How to use Ansible to ensure server maintains specified state? - ansible

I know Puppet can be used to keep a server in a consistent state. So for instance if someone else (perfectly legally) created a new user "bob", Puppet would spot that this is not what the specification says and then delete user "bob".
Is there a similar way to do this in Ansible?

By default Ansible is designed to work in "push" mode, i.e. you actively send instructions to servers to do something.
However, Ansible also has an ansible-pull command. I'm quoting from http://docs.ansible.com/playbooks_intro.html#ansible-pull
Ansible-Pull
Should you want to invert the architecture of Ansible, so that nodes
check in to a central location, instead of pushing configuration out
to them, you can.
Ansible-pull is a small script that will checkout a repo of
configuration instructions from git, and then run ansible-playbook
against that content.
Assuming you load balance your checkout location, ansible-pull scales
essentially infinitely.
Run ansible-pull --help for details.
There’s also a clever playbook available to configure
ansible-pull via a crontab from push mode.

Ansible to run playbooks from github

I manage a large-scale MapR-based infrastructure running in on-prem DCs. As part of a configuration management enhancement we have written several playbooks and keep everything in GitHub. Now I don't want anyone to download/clone those repos locally onto the Ansible client nodes and run them from there. Is there a way to run playbooks from Ansible without downloading them to the local machine? So basically what I want is a script/playbook where I pass which playbook to run, and it downloads that playbook and runs it locally.
You're looking for some web interface through which users simply run your tasks, while in the background it executes Ansible.
There are many methods to achieve what you need, however most likely you're looking for one of these:
AWX project - the official Ansible web interface
Jenkins or Rundeck - more bloated software in which you can create your own "jobs" for users to interact with, build CI/CD flows, and schedule cron tasks to run whenever you need.
You can also look into workflow automation, such as Airflow.
There are alternatives to all the options I mentioned, so be sure to check everything when deciding what you need.

How to repeatedly/automatically setup ansible server itself

I'm setting up an Ansible server and I have a basic question.
What is the best practice regarding setting up the first Ansible server itself? (Installing specific versions of Python, Ansible, etc.)
An Ansible server is used to set up other non-Ansible (and Ansible) servers,
but the first/root Ansible server can't be helped by any Ansible server.
I'm writing a shell script just for the first one, but I feel like I'm in the early 2000s.
You can get all the information you require to set up Ansible at the links given below:
WATCH ANSIBLE QUICK START VIDEO
HOW ANSIBLE WORKS
DOWNLOAD ANSIBLE
I struggled with the same issue. I solved it in the following way:
Set up the first server manually (bear with me!) as a bare Ansible control server.
Create a second server with only the OS, no Ansible yet.
Write scripts on the first server to build the second server up to a fully specced Ansible control server. I did need an extra (shell) script that installs the required Galaxy roles. You can use Ansible to have those roles automatically installed on the second server.
On the second server, pull the scripts (your Ansible scripts are in version control, right?) and use them to keep the first server up to date.
Switch regularly between using the first and the second server as the Ansible control server.
Yes, this does indeed add overhead (extra server, extra switching). But this way you make sure that when both servers die, you only need a first simple server with a bare Ansible, and it can either build itself up or build a second server.
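The "shell script for the first server" the question mentions does not have to feel like the early 2000s if it is small and pins everything it installs, so that the control node it produces matches what CI tested. The script below is an added example and is not the code of the answer above; the Ansible version, the venv path, the repo URL, and the existence of a hash-pinned requirements.txt, a requirements.yml for Galaxy roles and a control-node.yml playbook in that repo are all assumptions. It is meant to be run on either of the two control servers described above, so both can be rebuilt from it.

```shell
#!/bin/sh
# bootstrap-control-node.sh: turn a bare OS into a pinned Ansible control node.
# Added example, not from the original answer. Version numbers, paths and the
# repository URL are assumptions; replace them with the ones you actually pin.
set -eu

ANSIBLE_VERSION="${ANSIBLE_VERSION:-2.9.27}"                      # assumed pin
VENV_DIR="${VENV_DIR:-/opt/ansible-venv}"                          # assumed path
REPO_URL="${REPO_URL:-git@git.example.com:ops/ansible.git}"        # assumed repo
CHECKOUT="${CHECKOUT:-/opt/ansible-repo}"

# Extract the version from `ansible --version` output, whose first line reads
# "ansible 2.9.27" on older releases and "ansible [core 2.14.3]" on newer ones.
ansible_version_of() {   # $1 = full `ansible --version` output
    printf '%s\n' "$1" | awk 'NR==1 { v=$2; if (v=="[core") { v=$3; sub(/\]$/, "", v) }; print v; exit }'
}

# Fail the bootstrap when the installed Ansible is not the pinned one: a control
# node that drifted from its pin produces different results than CI did.
check_pinned() {   # $1 = expected version, $2 = `ansible --version` output
    got="$(ansible_version_of "$2")"
    [ "$got" = "$1" ] || { echo "expected ansible $1, found '$got'" >&2; return 1; }
}

install_ansible() {
    python3 -m venv "$VENV_DIR"
    # --require-hashes makes pip refuse any package whose hash is not listed in
    # requirements.txt, so only the exact wheels that were reviewed get installed.
    "$VENV_DIR/bin/pip" install --require-hashes -r "$CHECKOUT/requirements.txt"
    check_pinned "$ANSIBLE_VERSION" "$("$VENV_DIR/bin/ansible" --version)"
}

install_roles() {
    # requirements.yml in the repo pins each Galaxy role to a version or commit,
    # so the roles are reproducible too (the extra shell script the answer needed).
    "$VENV_DIR/bin/ansible-galaxy" install -r "$CHECKOUT/requirements.yml" \
        -p "$CHECKOUT/roles"
}

configure_self() {
    # The node then configures itself with the same playbook that its twin is
    # built with, so the two control servers can always rebuild each other.
    "$VENV_DIR/bin/ansible-playbook" -i 'localhost,' -c local \
        "$CHECKOUT/control-node.yml"
}

main() {
    [ -d "$CHECKOUT/.git" ] || git clone "$REPO_URL" "$CHECKOUT"
    install_ansible
    install_roles
    configure_self
}

# Only act when invoked as `bootstrap-control-node.sh run`, so the helpers can
# also be sourced on their own.
if [ "${1:-}" = "run" ]; then main; fi
```

Generate requirements.txt once with `pip hash` (or pip-compile --generate-hashes) and commit it; then the only thing the bootstrap trusts implicitly is the git server it clones from, which is the same trust the two-server scheme above already places in version control.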

How to check Ansible through gitlab CI?

Our whole infrastructure is managed through Ansible. We have a GitLab repo where all our Ansible playbooks and roles are stored. We recently got a gitlab-runner working, therefore we have the possibility to have CI for each project. As our Ansible repo is quite important, I was wondering if there is anything interesting to check? I thought of doing an ansible-playbook --syntax-check, but I'd like to know if there are more useful tests (maybe a linter?).
I don't want to automatically run the playbooks, but only assert that the newly pushed roles/modifications are "good".
Thanksies,
The first thing you definitely want to run is yamllint, which will make sure that all your YAML files are OK and respect your coding standard. Make sure you configure the checks correctly in your .yamllint to be compatible with ansible-lint below if you decide to use it (especially the line length). The following basic config should be a good start:
extends: default
rules:
  line-length:
    max: 160
    level: warning
You can then run your current syntax check.
Finally, you probably want to run ansible-lint. Although it will report most of the errors you will find above, this one concentrates on good Ansible practices, like not using shell when there is a module available, having names for all tasks, etc.
Side note: These are all default basic checks made by molecule when you use it to test your roles. If you are developing independent reusable roles, I suggest you have a look at this tool.
If you don't want to run your playbooks, this is pretty much all I can see.
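The three checks from the answer above, wired into one script that a GitLab job can call from its `script:` section (for example `- ./ci-check.sh . inventory/staging`). This is an added example, not the answer's own code; it assumes playbooks live at the repository root with a play header in each and that an inventory path is passed in, because --syntax-check with the real inventory also parses group_vars and host_vars, which a bare --syntax-check on the playbook alone never looks at. Files at the root that are YAML but not playbooks (a vars file, requirements.yml) are skipped, since ansible-playbook rejects them with "playbook must be a list of plays".

```shell
#!/bin/sh
# ci-check.sh: checks a GitLab job runs on an Ansible repo without executing
# any playbook. Added example, not from the original answer; the file layout
# (playbooks at the repo root, inventory path given as $2) is an assumption.
set -eu

# A top-level YAML file is treated as a playbook when it contains a play
# header ("- hosts:" or "  hosts:" under a "- name:"). Vars files,
# requirements.yml and the like have no such line and are skipped.
find_playbooks() {   # $1 = repo root; prints one path per line
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*(-[[:space:]]+)?hosts:' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Run --syntax-check on every playbook against the real inventory, so that a
# broken group_vars/host_vars file fails the job too. Keeps going after the
# first failure so one pipeline run reports all broken playbooks.
run_syntax_checks() {   # $1 = repo root, $2 = inventory path
    rc=0
    while IFS= read -r pb; do
        [ -n "$pb" ] || continue
        echo "syntax-check: $pb"
        ansible-playbook -i "$2" --syntax-check "$pb" || rc=1
    done <<EOF
$(find_playbooks "$1")
EOF
    return "$rc"
}

main() {   # $1 = repo root, $2 = inventory path (default: $1/inventory, assumed)
    root="$1"
    inventory="${2:-$root/inventory}"
    rc=0
    # 1. YAML hygiene, using the repo's own .yamllint (warnings do not fail it).
    yamllint "$root" || rc=1
    # 2. Ansible syntax of every playbook, with inventory vars parsed as well.
    run_syntax_checks "$root" "$inventory" || rc=1
    # 3. Practice checks: shell vs module, unnamed tasks, deprecated syntax...
    #    (-r is not POSIX but GNU and BSD xargs both skip the run on empty input.)
    find_playbooks "$root" | xargs -r ansible-lint || rc=1
    return "$rc"
}

# Run only when given a repo path, so the helpers can be sourced elsewhere.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because nothing here needs SSH access or vault secrets, the job can run on an unprivileged runner; only the deployment job described further down needs credentials.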

Deployment with Ansible from Gitlab CI, dealing with passwords

I'm trying to achieve a "password-free" deployment workflow using GitLab CI and Ansible.
Some steps do require a password (I'm already using SSH keys whenever I can), so I've stored those passwords inside an Ansible Vault. Next, I would just need to provide the Vault password when running the playbook.
But how could I integrate this nicely with GitLab CI?
May I register a gitlab-ci job (or are jobs suitable for builds only?) which just runs the playbook, providing the vault password somehow? Can this be achieved without a password lying around in plain text?
Also, I would be really happy if someone could point me to some material that shows how we can deploy builds using Ansible. As you can notice, I've definitely found nothing about that.
You can set an environment variable in GitLab CI which would hold the Ansible Vault password. In my example I called it $ANSIBLE_VAULT_PASSWORD.
Here is the example for .gitlab-ci.yml:
deploy:
  only:
    - master
  script:
    - echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt
    - ansible-playbook -i ansible/staging.yml --vault-password-file .vault_password.txt
Hope this trick helps you out.
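Two things to know before copying the job above: `echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt` leaves the password as a plaintext file in the runner's working directory (which cache and artifact settings can carry into later jobs), and if the job shell is ever traced (`set -x`, or GitLab's CI_DEBUG_TRACE) the expanded echo line, password included, lands in the job log. Ansible avoids both: when the path given to --vault-password-file is executable, ansible-playbook runs it and takes the password from its stdout, so the secret only has to exist in the masked CI variable. The script below is an added example, not the answer's code; it reuses the answer's variable name ANSIBLE_VAULT_PASSWORD and assumes it is saved as vault-pass.sh with the executable bit set in the repository.

```shell
#!/bin/sh
# vault-pass.sh: hand the vault password to ansible-playbook without writing it
# to disk. Ansible executes an executable --vault-password-file and reads the
# password from its stdout. Added example, not the answer's code; the variable
# name ANSIBLE_VAULT_PASSWORD is the one the answer uses.
set -eu

# Print the vault password from the CI variable. Fail loudly when it is unset,
# so a misconfigured job errors out instead of prompting or silently running
# with no secrets (an unset variable would otherwise yield an empty password).
vault_pass() {
    if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
        echo "vault-pass.sh: ANSIBLE_VAULT_PASSWORD is not set" >&2
        return 1
    fi
    printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
}

# Only emit the password when run as the script itself (ansible-playbook
# invokes it as ./vault-pass.sh); sourcing the file just defines the function.
if [ "${0##*/}" = "vault-pass.sh" ]; then
    vault_pass
fi
```

The job then becomes `ansible-playbook --vault-password-file ./vault-pass.sh -i <inventory> <playbook>` (or export ANSIBLE_VAULT_PASSWORD_FILE=./vault-pass.sh and drop the flag). Mark the variable as masked and protected in GitLab so it is redacted from logs and only exposed to jobs on protected branches such as master, which matches the `only: - master` in the job above; with the password never appearing on a command line there is nothing for `set -x` to print.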
I'm not super familiar with gitlab ci, or ansible vault for that matter, but one strategy that I prefer for this kind of situation is to create a single, isolated, secure, and durable place where your password or other secrets exist. A private s3 bucket, for example. Then, give your build box or build cluster explicit access to that secure place. Of course, you'll then want to make sure your build box or cluster are also locked down, such as within a vpc that isn't publicly accessible and can only be accessed via vpn or other very secure means.
The idea is to give the machines that need your password explicit knowledge of where to get it AND separately the permission & access they need to get it. The former does not have to be a secret (so it can exist in source control) but the latter is virtually impossible to attain without compromising the entire system, at which point you're already boned anyway.
So, more specifically, the machine that runs ansible could be inside the secure cluster. It knows how to access the password. It has permission to do so. So, it can simply get the pw, store as a variable, and use it to access secure resources as it runs. You'll want to be careful not to leak the password in the process (like piping ansible logs with the pw to somewhere outside the cluster, or even anywhere perhaps). If you want to kick off the ansible script from outside the cluster, then you would vpn in to run the ansible playbook on the remote machine.

What happens if Ansible fails on a couple of servers

I have a lot of servers and I want to use Ansible to manage all of them. The problem is, what will happen if a configuration with Ansible fails on some servers? Will the Ansible server automatically push the modification again? Also, if a machine is shut down, will Ansible execute the script when the server comes back on?
Example :
[servers]
server1
server2
....
server1000
Servers 50, 51 and 52 are shut down. Should I manually execute Ansible for these servers when they are online again, or does Ansible do it automatically?
I hope you understand me
Thanks
Regards
No. Ansible does not automatically re-run playbooks for you.
However, you could set up your playbooks on a cron job. This way, when the servers come back online, they will receive the Ansible run.
Another approach could be inverting the normal "push" behavior with ansible-pull http://docs.ansible.com/ansible/playbooks_intro.html#ansible-pull This way, when the hosts come online, they run the Ansible stuff on their own.
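One script covering both this question (hosts that were offline or failed during a push) and the first one on this page (undoing a change such as the unexpected user "bob"): each host runs ansible-pull from cron, so a host that was down simply converges at its next cron slot, and a change made by hand is reverted the next time the playbook runs. For the push side it also shows the retry file ansible-playbook writes for a failed run, which lets you re-run only the hosts that failed instead of all thousand. This is an added example and not the answers' code; the repository URL, the cron schedule, the paths and the sample playbook are assumptions for illustration.

```shell
#!/bin/sh
# enforce-with-pull.sh: keep hosts converged when a push missed them (offline,
# failed) or when someone changed them by hand afterwards ("user bob").
# Added example, not the answers' code; the repo URL, schedule, paths and the
# sample playbook are assumptions for illustration.
set -eu

REPO_URL="${REPO_URL:-https://git.example.com/ops/ansible.git}"   # assumed
CRON_FILE="${CRON_FILE:-/etc/cron.d/ansible-pull}"
WORKDIR="${WORKDIR:-/var/lib/ansible/local}"

# Cron entry (/etc/cron.d format, so it carries a user field) that runs
# ansible-pull every 30 minutes. Pass "-o" (--only-if-changed) as $3 to skip
# runs while the checkout is unchanged; leave it empty when the point is to
# revert manual changes between commits, because those are only undone when
# the playbook actually runs.
render_cron_entry() {   # $1 = repo url, $2 = work dir, $3 = "" or "-o"
    printf '*/30 * * * * root /usr/bin/ansible-pull -U %s -d %s -i localhost, %s local.yml >> /var/log/ansible-pull.log 2>&1\n' \
        "$1" "$2" "$3"
}

# Sample local.yml as the repository would carry it. The account list is
# declarative: every run removes human accounts (uid >= 1000) that are not in
# managed_users, so an account created by hand is gone after the next pull.
# remove: true also deletes the home directory; drop it if you want to keep it.
write_sample_playbook() {   # $1 = directory to write local.yml into
    cat > "$1/local.yml" <<'EOF'
- hosts: localhost
  become: true
  vars:
    managed_users: [alice, deploy]
  tasks:
    - name: List human accounts present on the host
      command: "awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd"
      register: present_users
      changed_when: false

    - name: Remove every account that is not in managed_users
      user:
        name: "{{ item }}"
        state: absent
        remove: true
      loop: "{{ present_users.stdout_lines | difference(managed_users) }}"
EOF
}

# Path of the retry file ansible-playbook writes after a run with failed hosts:
# same directory and base name as the playbook, extension replaced by .retry.
retry_file_for() {   # $1 = playbook path
    printf '%s\n' "${1%.y*ml}.retry"
}

# Push-side companion: re-run a playbook only on the hosts that failed last
# time. Retry files were written by default before Ansible 2.8; on newer
# versions set retry_files_enabled = True in ansible.cfg to get them.
rerun_failed() {   # $1 = playbook, $2 = inventory
    retry="$(retry_file_for "$1")"
    if [ ! -s "$retry" ]; then
        echo "no retry file for $1, nothing to re-run" >&2
        return 0
    fi
    ansible-playbook -i "$2" --limit "@$retry" "$1"
}

install_pull() {
    mkdir -p "$WORKDIR"
    render_cron_entry "$REPO_URL" "$WORKDIR" "" > "$CRON_FILE"
    chmod 0644 "$CRON_FILE"
}

case "${1:-}" in
    install) install_pull ;;
    rerun)   rerun_failed "$2" "$3" ;;
esac
```

The trade-off to weigh before switching a fleet to pull mode: every host now holds credentials to read the configuration repository and runs whatever is in it as root, so a compromised git server (or a leaked write token) becomes code execution on every host. Use a read-only deploy credential per host or group, keep secrets in Ansible Vault rather than in the repo, and consider ansible-pull --verify-commit, which aborts the run unless the checked-out commit carries a valid GPG signature.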
