ansible-playbook --extra-vars host array or single host - ansible

Can you pass a json array: --extra-vars "{server: [bo-121.q.net,mer-122.q.net,mer-123.q.net]}" to the host var? I want the playbook to work for one or many hosts.
It is my first-boot task, which runs on all hosts.
playbook yml:
- hosts: "$server"

If I understood the question correctly, I think you can accomplish this by giving host names or groups on the command line. E.g. if I want to deploy the staging server only:
ansible-playbook -i hosts.ini playbook.yml --limit staging
hosts.ini is
[default]
staging ansible_ssh_host=x.x.x.x ansible_ssh_user=x

ansible-playbook mesos.yml --extra-vars "cluster=mesos1"
mesos.yml
- hosts: '{{ cluster }}'
The group / host needs to be in your inventory file.

Related

Ansible control node - can it configure itself?

I'm just getting into using Ansible - please be patient if this question is misguided.
I have a handful of servers on a network, one of which I plan to setup as the control node (Rhel7.9). I would like to use ansible locally on that system to configure itself using a few playbooks of interest, and do this as a sort of test before rolling out to other systems. I'm in the process of setting up my ansible config and inventory - from everything I'm reading it makes it seem like ansible is designed to simply push configurations to managed nodes... rather than do a 1 time run for the machine you are on.
What if I would simply like to pull a playbook from ansible galaxy and run it locally on the control node?
Would this as simple as running:
ansible-playbook -i "localhost," -c local playbook.yml
Do I even need to setup inventory and config to do this for the machine I am on? Are there best practices I'm missing because of my noobity?
Thanks!
Q: "Pull a playbook from Ansible Galaxy and run it locally on the control node."
A: Yes. For example the playbook
shell> cat playbook.yml
- hosts: all
  gather_facts: false
  tasks:
    - debug:
        var: inventory_hostname
is as simple as running
shell> ansible-playbook playbook.yml -i localhost,
PLAY [all] **********************************************************************
TASK [debug] ********************************************************************
ok: [localhost] =>
inventory_hostname: localhost
...
Best practice
Review the playbook and make sure you understand what the playbook is going to configure.
Check the syntax first
shell> ansible-playbook playbook.yml -i localhost, --syntax-check
Dry run the playbook and show the changes
shell> ansible-playbook playbook.yml -i localhost, --check --diff
If you think all is right run the playbook
shell> ansible-playbook playbook.yml -i localhost,
Privilege escalation
Run Ansible as a user and become root. See the link above on how to do it. For example, edit the playbook
shell> cat playbook.yml
- hosts: localhost
  gather_facts: false
  become: true    # run the tasks as root through the configured become method (sudo by default)
  tasks:
    - command: ls -la /root/.ssh
      register: result
    - debug:
        var: result.stdout_lines

How can I run a playbook on a single host or a short list of hosts and get content from an inventory group the host is not part of?

I do have a playbook which takes a specific group and puts all hosts of this group into a command on another host.
To be more precise:
All hosts from the host group oldservers in my inventory file must be in the /etc/ssh.conf on one or multiple clients.
The task looks like this:
---
- name: echo Old Servers
  debug:
    var: groups["oldservers"]

