DOKK Library

Ansible Automation for SysAdmins - A quickstart guide to Ansible

Authors Red Hat Inc.

License CC-BY-SA-4.0

       Opensource.com




Ansible Automation
  for SysAdmins

  A quickstart guide to Ansible




About Opensource.com

What is Opensource.com?

Opensource.com publishes stories about creating, adopting, and sharing open source solutions. Visit Opensource.com to learn more about how the open source way is improving technologies, education, business, government, health, law, entertainment, humanitarian efforts, and more.

Submit a story idea: https://opensource.com/story

Email us: open@opensource.com

Chat with us in Freenode IRC: #opensource.com




    Ansible Automation for SysAdmins                     . CC BY-SA 4.0 . Opensource.com                                                             3




Introduction

Introduction (page 5)

Chapters

Tips for success when getting started with Ansible (page 6)
How to use Ansible to patch systems and install applications (page 8)
A sysadmin's guide to Ansible: How to simplify tasks (page 10)
Testing Ansible roles with Molecule (page 14)
Using Ansible for deploying serverless applications (page 17)
4 Ansible playbooks you should try (page 19)

Get Involved | Additional Resources

Get involved | Additional Resources (page 22)
Write for Us | Keep in Touch (page 23)








Introduction
by Chris Short

A lot of great tools have come and gone over the years. But none of them have made an impact as large as the one that Ansible has made in the IT automation space. From servers to networks to public cloud providers to serverless to Kubernetes… Ansible has a lot of use cases.

Happy birthday, Ansible! We assembled this book to celebrate Ansible's seventh birthday. Whether you recently read the Ansible Getting Started doc [1] and are just beginning your Ansible journey or have been going at it for quite some time, this book—much like the Ansible community—offers a little something for everyone.

We hope to spark your imagination about what you can automate next. Here's to seven years of Ansible!

Links
[1] https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html

Author
Red Hat Ansible | CNCF Ambassador | DevOps | opensource.com Community Moderator | Writes devopsish.com | Partially Disabled USAF Veteran | He/Him








     Tips for success when
     getting started with Ansible
      by Jose Delarosa

      Key information for automating your data center with Ansible.


Ansible is an open source automation tool used to configure servers, install software, and perform a wide variety of IT tasks from one central location. It is a one-to-many agentless mechanism where all instructions are run from a control machine that communicates with remote clients over SSH, although other protocols are also supported.

While targeted for system administrators with privileged access who routinely perform tasks such as installing and configuring applications, Ansible can also be used by non-privileged users. For example, a database administrator using the mysql login ID could use Ansible to create databases, add users, and define access-level controls.

Let's go over a very simple example where a system administrator provisions 100 servers each day and must run a series of Bash commands on each one before handing it off to users.

[The example playbook was shown as a figure in the original and is not reproduced in this text version.]

This is a simple example, but it should illustrate how easily commands can be specified in YAML files and executed on remote servers. In a heterogeneous environment, conditional statements can be added so that certain commands are only executed on certain servers (e.g., "only execute yum commands on systems that are not Ubuntu or Debian").

One important feature in Ansible is that a playbook describes a desired state in a computer system, so a playbook can be run multiple times against a server without impacting its state. If a certain task has already been implemented (e.g., "user sysman already exists"), then Ansible simply ignores it and moves on.

Definitions

• Tasks: A task is the smallest unit of work. It can be an action like "Install a database," "Install a web server," "Create a firewall rule," or "Copy this configuration file to that server."







• Plays: A play is made up of tasks. For example, the play "Prepare a database to be used by a web server" is made up of the tasks: 1) Install the database package; 2) Set a password for the database administrator; 3) Create a database; and 4) Set access to the database.
• Playbook: A playbook is made up of plays. A playbook could be "Prepare my website with a database backend," and the plays would be 1) Set up the database server; and 2) Set up the web server.
• Roles: Roles package tasks, handlers, templates, files, and variables into a reusable unit so that the work can be organized, shared, and reused across playbooks. Following the previous examples, if you need to fully configure a web server, you can use a role that others have written and shared to do just that. Since roles are highly configurable (if written correctly), they can be easily reused to suit any given deployment requirements.
• Ansible Galaxy: Ansible Galaxy [1] is an online repository where roles are uploaded so they can be shared with others. It is integrated with GitHub, so roles can be organized into Git repositories and then shared via Ansible Galaxy.

These definitions and their relationships are depicted here:

[Diagram of the task, play, playbook, and role relationships; not reproduced in this text version.]

Please note this is just one way to organize the tasks that need to be executed. We could have split up the installation of the database and the web server into separate playbooks and into different roles. Most roles in Ansible Galaxy install and configure individual applications. You can see examples for installing mysql [2] and installing httpd [3].

Tips for writing playbooks

The best source for learning Ansible is the official documentation [4] site. And, as usual, online search is your friend. I recommend starting with simple tasks, like installing applications or creating users. Once you are ready, follow these guidelines:
• When testing, use a small subset of servers so that your plays execute faster. A play that succeeds on one server will normally behave the same on the other servers of the same build, so test on one of each kind you manage.
• Always do a dry run to make sure all commands are working (run ansible-playbook with the --check flag; add --diff to see what each task would change).
• Test as often as you need to without fear of breaking things. Tasks describe a desired state, so if a desired state is already achieved, the task simply reports "ok" and changes nothing.
• Be sure all host names defined in /etc/ansible/hosts are resolvable.
• Because communication to remote hosts is done using SSH, each remote host's SSH host key has to be accepted by the control machine, so either 1) record the host keys in the control machine's known_hosts before starting; or 2) be ready to type "yes" to accept the host key of each remote host you want to manage. Accepting on first contact is trust-on-first-use; recording the keys beforehand is the safer option, and switching host key checking off in ansible.cfg should be avoided, since it leaves every SSH session open to a man-in-the-middle.
• Although you can combine tasks for different Linux distributions in one playbook, it's cleaner to write a separate playbook for each distro.

In the final analysis

Ansible is a great choice for implementing automation in your data center:
• It's agentless, so it is simpler to install than other automation tools.
• Instructions are in YAML (though JSON is also supported), so it's easier than writing shell scripts.
• It's open source software, so contribute back to it and make it even better!

Links
[1] https://galaxy.ansible.com/
[2] https://galaxy.ansible.com/bennojoy/mysql/
[3] https://galaxy.ansible.com/xcezx/httpd/
[4] http://docs.ansible.com/

Author
Jose is a Linux engineer at Dell EMC. He spends most days learning new things, keeping stuff from breaking, and keeping customers happy.

Adapted from "Tips for success when getting started with Ansible" on Opensource.com, published under a Creative Commons Attribution Share-Alike 4.0 International License at https://opensource.com/article/18/2/tips-success-when-getting-started-ansible.
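The provisioning scenario at the start of this chapter (a series of commands run on each newly built server, with a conditional that keeps yum commands off Debian-family hosts) and the host-key and dry-run tips above, put together in one playbook. This is an added example written for this edition, not the figure from the original article. The inventory group new_servers, the host names, the site-setup.sh script, and the marker directory are placeholders, and the host-key strings must be replaced with the keys your provisioning system reports for each new machine.

```yaml
# Added example (not from the original article): a post-provisioning
# playbook that applies the chapter's tips. Host names, script path,
# marker path and the host-key entries in the vars are placeholders.
#
# Dry run first, then apply:
#   ansible-playbook -i inventory.ini --check --diff provision.yml
#   ansible-playbook -i inventory.ini provision.yml
---
- name: Pin the SSH host key of every managed host on the control machine
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumption: the provisioning system reports each new host's public
    # host key out of band (console log, cloud metadata). Writing it to
    # known_hosts avoids the interactive "yes" prompt and trust-on-first-use;
    # do NOT set host_key_checking = False in ansible.cfg instead.
    pinned_host_keys:
      - name: web01.example.internal
        key: "web01.example.internal ssh-ed25519 AAAA...REPLACE_WITH_REAL_KEY"
      - name: db01.example.internal
        key: "db01.example.internal ssh-ed25519 AAAA...REPLACE_WITH_REAL_KEY"
  tasks:
    - name: Record each host key in ~/.ssh/known_hosts
      known_hosts:
        name: "{{ item.name }}"
        key: "{{ item.key }}"
        state: present
      loop: "{{ pinned_host_keys }}"
      loop_control:
        label: "{{ item.name }}"

- name: Run the post-provisioning commands on the new servers
  hosts: new_servers          # inventory group; placeholder
  become: true
  tasks:
    - name: Create the directory that holds the hand-off markers
      file:
        path: /var/lib/provisioned
        state: directory
        mode: "0755"

    - name: Run the site-specific setup script exactly once
      command:
        cmd: /usr/local/sbin/site-setup.sh      # hypothetical script
        creates: /var/lib/provisioned/site-setup.done
      # "creates" makes the command idempotent: once the marker exists the
      # task is skipped, so the play can be re-run (and run with --check).

    - name: Leave the marker so the script is not run again
      file:
        path: /var/lib/provisioned/site-setup.done
        state: touch
        mode: "0644"
      changed_when: false      # touch always reports a change; hide it

    - name: Clean the yum cache, but only on hosts that are not Debian-family
      command:
        cmd: yum clean all
      when: ansible_facts['os_family'] != 'Debian'
      changed_when: false      # cache cleanup is not a configuration change
```

The first play runs on the control machine only and is what turns tip 1 of the SSH bullet ("exchange keys prior to starting") into code; the second play is the 100-servers example, with the Debian conditional from the text. Because the setup script is guarded by creates and the probes are marked changed_when: false, a second run reports every task as ok, which is the idempotence the chapter describes.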








    How to use Ansible to
    patch systems and
    install applications
     by Jonathan Lozada De La Matta

     Save time doing updates with the Ansible IT automation engine.


Have you ever wondered how to patch your systems, reboot, and continue working?

If so, you'll be interested in Ansible [1], a simple configuration management tool that can make some of the hardest work easy: for example, system administration tasks that can be complicated, take hours to complete, or have complex security requirements.

In my experience, one of the hardest parts of being a sysadmin is patching systems. Every time you get a Common Vulnerabilities and Exposures (CVE) notification or an Information Assurance Vulnerability Alert (IAVA) mandated by security, you have to kick into high gear to close the security gaps. (And, believe me, your security officer will hunt you down unless the vulnerabilities are patched.)

Ansible can reduce the time it takes to patch systems by running packaging modules [2]. To demonstrate, let's use the yum module [3] to update the system. Ansible can install, update, remove, or install from another location (e.g., an RPM produced by rpmbuild in your continuous integration/continuous delivery pipeline). Here is the task for updating the system:

    - name: update the system
      yum:
        name: "*"
        state: latest

In the first line, we give the task a meaningful name so we know what Ansible is doing. In the next line, the yum module updates the CentOS virtual machine (VM): name: "*" tells yum to update everything, and state: latest updates every package to the latest available RPM.

After updating the system, we need to restart and reconnect:

    - name: restart system to reboot to newest kernel
      shell: "sleep 5 && reboot"
      async: 1
      poll: 0

    - name: wait for 10 seconds
      pause:
        seconds: 10

    - name: wait for the system to reboot
      wait_for_connection:
        connect_timeout: 20
        sleep: 5
        delay: 5
        timeout: 60

    - name: install epel-release
      yum:
        name: epel-release
        state: latest

The shell module puts the system to sleep for 5 seconds, then reboots. We use sleep to prevent the connection from breaking, async to avoid a timeout, and poll: 0 to fire and forget. We pause for 10 seconds to wait for the VM to come back and use wait_for_connection to connect back to the VM






as soon as it can make a connection. Then we install epel-release to test the RPM installation. You can run this playbook multiple times to demonstrate idempotence, and the only task that will show as changed is the reboot, since we are using the shell module. You can use changed_when: False to suppress the change report when using the shell module if you expect no actual changes. (Ansible 2.7 and later also ship a dedicated reboot module that reboots the host and waits for it to come back in a single task, which removes the need for the sleep, pause, and wait_for_connection timing above.)

So far we've learned how to update a system, restart the VM, reconnect, and install an RPM. Next we will install NGINX using the role in Ansible Lightbulb [4].

    - name: Ensure nginx packages are present
      yum:
        name: nginx, python-pip, python-devel, devel
        state: present
      notify: restart-nginx-service

    - name: Ensure uwsgi package is present
      pip:
        name: uwsgi
        state: present
      notify: restart-nginx-service

    - name: Ensure latest default.conf is present
      template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/nginx.conf
        backup: yes
      notify: restart-nginx-service

    - name: Ensure latest index.html is present
      template:
        src: templates/index.html.j2
        dest: /usr/share/nginx/html/index.html

    - name: Ensure nginx service is started and enabled
      service:
        name: nginx
        state: started
        enabled: yes

    - name: Ensure proper response from localhost can be received
      uri:
        url: "http://localhost:80/"
        return_content: yes
      register: response
      until: 'nginx_test_message in response.content'
      retries: 10
      delay: 1

And the handler that restarts the nginx service:

    # handlers file for nginx-example
    - name: restart-nginx-service
      service:
        name: nginx
        state: restarted

In this role, we install the RPMs nginx, python-pip, python-devel, and devel and install uwsgi with pip. Next, we use the template module to copy over the nginx.conf and index.html for the page to display. After that, we make sure the service is enabled on boot and started. Then we use the uri module to check the connection to the page; nginx_test_message is a variable the role is expected to define (it is not part of this excerpt), and the until/retries loop keeps polling until the page actually serves that content rather than stopping at the first HTTP 200.

Here is a playbook showing an example of updating, restarting, and installing an RPM, then continuing by installing nginx. This can be done with any other roles/applications you want.

    - hosts: all
      roles:
        - centos-update
        - nginx-simple

This was just a simple example of how to update, reboot, and continue. For simplicity, I added the packages without variables [5]. Once you start working with a large number of hosts, you will need to change a few settings:
• async & poll [6]
• serial [7]
• forks [8]
This is because in your production environment you might want to update one system at a time (not fire and forget) and actually wait a longer time for your system to reboot and continue.

Links
[1] https://www.ansible.com/overview/how-ansible-works
[2] https://docs.ansible.com/ansible/latest/list_of_packaging_modules.html
[3] https://docs.ansible.com/ansible/latest/yum_module.html
[4] https://github.com/ansible/lightbulb/tree/master/examples/nginx-role
[5] https://docs.ansible.com/ansible/latest/playbooks_variables.html
[6] https://docs.ansible.com/ansible/latest/playbooks_async.html
[7] https://docs.ansible.com/ansible/latest/playbooks_delegation.html#rolling-update-batch-size
[8] https://docs.ansible.com/ansible/latest/intro_configuration.html#forks

Author
Jlozadad is an Ansible Consultant. I'm from Carolina, Puerto Rico and I love IT & Gaming. I spend most of my time playing video games, looking at open source software and laughing.

Adapted from "How to use Ansible to patch systems and install applications" on Opensource.com, published under a Creative Commons Attribution Share-Alike 4.0 International License at https://opensource.com/article/18/3/ansible-patch-systems.
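The update, reboot, and reconnect sequence from this chapter, reworked the way the closing note suggests for a larger fleet: serial: 1 turns it into a rolling update, the host is rebooted only when the patched packages actually require it, and the reboot module (Ansible 2.7 and later) replaces the shell/async/pause/wait_for_connection timing. This is an added example, not the article's centos-update role or anything from Ansible Lightbulb. The inventory group centos_servers is assumed, and the reboot check relies on needs-restarting -r from yum-utils, which exits 1 when a reboot is required and 0 when it is not.

```yaml
# Added example (not the article's centos-update role): rolling patching of
# CentOS/RHEL 7 hosts with a reboot only where one is needed. The inventory
# group name is a placeholder.
---
- name: Patch and reboot, one host at a time
  hosts: centos_servers      # inventory group; placeholder
  become: true
  serial: 1                  # finish each host before starting the next
  tasks:
    - name: Make sure the reboot probe (needs-restarting) is available
      yum:
        name: yum-utils
        state: present

    - name: Update every installed package to the latest version
      yum:
        name: "*"
        state: latest
        update_cache: true

    - name: Ask the system whether the kernel or core services need a reboot
      # needs-restarting -r exits 1 when a reboot is required, 0 when not.
      command:
        cmd: needs-restarting -r
      register: reboot_check
      failed_when: reboot_check.rc not in [0, 1]
      changed_when: false      # read-only probe; never reported as a change
      check_mode: false        # run even under --check so the next task has data

    - name: Reboot only when the probe says it is required
      reboot:
        msg: "Reboot initiated by Ansible after patching"
        pre_reboot_delay: 5
        reboot_timeout: 600    # waits for the host to return and SSH to answer
      when: reboot_check.rc == 1

    - name: Confirm nothing is left running on stale code after the reboot
      command:
        cmd: needs-restarting -r
      register: post_check
      failed_when: post_check.rc != 0
      changed_when: false
      check_mode: false
```

With serial: 1 a failure on one host stops the play before the next host is touched, which is the behaviour you want when a bad update could take a service down; raise serial to a percentage or a number once the first hosts have gone through cleanly. Run it with --check --diff first: the probe tasks are marked check_mode: false so they still execute (they only read state), the yum task shows what it would update, and the reboot module reports a change without rebooting.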








      A sysadmin’s guide
      to Ansible: How to
      simplify tasks
      by Jonathan Lozada De La Matta

      There are many ways to automate common sysadmin tasks with Ansible. Here are several of them.

In the previous chapter, I discussed how to use Ansible to patch systems and install applications. In this chapter, I'll show you how to do other things with Ansible that will make your life as a sysadmin easier. First, though, I want to share why I came to Ansible.

I started using Ansible because it made patching systems easier. I could run some ad-hoc commands here and there and some playbooks someone else wrote. I didn't get very in depth, though, because the playbook I was running used a lot of lineinfile modules, and, to be honest, my regex techniques were nonexistent. I was also limited in my capacity due to my management's direction and instructions: "You can run this playbook only and that's all you can do."

After leaving that job, I started working on a team where most of the infrastructure was in the cloud. After getting used to the team and learning how everything works, I started trying to find ways to automate more things. We were spending two to three months deploying virtual machines in large numbers—doing all the work manually, including the lifecycle of each virtual machine, from provision to decommission. Our work often got behind schedule, as we spent a lot of time doing maintenance. When folks went on vacation, others had to take over with little knowledge of the tasks they were doing.

Diving deeper into Ansible

Sharing ideas about how to resolve issues is one of the best things we can do in the IT and open source world, so I went looking for help by submitting issues in Ansible [1] and asking questions in roles others created [2].

Reading the documentation (including the following topics) is the best way to get started learning Ansible.
• Getting started [3]
• Best practices [4]
• Ansible Lightbulb [5]
• Ansible FAQ [6]

If you are trying to figure out what you can do with Ansible, take a moment and think about the daily activities you do, the ones that take a lot of time that would be better spent on other things. Here are some examples:
• Managing accounts in systems: Creating users, adding them to the correct groups, and adding the SSH keys… these are things that used to take me days when we had a large number of systems to build. Even using a shell script, this process was very time-consuming.
• Maintaining lists of required packages: This could be part of your security posture and include the packages required for your applications.
• Installing applications: You can use your current documentation and convert application installs into tasks by finding the correct module [7] for the job.
• Configuring systems and applications: You might want to change /etc/ssh/sshd_config for different environments (e.g., production vs. development) by adding a line or two, or maybe you want a file to look a specific way in every system you're managing.
• Provisioning a VM in the cloud: This is great when you need to launch a few virtual machines that are similar for your applications and you are tired of using the UI.

Now let's look at how to use Ansible to automate some of these repetitive tasks.





Managing users                                                            - { 
                                                                              user: 'dbadmin', key: "{{ lookup('file',
If you need to create a large list of users and groups with                      '/data/vm_temp_key.pub'), state: 'absent',
the users spread among the different groups, you can use                         comment: 'dbadmin key' }
loops. Let’s start by creating the groups:
                                                                       Here, we specify the user, how to find the key by using
- name: create user groups                                             lookup, the state, and a comment describing the purpose
  group:                                                               of the key.
    name: "{{ item }}"
  loop:                                                                Installing packages
    - postgresql                                                       Package installation can vary depending on the packaging
    - nginx-test                                                       system you are using. You can use Ansible facts [8] to de-
    - admin                                                            termine which module to use. Ansible does offer a generic
    - dbadmin                                                          module called package [9] that uses ansible_pkg_mgr and
    - hadoop                                                           calls the proper package manager for the system. For exam-
                                                                       ple, if you’re using Fedora, the package module will call the
You can create users with specific parameters like this:               DNF package manager.
                                                                          The package module will work if you’re doing a simple in-
- name: all users in the department                                    stallation of packages. If you’re doing more complex work,
  user:
    name: "{{ item.name }}"
    group: "{{ item.group }}"
    groups: "{{ item.groups }}"
    uid: "{{ item.uid }}"
    state: "{{ item.state }}"
  loop:
    - { name: 'admin1', group: 'admin', groups: 'nginx', uid: '1234', state: 'present' }
    - { name: 'dbadmin1', group: 'dbadmin', groups: 'postgres', uid: '4321', state: 'present' }
    - { name: 'user1', group: 'hadoop', groups: 'wheel', uid: '1067', state: 'present' }
    - { name: 'jose', group: 'admin', groups: 'wheel', uid: '9000', state: 'absent' }

Looking at the user jose, you may recognize that state: 'absent' deletes this user account, and you may be wondering why you need to include all the other parameters when you're just removing him. It's because this is a good place to keep documentation of important changes for audits or security compliance. By storing the roles in Git as your source of truth, you can go back and look at the old versions in Git if you later need to answer questions about why changes were made. One caveat: state: 'absent' removes only the account entry. The home directory and the files jose owned stay behind, and whoever is later given UID 9000 inherits them, unless you also set remove: yes on the user module.
   To deploy SSH keys for some of the users, you can use the same type of looping as in the last example.

- name: copy admin1 and dbadmin ssh keys
  authorized_key:
    user: "{{ item.user }}"
    key: "{{ item.key }}"
    state: "{{ item.state }}"
    comment: "{{ item.comment }}"
  loop:
    - { user: 'admin1', key: "{{ lookup('file', '/data/test_temp_key.pub') }}", state: 'present', comment: 'admin1 key' }

The key value is the public key, read on the control node with the file lookup. Note that authorized_key adds to ~/.ssh/authorized_keys and leaves any other keys already there untouched, so a key that was deployed by hand survives every run. If the file must contain exactly the keys you manage, set exclusive: yes and pass all of that user's keys in one task (the option is applied per loop iteration, so one key per iteration would leave only the last one).

you will have to use the correct module for your system. For example, if you want to ignore GPG keys and install all the security packages on a RHEL-based system, you need to use the yum module. You will have different options depending on your packaging module [10], but they usually offer more parameters than Ansible's generic package module. Here is an example using the package module:

- name: install a package
  package:
    name: nginx
    state: present

The package module accepts present, absent and latest; yum also understands installed as an alias for present, but apt does not, so present is the spelling that works with every package manager behind the package module.
   The following uses the yum module to install NGINX, disable the GPG check for the repository, ignore the repository's TLS certificate, and skip any broken packages that might show up.

- name: install a package
  yum:
    name: nginx
    state: present
    disable_gpg_check: yes
    validate_certs: no
    skip_broken: yes

Be deliberate with the two trust options. disable_gpg_check means a package whose signature does not verify is installed anyway, and validate_certs: no means a mirror presenting any certificate is accepted, so together they remove the only protections you have against a tampered repository or a spoofed mirror. Use them for a specific repository you have verified some other way, never as a default in a role.
   Here is an example using apt [11]. The apt module tells Ansible to uninstall NGINX and not update the cache:

- name: install a package
  apt:
    name: nginx
    state: absent
    update_cache: no
Ansible Automation for SysAdmins                    . CC BY-SA 4.0 . Opensource.com                                               11
A sysadmin’s guide to Ansible: How to simplify tasks . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
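The yum task above switches off both checks that protect an install from a tampered repository (disable_gpg_check) or a spoofed mirror (validate_certs: no). The scanner below is an added example written for this guide, not code from the original article: it walks playbook or role YAML line by line and reports those options, together with the apt equivalent allow_unauthenticated and validate_certs: no on get_url downloads. It uses only the Python standard library, understands both the block form and the legacy key=value task form, and leaves templated values alone because their truth is not known until runtime. The playbook text it scans is constructed for the demonstration.

```python
"""Flag Ansible tasks that switch off package or download trust checks.

Added example for this guide (not code from the original article). Stdlib
only: the playbook is scanned line by line, so no YAML library is needed.
SAMPLE_PLAYBOOK below is constructed for the demonstration.
"""
import re
from typing import List, Optional, Tuple

# module -> {option: the boolean value that weakens the trust chain}
RISKY = {
    "yum":     {"disable_gpg_check": True, "validate_certs": False},
    "dnf":     {"disable_gpg_check": True, "validate_certs": False},
    "apt":     {"allow_unauthenticated": True},
    "get_url": {"validate_certs": False},
}
WHY = {
    "disable_gpg_check": "package signature verification disabled",
    "allow_unauthenticated": "unsigned or unauthenticated packages accepted",
    "validate_certs": "TLS certificate validation disabled",
}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}
# "  key: value", "- key: value" or "  key:" (block header); captures indent
KEY_RE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w.]*):\s*(.*?)\s*$")

Finding = Tuple[int, str, str, str]  # (line, module, option, reason)


def parse_bool(raw: str) -> Optional[bool]:
    """Ansible/YAML boolean spellings; None for anything else, e.g. '{{ var }}'."""
    value = re.split(r"\s+#", raw)[0].strip().strip("'\"").lower()
    return True if value in TRUE else False if value in FALSE else None


def check(module: str, option: str, raw: str, lineno: int, out: List[Finding]) -> None:
    bad = RISKY[module].get(option)
    if bad is not None and parse_bool(raw) == bad:
        out.append((lineno, module, option, WHY[option]))


def scan_playbook(text: str) -> List[Finding]:
    """Return one finding per risky option, in file order."""
    findings: List[Finding] = []
    module, module_indent = None, -1
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if module and indent <= module_indent:     # left the module's option block
            module = None
        if key in RISKY:
            if value == "":                          # block form: options follow
                module, module_indent = key, indent
            else:                                    # legacy one-line form: k=v k=v
                for opt, raw in re.findall(r"(\w+)=(\S+)", value):
                    check(key, opt, raw, lineno, findings)
            continue
        if module:
            check(module, key, value, lineno, findings)
    return findings


SAMPLE_PLAYBOOK = """\
- name: install a package
  yum:
    name: nginx
    state: present
    disable_gpg_check: yes
    validate_certs: no
    skip_broken: yes

- name: fetch an installer script
  get_url:
    url: https://pkg.example.invalid/installer.sh
    dest: /tmp/installer.sh
    validate_certs: false

- name: remove a package (no trust flags involved)
  apt:
    name: nginx
    state: absent
    update_cache: no

- name: legacy one-line form
  yum: name=nginx disable_gpg_check=yes
"""

if __name__ == "__main__":
    for lineno, module, option, why in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: {module} {option}: {why}")
```

Run it over a role with something like `scan_playbook(open("tasks/main.yml").read())` from a pre-commit hook; a finding is not automatically a bug, but each one should carry a comment saying which repository it is for and why the check had to go.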


You can use loop to install several packages, but then every iteration is a separate package-manager transaction (recent Ansible versions warn about this). Pass the list to name instead, and the module installs them in one transaction:

- name: install a list of packages
  package:
    name:
      - nginx
      - postgresql-server
      - ansible
      - httpd
    state: present

NOTE: Make sure you know the correct name of the package you want in the package manager you're using. Some names change depending on the package manager.

Starting services
Much like packages, Ansible has different modules to start services [12]. Like in our previous example, where we used the package module to do a general installation of packages, the service [13] module does similar work with services, including with systemd and Upstart. (Check the module's documentation for a complete list.) Here is an example:

- name: start nginx
  service:
    name: nginx
    state: started

You can use Ansible's service module if you are just starting and stopping applications and don't need anything more sophisticated. But, like with the yum module, if you need more options, you will need to use the systemd module. For example, if you modify systemd unit files, you need to do a daemon-reload; the service module can't do that, so you will have to use the systemd module. Its option is daemon_reload, and the state for a reload is reloaded:

- name: reload postgresql for new configuration and reload daemon
  systemd:
    name: postgresql
    state: reloaded
    daemon_reload: yes

This is a great starting point, but it can become cumbersome because the service will always reload/restart. This is a good place to use a handler [14].
   If you used best practices and created your role using ansible-galaxy init "role name", then you should have the full directory structure [15]. You can include the code above inside handlers/main.yml and call it when you make a change to the application. For example:

handlers/main.yml

- name: reload postgresql for new configuration and reload daemon
  systemd:
    name: postgresql
    state: reloaded
    daemon_reload: yes

This is the task that calls the handler:

- name: configure postgresql
  template:
    src: postgresql.service.j2
    dest: /usr/lib/systemd/system/postgresql.service
  notify: reload postgresql for new configuration and reload daemon

It configures PostgreSQL by changing the systemd unit file, but instead of defining the reload in the tasks (like before), it notifies the handler, which runs once at the end of the play. This is a good way to configure your application and keep it idempotent, since the handler only runs when a task reports a change, not in the middle of your configuration. Two practical notes: a changed unit file only takes effect with state: restarted (reloaded just makes PostgreSQL re-read its own configuration), and a unit you manage yourself belongs in /etc/systemd/system, where a package update will not overwrite it, rather than in /usr/lib/systemd/system.
   The previous example uses the template module [16] and a Jinja2 file [17]. One of the most wonderful things about configuring applications with Ansible is using templates. You can configure a whole file like postgresql.service with the full configuration you require. But, instead of changing every line, you can use variables and define the options somewhere else. This will let you change any variable at any time and be more versatile. For example:

[database]
DB_TYPE   = "{{ gitea_db }}"
HOST      = "{{ ansible_fqdn }}:3306"
NAME      = gitea
USER      = gitea
PASSWD    = "{{ gitea_db_passwd }}"
SSL_MODE  = disable
PATH      = "{{ gitea_db_dir }}/gitea.db"

This configures the database options in the app.ini file for Gitea [18]. This is similar to writing Ansible tasks, even though it is a configuration file, and makes it easy to define variables and make changes. This can be expanded further if you are using group_vars [19], which allows you to define variables for all systems and specific groups (e.g., production vs. development). This makes it easier to manage variables, and you don't have to specify the same ones in every role. Keep in mind what the rendered file contains: gitea_db_passwd ends up in plaintext in app.ini on the target, so store the value in group_vars encrypted with ansible-vault rather than in the clear, give the template task a mode such as '0600', and remember that SSL_MODE = disable sends that password to the database over an unencrypted connection.

Provisioning a system
We've gone over several things you can do with Ansible on your system, but we haven't yet discussed how to provision a system. Here's an example of provisioning a virtual machine (VM) with the OpenStack cloud solution.

- name: create a VM in openstack
  os_server:
    name: cloudera-namenode
    state: present
    cloud: openstack


    region_name: andromeda
    image: 923569a-c777-4g52-t3y9-cxvhl86zx345
    flavor: big
    auto_ip: yes
    volumes:
      - cloudera-namenode

All OpenStack modules start with os_, which makes them easy to find. The configuration above uses the os_server module, which lets you add or remove an instance. It includes the name of the VM, its state, its cloud options, and how it authenticates to the API. (flavor and flavor_ram are mutually exclusive in os_server; the example selects the flavor by name.) More information about clouds.yaml [20] is available in the OpenStack docs, but if you don't want to use clouds.yaml, you can pass a dictionary with your credentials in the auth option. Prefer clouds.yaml or environment variables over credentials written into the playbook, which would end up in Git. If you want to delete the VM, just change state: to absent.
   Say you have a list of servers you shut down because you couldn't figure out how to get the applications working, and you want to start them again. You can use os_server_action to restart them (or rebuild them if you want to start from scratch).
   Here is an example that starts the server and tells the module the name of the instance:

- name: restart some servers
  os_server_action:
    action: start
    cloud: openstack
    region_name: andromeda
    server: cloudera-namenode

Most OpenStack modules use similar options. Therefore, to rebuild the server, we can use the same options but change the action to rebuild and add the image we want it to use:

- name: rebuild a server from a fresh image
  os_server_action:
    action: rebuild
    cloud: openstack
    region_name: andromeda
    server: cloudera-namenode
    image: 923569a-c777-4g52-t3y9-cxvhl86zx345

Doing other things
There are modules for a lot of system admin tasks, but what should you do if there isn't one for what you are trying to do? Use the shell [21] and command [22] modules, which allow you to run any command just like you do on the command line. Reach for command first: it splits the string into arguments itself and runs no shell, so a variable you interpolate into it cannot add a second command. Use shell only when you need pipes, redirects or globbing, and then pass every variable through the quote filter ("{{ var | quote }}"). Both modules report changed on every run unless you add changed_when, so they are also where idempotency is easiest to lose. Here's an example using the OpenStack CLI [23]:

- name: run an openstack cli command
  command: "openstack hypervisor list"

There are so many ways you can do daily sysadmin tasks with Ansible. Using this automation tool can transform your hardest task into a simple solution, save you time, and make your work days shorter and more relaxed.

Links
[1] https://github.com/ansible/ansible/issues/18006
[2] https://github.com/abaez/ansible-role-user/issues/1
[3] http://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html
[4] http://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
[5] https://github.com/ansible/lightbulb
[6] https://docs.ansible.com/ansible/latest/reference_appendices/faq.html
[7] https://docs.ansible.com/ansible/latest/modules/modules_by_category.html
[8] https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#information-discovered-from-systems-facts
[9] http://docs.ansible.com/ansible/latest/modules/package_module.html
[10] http://docs.ansible.com/ansible/latest/modules/list_of_packaging_modules.html
[11] https://docs.ansible.com/ansible/latest/modules/apt_module.html
[12] http://docs.ansible.com/ansible/latest/modules/list_of_system_modules.html
[13] http://docs.ansible.com/ansible/latest/modules/service_module.html#service-module
[14] https://docs.ansible.com/ansible/latest/user_guide/playbooks_intro.html#handlers-running-operations-on-change
[15] http://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#directory-layout
[16] https://docs.ansible.com/ansible/latest/modules/template_module.html
[17] https://docs.ansible.com/ansible/latest/user_guide/playbooks_templating.html
[18] https://gitea.io/en-us/
[19] https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-examples
[20] https://docs.openstack.org/python-openstackclient/pike/configuration/index.html
[21] https://docs.openstack.org/python-openstackclient/pike/configuration/index.html
[22] https://docs.ansible.com/ansible/latest/modules/command_module.html
[23] https://docs.openstack.org/python-openstackclient/pike/

Author
Jlozadad is an Ansible Consultant. I'm from Carolina, Puerto Rico, and I love IT and gaming. I spend most of my time playing video games, looking at open source software, and laughing.

Adapted from "A sysadmin's guide to Ansible: How to simplify tasks" on Opensource.com, published under a Creative Commons Attribution Share-Alike 4.0 International License at https://opensource.com/article/18/7/sysadmin-tasks-ansible.
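Returning to the shell and command modules: shell hands the rendered string to /bin/sh, so a variable interpolated into it can add commands, whereas command splits the string into one argv with no shell, and Ansible's quote filter (shlex.quote underneath) keeps a value as a single argument in either case. The following added example, not code from the article, reproduces that difference with the Python standard library: render() stands in for Jinja for the two placeholder forms used in playbooks, shell_commands() tokenises a line the way a POSIX shell would, and command_module_argv() mirrors the command module's shlex.split. The task templates, the hostile variable value and the server name are constructed for the demonstration.

```python
"""Why shell + "{{ var }}" is an injection, and what command / | quote change.

Added example for this guide (not code from the original article). Stdlib
only; the templates, the variable value and the server name are constructed.
"""
import re
import shlex
from typing import Dict, List

# Two ways the same task is commonly written in a playbook.
SHELL_TASK = "openstack server show {{ server_name }}"
SHELL_TASK_QUOTED = "openstack server show {{ server_name | quote }}"
# A value that arrived from an inventory, a survey form or an API, not from you.
UNTRUSTED_VARS = {"server_name": "web01; rm -rf /var/lib/postgresql"}

_PLACEHOLDER = re.compile(r"{{\s*(\w+)\s*(\|\s*quote\s*)?}}")
SEPARATORS = {";", "|", "&", "&&", "||"}


def render(template: str, variables: Dict[str, str]) -> str:
    """Stand-in for Jinja for the two forms above. Ansible's quote filter is
    shlex.quote, so the quoted form always yields a single shell word."""
    def substitute(match):
        value = variables[match.group(1)]
        return shlex.quote(value) if match.group(2) else value
    return _PLACEHOLDER.sub(substitute, template)


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise as /bin/sh would and split into one argv per command.
    This is what the target runs when the shell module is used."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def command_module_argv(cmdline: str) -> List[str]:
    """The command module runs no shell: the string is shlex-split into one
    argv, so ';' and '|' become ordinary arguments rather than operators."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    for label, template in (("shell, raw", SHELL_TASK), ("shell, | quote", SHELL_TASK_QUOTED)):
        line = render(template, UNTRUSTED_VARS)
        print(f"{label:15} -> {line}")
        print(f"{'':15}    runs {len(shell_commands(line))} command(s): {shell_commands(line)}")
    print(f"command module  -> argv {command_module_argv(render(SHELL_TASK, UNTRUSTED_VARS))}")
```

With the raw shell form the rendered line runs two commands, the second of which is the attacker's; with | quote it runs one command whose last argument is the whole hostile string, and the command module never runs a shell at all, so the worst case there is a failed openstack call with extra arguments.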




Testing Ansible roles with Molecule .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .




       Testing Ansible roles
       with Molecule
       by Jairo da Silva Junior


       Learn how to automate your verifications using Python.


       Test techniques play an important role in software development, and this is no different when we are talking about Infrastructure as Code (IaC).
          Developers are always testing, and constant feedback is necessary to drive development. If it takes too long to get feedback on a change, your steps might be too large, making errors hard to spot. Baby steps and fast feedback are the essence of TDD (test-driven development). But how do you apply this approach to the development of ad hoc playbooks or roles?
          When you're developing an automation, a typical workflow would start with a new virtual machine. I will use Vagrant [1] to illustrate this idea, but you could use libvirt [2], Docker [3], VirtualBox [4], or VMware [5], an instance in a private or public cloud, or a virtual machine provisioned in your data center hypervisor (oVirt [6], Xen [7], or VMware, for example).
          When deciding which virtual machine to use, balance feedback speed and similarity with your real target environment.
          The minimal starting point with Vagrant would be:

       vagrant init centos/7 # or any other box

          Then add Ansible provisioning to your Vagrantfile:

       config.vm.provision "ansible" do |ansible|
          ansible.playbook = "playbook.yml"
       end

          In the end, your workflow would be:

       1. vagrant up
       2. Edit playbook.
       3. vagrant provision
       4. vagrant ssh to verify VM state.
       5. Repeat steps 2 to 4.

          Occasionally, the VM should be destroyed and brought up again (vagrant destroy -f; vagrant up) to increase the reliability of your playbook (i.e., to test if your automation is working end-to-end).
          Although this is a good workflow, you're still doing all the hard work of connecting to the VM and verifying that everything is working as expected.
          When tests are not automated, you'll face issues similar to those when you do not automate your infrastructure.
          Luckily, tools like Testinfra [8] and Goss [9] can help automate these verifications.
          I will focus on Testinfra, as it is written in Python and is the default verifier for Molecule. The idea is pretty simple: automate your verifications using Python:

       def test_nginx_is_installed(host):
           nginx = host.package("nginx")
           assert nginx.is_installed
           assert nginx.version.startswith("1.2")


       def test_nginx_running_and_enabled(host):
           nginx = host.service("nginx")
           assert nginx.is_running
           assert nginx.is_enabled

          In a development environment, this script would connect to the target host using SSH (just like Ansible) to perform the above verifications (package presence/version and service state):






py.test --connection=ssh --hosts=server

In short, during infrastructure automation development, the challenge is to provision new infrastructure, execute playbooks against it, and verify that your changes reflect the state you declared in your playbooks.

• What can Testinfra verify?
   • Infrastructure is up and running from the user's point of view (e.g., HTTPD or Nginx is answering requests, and MariaDB or PostgreSQL is handling SQL queries).
   • OS service is started and enabled
   • A process is listening on a specific port
   • A process is answering requests
   • Configuration files were correctly copied or generated from templates
   • Virtually anything you do to ensure that your server state is correct
• What safeties do these automated tests provide?
   • Perform complex changes or introduce new features without breaking existing behavior (e.g., it still works in RHEL-based distributions after adding support for Debian-based systems).
   • Refactor/improve the codebase when new versions of Ansible are released and new best practices are introduced.

What we've done with Vagrant, Ansible, and Testinfra so far is easily mapped to the steps described in the Four-Phase Test [10] pattern, a way to structure tests that makes the test objective clear. It is composed of the following phases: Setup, Exercise, Verify, and Teardown.

• Setup: Prepares the environment for the test execution (e.g., spins up new virtual machines):

 vagrant up

• Exercise: Effectively executes the code against the system under test (i.e., the Ansible playbook):

 vagrant provision

• Verify: Verifies the previous step's output:

 py.test (with Testinfra)

• Teardown: Returns to the state prior to Setup:

 vagrant destroy

The same idea we used for an ad hoc playbook could be applied to role development and testing, but do you need to do all these steps every time you develop something new? What if you want to use containers, or an OpenStack, instead of Vagrant? What if you'd rather use Goss than Testinfra? How do you run this continuously for every change in your code? Is there a simpler and faster way to develop our playbooks and roles with automated tests?

Molecule
Molecule [11] helps develop roles using tests. The tool can even initialize a new role with test cases: molecule init role --role-name foo
   Molecule is flexible enough to allow you to use different drivers for infrastructure provisioning, including Docker, Vagrant, OpenStack, GCE, EC2, and Azure. It also allows the use of different server verification tools, including Testinfra and Goss.
   Its commands ease the execution of tasks commonly used during the development workflow:
• lint - Executes yamllint, ansible-lint, and flake8, reporting failure if there are issues
• syntax - Verifies the role for syntax errors
• create - Creates an instance with the configured driver
• prepare - Configures instances with preparation playbooks
• converge - Executes playbooks targeting hosts
• idempotence - Executes a playbook twice and fails in case of changes in the second run (non-idempotent)
• verify - Executes server state verification tools (Testinfra or Goss)
• destroy - Destroys instances
• test - Executes all the previous steps
The login command can be used to connect to provisioned servers for troubleshooting purposes.

Step by step
How do you go from no tests at all to a decent codebase being executed for every change/commit?

1. virtualenv (optional)
The virtualenv tool creates isolated environments, while virtualenvwrapper is a collection of extensions that facilitate the use of virtualenv.
   These tools prevent dependencies and conflicts between Molecule and other Python packages on your machine. (The first line below installs into the system Python as root; pip install --user virtualenvwrapper avoids that and keeps the system interpreter untouched.)

sudo pip install virtualenvwrapper
export WORKON_HOME=~/envs
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv molecule

2. Molecule
Install Molecule with the Docker driver:

pip install molecule ansible docker

Generate a new role with test scenarios:

molecule init role -r role_name






       or for existing roles:

       molecule init scenario -r my-role

       All the necessary configuration is generated with your role, and you need only write test cases using Testinfra:

       import os

       import testinfra.utils.ansible_runner

       testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
           os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')


       def test_jboss_running_and_enabled(host):
           jboss = host.service('wildfly')
           assert jboss.is_enabled


       def test_jboss_listening_http(host):
           socket = host.socket('tcp://0.0.0.0:8080')
           assert socket.is_listening


       def test_mgmt_user_authentication(host):
           # ansible:ansible is a fixture credential for the throwaway test instance
           command = "curl --digest -L -D - http://localhost:9990/management -u ansible:ansible"
           cmd = host.run(command)
           assert 'HTTP/1.1 200 OK' in cmd.stdout

       This example test case for a Wildfly role verifies that the OS service is enabled, a process is listening on port 8080, and authentication is properly configured. (The curl command has to be a single string: a backslash-newline inside a Python string literal would splice the indentation into the URL.)
          Coding these tests is straightforward, and you basically need to think about an automated way to verify something.
          You are already writing tests when you log into a machine targeted by your playbook, or when you build verifications for your monitoring/alerting systems. This knowledge will contribute to building something with the Testinfra API [12] or using a system command.

       CI
       Continuously executing your Molecule tests is simple. The following example works for Travis CI with the Docker driver, but it could be easily adapted for any CI server and any infrastructure driver supported by Molecule.

       ---
       sudo: required
       language: python
       services:
         - docker
       before_install:
         - sudo apt-get -qq update
         - pip install molecule
         - pip install docker
       script:
         - molecule test

       Visit Travis CI [13] for sample output.

       Links
       [1] https://github.com/hashicorp/vagrant
       [2] https://libvirt.org/
       [3] https://www.docker.com/
       [4] https://www.virtualbox.org/
       [5] https://www.vmware.com/
       [6] https://ovirt.org/
       [7] https://www.xenproject.org/
       [8] https://testinfra.readthedocs.io/en/latest/
       [9] https://github.com/aelsabbahy/goss
       [10] http://xunitpatterns.com/Four Phase Test.html
       [11] https://molecule.readthedocs.io/en/latest/
       [12] https://testinfra.readthedocs.io/en/latest/
       [13] https://travis-ci.org/jairojunior/ansible-role-jboss/builds/345731738

       Author
       Jairo da Silva Junior: developer, speaker at DevOps conferences, open source contributor, occasional writer, and obsessed with tests and automation. Can't live without CLI tools.

       Adapted from "Testing Ansible roles with Molecule" on Opensource.com, published under a Creative Commons Attribution Share-Alike 4.0 International License at https://opensource.com/article/18/12/testing-ansible-roles-molecule.




. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Ansible for deploying serverless applications




Using Ansible for deploying
serverless applications
by Ryan Scott Brown


Serverless is another step in the direction of managed services and plays nice with Ansible’s
agentless architecture.


Ansible [1] is designed as the simplest deployment tool that actually works. What that means is that it’s not a full programming language. You write YAML templates that define tasks and list whatever tasks you need to automate your job.
   Most people think of Ansible as a souped-up version of “SSH in a ‘for’ loop,” and that’s true for simple use cases. But really Ansible is about tasks, not about SSH. For a lot of use cases, we connect via SSH but also support things like Windows Remote Management (WinRM) for Windows machines, different protocols for network devices, and the HTTPS APIs that are the lingua franca of cloud services.
   In a cloud, Ansible can operate on two separate layers: the control plane and the on-instance resources. The control plane consists of everything not running on the OS. This includes setting up networks, spawning instances, provisioning higher-level services like Amazon’s S3 or DynamoDB, and everything else you need to keep your cloud infrastructure secure and serving customers.
   On-instance work is what you already know Ansible for: starting and stopping services, templating config files, installing packages, and everything else OS-related that you can do over SSH.
   Now, what about serverless [2]? Depending on who you ask, serverless is either the ultimate extension of the continued rush to the public cloud or a wildly new paradigm where everything is an API call, and it’s never been done before.
   Ansible takes the first view. Before “serverless” was a term of art, users had to manage and provision EC2 instances, virtual private cloud (VPC) networks, and everything else. Serverless is another step in the direction of managed services and plays nice with Ansible’s agentless architecture.
   Before we go into a Lambda [3] example, let’s look at a simpler task for provisioning a CloudFormation stack:

- name: Build network
  cloudformation:
    stack_name: prod-vpc
    state: present
    template: base_vpc.yml

Writing a task like this takes just a couple minutes, but it brings the last semi-manual step involved in building your infrastructure—clicking “Create Stack”—into a playbook with everything else. Now your VPC is just another task you can call when building up a new region.
   Since cloud providers are the real source of truth when it comes to what’s really happening in your account, Ansible has a number of ways to pull that back and use the IDs, names, and other parameters to filter and query running instances or networks. Take for example the cloudformation_facts module that we can use to get the subnet IDs, network ranges, and other data back out of the template we just created.





- name: Pull all new resources back in as a variable
  cloudformation_facts:
    stack_name: prod-vpc
  register: network_stack

For serverless applications, you’ll definitely need a complement of Lambda functions in addition to any other DynamoDB tables, S3 buckets, and whatever else. Fortunately, by using the lambda module, Lambda functions can be created in the same way as the stack from the last tasks:

- lambda:
    name: sendReportMail
    zip_file: "{{ deployment_package }}"
    runtime: python3.6
    handler: report.send
    memory_size: 1024
    role: "{{ iam_exec_role }}"
  register: new_function

If you have another tool that you prefer for shipping the serverless parts of your application, that works as well. The open source Serverless Framework [4] has its own Ansible module that will work just as well:

- serverless:
    service_path: '{{ project_dir }}'
    stage: dev
  register: sls
- name: Serverless uses CloudFormation under the hood, so you can easily pull info back into Ansible
  cloudformation_facts:
    stack_name: "{{ sls.service_name }}"
  register: sls_facts

That’s not quite everything you need, since the serverless project also must exist, and that’s where you’ll do the heavy lifting of defining your functions and event sources. For this example, we’ll make a single function that responds to HTTP requests. The Serverless Framework uses YAML as its config language (as does Ansible), so this should look familiar.

# serverless.yml
service: fakeservice

provider:
  name: aws
  runtime: python3.6

functions:
  main:
    handler: test_function.handler
    events:
      - http:
          path: /
          method: get

Links
[1] https://www.ansible.com/
[2] https://en.wikipedia.org/wiki/Serverless_computing
[3] https://aws.amazon.com/lambda/
[4] https://serverless.com/

Author
Ryan is a Senior Software Engineer and spends most of his time on cloud-adjacent Open Source tooling, including Ansible and the Serverless Framework.

Adapted from “Using Ansible for deploying serverless applications” on Opensource.com, published under a Creative Commons Attribution Share-Alike 4.0 International License at https://opensource.com/article/17/8/ansible-serverless-applications.
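The three tasks from this article chained into one play, as an added example rather than the author’s code: the VPC stack is built, its outputs are pulled back with cloudformation_facts, and the subnet and security group IDs from those outputs are passed to the lambda module so the function runs inside the VPC instead of on the public side of it. The output names PrivateSubnetA, PrivateSubnetB and LambdaSecurityGroup are assumptions about what base_vpc.yml exports, and the execution role and deployment package are assumed to exist already.

```yaml
---
# Added example, not from the original article: build the VPC stack, pull
# its outputs back, and place the Lambda function inside that network.
- name: Build the network and deploy a function into it
  hosts: localhost
  connection: local
  gather_facts: no

  vars:
    stack_name: prod-vpc
    # Assumed to be built already by an earlier step.
    deployment_package: build/report.zip
    # Placeholder ARN; substitute the least-privilege execution role you created.
    iam_exec_role: arn:aws:iam::123456789012:role/lambda-report-exec

  tasks:
    - name: Build network
      cloudformation:
        stack_name: "{{ stack_name }}"
        state: present
        template: base_vpc.yml

    - name: Pull all new resources back in as a variable
      cloudformation_facts:
        stack_name: "{{ stack_name }}"
      register: network_stack

    # cloudformation_facts nests its result under ansible_facts.cloudformation,
    # keyed by stack name; stack_outputs holds whatever the template exports.
    - name: Keep the stack outputs in a short variable
      set_fact:
        vpc_out: "{{ network_stack.ansible_facts.cloudformation[stack_name].stack_outputs }}"

    # Fail before creating anything if the template does not export what the
    # function needs, rather than ending up with a function on the wrong network.
    # The three output names below are assumptions about base_vpc.yml.
    - name: Check that the template exported the values we depend on
      assert:
        that:
          - vpc_out.PrivateSubnetA is defined
          - vpc_out.PrivateSubnetB is defined
          - vpc_out.LambdaSecurityGroup is defined
        msg: "base_vpc.yml must export PrivateSubnetA, PrivateSubnetB and LambdaSecurityGroup"

    # Same function as in the article, now attached to the private subnets and
    # the security group that came back out of the stack.
    - name: Create the function inside the private subnets
      lambda:
        name: sendReportMail
        zip_file: "{{ deployment_package }}"
        runtime: python3.6
        handler: report.send
        memory_size: 1024
        role: "{{ iam_exec_role }}"
        vpc_subnet_ids:
          - "{{ vpc_out.PrivateSubnetA }}"
          - "{{ vpc_out.PrivateSubnetB }}"
        vpc_security_group_ids:
          - "{{ vpc_out.LambdaSecurityGroup }}"
      register: new_function
```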








4 Ansible playbooks you should try
by Daniel Oh

Streamline and tighten automation processes in complex IT environments with these Ansible playbooks.

In a complex IT environment, even the smallest tasks can seem to take forever. Sprawling systems are hard to develop, deploy, and maintain. Business demands only increase complexity, and IT teams struggle with management, availability, and cost.
   How do you address this complexity while meeting today’s business demands? There is no doubt that Ansible [1] can improve your current processes, migrate applications for better optimization, and provide a single language for DevOps practices across your organization.
   More importantly, you can declare configurations through Ansible playbooks [2], but they also orchestrate the steps of any manual ordered process, even when different steps must bounce back and forth between sets of machines in particular orders. They can launch tasks synchronously or asynchronously.
   While you might run the main /usr/bin/ansible program for ad-hoc tasks, playbooks are more likely to be kept in source control and used to push out your configuration or ensure the configurations of your remote systems are in spec. Because Ansible playbooks are a configuration, deployment, and orchestration language, they can describe a policy you want your remote systems to enforce or a set of steps in a general IT process.
   Here are four Ansible playbooks that you should try to further customize and configure how your automation works.

Managing Kubernetes objects
When you perform CRUD operations on Kubernetes [3] objects, Ansible playbooks enable you to quickly and easily access the full range of Kubernetes APIs through the OpenShift Python client. The following playbook snippets show you how to create specific Kubernetes namespace and service objects:

- name: Create a k8s namespace
  k8s:
    name: mynamespace
    api_version: v1
    kind: Namespace
    state: present

- name: Create a Service object from an inline definition
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: web
        namespace: mynamespace
        labels:
          app: galaxy
          service: web
      spec:
        selector:






          app: galaxy
          service: web
        ports:
        - protocol: TCP
          targetPort: 8000
          name: port-8000-tcp
          port: 8000

- name: Create a Service object by reading the definition from a file
  k8s:
    state: present
    src: /mynamespace/service.yml

# Passing the object definition from a file
- name: Create a Deployment by reading the definition from a local file
  k8s:
    state: present
    src: /mynamespace/deployment.yml

Mitigate critical security concerns like Meltdown and Spectre
In the first week of January 2018, two flaws were announced: Meltdown and Spectre [4]. Both involved the hardware at the heart of more or less every computing device on the planet: the processor. There is a great in-depth review of the two flaws here [5]. While Meltdown and Spectre are not completely mitigated, the following playbook snippets show how to easily deploy the patches for Windows:

- name: Patch Windows systems against Meltdown and Spectre
  hosts: "{{ target_hosts | default('all') }}"

  vars:
    reboot_after_update: no
    registry_keys:
      - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
        name: FeatureSettingsOverride
        data: 0
        type: dword

      - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
        name: FeatureSettingsOverrideMask
        data: 3
        type: dword

      # https://support.microsoft.com/en-us/help/4072699
      - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
        name: cadca5fe-87d3-4b96-b7fb-a231484277cc
        type: dword
        data: '0x00000000'

  tasks:
    - name: Install security updates
      win_updates:
        category_names:
          - SecurityUpdates
      notify: reboot windows system

    - name: Enable kernel protections
      win_regedit:
        path: "{{ item.path }}"
        name: "{{ item.name }}"
        data: "{{ item.data }}"
        type: "{{ item.type }}"
      with_items: "{{ registry_keys }}"

  handlers:
    - name: reboot windows system
      win_reboot:
        shutdown_timeout: 3600
        reboot_timeout: 3600
      when: reboot_after_update

You can also find other playbooks for Linux [6].

Integrating a CI/CD process with Jenkins
Jenkins [7] is a well-known tool for implementing CI/CD. Shell scripts are commonly used for provisioning environments or to deploy apps during the pipeline flow. Although this could work, it is cumbersome to maintain and reuse scripts in the long run. The following playbook snippets show how to provision infrastructure in a Continuous Integration/Continuous Delivery (CI/CD) process using a Jenkins Pipeline [8].

---
- name: Deploy Jenkins CI
  hosts: jenkins_server
  remote_user: vagrant
  become: yes

  roles:
    - geerlingguy.repo-epel
    - geerlingguy.jenkins
    - geerlingguy.git
    - tecris.maven
    - geerlingguy.ansible

- name: Deploy Nexus Server
  hosts: nexus_server
  remote_user: vagrant
  become: yes







  roles:
    - geerlingguy.java
    - savoirfairelinux.nexus3-oss

- name: Deploy Sonar Server
  hosts: sonar_server
  remote_user: vagrant
  become: yes

  roles:
    - wtanaka.unzip
    - zanini.sonar

- name: On Premises CentOS
  hosts: app_server
  remote_user: vagrant
  become: yes

  roles:
    - jenkins-keys-config

Starting a service mesh with Istio
With a cloud platform, developers must use microservices to architect for portability. Meanwhile, operators are managing extremely large hybrid and multi-cloud deployments. The service mesh with Istio [9] lets operators connect, secure, control, and observe services through dedicated infrastructure such as an Envoy sidecar container, instead of leaving that work to developers. The following playbook snippets show how to install Istio locally on your machine:

---
# Whether the cluster is an OpenShift (ocp) or upstream Kubernetes (k8s) cluster
cluster_flavour: ocp

istio:
  # Install istio with or without istio-auth module
  auth: false

  # A set of add-ons to install, for example kiali
  addon: []

  # The names of the samples that should be installed as well.
  # The available samples are in the istio_simple_samples variable.
  # In addition to the values in istio_simple_samples, 'bookinfo' can also be specified
  samples: []

  # Whether or not to open apps in the browser
  open_apps: false

  # Whether to delete resources that might exist from previous Istio installations
  delete_resources: false

Conclusion
You can find full sets of playbooks that illustrate many of these techniques in the ansible-examples repository [10]. I recommend looking at these in another tab as you go along.
   Hopefully, these tips and snippets of Ansible playbooks have provided some interesting ways to use and extend your automation journey.

Links
[1] https://www.ansible.com/
[2] https://docs.ansible.com/ansible/devel/user_guide/playbooks.html
[3] https://kubernetes.io/
[4] https://meltdownattack.com/
[5] https://access.redhat.com/security/vulnerabilities/speculativeexecution
[6] https://github.com/ansible/ansible-lockdown/blob/master/meltdown-spectre-linux.yml
[7] https://jenkins.io/
[8] https://jenkins.io/doc/book/pipeline/
[9] https://istio.io/
[10] https://github.com/ansible/ansible-examples

Author
Daniel Oh—DevOps Evangelist, CNCF Ambassador, Developer, Public Speaker, Writer, Opensource.com Author

Adapted from “4 Ansible playbooks you should try” on Opensource.com, published under a Creative Commons Attribution Share-Alike 4.0 International License at https://opensource.com/article/18/8/ansible-playbooks-you-should-try.






Get Involved

                 If you find these articles useful, get involved! Your feedback helps improve the status
                 quo for all things DevOps.
                 Contribute to the Opensource.com DevOps resource collection, and join the team of
                 DevOps practitioners and enthusiasts who want to share the open source stories
                 happening in the world of IT.
                 The Open Source DevOps team is looking for writers, curators, and others who can help
                 us explore the intersection of open source and DevOps. We’re especially interested in
                 stories on the following topics:

                    • DevOps practical how-tos
                    • DevOps and open source
                    • DevOps and talent
                    • DevOps and culture
                    • DevSecOps/rugged software

                 Learn more about the Opensource.com DevOps team: https://opensource.com/devops-team



Additional Resources

                 The open source guide to DevOps monitoring tools
                 This free download for sysadmin observability tools includes analysis of open source
                 monitoring, log aggregation, alerting/visualizations, and distributed tracing tools.
                 Download it now: The open source guide to DevOps monitoring tools

                 The ultimate DevOps hiring guide
                 This free download provides advice, tactics, and information about the state of DevOps
                 hiring for both job seekers and hiring managers.
                 Download it now: The ultimate DevOps hiring guide

                 The Open Organization Guide to IT Culture Change
                 In The Open Organization Guide to IT Culture Change, more than 25 contributors from
                 open communities, companies, and projects offer hard-won lessons and practical ad-
                 vice on how to create an open IT department that can deliver better, faster results and
                 unparalleled business value.
                 Download it now: The Open Organization Guide to IT Culture Change







Write for Us

     Would you like to write for Opensource.com? Our editorial calendar includes upcoming themes,
     community columns, and topic suggestions: https://opensource.com/calendar
     Learn more about writing for Opensource.com at: https://opensource.com/writers
     We're always looking for open source-related articles on the following topics:
                Big data: Open source big data tools, stories, communities, and news.
                Command-line tips: Tricks and tips for the Linux command-line.
                Containers and Kubernetes: Getting started with containers, best practices,
                security, news, projects, and case studies.
                Education: Open source projects, tools, solutions, and resources for educators,
                students, and the classroom.
                Geek culture: Open source-related geek culture stories.
                Hardware: Open source hardware projects, maker culture, new products, howtos,
                and tutorials.
                Machine learning and AI: Open source tools, programs, projects and howtos for
                machine learning and artificial intelligence.
                Programming: Share your favorite scripts, tips for getting started, tricks for
                developers, tutorials, and tell us about your favorite programming languages and
                communities.
                Security: Tips and tricks for securing your systems, best practices, checklists,
                tutorials and tools, case studies, and security-related project updates.



                                              Keep in touch!
                 Sign up to receive roundups of our best articles,
                giveaway alerts, and community announcements.
            Visit opensource.com/email-newsletter to subscribe.



