Lab: Intro To Ansible

Introduction

Today we will explore a leading tool for automated systems configuration management. We will use Ansible to configure systems as web servers.

A useful short introduction can be found in this Ansible Video; the first nine and a half minutes are the most valuable.

Lab Diagram

Part A: Install Ansible on cn01

Ansible is part of the standard RHEL repos but it is not included on the ISO that we used to build our repos on Yoda.

  1. Add the Ansible packages, and dependencies, to Yoda.
    1. Expand the supplied tar ball on Yoda
      cd /var/www/html
      tar xf /tmp/ansible_repo.tar
      
    2. Create the matching .repo file on cn01
      cat > /etc/yum.repos.d/yodaAnsible.repo <<EOF
      [yodaAnsible]
      metadata_expire=-1
      name=yodaAnsible
      baseurl=http://yoda/ansible
      enabled=1
      gpgcheck=1
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      EOF
      
    3. Install ansible
      yum install ansible-core
      

Part B: Set up ssh

Ansible uses ssh to communicate between the control node and the managed nodes. We learned how to do this in our ssh lab.

  1. Create a key pair for root on cn01
  2. Distribute the public key to /root/.ssh/authorized_keys on web01 and web02
  3. Verify that our keys are good and accept the ssh fingerprints
    ssh web01 hostname
    ssh web02 hostname
    

Part C: Tell Ansible where to find our managed nodes

Note: all Ansible configuration and commands will be run on cn01

  1. Declare our inventory by making /etc/ansible/hosts look like this:
    [web]
    web01
    web02
    
  2. Test our work
    ansible -m ping all
    
    should return something like...
    web01 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    web02 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

Part D: Write a Playbook

Ansible uses playbooks to group commands. Playbooks are YAML (.yml) files. YAML is picky about spacing and indentation, even more picky than Python. We can set up vim or nano defaults to help us. Note: For the .vimrc setting to apply, you must invoke vim, not vi.

  1. Make vim YAML friendly by using spaces instead of tabs. Make your ~/.vimrc file look like this:
    set expandtab
    set tabstop=4
    
    or if you must... Make your ~/.nanorc file look like this:
    set tabsize 4
    set tabstospaces
    
  2. Create a simple playbook to install httpd on all web servers. Call your playbook ~/ansible/web_config.yml
    ---
    - name: configure web server
      hosts: web
      remote_user: root
    
      tasks:
       - name: Install the latest version of Apache
         ansible.builtin.dnf:
           name: httpd
           state: latest
    
  3. Run our first playbook
    ansible-playbook  web_config.yml
    
  4. Demonstrate that our playbook is idempotent by running it again
    ansible-playbook  web_config.yml
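
An added example (not part of the original lab handout): one way to check step 4 mechanically is to read the PLAY RECAP that ansible-playbook prints and confirm that every host reports changed=0. The function name check_recap and the two recap samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from a PLAY RECAP whether a run was a clean no-op.
# Real use on cn01:  ansible-playbook web_config.yml | check_recap

# Reads ansible-playbook output on stdin and prints "host: counter=N" for every
# host whose changed, failed or unreachable counter is above zero.
# Exit status: 0 = nothing changed, 1 = something changed or failed,
#              2 = no recap lines found (the play never reached a host).
check_recap() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && /ok=[0-9]+/ {
            hosts++
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                watched = (kv[1] == "changed" || kv[1] == "failed" || kv[1] == "unreachable")
                if (watched && kv[2] + 0 > 0) {
                    printf "%s: %s\n", $1, $i
                    bad = 1
                }
            }
        }
        END { if (hosts == 0) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: first run, httpd gets installed on both hosts.
FIRST_RUN='PLAY RECAP *********************************************************
web01                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
web02                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0'

# Constructed sample: second run, nothing left to do.
SECOND_RUN='PLAY RECAP *********************************************************
web01                      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
web02                      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0'

for run in "$FIRST_RUN" "$SECOND_RUN"; do
    if printf '%s\n' "$run" | check_recap; then
        echo "idempotent: no host reported a change"
    else
        echo "not a no-op: see the hosts listed above"
    fi
done
```

Because the playbook uses state: latest, a later run can legitimately report changed=1 if a newer httpd package has appeared in the repo since the previous run.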
    

Part E: Expand our playbook to include firewall settings

  1. Here is the task to add:
       - name: permit traffic in default zone for http service
         ansible.posix.firewalld:
           service: http
           permanent: yes
           immediate: yes
           state: enabled
    
  2. Run our playbook
    ansible-playbook  web_config.yml
    
  3. How did that go?
  4. Download and add the Ansible posix collection (ansible.posix), which provides the firewalld module:
    1. Fetch the code as a tarball from https://galaxy.ansible.com
      • Select Download tarball
    2. Copy the tarball to root's home directory on cn01
    3. Write a requirements file to install the posix collection on cn01
      cat > ~/ansible/posix_requirements.yml <<EOF
      ---
      
      collections:
          - name: ../ansible-posix-1.5.1.tar.gz
            type: file
      EOF
      
      Note: Your tarball may have a newer version number than this example.
    4. Install the collection from the requirements file
      ansible-galaxy install -r posix_requirements.yml
      
  5. Try running our firewall playbook again
    ansible-playbook  web_config.yml
    
  6. Check our work... (http should be open)
    ssh web01 firewall-cmd --reload
    ssh web01 firewall-cmd --list-all
    

Part F: Check our work - access the web server


Part G: Fix our work


Part H: Our Second Playbook

Create a second playbook named home_page.yml containing the task(s) required to publish a simple home page on our web servers.

  1. Create a simple home page of your own design (index.html).
  2. Use the Ansible built-in copy module (ansible.builtin.copy) to publish your home page on web01 and web02 (copy module docs)

Grading

Submit your web_config.yml and home_page.yml to Canvas.

