Ansible for Absolute Beginners
- Ansible for Absolute Beginners - 30 Days of Ansible (YouTube)
- Ansible Real Life Scenarios (YouTube)
- Automation with Ansible – All You Want to Learn
- techbeatly.com.
- ANSIBLE LEARNFEST GUIDE
- Track 1 “Ansible Automation Platform Administrator”
- Track 2 “Automation Content Developer”
- Ansible - Frequently Asked Questions
Table of Contents
- Ansible for Absolute Beginners
- Ansible Automation Platform (Formerly Ansible Tower)
- Ansible on Clouds
- Red Hat Ansible Automation Platform Hardening Guide
- Migrating, Updating and Upgrading AAP
- Ansible Automation Hub
- Ansible Playbook References
- Tools for Ansible
- Ansible for Network Automation
- Ansible and Python Modules
- Ansible Blog/Articles to Follow
- Ansible Interview Questions
- Ansible Modules
- Other References
- Ansible for IBM Power
- Ansible for Arista Networks
- Ansible for CIS Hardening/CIS Check
- Ansible AD/LDAP Integration
- Best practices
- Utilities and References
Ansible Automation Platform (Formerly Ansible Tower)
Ansible Automation Platform - Containerized Setup
$ export ANSIBLE_COLLECTIONS_PATH=/home/devops/ansible-automation-platform-containerized-setup-bundle-2.4-1-x86_64/collections/
$ ansible-playbook -i inventory ansible.containerized_installer.install
To uninstall a containerized deployment, execute the uninstall.yml playbook.
$ ansible-playbook -i inventory ansible.containerized_installer.uninstall
This will stop all systemd units and containers and then delete all resources used by the containerized installer such as:
- config and data directories/files
- systemd unit files
- podman containers and images
- RPM packages
References:
Removing instance from cluster
bash-4.4$ awx-manage deprovision_instance --hostname aap-rhel-92-2.lab.local
Instance Removed
Successfully deprovisioned aap-rhel-92-2.lab.local
(changed: True)
Installing Ansible Automation Platfom
Note : The Ansible Automation Platform installer only supports Red Hat Enterprise Linux and CentOS.
Enable RHEL and AAP Subscriptions
Make sure you subscribed to Red Hat and added RHEL Subscription.
# subscription-manager register
# subscription-manager attach --pool=<pool_id of RHEL subscription>
# subscription-manager list --consumed
Now, search for Ansible Automation Platform subscription and attach the pool ID.
# subscription-manager list --available --all | grep "Ansible Automation Platform" -B 3 -A 6
# subscription-manager attach --pool=<pool_id>
# subscription-manager list --consumed
Update required repo for AAP 2.1
# subscription-manager repos \
--disable=ansible-automation-platform-2.0-early-access-for-rhel-8-x86_64-rpms
# subscription-manager repos \
--enable=ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms
Prepare for Ansible Automation Platform Installation
- Download the latest Ansible Automation Platform Installation Program
Download Options:
- Option A: From access.redhat.com/downloads(Note, you must have a Red Hat customer account to access the downloads)
- Option B: From releases.ansible.com.
- Option C: From developers.redhat.com
-
Download the old versions of Ansible Tower - setup bundle OpenShift installer - For migration activities. - AAP Nightly Builds
- aap-containerized-nightlies
- Extract the content
$ tar xvzf ansible-tower-setup-latest.tar.gz
$ cd ansible-tower-setup-<tower_version>
Get Registry Credential
You need access to Red Hat Container Registry to fetch the continer images for automation controller and execution environment. You can create a service account in Red Hat registry for the same and use the credential in AAP installation inventory.
# Execution Environment Configuration
# Credentials for container registry to pull execution environment images from,
# comment out registry_username if authentication is not required
registry_url='registry.redhat.io'
registry_username='YOUR_SERICE_ACCOUNT_USERNAME'
registry_password='YOUR_SERICE_ACCOUNT_PASSWORD'
Read more Registry Service Account Management Application
Configure Ansible Automation Platform Installation Inventory
Run Setup Script
# ./setup.sh
You can ignore ignore_preflight_errors
if you are testing or preparing home labs.
