DO410 Ansible and Ansible Tower training notes

Ansible

- Thomas Jungbauer Thomas Jungbauer ( Lastmod: 2024-05-05 ) - 4 min read

Notes taken during Red Hat course D410 Ansible and Ansible Tower.

Ansible installation

  • make sure that libselinux-python is installed

  • Ansible 2.7 requires python 2.6 or 3.5

yum list installed python

  • windows modules implemented in powershell

  • ansible requires at least .net 4.0

Configuration files

Ansible searches for ansible.cfg in the following order:

  • $ANSIBLE_CFG

  • ansible.cfg in the current directory

  • $HOME/ansible.cfg

  • /etc/ansible/ansible.cfg

whichever it finds first will be used.

use

ansible --version

to see which config file is currently used. you can view/dump/see what changed with

ansible-config [list|dump|view]

Default modules

List all available modules via

ansible-doc -l

For getting help on a specific module use

ansible-doc ping

Ad-hoc commmands

To display ansible output on a single line per host for easier readablility use the -o option

ansible all -m command -a /bin/hostname -o

Use the raw module for directly executing commands on remote systems that do not have python installed.

ansible -m raw

Custom Facts

Ansible uses custom facts from /etc/ansible/facts.d/. Facts can be stored in .ini style or you can place executable scripts in this directory. The script needs to output JSON. Custom facts are available via ansible_facts.ansible_local.

Magic variables available

  • hostvars: variables defined for this host

  • group_names: list of groups this host is a member of

  • groups: list of all groups and hosts in the inventory

  • inventory_hostname: host name of the current host as configured in the inventory

Matching hosts in the inventory

Some examples on how to match hosts defined in the inventory

  • '*.lab.com': match all hosts starting with lab.com

  • 'lab,datacenter': match all hosts either in lab or datacenter

  • 'datacenter*': match all host and host groups starting with datacenter

  • 'lab,&datacenter': match hosts in the lab and datacenter group

  • 'datacenter,!test.lab.com': match all hosts in datacenter, except test.lab.com

Dynamic inventory

Example scripts for dynamic inventories can be found at https://github.com/ansible/ansible/tree/devel/contrib/inventory.

You can use ansible-inventory to take a look a the current inventory as json. This also works for static inventories.

Inventories can be combined. Just create a directory containing a static inventory and script to create a dynamic inventory, ansible will happily execute the scripts and merge everything together.

Debugging

The following might be useful when debugging ansible roles and playbooks

ansible-playbook play.yml --syntax-check
ansible-playbook play.yml --step
ansible-playbook play.yml --start-at-task="start httpd service"
ansible-playbook --check play.yml
ansible-playbook --check --diff play.yml

Ansible Tower

Notes on deploying and working with ansible tower.

Installation

System requirements:

  • at least 4GB of RAM

  • actual requirement depends on forks variable

  • recommendation is 100MB memory for each for + 2GB of memory for tower services

  • 20GB of disk storage, at least 10GB in /var

Steps for installing:

Authentication

Authentication settings can be changed under Settings / Authentication. E.g for configuring Azure AD authentication we are going to need

  • an Azure AD oauth2 key and

  • a Azure AD oauth2 secret

RBAC

  • separate roles for organizations and inventories

  • you need to assign roles to organizations and inventories

The Tower Flow

These are the steps to run playbooks against managed nodes in Tower:

  • Create an organization if required

  • Create users

  • Create teams and assign users

  • Create credentials for accessing managed nodes

  • Assign credential to organization

  • Create credentials for accessing SCM repositories (e.g. git)

  • Assign credentials to users or teams

  • Create a project

  • Assign Teams to project

  • Create a job template for executing playbooks

Ansible Roles support

If the project includes a requirements.txt file in the roles/ folder, tower will automatically run

ansible-galaxy install -r roles/requirements.yml -p ./roles/ --force

at the end of an update. So this could be used to include external dependencies (like SAP ansible roles).

