Authors Red Hat Inc.
License CC-BY-SA-4.0
Opensource.com Ansible Automation for SysAdmins A quickstart guide to Ansible Open Source Cheat Sheets Visit our cheat sheets collection for free downloads, including: Blender: Discover the most commonly and frequently used hotkeys and mouse button presses. Containers: Learn the lingo and get the basics in this quick and easy containers primer. Go: Find out about many uses of the go executable and the most important packages in the Go standard library. Inkscape: Inkscape is an incredibly powerful vector graphics program that you can use to draw scaleable illustrations or edit vector artwork that other people have created. Linux Networking: In this downloadable PDF cheat sheet, get a list of Linux utilities and commands for managing servers and networks. Python 3.7: This cheat sheet rounds up a few built-in pieces to get new Python programmers started. Raspberry Pi: See what you need to boot your Pi, how to install the operating system, how to enable SSH and connect to WiFi, how to install software and update your system, and links for where to get further help. SSH: Most people know SSH as a tool for remote login, which it is, but it can be used in many other ways. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Opensource.com About Opensource.com What is Opensource.com? Opensource.com publishes stories about creating, adopting, and sharing open source solutions. Visit Opensource.com to learn more about how the open source way is improving technologies, education, business, government, health, law, entertainment, humanitarian efforts, and more. Submit a story idea: https://opensource.com/story Email us: open@opensource.com Chat with us in Freenode IRC: #opensource.com Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 3 Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction Introduction 5 Chapters Tips for success when getting started with Ansible 6 How to use Ansible to patch systems and install applications 8 A sysadmin’s guide to Ansible: How to simplify tasks 10 Testing Ansible roles with Molecule 14 Using Ansible for deploying serverless applications 17 4 Ansible playbooks you should try 19 Get Involved | Additional Resources Get involved | Additional Resources 22 Write for Us | Keep in Touch 23 4 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction Introduction by Chris Short A lot of great tools have come and gone over the years. But none of them have made an impact as large as the one that Ansible has made in the IT automation space. From servers to networks to public cloud providers to serverless to Kubernetes… Ansible has a lot of use cases. Happy birthday, Ansible! We assembled this book to celebrate Ansible’s seventh birthday. Whether you recently read the Ansible Getting Started doc [1] and are just beginning your Ansible journey or have been going at it for quite some time, this book—much like the Ansible community—offers a little something for everyone. We hope to spark your imagination about what you can automate next. Here’s to seven years of Ansible! Links [1] https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html Author Red Hat Ansible | CNCF Ambassador | DevOps | opensource.com Community Moderator | Writes devopsish.com | Partially Disabled USAF Veteran | He/Him Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 5 Tips for success when getting started with Ansible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tips for success when getting started with Ansible by Jose Delarosa Key information for automating your data center with Ansible. Ansible is an open source automation tool used to configure servers, install software, and perform a wide variety of IT tasks from one central loca- tion. It is a one-to-many agentless mechanism where all instructions are run from a control machine that communi- cates with remote clients over SSH, although other protocols are also supported. While targeted for system administrators with privileged access who routinely perform tasks such as installing and configuring applications, Ansible can also be used by non-privileged users. For example, a database administrator using the mysql login ID could use Ansible to create databas- es, add users, and define access-level controls. One important feature in Ansible is that a playbook de- Let’s go over a very simple example where a system ad- scribes a desired state in a computer system, so a playbook ministrator provisions 100 servers each day and must run can be run multiple times against a server without impact- a series of Bash commands on each one before handing it ing its state. If a certain task has already been implemented off to users. (e.g., “user sysman already exists”), then Ansible simply ignores This is a simple example, but should illustrate how eas- it and moves on. ily commands can be specified in yaml files and executed on remote servers. In a heterogeneous environment, con- Definitions ditional statements can be added so that certain commands • Tasks: A task is the smallest unit of work. It can be an ac- are only executed in certain servers (e.g., “only execute yum tion like “Install a database,” “Install a web server,” “Create a commands in systems that are not Ubuntu or Debian”). firewall rule,” or “Copy this configuration file to that server.” 6 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tips for success when getting started with Ansible • Plays: A play is made up of tasks. For example, the play: • Test as often as you need to without fear of breaking things. “Prepare a database to be used by a web server” is made Tasks describe a desired state, so if a desired state is al- up of tasks: 1) Install the database package; 2) Set a pass- ready achieved, it will simply be ignored. word for the database administrator; 3) Create a database; • Be sure all host names defined in /etc/ansible/hosts and 4) Set access to the database. are resolvable. • Playbook: A playbook is made up of plays. A playbook • Because communication to remote hosts is done using could be: “Prepare my website with a database backend,” SSH, keys have to be accepted by the control machine, and the plays would be 1) Set up the database server; and so either 1) exchange keys with remote hosts prior to start- 2) Set up the web server. ing; or 2) be ready to type in “Yes” to accept SSH key ex- • Roles: Roles are used to save and organize playbooks and change requests for each remote host you want to manage. allow sharing and reuse of playbooks. Following the previ- • Although you can combine tasks for different Linux distribu- ous examples, if you need to fully configure a web server, tions in one playbook, it’s cleaner to write a separate play- you can use a role that others have written and shared to book for each distro. do just that. Since roles are highly configurable (if written correctly), they can be easily reused to suit any given de- In the final analysis ployment requirements. Ansible is a great choice for implementing automation