# ./setup.sh ignore_preflight_errors=true
Root access to the remote machines is required, you need to use any of the below methods
$ ansible_user=root ansible_ssh_pass=”your_password_here” inventory host or group variables
# or
$ ansible_user=root ansible_ssh_private_key_file=”path_to_your_keyfile.pem” inventory host or group variables
# or
$ ANSIBLE_BECOME_METHOD=’sudo’ ANSIBLE_BECOME=True ./setup.sh
Disaster Recovery for the Ansible Automation Platform
Please note DR and High Availability (“HA”) are not currently supported. Current Ansible Automation Platform customers are needing to configure their DR instances to accurately reflect their node usage and need guidance based on changes due to manifest files. This can be for cold, warm, or hot DR/HA. This article regards how manifests are handled in DR and HA environments.
Refer to the documentation.
Ansible Tower HA and DR
(TODO)
Verify Streaming Replication**
On primary database node
swtich to postgres
user.
[ansible@AAP-DB-1 ~]$ sudo su - postgres
Then,
[postgres@AAP-DB-1 ~]$ psql -c 'select application_name, state, sync_priority, sync_state from pg_stat_replication;'
application_name | state | sync_priority | sync_state
------------------+-----------+---------------+------------
awx | streaming | 1 | sync
(1 row)
or
[postgres@AAP-DB-1 ~]$ psql -c 'select client_addr, state, sent_lsn, write_lsn,flush_lsn, replay_lsn from pg_stat_replication;'
client_addr | state | sent_lsn | write_lsn | flush_lsn | replay_lsn
---------------+-----------+-----------+-----------+-----------+------------
192.168.56.32 | streaming | 0/402AF38 | 0/402AF38 | 0/402AF38 | 0/402AF38
(1 row)
[postgres@AAP-DB-1 ~]$ psql -c 'select * from pg_stat_replication;'
pid | usesysid | usename | application_name | client_addr | client_hostname | client_port |
backend_start | backend_xmin | state | sent_lsn | write_lsn | flush_lsn | replay_lsn | write
_lag | flush_lag | replay_lag | sync_priority | sync_state
-------+----------+------------+------------------+---------------+-----------------+-------------+---------
----------------------+--------------+-----------+-----------+-----------+-----------+------------+---------
--------+-----------------+-----------------+---------------+------------
46392 | 23055 | replicator | awx | 192.168.56.32 | | 37668 | 2022-02-
03 07:23:25.296914+00 | | streaming | 0/402B4E0 | 0/402B4E0 | 0/402B4E0 | 0/402B4E0 | 00:00:00
.002516 | 00:00:00.006299 | 00:00:00.007456 | 1 | sync
(1 row)
On secondary/standby database node
Switch to postgres
user
[ansible@AAP-DB-2 ~]$ sudo su - postgres
Last login: Thu Feb 3 07:59:07 UTC 2022 on pts/1
[postgres@AAP-DB-2 ~]$
Then,
[postgres@AAP-DB-2 ~]$ psql -c 'select * from pg_stat_wal_receiver;'
pid | status | receive_start_lsn | receive_start_tli | received_lsn | received_tli | last_msg_send_time
| last_msg_receipt_time | latest_end_lsn | latest_end_time | slot_name |
conninfo
-------+-----------+-------------------+-------------------+--------------+--------------+------------------------
-------+-------------------------------+----------------+-------------------------------+-----------+-------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------
51587 | streaming | 0/4000000 | 1 | 0/4031110 | 1 | 2022-02-03 08:15:14.493
483+00 | 2022-02-03 08:15:14.493939+00 | 0/4031110 | 2022-02-03 08:15:14.493483+00 | | user=replica
tor passfile=/var/lib/pgsql/.pgpass channel_binding=prefer dbname=replication host=192.168.56.31 port=5432 applica
tion_name=awx fallback_application_name=walreceiver sslmode=prefer sslcompression=0 ssl_min_protocol_version=TLSv1
.2 gssencmode=prefer krbsrvname=postgres target_session_attrs=any
(1 row)
or,
[postgres@AAP-DB-2 ~]$ psql -c 'SELECT pg_last_xact_replay_timestamp();'
pg_last_xact_replay_timestamp
-------------------------------
2022-02-03 08:15:54.592737+00
(1 row)
Ansible Tower HA Failover
Check current Tower database configurations.
