DO410 Ansible and Ansible Tower training notes

- By: Thomas Jungbauer ( Lastmod: 2021-08-14 )

Notes taken during Red Hat course D410 Ansible and Ansible Tower.

Ansible installation

  • make sure that libselinux-python is installed

  • Ansible 2.7 requires python 2.6 or 3.5

yum list installed python

  • windows modules implemented in powershell

  • ansible requires at least .net 4.0

Configuration files

Ansible searches for ansible.cfg in the following order:

  • $ANSIBLE_CFG

  • ansible.cfg in the current directory

  • $HOME/ansible.cfg

  • /etc/ansible/ansible.cfg

whichever it finds first will be used.

use

ansible --version

to see which config file is currently used. you can view/dump/see what changed with

ansible-config [list|dump|view]

Default modules

List all available modules via

ansible-doc -l

For getting help on a specific module use

ansible-doc ping

Ad-hoc commmands

To display ansible output on a single line per host for easier readablility use the -o option

ansible all -m command -a /bin/hostname -o

Use the raw module for directly executing commands on remote systems that do not have python installed.

ansible -m raw

Custom Facts

Ansible uses custom facts from /etc/ansible/facts.d/. Facts can be stored in .ini style or you can place executable scripts in this directory. The script needs to output JSON. Custom facts are available via ansible_facts.ansible_local.

Magic variables available

  • hostvars: variables defined for this host

  • group_names: list of groups this host is a member of

  • groups: list of all groups and hosts in the inventory

  • inventory_hostname: host name of the current host as configured in the inventory

Matching hosts in the inventory

Some examples on how to match hosts defined in the inventory

  • '*.lab.com': match all hosts starting with lab.com

  • 'lab,datacenter': match all hosts either in lab or datacenter

  • 'datacenter*': match all host and host groups starting with datacenter

  • 'lab,&datacenter': match hosts in the lab and datacenter group

  • 'datacenter,!test.lab.com': match all hosts in datacenter, except test.lab.com

Dynamic inventory

Example scripts for dynamic inventories can be found at https://github.com/ansible/ansible/tree/devel/contrib/inventory.

You can use ansible-inventory to take a look a the current inventory as json. This also works for static inventories.

Inventories can be combined. Just create a directory containing a static inventory and script to create a dynamic inventory, ansible will happily execute the scripts and merge everything together.

Debugging

The following might be useful when debugging ansible roles and playbooks

ansible-playbook play.yml --syntax-check
ansible-playbook play.yml --step
ansible-playbook play.yml --start-at-task="start httpd service"
ansible-playbook --check play.yml
ansible-playbook --check --diff play.yml

Ansible Tower

Notes on deploying and working with ansible tower.

Installation

System requirements:

  • at least 4GB of RAM

  • actual requirement depends on forks variable

  • recommendation is 100MB memory for each for + 2GB of memory for tower services

  • 20GB of disk storage, at least 10GB in /var

Steps for installing:

Authentication

Authentication settings can be changed under Settings / Authentication. E.g for configuring Azure AD authentication we are going to need

  • an Azure AD oauth2 key and

  • a Azure AD oauth2 secret

RBAC

  • separate roles for organizations and inventories

  • you need to assign roles to organizations and inventories

The Tower Flow

These are the steps to run playbooks against managed nodes in Tower:

  • Create an organization if required

  • Create users

  • Create teams and assign users

  • Create credentials for accessing managed nodes

  • Assign credential to organization

  • Create credentials for accessing SCM repositories (e.g. git)

  • Assign credentials to users or teams

  • Create a project

  • Assign Teams to project

  • Create a job template for executing playbooks

Ansible Roles support

If the project includes a requirements.txt file in the roles/ folder, tower will automatically run

ansible-galaxy install -r roles/requirements.yml -p ./roles/ --force

at the end of an update. So this could be used to include external dependencies (like SAP ansible roles).

Job Templates

Ansible playbooks are stored in GIT repositories. A job template defines

  • the inventory used for this job template

  • the project for executing this job

  • this connects the GIT repository used in this project with the template

  • the playbook to execute

  • the credentials for executing jobs

  • permissions for users / teams (e.g. admin, execute)

Tower creates jobs from those templates, which are ansible runs executed against managed nodes.

Fact Caching

It might be a good idea to use the tower facts cache. To speed up playbook runs set gather_facts: no in the play. Then enable the facts cache in tower.

  • In tower settings set a timeout for the cache

  • In job templates enable Use facts cache

  • Create a playbook that runs on a regular basis to gather facts, e.g.

- name: Refresh fact cache
  hosts: all
  gather_facts: yes

Inventory options

These are the options for creating inventories in Ansible Tower

  • static inventory defined in tower

  • importing static inventories via awx-manage

  • static inventory defined in git repository

  • dynamic inventory via a custom script

  • dynamic inventory provides by tower (e.g. satellite)

A special feature in Tower are so called smart inventories. A smart inventory combines all static and dynamic inventories and allows filtering based on facts. Filtering requires a valid fact cache.

Troubleshooting

Tower uses the following components:

  • postgresql

  • nginx

  • memcached

  • rabbitmq

  • supervisord

Useful tools

  • ansible-tower-service (e.g. status / restart)

  • supervisorctl (e.g. status)

  • awx-manage

Tower stores log files in

  • /var/log/tower/ (e.g. tower.log).

  • /var/log/supervisor/

  • /var/log/nginx/

Other important directories

  • /var/lib/awx/public/static static files served by django

  • /var/lib/awx/projects stores all project related files e.g. git checkouts)

  • /var/lib/awx/jobs_status job status output

by default playbook runs are confined to /tmp this might lead to problems with tasks running on the local system.

In case of a lost admin password you can use awx-manage to reset the password or create a new superuser:

awx-manage changepassword admin
awx-manage createsuperuser

Replacing the default TLS certificates

Ansible tower uses nginx to service it’s web interface over TLS. Nginx uses the configuration file /etc/nginx/nginx.conf.

To deploy custom TLS certificates used by tower replace the certificate and private key in /etc/tower. You have to replace

  • /etc/tower/tower.crt and

  • /etc/tower/tower.key

It might be a good idea to create a backup copy before overwriting those files.

Backup and restore

Of course backup and restore are done via ansible. The ansible tower setup script setup.sh provides a wrapper around these playbooks. Execute

setup.sh -b

to perform a backup. This creates a backup .tar.gz file in the current directory.

To restore a backup use

setup.sh -r

this restores the latest backup per default.

Things to remember

  • Workflow job templates

  • add autocmd FileType yaml setlocal ai ts=2 sw=2 et to .vimrc

  • use sudo yum install python-cryptography if there are many vault files to speed up ansible

Copyright © 2020 - 2023 Toni Schmidbauer & Thomas Jungbauer

Built with Hugo Learn Theme and Hugo