Ansible - Technological watch

What kind of tool is Ansible ?

Ansible is a software release in 2012. Developed in python, Ansible is used to do tasks like configuration management, application deployment, intraservice orchestration, and provisioning. It is an open-source tool and it is very easy to use.

Imagine you have to configure a new linux machine as a web server and want to configure it: You want to create a new user, install nginx, configure it, copy your application into your server…

Easy right ? It should only take less than one hour !

And now, imagine you have to go this for one hundred of machines !

To make it this easy, we can write simple tasks with the YAML syntax called “playbook”. Ansible will read the given tasks in these playbooks, and run them into a server list to make the modifications.

Idempotence

Ansible has an idempotent philosophy;

What is idempotent ? Simply it is: “No matter how many times you call the operation, the result will be the same”. In other words, the final state is the same if you do an action 1 time or 10 times.

For example, you want to install a package: the first time you want to install a package, you want the installation happening. But the second time, the package is already installed, so we don’t care to install it again.

With Ansible, we do not code, we actually write our desired final state.

We can imagine having a job pipeline running every day to assure the state didn’t change.

But why can’t we simply write a bash script ? It would do the same ?

Actually not. Let’s take an example:

Imagine you have written a bash script which does 3 non-idempotent operations:

To test it, you would run it, but it crashes in the middle of the script.

1. Operation 1: OK
2. Operation 2: KO
3. Operation 3: Not triggered

Here, we are now in a middle state, and we can’t re-run the script !

As the operations are not idempotent, if you run the script again, the « operation 1 » would be re-executed !

If the operations are idempotent, we can re-run the script, No matter how many times you call the operation, the result will remain the same !

Ansible Architecture

Modules

Modules are kind of functions proposed by the Ansible developers and the community.

Ansible is open source and has a big community. Most of the time, you will simply use pre-created roles.

In Ansible, you it exists hundred of modules in Ansible developed by the developers community.

Let’s take a simple example with the copy module.

- name: Copy file
  copy:
    src: /srv/myfiles/foo.conf
    dest: /etc/foo.conf

This represents a simple task. The code is very easy to read !

mkdir roles
cd roles

ansible-galaxy role init <role_name>

Inventories

An inventory represents the list of the servers we want to apply the modifications. The syntax is very simple. First, we have under parentheses the name of the group, and then we have the IPs of the servers you want to target.

[my_web_servers]
my_server_ip_1
my_server_ip_2
my_server_ip_3
my_server_ip_4

[my_web_databases]
my_server_ip_5
my_server_ip_6
my_server_ip_7
my_server_ip_8

Playbooks

Finally we have the most interesting past, the playbooks ! A playbook is a sequence of tasks we want to apply on our inventory.

---
- hosts: my_web_servers
  become: yes
  remote_user: root

  tasks:
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/debug_module.html
    - name: Display a super debug message
      debug:
        msg: "A super debug message !"

    # https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html
    # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_templating.html
    - name: Display the current host name
      debug:
        msg: "The current host is {{ ansible_host }}" # <- We can display variables with Jinja2 syntax

    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html
    - name: Create a file called "hello.txt" on all the servers
      copy:
        dest: /hello.txt
        content: My super content !

Here, we launch two tasks on our targets. First we display a debug message, then we copy a simple file hello.txt. Easy to understand right ?

And finally, to run the playbook, you can simply run:

ansible-playbook -i hosts playbook.yml

Or you can run with the --check flag to run in dry-run and check everything will be fine.

ansible-playbook -i hosts playbook.yml --check

Ansible comes with plugins, which you can fetch environment variables, run tasks as sudo users, and much more!

And of course, we can make more complex operations like making conditions or loops, but take care because Ansible isn’t a programming language.

Ansible Vault

Sometimes, we want to securely store sensitive information, such as passwords or secret keys, in encrypted files. This ensures that confidential data remains protected, especially when sharing or version-controlling Ansible playbooks. The encrypted files can be seamlessly integrated into playbooks, and Ansible will handle the decryption process during execution.

Here’s a brief example of how to use Ansible Vault:

First, create an encrypted file. Ansible Vault will prompt you to enter a password. After entering the password, you can add sensitive information to the file. For example:

ansible-vault create secret_vars.yml

# Then you can add passwords like this in the file:
db_password: my_secure_password
api_key: my_secret_key

You can edit the secrets later with this command:

ansible-vault edit secret_vars.yml

Finally, we can use the encrypted variables we defined like this:

---
- name: Example Playbook with Vault
  hosts: servers
  vars_files:
    - secret_vars.yml

  tasks:
    - name: Ensure secure data is used
      debug:
        msg: "DB Password is {{ db_password }} and API Key is {{ api_key }}"

When running the playbook, Ansible will prompt you for the Vault password before execution. This ensures that only authorized users can access the sensitive information stored in the encrypted file.

Ansible Tower

Ansible Tower is an API, a web service and a web console designed to make it easier for use by computer teams. It is a central console for managing automation tasks. Tower is a commercial product supported by Red Hat, Inc.

There is a free version, serving as a beta version for its big sister Tower, called AWX. This version is also usable by companies, but is not guaranteed.

My opinion

I really love Ansible ! Ansible offers a simple way to automate tasks on servers.

I personally use it to generate and save my server backups, deploy SSH keys, create a specific configuration environment, and much more !

Of course, Ansible is not a mandatory, and you can do the same than Ansible does with a bash script. But Ansible offers idempotence and a simple syntax. 😌