[root@AnsibleController1x-1 ~]# cat /etc/tower/conf.d/postgres.py
# Ansible Tower database settings.
DATABASES = {
'default': {
'ATOMIC_REQUESTS': True,
'ENGINE': 'awx.main.db.profiled_pg',
'NAME': 'awx',
'USER': 'awx',
'PASSWORD': """aapadmin""",
'HOST': 'aap-db-1.lab.local',
'PORT': '5432',
'OPTIONS': { 'sslmode': 'prefer',
'sslrootcert': '/etc/pki/tls/certs/ca-bundle.crt',
},
}
}
- redhat-cop/automate-tower-ha-dr
- Ansible Tower High Availability and Disaster Recovery - April 8, 2019 / Marc Petrivelli, Red Hat Blog
Database tips
Check Data path
[postgres@AAP-DB-2 ~]$ pg_ctl status
pg_ctl: server is running (PID: 51581)
/usr/bin/postgres "-D" "/var/lib/pgsql/data"
[postgres@AAP-DB-2 ~]$ psql -c "SHOW data_directory;"
data_directory
---------------------
/var/lib/pgsql/data
(1 row)
Ansible Tower with database SSL connection enabled
Verify SSL Certificate-Key pair
If all the three match, the SSL certificate matches the Private Key.
# SSL certificate
$ openssl x509 –noout –modulus –in <file>.crt | openssl md5
# RSA private key
$ openssl rsa –noout –modulus –in <file>.key | openssl md5
# CSR
$ openssl req -noout -modulus -in <file>.csr | openssl md5
SSL Certificate with Passphrase
- After Replacing Self-Signed Certificate with Passphrase in Ansible Tower, How Do I Correct Issues with Nginx Service Failing to Start?
- Using ssl_password_file for nginx
Troubleshooting
- Resolve error occurred while running Ansible Tower installation
- Why Ansile Tower Setup Is Failing At ‘Migrate the Tower database schema’ Task With Errors ‘Server does not support SSL’ / ‘certificate verify failed’ / ‘no pg_hba.conf entry for host’ When Connecting To PostgreSQL Database With SSL Enabled ?
- How to install a CA certificate on Red Hat Enterprise Linux 7 and later
- How Can I Bypass “noexec” Permission Issue On “/tmp” and “/var/tmp” During Ansible Tower Installation?s
- Verify SSL is enabled on PGSQL
- Why is Ansible Tower Restore Process Failing With Error
no pg_hba.conf entry for host x.x.x.x
?
References
- Explore Ansible Automation Platform - Hands on Lab/Practices via instruqt.
- Red Hat Ansible Automation Platform installation guide - 2.
- Red Hat Ansible Automation Platform installation guide - 2.0(2.0-EA)
- Ansible Automation Platform 2.0 Early Access Homepage
- What’s New in Ansible Automation Controller 4.0
-
What Happens to an Ansible Tower Installation After the Subscription/License has Expired?
- Red Hat Ansible Automation Platform Life Cycle
- Red Hat Ansible Tower Life Cycle - Details about Ansible Tower and Ansible Automation Platform Life Cycle, End of Life, End of Support etc.
- Ansible Tower Installation and Reference Guide
- Preparing for the Ansible Automation Platform Installation
- Ansible Automation Platform Quick Installation Guide v3.8.0
- Installing Ansible Automation Platform
- Ansible Tower Administration Guide (3.8.3) [PDF]
- Which Ports and Services Should I Monitor for Ansible Tower?
