ansible, automation,

Ansible - Learning Docs & References

Follow · 14 mins read
Ansible - Learning Docs & References
Share this

Disclaimer:
This document represents an upstream version created during my learning process, proof-of-concepts (PoCs), and other experimental practices. The complete and finalized version of this document might be published on the website techbeatly.com and will be periodically updated.

Ansible for Absolute Beginners

Table of Contents

Ansible Automation Platform (Formerly Ansible Tower)

Ansible Automation Platform - Containerized Setup

$ export ANSIBLE_COLLECTIONS_PATH=/home/devops/ansible-automation-platform-containerized-setup-bundle-2.4-1-x86_64/collections/

$ ansible-playbook -i inventory ansible.containerized_installer.install

To uninstall a containerized deployment, execute the uninstall.yml playbook.

$ ansible-playbook -i inventory ansible.containerized_installer.uninstall

This will stop all systemd units and containers and then delete all resources used by the containerized installer such as:

  • config and data directories/files
  • systemd unit files
  • podman containers and images
  • RPM packages

References:

Removing instance from cluster

bash-4.4$ awx-manage deprovision_instance --hostname aap-rhel-92-2.lab.local
Instance Removed
Successfully deprovisioned aap-rhel-92-2.lab.local
(changed: True)

Installing Ansible Automation Platfom

Note : The Ansible Automation Platform installer only supports Red Hat Enterprise Linux and CentOS.

Enable RHEL and AAP Subscriptions

Make sure you subscribed to Red Hat and added RHEL Subscription.

# subscription-manager register
# subscription-manager attach --pool=<pool_id of RHEL subscription>
# subscription-manager list --consumed

Now, search for Ansible Automation Platform subscription and attach the pool ID.

# subscription-manager list --available --all | grep "Ansible Automation Platform" -B 3 -A 6
# subscription-manager attach --pool=<pool_id>
# subscription-manager list --consumed

Update required repo for AAP 2.1

# subscription-manager repos \
  --disable=ansible-automation-platform-2.0-early-access-for-rhel-8-x86_64-rpms

# subscription-manager repos \
  --enable=ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms

Prepare for Ansible Automation Platform Installation

  1. Download the latest Ansible Automation Platform Installation Program

Download Options:

  1. Extract the content
$ tar xvzf ansible-tower-setup-latest.tar.gz
$ cd ansible-tower-setup-<tower_version>

Get Registry Credential

You need access to Red Hat Container Registry to fetch the continer images for automation controller and execution environment. You can create a service account in Red Hat registry for the same and use the credential in AAP installation inventory.

# Execution Environment Configuration
# Credentials for container registry to pull execution environment images from,
# comment out registry_username if authentication is not required
registry_url='registry.redhat.io'
registry_username='YOUR_SERICE_ACCOUNT_USERNAME'
registry_password='YOUR_SERICE_ACCOUNT_PASSWORD'

Read more Registry Service Account Management Application

Configure Ansible Automation Platform Installation Inventory

Run Setup Script

# ./setup.sh

You can ignore ignore_preflight_errors if you are testing or preparing home labs.

# ./setup.sh ignore_preflight_errors=true

Root access to the remote machines is required, you need to use any of the below methods

$ ansible_user=root ansible_ssh_pass=”your_password_here” inventory host or group variables
# or
$ ansible_user=root ansible_ssh_private_key_file=”path_to_your_keyfile.pem” inventory host or group variables
# or
$ ANSIBLE_BECOME_METHOD=’sudo’ ANSIBLE_BECOME=True ./setup.sh

Disaster Recovery for the Ansible Automation Platform

Please note DR and High Availability (“HA”) are not currently supported. Current Ansible Automation Platform customers are needing to configure their DR instances to accurately reflect their node usage and need guidance based on changes due to manifest files. This can be for cold, warm, or hot DR/HA. This article regards how manifests are handled in DR and HA environments.

Refer to the documentation.

Ansible Tower HA and DR

(TODO)

Verify Streaming Replication**

On primary database node

swtich to postgres user.

