I’ve been messing around with Ansible for some time now and have created simple playbooks to patch our servers. I use pip to install the latest Ansible:
sudo apt install python3-pip python3-venv
python3 -m venv env
source env/bin/activate
pip3 install ansible
The first thing I created was a hosts.ini file:
cat hosts.ini
[xyze]
backup.xyze ansible_ssh_extra_args="[email protected]"
git.xyze ansible_ssh_extra_args="[email protected]"
icinga.xyze ansible_ssh_extra_args="[email protected]"
tickets.xyze ansible_ssh_extra_args="[email protected]"
bastion.xyze

[client1]
website.client1

[client2]
website.client2
. . .
Our DNS is on AWS’s Route 53 and I’ve created private zones for each of our clients and us, so when we’re logged into our VPN the addresses above can be resolved. Our machines can only be accessed via an intermediate bastion host so the jump host is included in the hosts file.
Then I created some apt playbooks:
cat apt-safe-upgrade.yml
---
- hosts: xyze,client1,client2
  remote_user: xyze
  become: true
  become_method: sudo
  gather_facts: false
  tasks:
    # upgrade: safe is apt-get upgrade (never removes packages), not dist-upgrade
    - name: apt-get upgrade (safe)
      apt:
        update_cache: true
        upgrade: safe
cat apt-reboot.yml
---
- hosts: xyze,client1,client2
  remote_user: xyze
  become: true
  become_method: sudo
  gather_facts: false
  tasks:
    - name: Check if a reboot is required
      # get_md5 was removed from the stat module; get_checksum is the current option
      stat:
        path: /var/run/reboot-required
        get_checksum: false
      register: reboot_required_file

    - name: Reboot box if kernel/libs updated and requested by the system
      shell: sleep 10 && /sbin/shutdown -r now 'Rebooting box to update system libs/kernel as needed'
      args:
        # skip (and report nothing changed) if the flag file is absent
        removes: /var/run/reboot-required
      # fire and forget: the ssh connection will drop when the box goes down
      async: 300
      poll: 0
      ignore_errors: true
      when: reboot_required_file.stat.exists
cat apt-autoremove.yml
---
- hosts: xyze,client1,client2
  remote_user: xyze
  become: true
  become_method: sudo
  gather_facts: false
  tasks:
    - name: apt autoremove
      apt:
        autoremove: true
Unfortunately some of my playbooks had errors, which the ansible-lint tool found. It can be installed via pip; it pulls in yamllint as a dependency, which is worth running over the playbooks first to catch plain YAML mistakes before the Ansible-specific checks:
pip3 install ansible-lint
Playbooks are executed in the following manner:
ansible-playbook -i hosts.ini -l xyze,client1,client2 apt-safe-upgrade.yml -f10
Running 'ansible-playbook' on its own prints the usage summary; passing '-h' or '--help' displays the full list of options.
In the example above hosts.ini is the inventory, and -l limits the run to a subset of it. The limit can be a single host from hosts.ini, one or more groups such as xyze,client1, or 'all' to run against every host in the inventory. By default Ansible forks five parallel processes; -f10 doubles that here.
A check (dry) run can be performed with --check, and this is a useful way to see whether a machine needs a reboot after patching. In the PLAY RECAP, a host that needs rebooting shows 'ok=2': the stat task found /var/run/reboot-required, so the reboot task was not skipped. A host that does not need one shows 'ok=1' with the reboot task skipped:
ansible-playbook --check -i hosts.ini -l xyze apt-reboot.yml
To perform the actual reboots the playbook is run again without '--check'.
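The three playbooks and the check-then-reboot run above can be folded into a single play. The following is an added example, not the author's playbook: it assumes the same inventory groups (xyze, client1, client2) and remote user, and uses the ansible.builtin.reboot module (Ansible 2.7+) in place of shell plus shutdown, so Ansible waits for each host to come back before moving on instead of firing a detached async command and ignoring the dropped connection. serial: 1 patches one host at a time so a whole group is never down together. One caveat on the inventory: the Ansible docs recommend carrying jump-host options in ansible_ssh_common_args rather than ansible_ssh_extra_args, because the former is also appended to the sftp/scp commands Ansible uses to copy modules to the target, while the latter only applies to ssh.

```yaml
# apt-patch.yml (added example, not from the original post)
# Run: ansible-playbook -i hosts.ini -l client1 apt-patch.yml
---
- hosts: xyze:client1:client2
  remote_user: xyze
  become: true
  gather_facts: false
  # Patch and reboot one host at a time so a group is never rebooted all at once.
  serial: 1
  tasks:
    - name: apt-get upgrade (safe) with a fresh package index
      ansible.builtin.apt:
        update_cache: true
        # skip apt-get update if the index was refreshed within the last hour
        cache_valid_time: 3600
        upgrade: safe

    - name: Check whether the system asks for a reboot
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: false
      register: reboot_required_file

    - name: Reboot and wait for the host to come back
      ansible.builtin.reboot:
        msg: "Rebooting to update system libs/kernel"
        pre_reboot_delay: 10
        # fail the host (and stop the serial run) if it is not back within 10 minutes
        reboot_timeout: 600
      when: reboot_required_file.stat.exists

    - name: Remove packages that are no longer needed
      ansible.builtin.apt:
        autoremove: true
```

Because the reboot task waits for the host to return, the autoremove step runs on the freshly booted kernel, and a host that never comes back fails the play for that host rather than silently continuing.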