book

Ansible: Up and Running, 3rd Edition

by Bas Meijer, Lorin Hochstein, René Moser

July 2022

Intermediate to advanced

470 pages

10h 22m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsFrom LorinFrom RenéFrom Bas
A Note About VersionsAnsible: What Is It Good For?How Ansible WorksWhat’s So Great About Ansible?SimplePowerfulSecureIs Ansible Too Simple?What Do I Need to Know?What Isn’t CoveredMoving Forward
Installing AnsibleLoose DependenciesRunning Ansible in ContainersAnsible DevelopmentSetting Up a Server for TestingUsing Vagrant to Set Up a Test ServerTelling Ansible About Your ServersSimplifying with the ansible.cfg FileKill Your DarlingsConvenient Vagrant Configuration OptionsPort Forwarding and Private IP AddressesEnabling Agent ForwardingThe Docker ProvisionerThe Ansible Local ProvisionerWhen the Provisioner RunsVagrant Plug-insHostmanagerVBGuestVirtualBox CustomizationVagrantfile Is RubyProduction SetupConclusion
PreliminariesA Very Simple PlaybookSpecifying an NGINX Config FileCreating a Web PageCreating a GroupRunning the PlaybookPlaybooks Are YAMLStart of DocumentEnd of FileCommentsIndentation and WhitespaceStringsBooleansListsDictionariesMultiline StringsPure YAML Instead of String ArgumentsAnatomy of a PlaybookPlaysTasksModulesViewing Ansible Module DocumentationPutting It All TogetherDid Anything Change? Tracking Host StateGetting Fancier: TLS SupportGenerating a TLS CertificateVariablesQuoting in Ansible StringsGenerating the NGINX Configuration TemplateLoopHandlersA Few Things to Keep in Mind About HandlersTestingValidationThe PlaybookRunning the PlaybookConclusion
Inventory/Hosts FilesPreliminaries: Multiple Vagrant MachinesBehavioral Inventory ParametersChanging Behavioral Parameter DefaultsGroups and Groups and GroupsExample: Deploying a Django AppAliases and PortsGroups of GroupsNumbered Hosts (Pets Versus Cattle)Hosts and Group Variables: Inside the InventoryHost and Group Variables: In Their Own FilesDynamic InventoryInventory Plug-insAmazon EC2Azure Resource ManagerThe Interface for a Dynamic Inventory ScriptWriting a Dynamic Inventory ScriptBreaking the Inventory into Multiple FilesAdding Entries at Runtime with add_host and group_byadd_hostgroup_byConclusion
Defining Variables in PlaybooksDefining Variables in Separate FilesDirectory LayoutViewing the Values of VariablesVariable InterpolationRegistering VariablesFactsViewing All Facts Associated with a ServerViewing a Subset of FactsAny Module Can Return Facts or InfoLocal FactsUsing set_fact to Define a New VariableBuilt-In Variableshostvarsinventory_hostnamegroupsExtra Variables on the Command LinePrecedenceConclusion
Why Is Deploying to Production Complicated?Postgres: The DatabaseGunicorn: The Application ServerNGINX: The Web ServerSupervisor: The Process ManagerConclusion
Listing Tasks in a PlaybookOrganization of Deployed FilesVariables and Secret VariablesInstalling Multiple PackagesAdding the Become Clause to a TaskUpdating the apt CacheChecking Out the Project Using GitInstalling Mezzanine and Other Packages into a Virtual EnvironmentComplex Arguments in Tasks: A Brief DigressionConfiguring the DatabaseGenerating the local_settings.py File from a TemplateRunning django-manage CommandsRunning Custom Python Scripts in the Context of the ApplicationSetting Service Configuration FilesEnabling the NGINX ConfigurationInstalling TLS CertificatesInstalling Twitter Cron JobThe Full PlaybookRunning the Playbook Against a Vagrant MachineTroubleshootingCannot Check Out Git RepositoryCannot Reach 192.168.33.10.nip.ioBad Request (400)Conclusion
Humane Error MessagesDebugging SSH IssuesCommon SSH ChallengesPasswordAuthentication noSSH as a Different UserHost Key Verification FailedPrivate NetworksThe debug ModulePlaybook DebuggerThe assert ModuleChecking Your Playbook Before ExecutionSyntax CheckList HostsList TasksCheck ModeDiff (Show File Changes)TagsLimitsConclusion
Basic Structure of a RoleExample: Deploying Mezzanine with RolesUsing Roles in Your PlaybooksPre-Tasks and Post-TasksA database Role for Deploying the DatabaseA mezzanine Role for Deploying MezzanineCreating Role Files and Directories with ansible-galaxyDependent RolesAnsible GalaxyWeb InterfaceCommand-Line InterfaceRole Requirements in PracticeContributing Your Own RoleConclusion

