Bearbeiten von „KIF490:Einführung in Ansible (einfach wartbare, reproduzierbare Systemkonfigurationen)“


= Ansible Quickstart =


== What? ==

* Automation framework
* Open Source
* use cases
** software deployment
** configuration management
** infrastructure service orchestration
** security automation


Docs: [https://docs.ansible.com/ https://docs.ansible.com/]

== How? ==


=== Define hosts (hosts file) ===

* in <code>/etc/ansible/hosts</code> or whatever is configured in <code>/etc/ansible/ansible.cfg</code>
* or by supplying it to an ansible command with <code>-i</code>
* which hosts are we addressing? how to connect to them?
* in ini format or YAML
* hosts will later be identified by this name
* hosts can be grouped to apply actions to whatever hosts are in a group
* ini example:

<syntaxhighlight lang="ini">
mail.example.com

[webservers]
foo.example.com
bar.example.com

[webservers:vars]
port_for_thing=8080

[dbservers]
one.example.com
two.example.com
test_server ansible_host=three.example.com
</syntaxhighlight>
* YAML example:

<syntaxhighlight lang="yaml">
all:
  hosts:
    mail.example.com:
  children:
    webservers:
      hosts:
        foo.example.com:
        bar.example.com:
      vars:
        port_for_thing: 8080
    dbservers:
      hosts:
        one.example.com:
        two.example.com:
        test_server:
            ansible_host: three.example.com
</syntaxhighlight>
* default groups: <code>all</code> and <code>ungrouped</code>
* also nice: ranges of hosts

<syntaxhighlight lang="yaml">
webservers:
    hosts:
        www[01:50].example.com
</syntaxhighlight>
* example host file from the kif minetest server:

<syntaxhighlight lang="yaml">
all:
  hosts:
    kif_minetest:
</syntaxhighlight>
* ...and the rest is specified in the <code>~/.ssh/config</code> (ssh jumps, key file etc.)
* dynamic inventory possible


=== Writing playbooks ===

* in YAML
* specify tasks which will be run in sequence
* descriptive: tasks describe desired state, we don't worry about how it is achieved
* name for identification
* module with parameters ([https://docs.ansible.com/ansible/latest/collections/ look at the docs])
* optional meta stuff
** <code>vars</code>: variables to pass in (e.g. if templating a file)
** <code>with_items</code> etc.: items for each to run this task
** <code>when</code>: conditionals to skip the task if not met
** <code>tags</code> to attach to run only or exclude specific subsets of tasks on runtime
* rule of thumb: don't be more clever than you need to, simplicity &amp; readability first!
* run playbooks with <code>ansible-playbook -i my_hosts_file.yml example_playbook.yml</code>


Example 1: Simple minetest server install on Ubuntu
<syntaxhighlight lang="yaml">
---
- hosts: all
  tasks:
    - name: Install newest minetest server
      apt:
        pkg:
          - minetest-server
        state: latest
        update_cache: true
        cache_valid_time: 86400  # One day
      become: true
</syntaxhighlight>

This playbook has just one task it will run on any target specified in the inventory.<br>
We use [https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html the <code>apt</code> module] to update the cache if older than a day and install the <code>minetest-server</code> package. By specifying <code>state: latest</code>, we instruct it to ensure the newest available version is installed (the default <code>state: present</code> would already be satisfied if the package would be installed). Leaving out <code>cache_valid_time</code> would cause the module to always update the cache (and take up time), keeping the default of <code>update_cache: false</code> would base actions just on the existing cache every time<br>
The whole task needs <code>become: true</code> to meet the elevated user rights required by changing system critical aspects. <code>become</code> can be thought of as an abstraction from <code>sudo</code> in the case of linux, as Ansible can be used to manage a multitude of different systems, including Windows.<ref>Though it may require [https://docs.ansible.com/ansible/latest/user_guide/windows.html system specific modules]</ref>
<hr>

Example 2: Repeating steps, evaluating variables
<syntaxhighlight lang="yaml">
...

