diff --git a/content/slides/cri/md/ansible.md b/content/slides/cri/md/ansible.md
index 858e5a8c08b9455d7c26cd6a624f431b0709f113..fd46ebc8a65ca54e884a47c0563806accfde517c 100644
--- a/content/slides/cri/md/ansible.md
+++ b/content/slides/cri/md/ansible.md
@@ -106,13 +106,11 @@
dans `./inventory.ini`
```ini
-[other]
-other1.isima.fr
-
[criprod]
-pvecriprod2.isima.fr
-py.criprod.isima.fr
-gitlab-runner1.criprod.isima.fr
+ansible-test.criprod.isima.fr
+
+[ovh]
+ansible-test.ovh.isima.fr
[criprod:vars]
environment = production
@@ -123,9 +121,27 @@ ansible_user = limosadm
```
-## ad-hoc command
+## inventory
+
+```
+Host ansible-test.criprod.isima.fr
+ User limosadm
+ Hostname 192.168.220.243
+ IdentityFile ~/.ssh/ids/duncan.isima.fr/limosadm/id_rsa
+Host ansible-test.ovh.isima.fr
+ User limosadm
+ Hostname 10.10.100.2
+ IdentityFile ~/.ssh/ids/duncan.isima.fr/limosadm/id_rsa
+ ProxyCommand ssh duncan -W %h:%p
```
+
+la connexion ssh doit se faire sans mot de passe sur le système
+
+
+## ad-hoc command
+
+```shell
$ ansible criprod --inventory-file=inventory.ini \
-a "/usr/bin/uptime"
@@ -145,28 +161,25 @@ gitlab-runner1.criprod.isima.fr | CHANGED | rc=0 >>
## ad-hoc command
+fonctionne avec les modules ansible
+
```shell
-$ ansible all --inventory-file=inventory.ini \
+$ ansible ovh --inventory-file=inventory.ini \
--module-name ping
-other1.isima.fr | SUCCESS => {
- "changed": false,
- "ping": "pong"
-}
-pvecriprod2.isima.fr | SUCCESS => {
- "changed": false,
- "ping": "pong"
-}
-py.criprod.isima.fr | SUCCESS => {
- "changed": false,
- "ping": "pong"
-}
-gitlab-runner1.criprod.isima.fr | SUCCESS => {
+ansible-test.ovh.isima.fr | SUCCESS => {
"changed": false,
"ping": "pong"
}
```
+avec le module raw python n'est pas nécessaire ;)
+
+```shell
+ansible ovh --inventory-file=inventory.ini \
+-m raw -a "sudo apt update && sudo apt install -y python"
+```
+
## ad-hoc command
@@ -189,7 +202,7 @@ my-playbook.yml
```yaml
- name: my-playbook # ce que vous voulez
- hosts: criprod # ou all
+ hosts: ovh # ou all
# ou n'importe quel nom de machine
# ou n'importe quel nom de groupe
remote_user: limosadm # prioritaire sur ansible_user de l'inventaire
@@ -200,13 +213,24 @@ my-playbook.yml
## playbook
```shell
-$ ansible-playbook my-playbook.yml --inventory-file=inventory.ini
+$ ansible-playbook my-playbook.yml \
+ --inventory-file=inventory.ini
```
* exécute le playbook
* sur toutes les machines définies dans `hosts:`
* en parallèle
+```shell
+PLAY [my-playbook] ****************************************************************************
+
+TASK [Gathering Facts] ************************************************************************
+ok: [ansible-test.ovh.isima.fr]
+
+PLAY RECAP ************************************************************************************
+ansible-test.ovh.isima.fr : ok=1 changed=0 unreachable=0 failed=0
+```
+
## variables
@@ -221,7 +245,9 @@ $ ansible-playbook my-playbook.yml --inventory-file=inventory.ini
```yaml
- name: my-playbook
- hosts: server.test
+ hosts: ovh
+ remote_user: limosadm
+
vars:
awesomevar: awesome
```
@@ -229,13 +255,47 @@ $ ansible-playbook my-playbook.yml --inventory-file=inventory.ini
`group_vars/all.yml`
```yaml
-mail_address: vincent.mazenod@isima.fr
-ssl:
- country_name: FR
- state_province_name: puy de dome
- locality_name: Aubière
- organization_name: LIMOS
- organizational_unit_name: IT
+coolvar: Coool
+```
+
+
+## variables
+
+[<i class="fa fa-book" aria-hidden="true"></i> debug](https://docs.ansible.com/ansible/latest/modules/debug_module.html)
+
+```yaml
+ tasks:
+
+ - name: display awesome message
+ debug:
+ msg: "{{ awesomevar }}"
+
+ - name: display cool message
+ debug:
+ msg: "{{ coolvar }}"
+```
+
+
+## variables
+
+```shell
+PLAY [my-playbook] ****************************************************************************
+
+TASK [Gathering Facts] ************************************************************************
+ok: [ansible-test.ovh.isima.fr]
+
+TASK [display awesome message] ****************************************************************
+ok: [ansible-test.ovh.isima.fr] => {
+ "msg": "awesome"
+}
+
+TASK [display cool message] *******************************************************************
+ok: [ansible-test.ovh.isima.fr] => {
+ "msg": "Coool"
+}
+
+PLAY RECAP ************************************************************************************
+ansible-test.ovh.isima.fr : ok=3 changed=0 unreachable=0 failed=0
```
@@ -270,125 +330,157 @@ permettent de lire les variables à partir de l'entrée standard.
