Ansible: Including non-managed systems into the configuration - ansible

I'm writing an Ansible playbook, that sets up systems, where in certain configurations, some systems might be provided by another organization. A very simple example:
Inventory:
An app server
A db server
Playbook:
Setup up both servers, and add application.properties file to app server with IP, port and user/pass of the db server.
Works so far, but then a requirement comes, that in some deployments the DB server is provided by another organization, so I can't include it in inventory, as the setup step fails, yet I still want to generate the properties file for the app server (with db server info I get from other people).
What would be the least painful solution that would cover both scenarios (my own db server and provided db server), considering there's 6 such server types, not just 2 (so not just 2 different scenarios, there are many permutations of which server is provided for me and which is mine).
Edit:
To be more specific, the problem I have is that if I use vars when a system is not mine and facts when it is mine, then I have problems writing application.properties.j2 template, since facts and vars are referenced differently. How would use var in a template, but use a fact if var isn't defined?

I assume you have an inventory file per deployment. So an inventory file might look like this:
[app]
an-app.server
[db]
a-db.server
[deploymentA:children]
app
db
[deploymentA:vars]
db_ip=foo
dp_port=foo
db_user=foo
db_pass=foo
The deploymentA:vars you probably would store as group_vars/deploymentA but for simplicity I just put it into the inventory.
Now the playbook:
- hosts: db
roles:
- setup-db-server
- hosts: app
roles:
- setup-app-server
In a deployment where the db server is not managed by yourself, you simply would not have a db server defined in your inventory. The group db would be empty. In that case the first play will simply print "no hosts matched" or something like that and proceed to the next play.
In a deployment where the db server is managed by you, the role setup-db-server will be run and you can use the deploymentA:vars for configuration.
In your app play you have the deploymentA:vars no matter if the host is yours or not and can roll out the application.properties file.

Related

Manage custom, machine specific configuration files in Salt

I am relatively new to Configuration Management tools for big infrastructure. The company will be using Salt for Linux and Windows, but I guess the question does not relate to specific tool.
The thing I don't get is, let's imagine we have 30 machines in cloud and couple of custom services installed for each of them. Versions can be different, depending on customer subscription. And each service has a config file that can have machine specific data. How you update config files for those services using Salt, or Puppet, Chef, Ansible kind of tools.
I don't know about Salt but in general in Configuration Management tools there is groups of hosts for several machines with the same configuration, templates and variables for customization for each machine
for example you can specify variable port=8888 for host1 and port=9999 for host2 but nginx-template will be something like this:
server {
listen {{port}};
}
for the both servers.
The same idea with machine specific data example(ansible):
- name: start container with mon
docker:
name: test-mongo
state: reloaded
image: mongo
when: master_ip == ansible_default_ipv4.address
where master_ip is my variable and ansible_default_ipv4.address is ip which ansible was connected to this host.
Hope this helps.
With Chef you would use an Erb template for the config and interpolate based on node attributes in most cases. Those might be set directly on the node itself, or you could make a role per customer and set customer-specific attribute data in there.

Manage pairs of servers with Ansible

My setup contains "pairs of servers" in the sense that every "instance" of my service consists of two servers (say database and web) on (usually) different hosts. That is, I don't have a single database server that many web servers talk to -- instead, each web server talks to its own database server. I want to manage multiple such pairs, but I don't know the best way to model the pairs using Ansible.
The main host organization tools in Ansible seem to be groups and roles. However, these only group together hosts of the same kind. I can use that to, for example, set up the necessary software on my database and web servers. However, I don't think I can use groups or roles to tell every web server to use exactly one of the database servers.
It also makes little sense to use an Ansible group to model one server pair, since I then cannot distinguish between the two different roles in these groups.
Although my setup consists of server pairs I'd also be interested in modeling multiple instances of n-to-m host relations (say n database servers and m web servers) in general.
You could just use ansible variables to provide the necessary links. E.g., in your inventory:
[webservers]
web0 dbserver=db0
web1 dbserver=db1
[dbservers]
db0
db1
Now, when running tasks on your web servers, you can simply refer to the dbserver variable to find the appropriate server. Assuming a standard naming scheme, you could automate this through the use of the set_fact module.
Update
You don't need to specify the links in both directions; you could use
something like this to find the webservers which should have access to
a given database server:
- name: allow access to webserver
command: >
iptables -A INPUT
-s {{hostvars[item].ansible_default_ipv4.address}}
with_items: "{{groups.webservers}}"
when: "hostvars[item].dbserver == {{inventory_hostname}}"
I ended up using the following approach: Each pair of servers gets their own group, and group variables are used to define which server runs on which host:
[test]
test-host
[test:vars]
web_server = test-host
db_server = test-host
[production]
web
db
[production:vars]
web_server = web
db_server = db
The tasks for web and database servers are then put into separate roles (web_server and db_server). I then switch between those roles based on the group variables:
- hosts: all
roles:
- { role: web_server, when: "web_server == inventory_hostname" }
- { role: db_server, when: "db_server == inventory_hostname" }
This setup allows me to easily define shared variables for roles and pairs, and it also allows me to easily target just one pair (via --limit).

