Ansible: Difference between revisions
m (→Docs) |
|||
(51 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
*[https://serversforhackers.com/an-ansible-tutorial An Ansible Tutorial] | *[https://serversforhackers.com/an-ansible-tutorial An Ansible Tutorial] | ||
*[https://www.cyberciti.biz/faq/how-to-install-and-configure-latest-version-of-ansible-on-ubuntu-linux/ How to Install and Configure latest version of Ansible on Ubuntu Linux] | *[https://www.cyberciti.biz/faq/how-to-install-and-configure-latest-version-of-ansible-on-ubuntu-linux/ How to Install and Configure latest version of Ansible on Ubuntu Linux] | ||
*[https://networklore.com/ansible-getting-started/ Getting started with Ansible] | |||
*[https://ansible-tips-and-tricks.readthedocs.io/en/latest/os-dependent-tasks/variables/ Tips and tricks] | |||
*[https://www.ansible.com/products/awx-project AWX] | |||
*[https://galaxy.ansible.com Ansible Galaxy] | |||
*[https://linuxacademy.com/blog/red-hat/ansible-roles-explained/ Ansible roles explained] | |||
*[https://docs.ansible.com/ansible/latest/user_guide/playbooks_async.html Timeouts] | |||
*[https://manintheit.org/ansible/ansible-sample-scripts/ Ansible sample scripts] | |||
*[https://gist.github.com/mgedmin/5f8ac034df0c371444be module for postfix] | |||
*[https://docs.ansible.com/ansible/latest/collections/ Ansible collections] | |||
=Tools= | |||
*[https://molecule.readthedocs.io/en/latest/ Molecule] for testing roles | |||
*ansible-lint | |||
*ansible-console | |||
*ansible-inventory | |||
=Docs= | =Docs= | ||
*[https://howto.cactus.de/index.php/Ansible_Howto Ansible Howto] | |||
*[https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ Ansible builtin modules] | |||
*[http://ansible-docs.readthedocs.io/zh/stable-2.0/rst/playbooks_conditionals.html Conditionals] | *[http://ansible-docs.readthedocs.io/zh/stable-2.0/rst/playbooks_conditionals.html Conditionals] | ||
*[https://docs.ansible.com/ansible/2.5/user_guide/playbooks_async.html Parallel!] | |||
==Ansible style guides== | |||
*[https://docs.ansible.com/ansible/2.6/dev_guide/style_guide/index.html Style guide] | |||
*[https://redhat-cop.github.io/automation-good-practices/ Ansible good practices] | |||
*[https://spacelift.io/blog/ansible-variables Ansible variables] | |||
==Lineinfile== | |||
*[https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html Lineinfile module] | |||
=Some terms= | |||
=Inventories= | =Inventories= | ||
*[http://docs.ansible.com/ansible/latest/intro_dynamic_inventory.html Dynamic Inventory] | *[http://docs.ansible.com/ansible/latest/intro_dynamic_inventory.html Dynamic Inventory] | ||
*[https://www.jeffgeerling.com/blog/creating-custom-dynamic-inventories-ansible Creating custom dynamic inventories] | *[https://www.jeffgeerling.com/blog/creating-custom-dynamic-inventories-ansible Creating custom dynamic inventories] | ||
*[*[https://www.digitalocean.com/community/tutorials/how-to-set-up-ansible-inventories Set up ansible inventories] | |||
=Alternatives= | =Alternatives= | ||
Line 83: | Line 114: | ||
</pre> | </pre> | ||
==Command/shell output on single line== | == comment out a line == | ||
- name: remove java line from rclocal | |||
lineinfile: | |||
dest: /etc/rc.local | |||
regexp: '^(java.*)$' | |||
line: '# \1' | |||
backrefs: yes | |||
=HOWTO= | |||
==Add user to group== | |||
name: add user to bargroup | |||
user: | |||
name: foo | |||
groups: bargroup | |||
append: yes | |||
==Run command== | |||
==Cronjobs and ssh passphrases== | |||
See https://gist.github.com/Justintime50/297d0d36da40834b037a65998d2149ca | |||
= FAQ = | |||
==Connect to a different port== | |||
Try | |||
--extra-vars="ansible_port=2345" | |||
==Error messages== | |||
===ERROR! conflicting action statements: debug, msg=== | |||
'''indentation''' | |||
===Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.=== | |||
Try | |||
ANSIBLE_HOST_KEY_CHECKING=False playbook ... | |||
===Platform linux on host backup01 is using the discovered Python interpreter at /usr/bin/python3=== | |||
one hack is adding to ~/.ansible.cfg: | |||
[defaults] | |||
interpreter_python=auto_silent | |||
but better fix it.HOW?? | |||
===The error was: 'item' is undefined"=== | |||