[ansible@AAP-DB-1 ~]$ sudo su - postgres

Then,

[postgres@AAP-DB-1 ~]$ psql -c 'select application_name, state, sync_priority, sync_state from pg_stat_replication;'
 application_name |   state   | sync_priority | sync_state
------------------+-----------+---------------+------------
 awx              | streaming |             1 | sync
(1 row)

or

[postgres@AAP-DB-1 ~]$ psql -c 'select client_addr, state, sent_lsn, write_lsn,flush_lsn, replay_lsn from pg_stat_replication;'
  client_addr  |   state   | sent_lsn  | write_lsn | flush_lsn | replay_lsn
---------------+-----------+-----------+-----------+-----------+------------
 192.168.56.32 | streaming | 0/402AF38 | 0/402AF38 | 0/402AF38 | 0/402AF38
(1 row)

[postgres@AAP-DB-1 ~]$ psql -c 'select * from pg_stat_replication;'
  pid  | usesysid |  usename   | application_name |  client_addr  | client_hostname | client_port |
backend_start         | backend_xmin |   state   | sent_lsn  | write_lsn | flush_lsn | replay_lsn |    write
_lag    |    flush_lag    |   replay_lag    | sync_priority | sync_state
-------+----------+------------+------------------+---------------+-----------------+-------------+---------
----------------------+--------------+-----------+-----------+-----------+-----------+------------+---------
--------+-----------------+-----------------+---------------+------------
 46392 |    23055 | replicator | awx              | 192.168.56.32 |                 |       37668 | 2022-02-
03 07:23:25.296914+00 |              | streaming | 0/402B4E0 | 0/402B4E0 | 0/402B4E0 | 0/402B4E0  | 00:00:00
.002516 | 00:00:00.006299 | 00:00:00.007456 |             1 | sync
(1 row)

On secondary/standby database node

Switch to postgres user

[ansible@AAP-DB-2 ~]$ sudo su - postgres
Last login: Thu Feb  3 07:59:07 UTC 2022 on pts/1
[postgres@AAP-DB-2 ~]$

Then,

[postgres@AAP-DB-2 ~]$ psql -c 'select * from pg_stat_wal_receiver;'
  pid  |  status   | receive_start_lsn | receive_start_tli | received_lsn | received_tli |      last_msg_send_time
       |     last_msg_receipt_time     | latest_end_lsn |        latest_end_time        | slot_name |

                      conninfo

-------+-----------+-------------------+-------------------+--------------+--------------+------------------------
-------+-------------------------------+----------------+-------------------------------+-----------+-------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------
 51587 | streaming | 0/4000000         |                 1 | 0/4031110    |            1 | 2022-02-03 08:15:14.493
483+00 | 2022-02-03 08:15:14.493939+00 | 0/4031110      | 2022-02-03 08:15:14.493483+00 |           | user=replica
tor passfile=/var/lib/pgsql/.pgpass channel_binding=prefer dbname=replication host=192.168.56.31 port=5432 applica
tion_name=awx fallback_application_name=walreceiver sslmode=prefer sslcompression=0 ssl_min_protocol_version=TLSv1
.2 gssencmode=prefer krbsrvname=postgres target_session_attrs=any
(1 row)

or,

[postgres@AAP-DB-2 ~]$ psql -c 'SELECT pg_last_xact_replay_timestamp();'
 pg_last_xact_replay_timestamp
-------------------------------
 2022-02-03 08:15:54.592737+00
(1 row)

Ansible Tower HA Failover

Check current Tower database configurations.

[root@AnsibleController1x-1 ~]# cat /etc/tower/conf.d/postgres.py
# Ansible Tower database settings.

