- By: Thomas Jungbauer ( Lastmod: 2021-08-14 )
Notes taken during Red Hat course D410 Ansible and Ansible Tower.
Make sure that libselinux-python is installed.
Ansible 2.7 requires Python 2.6 or 3.5
yum list installed python
Windows modules are implemented in PowerShell.
Ansible requires at least .NET 4.0.
Ansible searches for ansible.cfg in the following order:
$ANSIBLE_CFG
ansible.cfg in the current directory
$HOME/ansible.cfg
/etc/ansible/ansible.cfg
Whichever it finds first will be used.
Use
ansible --version
to see which config file is currently used. You can view, dump, or see what changed with
ansible-config [list|dump|view]
List all available modules via
ansible-doc -l
For getting help on a specific module use
ansible-doc ping
To display Ansible output on a single line per host for easier readability, use the -o option
ansible all -m command -a /bin/hostname -o
Use the raw module for directly executing commands on remote systems that do not have python installed.
ansible -m raw
Ansible uses custom facts from /etc/ansible/facts.d/. Facts can be stored in .ini style or you can place executable scripts in this directory. The script needs to output JSON. Custom facts are available via ansible_facts.ansible_local.
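The lookup described above, as an added example (a simplified model, not Ansible's own code): it reads every `*.fact` file in a directory, runs executable ones and parses their JSON, parses the rest as JSON or .ini, and keys each result by file name the way it would appear under ansible_facts.ansible_local. The group/other-writable warning and the sample file in the demo are additions made for this example.

```python
import configparser
import json
import os
import stat
import subprocess
import tempfile


def load_local_facts(fact_dir):
    """Return (facts, warnings) for every *.fact file in fact_dir."""
    facts, warnings = {}, []
    for name in sorted(os.listdir(fact_dir)):
        path = os.path.join(fact_dir, name)
        if not name.endswith(".fact") or not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        key = name[: -len(".fact")]
        executable = bool(mode & stat.S_IXUSR)
        # An executable fact runs with the privileges of the user gathering
        # facts, so flag scripts that group/other are able to modify.
        if executable and mode & (stat.S_IWGRP | stat.S_IWOTH):
            warnings.append(f"{name}: executable and writable by group/other")
        try:
            if executable:
                text = subprocess.run([path], capture_output=True, text=True,
                                      timeout=10, check=True).stdout
                facts[key] = json.loads(text)
            else:
                with open(path) as fh:
                    text = fh.read()
                try:
                    facts[key] = json.loads(text)
                except ValueError:  # not JSON, fall back to .ini style
                    ini = configparser.ConfigParser()
                    ini.read_string(text)
                    facts[key] = {s: dict(ini[s]) for s in ini.sections()}
        except (OSError, ValueError, configparser.Error,
                subprocess.SubprocessError) as exc:
            warnings.append(f"{name}: could not load ({exc.__class__.__name__})")
    return facts, warnings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample fact file
        with open(os.path.join(d, "app.fact"), "w") as fh:
            fh.write("[general]\nrole = web\n")
        print(load_local_facts(d))
```

On a managed node, pass /etc/ansible/facts.d as the directory to preview what a play would see and which fact scripts have loose permissions.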
hostvars: variables defined for this host
group_names: list of groups this host is a member of
groups: list of all groups and hosts in the inventory
inventory_hostname: host name of the current host as configured in the inventory
Some examples of how to match hosts defined in the inventory
'*.lab.com': match all hosts ending with .lab.com
'lab,datacenter': match all hosts either in lab or datacenter
'datacenter*': match all hosts and host groups starting with datacenter
'lab,&datacenter': match hosts that are in both the lab and the datacenter group
'datacenter,!test.lab.com': match all hosts in datacenter, except test.lab.com
Example scripts for dynamic inventories can be found at https://github.com/ansible/ansible/tree/devel/contrib/inventory.
You can use ansible-inventory to take a look at the current inventory as JSON. This also works for static inventories.
Inventories can be combined. Just create a directory containing a static inventory and a script that creates a dynamic inventory; Ansible will happily execute the scripts and merge everything together.
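What such a script has to produce, as an added example (not one of the contrib scripts): it answers `--list` with a JSON document of groups plus `_meta.hostvars`, and `--host <name>` with that host's variables. The SOURCE records are constructed and stand in for whatever CMDB or cloud API a real script would query.

```python
import argparse
import json

# Constructed sample data standing in for a CMDB or cloud API response.
SOURCE = [
    {"name": "web1.example.com", "site": "datacenter", "env": "prod"},
    {"name": "web2.example.com", "site": "datacenter", "env": "prod"},
    {"name": "test.lab.com", "site": "lab", "env": "test"},
]


def build_inventory(records):
    """Group hosts by site and publish per-host variables under _meta."""
    inventory = {"_meta": {"hostvars": {}}}
    for rec in records:
        group = inventory.setdefault(rec["site"], {"hosts": [], "vars": {}})
        group["hosts"].append(rec["name"])
        inventory["_meta"]["hostvars"][rec["name"]] = {"env": rec["env"]}
    return inventory


def host_vars(records, host):
    """Answer --host <name>; unknown hosts get an empty dict."""
    return build_inventory(records)["_meta"]["hostvars"].get(host, {})


def main(argv=None):
    parser = argparse.ArgumentParser(description="dynamic inventory sketch")
    parser.add_argument("--list", action="store_true")
    parser.add_argument("--host")
    args = parser.parse_args(argv)
    if args.host:
        result = host_vars(SOURCE, args.host)
    else:
        result = build_inventory(SOURCE)
    print(json.dumps(result, indent=2, sort_keys=True))
    return result


if __name__ == "__main__":
    main()
```

The file has to be executable to be run as an inventory script; since everything executable in an inventory directory gets run, keep that directory writable only by the people who maintain the inventory.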
The following might be useful when debugging ansible roles and playbooks
ansible-playbook play.yml --syntax-check
ansible-playbook play.yml --step
ansible-playbook play.yml --start-at-task="start httpd service"
ansible-playbook --check play.yml
ansible-playbook --check --diff play.yml
Notes on deploying and working with ansible tower.
System requirements:
at least 4GB of RAM
actual requirement depends on forks variable
recommendation is 100MB memory for each fork + 2GB of memory for tower services
20GB of disk storage, at least 10GB in /var
Steps for installing:
download setup tar.gz from http://releases.ansible.com/ansible-tower/setup/
set passwords in inventory
run ./setup.sh
Authentication settings can be changed under Settings / Authentication. E.g. for configuring Azure AD authentication we are going to need
an Azure AD oauth2 key and
an Azure AD oauth2 secret
separate roles for organizations and inventories
you need to assign roles to organizations and inventories
These are the steps to run playbooks against managed nodes in Tower:
Create an organization if required
Create users
Create teams and assign users
Create credentials for accessing managed nodes
Assign credential to organization
Create credentials for accessing SCM repositories (e.g. git)
Assign credentials to users or teams
Create a project
Assign Teams to project
Create a job template for executing playbooks
If the project includes a requirements.yml file in the roles/ folder, Tower will automatically run
ansible-galaxy install -r roles/requirements.yml -p ./roles/ --force
at the end of an update. So this could be used to include external dependencies (like SAP ansible roles).
Ansible playbooks are stored in GIT repositories. A job template defines
the inventory used for this job template
the project for executing this job
this connects the GIT repository used in this project with the template
the playbook to execute
the credentials for executing jobs
permissions for users / teams (e.g. admin, execute)
Tower creates jobs from those templates, which are ansible runs executed against managed nodes.
It might be a good idea to use the Tower facts cache. To speed up playbook runs set gather_facts: no in the play. Then enable the facts cache in Tower.
In tower settings set a timeout for the cache
In job templates enable Use facts cache
Create a playbook that runs on a regular basis to gather facts, e.g.
- name: Refresh fact cache
  hosts: all
  gather_facts: yes
These are the options for creating inventories in Ansible Tower
static inventory defined in tower
importing static inventories via awx-manage
static inventory defined in git repository
dynamic inventory via a custom script
dynamic inventory provided by Tower (e.g. satellite)
A special feature of Tower is the so-called smart inventory. A smart inventory combines all static and dynamic inventories and allows filtering based on facts. Filtering requires a valid fact cache.
Tower uses the following components:
postgresql
nginx
memcached
rabbitmq
supervisord
Useful tools
ansible-tower-service (e.g. status / restart)
supervisorctl (e.g. status)
awx-manage
Tower stores log files in
/var/log/tower/ (e.g. tower.log).
/var/log/supervisor/
/var/log/nginx/
Other important directories
/var/lib/awx/public/static static files served by django
/var/lib/awx/projects stores all project related files (e.g. git checkouts)
/var/lib/awx/jobs_status job status output
By default playbook runs are confined to /tmp; this might lead to problems with tasks running on the local system.
In case of a lost admin password you can use awx-manage to reset the password or create a new superuser:
awx-manage changepassword admin
awx-manage createsuperuser
Ansible Tower uses nginx to serve its web interface over TLS. Nginx uses the configuration file /etc/nginx/nginx.conf.
To deploy custom TLS certificates used by Tower, replace the certificate and private key in /etc/tower. You have to replace
/etc/tower/tower.crt and
/etc/tower/tower.key
It might be a good idea to create a backup copy before overwriting those files.
Of course backup and restore are done via Ansible. The Ansible Tower setup script setup.sh provides a wrapper around these playbooks. Execute
setup.sh -b
to perform a backup. This creates a backup .tar.gz file in the current directory.
To restore a backup use
setup.sh -r
This restores the latest backup by default.
Workflow job templates
Add autocmd FileType yaml setlocal ai ts=2 sw=2 et to .vimrc.
Use sudo yum install python-cryptography to speed up Ansible if there are many vault files.
Copyright © 2020 - 2023 Toni Schmidbauer & Thomas Jungbauer