* valeurs collectées par ansible à l'exécution du playbook
```yaml
-- debug:
+- name: display hostname
+ debug:
msg: "System {{ inventory_hostname }}"
-- debug:
+- name: display os family
+ debug:
msg: "comes from family {{ ansible_os_family }}"
-- name: HOSTVARS (ANSIBLE GATHERED, group_vars, host_vars) :
+- name: HOSTVARS (ANSIBLE GATHERED, group_vars, host_vars)
debug:
- msg: {{ hostvars | to_yaml }}
+ msg: "{{ hostvars | to_yaml }}"
```
[<i class="fa fa-book" aria-hidden="true"></i> Variables discovered from systems: Facts](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variables-discovered-from-systems-facts)
-## [<i class="fa fa-book" aria-hidden="true"></i> set_fact](https://docs.ansible.com/ansible/latest/modules/set_fact_module.html)
+## jinja
-```yaml
-criprod:
- pvecriprod1:
- api_users:
- - proxmoxapi
- - vimazeno
-```
+[<i class="fa fa-book" aria-hidden="true"></i> templating](https://docs.ansible.com/ansible-container/container_yml/template.html)
-```yaml
-- name: provisionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
- set_fact:
- _pve: "{ 'cluster': '{{ lookup('env','PVE_CLUSTER') }}', 'node': '{{ lookup('env','PVE_NODE') }}', 'host': '{{ lookup('env','PVE_HOST') }}'}"
+utilisable partout (playbook, role, tasks, template)
-- name: provisionner les utilisateurs d'api pve uniquement du noeud (pour y accéder plus facilement dans les roles)
- set_fact:
- api_users: "{ 'api_users': {{ hostvars[inventory_hostname][_pve.cluster][_pve.node]['api_users'] }}}"
-- name: fusionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
- set_fact:
- pve: "{{ _pve | combine(api_users) }}"
+## filters
+
+[<i class="fa fa-book" aria-hidden="true"></i> filters](https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html)
+
+```yaml
+"{{ item_path[:4] | replace('/', '-') }}"
```
-[<i class="fa fa-gitlab" aria-hidden="true"></i> réorganiser les variables dans une pre_task](https://gitlab.isima.fr/cri/stack/blob/master/ansible/pre-tasks/set-pve-vars.yml)
+* renvoie le contenu de la variable (un path)
+ * sans les 4 derniers caractères
+ * avec les `/` remplacés par des `-`
+[<i class="fa fa-book" aria-hidden="true"></i> developing filters](https://docs.ansible.com/ansible/latest/dev_guide/developing_plugins.html#developing-particular-plugin-types)
-## jinja
-[<i class="fa fa-book" aria-hidden="true"></i> templating](https://docs.ansible.com/ansible-container/container_yml/template.html)
+## lookup
-group_vars/all.yml
+[<i class="fa fa-book" aria-hidden="true"></i> lookup](https://docs.ansible.com/ansible/latest/plugins/lookup.html)
```yaml
-my-role: my-awesome-role
+vars:
+ file_contents: "{{lookup('file', 'path/to/file.txt')}}"
```
-playbook.yml
-
```yaml
-roles:
+- name: lit un secret dans vault (mais on fera pas comme ça)
+ debug:
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxx url=http://myvault')}}"
+```
- - role: "{{ my-role }}"
+```yaml
+- name: lit une variable d'environnement sur le noeud pilote
+ debug:
+ msg: "{{ lookup('env','PVE_NODE') }}"
```
-utilisable partout (playbook, role, tasks, template)
+[<i class="fa fa-book" aria-hidden="true"></i> lookup list](https://docs.ansible.com/ansible/latest/plugins/lookup.html#plugin-list)
+[<i class="fa fa-book" aria-hidden="true"></i> developing lookups](https://docs.ansible.com/ansible/latest/dev_guide/developing_plugins.html#developing-particular-plugin-types)
-## filters
-[<i class="fa fa-book" aria-hidden="true"></i> filters](https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html)
+## task
+
+[<i class="fa fa-book" aria-hidden="true"></i> loop](https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html)
```yaml
-"{{ item.path[:4] | replace('/', '-') }}"
+- user:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - testuser1
+ - testuser2
+ loop_control:
+ index_var: key_index
```
-* renvoie un path
- * sans les 4 derniers caractères
- * avec les `/` remplacés par des `-`
+* marche avec
+ * n'importe quelle variable itérable
+ * [fileglob](https://docs.ansible.com/ansible/latest/plugins/lookup/fileglob.html) - fichiers par pattern
+ * [filetree](https://docs.ansible.com/ansible/latest/plugins/lookup/filetree.html) - tous les fichiers récursivement
+ * ...
