Ansible



Ansible :

We can use it for configuration management, orchestration and provisioning.

Configuration Management : Any change we make to our users, files, services, application-related files, etc. is called configuration management.
                           Any setup we do means installing the software, configuring it for our environment and starting to use it.
                           We can use Ansible to do this configuration.

Provisioning : Building new servers.
               We can use Ansible for provisioning as well.

Orchestration : Executing the steps in a structured way.


Latest Version of Ansible is 2.4
It is an open source tool.
It also has an enterprise product called Ansible Tower.
Agentless tool (no agent needs to be installed on the remote systems). It communicates with the clients over SSH.

Ansible Server : The system where we install Ansible is called the controller.
                 We cannot install this tool on Windows, but we can manage Windows machines from the controller server through PowerShell.
                 Along with the installation of the Ansible tool, Python will also get installed.
                 Ansible works completely on Python code. By default the Python package is available on Linux machines.
              

Ansible Features : Agentless.
                   Idempotency.
                   Ssh/winrm.
                   In-order execution.
                   YAML.
                 
Let us go ahead and install Ansible open source.
To install it, we first need to install the epel-release rpm so that it automatically configures the open-source repo.
# yum install epel-release* -y

# yum list | grep -i ansible

# yum install ansible* -y

Now ansible is completely installed.

Eg : Configuring Webserver using Ansible.

     Generally : for configuration of web server we will follow the below procedure
                 # yum install httpd* -y
                 # cd /var/www/html
                 # vi index.html (# write some thing in to this index.html file)
                 # service httpd start
                 # chkconfig httpd on
              
    Let us configure these changes using Ansible :
                Now we need to call the modules.
                To see the list/info of modules we need to use the command ansible-doc -l
                # ansible-doc -l
              
                When you install Ansible, it will create three files in /etc/ansible
                1.ansible.cfg (This is the configuration file for the controller server.)
                2.hosts file (This is the inventory file. The hostnames of the systems we want to run against must be listed in the hosts file.)
                3.Roles

            Let us install httpd on server2.
            # ansible server2 -m yum -a "name=httpd state=present"
            (if you get an error message like authentication failure.)
            # ansible server2 -k -m yum -a "name=httpd state=present"
            (-k : prompt for password. -a : arguments)
            # vi index.html (write text as checking ansible concepts)
            # ansible server2 -k -m copy -a "src=index.html dest=/var/www/html/"
            Now we need to start the service.
            # ansible server2 -k -m service -a "name=httpd state=started"
            Now try to browse the IP of server2; you should get the webpage.
          
    Playbook : Every playbook will contain four sections
                1. Setup
                2. Variables
                3. Task
                4. Handlers
              
        Every playbook is saved with the .yml extension.
        We need to follow the YAML indentation while writing the playbook.
      
        Eg : sample playbook
        # vi webserver.yml
    #############   Playbook 1  #############################################  
        ---
        - hosts: server2
          become: yes
          tasks:
             - name: install httpd
               yum: name=httpd state=installed
             - name: copy index.html file
               copy: src=index.html dest=/var/www/html
             - name: starting httpd service
               service: name=httpd state=started
    ###############################################################         
        We are done writing the playbook. Let us execute the playbook.
      
        # ansible-playbook webserver.yml
        :- Whatever we did from the command line, we have now done using a playbook.
      
    If any task fails while a playbook is executing, the playbook stops automatically.
    To ignore the error and continue executing the playbook, specify "ignore_errors: yes" under the task.

        ---
        - hosts: server2
          become: yes
          tasks:
             - name: install httpd
               yum: name=httpd12121 state=installed
               ignore_errors: yes
             - name: copy index.html file
               copy: src=index.html dest=/var/www/html
             - name: starting httpd service
               service: name=httpd state=started

        # In the above playbook I have given the wrong package name. Ansible will ignore the error and continue the execution with the remaining tasks.
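
        A more careful way to use ignore_errors, shown as an added example that is not part of the original post: ignore the failure only on the one task that is allowed to fail, register its result and report it, so the ignored error still shows up in the run output. The names optional_pkg and optional_result are made up for this example.

```yaml
---
# Added example: only the optional install may fail; everything else stops the play.
- hosts: server2
  become: yes
  vars:
    optional_pkg: httpd12121   # the deliberately wrong package name used above
  tasks:
    - name: install httpd (must succeed, so no ignore_errors here)
      yum:
        name: httpd
        state: present

    - name: try to install the optional package
      yum:
        name: "{{ optional_pkg }}"
        state: present
      register: optional_result   # keep the result so the failure is not lost
      ignore_errors: yes

    - name: report the ignored failure in the run output
      debug:
        msg: "{{ optional_pkg }} was not installed: {{ optional_result.msg | default('no message') }}"
      when: optional_result.failed | default(false)

    - name: copy index.html file
      copy:
        src: index.html
        dest: /var/www/html/

    - name: starting httpd service
      service:
        name: httpd
        state: started
```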
      
        ######################################################################################
        Handlers :

        Tasks written under the handlers section do not execute by themselves.
        They are linked to tasks in the tasks section of the playbook through notify.

        For example, whenever index.html changes, we need to restart the httpd service.

   
          ---
          - hosts: server2
            remote_user: test
            become: yes
            tasks:
              - name: install httpd
                yum: name=httpd state=installed
              - name: copy index.html file
                copy: src=index.html dest=/var/www/html/
                notify: restarting httpd
              - name: starting httpd service
                service: name=httpd state=started
            handlers:
              - name: restarting httpd
                service: name=httpd state=restarted
           
        ##########################################################################################
      
Variables :


---
- hosts: server2
  remote_user: test
  become: yes
  vars:
        pkg: httpd
  tasks:
    - name: install httpd
      yum: name={{pkg}} state=installed
    - name: copy index.html file
      copy: src=index.html dest=/var/www/html/
    - name: starting {{pkg}} service
      service: name={{pkg}} state=restarted

We can also pull the variables from a file.
In the playbook we need to tell Ansible to pull the variables from the file.

vars_files:
        - abc.yml

Variable file should also be in yml format.

We can also take the variables as input from the user.
For that we need to use the parameter :

vars_prompt:
        - name: pkg2
          prompt: Enter the package name
       
If you execute the playbook with the prompt parameter, it will not show the package name as you type it.
To make the input visible, add the extra parameter private: no

vars_prompt:
        - name: pkg2
          prompt: Enter the package name
          private: no
       
###############################################################################
Conditionals in Ansible :

You can also use parentheses to group conditions:

tasks:
  - name: "shut down CentOS 6 and Debian 7 systems"
    command: /sbin/shutdown -t now
    when: (ansible_distribution == "CentOS" and ansible_distribution_major_version == "6") or
          (ansible_distribution == "Debian" and ansible_distribution_major_version == "7")

Multiple conditions that all need to be true (a logical ‘and’) can also be specified as a list:

tasks:
  - name: "shut down CentOS 6 systems"
    command: /sbin/shutdown -t now
    when:
      - ansible_distribution == "CentOS"
      - ansible_distribution_major_version == "6"
   
#####################################################################################

Linux Patching through Ansible :

Ansible comes with a module named yum, which can automate package installation, upgrade and removal.
Below are a few practical examples of the yum module
1) Install latest version of particular package e.g httpd
- name: install the latest version of Apache
  yum:
    name: httpd
    state: latest
2) Remove a package with all its dependencies
- name: remove the Apache package
  yum:
    name: httpd
    state: absent
3) Install package using .rpm file present locally

- name: install nginx rpm from a local file
  yum:
    name: /usr/local/src/nginx-release-centos-6-0.el6.ngx.noarch.rpm
    state: present
4) Update all installed packages
- name: upgrade all packages
  yum:
    name: '*'
    state: latest
5) Update all packages excluding java and httpd related packages
- name: upgrade all packages
  yum:
    name: '*'
    exclude: java*,httpd*
    state: latest
Below is a complete playbook which can be used to apply patches on all your servers. We assume that you have put all your server IPs/hostnames in the inventory file.
---
 - name: Playbook to Patch Linux Server
   hosts: all
   gather_facts: no
   tasks:
     - name: Upgrade all packages excluding JAVA & HTTPD
       yum: 
         name: '*'
         exclude: java*,httpd*
         state: latest
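
A variation of the patching playbook above, added here as an example and not taken from the copied article: it patches in small batches, stops the rollout when a host fails, installs only security updates and reports which hosts still need a reboot. It assumes RHEL/CentOS 7 hosts with yum-utils installed (for needs-restarting) and repositories that publish security errata metadata; without that metadata "security: yes" finds nothing to update.

```yaml
---
# Added example: batch-wise, security-only patching with a reboot check.
- name: Patch Linux servers in small batches
  hosts: all
  become: yes
  gather_facts: no
  serial: 2                  # patch two hosts at a time
  max_fail_percentage: 0     # abort the rollout if any host in a batch fails
  tasks:
    - name: Apply security updates excluding JAVA & HTTPD
      yum:
        name: '*'
        state: latest
        security: yes
        exclude: java*,httpd*

    - name: Check whether a reboot is needed (exit code 1 means yes)
      command: needs-restarting -r
      register: reboot_check
      changed_when: false
      failed_when: reboot_check.rc not in [0, 1]

    - name: Report hosts that need a reboot to finish patching
      debug:
        msg: "{{ inventory_hostname }} needs a reboot"
      when: reboot_check.rc == 1
```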
 
########################################################################## 
 
Copied from http://www.theunixmantra.com/automate-linux-patching-activity-using-ansible/ 








Ansible Architecture :

Below diagram illustrates the ansible architecture.

In this topic we are going to discuss all the components of this architecture.

1. Inventory : This is a text file which describes servers and systems.
                       We can also define host-level variables, groups and roles.
                       In general we treat this as the Ansible hosts file.

2. Modules : Modules are the command center of the system.
                     Without modules we really can't perform any operation on the servers.
                     Some modules are built into the core of the product, meaning the Ansible developers fully support them; these are called core modules.
                     Other modules are considered extras. They come with Ansible but are developed by other people.
                     Put simply, a module is a programmed unit of work to be done.
                     eg: yum module, copy module, service module, etc.

3. Playbooks: Playbooks are files that we create to accomplish a task.



                   
Process of execution :
    1. It evaluates the playbook that we have created.
    2. The playbook identifies the systems to deploy to and the modules to call.
    3. Once that evaluation is done, it packages everything up into a neat little python package.
    4. Using the inventory, it opens an SSH session to the remote system to deploy the package.
    5. It copies the package to a temp directory created on the remote server.
    6. Once it is copied, the python framework on the remote system executes that package and identifies which steps completed successfully.
    7. The remote system returns the results to the Ansible server as JSON.
    8. Before terminating the SSH session, it deletes the python package that was copied to the temp directory on the remote server.
    9. Ansible now moves on to the next play in that playbook.
  
Execution types : Two types
    Remote execution
    Local execution
  
    Remote execution : The package is deployed to the remote system and then executed on that remote system.
    Local execution : Ansible server is actually executing the package, not the remote system that you are targeting

###########################################################################
Connecting to a different SSH port on Linux servers :

Specify the port in the inventory or hosts file.
In the hosts file, give the hostname in the format 'server:port':
[docker-hosts]
docker1:2222


############################################################################
If multiple Ansible config files are present on the server, which one will it use by default?

/etc/ansible/ansible.cfg – Config file, used if present
~/.ansible.cfg – User config file, overrides the default config if present

############################################################################# 
Privilege escalation :
   Users  -  Root which is disabled
   admin
   developer who access the environment
   
   we have nginx monitor and database running in the env
   
   become: become the super user using the sudo utility. There is also a become method.
   Become method - sudo (pfexec, doas, ksu, runas....)
   Become another user
   
  Eg: inventory :-
        lamp-dev1 ansible_host=192.168.0.170 ansible_user=admin
      
      Playbook :-
      ---
      - name: Install nginx
        become: yes
        hosts: all
        tasks:
        - yum:
            name: nginx
            state: latest
       
As per the above eg, we used become to install the nginx package on the server. It runs with sudo privileges.
***************************************************
we can also use become_method as below


Eg: inventory :-
        lamp-dev1 ansible_host=192.168.0.170 ansible_user=admin
      
      Playbook :-
      ---
      - name: Install nginx
        become: yes
        become_method: doas   # this utility must be available on all the ansible client machines
        hosts: all
        tasks:
        - yum:
            name: nginx
            state: latest
***************************************************
To execute the playbook as another user :

Eg: inventory :-
        lamp-dev1 ansible_host=192.168.0.170 ansible_user=admin
      
      Playbook :-
      ---
      - name: Install nginx
        become: yes
        become_user: nginx
        hosts: all
        tasks:
        - yum:
            name: nginx
            state: latest
***************************************************           
We can even set these become parameters in the inventory file itself. Below is the eg:

     inventory :-
        lamp-dev1 ansible_host=192.168.0.170 ansible_user=admin ansible_become=yes ansible_become_user=nginx
        (we have just prepended ansible_ to the parameters)
       
    
    Playbook :-
      ---
      - name: Install nginx
        hosts: all
        tasks:
        - yum:
            name: nginx
            state: latest

***************************************************   
These can be set in the configuration file as well, without the ansible_ prefix.
config file : /etc/ansible/ansible.cfg

[privilege_escalation]
become        =         True
become_method    =     doas
become_user     = nginx
***************************************************

Note : If you provide these parameters in multiple places as above, then
       the value configured in the inventory file overrides the value provided in the config file.
       The values in the playbook override the values in the inventory file.
       If you pass these as command line parameters, they take precedence over everything.

    eg:-   Command line :  ansible-playbook --become --become-method=doas --become-user=nginx

So in short : command line values have the highest precedence
              the config file has the lowest precedence

Sometimes escalating privileges requires a sudo password; we can make Ansible prompt for it by using --ask-become-pass
The next time we run the playbook, it will prompt for the sudo password.
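
The playbooks above set become at the play level, so every task runs as root. The example below is added here and is not from the original post. It escalates only the task that needs root and prints which user each kind of task ran as. It assumes the lamp-dev1 inventory line shown earlier (ansible_user=admin, no ansible_become set) and that admin is allowed to use sudo; the registered names plain_user and escalated_user are made up for this example.

```yaml
---
# Added example: task-level become instead of play-level become.
# Run with: ansible-playbook nginx.yml --ask-become-pass   (nginx.yml is a placeholder name)
- name: Install nginx, escalating only where root is required
  hosts: all
  become: no
  tasks:
    - name: show the user that ordinary tasks run as
      command: id -un
      register: plain_user
      changed_when: false

    - name: install nginx (the only step that needs root)
      yum:
        name: nginx
        state: latest
      become: yes
      become_method: sudo

    - name: show the user that an escalated task runs as
      command: id -un
      become: yes
      register: escalated_user
      changed_when: false

    - name: print both users
      debug:
        msg: "connected as {{ plain_user.stdout }}, escalated to {{ escalated_user.stdout }}"
```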