Job Templates

Ansible playbooks are stored in GIT repositories. A job template defines

  • the inventory used for this job template

  • the project for executing this job

  • this connects the GIT repository used in this project with the template

  • the playbook to execute

  • the credentials for executing jobs

  • permissions for users / teams (e.g. admin, execute)

Tower creates jobs from those templates, which are ansible runs executed against managed nodes.

Fact Caching

It might be a good idea to use the tower facts cache. To speed up playbook runs set gather_facts: no in the play. Then enable the facts cache in tower.

  • In tower settings set a timeout for the cache

  • In job templates enable Use facts cache

  • Create a playbook that runs on a regular basis to gather facts, e.g.

- name: Refresh fact cache
  hosts: all
  gather_facts: yes

Inventory options

These are the options for creating inventories in Ansible Tower

  • static inventory defined in tower

  • importing static inventories via awx-manage

  • static inventory defined in git repository

  • dynamic inventory via a custom script

  • dynamic inventory provides by tower (e.g. satellite)

A special feature in Tower are so called smart inventories. A smart inventory combines all static and dynamic inventories and allows filtering based on facts. Filtering requires a valid fact cache.

Troubleshooting

Tower uses the following components:

  • postgresql

  • nginx

  • memcached

  • rabbitmq

  • supervisord

Useful tools

  • ansible-tower-service (e.g. status / restart)

  • supervisorctl (e.g. status)

  • awx-manage

Tower stores log files in

  • /var/log/tower/ (e.g. tower.log).

  • /var/log/supervisor/

  • /var/log/nginx/

Other important directories

  • /var/lib/awx/public/static static files served by django

  • /var/lib/awx/projects stores all project related files e.g. git checkouts)

  • /var/lib/awx/jobs_status job status output

by default playbook runs are confined to /tmp this might lead to problems with tasks running on the local system.

In case of a lost admin password you can use awx-manage to reset the password or create a new superuser:

awx-manage changepassword admin
awx-manage createsuperuser

Replacing the default TLS certificates

Ansible tower uses nginx to service it’s web interface over TLS. Nginx uses the configuration file /etc/nginx/nginx.conf.

To deploy custom TLS certificates used by tower replace the certificate and private key in /etc/tower. You have to replace

  • /etc/tower/tower.crt and

  • /etc/tower/tower.key

It might be a good idea to create a backup copy before overwriting those files.

Backup and restore

Of course backup and restore are done via ansible. The ansible tower setup script setup.sh provides a wrapper around these playbooks. Execute

setup.sh -b

to perform a backup. This creates a backup .tar.gz file in the current directory.

To restore a backup use

setup.sh -r

this restores the latest backup per default.

Things to remember

  • Workflow job templates

  • add autocmd FileType yaml setlocal ai ts=2 sw=2 et to .vimrc

  • use sudo yum install python-cryptography if there are many vault files to speed up ansible

See Also:

  • Ansible Style Guide

    You should always follow the Best Practices and Ansible Lint rules defined by the Ansible documentation when developing playbooks. Although very basic, the Best Practices document gives a few guidelines to be able to carry out well-structured playbooks and roles, it contains recommendations that evolve with the project, so it is recommended to review it regularly. It is advisable to review the organization of content in Ansible. The Ansible Lint documentation shows us through this tool the syntax rules that will be checked in the testing of roles and playbooks, the rules that will be checked are indicated in this document in their respective section.

  • Automation Controller and LDAP Authentication

    The following article shall quickly, without huge background information, deploy an Identity Management Server (based on FreeIPA) and connect this IDM to an existing Automation Controller so authentication can be tested and verified based on LDAP.

  • Ansible Tower and downloading collections

    Every wondered why Ansible Tower does not start downloading required collections when you synchronize a project? Here are the stumbling blocks we discovered so far:

  • Ansible - Azure Resource Manager Example

    Using Ansible Resource Manager with an ARM template and a simple Ansible playbook to deploy a Virtual Machine with Disk, virtual network, public IP and so on.

Copyright © 2020 - 2024 Toni Schmidbauer & Thomas Jungbauer