-## lookup
+## task
-[<i class="fa fa-book" aria-hidden="true"></i> lookup](https://docs.ansible.com/ansible/latest/plugins/lookup.html)
+[<i class="fa fa-book" aria-hidden="true"></i> when](https://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html)
+
+[<i class="fa fa-book" aria-hidden="true"></i> conditions](https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html)
```yaml
-vars:
- file_contents: "{{lookup('file', 'path/to/file.txt')}}"
+- name: affiche un message sur la vezrison de l'os
+ shell: echo "only on Red Hat 6, derivatives, and later"
+ when: |
+ ansible_facts['os_family'] == "RedHat"
+ and ansible_facts['lsb']['major_release']|int >= 6
```
-[<i class="fa fa-book" aria-hidden="true"></i> lookup list](https://docs.ansible.com/ansible/latest/plugins/lookup.html#plugin-list)
+conditions jinja, Ã la python:
+* not, is, empty, in ...
-[<i class="fa fa-book" aria-hidden="true"></i> callback](https://docs.ansible.com/ansible/latest/plugins/callback.html)
+## task
-## lookup
+* permet de continuer l'exécution du playbook
+ * même en cas de retour d'erreur d'une commande
```yaml
-- debug:
- msg: "{{ lookup('env','PVE_NODE') }}"
+- name: get mysqladmin
+ shell: mysqladmin status
+ ignore_errors: True
```
-lit une valeur à partir d'une variable d'environement
+
+## task
+
+* permet de forcer à stopper l'exécution du playbook
+ * sur une condition
```yaml
-- debug:
- msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxx url=http://myvault')}}"
+- name: get mysqladmin
+ shell: mysqladmin status
+ failed_when: "'FAILED' in command_result.stderr"
```
-lit un secret dans vault
+* parfois ignorer l'erreur ne suffit pas pour continuer
+ * il faut ajouter `failed_when`
+```yaml
+- name: get mysqladmin
+ shell: mysqladmin status
+ ignore_errors: True
+ failed_when: no
+```
-## basic tasks
-[<i class="fa fa-book" aria-hidden="true"></i> debug](https://docs.ansible.com/ansible/latest/modules/debug_module.html)
+## [command modules](https://docs.ansible.com/ansible/latest/modules/list_of_commands_modules.html)
* [<i class="fa fa-book" aria-hidden="true"></i> raw](https://docs.ansible.com/ansible/latest/modules/raw_module.html)
* n'utilise que ssh et pas python
* permet d'installer python
+
* [<i class="fa fa-book" aria-hidden="true"></i> command](https://docs.ansible.com/ansible/latest/modules/command_module.html#command-module)
* [<i class="fa fa-book" aria-hidden="true"></i> shell](https://docs.ansible.com/ansible/latest/modules/shell_module.html)
* comme **command** mais au travers d'un shell
```yaml
-- shell: somescript.sh >> somelog.txt
+- name: redirige la sortie de somescript.sh dans somelog.txt
+ shell: somescript.sh >> somelog.txt
args:
chdir: somedir/
creates: somelog.txt
@@ -399,48 +491,101 @@ lit un secret dans vault
[<i class="fa fa-book" aria-hidden="true"></i> register](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#registering-variables)
+dans une variable
+
```yaml
-shell: /usr/bin/foo
-register: foo_result
-ignore_errors: True
-failed_when: no
+- name: le service pam est il lancé
+ shell: "ps -aux | grep pam"
+ register: pam_status
```
-[<i class="fa fa-gitlab" aria-hidden="true"></i> register dans une liste](https://gitlab.isima.fr/cri/ansible-playbook-vault/blob/master/tasks/initialize.yml#L17)
-
-
-## task
-[<i class="fa fa-book" aria-hidden="true"></i> loop](https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html)
+dans une liste
```yaml
-- user:
- name: "{{ item }}"
