Ansible¶
What Is It?¶
Ansible is an agentless configuration management and IT automation tool. It uses SSH to connect to managed hosts and YAML playbooks to declare desired system states. Key concepts include inventory, playbooks, roles, modules, and variables.
Installation¶
dnf install ansible
Key Files and Directories¶
| Path | Purpose |
|---|---|
| inventory/hosts | Managed host inventory |
| playbook.yml | Main playbook |
| roles/ | Role task definitions |
| roles/ | Event-driven handlers |
| roles/ | Jinja2 templates |
Configuration¶
Ansible uses a specific directory structure to organise automation code:
ansible/
├── inventory/
│ └── hosts # Managed host inventory
├── roles/
│ ├── etais/
│ │ └── tasks/main.yml
│ ├── dns/
│ │ ├── tasks/main.yml
│ │ ├── templates/ # Jinja2 templates (.j2)
│ │ ├── files/ # Static files to copy
│ │ └── handlers/main.yml
│ └── web/
│ └── tasks/main.yml
└── playbook.yml # Main playbook
Minimal Working Configuration¶
Inventory (inventory/hosts) — defines which hosts to manage:
[vm]
localhost
# Or for remote execution:
# 172.17.64.X
Playbook (playbook.yml) — the main entry point:
---
- hosts: all
user: centos
become: yes
become_user: root
vars:
hostname: example
domain_name: sysadm.ee
roles:
- { role: etais, tags: etais }
- { role: dns, tags: dns }
- { role: web, tags: web }
Key playbook directives:
hosts: all— target all hosts in inventorybecome: yes— escalate to root via sudovars:— define variables usable in tasks and templatesroles:— list of roles to apply (executed beforetasks:)
Role tasks (roles/etais/tasks/main.yml):
- name: Add user scoring
user:
name: scoring
- name: Create .ssh directory
file:
path: /home/scoring/.ssh
state: directory
owner: scoring
group: scoring
mode: '0700'
- name: Download scoring public key
get_url:
url: https://scoring.sysadm.ee/files/id_rsa.pub
dest: /home/scoring/.ssh/authorized_keys
owner: scoring
group: scoring
mode: '0600'
- name: Create sudoers file for scoring
lineinfile:
dest: /etc/sudoers.d/scoring
line: "scoring ALL=(ALL) NOPASSWD: ALL"
state: present
create: yes
Important Directives¶
Modules — each task uses a module to perform an action:
| Module | Purpose | Example |
|---|---|---|
user | Manage user accounts | user: name=scoring |
file | Create files/directories, set permissions | file: path=/dir state=directory mode='0700' |
copy | Copy static files from controller to host | copy: src=file.conf dest=/etc/file.conf |
template | Copy files with Jinja2 variable substitution | template: src=hosts.j2 dest=/etc/hosts |
dnf | Install/remove packages | dnf: name=httpd state=present |
systemd | Manage services | systemd: name=httpd state=restarted enabled=yes |
lineinfile | Ensure a line exists in a file | lineinfile: dest=/etc/file line="key=value" |
get_url | Download files from URLs | get_url: url=https://... dest=/path |
seboolean | Set SELinux booleans | seboolean: name=httpd_can_network_connect state=yes |
sefcontext | Set SELinux file contexts | sefcontext: target='/var/www(/.*)?' setype=httpd_sys_rw_content_t |
Templates use Jinja2 syntax for variable substitution:
# templates/hostname.j2
{{ hostname }}.{{ domain_name }}
Handlers — tasks triggered only when a notifying task reports changed:
# roles/web/handlers/main.yml
- name: restart httpd
systemd:
name: httpd
state: restarted
Reference a handler from a task with notify: restart httpd.
Idempotency — a core Ansible concept. Tasks should only report changed on the first run. Subsequent runs should report ok with no changes, meaning the system is already in the desired state.
Common Commands¶
# Run the full playbook
ansible-playbook playbook.yml -i inventory/hosts
# Run only tasks tagged 'dns'
ansible-playbook playbook.yml -i inventory/hosts --tags=dns
# Dry run (check mode) — show what would change
ansible-playbook playbook.yml -i inventory/hosts --check
# Ad-hoc command — ping all hosts
ansible -m ping all -i inventory/hosts
# Ad-hoc command — run a shell command
ansible all -m shell -a "uptime" -i inventory/hosts
# View gathered facts about a host
ansible -m setup localhost
# Check playbook syntax
ansible-playbook playbook.yml --syntax-check
# List tasks that would run
ansible-playbook playbook.yml --list-tasks
Logging and Debugging¶
- Verbose output: Add
-v,-vv,-vvv, or-vvvvto increase verbosity. debugmodule: Print variable values during execution:- name: Show hostname debug: msg="Hello from {{ ansible_hostname }}"register: Capture task output for later use:- name: Check service status command: systemctl status httpd register: httpd_status - debug: var=httpd_status.stdout- Task states:
ok(no change needed),changed(action taken),failed(error),skipped(condition not met).
Security Considerations¶
- No secrets in playbooks: Never hardcode passwords or keys in YAML files committed to Git. Use Ansible Vault (
ansible-vault encrypt) for sensitive data. - SSH key authentication: Ansible connects via SSH. Use key-based authentication rather than passwords.
- Least privilege: Run tasks as the minimum required user. Only use
become: yeswhen root access is genuinely needed. lineinfilevstemplate: For complex configuration files, prefertemplate(full file replacement) overlineinfile(single-line edits). Templates are more predictable and auditable.- Test before applying: Use
--checkmode and--diffto review changes before applying them to production systems. - Commit regularly: Store your Ansible repository in Git and push after every lab. This provides backup, history, and exam preparation.
Further Reading¶
- Ansible Documentation
- Ansible Module Index
- Ansible Best Practices
- Jinja2 Template Designer Documentation
Related Documentation¶
- Concepts: Configuration Management, Version Control
- SOPs: Ansible Operations