Ansible - Infrastructure-as-a-Code
Introduction
Ansible is an open-source automation and orchestration tool based on YAML and SSH, used to automate repetitive tasks in infrastructure management, such as provisioning, configuration management, continuous delivery, application deployment, and security compliance.
Developing scripts for these tasks requires time, coding skills, and ongoing maintenance. With Ansible, automation becomes simple and efficient
Configuration Files
Ansible provides a default configuration file, usually located at /etc/ansible/ansible.cfg. This file contains various settings such as the inventory file location, SSH connection options, privilege escalation rules, and more. Depending on the project you're working on, you can define a separate configuration file in a different directory with custom settings. This is one way to override specific parameters in Ansible without changing the global config.
In addition to the configuration file, you can create a playbook, written in YAML. A playbook describes what tasks to run on which hosts. It typically defines target hosts, tasks to execute, roles to apply, variables, handlers, and other automation logic. Playbook is explain more in an another section.
Be careful, when running a playbook, you should explicitly specify which configuration file to use by setting it through an environment variable, or directly in the Playbook file :
marijan$ ANSIBLE_CONFIG=/path/to/ansible.cfg ansible-playbook playbook.yml
Here is the priority order Ansible uses to determine which configuration file to load :
- Environment variable, you can specify the configuration file using the ANSIBLE_CONFIG environment variable, either when running the command or in your environment setup.
- Configuration file in the current directory, if there’s an ansible.cfg file in the same directory where the playbook is being run, Ansible will use it (as long as no environment variable overrides it).
- Default configuration file, if neither of the above is set, Ansible will fall back to the default configuration file located at /etc/ansible/ansible.cfg.
For example, if you have a playbook that currently relies on the default configuration file, but you want to change just one parameter, you should first check the correct name of that parameter in the Ansible documentation or by using command. This is important because the name you see in the configuration file might not always match the name required for environment variables.
To see the full list of available parameters via the command line, run:
marijan$ ansible-config list
Once you've identified the correct variable name, you can use the export command (for a Linux shell) to set it as an environment variable :
marijan$ export ANSIBLE_INVENTORY=/path/to/your/inventory
This lets you override specific settings without modifying the entire config file. If you only want to change a parameter temporarily, for a single run, you can also specify it directly in the command using the environment variable.
You can check the value of a specific parameter and see where it was defined (e.g., from an environment variable, a config file, etc.) by running the following command :
marijan$ ansible-config dump | grep "parameter"
Finally, to see which configuration file Ansible is currently using, run :
marijan$ ansible-config view"
Inventory
To connect to different hosts in your infrastructure and execute Playbooks, Ansible uses SSH for Linux systems and PowerShell Remoting for Windows systems. Ansible is an agentless tool, which means it does not require any agent to be installed on the remote machines. It operates through standard protocols like SSH and PowerShell Remoting.
Information about the target systems is stored in an inventory file, which is located at /etc/ansible/hosts by default.
Here is an example of a sample Ansible inventory file:
marijan$ cat /opt/company-playbook/hosts web ansible_host=server1.company.com ansible_connection=ssh ansible_ssh_pass=P@ssw0rd ansible_port=4115 db ansible_host=server2.company.com ansible_connection=winrm ansible_user=admin mail ansible_host=server3.company.com ansible_connection=ssh ansible_ssh_pass=P@ssw0rd dev ansible_host=server4.company.com ansible_connection=winrm ansible_ssh_pass=P@ssw0rd
In this example :
- Each line defines a host alias (e.g., web, db, mail, dev) along with its connection parameters ;
- ansible_host specifies the FQDN or IP address of the target machine ;
- ansible_connection defines the protocol to use (e.g., ssh for Linux, winrm for Windows) ;
- Optional variables like ansible_ssh_pass, ansible_port, and ansible_user are used to customise the connection.
For a production environment, it is recommended to use certificate-based authentication or SSH key-based, passwordless authentication.
To run a Playbook locally, you can set the following line in the host configuration file :
marijan$ cat /opt/local-playbook/hosts localhost ansible_host=localhost
Format
Depending on your project, it exists two kind of Inventory format :
- INI : simplest and most straightforward format :
[web] server1.company.com [db] server2.company.com ansible_user=admin ansible_connection=winrm
- YAML : more structured and flexible format than the INIT format :
all:
hosts:
server1.company.com:
ansible_connection: ssh
server2.company.com:
ansible_connection: winrm
ansible_user: admin
children:
web:
hosts:
server1.company.com:
db:
hosts:
server2.company.com:
Group and Parent-Child Relationships
No matter which inventory format you use INI or YAML defining groups allows you to target specific sets of hosts when running a Playbook. For example :
marijan$ cat /opt/company-playbook/inventory.ini web1 ansible_host=server1.company.com ansible_connection=ssh ansible_ssh_pass=P@ssw0rd ansible_port=4115 web2 ansible_host=server2.company.com ansible_connection=winrm ansible_user=admin db1 ansible_host=server3.company.com ansible_connection=ssh ansible_ssh_pass=P@ssw0rd db2 ansible_host=server4.company.com ansible_connection=winrm ansible_ssh_pass=P@ssw0rd [web] web1, web2 [db] db1, db2
To run a Playbook only on the db group :
marijan$ ansible-playbook playbook.yml -i inventory.yaml -l db
This command targets only the hosts in the db group, even though other hosts are listed in the inventory.
You can also group multiple groups under a parent group using the :children keyword. This is useful when you want to run a Playbook on a broader category of machines made up of smaller, related groups.
marijan$ cat /opt/company-playbook/inventory.ini web1 ansible_host=server1.company.com ansible_connection=ssh ansible_ssh_pass=P@ssw0rd ansible_port=4115 web2 ansible_host=server2.company.com ansible_connection=winrm ansible_user=admin db1 ansible_host=server3.company.com ansible_connection=ssh ansible_ssh_pass=P@ssw0rd db2 ansible_host=server4.company.com ansible_connection=winrm ansible_ssh_pass=P@ssw0rd [web] web1, web2 [db] db1, db2 [app_servers:children] web, deb
Here is the same example in .YAML format :
all:
children:
web:
hosts:
web1:
ansible_host: server1.company.com
ansible_connection: ssh
ansible_ssh_pass: P@ssw0rd
web2:
ansible_host: server2.company.com
ansible_connection: winrm
ansible_user: admin
db:
hosts:
db1:
ansible_host: server3.company.com
ansible_connection: ssh
ansible_ssh_pass: P@ssw0rd
db2:
ansible_host: server4.company.com
ansible_connection: winrm
ansible_ssh_pass: P@ssw0rd
app_servers:
children:
web:
db:
Variables
Just like in any other programming language, variables are used in Ansible to store and reference values.
In an Ansible Playbook, you can define variables using the vars: directive or by storing them in separate variable files. For now, let's focus on defining variables directly inside the vars section of a Playbook :
marijan$ cat Playbook.yml
- name: Add DNS server to resolv.conf
hosts: localhost
vars:
dns_server: 10.1.250.10
tasks:
- lineinfile:
path: /etc/resolv.conf
line: 'nameserver 10.1.250.10'
Then, to use the defined variable, we call it using Jinja2 templating syntax, like this:
marijan$ cat Playbook.yml
- name: Add DNS server to resolv.conf
hosts: localhost
vars:
dns_server: 10.1.250.10
tasks:
- lineinfile:
path: /etc/resolv.conf
line: 'nameserver {{ dns_server }}'