- Ansible Automation Platform Installation and Reference Guide v3.8.0
- Tower - Previous versions
- Guidelines, Troubleshooting, and Recommended Configurations for Ansible Tower
Ansible on Clouds
Red Hat Ansible Automation Platform Hardening Guide
- Red Hat Ansible Automation Platform hardening guide(Doc)
- Red Hat Ansible Automation Platform Hardening Guide
Migrating, Updating and Upgrading AAP
- On-Prem Ansible Automation Platform Patching Procedure - OS Packages Update & AAP Packages Update
- Frequently Asked Questions (FAQs) on OS Patching for Ansible Automation Platform 2.3 and later
- Migrating Red Hat Ansible Automation Platform to Ansible Automation Platform Operator
Ansible Automation Hub
Ansible Playbook References
- Ansible Examples (Forked from @ansible)
- Ansible for DevOps (Forked from geerlingguy)
- Ansible NXOS Samples (Network Automation)
Tools for Ansible
- Ansible Automation Platform Inventory File Generator
- Ansible Automation Platform Upgrade Assistant
- Ansible Silo
- ansible-risk-insight: Ansible Risk Insight (ARI) is the tool to evaluate the quality and risk of the ansible content.
Ansible for Network Automation
Ansible and Python Modules
- How to set up and use Python virtual environments for Ansible
- Running in a virtualenv
- How to install pip on Red Hat Enterprise Linux?
pip install --target=/your/pyinstalldir loremipsum
pip install fortiosapi --target=/var/lib/awx/venv/ansible/lib/python2.7/site-packages
pip list --target=/var/lib/awx/venv/ansible/lib/python2.7/site-packages
# subscription-manager repos --enable rhel-server-rhscl-7-rpms
# yum install python27-python-pip
Switch to a normal user and check the pip
$ scl enable python27 bash
$ which pip
$ pip -V
For Existing Tower
# source /var/lib/awx/venv/ansible/bin/activate
# umask 0022
# pip install --upgrade pywinrm
# deactivate
Ansible and Python 3
- Python 3 Support
- How Can I Use Virtual Environment with Python3 on RHEL 7 for Ansible Tower?
- How do I use Python 3 in Ansible Tower?
- Ansible and Python 3 (docs.ansible.com/)
Ansible 2.5 and above work with Python 3.
[ansible@vm-ans-02 ~]$ ansible --version |grep python
ansible python module location = /usr/lib/python2.7/site-packages/ansible
python version = 2.7.5 (default, Sep 26 2019, 13:23:47) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Ansible Blog/Articles to Follow
Ansible Interview Questions
Ansible Modules
Other References
- Red Hat Ansible Tower Life Cycle
- Red Hat Ansible Automation Platform Workshops
- DEEP DIVE INTO ANSIBLE NETWORK RESOURCE MODULE
Ansible for IBM Power
Ansible for Arista Networks
Ansible for CIS Hardening/CIS Check
Ansible AD/LDAP Integration
$ ldapsearch -x -H ldap://192.168.57.137:389 -D "CN=ansible_bind,CN=Users,DC=example,DC=com" -b "dc=example,dc=com" -w yourbindpassword
# search for a specific user
$ ldapsearch -x -H ldap://192.168.57.137:389 -D "CN=ansible_bind,CN=Users,DC=example,DC=com" -w yourbindpassword -b "cn=devops,cn=Users,dc=example,dc=com"
LDAP Organization Map
{
"XYZCorp-CaC": {
"users": true,
"admins": "CN=ansible_admins,OU=AAP,DC=example,DC=com",
"remove_users": false,
"remove_admins": false
}
}
LDAP Team Map
{
"cac-admins": {
"users": "cn=ansible_admins,ou=AAP,dc=example,dc=com",
"remove": true,
"organization": "XYZCorp-CaC"
},
"cac-operators": {
"users": "cn=ansible_operators,ou=AAP,dc=example,dc=com",
"remove": true,
"organization": "XYZCorp-CaC"
}
}
Best practices
Utilities and References
-
Janus - The project ansible-middleware/janus holds a set of playbooks used to transform upstream collection (such as ansible-middleware/wildfly) to downstream collection (redhat/eap) using [FQCN migration https://github.com/ansible-collections/community.fqcn_migration]. Please refers to this project for more information. - community.fqcn_migration - This project, called fqcn_migration, is a set of Ansible roles designed to rename a collection and even changed its namespace.