Introduction
Ansible is a system administration tool that allows for the administration of multiple devices from one central device. It compares to tools like Puppet or Chef, but whereas those packages require the installation of agents on the client systems, Ansible operates by passing commands over ssh without the need for agents at all. We’ll take a look at some of the administrative tasks Ansible is capable of so you can get a better idea of whether Ansible might be right for you.
Prerequisites
- A Linux, BSD, or OSX control device.
- ssh access (firewall and credentials) to client devices from your control device. Ansible prefers the use of ssh keys to access client devices, but we’ll also show you options using username and password.
- Python 2.6 or 2.7 installed on the control device.
Installation
Ansible is available via the package managers from the major Linux/BSD/OSX distributions. It’s also available via Python’s pip installer.
CentOS/Fedora:
sudo yum install ansible
Ubuntu (you’ll need to add the Ansible PPA first):
sudo apt-get install software-properties-common
sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update
sudo apt-get install ansible
Arch Linux:
pacman -S ansible
FreeBSD:
sudo pkg install ansible
Python package manager, pip (OSX users can install with pip as well):
sudo pip install ansible
Setting up Access to Ansible Clients
Hosts
One of the benefits of using Ansible is the ability to manage multiple clients from one control device–from the same terminal interface. You can specify various groups of client servers based on function, location, and/or OS by creating groups in the /etc/ansible/hosts file.
[mailservers]
smtp.orl-fl.example.com
smtp.dal-tx.example.com
[db_servers]
db.orl-fl.example.com
db.sfo-ca.example.com
[orlando]
smtp.orl-fl.example.com
db.orl-fl.example.com
[nameservers]
ns[01:12].example.com
A name enclosed in square brackets [] defines a group name and includes hosts in the list that follows it. You may also indicate a sequential range within a hostname pattern with square brackets and a colon, as in ns[01:12].example.com above.
A client may exist in multiple groups. The group name works as an alias for the group list, making it easier to reference which group of servers you will be targeting with your particular Ansible command or playbook.
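Added example, not part of the original article: a short Python sketch that resolves an inventory in the format above into the hosts each group name actually reaches, expanding ranges such as ns[01:12] (it also handles the [start:end:step] and alphabetic forms, which goes beyond the case shown here), and flags entries outside an expected domain before a command or password prompt is pointed at them. The function names, the sample inventory and the example.com domain check are assumptions for illustration; [name:vars] and [name:children] sections are skipped.

```python
import re
# Constructed sample in the /etc/ansible/hosts format shown above. The
# misspelled "examle.com" entry is deliberate, to exercise the domain check.
SAMPLE = """\
[mailservers]
smtp.orl-fl.example.com
smtp.dal-tx.example.com
[orlando]
smtp.orl-fl.example.com
db.orl-fl.examle.com
[nameservers]
ns[01:12].example.com
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")
RANGE = re.compile(r"\[(?:(\d+):(\d+)|([A-Za-z]):([A-Za-z]))(?::(\d+))?\]")

def expand(pattern):
    """Expand [start:end] / [start:end:step] ranges; both bounds are inclusive."""
    m = RANGE.search(pattern)
    if not m:
        return [pattern]
    lo, hi, a, z, step = m.groups()
    step = int(step or 1)
    if lo is not None:  # numeric range: keep the zero padding of the start bound
        items = [str(n).zfill(len(lo)) for n in range(int(lo), int(hi) + 1, step)]
    else:               # single-letter alphabetic range
        items = [chr(c) for c in range(ord(a), ord(z) + 1, step)]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [h for item in items for h in expand(head + item + tail)]

def parse_inventory(text):
    """Return {group: [hosts]} for plain [group] host lists."""
    groups, current = {}, "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        sec = SECTION.match(line)
        if sec:  # [name:vars] and [name:children] sections are skipped here
            current = None if ":" in sec.group(1) else sec.group(1)
        elif line and current:
            groups.setdefault(current, []).extend(expand(line.split()[0]))
    return groups

def outside_domain(groups, domain):
    """Hosts not under the expected domain: usually a typo in the inventory."""
    return sorted({h for hs in groups.values() for h in hs if not h.endswith("." + domain)})

if __name__ == "__main__":
    print(outside_domain(parse_inventory(SAMPLE), "example.com"))
```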
ssh Keys
Ansible works best when your control server–the one from which you’ll be running your Ansible commands–can use ssh keys to access client hosts. When you run an Ansible command without additional options, it defaults to attempting to access remote clients via ssh keys.
Tip: If you have secured your private ssh key with a passphrase, it can be inconvenient and inefficient to have to enter that passphrase each time you need to decrypt it for each ssh session you’ll be opening with Ansible. To simplify this process, open a separate shell with ssh-agent. When you import a private key into this shell, you only have to enter your passphrase once to add the unencrypted private key.
ssh-agent bash
ssh-add ~/.ssh/id_rsa
The first command opens a new bash shell. The ssh-add command will prompt you for your private key’s passphrase and then import the RSA private key into this shell. You may, of course, substitute the appropriate private key, if using id_ecdsa or id_dsa, for example.
ssh Access (Without ssh Keys)
If you have client servers that don’t have ssh keys set up, you can still use Ansible with your current user and prompt for your user password. For example, we might want to use the ping module to verify that all of our hosts in the db_servers group are responsive.
ansible db_servers -m ping --ask-pass
This command will first prompt for the current user’s ssh password to use to access all servers in the db_servers group before running the module on each client.
Note: This command will require that your user exists on each client, is allowed ssh access, and uses the same password.
Also, the ping module isn’t related to the ICMP ping that tests network connectivity. Its use with the ansible command verifies that a client server is accessible with the indicated user and that the client server has a version of Python that Ansible can work with. The ping module should return a pong response upon successful completion.
ssh Access (With Password)
Default Ansible commands also presume that, in addition to using ssh keys, you are using passwordless sudo. If you have client servers that require a password to obtain sudo access, you can use additional options to become sudo and prompt for a sudo password. So, for example, to reboot all servers in the mailservers group using the username username:
ansible mailservers -a "/sbin/reboot" -u username --become --ask-become-pass
The --become option indicates that the user will become a privileged user (sudo), and the --ask-become-pass option prompts Ansible to ask for the password to become that privileged user before executing the command.
The --become and --ask-become-pass options are newer options (as of Ansible version 1.9) meant to replace the older --sudo and --ask-sudo-pass (-K) options, respectively. These older versions still work. Replacing sudo with become broadens the scope of these options to include integration with tools that use means other than sudo to enable privilege escalation.
Some Basic Ansible CLI Commands
While the real power of Ansible lies in the use of playbooks, you can also run the ansible command to do some quick client management for instances where it doesn’t make sense to create a playbook or where you might need to only push a single command to a group of client devices.
The ansible command follows the pattern ansible [group] OPTIONS.
Run Yum Updates
If, for example, you would like to run yum updates on the servers in your mailservers group, you could accomplish this task with the following Ansible command:
ansible mailservers -m yum -a "name=* state=latest" --become
This command updates all servers in the mailservers group with the yum module (-m). The -a option indicates a particular argument in double quotes–in this case, updating all installed packages (using the * wildcard) to their latest state.
Copy File to Clients
You can use Ansible to distribute a file to a group of client servers.
ansible orlando -m copy -a "src=/home/scripts/foo.sh dest=/opt/scripts/foo.sh"
This command invokes the copy module and indicates the src (source) and dest (destination) in quotes for the arguments. The source location defaults to the device that this Ansible command is running on and can be absolute or relative. The destination location is the location on the remote client device and must always be absolute.
You may also use the copy module to further refine the attributes of the file you are copying over.
ansible orlando -m copy -a "src=/home/scripts/foo.sh dest=/opt/scripts/foo.sh owner=foo group=bar mode=0755"
This command additionally changes the owner, group, and file permissions of the file on each client in the orlando group.
Execute Shell Command
You may also execute a script on each client with the shell module.
ansible orlando -m shell -a '/opt/scripts/foo.sh >> /home/foo/bar.txt'
This command would execute the foo.sh script and redirect its output to the /home/foo/bar.txt file. Note the single quotes here. You’ll need single quotes instead of double so that you can pass the >> operator to the remote shell.
An Ansible Amuse-Bouche
There are many more commands and modules you can use, but this sampling should provide a good introduction to how useful Ansible can be if you manage even just a small number of servers. If you find yourself in the sometimes unenviable position of having to perform repetitive tasks across your server infrastructure, we hope these examples have given you a taste of how Ansible might help you to work smarter (and more efficiently!).
Please be sure to check back with us in the future for more articles on server administration and other things you can do with Ansible. Atlantic.Net offers a broad collection of flexible VPS hosting solutions for a small start-up to a well established enterprise company.