Dealing with Badly Behaved CommandsFiltersThe default FilterFilters for Registered VariablesFilters That Apply to FilepathsWriting Your Own FilterLookupsfilepipeenvpasswordtemplatecsvfiledigredisWriting Your Own Lookup Plug-inMore Complicated LoopsWith Lookup Plug-inwith_lineswith_fileglobwith_dictLooping Constructs as Lookup Plug-insLoop ControlsSetting the Variable NameLabeling the OutputImports and IncludesDynamic IncludesRole IncludesRole Flow ControlBlocksError Handling with BlocksEncrypting Sensitive Data with ansible-vaultMultiple Vaults with Different PasswordsConclusion
Patterns for Specifying HostsLimiting Which Hosts RunRunning a Task on the Control MachineManually Gathering FactsRetrieving an IP Address from the HostRunning on One Host at a TimeRunning on a Batch of Hosts at a TimeRunning Only OnceLimiting Which Tasks Runstepstart-at-taskRunning TagsSkipping TagsRunning StrategiesLinearFreeAdvanced HandlersHandlers in Pre- and Post-TasksFlush HandlersMeta CommandsHandlers Notifying HandlersHandlers ListenThe SSL Case for the listen FeatureConclusion
Connection to WindowsPowerShellWindows ModulesOur Java Development MachineAdding a Local UserWindows FeaturesInstalling Software with ChocolateyConfiguration of JavaUpdating WindowsConclusion
KubernetesDocker Application Life CycleRegistriesAnsible and DockerConnecting to the Docker DaemonExample Application: GhostRunning a Docker Container on Our Local MachineBuilding an Image from a DockerfilePushing Our Image to the Docker RegistryOrchestrating Multiple Containers on Our Local MachineQuerying Local ImagesDeploying the Dockerized ApplicationProvisioning MySQLDeploying the Ghost DatabaseFrontendFrontend: GhostFrontend: NGINXCleaning Out ContainersConclusion
Installation and SetupConfiguring Molecule DriversCreating an Ansible RoleScenariosDesired StateConfiguring Scenarios in MoleculeManaging Virtual MachinesManaging ContainersMolecule CommandsLintingYAMLlintansible-lintansible-laterVerifiersAnsibleGossTestInfraConclusion
Installing CollectionsListing CollectionsUsing Collections in a PlaybookDeveloping a CollectionConclusion
Creating Images with PackerVagrant VirtualBox VMCombining Packer and VagrantCloud ImagesGoogle Cloud PlatformAzureAmazon EC2The PlaybookDocker Image: GCC 11Conclusion
TerminologyInstanceAmazon Machine ImageTagsSpecifying CredentialsEnvironment VariablesConfiguration FilesPrerequisite: Boto3 Python LibraryDynamic InventoryInventory CachingOther Configuration OptionsDefining Dynamic Groups with TagsApplying Tags to Existing ResourcesNicer Group NamesVirtual Private CloudsConfiguring ansible.cfg for Use with ec2Launching New InstancesEC2 Key PairsCreating a New KeyUploading Your Public KeySecurity GroupsPermitted IP AddressesSecurity Group PortsGetting the Latest AMICreate a New Instance and Add It to a GroupWaiting for the Server to Come UpPutting It All TogetherSpecifying a Virtual Private CloudDynamic Inventory and VPCConclusion
Stdout Plug-insARAdebugdefaultdensejsonminimalnullonelineNotification and Aggregate Plug-insPython Requirementsforemanjabberjunitlog_playslogentrieslogstashmailprofile_rolesprofile_taskssayslacksplunktimerConclusion
