Wrangling systems for Ansible

When I’m just getting moving with an ansible deployment, there’s one thing we always have to do first.

Get shit under our control.

Environments have systems that were provisioned by different people at different times, probably with different templates, with different passwords. So here’s some tips on how to wrangle hundreds of systems that might not all be immediately under ansible’s control.

1. Get your inventory.

Set up your dynamic inventories. In my case, I needed to wrangle vmware systems, so I set up the vmware inventory as shown below.

plugin: vmware_vm_inventory
strict: False
cache: True
username: blah
password: blahbar
hostname: vcenter.foo.bar
validate_certs: False
with_tags: True
- 'name'
- "guest.hostName"
- "guest.ipAddress"

Inspect the inventory

Take a look at the groupings to identify a plan of attack.

ansible-inventory --list -i inventory/vmware.yml

I have a mix of ubuntu, centos, and windows systems. I’ll go after linux first.

2. Get Control

Start running some ping blasts to see which systems we can actually reach, and we can start from there.

This playbook will ignore all errors, unreachable, etc, and will give us a wholistic idea of which systems we need to target. We’re going to expect lots of errors.

Create a playbook called ‘site.yml’ with the following content

- hosts: linux
  gather_facts: false
  ignore_errors: true
  ignore_unreachable: true
    - ping:

Blast the ping!

ansible-playbook -i inventory/vmware.yml site.yml -u admin -k

3. Establish administrator service account.

Standardize a service account. Do this through creation of a common role

We know we want at least the admin account on every system. Create a role with this service account and apply it to all systems!

Create a roles directory and a common role.

$ pwd
$ ls -alr
-rw-r--r--  1 root root 242 Mar 16 19:41 linux.yml
drwxr-xr-x  4 root root 128 Mar 16 18:35 inventory
-rw-r--r--  1 root root 110 Mar 16 18:15 ansible.cfg
$ mkdir roles
$ cd roles
$ ansible-galaxy init common

Edit tasks in your common role and add your admin user details. (In my case just a local user named ansible.)

- name: Add the ansible user
    name: ansible
    shell: /bin/bash
    groups: wheel
    append: yes

Update our playbook and use the role.

- hosts: linux
  ignore_errors: true
  ignore_unreachable: true
    - ping:
    - common

Hosts groups will periodically fail, target failing groups, inputting specific credentials on the cli where neccessary.

Example 1: Pings were failing on the host qa-host2. I know my LDAP creds have admin, I’ll use that to apply the standard service account.

ansible-playbook -i inventory/vmware.yml site.yml --limit qa-host2 -u stobias -k --become

Example 2: A whole group was failing! It’s my production group. It needs different passwords.

ansible-playbook -i inventory/vmware.yml site.yml --limit production -u superadmin -k --become