Ansible Playbooks vs Roles

According to the Ansible docs, a Playbook
is:
...the basis for a really simple configuration management and multi-machine deployment system, unlike any that already exist, and one that is very well suited to deploying complex applications.
And, again, according to those same docs, a Role
are:
...ways of automatically loading certain vars_files, tasks, and handlers based on a known file structure. Grouping content by roles also allows easy sharing of roles with other users.
However the distinction between these and their different use cases is not immediately obvious to me. For instance, if I configure my /etc/ansible/hosts file to look like:
[databases]
mydb01.example.org
mydb02.example.org
[mail_servers]
mymail01.example.org
mymail_dr.example.org
...then what is this "[databases]" entry...a role? Or the name of a playbook YAML file somewhere? Or something else?!?
If someone could explain to me the differences on these, my understanding of Ansible would be greatly enhance!
Playbook vs Role vs [databases] and similar entries in /etc/ansible/hosts
If Playbooks are defined inside of YAML files, then where are Roles defined?
Aside from the ansible.cfg living on the Ansible server, how do I add/configure Ansible with available Playbooks/Roles? For instance, when I run ansible-playbook someplaybook.yaml, how does Ansible know where to find that playbook?
Playbook vs Role vs [databases] and similar entries in /etc/ansible/hosts
[databases] is a single name for a group of hosts. It allows you to reference multiple hosts by a single name.
Role is a set of tasks and additional files to configure host to serve for a certain role.
Playbook is a mapping between hosts and roles.
Example from documentation describes example project. It contains two things:
Playbooks. site.yml, webservers.yml, fooservers.yml are playbooks.
Roles: roles/common/ and roles/webservers/ contain definitions of common and webservers roles accordingly.
Inside playbook (webservers.yml) you have something like:
---
- hosts: webservers <- this group of hosts defined in /etc/ansible/hosts, databases and mail_servers in example from your question
roles: <- this is list of roles to assign to these hosts
- common
- webservers
If Playbooks are defined inside of YAML files, then where are Roles defined?
They are defined inside roles/* directories. Roles are defined mostly using YAML files, but can also contain resources of any types (files/, templates/). According to documentation role definition is structured this way:
If roles/x/tasks/main.yml exists, tasks listed therein will be added to the play
If roles/x/handlers/main.yml exists, handlers listed therein will be added to the play
If roles/x/vars/main.yml exists, variables listed therein will be added to the play
If roles/x/meta/main.yml exists, any role dependencies listed therein will be added to the list of roles (1.3 and later)
Any copy tasks can reference files in roles/x/files/ without having to path them relatively or absolutely
Any script tasks can reference scripts in roles/x/files/ without having to path them relatively or absolutely
Any template tasks can reference files in roles/x/templates/ without having to path them relatively or absolutely
Any include tasks can reference files in roles/x/tasks/ without having to path them relatively or absolutely
The most important file is roles/x/tasks/main.yml, here you define tasks, which will be executed, when role is executed.
Aside from the ansible.cfg living on the Ansible server, how do I add/configure Ansible with available Playbooks/Roles? For instance, when I run ansible-playbook someplaybook.yaml, how does Ansible know where to find that playbook?
$ ansible-playbook someplaybook.yaml
Will look for a playbook inside current directory.
$ ansible-playbook somedir/somedir/someplaybook.yaml
Will look for a playbook inside somedir/somedir/ directory.
It's your responsibility to put your project with all playbooks and roles on server. Ansible has nothing to do with that.
Playbook vs Role vs [databases] and similar entries in /etc/ansible/hosts
Roles are a way to group tasks together into one container. You could have a role for setting up MySQL, another one for setting up Postfix etc.
A playbook defines what is happening where. This is the place where you define the hosts (hostgroups, see below) and the roles which will be applied to those hosts.
[databases] and the other entries in your inventory are hostgroups. Hostgroups define a set of hosts a play will run on.
