ansible-pull with private Github Repository

“ansible-pull” is a simple way to provision VMs or servers.

The advantage I see is mostly that for example “runcmd” in cloud-init is pretty barebones and doesn’t provide lots of great capabilities to ensure things get done.

It silently fails which has its advantages (server is running) and disadvantages (“Why didn’t this happen? Oh, right, I need to inspect a logfile.”).

Introducing “ansible-pull”, which provides a simple yet sophisticated way to initially provision my server using the more robust framework which ansible provides..

Most examples for “ansible-pull” deal with using local.yml from some Github repository, in case you were wondering how to do this from a private Github repository, here is how:

$ export OAUTH_TOKEN=1234
$ ansible-pull \
-U https://$OAUTH_TOKEN:x-oauth-basic@github.com/org/private-repo \
-d /opt/org/private-repo

Some context

OAUTH_TOKEN is a private Github access token.

My recommendation is to setup a “robot” account (another regular Github account) and join it to your organization for tasks such as these. Create the token inside this account and ensure the account is read-only member to relevant repositories.

“ansible-pull” also requires hosts file to be setup with the current node defined. You’ll see this below!

The rest is a standard “ansible-pull” command with a custom destination.


Putting it all together!

Here’s a cloud-init (in YAML) which I use to provision servers:

#cloud-config
ssh_authorized_keys:
- ssh-rsa yourkey
manage_etc_hosts: true
package_update: true
package_upgrade: true
packages:
- ansible
runcmd:
- echo ‘[local]\n127.0.0.1 ansible_connection=local’ > /etc/ansible/hosts
- TOKEN=1234 ansible-pull -U https://$TOKEN:x-oauth-basic@github.com/org/repo -d /opt/org/repo

What do you use ansible-pull for?

We currently use “ansible-pull” for the following:
- to add support tooling (curl, …)
- provision the nodes with a specific Docker version
- install acme.sh
- register the node in DNS
- install Rancher Agent (which provisions/registers the node in Kubernetes)

… and down the road, to hook up each node to AWX.

Fin

That’s all, you have “ansible-pull” doing the initial provisioning of your server. Bonus points if you can crontab this command and can it periodically (without breaking anything).