How to repeatedly/automatically set up the Ansible server itself - ansible

I'm setting up an Ansible server and I have a basic question.
What is the best practice regarding setting up the first Ansible server itself? (Installing a specific version of Python, Ansible, etc.)
The Ansible server is used to set up other non-Ansible (and Ansible) servers,
but the first/root Ansible server can't be helped by any Ansible server.
I'm writing a shell script just for the first one, but I feel like I'm back in the early 2000s.

You can get all the information you require to set up Ansible at the links below:
WATCH ANSIBLE QUICK START VIDEO
HOW ANSIBLE WORKS
DOWNLOAD ANSIBLE

I struggled with the same issue. I solved it in the following way:
1. Set up the first server manually (bear with me!) as a bare Ansible control server.
2. Create a second server with only the OS, no Ansible yet.
3. Write scripts on the first server to build up the second server into a fully specced Ansible control server. I did need to have an extra (shell) script that installs the required Galaxy roles. You can use Ansible to have those roles automatically installed on the second server.
4. On the second server, pull the scripts (your Ansible scripts are in version control, right?) and use them to keep the first server up to date.
5. Switch regularly between using the first and the second server as the Ansible control server.
Yes, this does indeed add overhead (extra server, extra switching). But this way you make sure that when both servers die, you only need to have a first simple server with a bare Ansible, which can then either build up itself or a second server.
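One way to express step 3 as a playbook rather than a shell script, so the same file can be pulled onto the second server and run against the first. This is an added example, not the answer author's code; the venv path, the pinned ansible-core version, the Debian/Ubuntu package names and the presence of a requirements.yml next to the playbook are all assumptions:

```yaml
# control-node.yml (added example, not from the answer above)
# Run on a server that already has a bare Ansible:
#   ansible-playbook -i localhost, -c local control-node.yml
# Assumed: Debian/Ubuntu host, venv at /opt/ansible-venv, a requirements.yml
# in the same repository listing the Galaxy roles/collections you depend on.
- name: Build a fully specced Ansible control node from a bare one
  hosts: localhost
  connection: local
  become: true
  vars:
    ansible_venv: /opt/ansible-venv
    ansible_core_version: "2.16.5"   # assumed pin; choose and review your own
  tasks:
    - name: Install the OS packages needed for an isolated Python venv and git
      ansible.builtin.apt:
        name: [python3, python3-venv, git]
        state: present
        update_cache: true

    - name: Install a pinned ansible-core into its own venv (not the system Python)
      ansible.builtin.pip:
        name: "ansible-core=={{ ansible_core_version }}"
        virtualenv: "{{ ansible_venv }}"
        virtualenv_command: python3 -m venv

    - name: Install the Galaxy roles/collections from the versioned requirements file
      ansible.builtin.command:
        cmd: "{{ ansible_venv }}/bin/ansible-galaxy install -r requirements.yml"
        chdir: "{{ playbook_dir }}"
      register: galaxy
      # ansible-galaxy prints "... was installed successfully" only for new installs
      changed_when: "'was installed successfully' in galaxy.stdout"

    - name: Record the resulting toolchain version for the run log
      ansible.builtin.command:
        cmd: "{{ ansible_venv }}/bin/ansible --version"
      register: toolchain
      changed_when: false

    - name: Show the version that was installed
      ansible.builtin.debug:
        msg: "{{ toolchain.stdout_lines[0] }}"
```

Keeping Ansible in a venv with a pinned version means both control servers converge to the same toolchain regardless of which one built the other, and the bare bootstrap script only ever has to get a single working Ansible onto the box.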

Related

Ansible to run playbooks from github

I manage MapR based large scale infrastructure running on on-prem DCs. As part of configuration management enhancement we have written several playbooks and keep everything in GitHub. Now I don't want anyone to download/clone those repos locally to Ansible client nodes and run them from there. Is there a way where I can run playbooks from Ansible without downloading to the local machine? So basically what I want is a script/playbook where I pass which playbook to run, and it should download that playbook and run it locally.
You're looking for some web interface where users will simply run your tasks, and in the background it will execute Ansible.
There are many methods to achieve what you need, however most likely you're looking for one of these:
AWX project - the official Ansible web interface
Jenkins or Rundeck - more bloated software in which you can create your own "jobs" for users to interact with, create CI/CD flows and cron tasks to run any time you need.
You can also look into workflow automation, such as Airflow.
There are alternatives to all the mentions I put, so be sure to check everything when deciding what you need.

Deployment with Ansible from Gitlab CI, dealing with passwords

I'm trying to achieve a "password-free" deployment workflow using GitLab CI and Ansible.
Some steps do require a password (I'm already using SSH keys whenever I can) so I've stored those passwords inside an Ansible Vault. Next, I would just need to provide the Vault password when running the playbook.
But how could I integrate this nicely with GitLab CI?
May I register a gitlab-ci job (or are jobs suitable for builds only?) which just runs the playbook, providing the vault password somehow? Can this be achieved without a password lying around in plain text?
Also, I would be really happy if someone could point me to some material that shows how we can deploy builds using Ansible. As you can notice, I've definitively found nothing about that.
You can set an environment variable in GitLab CI which would hold the Ansible Vault password. In my example I called it $ANSIBLE_VAULT_PASSWORD.
Here is the example for .gitlab-ci.yml:
deploy:
  only:
    - master
  script:
    - echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt
    # the playbook argument was missing from the original command; ansible/site.yml is a placeholder
    - ansible-playbook -i ansible/staging.yml --vault-password-file .vault_password.txt ansible/site.yml
Hope this trick helps you out.
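A variation of the same trick that avoids writing the vault password into the job workspace at all, where a later artifact or cache step could pick it up. Ansible treats an executable given to --vault-password-file (or ANSIBLE_VAULT_PASSWORD_FILE) as a script and reads the password from its stdout, so a two-line committed script can hand over the CI variable without the secret ever touching disk. This is an added example, not the answer author's configuration; the script path, the inventory and playbook names and the stage name are assumptions:

```yaml
# .gitlab-ci.yml (added example, not from the answer above)
#
# Assumed committed helper, ansible/vault-pass.sh (no secret inside it, so it is
# safe in source control):
#   #!/bin/sh
#   printf '%s' "$ANSIBLE_VAULT_PASSWORD"
#
# In GitLab, define ANSIBLE_VAULT_PASSWORD under Settings > CI/CD > Variables
# with "Mask variable" and "Protect variable" enabled, so it is redacted from
# job logs and only exposed on protected branches such as master.
deploy:
  stage: deploy                                  # assumed stage name
  only:
    - master
  variables:
    # Ansible runs this file because it is executable and uses its stdout;
    # nothing is written to the checkout, so caches/artifacts cannot leak it.
    ANSIBLE_VAULT_PASSWORD_FILE: ansible/vault-pass.sh
    ANSIBLE_NOCOLOR: "1"
  before_script:
    - chmod 0700 ansible/vault-pass.sh
    - test -n "$ANSIBLE_VAULT_PASSWORD" || { echo "vault password variable not set"; exit 1; }
  script:
    - ansible-playbook -i ansible/staging.yml ansible/site.yml   # assumed paths
  after_script:
    # Belt and braces: make sure no stray password file from an older job layout survives.
    - rm -f .vault_password.txt
```

Inside the playbook, any task that handles the decrypted value (for example a template that renders a database password) should carry no_log: true so the plain text cannot appear in the job output even with -v, which matters more than usual here because GitLab keeps job logs.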
I'm not super familiar with gitlab ci, or ansible vault for that matter, but one strategy that I prefer for this kind of situation is to create a single, isolated, secure, and durable place where your password or other secrets exist. A private s3 bucket, for example. Then, give your build box or build cluster explicit access to that secure place. Of course, you'll then want to make sure your build box or cluster are also locked down, such as within a vpc that isn't publicly accessible and can only be accessed via vpn or other very secure means.
The idea is to give the machines that need your password explicit knowledge of where to get it AND separately the permission & access they need to get it. The former does not have to be a secret (so it can exist in source control) but the latter is virtually impossible to attain without compromising the entire system, at which point you're already boned anyway.
So, more specifically, the machine that runs ansible could be inside the secure cluster. It knows how to access the password. It has permission to do so. So, it can simply get the pw, store as a variable, and use it to access secure resources as it runs. You'll want to be careful not to leak the password in the process (like piping ansible logs with the pw to somewhere outside the cluster, or even anywhere perhaps). If you want to kick off the ansible script from outside the cluster, then you would vpn in to run the ansible playbook on the remote machine.

What happens if Ansible fails on a couple of servers

I have a lot of servers and I want to use Ansible to manage all of them. The problem is: what will happen if a configuration with Ansible fails on some servers? Will the Ansible server automatically push the modification again? Also, if a machine is shut down, will Ansible execute the script when the server is back on?
Example :
[servers]
server1
server2
....
server1000
Servers 50, 51 and 52 are shut down. Should I manually execute Ansible for these servers when they are online again, or does Ansible do it automatically?
I hope you understand me
Thanks
Regards
No. Ansible does not automatically re-run playbooks for you.
However, you could set up your playbooks on a cron job. This way, when the servers come back online, they will receive the Ansible run.
Another approach could be inverting the normal "push" behavior with ansible-pull: http://docs.ansible.com/ansible/playbooks_intro.html#ansible-pull This way, when the hosts come online, they run the Ansible stuff on their own.

How to use Ansible to ensure server maintains specified state?

I know Puppet can be used to keep the server in the consistent state. So for instance if someone else (perfectly legally) created a new user "bob", Puppet would spot this is not how the specification should be and then delete user "bob".
Is there a similar way to do this in Ansible?
By default Ansible is designed to work in "push" mode, i.e. you actively send instructions to servers to do something.
However, Ansible also has the ansible-pull command. I'm quoting from http://docs.ansible.com/playbooks_intro.html#ansible-pull
Ansible-Pull
Should you want to invert the architecture of Ansible, so that nodes check in to a central location, instead of pushing configuration out to them, you can.
Ansible-pull is a small script that will checkout a repo of configuration instructions from git, and then run ansible-playbook against that content.
Assuming you load balance your checkout location, ansible-pull scales essentially infinitely.
Run ansible-pull --help for details.
There's also a clever playbook available to configure ansible-pull via a crontab from push mode.
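The two answers above (cron-driven ansible-pull for hosts that were offline, and enforcing a declared state the way Puppet does) fit into one playbook: each node pulls it on a schedule, it re-creates the users that should exist, removes any interactive account the specification does not list, and maintains its own cron entry so the pull keeps happening. This is an added example, not the answer author's or the Ansible project's code; the repository URL, the user lists, the log path and the 15-minute schedule are assumptions:

```yaml
# local.yml (added example, not from the answers above)
# Each node runs this itself, e.g. once seeded with:
#   ansible-pull -U https://git.example.com/ops/config.git -o local.yml
# -o (--only-if-changed) makes ansible-pull skip the run when the repo is unchanged.
# Assumed: repo URL, the managed/protected user lists, /var/log/ansible-pull.log.
- name: Converge this host to its declared state
  hosts: localhost
  connection: local
  become: true
  vars:
    config_repo: https://git.example.com/ops/config.git   # assumed
    managed_users:            # the only human accounts allowed on this host
      - alice
      - carol
    protected_users:          # never touched, even though their uid is >= 1000
      - ubuntu                # assumed cloud-image default account
  tasks:
    - name: Ensure the declared users exist
      ansible.builtin.user:
        name: "{{ item }}"
        state: present
        shell: /bin/bash
      loop: "{{ managed_users }}"

    - name: Read the local account database (sets the getent_passwd fact)
      ansible.builtin.getent:
        database: passwd

    # getent_passwd maps name -> [password, uid, gid, gecos, home, shell],
    # so value[1] is the uid. Interactive accounts start at uid 1000 on most
    # distributions; 65534 is "nobody" and is skipped explicitly.
    - name: Remove any interactive account that is not in the specification
      ansible.builtin.user:
        name: "{{ item.key }}"
        state: absent
        remove: true           # also removes the home directory and mail spool
      loop: "{{ getent_passwd | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when:
        - item.value[1] | int >= 1000
        - item.value[1] | int != 65534
        - item.key not in managed_users
        - item.key not in protected_users

    - name: Keep this host pulling its configuration every 15 minutes
      ansible.builtin.cron:
        name: ansible-pull
        user: root
        minute: "*/15"
        job: >-
          /usr/bin/ansible-pull -U {{ config_repo }} -o local.yml
          >> /var/log/ansible-pull.log 2>&1
```

Because the removal task is destructive, run it against a host with --check --diff before enabling the cron entry, and review the labels it prints; the protected_users list is the place to whitelist accounts that legitimately exist outside the specification (service accounts created by packages usually have uids below 1000 and are not touched).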

Is it ok to use ansible for deployment of apps instead of make files

I have recently started using Ansible for configuration management of Linux servers.
My habit is that if I learn one tool then I try to use it as much as possible.
Initially, for my PHP web apps I had a long Makefile which used to download and install packages, make php.ini file changes, extract zip files, copy files between folders etc. to deploy my application in an automated way.
Now I am thinking of converting that Makefile deployment to Ansible, because then I can arrange separate yml files for separate areas rather than one big Makefile for the whole project.
I want to know whether it is a good idea to use Ansible for that, or whether a Makefile is better for that.
Sure, Ansible is great for that. You can separate all your different steps into different playbooks that are defined by YAML files.
You can define common tasks and then include them in your specific playbooks.
You can also make use of Ansible roles to create a complete set of playbooks depending on the role of the server. For example, one set of servers' role could be webservers and another set of servers' role could be databases.
You can find more info on roles here: http://docs.ansible.com/playbooks_roles.html
There are also a few modules out there on the web that you can use to get started, and you can also use Ansible Galaxy to import roles.
Of course, you can accomplish the same by breaking down your Makefile, but maybe you want to learn a new tool.
Hope it helps.
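What the Makefile steps from the question look like once moved into a playbook: package install, php.ini changes, fetching and unpacking a release archive, copying config, and switching the live directory, with each step idempotent and a checksum on the download. This is an added example, not the answer author's code; the release URL and digest, the paths, the PHP version and the service name are assumptions:

```yaml
# deploy-php-app.yml (added example, not from the answer above)
# Replaces the Makefile targets: install packages, edit php.ini, download and
# extract the zip, copy files, then switch the "current" symlink atomically.
# Assumed: hosts group "webservers", release URL, checksum, PHP 8.2 on Debian/Ubuntu.
- name: Deploy the PHP application
  hosts: webservers
  become: true
  vars:
    app_version: "1.4.2"                                      # assumed
    app_url: "https://releases.example.com/app-{{ app_version }}.zip"
    app_checksum: "sha256:REPLACE_WITH_REAL_DIGEST"           # placeholder
    app_root: /srv/app
    php_ini: /etc/php/8.2/fpm/php.ini                         # assumed path
  tasks:
    - name: Install the web stack packages
      ansible.builtin.apt:
        name: [php-fpm, php-mysql, nginx, unzip]
        state: present
        update_cache: true

    - name: Apply php.ini settings (replaces the sed lines of the Makefile)
      ansible.builtin.lineinfile:
        path: "{{ php_ini }}"
        regexp: '^;?\s*{{ item.key }}\s*='
        line: "{{ item.key }} = {{ item.value }}"
      loop:
        - { key: expose_php, value: "Off" }
        - { key: display_errors, value: "Off" }
        - { key: allow_url_fopen, value: "Off" }
      notify: Restart php-fpm

    - name: Download the release archive and verify its checksum
      ansible.builtin.get_url:
        url: "{{ app_url }}"
        dest: "/tmp/app-{{ app_version }}.zip"
        checksum: "{{ app_checksum }}"
        mode: "0644"

    - name: Create a versioned release directory
      ansible.builtin.file:
        path: "{{ app_root }}/releases/{{ app_version }}"
        state: directory
        owner: www-data
        group: www-data
        mode: "0755"

    - name: Extract the archive on the target host
      ansible.builtin.unarchive:
        src: "/tmp/app-{{ app_version }}.zip"
        dest: "{{ app_root }}/releases/{{ app_version }}"
        remote_src: true
        owner: www-data
        group: www-data

    - name: Render the environment-specific config (replaces the copy step)
      ansible.builtin.template:
        src: templates/config.php.j2          # assumed to live in the repo
        dest: "{{ app_root }}/releases/{{ app_version }}/config.php"
        owner: www-data
        group: www-data
        mode: "0640"

    - name: Point the live symlink at the new release (atomic switch, easy rollback)
      ansible.builtin.file:
        src: "{{ app_root }}/releases/{{ app_version }}"
        dest: "{{ app_root }}/current"
        state: link
      notify: Restart php-fpm

  handlers:
    - name: Restart php-fpm
      ansible.builtin.service:
        name: php8.2-fpm                      # assumed service name
        state: restarted
```

Compared with the Makefile, the gains are the ones the answer hints at: every task reports changed/ok so re-running is safe, the archive's digest is checked before anything is unpacked, and rolling back is re-pointing one symlink at the previous release directory rather than re-running a chain of shell commands.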