A play is a set of tasks or roles (or both) inside a playbook. In most cases (and examples) a playbook will contain only one single play. But you can have as many as you like. That means you could have a playbook which will run the role postfix on the hostgroup mail_servers and the role mysql on the hostgroup databases:
- hosts: mail_servers
roles:
- postfix
- hosts: databases
roles:
- mysql
If Playbooks are defined inside of YAML files, then where are Roles defined?
In Ansible pretty much everything is defined in YAML, that counts for roles and playbooks.
Aside from the ansible.cfg living on the Ansible server, how do I add/configure Ansible with available Playbooks/Roles? For instance, when I run ansible-playbook someplaybook.yaml, how does Ansible know where to find that playbook?
AFAIK you have to provide the path to the playbook when invoking ansible-playbook. So ansible-playbook someplaybook.yaml would expect someplaybook.yaml to be in you current directory. But you can provide the full path: ansible-playbook /path/to/someplaybook.yaml
It's a terminology/semantic question. It can be subjective, even though there is a baseline definition.
My view is as follows:
Any configuration management/deployment system has:
source data - data used to create target host's configuration
target data - data used to identify target hosts
config changes - list/set of rules/actions we apply with source data over target host based on target data
In Ansible terms:
source data - is the various places we can put data - group_vars, playbook vars, role vars, etc., These places affect precedence (if a variable named the same is re-defined in different locations, there are very specific rules of what would be the value of the variable during ansible/ansible-playbook execution
target data - is the inventory (And, It's also possible to define inventory/hostgroup variables inside inventory!)
config changes - ansible has 4 levels of abstraction for it:
task - single action
task list - list of actions
role - list of actions (or list of lists) grouped by the same 'subject', usually all targets are operating on the same host/hostgroup
playbook - list of plays, each operating on possibly different hostgroup, applying several roles/tasks/tasklists (and special tasks like handlers)
From 'software' aspect - role should be generic enough to be reused.
Also in some (rather big) organizations, 'roles' are shipped by group A, while used in playbooks maintained by group B.
summary
All the above allows grouping of similar configurations - into a role.
grouping related subsystems/components into one playbook.
Also, worth mentioning, 1 YAML item in a playbook (including hosts: and either or tasks, pre_tasks, post_tasks, roles) is called a play
Now for your question:
Yes, it is confusing at first.
You usually connect your source data to your role's semantics, so when you see that role setup_db is applied in a play onto related hostgroup (e.g. db_hosts)
But a play can be running over a union of several hostgroups.
It's just a matter of convention vs flexibility.
P.S.
Please write me back whether this added to the confusion, or clarified.
Thanks.
Simply put:
A playbook is like the main program, it contents complete instructions to finish the job. However, for big projects, it is not desirable to actually put every detail in it. So you need role.
A role is a subroutine and usually achieves one goal, e.g. setup a database server. You can put it in roles/ directory, or download 3rd party roles by providing URIs in rolesfile.yml and ask ansible-galaxy to download them for you.
The [database] is a host group defined in inventory file that lists hosts that belong to the database group. You can also specify a group of web servers by specifying something like
[web]
web1.example.com
web2.example.com
Group web or database can then be used in playbooks or roles to specify the hosts to apply.
The groups can also be used in command ansible to run ad-hoc commands.
Also keep in mind a playbook can call more than one role if a meta file is used that is intended to affect the different roles.
Example Playbook: dual_role-playbook.yml
- name: Some Action for two roles
hosts: localhost
vars_files:
- roles/dual_role/meta/main.yml
roles:
- dual_role/container-1
- dual_role/container-2
The role folder and files scheme will look like this:
dual_role-playbook.yml
-- roles
-- dual_role
-- meta/main.yml
-- container-1
-- tasks/main.yml
-- templates/template.j2
-- container-2
-- tasks/main.yml
-- templates/template.j2

ansible design help (servers, teams, roles, playbooks and more)

