Getting Started with Ansible

Arun Kumar Singh
Jan 21

This post introduces Ansible, an automation tool. It assumes that you have a good understanding of Linux and of DevOps concepts.

Configuration management

Configuration management refers to the task or process in which we track and control changes to managed systems, keeping their integrity in place. Managed systems can include software, servers, infrastructure components, etc.

Doubt: What will happen if we do not have CM?

Modern IT systems are often deployed at large scale, in the cloud and on-premises, using automation. Think about what will happen if we cannot keep track of configuration! Furthermore, managing it manually increases risk.

Doubt: What is the Benefit of CM?

The primary benefit of configuration management is the consistency of managed systems. If we have an automated system in place to take care of CM, then you can sleep peacefully.

Doubt: What are the Options?

Ansible, Chef, Puppet, etc.

Mutable vs Immutable Server Infrastructure

In mutable server infrastructure, systems receive continuous updates and patches, and the configuration probably gets updated from time to time as well. In immutable infrastructure, server configuration never changes after the servers are deployed.

Doubt: Immutable Infra does not receive patches or updates?

Immutable Infra also receives/follows the patch or deployment life cycle but instead of updating the server, we tend to rebuild it using the latest patch or configuration. We provision the new infra, replacing or decommissioning the existing one.

Doubt: What’s the benefit, can't we patch the existing one?

With Immutable infra, we achieve consistency, a faster automation cycle, and a smooth deployment process. If I have a word to select, I will go with DevOps!

Idempotent Application

Idempotence is a concept borrowed from mathematics. It is the property that when you apply the same configuration change to an item repeatedly, the exact same result is produced each time, leaving the item in the same state. Now replace “item” with Server or Application!

Idempotence is considered important when you are implementing DevOps.

Doubt: How is Idempotence related to DevOps?

DevOps is a fancy name, I consider it automation. In automation, you may have to validate or perform the same operation a number of times. If every time you perform the same operation and it starts giving different results, then bring a lot of coffee before coming to the office! You may need one. The idempotent behavior of an application handles this issue conveniently.

Doubt: Give me one example.

I need to create one configuration file with standard settings and make it available on the server. Modern DevOps tools are able to automate the server build process and keep it consistent. In this scenario, if I use Ansible, it can consistently ensure that the configuration file gets created only if it does not already exist. If the file exists, Ansible simply leaves it alone. It seems simple but gets pretty complex in different scenarios.

Windows Subsystem for Linux

The Windows Subsystem for Linux (WSL) lets you run a GNU/Linux environment that includes most of the command-line utilities, tools, and applications directly on Windows. You do not need to set up a dual boot system.

Introduction to Ansible

Ansible is an open-source automation tool primarily used for software provisioning, configuration management, and application deployment. It enables you to achieve infrastructure as code. Ansible uses SSH and WinRM to deploy applications and systems consistently and repeatably. Ansible can help you to create/deploy immutable Infrastructure.

  • Configuration management platform
  • Agentless Architecture
  • Ansible modules are idempotent.
  • Can push changes to all machines in parallel
  • Requires Python
  • Open-source tool

Is Ansible free?

Ansible is an absolutely free and open-source tool that can be utilized for commercial purposes. Apart from Open Source Ansible, the Red Hat Ansible Automation Platform is also available in two editions that are differentiated by support and features. Pricing is based on the number of nodes. Ansible Tower offers free handling of up to 10 nodes.

Red Hat® Ansible® Automation Platform

Red Hat Ansible Automation Platform integrates Red Hat’s automation suite consisting of Red Hat Ansible Tower, Red Hat Ansible Engine, and a few other feature products to serve all enterprise automation needs.

There are a few important concepts in Ansible that you should be aware of:

  1. Modules — Ansible uses modules to execute tasks. (Core and Custom)
  2. Playbook — a file containing a list of commands to execute on target servers.
  3. Inventory File — Defines a collection of hosts managed by Ansible (Static and Dynamic)
  4. Ansible roles — Roles provide a framework for fully independent, or interdependent collections of variables, tasks, files, templates, and modules.
  5. Task — Unit of work
  6. APIs — Ansible Tower’s REST API, provides the REST interface to the automation platform

Architecture

In the Ansible ecosystem, there are two types of nodes available.

Control Node

The control node is our master Ansible server. All Ansible magic happens here. Please note, you can use a Windows machine as a control node.

Management nodes

Management nodes are the machines that we are going to manage using Ansible. You do not have to install Ansible or additional software on the management nodes, which is why Ansible is referred to as agentless.

Figure: Control node and Management Node

How does Ansible connect to Management Nodes?

Ansible’s agent-less architecture leverages natively available communication services to connect to the hosts you want to manage. Ansible uses the SSH protocol to communicate with Linux hosts and WinRM or PowerShell with Windows hosts.

  • Ansible gets the list of nodes from the inventory file.
  • Ansible needs to know which user to log in as and, if that user is not root, whether privilege escalation is required.
  • Ansible supports password and passwordless authentication. In most scenarios, you will find SSH keys in use for authentication.

Who populates the inventory file?

Ansible supports two kinds of inventory files, Static and Dynamic. As the names suggest, a Static inventory is populated manually by users, while Dynamic inventories populate themselves automatically. Dynamic inventory is useful in scenarios where hosts are added and removed frequently and automatically. Dynamic inventory uses plugins.

In the simplest form, the inventory file can be INI formatted and look like -

The inventory file can utilize the concept of groups and subgroups. Please refer to the documentation for more details. The file can be written in YAML format as well.
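A YAML inventory with groups and a subgroup, added here as an illustration and not taken from the original post. The host names, the addresses (from the 192.0.2.0/24 documentation range), the key path and the `deploy` login user are constructed.

```yaml
# inventory.yml (constructed sample)
all:
  vars:
    ansible_user: deploy            # hypothetical unprivileged login user
    ansible_port: 22                # SSH port used to reach every host
  children:
    webservers:
      hosts:
        web1:
          ansible_host: 192.0.2.11
        web2:
          ansible_host: 192.0.2.12
    dbservers:
      hosts:
        db1:
          ansible_host: 192.0.2.21
          # per-host SSH key instead of a password (hypothetical path)
          ansible_ssh_private_key_file: ~/.ssh/id_rsa
    production:                     # parent group whose members are other groups
      children:
        webservers:
        dbservers:
      vars:
        ansible_become: true        # tasks on these hosts use privilege escalation
```

Variables set on a group apply to every host in it, so `web1`, `web2` and `db1` all log in as `deploy` and escalate only through `become`.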

What is the purpose of Modules?

Ansible ships with a number of modules that can be executed directly on remote hosts or through playbooks. These modules live in the module library. Tasks in a playbook can invoke modules to do the work. Ansible modules are idempotent, which means they only make changes if a change is needed. To list all available modules, please run the following command

Why do we need a Playbook?

You create a playbook to define a list of tasks. Playbooks are reusable. They are in YAML format and can be managed in a version control system. A play is a list of ordered tasks that run against the inventory. An alternative to playbooks is ad-hoc commands.

While creating a playbook, please be careful with indentation. Example Playbook -

How is the above playbook organized?

You can validate the syntax as well before running.

To run this playbook

Ansible Ad-Hoc Commands?

An Ansible ad-hoc command uses the ansible command-line tool to automate a task on managed nodes. These tasks avoid using playbooks and use modules directly to perform an operation quickly on nodes.

e.g. ping all nodes

e.g. ensure service is started on all webservers:

Ansible Configuration file

This Ansible file is the master configuration file where all settings and configuration reside. There are multiple sections in the configuration file, and each section has its own purpose. To find out which file location is in use, run the following command

Ansible gives you flexibility in where the configuration file lives. Precedence is as follows:

  • ANSIBLE_CONFIG (environment variable if set)
  • ansible.cfg (in the current directory)
  • ~/.ansible.cfg (in the home directory)
  • /etc/ansible/ansible.cfg

I have demonstrated one quick example for you in the screenshot. Try to spend some time and understand what happened.

Demo Deployment

We are going to deploy an open-source version of Ansible for the demo.
Ansible Tower is a paid version that is supported by Red Hat.

In this demo, we are going to use 1 node as the Ansible Control node, and we will manage 1 machine using this node. Both of the machines run Ubuntu 18.04.

Control Node Name — Ubuntu
Management Node Name — Worker

Let’s prepare the control node first. In this step, we are going to generate a key pair for password-less authentication. Please note this is not mandatory; if you are okay with providing the password when Ansible runs its playbook, you can skip this step:

We will use ssh-copy-id to copy the key to the remote managed server and add it to authorized_keys.

You should verify it by connecting to the server via ssh.

Ansible installation will be performed using the package manager. The steps are simple and pretty straightforward.

The Ansible version command is important: it tells you which configuration file is in use! In the default section of this file, you can find details about the inventory.

By default, all entries in the configuration file are commented out. The commented values shown in the file are the default values. You can use this file for Ansible, or you can make a copy of it and configure it as per your requirements.

Open the default inventory file and place the management node entries in it.

You can verify inventory as well.

How will Ansible connect to management nodes?

Settings used for connections are defined in the Ansible configuration file. By default, it uses root as user and port 22 for connection along with other variables.

Apart from this, you can control privilege escalation settings as well.

What is privilege escalation in Ansible?

Ansible uses existing privilege escalation systems to execute tasks on the management nodes. This feature allows you to ‘become’ another user, different from the user that logged into the machine (the remote user).

Why do we need privilege escalation?

As we are aware, not all operations on Linux/Unix-based systems can be run as generic users. You may need privileged users in most cases. Ansible uses privilege escalation to work this out. This setting is part of the configuration file.

After configuring the inventory and Configuration file, we are ready to use Ansible. Let’s perform a quick test using Ad-Hoc Command.

Running a Sample Playbook

In this play, we are creating a user group on the management node.
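A play of this kind, written here as an added example rather than taken from the original post. It also shows the create-only-if-missing file behaviour and the `become` privilege escalation described earlier; the group name `devops`, the file path `/etc/demo-app.conf` and its contents are assumptions.

```yaml
---
# create_group.yml (added example; devops and /etc/demo-app.conf are hypothetical)
- name: Create a group and a default config file on the management nodes
  hosts: all
  become: true              # escalate privileges (sudo by default) for every task
  gather_facts: false

  tasks:
    - name: Ensure the devops group exists
      ansible.builtin.group:
        name: devops
        state: present      # no change is made if the group is already there

    - name: Create the config file only if it does not already exist
      ansible.builtin.copy:
        dest: /etc/demo-app.conf
        content: |
          # standard settings (constructed sample)
          log_level = info
        owner: root
        group: devops
        mode: "0640"        # not world-readable
        force: false        # an existing file is left untouched

    - name: Read back the group entry
      ansible.builtin.command: getent group devops
      register: group_entry
      changed_when: false   # read-only check, never reported as a change

    - name: Show the group entry
      ansible.builtin.debug:
        var: group_entry.stdout
```

The first run reports the group and file tasks as changed; a second run reports `changed=0`, which is the idempotent behaviour the post describes.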

Let’s run this

Verify the changes on the target machine

That’s the way to run the playbook.

One very helpful command to list all changed variables in the config file

Ansible Variables

Ansible supports variables that can be reused across the project. Variables provide a way to handle dynamic values. Variables are scoped as well.

Global — Set for all hosts
Host — For particular host
Play — Set for all but in the context of the play

Please refer to documentation for more details.

Preparing Ansible Project

In a real-world scenario, there are multiple types of servers in a deployment. You can organize the Ansible project differently in those cases. You can create your own structure and utilize the concept of host_vars. Any setting placed inside host_vars will override the settings in ansible.cfg.

That’s all for now. I will cover more advanced topics on Ansible in upcoming posts.

Debug

Use the -v flag to debug connectivity.

You can perform a dry run as well.

Issues

If you see an ECDSA warning after password-less authentication:

This is because of a cached key; run the following command to sort it out

Keep Learning and Stay Safe!
