Wrangling Systems for Ansible
When I’m just getting moving with an ansible deployment, there’s one thing we always have to do first.
Get shit under our control.
Environments have systems that were provisioned by different people at different times, probably with different templates, with different passwords. So here’s some tips on how to wrangle hundreds of systems that might not all be immediately under ansible’s control.
1. Get your inventory.
Set up your dynamic inventories. In my case, I needed to wrangle vmware systems, so I set up the vmware inventory as shown below.
plugin: vmware_vm_inventory
strict: False
cache: True
username: blah
password: blahbar          # plaintext credential: keep this file out of version control or move it into ansible-vault
hostname: vcenter.foo.bar
validate_certs: False      # disables TLS verification of the vCenter certificate; only acceptable when you trust the network path
with_tags: True
properties:
  - 'name'
  - "guest.hostName"
  - "guest.ipAddress"
Inspect the inventory
Take a look at the groupings to identify a plan of attack.
ansible-inventory --list -i inventory/vmware.yml
I have a mix of Ubuntu, CentOS, and Windows systems. I’ll go after Linux first.
2. Get Control
Start running some ping blasts to see which systems we can actually reach, and we can start from there.
This playbook will ignore all errors, unreachable hosts, etc., and will give us a holistic idea of which systems we need to target. We’re going to expect lots of errors.
Create a playbook called ‘site.yml’ with the following content:
- hosts: linux
  gather_facts: false
  ignore_errors: true
  ignore_unreachable: true
  tasks:
    - ping:
Blast the ping!
ansible-playbook -i inventory/vmware.yml site.yml -u admin -k
3. Establish administrator service account.
Standardize a service account. Do this through creation of a common role.
We know we want at least the admin account on every system. Create a role with this service account and apply it to all systems!
Create a roles directory and a common role.
$ pwd
/home/stobias/repos/ansible/
$ ls -alr
-rw-r--r-- 1 root root 242 Mar 16 19:41 linux.yml
drwxr-xr-x 4 root root 128 Mar 16 18:35 inventory
-rw-r--r-- 1 root root 110 Mar 16 18:15 ansible.cfg
$ mkdir roles
$ cd roles
$ ansible-galaxy init common
Edit tasks in your common role and add your admin user details. (In my case just a local user named ansible.)
---
- name: Add the ansible user
  user:
    name: ansible
    shell: /bin/bash
    groups: wheel
    append: yes
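The task above creates the account but gives it no way to authenticate or escalate, so Ansible still cannot use it. As an added example (not the post’s own role), here is a fuller roles/common/tasks/main.yml that also installs an SSH key and a validated sudoers drop-in, and handles the Ubuntu/CentOS mix by picking the right admin group from facts; it assumes a public key at roles/common/files/ansible.pub, the sudoers file name shown, and that facts are gathered (the updated playbook in the next step drops gather_facts: false).

```yaml
---
# roles/common/tasks/main.yml (added example; key path, sudoers file name
# and the group mapping below are assumptions, not from the original post)
- name: Pick the admin group for this distro family (sudo on Debian-likes, wheel elsewhere)
  set_fact:
    admin_group: "{{ 'sudo' if ansible_facts['os_family'] == 'Debian' else 'wheel' }}"

- name: Add the ansible user (no password is set, so login is key-only)
  user:
    name: ansible
    shell: /bin/bash
    groups: "{{ admin_group }}"
    append: yes

- name: Install the controller's public key for the ansible user
  authorized_key:
    user: ansible
    key: "{{ lookup('file', 'ansible.pub') }}"   # assumed: resolves to roles/common/files/ansible.pub
    exclusive: yes                                 # any other key on this account is removed

- name: Allow passwordless sudo for the ansible user only
  copy:
    dest: /etc/sudoers.d/ansible
    content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -cf %s             # refuse to install a syntactically broken sudoers file
```

With this in place the later runs no longer need -k or personal credentials: point ansible_user at ansible with the matching private key in ansible.cfg or the inventory.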
Update our playbook and use the role.
- hosts: linux
  ignore_errors: true
  ignore_unreachable: true
  tasks:
    - ping:
  roles:      # roles run before tasks regardless of their position in the play
    - common
Host groups will periodically fail; target the failing groups, providing specific credentials on the CLI where necessary.
Example 1: Pings were failing on the host qa-host2. I know my LDAP creds have admin, so I’ll use that to apply the standard service account.
ansible-playbook -i inventory/vmware.yml site.yml --limit qa-host2 -u stobias -k --become
Example 2: A whole group was failing! It’s my production group. It needs different passwords.
ansible-playbook -i inventory/vmware.yml site.yml --limit production -u superadmin -k --become