1. Setting up Ansible

During this lab you will configure Ansible. You will be able to use Ansible on the controller node and run your first commands on the ansible nodes (managed nodes).

You have the IP addresses of the controller node and managed nodes (given by your instructor). The controller node is where you execute Ansible from and the other nodes represent the machines you like to manage. We will do some configurations on the controller as well.

To make it easier for inexperienced users, we installed an editor and terminal on the controller, accessible from your browser. You can then connect to the nodes from there.

Unless otherwise specified, your working directory for all labs should be /home/ansible/techlab/.

Some good advice:

Always read all the tasks first. Some tasks might not be clear until you get the whole scope of the lab.
Open a terminal that you use only for ansible-doc (see later) and another terminal that you use for ad hoc commands (see later) to check the result of your plays.
When possible use copy & paste for filenames and file content. You’ll make fewer mistakes.

Connect to your controller host

Web Browser

Connect to your controller host by pasting the DNS name into your web browser

1
https://<dnsname>

username: ansible
password: << web password >>

After a successful login you should see an editor similar to visual studio code in your browser. In the navigation bar you can open “Terminal” or press ctrl-shift-^ to open a terminal. Do this now and then continue with the installation of Ansible.

SSH

You can access the nodes using SSH as well. Use your favourite SSH client to connect to the IP address of your controller host as user ansible.

Task 1

Install all packages needed to use Ansible on the controller host.

Tip

Use sudo to elevate your privilege to those of root. Be sure to only use root priviledges for installing the packages, you should perform the rest of the lab as user ansible.

Test if you can connect to the nodes from your controller using SSH. Use their public IPs.
Make sure python is installed on your nodes before continuing with the lab.

Solution Task 1

Installing Ansible with root privileges (on controller host):

1
sudo dnf -y install ansible

If dnf does not find the ansible package you might need to install epel-release.noarch to enable the EPEL repository.

Opening a SSH connection:

1
ssh -l ansible <node-ip>

Enter “yes” when prompted if you want to continue connecting
Insert your SSH-password you received from your instructor when prompted and hit return

On the nodes:

1
2
which python3 # (or which python)
/usr/bin/python3

If which does not find python3 or python:

1
sudo dnf -y install python3 # (or python)

Task 2

Create a SSH key pair for the user ansible on the controller host.
Don’t set a password for the private key! Just hit ENTER at the prompt.
Enable SSH key-based login for the user ansible on all nodes and the controller by distributing the SSH-public key.
Test the login on the nodes.

Solution Task 2

1
2
ssh-keygen #(no passphrase, just hit enter until the end)
ssh-copy-id <node-ip>

Follow the prompt and enter the ansible user password you received from your instructor:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ansible/.ssh/id_rsa.pub"
The authenticity of host '5.102.146.128 (5.102.146.128)' can't be established.
ECDSA key fingerprint is SHA256:5PmNPnSzE2IS309kJ8fAKrAjk0/NZT91qC4zQo0Vwiw.
ECDSA key fingerprint is MD5:43:5f:9c:e1:ad:b5:76:a1:fa:5d:09:9c:be:5d:c2:7e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ansible@5.102.146.128's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '5.102.146.128'"
and check to make sure that only the key(s) you wanted were added.

Test it by running the SSH command executed on that node and make sure you’re not prompted for a pasword:

1
ssh <node-ip>

Note

Don’t forget your controller and the second node.

Task 3

Create an inventory file named hosts in your working directory with your public IPs:

1
2
3
4
5
6
7
8
[controller]
control0 ansible_host=<your-controller-ip>

[web]
node1 ansible_host=<your-node1-ip>

[db]
node2 ansible_host=<your-node2-ip>

Tip

Instead of copying the ssh-id to the controller itself you could set ansible_connection=local in the inventory file for host control0. Then Ansible would not use SSH to connect to the controller, but use the “local” transport mechanism. If you have a valid /etc/hosts file containing information about lab hosts, you can omit the ansible_host=<ip> parts in the inventory file.

Check if ansible is ready using the ping module to ping all hosts in your inventory

Solution Task 3

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
cd techlab
vim hosts # (copy & paste inventory data)
ansible all -i hosts -m ping
5.102.146.128 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
...
...

Task 4

Note

If you are using the lab servers provided by your teacher, the sudoers configuration is already done. Anyways have a look at it to see how stuff works.

Configure the ansible user to have root privilege on all hosts in your inventory file. Also enable login without a password for this user.
Test the functionality by running sudo -v as user ansible on all nodes.

Solution Task 4

In the file /etc/sudoers (On CentOS/RHEL), there’s already a config entry for the wheel group that is similar to the one we need for our ansible user.

1
2
3
4
5
6
ssh -l ansible <node-ip>
sudo -i
grep wheel /etc/sudoers
Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%wheel        ALL=(ALL)       NOPASSWD: ALL # <-- this line!

Add a similar line for user ansible to the sudoers file:

1
echo 'ansible ALL=(ALL)   NOPASSWD: ALL' >> /etc/sudoers

Alternatively you can put that into a separate file:

1
echo 'ansible ALL=(ALL)   NOPASSWD: ALL' >> /etc/sudoers.d/ansible

Check if ansible user has root privileges:

1
sudo -v

Note

Note that you cannot do this using Ansible yet. The reason being you need root privileges and we are just setting up those right now.

Task 5

extend the inventory with a group nodes that has the groups web and db as members
Tip
Take a look at Ansible Docs - Inventory Intro for how to use the :children suffix in INI file inventories.
ping all servers in the group nodes

Solution Task 5

Add [nodes:children] to inventory file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
cat hosts
[controller]
control0 ansible_host=192.168.122.30

[web]
node1 ansible_host=192.168.122.31

[db]
node2 ansible_host=192.168.122.32

[nodes:children]
web
db

Ping nodes:

1
2
3
# Note: hosts is the inventory file you created, either "-i hosts" or "-i ./hosts" works.
ansible -i hosts nodes -m ping
...

Tip

Use ansible -i hosts <group> --list-hosts to verify group membership in Ansible inventories:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
ansible -i hosts web  --list-hosts
  hosts (1):
    node1
ansible -i hosts db  --list-hosts
  hosts (1):
    node2
ansible -i hosts nodes  --list-hosts
  hosts (2):
    node1
    node2
ansible -i hosts all  --list-hosts
  hosts (3):
    control0
    node1
    node2

All done?

Have a look at The Bullhorn newsletter
See what inspired the creators of Ansible: Rocannon’s World
Ansible Configuration File
Easteregg: Cowsay not found!

1.1 Git Repository

Last modified November 20, 2023: Merge pull request #216 from puzzle/psc_edaserver_lab (d791dbe)