- state: present
+- name: les services sshd, systemd, dbus sont ils lancés
+ shell: "ps -aux | grep {{ item }}"
+ register: services_status
loop:
- - testuser1
- - testuser2
+ - sshd
+ - systemd
+ - dbus
+```
+
+
+## register (<i class="fa fa-gift" aria-hidden="true"></i>)
+
+```json
+"msg": {
+ "changed": true,
+ "cmd": "ps -aux | grep pam",
+ "delta": "0:00:00.011674",
+ "end": "2019-01-23 20:27:24.836966",
+ "failed": false,
+ "rc": 0,
+ "start": "2019-01-23 20:27:24.825292",
+ "stderr": "",
+ "stderr_lines": [],
+ "stdout": "limosadm 22227 0.0 0.1 193868 2688 ? S 20:27 0:00 (sd-pam)\nlimosadm 22359 0.0 0.0 4628 856 pts/0 S+ 20:27 0:00 /bin/sh -c ps -aux | grep pam\nlimosadm 22361 0.0 0.0 14856 1100 pts/0 S+ 20:27 0:00 grep pam",
+ "stdout_lines": [
+ "limosadm 22227 0.0 0.1 193868 2688 ? S 20:27 0:00 (sd-pam)",
+ "limosadm 22359 0.0 0.0 4628 856 pts/0 S+ 20:27 0:00 /bin/sh -c ps -aux | grep pam",
+ "limosadm 22361 0.0 0.0 14856 1100 pts/0 S+ 20:27 0:00 grep pam"
+ ]
+ }
```
-* marche avec
- * n'importe quelle variable itérable
- * [fileglob](https://docs.ansible.com/ansible/latest/plugins/lookup/fileglob.html) - list files matching a pattern
- * [filetree](https://docs.ansible.com/ansible/latest/plugins/lookup/filetree.html) - recursively match all files in a directory tree
- * ...
+```yaml
+- name: afficher la sortie de la commande
+ debug:
+ msg: pam_status.stdout
+```
-## task
+## register (<i class="fa fa-gift" aria-hidden="true"></i>)
-[<i class="fa fa-book" aria-hidden="true"></i> when](https://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html)
+```yaml
+- name:
+ shell: mysqladmin status
+ register: mysql_status
+ ignore_errors: True
+```
- * If a task fails or is skipped, **the variable still is registered with a failure or skipped status**
+```yaml
+- name:
+ shell: mysqladmin status
+ register: mysql_status
+ when: False
+```
-[<i class="fa fa-book" aria-hidden="true"></i> conditions](https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html)
+* If a task fails or is skipped, **the variable still is registered with a failure or skipped status**
+
+
+## [<i class="fa fa-book" aria-hidden="true"></i> set_fact](https://docs.ansible.com/ansible/latest/modules/set_fact_module.html)
+
+```yaml
+criprod:
+ pvecriprod1:
+ api_users:
+ - proxmoxapi
+ - vimazeno
+```
```yaml
-- shell: echo "only on Red Hat 6, derivatives, and later"
- when: ansible_facts['os_family'] == "RedHat" and ansible_facts['lsb']['major_release']|int >= 6
+- name: provisionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
+ set_fact:
+ _pve: "{ 'cluster': '{{ lookup('env','PVE_CLUSTER') }}', 'node': '{{ lookup('env','PVE_NODE') }}', 'host': '{{ lookup('env','PVE_HOST') }}'}"
+
+- name: provisionner les utilisateurs d'api pve uniquement du noeud (pour y accéder plus facilement dans les roles)
+ set_fact:
+ api_users: "{ 'api_users': {{ hostvars[inventory_hostname][_pve.cluster][_pve.node]['api_users'] }}}"
+
+- name: fusionner l'environnement du noeud (pour y accéder plus facilement dans les roles)
+ set_fact:
+ pve: "{{ _pve | combine(api_users) }}"
```
+[<i class="fa fa-gitlab" aria-hidden="true"></i> réorganiser les variables dans une pre_task](https://gitlab.isima.fr/cri/stack/blob/master/ansible/pre-tasks/set-pve-vars.yml)
+
## modules
@@ -615,6 +760,9 @@ become_user: root
become_method: sudo
```
+[<i class="fa fa-book" aria-hidden="true"></i> callback](https://docs.ansible.com/ansible/latest/plugins/callback.html)
+
+
## extend