We are trying to design an Ansible system for our crew.
We have some open questions that cause us to stop and think and maybe hear other ideas.
The details:
4 development teams.
We hold CI servers, DB servers, and a personal virtual machine for each programer.
A new programer receives a clean VM and we would like to use Ansible to "prepare" it for him according to team he is about to join.
We also want to use Ansible for weekly updates (when needed) on some VMs - it might be for a whole team or for all our VMs.
Team A and Team B shares some of their needs (for example, they both use Django) but there are naturally applications that Team A uses and Team B does not.
What we have done:
We had old "maintenance" bash scripts that we translate to YAML scripts.
We grouped them into Ansible roles
We have an inventory file which contains group for each team and our servers:
`
[ALL:children]
Team A
Team B
...
[Team A]
...
[Team B]
...
[CIservers]
...
[DBservers]
...
We have large playbook that contains all our roles (with tag to each):
- hosts: ALL
roles:
- { role x, tags: 'x' }
- { role y, tags: 'y' }
...
We invoke Ansible like that:
ansible-playbook -i inventory -t TAG1,TAG2 -l TeamA play.yml
The Problems:
We have a feeling we are not using roles as we should. We ended up with roles like "mercurial" or "eclipse" that install and configure (add aliases, edit PATH, creates symbolic links, etc) and role for apt_packages (using apt module to install the packages we need) and role for pip_packages (using pip module to install the packages we need).
Some of our roles depends on other roles (we used the meta folder to declare those dependencies). Because our playbook contains all the roles we have, when we run it without tags (on a new programer VM for example) the roles that other roles depends on are running twice (or more) and it is a waste of time. We taught to remove the roles that other depends on from our playbook, but it is not a good solution because in this way we loose the ability to run that role by itself.
We are not sure how to continue from this point. Whether to yield roles dependencies and create playbooks that implement those dependencies by specify the roles in the right order.
Should we change our roles into something like TeamA or DBserver that will unite many of our current roles (in such case, how do we handle the common tasks between TeamA and TeamB and how do we handle the tasks that relevant only for TeamA?)
Well, that is about everything.
Thanks in advance!
Sorry for the late answer and I guess your team has probably figured out the solution by now. I suspect you'll have the standard ansible structure with group_vars, hosts_vars, a roles folder and a site.yml as outlines below
site.yml
group_vars
host_vars
roles
common
dbserver
ciserver
I suspect your team is attempting to link everything into a single site.yml file. This is fine for the common tasks which operate based on roles and tags. I suggest for those edge cases, you create a second or third playbook at the root level, which can be specific to a team or a weekly deployment. In this case, you can still keep the common tasks in the standard structure, but you are not complicating your tasks with all the meta stuff.
site.yml // the standard ansible way
teamb.yml // we need to do something slightly different
Again, as you spot better ways of implementing a task, the playbooks can be refactored and tasks moved from the specific files to the standard roles
Seems you are still trying to see whats the best way to use ansible when you have multiple teams which will work on the same and don't want to affect others task. Have a look at this boilerplate it might help.
If you look in that repo. You will see there are multiple roles and you can design the playbook as per your requirement.
Example:
- common.yml (This will be common between all the team)
- Else you can create using by teamname.yml or project.yml
If you use any of the above you just need to define the proper role in the playbook & it should associate with the right host & group vars.

Ansible ntp server + several clients deployment

I know this is kind of a newbie question but: How should I define my hosts file? if I want a NTP server and several clients and still have the ability to do common things to all the hosts?
I have, let's say, 10 servers. One of them will be the NTP server and the rest will sync against it. I could define my hosts file like:
[ntp-server]
hostA
[ntp-slaves]
hostB
hostC
hostD
...
[my_servers]
ntp-server
ntp-slaves
So, I can apply common config (ssh, iptables) to all of them. I can have other classifications like webservers, loadbalancers or any other. So, far I can't figure out how to solve this the "elegant" way.
Also, related to this, should I have two roles? (ntp_server, ntp_client) or a single one with differente behaviour if it's inside the client or server group?
Thank You
You're on the right track, but the correct syntax for my_servers is :
[my_servers:children]
ntp-server
ntp-slaves
Yes, Ansible needs a little help when building groups from other groups.
Note that you can combine [my_servers:children] (to add groups) and [my_servers] (to add hosts) in the same inventory file.

Resources