- name: Assign directories to minetest group and owner
  file:
    path: "{{ minetest_base_dir }}/{{ item }}"
    state: directory
    mode: u=rwX,g=rX,o=rX
    owner: minetest
    group: minetest
  with_items:
    - minetest
    - minetest_game
    - minetest_source
    - minetest_mods
    - world
    - minetest_mapserver
  become: true

...
</syntaxhighlight>

We assume <code>minetest_base_dir</code> is a variable either defined somewhere in our playbook or supplied by us from the command line (<code>ansible-playbook -i my_hosts_file.yml</code> '''<code>-e minetest_base_dir=&quot;/var/lib/minetest&quot;</code>''' <code>example_playbook.yml</code>) or from a file (<code>ansible-playbook -i my_hosts_file.yml</code> '''<code>-e @my_variables.yml</code>''' <code>example_playbook.yml</code>).<br>
We want to change the group and owner of a bunch of directories and their contents and assign a mode: files should be readable for everyone and only writable for the user owning them.<ref>We cannot just write <code>mode: 644</code> though, because directories need to be marked as executable to list their contents – they should have mode 755. Just as on the command line using <code>chmod</code>, the <code>file</code> module also accepts the syntax shown in the example. Using the big <code>X</code> instead if the small one means the executable bit is only set for directories or if the bit was already set before.</ref><br>
The <code>{{</code> curly braces <code>}}</code> are Jinja2 syntax and here only denote variables, though we can do more complicated stuff. These should always be in quotation marks so the whole file is valid YAML syntax.<br>
<code>item</code> is only present because of our use of <code>with_items</code>: We run the task for every item in that list, at every iteration the current item is assigned to the <code>item</code> variable. Here we are just using strings, but we could use arbitrarily complex items, if our goal requires it. There are a bunch of aliases for <code>with_items</code>, another one is <code>loop</code>.
<hr>

Example 3: Checking for file properties, acting based on a previous tasks output
<syntaxhighlight lang="yaml">
- name: Get stats of a file
  ansible.builtin.stat:
    path: /etc/foo.conf
  register: st

- name: Fail if the file does not belong to 'root'
  ansible.builtin.fail:
    msg: "Whoops! file ownership has changed"
  when: st.stat.pw_name != 'root'
</syntaxhighlight>

The [https://docs.ansible.com/ansible/latest/collections/ansible/builtin/stat_module.html <code>stat</code> module] never changes anything. It just retrieves status information about a file. But by registering the result of the task to a variable, we can use it for other parts of our playbook.
<div class="info" style="padding: 15px; margin-bottom: 20px; border: 1px solid transparent; border-radius: 4px; color: #31708f; background-color: #d9edf7; border-color #bce8f1;">
Be careful though, '''if you find yourself programming in a playbook, you're doing something wrong.''' Mostly you're either over-engineering/procrastinating on other problems or you really need a module that does that complicated stuff instead.
</div><hr>

Example 4: Using commands when no modules for it are available
<syntaxhighlight lang="yaml">
- name: Get newest Minetest
  ansible.builtin.git:
    repo: "{{ minetest_git_repo }}"
    dest: "{{ minetest_base_dir }}/minetest_source"
    force: true
    version: "{{ minetest_version }}"
  diff: false
  become: true
  register: minetest_repo

- name: Build Minetest
  command:
    cmd: "{{ item }}"
    chdir: "{{ minetest_base_dir }}/minetest_source"
  with_items:
    - cmake . -DRUN_IN_PLACE=TRUE -DBUILD_SERVER=TRUE -DBUILD_CLIENT=FALSE -DPostgreSQL_TYPE_INCLUDE_DIR=/usr/include/postgresql/
    - make -j4
  become: true
  register: minetest_build
  when: minetest_repo.changed
</syntaxhighlight>

There's not always a module for everything. Sometimes the usecase is too obscure, sometimes there is no meaningful way to ensure Ansible principles like idempotence.<ref>not changing stuff if the desired state is already met</ref><br>
The above example is trying to build minetest for maximum control over the installed version. After resetting the git repository to the desired version, the binary is built. For this, we use the [https://docs.ansible.com/ansible/latest/collections/ansible/builtin/command_module.html <code>command</code> module] – but it has no idea whether the desired state is already met or whether the command has to be run again. We manually tell it to skip this task if the repository did not change in the previous task.
<div class="info" style="padding: 15px; margin-bottom: 20px; border: 1px solid transparent; border-radius: 4px; color: #31708f; background-color: #d9edf7; border-color #bce8f1;">
There is a minor gotcha with this: Assume you abort the playbook while its running the build task because you forgot to do something else. If you run it again, the git update will be skipped, as it is already in its desired state. But now the build task will not be run again. If you have this in your playbooks, you need to be aware of this edge case.<br>
This is another reason why logical links in playbooks should be kept to a minimum.
</div><div class="warning" style="padding: 15px; margin-bottom: 20px; border: 1px solid transparent; border-radius: 4px; color: #8a6d3b; background-color: #fcf8e3; border-color: #faebcc;">
There is also the <code>shell</code> module that feels very similar. But in contrast to <code>command</code>, it runs the specified command in a shell. This opens up the use of shell features like piping, but comes at an increased security risk, especially if building the command from variables.<br>
Using <code>shell</code> is ''not'' recommended.
</div>
To make <code>command</code> report success, failure or changed properties depending on other conditions than just the return code, use [https://docs.ansible.com/ansible/latest/user_guide/playbooks_error_handling.html#defining-failure <code>failed_when</code>, <code>changed_when</code> and <code>ignore_errors</code>].