Example: Checking That You Can Reach a Remote ServerUsing the Script Module Instead of Writing Your Owncan_reach as a ModuleShould You Develop a Module?Where to Put Your Custom ModulesHow Ansible Invokes ModulesGenerate a Standalone Python Script with the Arguments (Python Only)Copy the Module to the HostCreate an Arguments File on the Host (Non-Python Only)Invoke the ModuleExpected OutputsOutput Variables That Ansible ExpectsImplementing Modules in PythonParsing ArgumentsAccessing ParametersImporting the AnsibleModule Helper ClassArgument OptionsAnsibleModule Initializer ParametersReturning Success or FailureInvoking External CommandsCheck Mode (Dry Run)Documenting Your ModuleDebugging Your ModuleImplementing the Module in BashSpecifying an Alternative Location for BashConclusion
SSH Multiplexing and ControlPersistManually Enabling SSH MultiplexingSSH Multiplexing Options in AnsibleMore SSH TuningAlgorithm RecommendationsPipeliningEnabling PipeliningConfiguring Hosts for PipeliningMitogen for AnsibleFact CachingJSON File Fact-Caching BackendRedis Fact-Caching BackendMemcached Fact-Caching BackendParallelismConcurrent Tasks with AsyncConclusion
Network ManagementSupported VendorsAnsible Connection for Network AutomationPrivileged ModeNetwork InventoryNetwork Automation Use CasesSecurityComply with Compliance?Secured, but Not SecureShadow ITSunshine ITZero TrustConclusion
Continuous IntegrationElements in a CI SystemJenkins and AnsibleRunning CI for Ansible RolesStagingAnsible Plug-inAnsible Tower Plug-inConclusion
Subscription ModelsAnsible Automation Platform TrialWhat Ansible Automation Platform SolvesAccess ControlProjectsInventory ManagementRun Jobs by Job TemplatesRESTful APIAWX.AWXInstallationCreate an OrganizationCreate an InventoryRunning a Playbook with a Job TemplateUsing Containers to Run AnsibleCreating Execution EnvironmentsConclusion
Simplicity, Modularity, and ComposabilityOrganize ContentDecouple Inventories from ProjectsDecouple Roles and CollectionsPlaybooksCode StyleTag and Test All the ThingsDesired StateDeliver ContinuouslySecurityDeploymentPerformance IndicatorsBenchmark EvidenceFinal Words

Content preview from Ansible: Up and Running, 3rd Edition

Chapter 21. Networking and Security

Network Management

Managing and configuring network devices always makes us feel nostalgic. Log in to a console by telnet, type some commands, save the configuration to startup config, and you’re done. For a long time, we had two types of management strategies for network devices:

Buy an expensive proprietary software that configures your devices.
Develop minimal tooling around your configuration files: back up your configs locally, make some changes by editing them, and copy the result back onto the devices through the console.

We have seen some movement in this space. The first thing we noticed was that network device vendors started to create or open their APIs for everyone. The second thing is that the Ansible community did not stop going lower down the stack, to the core: hardware servers, load-balancer appliances, firewall appliances, network devices, and even routers and specialized appliances. Red Hat coordinated Ansible for Network Automation in release 2.5 of Ansible. Between the 2.5 and 2.9 versions of Ansible, the focus was on network modules. For maintainability reasons, this idea has since been abandoned in favor of collections, and networking is maybe the best evidence that it was a good decision to follow up on JP Mens’s blog post by focusing on ansible-core with the Ansible team, as well as to delegate certified content creation to Red Hat partners and the rest to the community. Network vendors jumped on the bandwagon, ...