Ansible Playbooks
What is Ansible Playbook?
Ansible Playbooks are the way of sending commands to remote systems through scripts. Ansible playbooks are used to configure complex system environments to increase flexibility by executing a script to one or more systems.
An Ansible Playbook can be as simple as running a series of commands on different server in sequence and restarting those servers in a particular order, or it could be as complex as deploying hundreds of VMs in a public and private cloud infrastructure!
---
- name: Simple Playbook
hosts: webservers
tasks:
- name: ensure apache is at the latest version
yum:
name: httpd
state: latestSample Ansible Playbooks
Here we have a simple ansible Playbook, which helps you to get the idea:
Remember the host we want to perform these operations against is always set at a play level. You could have any host or groups specified here but you must ensure that the host or group is first defined in the inventory file we created earlier. The host defined in the inventory file must match the host used in the Playbook .
We can also split the list of tasks into two separate plays (using our YAML skills):
The '-' indicates that it is an item in the list. So the Playbook is a list of dictionaries. Each play is a dictionary and has a set of properties called name, hosts and tasks . Remember these are properties of a dictionary and so the order doesn't really matter. So even if you swap the position of name and hosts, it's still a valid play.
How ever this is not the same for tasks. The tasks is a list as denoted by the dashes. List are ordered collections, So the position of entries matter. Swapping the position of entries here, really matters.
The different actions run by tasks are called modules. In our example, command, script, yum and service are Ansible Modules. There hundreds of other modules available. We will talk about them later.
The YAML format is key while developing Playbooks. We must pay extra attention to the indentation and structure of this file. For testing yaml files:
web site: http://www.yamllint.com/
ATOM ide with linter-js-yaml and remote-sync (if you need)
Running Ansible
There are Two ways of running Ansible:
ansiblecommand (ad-hoc commands) : Used when we want to use ansible for One task, such as Testing connectivity between ansible controller and target, Shutting down a set of server, ... . In that case we can run ansible with out writing a playbook.ansible-playbookcommand : used when you have a playbook.
ansible (Imperative)
ansible-playbook (Declarative)
ansible <host> -a <command>
ansible-playbook <playbook name>
ansible all -a '''/sbin/reboot'
ansible <host> -m <module>
ansible target1 -m ping
Demo - Running Ansible
We have already talked about ad-hoc commands, so go back for more examples:
Demo - Running ansible playbooks
Lets do the same thing using a playbook:
We do not need to any hosts here, because we have specified the hosts inside the playbook.
As second example lets create a new playbook using copy module, to copy some files to target systems. Always use ansible documentations it has good examples
If you check the target server(s) you would see the test-file is now there.
Know if we execute the playbook again what will happened? Copy the files? Over write it? Or just leave it as it is because the file is over there?
As we said Ansible is smart enough and detects that the file is over there and does not change any thing. And that is the concept of Ansible Idempotency.
Idempotency: In simple words, Ansible only makes a change if it has to, if it is already in the same state then it really doesn't make the change. So we can run the ansible playbook as many time as we want, it is only going to make a change when there is a need.
Use ansible-playbook with -v or --verbose switches to get more information, use -vv or even -vvv for more information. -vvvv enables connection debugging!
Privilege Escalation
We have already get familiar with privilege escalation concept and why we need that. First lets run a sample playbook with out escalating privileges and see the results:
and the results:
There are two different ways we can run this as root:
use -b switch while running playbook:
ansible-playbook -b <playbook.yaml>add a line become: yes or become: true inside playbook.
Now run it again and check the results:
use become_user the user name that we want to switch to like compare it with sudo su - user .
Handlers
Sometimes you want a task to run only when a change is made on a machine. For example, you may want to start a service if a task updates the configuration of that service, but not if the configuration is unchanged. Ansible uses handlers to address this use case. Handlers are tasks that only run when notified. If a handler get notified multiple times, it just runs once. Each handler should have a globally unique name.
As an example lets install vsftp , vsftp is the name of the package on both ubuntu and centos:
As there is no apt on centos, ignore_error cause playbook continue running other tasks even if this task fails. So if there is an error keep going!
and lets run it again!
and this time no RUNNING HANDLER [start vsftpd] if you have noticed! Because there is no changes made.
.
.
.
.
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html
https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
https://www.middlewareinventory.com/blog/ansible-playbook-example/
https://www.middlewareinventory.com/blog/ansible-sudo-ansible-become-example/
https://spacelift.io/blog/ansible-playbooks
.
Last updated
Was this helpful?