in • Ansible Galaxy: Ansible Galaxy [1] is an online repository your data center: where roles are uploaded so they can be shared with oth- • It’s agentless, so it is simpler to install than other automa- ers. It is integrated with GitHub, so roles can be organized tion tools. into Git repositories and then shared via Ansible Galaxy. • Instructions are in YAML (though JSON is also supported) These definitions and their relationships are depicted here: so it’s easier than writing shell scripts. Please note this is just one way to organize the tasks that • It’s open source software, so contribute back to it and make need to be executed. We could have split up the installation it even better! of the database and the web server into separate playbooks and into different roles. Most roles in Ansible Galaxy install Links and configure individual applications. You can see exam- [1] https://galaxy.ansible.com/ ples for installing mysql [2] and installing httpd [3]. [2] https://galaxy.ansible.com/bennojoy/mysql/ [3] https://galaxy.ansible.com/xcezx/httpd/ Tips for writing playbooks [4] http://docs.ansible.com/ The best source for learning Ansible is the official documenta- tion [4] site. And, as usual, online search is your friend. I rec- Author ommend starting with simple tasks, like installing applications Jose is a Linux engineer at Dell EMC. He spends most days or creating users. Once you are ready, follow these guidelines: learning new things, keeping stuff from breaking, and keeping • When testing, use a small subset of servers so that your customers happy. plays execute faster. If they are successful in one server, they will be successful in others. Adapted from “Tips for success when getting started with Ansible” on Opensource.com, published under a Creative Commons Attribution Share- • Always do a dry run to make sure all commands are work- Alike 4.0 International License at https://opensource.com/article/18/2/tips- ing (run with --check-mode flag). success-when-getting-started-ansible. Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 7 How to use Ansible to patch systems and install applications . . . . . . . . . . . . . . . . . . . . . . How to use Ansible to patch systems and install applications by Jonathan Lozada De La Matta Save time doing updates with the Ansible IT automation engine. Have you ever wondered how to patch your sys- tems, reboot, and continue working? If so, you’ll be interested in Ansible [1], a simple configu- ration management tool that can make some of the hardest work easy. For example, system administration tasks that can be complicated, take hours to complete, or have com- plex requirements for security. In my experience, one of the hardest parts of being a sys- admin is patching systems. Every time you get a Common Vulnerabilities and Exposure (CVE) notification or Informa- tion Assurance Vulnerability Alert (IAVA) mandated by secu- rity, you have to kick into high gear to close the security gaps. (And, believe me, your security officer will hunt you down async: 1 unless the vulnerabilities are patched.) poll: 0 Ansible can reduce the time it takes to patch systems by running packaging modules [2]. To demonstrate, let’s use the - name: wait for 10 seconds yum module [3] to update the system. Ansible can install, up- pause: date, remove, or install from another location (e.g., rpmbuild seconds: 10 from continuous integration/continuous development). Here is the task for updating the system: - name: wait for the system to reboot wait_for_connection: - name: update the system connect_timeout: 20 yum: sleep: 5 name: "*" delay: 5 state: latest timeout: 60 In the first line, we give the task a meaningful name so we - name: install epel-release know what Ansible is doing. In the next line, the yum module yum: updates the CentOS virtual machine (VM), then name: "*" name: epel-release tells yum to update everything, and, finally, state: latest state: latest updates to the latest RPM. After updating the system, we need to restart and re- The shell module puts the system to sleep for 5 seconds connect: then reboots. We use sleep to prevent the connection from breaking, async to avoid timeout, and poll to fire & forget. - name: restart system to reboot to newest kernel We pause for 10 seconds to wait for the VM to come back shell: "sleep 5 && reboot" and use wait_for_connection to connect back to the VM 8 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . How to use Ansible to patch systems and install applications as soon as it can make a connection. Then we install service: epel-release to test the RPM installation. You can run this name: nginx playbook multiple times to show the idempotent, and the state: restarted only task that will show as changed is the reboot since we are using the shell module. You can use changed_when: In this role, we install the RPMs nginx, python-pip, py- False to ignore the change when using the shell module if thon-devel, and devel and install uwsgi with PIP. Next, we you expect no actual changes. use the template module to copy over the nginx.conf and So far we’ve learned how to update a system, restart the index.html for the page to display. After that, we make sure VM, reconnect, and install a RPM. Next we will install NGINX the service is enabled on boot and started. Then we use the using the role in Ansible Lightbulb [4]. uri module to check the connection to the page. Here is a playbook showing an example of updating, re- - name: Ensure nginx packages are present starting, and installing an RPM. Then continue installing nginx. yum: This can be done with any other roles/applications you want. name: nginx, python-pip, python-devel, devel state: present - hosts: all notify: restart-nginx-service roles: - centos-update - name: Ensure uwsgi package is present - nginx-simple pip: name: uwsgi This was just a simple example of how to update, reboot, state: present and continue. For simplicity, I added the packages without notify: restart-nginx-service variables [5]. Once you start working with a large number of hosts, you will need to change a few settings: - name: Ensure latest default.conf is present • async & poll [6] template: • serial [7] src: templates/nginx.conf.j2 • forks [8] dest: /etc/nginx/nginx.conf This is because on your production environment you might backup: yes want to update one system at a time (not fire & forget) and notify: restart-nginx-service actually wait a longer time for your system to reboot and continue. - name: Ensure latest index.html is present template: Links src: templates/index.html.j2 [1] https://www.ansible.com/overview/how-ansible-works dest: /usr/share/nginx/html/index.html [2] https://docs.ansible.com/ansible/latest/list_of_packaging_ modules.html - name: Ensure nginx service is started and enabled [3] https://docs.ansible.com/ansible/latest/yum_module.html service: [4] https://github.com/ansible/lightbulb/tree/master/examples/ name: nginx nginx-role state: started [5] https://docs.ansible.com/ansible/latest/playbooks_ enabled: yes variables.html [6] https://docs.ansible.com/ansible/latest/playbooks_async.html - name: Ensure proper response from localhost can be received [7] https://docs.ansible.com/ansible/latest/playbooks_ uri: delegation.html#rolling-update-batch-size url: "http://localhost:80/" [8] https://docs.ansible.com/ansible/latest/intro_configuration. return_content: yes html#forks register: response until: 'nginx_test_message in response.content' Author retries: 10 Jlozadad is a Ansible Consultant. I’m from Carolina, Puerto delay: 1 Rico and I love IT & Gaming. Spend Most of my time playing video games, looking at open source software and laughing. And the handler that restarts the nginx service: Adapted from “How to use Ansible to patch systems and install applications” on Opensource.com, published under a Creative Commons Attribution Share- # handlers file for nginx-example Alike 4.0 International License at https://opensource.com/article/18/3/ansible- - name: restart-nginx-service patch-systems. Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 9 A sysadmin’s guide to Ansible: How to simplify tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A sysadmin’s guide to Ansible: How to simplify tasks by Jonathan Lozada De La Matta There are many ways to automate common sysadmin tasks with Ansible. Here are several of them. Diving deeper into Ansible In the previous chapter, I discussed how to use Ansible to patch systems and install applications. In this chapter, I’ll Sharing ideas about how to resolve issues is one of the best things we can do in the IT and open source world, so I show you how to do other things with Ansible that will make went looking for help by submitting issues in Ansible [1] and your life as a sysadmin easier. First, though, I want to share asking questions in roles others created [2]. why I came to Ansible. Reading the documentation (including the following top- I started using Ansible because it made patching systems ics) is the best way to get started learning Ansible. easier. I could run some ad-hoc commands here and there • Getting started [3] and some playbooks someone else wrote. I didn’t get very • Best practices [4] in depth, though, because the playbook I was running used • Ansible Lightbulb [5] a lot of lineinfile modules, and, to be honest, my regex • Ansible FAQ [6] techniques were nonexistent. I was also limited in my capac- If you are trying to figure out what you can do with Ansible, ity due to my management’s direction and instructions: “You take a moment and think about the daily activities you do, can run this playbook only and that’s all you can do.” the ones that take a lot of time that would be better spent on After leaving that job, I started working on a team where other things. Here are some examples: most of the infrastructure was in the cloud. After getting used • Managing accounts in systems: Creating users, adding to the team and learning how everything works, I started try- them to the correct groups, and adding the SSH keys… ing to find ways to automate more things. We were spending these are things that used to take me days when we had a two to three months deploying virtual machines in large num- large number of systems to build. Even using a shell script, bers—doing all the work manually, including the lifecycle of this process was very time-consuming. each virtual machine, from provision to decommission. Our • Maintaining lists of required packages: This could be work often got behind schedule, as we spent a lot of time do- part of your security posture and include the packages re- ing maintenance. When folks went on vacation, others had to quired for your applications. take over with little knowledge of the tasks they were doing. • Installing applications: You can use your current docu- mentation and convert application installs into tasks by finding the correct module [7] for the job. • Configuring systems and applications: You might want to change /etc/ssh/sshd_config for different environments (e.g., production vs. development) by adding a line or two, or maybe you want a file to look a specific way in every system you’re managing. • Provisioning a VM in the cloud: This is great when you need to launch a few virtual machines that are similar for your applications and you are tired of using the UI. Now let’s look at how to use Ansible to automate some of these repetitive tasks. 10 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A sysadmin’s guide to Ansible: How to simplify tasks Managing users - { user: 'dbadmin', key: "{{ lookup('file', If you need to create a large list of users and groups with '/data/vm_temp_key.pub'), state: 'absent', the users spread among the different groups, you can use comment: 'dbadmin key' } loops. Let’s start by creating the groups: Here, we specify the user, how to find the key by using - name: create user groups lookup, the state, and a comment describing the purpose group: of the key. name: "{{ item }}" loop: Installing packages - postgresql Package installation can vary depending on the packaging - nginx-test system you are using. You can use Ansible facts [8] to de- - admin termine which module to use. Ansible does offer a generic - dbadmin module called package [9] that uses ansible_pkg_mgr and - hadoop calls the proper package manager for the system. For exam- ple, if you’re using Fedora, the package module will call the You can create users with specific parameters like this: DNF package manager. The package module will work if you’re doing a simple in- - name: all users in the department stallation of packages. If you’re doing more complex work, user: you will have to use the correct module for your system. For name: "{{ item.name }}" example, if you want to ignore GPG keys and install all the group: "{{ item.group }}" security packages on a RHEL-based system, you need to groups: "{{ item.groups }}" use the yum module. You will have different options depend- uid: "{{ item.uid }}" ing on your packaging module [10], but they usually offer state: "{{ item.state }}" more parameters than Ansible’s generic package module. loop: Here is an example using the package module: - { name: 'admin1', group: 'admin', groups: 'nginx', uid: '1234', state: 'present' } - name: install a package - { name: 'dbadmin1', group: 'dbadmin', groups: 'postgres', package: uid: '4321', state: 'present' } name: nginx - { name: 'user1', group: 'hadoop', groups: 'wheel', uid: state: installed '1067', state: 'present' } - { name: 'jose', group: 'admin', groups: 'wheel', uid: The following uses the yum module to install NGINX, disable '9000', state: 'absent' } gpg_check from the repo, ignore the repository’s certificates, and skip any broken packages that might show up. Looking at the user jose, you may recognize that state: 'ab- sent' deletes this user account, and you may be wondering - name: install a package why you need to include all the other parameters when you’re yum: just removing him. It’s