Commit ec46cdbc authored by Vincent Mazenod
ansible

parent a6a2b559
......@@ -106,13 +106,11 @@
dans `./inventory.ini`
```ini
[other]
other1.isima.fr
[criprod]
pvecriprod2.isima.fr
py.criprod.isima.fr
gitlab-runner1.criprod.isima.fr
ansible-test.criprod.isima.fr
[ovh]
ansible-test.ovh.isima.fr
[criprod:vars]
environment = production
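Review bot: the new `[ovh]` group has no `[ovh:vars]` section, so `environment = production` and `ansible_user = limosadm` under `[criprod:vars]` apply to `ansible-test.criprod.isima.fr` but not to `ansible-test.ovh.isima.fr`, which then depends on the playbook's `remote_user` or on the SSH client config for its login name. Either add an `[ovh:vars]` block with the same two settings or move `ansible_user = limosadm` to `[all:vars]`. `environment` is also a reserved Ansible keyword (the play/task `environment:` option), so naming the variable something like `env_name` avoids the reserved-name warning.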
......@@ -123,9 +121,27 @@ ansible_user = limosadm
```
## ad-hoc command
## inventory
```
Host ansible-test.criprod.isima.fr
User limosadm
Hostname 192.168.220.243
IdentityFile ~/.ssh/ids/duncan.isima.fr/limosadm/id_rsa
Host ansible-test.ovh.isima.fr
User limosadm
Hostname 10.10.100.2
IdentityFile ~/.ssh/ids/duncan.isima.fr/limosadm/id_rsa
ProxyCommand ssh duncan -W %h:%p
```
la connexion ssh doit se faire sans mot de passe sur le système
## ad-hoc command
```shell
$ ansible criprod --inventory-file=inventory.ini \
-a "/usr/bin/uptime"
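Review bot: "la connexion ssh doit se faire sans mot de passe" should be read as key-based authentication with the key loaded in an ssh-agent, not as a passphrase-less private key: both `Host` entries point at the same `IdentityFile ~/.ssh/ids/duncan.isima.fr/limosadm/id_rsa`, so a single unencrypted key file would give access to both targets and, through the `ProxyCommand`, to the `duncan` bastion as well. While here, `ProxyJump duncan` is the current equivalent of `ProxyCommand ssh duncan -W %h:%p`, and `IdentitiesOnly yes` keeps the client from offering every agent key to the bastion.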
......@@ -145,28 +161,25 @@ gitlab-runner1.criprod.isima.fr | CHANGED | rc=0 >>
## ad-hoc command
fonctionne avec les modules ansible
```shell
$ ansible all --inventory-file=inventory.ini \
$ ansible ovh --inventory-file=inventory.ini \
--module-name ping
other1.isima.fr | SUCCESS => {
"changed": false,
"ping": "pong"
}
pvecriprod2.isima.fr | SUCCESS => {
"changed": false,
"ping": "pong"
}
py.criprod.isima.fr | SUCCESS => {
"changed": false,
"ping": "pong"
}
gitlab-runner1.criprod.isima.fr | SUCCESS => {
ansible-test.ovh.isima.fr | SUCCESS => {
"changed": false,
"ping": "pong"
}
```
avec le module raw python n'est pas nécessaire ;)
```shell
ansible ovh --inventory-file=inventory.ini \
-m raw -a "sudo apt update && sudo apt install -y python"
```
## ad-hoc command
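Review bot: `-m raw -a "sudo apt update && sudo apt install -y python"` installs the `python` package, which on Debian/Ubuntu is Python 2 where it still exists and is absent on current releases; install `python3` so the interpreter Ansible discovers matches what its modules need. The `sudo` inside the command also hard-codes privilege escalation into the ad-hoc string; `ansible ovh -b -m raw -a "apt update && apt install -y python3"` lets `become` handle it, which is consistent with the `become_method: sudo` configuration shown later in this commit.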
......@@ -189,7 +202,7 @@ my-playbook.yml
```yaml
- name: my-playbook # ce que vous voulez
hosts: criprod # ou all
hosts: ovh # ou all
# ou n'importe quel nom de machine
# ou n'importe quel nom de groupe
remote_user: limosadm # prioritaire sur ansible_user de l'inventaire
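Review bot: the comment `# prioritaire sur ansible_user de l'inventaire` has the precedence inverted. In Ansible, variables (including `ansible_user` set in the inventory, as in `[criprod:vars]`) override play keywords such as `remote_user`, and `-u` on the command line overrides the keyword as well; the play-level `remote_user` only applies to hosts that have no `ansible_user` defined. Reword the comment to say that the inventory's `ansible_user` wins, or drop `remote_user` here and rely on the inventory.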
......@@ -200,13 +213,24 @@ my-playbook.yml
## playbook
```shell
$ ansible-playbook my-playbook.yml --inventory-file=inventory.ini
$ ansible-playbook my-playbook.yml \
--inventory-file=inventory.ini
```
* exécute le playbook
* sur toutes les machines définies dans `hosts:`
* en parallèle
```shell
PLAY [my-playbook] ****************************************************************************
TASK [Gathering Facts] ************************************************************************
ok: [ansible-test.ovh.isima.fr]
PLAY RECAP ************************************************************************************
ansible-test.ovh.isima.fr : ok=1 changed=0 unreachable=0 failed=0
```
## variables
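Review bot: "en parallèle" deserves a qualifier. By default Ansible runs each task on at most `forks` hosts at a time (5 unless changed in `ansible.cfg` or with `-f`), and with the default `linear` strategy a task must finish on every host in the play before the next task starts, so the run is parallel per task, not per host.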
......@@ -221,7 +245,9 @@ $ ansible-playbook my-playbook.yml --inventory-file=inventory.ini
```yaml
- name: my-playbook
hosts: server.test
hosts: ovh
remote_user: limosadm
vars:
awesomevar: awesome
```
......@@ -229,13 +255,47 @@ $ ansible-playbook my-playbook.yml --inventory-file=inventory.ini
`group_vars/all.yml`
```yaml
mail_address: vincent.mazenod@isima.fr
ssl:
country_name: FR
state_province_name: puy de dome
locality_name: Aubière
organization_name: LIMOS
organizational_unit_name: IT
coolvar: Coool
```
## variables
[<i class="fa fa-book" aria-hidden="true"></i> debug](https://docs.ansible.com/ansible/latest/modules/debug_module.html)
```yaml
tasks:
- name: display awesome message
debug:
msg: "{{ awesomevar }}"
- name: display cool message
debug:
msg: "{{ coolvar }}"
```
## variables
```shell
PLAY [my-playbook] ****************************************************************************
TASK [Gathering Facts] ************************************************************************
ok: [ansible-test.ovh.isima.fr]
TASK [display awesome message] ****************************************************************
ok: [ansible-test.ovh.isima.fr] => {
"msg": "awesome"
}
TASK [display cool message] *******************************************************************
ok: [ansible-test.ovh.isima.fr] => {
"msg": "Coool"
}
PLAY RECAP ************************************************************************************
ansible-test.ovh.isima.fr : ok=3 changed=0 unreachable=0 failed=0
```
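Review bot: the slide introduces `group_vars/all.yml` without saying where the directory lives. Ansible only picks up `group_vars/` when it sits next to the inventory file passed with `--inventory-file=inventory.ini` or next to the playbook being run; a one-line note on the expected layout would save readers a silent "undefined variable" when `coolvar` is not found.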
......@@ -270,125 +330,157 @@ permettent de lire les variables à partir de l'entrée standard.
* valeurs collectées par ansible à l'exécution du playbook
```yaml
- debug:
- name: display hostname
debug:
msg: "System {{ inventory_hostname }}"
- debug:
- name: display os family
debug:
msg: "comes from family {{ ansible_os_family }}"
- name: HOSTVARS (ANSIBLE GATHERED, group_vars, host_vars) :
- name: HOSTVARS (ANSIBLE GATHERED, group_vars, host_vars)
debug:
msg: {{ hostvars | to_yaml }}
msg: "{{ hostvars | to_yaml }}"
```
[<i class="fa fa-book" aria-hidden="true"></i> Variables discovered from systems: Facts](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variables-discovered-from-systems-facts)
## [<i class="fa fa-book" aria-hidden="true"></i> set_fact](https://docs.ansible.com/ansible/latest/modules/set_fact_module.html)
## jinja
```yaml
criprod:
pvecriprod1:
api_users:
- proxmoxapi
- vimazeno
```
[<i class="fa fa-book" aria-hidden="true"></i> templating](https://docs.ansible.com/ansible-container/container_yml/template.html)
```yaml
- name: provisionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
set_fact:
_pve: "{ 'cluster': '{{ lookup('env','PVE_CLUSTER') }}', 'node': '{{ lookup('env','PVE_NODE') }}', 'host': '{{ lookup('env','PVE_HOST') }}'}"
utilisable partout (playbook, role, tasks, template)
- name: provisionner les utilisateurs d'api pve uniquement du noeud (pour y accéder plus facilement dans les roles)
set_fact:
api_users: "{ 'api_users': {{ hostvars[inventory_hostname][_pve.cluster][_pve.node]['api_users'] }}}"
- name: fusionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
set_fact:
pve: "{{ _pve | combine(api_users) }}"
## filters
[<i class="fa fa-book" aria-hidden="true"></i> filters](https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html)
```yaml
"{{ item_path[:4] | replace('/', '-') }}"
```
[<i class="fa fa-gitlab" aria-hidden="true"></i> réorganiser les variables dans une pre_task](https://gitlab.isima.fr/cri/stack/blob/master/ansible/pre-tasks/set-pve-vars.yml)
* renvoie le contenu de la variable (un path)
* sans les 4 derniers caractères
* avec les `/` remplacés par des `-`
[<i class="fa fa-book" aria-hidden="true"></i> developing filters](https://docs.ansible.com/ansible/latest/dev_guide/developing_plugins.html#developing-particular-plugin-types)
## jinja
[<i class="fa fa-book" aria-hidden="true"></i> templating](https://docs.ansible.com/ansible-container/container_yml/template.html)
## lookup
group_vars/all.yml
[<i class="fa fa-book" aria-hidden="true"></i> lookup](https://docs.ansible.com/ansible/latest/plugins/lookup.html)
```yaml
my-role: my-awesome-role
vars:
file_contents: "{{lookup('file', 'path/to/file.txt')}}"
```
playbook.yml
```yaml
roles:
- name: lit un secret dans vault (mais on fera pas comme ça)
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxx url=http://myvault')}}"
```
- role: "{{ my-role }}"
```yaml
- name: lit une variable d'environnement sur le noeud pilote
debug:
msg: "{{ lookup('env','PVE_NODE') }}"
```
utilisable partout (playbook, role, tasks, template)
[<i class="fa fa-book" aria-hidden="true"></i> lookup list](https://docs.ansible.com/ansible/latest/plugins/lookup.html#plugin-list)
[<i class="fa fa-book" aria-hidden="true"></i> developing lookups](https://docs.ansible.com/ansible/latest/dev_guide/developing_plugins.html#developing-particular-plugin-types)
## filters
[<i class="fa fa-book" aria-hidden="true"></i> filters](https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html)
## task
[<i class="fa fa-book" aria-hidden="true"></i> loop](https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html)
```yaml
"{{ item.path[:4] | replace('/', '-') }}"
- user:
name: "{{ item }}"
state: present
loop:
- testuser1
- testuser2
loop_control:
index_var: key_index
```
* renvoie un path
* sans les 4 derniers caractères
* avec les `/` remplacés par des `-`
* marche avec
* n'importe quelle variable itérable
* [fileglob](https://docs.ansible.com/ansible/latest/plugins/lookup/fileglob.html) - fichiers par pattern
* [filetree](https://docs.ansible.com/ansible/latest/plugins/lookup/filetree.html) - tous les fichiers récursivement
* ...
## lookup
## task
[<i class="fa fa-book" aria-hidden="true"></i> lookup](https://docs.ansible.com/ansible/latest/plugins/lookup.html)
[<i class="fa fa-book" aria-hidden="true"></i> when](https://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html)
[<i class="fa fa-book" aria-hidden="true"></i> conditions](https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html)
```yaml
vars:
file_contents: "{{lookup('file', 'path/to/file.txt')}}"
- name: affiche un message sur la vezrison de l'os
shell: echo "only on Red Hat 6, derivatives, and later"
when: |
ansible_facts['os_family'] == "RedHat"
and ansible_facts['lsb']['major_release']|int >= 6
```
[<i class="fa fa-book" aria-hidden="true"></i> lookup list](https://docs.ansible.com/ansible/latest/plugins/lookup.html#plugin-list)
conditions jinja, à la python:
* not, is, empty, in ...
[<i class="fa fa-book" aria-hidden="true"></i> callback](https://docs.ansible.com/ansible/latest/plugins/callback.html)
## task
## lookup
* permet de continuer l'exécution du playbook
* même en cas de retour d'erreur d'une commande
```yaml
- debug:
msg: "{{ lookup('env','PVE_NODE') }}"
- name: get mysqladmin
shell: mysqladmin status
ignore_errors: True
```
lit une valeur à partir d'une variable d'environement
## task
* permet de forcer à stopper l'exécution du playbook
* sur une condition
```yaml
- debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxx url=http://myvault')}}"
- name: get mysqladmin
shell: mysqladmin status
failed_when: "'FAILED' in command_result.stderr"
```
lit un secret dans vault
* parfois ignorer l'erreur ne suffit pas pour continuer
* il faut ajouter `failed_when`
```yaml
- name: get mysqladmin
shell: mysqladmin status
ignore_errors: True
failed_when: no
```
## basic tasks
[<i class="fa fa-book" aria-hidden="true"></i> debug](https://docs.ansible.com/ansible/latest/modules/debug_module.html)
## [command modules](https://docs.ansible.com/ansible/latest/modules/list_of_commands_modules.html)
* [<i class="fa fa-book" aria-hidden="true"></i> raw](https://docs.ansible.com/ansible/latest/modules/raw_module.html)
* n'utilise que ssh et pas python
* permet d'installer python
* [<i class="fa fa-book" aria-hidden="true"></i> command](https://docs.ansible.com/ansible/latest/modules/command_module.html#command-module)
* [<i class="fa fa-book" aria-hidden="true"></i> shell](https://docs.ansible.com/ansible/latest/modules/shell_module.html)
* comme **command** mais au travers d'un shell
```yaml
- shell: somescript.sh >> somelog.txt
- name: redirige la sortie de somescript.sh dans somelog.txt
shell: somescript.sh >> somelog.txt
args:
chdir: somedir/
creates: somelog.txt
......@@ -399,48 +491,101 @@ lit un secret dans vault
[<i class="fa fa-book" aria-hidden="true"></i> register](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#registering-variables)
dans une variable
```yaml
shell: /usr/bin/foo
register: foo_result
ignore_errors: True
failed_when: no
- name: le service pam est il lancé
shell: "ps -aux | grep pam"
register: pam_status
```
[<i class="fa fa-gitlab" aria-hidden="true"></i> register dans une liste](https://gitlab.isima.fr/cri/ansible-playbook-vault/blob/master/tasks/initialize.yml#L17)
## task
[<i class="fa fa-book" aria-hidden="true"></i> loop](https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html)
dans une liste
```yaml
- user:
name: "{{ item }}"
state: present
- name: les services sshd, systemd, dbus sont ils lancés
shell: "ps -aux | grep {{ item }}"
register: services_status
loop:
- testuser1
- testuser2
- sshd
- systemd
- dbus
```
## register (<i class="fa fa-gift" aria-hidden="true"></i>)
```json
"msg": {
"changed": true,
"cmd": "ps -aux | grep pam",
"delta": "0:00:00.011674",
"end": "2019-01-23 20:27:24.836966",
"failed": false,
"rc": 0,
"start": "2019-01-23 20:27:24.825292",
"stderr": "",
"stderr_lines": [],
"stdout": "limosadm 22227 0.0 0.1 193868 2688 ? S 20:27 0:00 (sd-pam)\nlimosadm 22359 0.0 0.0 4628 856 pts/0 S+ 20:27 0:00 /bin/sh -c ps -aux | grep pam\nlimosadm 22361 0.0 0.0 14856 1100 pts/0 S+ 20:27 0:00 grep pam",
"stdout_lines": [
"limosadm 22227 0.0 0.1 193868 2688 ? S 20:27 0:00 (sd-pam)",
"limosadm 22359 0.0 0.0 4628 856 pts/0 S+ 20:27 0:00 /bin/sh -c ps -aux | grep pam",
"limosadm 22361 0.0 0.0 14856 1100 pts/0 S+ 20:27 0:00 grep pam"
]
}
```
* marche avec
* n'importe quelle variable itérable
* [fileglob](https://docs.ansible.com/ansible/latest/plugins/lookup/fileglob.html) - list files matching a pattern
* [filetree](https://docs.ansible.com/ansible/latest/plugins/lookup/filetree.html) - recursively match all files in a directory tree
* ...
```yaml
- name: afficher la sortie de la commande
debug:
msg: pam_status.stdout
```
## task
## register (<i class="fa fa-gift" aria-hidden="true"></i>)
[<i class="fa fa-book" aria-hidden="true"></i> when](https://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html)
```yaml
- name:
shell: mysqladmin status
register: mysql_status
ignore_errors: True
```
* If a task fails or is skipped, **the variable still is registered with a failure or skipped status**
```yaml
- name:
shell: mysqladmin status
register: mysql_status
when: False
```
[<i class="fa fa-book" aria-hidden="true"></i> conditions](https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html)
* If a task fails or is skipped, **the variable still is registered with a failure or skipped status**
## [<i class="fa fa-book" aria-hidden="true"></i> set_fact](https://docs.ansible.com/ansible/latest/modules/set_fact_module.html)
```yaml
criprod:
pvecriprod1:
api_users:
- proxmoxapi
- vimazeno
```
```yaml
- shell: echo "only on Red Hat 6, derivatives, and later"
when: ansible_facts['os_family'] == "RedHat" and ansible_facts['lsb']['major_release']|int >= 6
- name: provisionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
set_fact:
_pve: "{ 'cluster': '{{ lookup('env','PVE_CLUSTER') }}', 'node': '{{ lookup('env','PVE_NODE') }}', 'host': '{{ lookup('env','PVE_HOST') }}'}"
- name: provisionner les utilisateurs d'api pve uniquement du noeud (pour y accéder plus facilement dans les roles)
set_fact:
api_users: "{ 'api_users': {{ hostvars[inventory_hostname][_pve.cluster][_pve.node]['api_users'] }}}"
- name: fusionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
set_fact:
pve: "{{ _pve | combine(api_users) }}"
```
[<i class="fa fa-gitlab" aria-hidden="true"></i> réorganiser les variables dans une pre_task](https://gitlab.isima.fr/cri/stack/blob/master/ansible/pre-tasks/set-pve-vars.yml)
## modules
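Review bot: `failed_when: "'FAILED' in command_result.stderr"` in the second `get mysqladmin` task references a variable that is never registered, so the condition fails with an undefined-variable error instead of inspecting the command output; add `register: command_result` to that task (or use `mysql_status`, the name registered further down). Three more fixes in the same region: `msg: pam_status.stdout` in the `afficher la sortie de la commande` task lacks Jinja delimiters and prints the literal string, so it should read `msg: "{{ pam_status.stdout }}"`; when `register: services_status` is combined with `loop`, the per-item results land in `services_status.results`, and `ps -aux | grep {{ item }}` also matches the `grep` process itself (visible in the `stdout_lines` sample), so `pgrep -x {{ item }}` gives a real running/not-running answer; and `ignore_errors: True` together with `failed_when: no` is redundant, since `failed_when: no` alone already prevents the task from failing. Finally, the `hashi_vault` lookup passes `token=xxx` inline; the slide already says not to do it this way, but it is worth stating that the token belongs in the `ANSIBLE_HASHI_VAULT_TOKEN` or `VAULT_TOKEN` environment variable (or an ansible-vault encrypted variable), never in a playbook committed to git.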
......@@ -615,6 +760,9 @@ become_user: root
become_method: sudo
```
[<i class="fa fa-book" aria-hidden="true"></i> callback](https://docs.ansible.com/ansible/latest/plugins/callback.html)
## extend