# The algorithms enabled below are legacy and weak (1024-bit DH group,
# DSA host keys, CBC-mode cipher); the Host line scopes them to the
# oldservers group so they are never enabled for every connection.
- name: create ssh_conf_for_old_server
  blockinfile:
    path: /etc/ssh/ssh_config
    backup: True
    block: |
      Host {{ groups["oldservers"]|join(' ') }}
          user admin
          KexAlgorithms +diffie-hellman-group1-sha1
          HostKeyAlgorithms +ssh-dss
          Ciphers +aes128-cbc
This should be executed on a client which is not a member of the group servers.
hosts file (inventory):
[clients]
192.168.200.1
192.168.200.2
[oldservers]
192.168.201.1
192.168.201.2
My execution line is ansible-playbook -i 192.168.200.1, -u ansible ./createServerList.yml
I guess I should do it a bit differently. Don't I?
The result should be: at first, output all the oldservers (debug),
then write a block with these old servers into /etc/ssh/ssh_config.
For the command ansible-playbook -i 192.168.200.1 -u ansible ./createServerList.yml, you are passing the IP address directly as the inventory. Because of this, Ansible is unaware of the inventory file where the host groups are defined. So can you try running this instead: ansible-playbook -i <path_to_inventory_file> -u ansible ./createServerList.yml
And then, if you have to restrict the playbook to running only on certain hosts or a group, do
ansible-playbook -i <path_to_inventory_file> -u ansible ./createServerList.yml --limit "192.168.200.1,192.168.200.2"
OR
ansible-playbook -i <path_to_inventory_file> -u ansible ./createServerList.yml --limit clients

How do I access the argument as inventory in a playbook?

I'm passing the IP as parameter as mentioned here: https://stackoverflow.com/a/18255256/1784001
ansible-playbook roles/example/main.yml -i 127.0.0.1,
Is there any way to access the value for the inventory parameter, "127.0.0.1" in a playbook?
I checked the special variables, but I see no mention of it: https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html
In some of the tasks I need that value, for example creating backup directories, or scp-ing to the host.
inventory_hostname always contains the inventory hostname of the host the play is running on.
The parameter -i means "specify inventory host path or comma separated host list". Running the playbook main.yml
- hosts: all
  tasks:
    - debug: var=inventory_hostname
With the command
$ ansible-playbook -i 127.0.0.1, main.yml
gives
ok: [127.0.0.1] =>
inventory_hostname: 127.0.0.1

Ansible playbook run for the servers in the list

Quick question for Ansible gurus. I want to run an ansible playbook for a specific set of boxes that I copied to a list.txt, disregarding the inventory and the target block in the ansible playbook:
---
- name: Ansible Runbook v.1.0
  hosts: test1
  gather_facts: yes
  # serial: "10%"
When I am running the following command I am getting no hosts matched:
ansible-playbook playbook.yaml --tags "simplejson" -vvv -i /x/home/list.txt
PLAY [Ansible Runbook v.1.0] **************************************************
skipping: no hosts matched
$cat list.txt
hostname2b
Any ideas for a workaround ?
The reason for no host matching is that host test1, which is hardcoded in the playbook, is not present in the inventory file that you specified from the command line. The problem is that the ansible-playbook command does not accept any hosts parameter. So there is no direct way of getting around the hardcoded hosts test1.
However, there is a workaround for this as explained here. You can use a variable for hosts and specify all from command line for that variable. Something like this:
---
- name: Ansible Runbook v.1.0
  hosts: "{{ host_param }}"
  gather_facts: yes
Then pass that variable with extra-vars:
ansible-playbook playbook.yaml -i /x/home/list.txt --extra-vars="host_param=all" --tags "simplejson" -vvv

Safely limiting Ansible playbooks to a single machine?

