Difference between revisions of "Ansible Howto"
Revision as of 22:43, 19 November 2018
ansible first steps
documentation
- https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html
- changing root passwords: https://www.redpill-linpro.com/sysadvent/2017/12/02/ansible-change-passwords.html
installation
on ubuntu >= 18.04:
sudo apt install ansible
on ubuntu older than 18.04 and debian (up to 9/stretch):
These systems ship with ansible versions older than 2.4. For the apt module to work smoothly (e.g. autoremove) you really need ansible 2.4 or above, so take it from the Ansible PPA. Note that "sudo echo ... >> /etc/apt/sources.list" does not work: the redirection is performed by your own, unprivileged shell, so pipe the line through sudo tee instead.
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" | sudo tee -a /etc/apt/sources.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
sudo apt update
sudo apt upgrade
sudo apt install ansible
prepare a client for ansible usage
The examples use a user named tim for the ssh sessions; that user is set up for sudo and for ssh public-key authentication.
as root user:
useradd -m tim -s /bin/bash
passwd tim
add the user to the sudo group (e.g. with usermod -aG) and verify the membership:
grep sudo /etc/group
sudo:x:<id>:tim
allow the sudo group to use all commands via sudo (this is the Debian/Ubuntu default, check it with):
grep sudo /etc/sudoers
%sudo ALL=(ALL:ALL) ALL
from here on in the user context:
su - tim
mkdir /home/tim/.ssh
chmod 700 /home/tim/.ssh
echo "<ssh-public-key>" >> /home/tim/.ssh/authorized_keys
chmod 600 /home/tim/.ssh/authorized_keys
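The same client preparation done with ansible itself, as an added example that is not part of the original page: it is run once against a fresh host as root (password login, -k) before tim and his key exist there, and afterwards the tim/sudo/key setup above is in place and the rest of this page applies. The inventory group all, the extra variable pubkey, the variable managed_user and the file name bootstrap-user.yml are assumptions of this example.

```yaml
# bootstrap-user.yml (added example, not from the original page)
# Run once as root, before tim and his key exist on the target:
#   ansible-playbook bootstrap-user.yml -l itchy -u root -k \
#     -e "pubkey='ssh-ed25519 AAAA...XXX tim@spike-vm'"
# Assumptions: Debian/Ubuntu targets, root may still log in with a
# password, and the public key arrives via the extra variable "pubkey".
---
- hosts: all
  become: yes            # a no-op when already root, needed if re-run as tim later
  vars:
    managed_user: tim    # the login the ansible controller will use from now on
  tasks:
    - name: refuse to continue without a plausible public key
      assert:
        that:
          - pubkey is defined
          - "pubkey is match('^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=*( .*)?$')"
        msg: "pass the key with -e \"pubkey='<type> <base64> <comment>'\""

    - name: install sudo (a minimal Debian does not ship it; the package also creates the sudo group)
      apt:
        name: sudo
        state: present
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

    - name: create the user with a home directory and a real shell (useradd -m -s /bin/bash)
      user:
        name: "{{ managed_user }}"
        shell: /bin/bash
        groups: sudo       # membership in sudo is what /etc/sudoers grants ALL=(ALL:ALL) ALL to
        append: yes        # keep any groups the account already has

    - name: install the public key (creates ~/.ssh 0700 and authorized_keys 0600, owned by the user)
      authorized_key:
        user: "{{ managed_user }}"
        key: "{{ pubkey }}"

    - name: make sure the sudo group really may run everything, and never write a broken sudoers
      lineinfile:
        path: /etc/sudoers
        regexp: '^%sudo\s'
        line: '%sudo ALL=(ALL:ALL) ALL'
        validate: '/usr/sbin/visudo -cf %s'   # a file visudo rejects never replaces the real one
```

After it has run, ansible itchy -m ping as tim should answer pong without -u root -k, and the playbooks further down can use become with tim's password (-K). The visudo validate step is the part worth copying: an unparseable /etc/sudoers locks every sudo user out, including the one you would use to repair it.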
initial ansible serverconfig
fill /etc/ansible/hosts
add all your hosts/groups to your /etc/ansible/hosts file
setup ssh shell
tim@spike-vm:~/ansi$ ssh-agent bash
tim@spike-vm:~/ansi$ ssh-add /home/tim/.ssh/id_rsa
Enter passphrase for /home/tim/.ssh/id_rsa:
Identity added: /home/tim/.ssh/id_rsa (/home/tim/.ssh/id_rsa)
tim@spike-vm:~/ansi$
or better, let keychain start one agent per login and reuse it. Note the single quotes: inside double quotes the shell would run the backticks while writing .bashrc and store one run's SSH_AUTH_SOCK values instead of the eval command.
sudo apt install keychain
echo 'eval `keychain --eval id_rsa`' >> /home/tim/.bashrc
test client connectivity
tim@spike-vm:~/ansi$ ansible itchy -m ping
itchy | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
tim@spike-vm:~/ansi$
Logging
Ansible has built-in support for logging. Add the following lines to your ansible configuration file (/etc/ansible/ansible.cfg, or an ansible.cfg in the playbook directory):
[defaults]
log_path=/var/log/ansible.log
and then create the file so that the user running ansible can write to it. Handing the file to that user is preferable to the usual chmod 666: the log records every task's module arguments and results (everything not covered by no_log, plus the -v output), which is not something every local account should be able to read or append to.
tim@spike-vm:~$ sudo touch /var/log/ansible.log
tim@spike-vm:~$ sudo chown tim: /var/log/ansible.log
tim@spike-vm:~$ sudo chmod 640 /var/log/ansible.log
This simply logs the command line output to the file.
Debugging
Use the -v switch to see the stdout of each task (the two "did not meet ... requirements" lines are the inventory plugins trying host_list and script before falling back to the ini parser for /etc/ansible/hosts; they are harmless):
tim@spike-vm:~$ ansible-playbook ansi/update-upgrade.yml -K -v
Using /etc/ansible/ansible.cfg as config file
SUDO password:
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [itchy]
...
TASK [.deb do dist-upgrade] ****************************************************
ok: [gware] => {"changed": false, "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stderr": "", "stderr_lines": [], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."]}
ansible ad-hoc commands
use case gather system information
display os version:
tim@spike-vm:~$ ansible all -m setup -a "filter=ansible_lsb"
use case add file
use case append to file
e.g. add a public key to authorized_keys. The module creates ~/.ssh and authorized_keys with the right owner and modes itself; run it with -b -K unless you are already logged in as the target user:
ansible all -m authorized_key -a "user=tim key='ssh-rsa AAAA...XXX== tim@hostname'"
use cases edit file
e.g. add an LDAP user to the local group users in /etc/group. The \1 and \2 in line are only expanded when backrefs=yes is set (otherwise they are written literally), and /etc/group is root-owned, so the call needs -b -K:
ansible all -b -K -m lineinfile -a "dest=/etc/group regexp='^(users:x:100:)(.*)' line='\1ldapusername,\2' backrefs=yes"
Two caveats: this regexp matches again on every run, so each run appends another "ldapusername," (extend the regexp with a negative lookahead such as (?!.*ldapusername) to make it idempotent), and if the group has no members yet the line ends with a trailing comma. For local accounts the user module (groups=users append=yes) is the safer tool; lineinfile is for files no module owns.
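The edit-file use case as a playbook, added here as an example (not code from the original page): the same lineinfile module, but made idempotent with a regexp that also matches the commented-out default line, and with validate so a typo cannot produce an sshd_config that sshd refuses to start with. It assumes Debian/Ubuntu targets (service name ssh, binary /usr/sbin/sshd) and that key-based login for tim already works, because it turns password logins off; the file name sshd-hardening.yml is arbitrary.

```yaml
# sshd-hardening.yml (added example, not from the original page)
#   ansible-playbook sshd-hardening.yml -l itchy -K
# Assumptions: Debian/Ubuntu (service "ssh", /usr/sbin/sshd) and that
# "ansible itchy -m ping" already works with tim's key, because after
# this run a password alone will no longer get you in.
---
- hosts: all
  become: yes
  tasks:
    - name: turn off password logins
      lineinfile:
        path: /etc/ssh/sshd_config
        # also matches the shipped "#PasswordAuthentication yes" line, so the
        # directive is rewritten in place and a second run changes nothing
        regexp: '^#?\s*PasswordAuthentication\s'
        line: 'PasswordAuthentication no'
        # sshd parses the candidate file first; if it does not pass, the
        # original file is left untouched and the task fails instead
        validate: '/usr/sbin/sshd -t -f %s'
      notify: reload sshd

    - name: allow root only with a key (without-password is the spelling old and current sshd both accept)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: 'PermitRootLogin without-password'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: reload sshd

  handlers:
    - name: reload sshd
      service:
        name: ssh
        state: reloaded
```

lineinfile replaces the last line the regexp matches, so check the file once by hand if a host carries several PasswordAuthentication entries (e.g. inside Match blocks). Keep an existing ssh session open until a fresh key login has been confirmed after the reload.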
ansible playbooks
use cases debian/ubuntu sys management using apt
update and upgrade packages
tim@spike-vm:~/ansi$ cat apt-update-upgrade.yml
---
- hosts: all
  become: yes
  tasks:
    - name: assert ansible version
      assert:
        that:
          # 'that' is already a jinja expression, no {{ }} needed; ansible >= 2.5 also spells the test 'version'
          - ansible_version.string is version_compare('2.4', '>=')
        msg: Ansible 2.4 or above is required

    - name: .deb do dist-upgrade
      apt:
        update_cache: yes
        cache_valid_time: 1200   # skip the refresh if the cache is younger than 20 minutes
        upgrade: dist
        autoremove: yes          # needs ansible >= 2.4
        purge: yes               # purge the configuration of what autoremove drops
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
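A check that belongs after the dist-upgrade, added here as an example that is not part of the original page: an upgraded kernel or libc is not in use until the host reboots, so report which hosts still need one instead of treating the upgrade as finished. It assumes Debian/Ubuntu targets on which the packages that require a reboot create /var/run/reboot-required (and the package list in /var/run/reboot-required.pkgs); the file name is arbitrary and nothing is rebooted.

```yaml
# apt-reboot-check.yml (added example, not from the original page)
#   ansible-playbook apt-reboot-check.yml -K
# Assumption: Debian/Ubuntu targets where a kernel/libc upgrade drops
# /var/run/reboot-required (Ubuntu does this by default; on Debian it
# depends on the installed update-notifier hooks).
---
- hosts: all
  become: yes
  tasks:
    - name: look for the reboot flag left behind by dist-upgrade
      stat:
        path: /var/run/reboot-required
      register: reboot_flag
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

    - name: read which packages asked for the reboot
      command: cat /var/run/reboot-required.pkgs
      register: reboot_pkgs
      changed_when: false      # reading a file is not a change
      failed_when: false       # the .pkgs list is optional
      # reboot_flag.stat is undefined when the stat task was skipped (non-Debian host)
      when: reboot_flag.stat is defined and reboot_flag.stat.exists

    - name: report it, but leave the reboot to a change window
      debug:
        msg: "{{ inventory_hostname }} needs a reboot for: {{ reboot_pkgs.stdout_lines | default([]) }}"
      when: reboot_flag.stat is defined and reboot_flag.stat.exists
```

Hosts without the flag stay silent, so a run whose only output is the recap means every upgrade is actually live.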
autoremove unused packages
This only works for ansible >=2.4.
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-autoremove.yml -K
tim@spike-vm:~/ansi$ cat apt-autoremove.yml
---
- hosts: all
  become: yes
  tasks:
    - name: assert ansible version
      assert:
        that:
          - ansible_version.string is version_compare('2.4', '>=')
        msg: Ansible 2.4 or above is required

    - name: Autoremove unused packages
      apt:
        autoremove: yes
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
use case install apt package
tim@spike-vm:~/ansi$ ansible-playbook -l puppet apt-install.yml -K -e "package=apache2"
SUDO password:

PLAY [all] *********************************************************************

TASK [setup] *******************************************************************
ok: [puppet]

TASK [install package "apache2"] ***********************************************
ok: [puppet]

PLAY RECAP *********************************************************************
puppet                     : ok=2    changed=0    unreachable=0    failed=0

The package name comes from the extra variable passed with -e; the task name and the apt call both use it:
tim@spike-vm:~/ansi$ cat apt-install.yml
---
- hosts: all
  become: yes
  tasks:
    - name: install package "{{ package }}"
      apt:
        name: "{{ package }}"
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
use case change passwords for linux systems
vars_prompt with encrypt needs the passlib library on the control node (python-passlib for Python 2; python3-passlib if ansible runs under Python 3):
sudo apt install python-passlib
Change the password for your own user on all targets. The account name is taken from $USER on the control node, so the target account must have the same name as the one running ansible-playbook:
tim@spike-vm:~/ansi$ ansible-playbook change-user-password.yml -l spike -K
SUDO password:
Enter New Password:
confirm Enter New Password:

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [spike]

TASK [Change password of calling user] *****************************************
changed: [spike]

PLAY RECAP *********************************************************************
spike                      : ok=2    changed=1    unreachable=0    failed=0

tim@spike-vm:~/ansi$
playbook:
tim@spike-vm:~/ansi$ cat change-user-password.yml
---
- hosts: all
  become: yes
  gather_facts: yes
  vars_prompt:
    - name: "new_password"
      prompt: "Enter New Password"
      private: yes              # nothing is echoed while typing
      encrypt: "sha512_crypt"   # the variable holds the hash; the cleartext never leaves the control node
      confirm: yes
      salt_size: 7
  tasks:
    - name: Change password of calling user
      user:
        name: "{{ lookup('env', 'USER') }}"   # $USER of the shell running ansible-playbook, i.e. tim
        update_password: always
        password: "{{ new_password }}"        # the user module marks this argument no_log, so it is masked in logs and -v output
tim@spike-vm:~/ansi$
change root password
tim@spike-vm:~/ansi$ cat change-root-password.yml
---
- hosts: all
  become: yes
  gather_facts: yes
  vars_prompt:
    - name: "new_password"
      prompt: "Enter New Password"
      private: yes
      encrypt: "sha512_crypt"
      confirm: yes
      salt_size: 7
  tasks:
    - name: Change password of root user
      user:
        name: root
        update_password: always
        password: "{{ new_password }}"
tim@spike-vm:~/ansi$
call with:
tim@spike-vm:~/ansi$ ansible-playbook change-root-password.yml -l puppet -K