because this is a good place to keep name: nginx documentation of important changes for audits or security state: installed compliance. By storing the roles in Git as your source of truth, disable_gpg_check: yes you can go back and look at the old versions in Git if you later validate_certs: no need to answer questions about why changes were made. skip_broken: yes To deploy SSH keys for some of the users, you can use the same type of looping as in the last example. Here is an example using Apt [11]. The Apt module tells Ansi- ble to uninstall NGINX and not update the cache: - name: copy admin1 and dbadmin ssh keys authorized_key: - name: install a package user: "{{ item.user }}" apt: key: "{{ item.key }}" name: nginx state: "{{ item.state }}" state: absent comment: "{{ item.comment }}" update_cache: no loop: - { user: 'admin1', key: "{{ lookup('file', '/data/test_ You can use loop when installing packages, but they are temp_key.pub'), state: 'present', comment: 'admin1 key' } processed individually if you pass a list: Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 11 A sysadmin’s guide to Ansible: How to simplify tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - name: This is the task that calls the handler: - nginx - postgresql-server - name: configure postgresql - ansible template: - httpd src: postgresql.service.j2 dest: /usr/lib/systemd/system/postgresql.service NOTE: Make sure you know the correct name of the pack- notify: reload postgresql for new configuration and reload age you want in the package manager you’re using. Some daemon names change depending on the package manager. It configures PostgreSQL by changing the systemd file, but Starting services instead of defining the restart in the tasks (like before), it Much like packages, Ansible has different modules to start calls the handler to do the restart at the end of the run. This is services [12]. Like in our previous example, where we used a good way to configure your application and keep it idempo- the package module to do a general installation of packag- tent since the handler only runs when a task changes—not in es, the service [13] module does similar work with services, the middle of your configuration. including with systemd and Upstart. (Check the module’s The previous example uses the template module [16] and documentation for a complete list.) Here is an example: a Jinja2 file [17]. One of the most wonderful things about configuring applications with Ansible is using templates. You - name: start nginx can configure a whole file like postgresql.service with the service: full configuration you require. But, instead of changing every name: nginx line, you can use variables and define the options some- state: started where else. This will let you change any variable at any time and be more versatile. For example: You can use Ansible’s service module if you are just starting and stopping applications and don’t need anything more so- [database] phisticated. But, like with the yum module, if you need more DB_TYPE = "{{ gitea_db }}" options, you will need to use the systemd module. For ex- HOST = "{{ ansible_fqdn}}:3306" ample, if you modify systemd files, then you need to do a NAME = gitea daemon-reload, the service module won’t work for that; you USER = gitea will have to use the systemd module. PASSWD = "{{ gitea_db_passwd }}" SSL_MODE = disable - name: reload postgresql for new configuration and reload daemon PATH = "{{ gitea_db_dir }}/gitea.db systemd: name: postgresql This configures the database options on the file app.ini state: reload for Gitea [18]. This is similar to writing Ansible tasks, even daemon-reload: yes though it is a configuration file, and makes it easy to define variables and make changes. This can be expanded fur- This is a great starting point, but it can become cumbersome ther if you are using group_vars [19], which allows you to because the service will always reload/restart. This a good define variables for all systems and specific groups (e.g., place to use a handler [14]. production vs. development). This makes it easier to man- If you used best practices and created your role using age variables, and you don’t have to specify the same ones ansible-galaxy init "role name", then you should have in every role. the full directory structure [15]. You can include the code above inside the handlers/main.yml and call it when you Provisioning a system make a change with the application. For example: We’ve gone over several things you can do with Ansible on your system, but we haven’t yet discussed how to provision handlers/main.yml a system. Here’s an example of provisioning a virtual ma- chine (VM) with the OpenStack cloud solution. - name: reload postgresql for new configuration and reload daemon - name: create a VM in openstack systemd: osp_server: name: postgresql name: cloudera-namenode state: reload state: present daemon-reload: yes cloud: openstack 12 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A sysadmin’s guide to Ansible: How to simplify tasks region_name: andromeda Links image: 923569a-c777-4g52-t3y9-cxvhl86zx345 [1] https://github.com/ansible/ansible/issues/18006 flavor_ram: 20146 [2] https://github.com/abaez/ansible-role-user/issues/1 flavor: big [3] http://docs.ansible.com/ansible/latest/user_guide/intro_ auto_ip: yes getting_started.html volumes: cloudera-namenode [4] http://docs.ansible.com/ansible/latest/user_guide/ playbooks_best_practices.html All OpenStack modules start with os, which makes it easier to [5] https://github.com/ansible/lightbulb find them. The above configuration uses the osp-server mod- [6] https://docs.ansible.com/ansible/latest/reference_ ule, which lets you add or remove an instance. It includes the appendices/faq.html name of the VM, its state, its cloud options, and how it au- [7] https://docs.ansible.com/ansible/latest/modules/modules_ thenticates to the API. More information about cloud.yml [20] by_category.html is available in the OpenStack docs, but if you don’t want to [8] https://docs.ansible.com/ansible/latest/user_guide/ use cloud.yml, you can use a dictionary that lists your creden- playbooks_variables.html#information-discovered-from- tials using the auth option. If you want to delete the VM, just systems-facts change state: to absent. [9] http://docs.ansible.com/ansible/latest/modules/package_ Say you have a list of servers you shut down because module.html you couldn’t figure out how to get the applications work- [10] http://docs.ansible.com/ansible/latest/modules/list_of_ ing, and you want to start them again. You can use os_ packaging_modules.html server_action to restart them (or rebuild them if you want [11] https://docs.ansible.com/ansible/latest/modules/apt_ to start from scratch). module.html Here is an example that starts the server and tells the [12] http://docs.ansible.com/ansible/latest/modules/list_of_ modules the name of the instance: system_modules.html [13] http://docs.ansible.com/ansible/latest/modules/service_ - name: restart some servers module.html#service-module os_server_action: [14] https://docs.ansible.com/ansible/latest/user_guide/ action: start playbooks_intro.html#handlers-running-operations-on- cloud: openstack change region_name: andromeda [15] http://docs.ansible.com/ansible/latest/user_guide/ server: cloudera-namenode playbooks_best_practices.html#directory-layout [16] https://docs.ansible.com/ansible/latest/modules/template_ Most OpenStack modules use similar options. Therefore, module.html to rebuild the server, we can use the same options but [17] https://docs.ansible.com/ansible/latest/user_guide/ change the action to rebuild and add the image we want playbooks_templating.html it to use: [18] https://gitea.io/en-us/ [19] https://docs.ansible.com/ansible/latest/user_guide/ os_server_action: playbooks_variables.html#variable-examples action: rebuild [20] https://docs.openstack.org/python-openstackclient/pike/ image: 923569a-c777-4g52-t3y9-cxvhl86zx345 configuration/index.html [21] https://docs.openstack.org/python-openstackclient/pike/ Doing other things configuration/index.html There are modules for a lot of system admin tasks, but what [22] https://docs.ansible.com/ansible/latest/modules/ should you do if there isn’t one for what you are trying to do? command_module.html Use the shell [21] and command [22] modules, which allow [23] https://docs.openstack.org/python-openstackclient/pike/ you to run any command just like you do on the command line. Here’s an example using the OpenStack CLI [23]: Author - name: run an opencli command Jlozadad is a Ansible Consultant. I’m from Carolina, Puerto command: "openstack hypervisor list" Rico and I love IT & Gaming. Spend Most of my time playing video games, looking at open source software and laughing. They are so many ways you can do daily sysadmin tasks with Ansible. Using this automation tool can transform your Adapted from “A sysadmin’s guide to Ansible: How to simplify tasks” on Opensource.com, published under a Creative Commons Attribution Share- hardest task into a simple solution, save you time, and make Alike 4.0 International License at https://opensource.com/article/18/7/sysadmin- your work days shorter and more relaxed. tasks-ansible. Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 13 Testing Ansible roles with Molecule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Testing Ansible roles with Molecule by Jairo da Silva Junior Learn how to automate your verifications using Python. Test techniques play an important role in software de- velopment, and this is no different when we are talking about In the end, your workflow would be: 1. vagrant up Infrastructure as Code (IaC). 2. Edit playbook. Developers are always testing, and constant feedback is 3. vagrant provision necessary to drive development. If it takes too long to get feed- 4. vagrant ssh to verify VM state. back on a change, your steps might be too large, making errors 5. Repeat steps 2 to 4. hard to spot. Baby steps and fast feedback are the essence of TDD (test-driven development). But how do you apply this Occasionally, the VM should be destroyed and brought up approach to the development of ad hoc playbooks or roles? again (vagrant destroy -f; vagrant up) to increase the When you’re developing an automation, a typical workflow reliability of your playbook (i.e., to test if your automation is would start with a new virtual machine. I will use Vagrant [1] working end-to-end). to illustrate this idea, but you could use libvirt [2], Docker [3], Although this is a good workflow, you’re still doing all the VirtualBox [4], or VMware [5], an instance in a private or pub- hard work of connecting to the VM and verifying that every- lic cloud, or a virtual machine provisioned in your data center thing is working as expected. hypervisor (oVirt [6], Xen [7], or VMware, for example). When tests are not automated, you’ll face issues similar to When deciding which virtual machine to use, balance feed- those when you do not automate your infrastructure. back speed and similarity with your real target environment. Luckily, tools like Testinfra [8] and Goss [9] can help auto- The minimal start point with Vagrant would be: mate these verifications. vagrant init centos/7 # or any other box I will focus on Testinfra, as it is written in Python and is the Then add Ansible provisioning to your Vagrantfile: default verifier for Molecule. The idea is pretty simple: Auto- mate your verifications using Python: config.vm.provision "ansible" do |ansible| ansible.playbook = "playbook.yml" def test_nginx_is_installed(host): end nginx = host.package("nginx") assert nginx.is_installed assert nginx.version.startswith("1.2") def test_nginx_running_and_enabled(host): nginx = host.service("nginx") assert nginx.is_running assert nginx.is_enabled In a development environment, this script would connect to the target host using SSH (just like Ansible) to perform the above verifications (package presence/version and service state): 14 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Testing Ansible roles with Molecule py.test --connection=ssh --hosts=server your code? Is there a more simple and fast way to develop our playbooks and roles with automated tests? In short, during infrastructure automation development, the challenge is to provision new infrastructure, execute play- Molecule books against them, and verify that your changes reflect the Molecule [11] helps develop roles using tests. The tool can state you declared in your playbooks. even initialize a new role with test cases: molecule init • What can Testinfra verify? role –role-name foo • Infrastructure is up and running from the user’s point of Molecule is flexible enough to allow you to use different driv- view (e.g., HTTPD or Nginx is answering requests, and ers for infrastructure provisioning, including Docker, Vagrant, MariaDB or PostgreSQL is handling SQL queries). OpenStack, GCE, EC2, and Azure. It also allows the use of • OS service is started and enabled different server verification tools, including Testinfra and Goss. • A process is listening on a specific port Its commands ease the execution of tasks commonly used • A process is answering requests during development workflow: • Configuration files were correctly copied or generated • lint - Executes yaml-lint, ansible-lint, and flake8, re- from templates porting failure if there are issues • Virtually anything you do to ensure that your server state • syntax - Verifies the role for syntax errors is correct • create - Creates an instance with the configured driver • What safeties do these automated tests provide? • prepare - Configures instances with preparation playbooks • Perform complex changes or introduce new features with- • converge - Executes playbooks targeting hosts out breaking existing behavior (e.g., it still works in RHEL- • idempotence - Executes a playbook twice and fails in case based distributions after adding support for Debian-based of changes in the second run (non-idempotent) systems). • verify - Execute server state verification tools (testinfra • Refactor/improve the codebase when new versions of An- or goss) sible are released and new best practices are introduced. • destroy - Destroys instances What we’ve done with Vagrant, Ansible, and Testinfra so far • test - Executes all the previous steps is easily mapped to the steps described in the Four-Phase The login command can be used to connect to provisioned Test [10] pattern—a way to structure tests that makes the servers for troubleshooting purposes. test objective clear. It is composed of the following phases: Setup, Exercise, Verify, and Teardown: Step by step How do you go from no tests at all to a decent codebase • Setup: Prepares the environment for the test execution being executed for every change/commit? (e.g., spins up new virtual machines): 1. virtualenv (optional) vagrant up The virtualenv tool creates isolated environments, while • Exercise: Effectively executes the code against the system virtualenvwrapper is a collection of extensions that facili- under test (i.e., Ansible playbook): tate the use of virtualenv. These tools prevent dependencies and conflicts between vagrant provision Molecule and other Python packages in your machine. • Verify: Verifies the previous step output: sudo pip install virtualenvwrapper export WORKON_HOME=~/envs py.test (with Testinfra) source /usr/local/bin/virtualenvwrapper.sh mkvirtualenv mocule • Teardown: Returns to the state prior to Setup: 2. Molecule vagrant destroy Install Molecule with the Docker driver: The same idea we used for an ad hoc playbook could be applied to role development and testing, but do you need to pip install molecule ansible docker do all these steps every time you develop something new? What if you want to use containers, or an OpenStack, in- Generate a new role with test scenarios: stead of Vagrant? What if you’d rather use Goss than Testin- fra? How do you run this continuously for every change in molecule init role -r role_name Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 15 Testing Ansible roles with Molecule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . or for existing roles: CI Continuously executing your Molecule tests is simple. The molecule init scenario -r my-role example above works for TravisCI with the Docker driver, but it could be easily adapted for any CI server and any in- All the necessary configuration is generated with your role, frastructure drivers supported by Molecule. and you need only write test cases using Testinfra: --- import os sudo: required language: python import testinfra.utils.ansible_runner services: - docker testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( before_install: os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - sudo apt-get -qq update - pip install molecule def test_jboss_running_and_enabled(host): - pip install docker jboss = host.service('wildfly') script: - molecule test assert jboss.is_enabled Visit Travis CI [13] for sample output. def test_jboss_listening_http(host): socket = host.socket('tcp://0.0.0.0:8080') Links [1] https://github.com/hashicorp/vagrant assert socket.is_listening [2] https://libvirt.org/ [3] https://www.docker.com/ def test_mgmt_user_authentication(host): [4] https://www.virtualbox.org/ command = """ curl --digest -L -D - http://localhost:9990/ \ [5] https://www.vmware.com/ management -u ansible:ansible""" [6] https://ovirt.org/ [7] https://www.xenproject.org/ cmd = host.run(command) [8] https://testinfra.readthedocs.io/en/latest/ [9] https://github.com/aelsabbahy/goss assert 'HTTP/1.1 200 OK' in cmd.stdout [10] http://xunitpatterns.com/Four Phase Test.html [11] https://molecule.readthedocs.io/en/latest/ This example test case for a Wildfly role verifies that OS [12] https://testinfra.readthedocs.io/en/latest/ service is enabled, a process is listening in port 8080, and [13] https://travis-ci.org/jairojunior/ansible-role-jboss/ authentication is properly configurated. builds/345731738 Coding these tests is straightforward, and you basi- cally need to think about an automated way to verify Author something. Jairo da Silva Junior—Developer, speaker at DevOps con- You are already writing tests when you log into a machine ferences, open source contributor, occasional writer, and ob- targeted by your playbook, or when you build verifications for sessed with tests and automation. Can’t live without CLI tools. your monitoring/alerting systems. This knowledge will con- Adapted from “Testing Ansible roles with Molecule” on Opensource.com, tribute to building something with the Testinfra API [12] or published under a Creative Commons Attribution Share-Alike 4.0 International using a system command. License at https://opensource.com/article/18/12/testing-ansible-roles-molecule. 16 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Ansible for deploying serverless applications Using Ansible for deploying serverless applications by Ryan Scott Brown Serverless is another step in the direction of managed services and plays nice with Ansible’s agentless architecture. Ansible [1] is designed as the simplest deploy- ment tool that actually works. What that means is that it’s not a full programming language. You write Ansible takes the first view. Before “serverless” was a term of art, users had to manage and provision EC2 instances, virtual private cloud (VPC) networks, and everything else. YAML templates that define tasks and list whatever tasks Serverless is another step in the direction of managed ser- you need to automate your job. vices and plays nice with Ansible’s agentless architecture. Most people think of Ansible as a souped-up version of Before we go into a Lambda [3] example, let’s look at a “SSH in a ‘for’ loop,” and that’s true for simple use cases. simpler task for provisioning a CloudFormation stack: But really Ansible is about tasks, not about SSH. For a lot of use cases, we connect via SSH but also support things - name: Build network like Windows Remote Management (WinRM) for Windows cloudformation: machines, different protocols for network devices, and the stack_name: prod-vpc HTTPS APIs that are the lingua franca of cloud services. state: present In a cloud, Ansible can operate on two separate layers: template: base_vpc.yml the control plane and the on-instance resources. The con- trol plane consists of everything not running on the OS. This Writing a task like this takes just a couple minutes, but it includes setting up networks, spawning instances, provision- brings the last semi-manual step involved in building your ing higher-level services like Amazon’s S3 or DynamoDB, infrastructure—clicking “Create Stack”—into a playbook with and everything else you need to keep your cloud infrastruc- everything else. Now your VPC is just another task you can ture secure and serving customers. call when building up a new region. On-instance work is what you already know Ansible for: Since cloud providers are the real source of truth when starting and stopping services, templating config files, it comes to what’s really happening in your account, An- installing packages, and sible has a number of ways everything else OS-related to pull that back and use that you can do over SSH. the IDs, names, and oth- Now, what about server- er parameters to filter and less [2]? Depending who you query running instances or ask, serverless is either the networks. Take for example ultimate extension of the the cloudformation_facts continued rush to the public module that we can use to cloud or a wildly new para- get the subnet IDs, network digm where everything is an ranges, and other data back API call, and it’s never been out of the template we just done before. created. Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 17 Using Ansible for deploying serverless applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - name: Pull all new resources back in as a variable That’s not quite everything you need, since the serverless cloudformation_facts: project also must exist, and that’s where you’ll do the heavy stack_name: prod-vpc lifting of defining your functions and event sources. For this register: network_stack example, we’ll make a single function that responds to HTTP requests. The Serverless Framework uses YAML as its con- For serverless applications, you’ll definitely need a com- fig language (as does Ansible), so this should look familiar. plement of Lambda functions in addition to any other Dy- namoDB tables, S3 buckets, and whatever else. Fortu- # serverless.yml nately, by using the lambda modules, Lambda functions service: fakeservice can be created in the same way as the stack from the last tasks: provider: name: aws - lambda: runtime: python3.6 name: sendReportMail zip_file: "{{ deployment_package }}" functions: runtime: python3.6 main: handler: report.send handler: test_function.handler memory_size: 1024 events: role: "{{ iam_exec_role }}" - http: register: new_function path: / method: get If you have another tool that you prefer for shipping the serverless parts of your application, that works as well. The Links open source Serverless Framework [4] has its own Ansible [1] https://www.ansible.com/ module that will work just as well: [2] https://en.wikipedia.org/wiki/Serverless_computing [3] https://aws.amazon.com/lambda/ - serverless: [4] https://serverless.com/ service_path: '{{ project_dir }}' stage: dev Author register: sls Ryan is a Senior Software Engineer and spends most of - name: Serverless uses CloudFormation under the hood, so you his time on cloud-adjacent Open Source tooling, including can easily pull info back into Ansible Ansible and the Serverless Framework. cloudformation_facts: Adapted from “Using Ansible for deploying serverless applications” on Opensource. stack_name: "{{ sls.service_name }}" com, published under a Creative Commons Attribution Share-Alike 4.0 International register: sls_facts License at https://opensource.com/article/17/8/ansible-serverless-applications. 18 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Ansible playbooks you should try 4 Ansible playbooks you should try by Daniel Oh Streamline and tighten automation processes in complex IT environments with these Ansible playbooks. In a complex IT environment, even the smallest tasks can seem to take forever. Sprawling systems are hard to devel- op, deploy, and maintain. Business demands only increase complexity, and IT teams struggle with management, avail- ability, and cost. How do you address this complexity and while meeting to- day’s business demands? There is no doubt that Ansible [1] can improve your current processes, migrate applications for better optimization, and provide a single language for DevOps practices across your organization. More importantly, you can declare configurations through Ansible playbooks [2], but they orchestrate steps of any man- ual ordered process, even as different steps must bounce - name: Create a k8s namespace back and forth between sets of machines in particular orders. k8s: They can launch tasks synchronously or asynchronously. name: mynamespace While you might run the main /usr/bin/ansible program for api_version: v1 ad-hoc tasks, playbooks are more likely to be kept in source kind: Namespace control and used to push out your configuration or ensure state: present the configurations of your remote systems are in spec. Be- cause the Ansible playbooks are configuration, deployment, - name: Create a Service object from an inline definition and orchestration language, they can describe a policy you k8s: want your remote systems to enforce or a set of steps in a state: present general IT process. definition: Here are four Ansible playbooks that you should try to fur- apiVersion: v1 ther customize and configure how your automation works. kind: Service metadata: Managing Kubernetes objects name: web When you perform CRUD operations on Kubernetes [3] namespace: mynamespace objects, Ansible playbooks enable you to quickly and eas- labels: ily access the full range of Kubernetes APIs through the app: galaxy OpenShift Python client. The following playbook snippets service: web show you how to create specific Kubernetes namespace spec: and service objects: selector: Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 19 4 Ansible playbooks you should try . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . app: galaxy type: dword service: web data: '0x00000000' ports: - protocol: TCP tasks: targetPort: 8000 - name: Install security updates name: port-8000-tcp win_updates: port: 8000 category_names: - SecurityUpdates - name: Create a Service object by reading the definition from notify: reboot windows system a file k8s: - name: Enable kernel protections state: present win_regedit: src: /mynamespace/service.yml path: "{{ item.path }}" name: "{{ item.name }}" # Passing the object definition from a file data: "{{ item.data }}" - name: Create a Deployment by reading the definition from a type: "{{ item.type }}" local file with_items: "{{ registry_keys }}" k8s: state: present handlers: src: /mynamespace/deployment.yml - name: reboot windows system win_reboot: Mitigate critical security concerns like Meltdown shutdown_timeout: 3600 and Spectre reboot_timeout: 3600 In the first week of January 2018, two flaws were announced: when: reboot_after_update Meltdown and Spectre [4]. Both involved the hardware at the heart of more or less every computing device on the planet: You can also find other playbooks for Linux [6]. the processor. There is a great in-depth review of the two flaws here [5]. While Meltdown and Spectre are not com- Integrating a CI/CD process with Jenkins pletely mitigated, the following playbook snippets show how Jenkins [7] is a well-known tool for implementing CI/CD. Shell to easily deploy the patches for Windows: scripts are commonly used for provisioning environments or to deploy apps during the pipeline flow. Although this could - name: Patch Windows systems against Meltdown and Spectre