I'm using Ansible for some simple user management tasks with a small group of computers. Currently, I have my playbooks set to hosts: all and my hosts file is just a single group with all machines listed:
# file: hosts
[office]
imac-1.local
imac-2.local
imac-3.local
I've found myself frequently having to target a single machine. The ansible-playbook command can limit plays like this:
ansible-playbook --limit imac-2.local user.yml
But that seems kind of fragile, especially for a potentially destructive playbook. Leaving out the limit flag means the playbook would be run everywhere. Since these tools only get used occasionally, it seems worth taking steps to foolproof playback so we don't accidentally nuke something months from now.
Is there a best practice for limiting playbook runs to a single machine? Ideally the playbooks should be harmless if some important detail was left out.
Turns out it is possible to enter a host name directly into the playbook, so running the playbook with hosts: imac-2.local will work fine. But it's kind of clunky.
A better solution might be defining the playbook's hosts using a variable, then passing in a specific host address via --extra-vars:
# file: user.yml (playbook)
---
- hosts: '{{ target }}'
  user: ...
Running the playbook:
ansible-playbook user.yml --extra-vars "target=imac-2.local"
If {{ target }} isn't defined, the playbook does nothing. A group from the hosts file can also be passed through if need be. Overall, this seems like a much safer way to construct a potentially destructive playbook.
Playbook targeting a single host:
$ ansible-playbook user.yml --extra-vars "target=imac-2.local" --list-hosts
playbook: user.yml
play #1 (imac-2.local): host count=1
imac-2.local
Playbook with a group of hosts:
$ ansible-playbook user.yml --extra-vars "target=office" --list-hosts
playbook: user.yml
play #1 (office): host count=3
imac-1.local
imac-2.local
imac-3.local
Forgetting to define hosts is safe!
$ ansible-playbook user.yml --list-hosts
playbook: user.yml
play #1 ({{target}}): host count=0
There's also a cute little trick that lets you specify a single host on the command line (or multiple hosts, I guess), without an intermediary inventory:
ansible-playbook -i "imac1-local," user.yml
Note the comma (,) at the end; this signals that it's a list, not a file.
Now, this won't protect you if you accidentally pass a real inventory file in, so it may not be a good solution to this specific problem. But it's a handy trick to know!
This approach will exit if more than a single host is provided by checking the play_hosts variable. The fail module is used to exit if the single host condition is not met. The examples below use a hosts file with two hosts alice and bob.
user.yml (playbook)
---
- hosts: all
  tasks:
    - name: Check for single host
      fail: msg="Single host check failed."
      # play_hosts is the list of hosts in the current play (newer Ansible also calls it ansible_play_hosts)
      when: play_hosts | length != 1
    - debug: msg='I got executed!'
Run playbook with no host filters
$ ansible-playbook user.yml
PLAY [all] ****************************************************************
TASK: [Check for single host] *********************************************
failed: [alice] => {"failed": true}
msg: Single host check failed.
failed: [bob] => {"failed": true}
msg: Single host check failed.
FATAL: all hosts have already failed -- aborting
Run playbook on single host
$ ansible-playbook user.yml --limit=alice
PLAY [all] ****************************************************************
TASK: [Check for single host] *********************************************
skipping: [alice]
TASK: [debug msg='I got executed!'] ***************************************
ok: [alice] => {
"msg": "I got executed!"
}
There's IMHO a more convenient way.
You can indeed interactively prompt the user for the machine(s) they want to apply it to by using vars_prompt:
---
- hosts: "{{ setupHosts }}"
  vars_prompt:
    - name: "setupHosts"
      prompt: "Which hosts would you like to setup?"
      private: false
  tasks:
    - shell: echo
A slightly different solution is to use the special variable ansible_limit which is the contents of the --limit CLI option for the current execution of Ansible.
- hosts: "{{ ansible_limit | default(omit) }}"
No need to define an extra variable here, just run the playbook with the --limit flag.
ansible-playbook --limit imac-2.local user.yml
To expand on joemailer's answer, if you want to have the pattern-matching ability to match any subset of remote machines (just as the ansible command does), but still want to make it very difficult to accidentally run the playbook on all machines, this is what I've come up with:
Same playbook as in the other answer:
# file: user.yml (playbook)
---
- hosts: '{{ target }}'
  user: ...
Let's have the following hosts:
imac-10.local
imac-11.local
imac-22.local
Now, to run the command on all devices, you have to explicitly set the target variable to "all"
ansible-playbook user.yml --extra-vars "target=all"
And to limit it down to a specific pattern, you can set target=pattern_here
or, alternatively, you can leave target=all and append the --limit argument, eg:
--limit imac-1*
i.e.
ansible-playbook user.yml --extra-vars "target=all" --limit imac-1* --list-hosts
which results in:
playbook: user.yml
play #1 (office): host count=2
imac-10.local
imac-11.local
I really don't understand how all the answers are so complicated, the way to do it is simply:
ansible-playbook user.yml -i hosts/hosts --limit imac-2.local --check
The check mode allows you to run in dry-run mode, without making any change.
AWS users using the EC2 External Inventory Script can simply filter by instance id:
ansible-playbook sample-playbook.yml --limit i-c98d5a71 --list-hosts
This works because the inventory script creates default groups.
Since version 1.7 ansible has the run_once option. Section also contains some discussion of various other techniques.
We have some generic playbooks that are usable by a large number of teams. We also have environment specific inventory files, that contain multiple group declarations.
To force someone calling a playbook to specify a group to run against, we seed a dummy entry at the top of the playbook:
[ansible-dummy-group]
dummy-server
We then include the following check as a first step in the shared playbook:
- hosts: all
  gather_facts: False
  run_once: true
  tasks:
    - fail:
        msg: "Please specify a group to run this playbook against"
      when: '"dummy-server" in ansible_play_batch'
If the dummy-server shows up in the list of hosts this playbook is scheduled to run against (ansible_play_batch), then the caller didn't specify a group and the playbook execution will fail.
This shows how to run the playbooks on the target server itself.
This is a bit trickier if you want to use a local connection. But this should be OK if you use a variable for the hosts setting and in the hosts file create a special entry for localhost.
In (all) playbooks have the hosts: line set to:
- hosts: "{{ target | default('no_hosts')}}"
In the inventory hosts file add an entry for the localhost which sets the connection to be local:
[localhost]
127.0.0.1 ansible_connection=local
Then on the command line run commands explicitly setting the target - for example:
$ ansible-playbook --extra-vars "target=localhost" test.yml
This will also work when using ansible-pull:
$ ansible-pull -U <git-repo-here> -d ~/ansible --extra-vars "target=localhost" test.yml
If you forget to set the variable on the command line the command will error safely (as long as you've not created a hosts group called 'no_hosts'!) with a warning of:
skipping: no hosts matched
And as mentioned above you can target a single machine (as long as it is in your hosts file) with:
$ ansible-playbook --extra-vars "target=server.domain" test.yml
or a group with something like:
$ ansible-playbook --extra-vars "target=web-servers" test.yml
I have a wrapper script called provision that forces you to choose the target, so I don't have to handle it elsewhere.
For those that are curious, I use ENV vars for options that my vagrantfile uses (adding the corresponding ansible arg for cloud systems) and let the rest of the ansible args pass through. Where I am creating and provisioning more than 10 servers at a time I include an auto retry on failed servers (as long as progress is being made - I found when creating 100 or so servers at a time often a few would fail the first time around).
echo 'Usage: [VAR=value] bin/provision [options] dev|all|TARGET|vagrant'
echo ' bootstrap - Bootstrap servers ssh port and initial security provisioning'
echo ' dev - Provision localhost for development and control'
echo ' TARGET - specify specific host or group of hosts'
echo ' all - provision all servers'
echo ' vagrant - Provision local vagrant machine (environment vars only)'
echo
echo 'Environment VARS'
echo ' BOOTSTRAP - use cloud providers default user settings if set'
echo ' TAGS - if TAGS env variable is set, then only tasks with these tags are run'
echo ' SKIP_TAGS - only run plays and tasks whose tags do not match these values'
echo ' START_AT_TASK - start the playbook at the task matching this name'
echo
ansible-playbook --help | sed -e '1d
s#=/etc/ansible/hosts# set by bin/provision argument#
/-k/s/$/ (use for fresh systems)/
/--tags/s/$/ (use TAGS var instead)/
/--skip-tags/s/$/ (use SKIP_TAGS var instead)/
/--start-at-task/s/$/ (use START_AT_TASK var instead)/
'
I would suggest using --limit <hostname or ip>