=== Testing things ===

* syntax check with <code>yamllint</code> and <code>ansible-lint</code>
* on real targets (e.g. different host files to ''not'' mess up production stuff)
* in containers or VMs
** Vagrant (see below: [[#Further_reading|Further reading]])


=== Keeping secrets ===


It is common practice to store important variables alongside playbooks and roles in even public repositories by encryping them with [https://docs.ansible.com/ansible/latest/cli/ansible-vault.html Ansible Vault].
<div class="warning" style="padding: 15px; margin-bottom: 20px; border: 1px solid transparent; border-radius: 4px; color: #8a6d3b; background-color: #fcf8e3; border-color: #faebcc;">
These are production secrets, but never management access to the target machines. Jump hosts are one popular solution to grant access to many machines to various actors: Only this host stores the admins pubkeys, while the target machines only have the key from jump host.
</div>
=== Roles ===


Roles are re-usable playbooks that come with default variables, files and can be shared in collections using [https://docs.ansible.com/ansible/latest/galaxy/user_guide.html Ansible Galaxy]. Roles are even easier to develop and test using [https://molecule.readthedocs.io/en/latest/getting-started.html Molecule] to automate different testing stages (linting, provisioning, testing for idempotence, testing for side effects).

== interesting stuff ==

* create container &amp; deploy (example from [http://docs.ansible.com docs.ansible.com])

<syntaxhighlight lang="yaml">
- name: Create a jenkins container
  community.general.docker_container:
    docker_host: myserver.net:4243
    name: my_jenkins
    image: jenkins

- name: Add the container to inventory
  ansible.builtin.add_host:
    name: my_jenkins
    ansible_connection: docker
    ansible_docker_extra_args: "--tlsverify --tlscacert=/path/to/ca.pem --tlscert=/path/to/client-cert.pem --tlskey=/path/to/client-key.pem -H=tcp://myserver.net:4243"
    ansible_user: jenkins
  changed_when: false

- name: Create a directory for ssh keys
  delegate_to: my_jenkins
  ansible.builtin.file:
    path: "/var/jenkins_home/.ssh/jupiter"
    state: directory
</syntaxhighlight>

== Further reading ==

* Ansible docs: Group tasks to blocks: [https://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html https://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html]
* Ansible docs: Guide on using Vagrant with Ansible: [https://docs.ansible.com/ansible/latest/scenario_guides/guide_vagrant.html https://docs.ansible.com/ansible/latest/scenario_guides/guide_vagrant.html]
** Vagrant can use various virtualization backends
** Images (&quot;boxes&quot;) are available for specific backends; when running Vagrant with QEMU/KVM, you cannot use &quot;ubuntu/bionic64&quot;, use &quot;generic/ubuntu2004&quot;
** [https://ostechnix.com/how-to-use-vagrant-with-libvirt-kvm-provider/ https://ostechnix.com/how-to-use-vagrant-with-libvirt-kvm-provider/]
* another Ansible beginners tutorial that looks easy to start with: [https://learnxinyminutes.com/docs/ansible/ https://learnxinyminutes.com/docs/ansible/]
* an article on using Ansible to spawn and destroy Podman containers: [https://fedoramagazine.org/using-ansible-to-configure-podman-containers/ https://fedoramagazine.org/using-ansible-to-configure-podman-containers/]

<hr>
* Ansible roles/playbooks to deploy the server in our current configuration or test locally: [https://gitlab.fachschaften.org/minetest/minetest_scripts https://gitlab.fachschaften.org/minetest/minetest_scripts]
* Ansible roles by TU Dortmund: [https://gitlab.fachschaften.org/fsi-ansible https://gitlab.fachschaften.org/fsi-ansible]