGP/GPG key public ring (v4) created Mon Sep 16 17:07:54 2013 RSA (Encrypt or Sign) 2048 bits MPI=0xd70ed6cd267c5b3e...
If your key is the old format, you will need to de-armor it via gpg --dearmor elastic.gpg into the new binary format.
On Ubuntu 22.04, there's a folder you're expected to use that is not preloaded - /etc/apt/keyrings - or you can create your own directory and use that.
As for the Ansible part, you can use get_url or file to push the modern-format GPG key onto the system, and then use apt_repository like before to add the repo, with the addition of specifying the keyring.
- name: Add Example GPG key
  ansible.builtin.get_url:
    url: https://example.com/example.gpg
    # dest must be the same path that signed-by points at below
    dest: /etc/apt/keyrings/example.gpg
    mode: '0644'
    force: true
- name: Add Example repo
  ansible.builtin.apt_repository:
    filename: example-repo
    repo: 'deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/packages/8.x/apt stable main'
To expand a bit on #geerlingguy's comment regarding using the .asc extension, this is how I ended up adding the repository for Telegraf. Take note of the use of influxdb.asc in both the get_url and apt_repository tasks.
- name: Install InfluxDB key
  get_url:
    url: https://repos.influxdata.com/influxdb.key
    dest: /etc/apt/trusted.gpg.d/influxdb.asc
- name: Add InfluxDB repository
  apt_repository:
    repo: "deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.asc] https://repos.influxdata.com/debian stable main"
    state: present
    update_cache: yes
- name: Install telegraf
  package:
    name: telegraf
    state: present
You can completely bypass the gpg --dearmor step with this method.
Created a takeoff on the above contents that utilizes set_fact. Makes it easier to copy / paste to other needs using the same code.
Supply 3 vars and you're off and running. I've inserted the sm- prefix just so I can clearly see my script put them there and not any other process.
- set_fact:
    repoid: nginx
    repo_key_url: https://nginx.org/keys/nginx_signing.key
    repo_sources_list_url: "http://nginx.org/packages/ubuntu {{ os_release_name }} nginx"
- name: nginx repo - add gpg key as asc so apparmor fix not needed
  get_url:
    url: "{{ repo_key_url }}"
    dest: /etc/apt/keyrings/sm-{{ repoid }}.asc
    mode: '0644'
    force: true
- name: nginx repo - add to sources.list.d
  apt_repository:
    filename: sm-{{repoid}}-repository
    repo: 'deb [signed-by=/etc/apt/keyrings/sm-{{ repoid }}.asc] {{ repo_sources_list_url }}'
    state: present
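An added example, not taken from any of the answers above: a pre-flight check that catches the two failure modes this thread turns on, a key file whose extension does not match its content (.asc for ASCII-armored, .gpg for binary) and a signed-by path that differs from where the key was saved. The function names, paths and sample bytes are constructed for illustration, and it assumes signed-by holds a single file path.

```python
import re

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
SIGNED_BY = re.compile(r"\[[^\]]*\bsigned-by=([^\s\]]+)")


def key_format(data: bytes) -> str:
    """Return 'asc' for an ASCII-armored public key, 'gpg' for a binary one."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return "asc"
    if data and data[0] & 0x80:  # bit 7 is set on every OpenPGP packet header
        first = data[0]
        # Bit 6 selects the new header format; the tag sits in different bits.
        tag = (first & 0x3F) if (first & 0x40) else ((first & 0x3C) >> 2)
        if tag == 6:  # a public keyring opens with a Public-Key packet
            return "gpg"
    raise ValueError("downloaded file is not an OpenPGP public key")


def check_repo(repo_line: str, key_dest: str, key_bytes: bytes) -> list:
    """List mismatches between a deb line, the key path and the key content."""
    problems = []
    match = SIGNED_BY.search(repo_line)
    if match is None:
        problems.append("no signed-by option on the repo line")
    elif match.group(1) != key_dest:
        problems.append(f"signed-by={match.group(1)} but key saved to {key_dest}")
    try:
        fmt = key_format(key_bytes)
    except ValueError as exc:  # e.g. an HTML error page saved by the download
        return problems + [str(exc)]
    if not key_dest.endswith("." + fmt):
        problems.append(f"{key_dest} holds {fmt} data; extension should be .{fmt}")
    return problems


# Constructed sample inputs (not real keys).
ARMORED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n-----END PGP PUBLIC KEY BLOCK-----\n"
BINARY = b"\x99\x01\x0d\x04" + bytes(16)
REPO = "deb [signed-by=/etc/apt/keyrings/example.asc] https://example.com/apt stable main"

if __name__ == "__main__":
    for dest, blob in [("/etc/apt/keyrings/example.asc", ARMORED),
                       ("/etc/apt/keyrings/example.gpg", ARMORED),
                       ("/etc/apt/keyrings/example.asc", b"<html>404</html>")]:
        print(dest, check_repo(REPO, dest, blob) or "ok")
```

Run against the rendered task values in CI or in a pre-task, an empty list means the key path, extension and content agree.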
I'm trying to run a shell command to install a package downloaded from my local Artifactory repository, as I don't have access to download it straight from the internet.
When I run the command directly on the node as such
rpm -ivh kubectl-1.1.1.x86_64.rpm --nodigest --nofiledigest
It works perfectly.
But then put in Ansible playbook as such
- name: Install Kubectl
  shell: rpm -ivh kubectl-1.1.1.x86_64.rpm --nodigest --nofiledigest
Nothing happens.
It doesn't error.. It just doesn't install.
I've tried the command and ansible.builtin.shell module as well, but nothing works.
Is there a way to do this please?
There are different topics in your question.
Regarding
to install a package downloaded from my local Artifactory repository, as I don't have access to download it straight from the internet.
you can use different approaches.
1. Direct download
- name: Make sure package becomes installed from internal repository
  yum:
    name: https://{{ REPOSITORY_URL }}/artifactory/kube/kubectl-{{ KUBE_VERSION }}.x86_64.rpm
    state: present
2. Configure local repository
The next one is to provide a .repo template file like
[KUBE]
name = Kubectl - $basearch
baseurl = https://{{ REPOSITORY_URL }}/artifactory/kube/
username = {{ API_USER }}
password = {{ API_KEY }}
sslverify = 1
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-KUBE
and to perform
- name: Make sure package becomes installed from internal repository
  yum:
    name: kubectl
    state: present
This is possible because JFrog Artifactory can provide local RPM repositories if configured correctly. For more information you can research the documentation there, since it is almost only about proper configuration.
Regarding
Nothing happens. It doesn't error.. It just doesn't install.
you can use several tasks to split up your steps, make them idempotent and get a better insight into how they are working.
3. shell, rpm and debug
- name: Make sure destination folder for package download (/opt/packages) exists
  file:
    path: "/opt/packages/"
    state: directory
- name: Download RPM to remote hosts
  get_url:
    url: "https://{{ REPOSITORY_URL }}/artifactory/kube/kubectl-{{ KUBE_VERSION }}.x86_64.rpm"
    dest: "/opt/packages/kubectl-{{ KUBE_VERSION }}.x86_64.rpm"
- name: Check package content
  shell:
    cmd: "rpm -qlp /opt/packages/kubectl-{{ KUBE_VERSION }}.x86_64.rpm"
  register: rpm_qlp
- name: STDOUT rpm_qlp
  debug:
    msg: "{{ rpm_qlp.stdout.split('\n')[:-1] }}"
# The task name is quoted because it contains ": ", which YAML would otherwise read as a mapping
- name: "Install RPM using 'command: rpm -ivh'"
  shell:
    cmd: "rpm -ivh /opt/packages/kubectl-{{ KUBE_VERSION }}.x86_64.rpm"
  register: rpm_ivh
- name: STDOUT rpm_ivh
  debug:
    msg: "{{ rpm_ivh.stdout.split('\n')[:-1] }}"
Depending on the RPM package, environment and configuration, all may just work good.
Try using the command module and register the output. I use it to install oci8 by pecl for Oracle Database on Linux.
This is the puppet code managing a service:
class fred::service {
  service { 'bob':
    enable  => true,
    ensure  => 'running',
    require => Package['bob-5.4']
  }
}
My translation in Ansible role
---
- name: check bob
  service:
    name: bob
    enabled: true
    state: running
  package:
    name: bob-5.4
    state: present
My question is:
Is the translation correct?
I am told package comes before service?
Do I require package:
The order is incorrect. You should first attempt to install the package. It will automatically skip this (resulting in ok) if the package is already present.
When checking if the service is running, state: running is not valid in Ansible, it should be state: started.
- name: Install package
  apt:
    name: bob-5.4
    state: present
- name: Check if service is running
  service:
    name: bob
    state: started
    enabled: yes
Depending on what you install the package with, this may require a little modification (package or yum instead of apt for example).
Reference for apt in Ansible
Reference for package in Ansible
Reference for yum in Ansible
Hi, I am new to Ansible. I have to deploy nodejs12.8.4, SSL and nginx latest to an Ubuntu 20.04 server. Can someone guide me on how to do it? Thank you.
this is my yml file:
- hosts: all
  become: true
  tasks:
    - name: install nodejs prerequisites
      apt:
        name:
          - apt-transport-https
          - gcc
          - g++
          - make
        state: present
    - name: add nodejs apt key
      apt_key:
        url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
        state: present
    - name: add nodejs repository
      apt_repository:
        repo: deb https://deb.nodesource.com/node_12.x {{ ansible_lsb.codename }} main
        state: present
        update_cache: yes
    - name: install nodejs
      apt:
        name: nodejs
        state: present
It installs nodejs 12. Now I want to install nginx in the same file. How do I add a new task?
Try Ansible NGINX Role. See details at Github.
Q: "I want to install Nginx in the same file how I add a new task?"
A: Include the role
- include_role:
    name: nginx
Download the role. See Roles and Using Roles in particular.
I have a number of different Centos7 servers running. I like to use ansible to update them all at once.
As one of my servers has an additional repository enabled, which I do not want to update. I've added to the playbook the option to disable this repo. This works as expected.
However, on my other servers, I did not install and enable this repo. When using the disablerepo in my ansible playbook, I get an error: repository not found.
How do I solve this in the ansible-playbook? Is it possible to add a condition like, if repo installed; then disablerepo; else do nothing?
Is it possible to ignore these errors?
ansible-playbook:
---
- hosts: [all]
  tasks:
    - name: update all packages to latest version
      yum:
        name: '*'
        state: latest
        disablerepo: sernet-samba-4.2
You can put ignore_errors: yes as in the link from the comment, or you can put when, so it runs only if a certain package is installed. Sure, you have to register them to variables first. I'm thinking something like:
- name: check if installed
  # rpm -q exits 0 when the package is installed and non-zero otherwise
  command: rpm -q sernet-samba-4.2
  register: is_installed
  failed_when: false
  changed_when: false
- name: update all packages to latest version
  yum:
    name: '*'
    state: latest
    disablerepo: sernet-samba-4.2
  when: is_installed.rc == 0
Warning: Untested.
After a day of research in internet and experiments finally found a solution that worked. Try to use wildcard.. then it will not fail when repo is missing.
- yum:
    name: '*'
    state: latest
    disablerepo: sernet-samba*