Wrangling systems for Ansible
When I’m just getting moving with an ansible deployment, there’s one thing we always have to do first.
Get shit under our control.
Environments have systems that were provisioned by different people at different times, probably with different templates and different passwords. So here are some tips on how to wrangle hundreds of systems that might not all be immediately under ansible’s control.
1. Get your inventory.
Set up your dynamic inventories. In my case, I needed to wrangle vmware systems, so I set up the vmware inventory as shown below.
plugin: vmware_vm_inventory
strict: False
cache: True
username: blah
password: blahbar        # plaintext credential: encrypt this value with ansible-vault before committing
hostname: vcenter.foo.bar
validate_certs: False    # skips vCenter TLS verification; only acceptable with a self-signed lab vCenter
with_tags: True
properties:
  - 'name'
  - "guest.hostName"
  - "guest.ipAddress"
Inspect the inventory
Take a look at the groupings to identify a plan of attack.
ansible-inventory --list -i inventory/vmware.yml
I have a mix of ubuntu, centos, and windows systems. I’ll go after linux first.
2. Get Control
Run some ping blasts to see which systems we can actually reach, and start from there.
This playbook ignores all errors, unreachable hosts, etc., and gives us a holistic picture of which systems we need to target. Expect lots of errors.
Create a playbook called ‘site.yml’ with the following content:
- hosts: linux
  gather_facts: false
  ignore_errors: true
  ignore_unreachable: true
  tasks:
    - ping:
Blast the ping!
ansible-playbook -i inventory/vmware.yml site.yml -u admin -k
3. Establish administrator service account.
Standardize on a service account by creating a common role.
We know we want at least the admin account on every system. Create a role with this service account and apply it to all systems!
Create a roles directory and a common role.
$ pwd
/home/stobias/repos/ansible/
$ ls -alr
-rw-r--r-- 1 root root 242 Mar 16 19:41 linux.yml
drwxr-xr-x 4 root root 128 Mar 16 18:35 inventory
-rw-r--r-- 1 root root 110 Mar 16 18:15 ansible.cfg
$ mkdir roles
$ cd roles
$ ansible-galaxy init common
Edit tasks in your common role and add your admin user details. (In my case just a local user named
---
- name: Add the ansible user
  user:
    name: ansible
    shell: /bin/bash
    groups: wheel   # 'wheel' is the CentOS admin group; Ubuntu hosts use 'sudo'
    append: yes
Update our playbook and use the role.
- hosts: linux
  ignore_errors: true
  ignore_unreachable: true
  tasks:
    - ping:
  roles:
    - common
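A fuller version of the common role's tasks/main.yml, added here as an example rather than taken from the original post: it picks the right admin group per distro family, installs the control node's public key so later runs no longer need -k, and grants sudo through a validated drop-in. It assumes a public key file at roles/common/files/ansible_id_ed25519.pub (hypothetical path) and that the play gathers facts.

```yaml
---
# roles/common/tasks/main.yml (added example; not the post's own role)
# Requires gather_facts: true, since ansible_os_family is used below.

- name: Pick the admin group for this distro family
  set_fact:
    admin_group: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"

- name: Add the ansible service account
  user:
    name: ansible
    shell: /bin/bash
    groups: "{{ admin_group }}"
    append: yes

- name: Install the control node's public key (key-based login instead of -k passwords)
  authorized_key:
    user: ansible
    state: present
    # Hypothetical file path; place your own public key in roles/common/files/
    key: "{{ lookup('file', 'ansible_id_ed25519.pub') }}"

- name: Grant passwordless sudo through a validated drop-in
  copy:
    dest: /etc/sudoers.d/ansible
    content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: "0440"
    # visudo rejects a malformed file before it can lock everyone out of sudo
    validate: /usr/sbin/visudo -cf %s
```

Once this role has run, switch the command lines below to -u ansible without -k and the password-per-group problem goes away for any host it reached.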
Host groups will periodically fail; target the failing groups, supplying specific credentials on the CLI where necessary.
Example 1: Pings were failing on the host qa-host2. I know my LDAP creds have admin, so I’ll use those to apply the standard service account.
ansible-playbook -i inventory/vmware.yml site.yml --limit qa-host2 -u stobias -k --become
Example 2: A whole group was failing! It’s my production group, and it needs different passwords.
ansible-playbook -i inventory/vmware.yml site.yml --limit production -u superadmin -k --become