DATABASES = {
   'default': {
       'ATOMIC_REQUESTS': True,
       'ENGINE': 'awx.main.db.profiled_pg',
       'NAME': 'awx',
       'USER': 'awx',
       'PASSWORD': """aapadmin""",
       'HOST': 'aap-db-1.lab.local',
       'PORT': '5432',
       'OPTIONS': { 'sslmode': 'prefer',
                    'sslrootcert': '/etc/pki/tls/certs/ca-bundle.crt',
       },
   }
}

Database tips

Check Data path

[postgres@AAP-DB-2 ~]$ pg_ctl status
pg_ctl: server is running (PID: 51581)
/usr/bin/postgres "-D" "/var/lib/pgsql/data"

[postgres@AAP-DB-2 ~]$ psql -c "SHOW data_directory;"
   data_directory
---------------------
 /var/lib/pgsql/data
(1 row)

Ansible Tower with database SSL connection enabled

Verify SSL Certificate-Key pair

If all the three match, the SSL certificate matches the Private Key.

# SSL certificate
$ openssl x509 –noout –modulus –in <file>.crt | openssl md5

# RSA private key
$ openssl rsa –noout –modulus –in <file>.key | openssl md5

# CSR
$ openssl req -noout -modulus -in <file>.csr | openssl md5

SSL Certificate with Passphrase

Troubleshooting

References

Ansible on Clouds

Red Hat Ansible Automation Platform Hardening Guide

Migrating, Updating and Upgrading AAP

Ansible Automation Hub

Documentation

Ansible Playbook References

Tools for Ansible

Ansible for Network Automation

Ansible and Python Modules

pip install --target=/your/pyinstalldir loremipsum
pip install fortiosapi --target=/var/lib/awx/venv/ansible/lib/python2.7/site-packages

pip list --target=/var/lib/awx/venv/ansible/lib/python2.7/site-packages
# subscription-manager repos --enable rhel-server-rhscl-7-rpms
# yum install python27-python-pip

Switch to a normal user and check the pip

$ scl enable python27 bash
$ which pip
$ pip -V

For Existing Tower

# source /var/lib/awx/venv/ansible/bin/activate
# umask 0022
# pip install --upgrade pywinrm
# deactivate

Ansible and Python 3

Ansible 2.5 and above work with Python 3.

[ansible@vm-ans-02 ~]$ ansible --version |grep python
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  python version = 2.7.5 (default, Sep 26 2019, 13:23:47) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Ansible Blog/Articles to Follow

Ansible Interview Questions

Ansible Modules

Other References

Ansible for IBM Power

Ansible for Arista Networks

Ansible for CIS Hardening/CIS Check

Ansible AD/LDAP Integration

$ ldapsearch -x  -H ldap://192.168.57.137:389 -D "CN=ansible_bind,CN=Users,DC=example,DC=com" -b "dc=example,dc=com" -w yourbindpassword

# search for a specific user
$ ldapsearch -x  -H ldap://192.168.57.137:389 -D "CN=ansible_bind,CN=Users,DC=example,DC=com" -w yourbindpassword -b "cn=devops,cn=Users,dc=example,dc=com"

LDAP Organization Map

{
  "XYZCorp-CaC": {
    "users": true,
    "admins": "CN=ansible_admins,OU=AAP,DC=example,DC=com",
    "remove_users": false,
    "remove_admins": false
  }
}

LDAP Team Map

{
  "cac-admins": {
    "users": "cn=ansible_admins,ou=AAP,dc=example,dc=com",
    "remove": true,
    "organization": "XYZCorp-CaC"
  },
  "cac-operators": {
    "users": "cn=ansible_operators,ou=AAP,dc=example,dc=com",
    "remove": true,
    "organization": "XYZCorp-CaC"
  }
}

Best practices

Utilities and References

  • Janus - The project ansible-middleware/janus holds a set of playbooks used to transform upstream collection (such as ansible-middleware/wildfly) to downstream collection (redhat/eap) using [FQCN migration https://github.com/ansible-collections/community.fqcn_migration]. Please refers to this project for more information.
  • community.fqcn_migration - This project, called fqcn_migration, is a set of Ansible roles designed to rename a collection and even changed its namespace.

Latest Stories

Featured