work, it is cumbersome to maintain and reuse scripts in the hosts: "{{ target_hosts | default('all') }}" long run. The following playbook snippets show how to pro- vision infrastructure in a Continuous Integration/Continuous vars: Delivery (CI/CD) process using a Jenkins Pipeline [8]. reboot_after_update: no registry_keys: --- - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session - name: Deploy Jenkins CI Manager\Memory Management hosts: jenkins_server name: FeatureSettingsOverride remote_user: vagrant data: 0 become: yes type: dword roles: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session - geerlingguy.repo-epel Manager\Memory Management - geerlingguy.jenkins name: FeatureSettingsOverrideMask - geerlingguy.git data: 3 - tecris.maven type: dword - geerlingguy.ansible # https://support.microsoft.com/en-us/help/4072699 - name: Deploy Nexus Server - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ hosts: nexus_server QualityCompat remote_user: vagrant name: cadca5fe-87d3-4b96-b7fb-a231484277cc become: yes 20 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Ansible playbooks you should try roles: # The names of the samples that should be installed as well. - geerlingguy.java # The available samples are in the istio_simple_samples variable - savoirfairelinux.nexus3-oss # In addition to the values in istio_simple_samples, 'bookinfo' can also be specified - name: Deploy Sonar Server samples: [] hosts: sonar_server remote_user: vagrant # Whether or not to open apps in the browser become: yes open_apps: false roles: # W hether to delete resources that might exist from previous - wtanaka.unzip Istio installations - zanini.sonar delete_resources: false - name: On Premises CentOS Conclusion hosts: app_server You can find full sets of playbooks that illustrate many of remote_user: vagrant these techniques in the ansible-examples repository [10]. become: yes I recommend looking at these in another tab as you go along. roles: Hopefully, these tips and snippets of Ansible playbooks - jenkins-keys-config have provided some interesting ways to use and extend your automation journey. Starting a service mesh with Istio With a cloud platform, developers must use microservices Links to architect for portability. Meanwhile, operators are manag- [1] https://www.ansible.com/ ing extremely large hybrid and multi-cloud deployments. The [2] https://docs.ansible.com/ansible/devel/user_guide/ service mesh with Istio [9] lets you connect, secure, control, playbooks.html and observe services instead of developers through a dedi- [3] https://kubernetes.io/ cated infrastructure such as an Envoy sidecar container. The [4] https://meltdownattack.com/ following playbook snippets show how to install Istio locally [5] https://access.redhat.com/security/vulnerabilities/ on your machine: speculativeexecution [6] https://github.com/ansible/ansible-lockdown/blob/master/ --- meltdown-spectre-linux.yml [7] https://jenkins.io/ # Whether the cluster is an Openshift (ocp) or upstream [8] https://jenkins.io/doc/book/pipeline/ Kubernetes (k8s) cluster [9] https://istio.io/ cluster_flavour: ocp [10] https://github.com/ansible/ansible-examples istio: Author # Install istio with or without istio-auth module Daniel Oh—DevOps Evangelist, CNCF Ambassador, Devel- auth: false oper, Public Speaker, Writer, Opensource.com Author Adapted from “4 Ansible playbooks you should try” on Opensource.com, # A set of add-ons to install, for example kiali published under a Creative Commons Attribution Share-Alike 4.0 International addon: [] License at https://opensource.com/article/18/8/ansible-playbooks-you-should-try. Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 21 Get Involved | Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Get Involved If you find these articles useful, get involved! Your feedback helps improve the status quo for all things DevOps. Contribute to the Opensource.com DevOps resource collection, and join the team of DevOps practitioners and enthusiasts who want to share the open source stories happening in the world of IT. The Open Source DevOps team is looking for writers, curators, and others who can help us explore the intersection of open source and DevOps. We’re especially interested in stories on the following topics: • D evOps practical how to’s • D evOps and open source • D evOps and talent • D evOps and culture • D evSecOps/rugged software Learn more about the Opensource.com DevOps team: https://opensource.com/devops-team Additional Resources The open source guide to DevOps monitoring tools This free download for sysadmin observability tools includes analysis of open source monitoring, log aggregation, alerting/visualizations, and distributed tracing tools. Download it now: The open source guide to DevOps monitoring tools The ultimate DevOps hiring guide This free download provides advice, tactics, and information about the state of DevOps hiring for both job seekers and hiring managers. Download it now: The ultimate DevOps hiring guide The Open Organization Guide to IT Culture Change In The Open Organization Guide to IT Culture Change, more than 25 contributors from open communities, companies, and projects offer hard-won lessons and practical ad- vice on how to create an open IT department that can deliver better, faster results and unparalleled business value. Download it now: The Open Organization Guide to IT Culture Change 22 Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Write for us Write for Us Would you like to write for Opensource.com? Our editorial calendar includes upcoming themes, community columns, and topic suggestions: https://opensource.com/calendar Learn more about writing for Opensource.com at: https://opensource.com/writers We're always looking for open source-related articles on the following topics: Big data: Open source big data tools, stories, communities, and news. Command-line tips: Tricks and tips for the Linux command-line. Containers and Kubernetes: Getting started with containers, best practices, security, news, projects, and case studies. Education: Open source projects, tools, solutions, and resources for educators, students, and the classroom. Geek culture: Open source-related geek culture stories. Hardware: Open source hardware projects, maker culture, new products, howtos, and tutorials. Machine learning and AI: Open source tools, programs, projects and howtos for machine learning and artificial intelligence. Programming: Share your favorite scripts, tips for getting started, tricks for developers, tutorials, and tell us about your favorite programming languages and communities. Security: Tips and tricks for securing your systems, best practices, checklists, tutorials and tools, case studies, and security-related project updates. Keep in touch! Sign up to receive roundups of our best articles, giveaway alerts, and community announcements. Visit opensource.com/email-newsletter to subscribe. Ansible Automation for SysAdmins . CC BY-SA 4.0 . Opensource.com 23