wrong indentation for with_items | |||
==ansible-lint== | |||
===Use shell only when shell functionality is required=== | |||
== roles for multiple distributions == | |||
include_vars with "distro-{{ansible_distro_name}}.yml" | |||
== Escape single quote == | |||
'foo ''bar'' ' | |||
==Syntax Error while loading YAML. did not find expected key== | |||
Check indentation | |||
| |||
== Newlines in output == | |||
instead of all those '\n': | |||
In ansible.cfg: | |||
stdout_callback = yaml | |||
== Ad-hoc commands == | |||
[http://docs.ansible.com/ansible/latest/intro_adhoc.html http://docs.ansible.com/ansible/latest/intro_adhoc.html] | |||
== check python code == | |||
ansible-test sanity --test pep8 mycode.py | |||
== Command/shell output on single line == | |||
ANSIBLE_STDOUT_CALLBACK=oneline ansible-playbook foo.yml | ANSIBLE_STDOUT_CALLBACK=oneline ansible-playbook foo.yml | ||
==Storing passwords== | == Storing passwords == | ||
http://docs.ansible.com/ansible/2.4/vault.html | |||
[http://docs.ansible.com/ansible/2.4/vault.html http://docs.ansible.com/ansible/2.4/vault.html] | |||
== Show all host variables == | |||
ansible -m setup <hostname> | ansible -m setup <hostname> | ||
==Show all OS/versions== | == Show all OS/versions == | ||
ansible all -m setup -a "filter=ansible_distribution*" | ansible all -m setup -a "filter=ansible_distribution*" | ||
==Syntax highlighting for ansible== | == Syntax highlighting for ansible == | ||
*https://github.com/chase/vim-ansible-yaml | *[https://github.com/chase/vim-ansible-yaml https://github.com/chase/vim-ansible-yaml] | ||
Drop the files in ~/vim/bundle and in .vimrc: | Drop the files in ~/vim/bundle and in .vimrc: | ||
call pathogen#infect() | call pathogen#infect() | ||
call pathogen#helptags() | call pathogen#helptags() | ||
Or maybe better: | |||
*[https://github.com/pearofducks/ansible-vim https://github.com/pearofducks/ansible-vim] | |||
== Retry == | |||
--limit @/home/ansible/ssh.retry | --limit @/home/ansible/ssh.retry | ||
==Error messages== | |||
===ERROR! 'when' is not a valid attribute for a Play=== | |||
=== ERROR! this task 'import_playbook' has extra params === | |||
meh | |||
| |||
=== /usr/bin/chattr: Clearing extent flag not supported === | |||
Probably trying to make a backup of a symlink | |||
== Escape curly braces == | |||
{{ '{' }} | |||
== Check file for string == | |||
tasks: | |||
- name: grep line | |||
shell: "grep -q swap /etc/fstab" | |||
failed_when: false | |||
register: grepped | |||
- name: show grep | |||
debug: | |||
msg: "exists" | |||
when: grepped.rc == 0 | |||
== Error messages == | |||
=== msg: The PyMySQL (Python 2.7 and Python 3.X) or MySQL-python (Python 2.X) module is required === | |||
Means you need to install for example python2-PyMySQL on that host | |||
==Ansible-lint messages== | |||
===Commands should not change things if nothing needs doing=== | |||
Ignore, or use | |||
changed_when: false | |||
===Shells that use pipes should set the pipefail option=== | |||
shell: | | |||
set -o pipefail | |||
some command | |||
=Tips & tricks= | |||
==Includes only when on host group== | |||
- block: | |||
- include: foo.yml | |||
- include: bar.yml | |||
when: "'foobar' in group_names" | |||
== Show info/facts of a host == | |||
ansible somehost -m setup | |||
ansible somehost -m ansible.builtin.setup | |||
==Show distribution and version== | |||
- name: show some host info | |||
debug: | |||
msg: Dist {{ ansible_distribution }} {{ ansible_distribution_version }} | |||
[[Category:Configuration management]] |
Latest revision as of 14:55, 25 October 2024
Configuration management
Links
- Homepage
- Adding iptables Rules With Ansible
- Going Deeper into Ansible Playbooks
- An Ansible Tutorial
- How to Install and Configure latest version of Ansible on Ubuntu Linux
- Getting started with Ansible
- Tips and tricks
- AWX
- Ansible Galaxy
- Ansible roles explained
- Timeouts
- Ansible sample scripts
- module for postfix
- Ansible collections
Tools
- Molecule for testing roles
- ansible-lint
- ansible-console
- ansible-inventory
Docs
Ansible style guides
Lineinfile
Some terms
Inventories
Alternatives
Quickstart
On server as root create key:
ssh-keygen
(go for defaults) and then get content of ~/.ssh/id_rsa.pub in your copypastebuffer
On 'clients' edit /etc/ssh/sshd_config to
PermitRootLogin without-password
and restart sshd
Edit/create ~root/.ssh/authorized_keys and add:
from="ip.of.ansible.server" <paste public key here>
Scripts/playbooks
Maintain useraccounts
--- - name: remove users user: name=exuser state=absent force=yes groups='' with_dict: accounts tags: - delusers - name: sync group group: name: sync gid: 999 state: "present" - name: fix homedir rights lineinfile: dest=/etc/login.defs regexp=^UMASK line="UMASK 007" - name: useraccounts user: name: "{{ item.key }}" comment: "{{ item.value.name }}" uid: "{{ item.value.uid }}" state: "present" shell: "/bin/bash" groups: sudo with_dict: accounts tags: - accounts - name: userpasswords user: name: "{{ item.key }}" password: "{{ lookup('csvfile',item.key + ' file=/etc/shadow delimiter=: col=1' ) }}" with_dict: accounts #ssh keys - name: userkeys authorized_key: user={{ item.key }} key="{{ lookup('file','/home/' + item.key + '/.ssh/authorized_keys' ) }}" exclusive=yes with_dict: accounts tags: - keys - name: nofoobar user: name=foobar state=absent remove=yes tags: - foobar
comment out a line
- name: remove java line from rclocal lineinfile: dest: /etc/rc.local regexp: '^(java.*)$' line: '# \1' backrefs: yes
HOWTO
Add user to group
name: add user to bargroup user: name: foo groups: bargroup append: yes
Run command
Cronjobs and ssh passphrases
See https://gist.github.com/Justintime50/297d0d36da40834b037a65998d2149ca
FAQ
Connect to a different port
Try
--extra-vars="ansible_port=2345"
Error messages
ERROR! conflicting action statements: debug, msg
indentation
Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.
Try
ANSIBLE_HOST_KEY_CHECKING=False playbook ...
Platform linux on host backup01 is using the discovered Python interpreter at /usr/bin/python3
one hack is adding to ~/.ansible.cfg:
[defaults] interpreter_python=auto_silent
but better fix it.HOW??
The error was: 'item' is undefined"
wrong indentation for with_items
ansible-lint
Use shell only when shell functionality is required
roles for multiple distributions
include_vars with "distro-Template:Ansible distro name.yml"
Escape single quote
'foo bar '
Syntax Error while loading YAML. did not find expected key
Check indentation
Newlines in output
instead of all those '\n':
In ansible.cfg:
stdout_callback = yaml
Ad-hoc commands
http://docs.ansible.com/ansible/latest/intro_adhoc.html
check python code
ansible-test sanity --test pep8 mycode.py
Command/shell output on single line
ANSIBLE_STDOUT_CALLBACK=oneline ansible-playbook foo.yml
Storing passwords
http://docs.ansible.com/ansible/2.4/vault.html
Show all host variables
ansible -m setup <hostname>
Show all OS/versions
ansible all -m setup -a "filter=ansible_distribution*"
Syntax highlighting for ansible
Drop the files in ~/vim/bundle and in .vimrc:
call pathogen#infect() call pathogen#helptags()
Or maybe better:
Retry
--limit @/home/ansible/ssh.retry
Error messages
ERROR! 'when' is not a valid attribute for a Play
ERROR! this task 'import_playbook' has extra params
meh
/usr/bin/chattr: Clearing extent flag not supported
Probably trying to make a backup of a symlink
Escape curly braces
{{ '{' }}
Check file for string
tasks: - name: grep line shell: "grep -q swap /etc/fstab" failed_when: false register: grepped
- name: show grep debug: msg: "exists" when: grepped.rc == 0
Error messages
msg: The PyMySQL (Python 2.7 and Python 3.X) or MySQL-python (Python 2.X) module is required
Means you need to install for example python2-PyMySQL on that host
Ansible-lint messages
Commands should not change things if nothing needs doing
Ignore, or use
changed_when: false
Shells that use pipes should set the pipefail option
shell: | set -o pipefail some command
Tips & tricks
Includes only when on host group
- block: - include: foo.yml - include: bar.yml when: "'foobar' in group_names"
Show info/facts of a host
ansible somehost -m setup ansible somehost -m ansible.builtin.setup
Show distribution and version
- name: show some host info debug: msg: Dist Template:Ansible distribution Template:Ansible distribution version