Learning Ansible like a Command Line addict

I’ve always been hindered by my ability to deploy code using existing tools, and oftentimes I lean too heavily on my ability as a programmer to solve this problem. As a result, I’ve written multiple deployment systems from scratch, and can’t use common tools as a result. So I’ve set out to learn Ansible, but I’m gonna do it in the most backwards way possible.

First, we have to get Ansible (https://github.com/ansible/ansible). I have a Jenkins build server that compiles and packages artifacts, so it makes sense that it would be able to deploy those packages when approved. Luckily, Ansible provides a nice Aptitude package repo.

Add the file /etc/apt/sources.list.d/ansible.list with the contents:

deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main

Then run these commands:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
sudo apt-get update
sudo apt-get install ansible

And now you should have Ansible installed. So… now what?

Well, I wanted to use this to deploy to remote servers via SSH. So let’s try adding some servers.

Edit /etc/ansible/hosts and add this at the bottom (obviously, change it to suit your servers):

[webservers]
web01 ansible_ssh_host=10.0.0.20
web02 ansible_ssh_host=10.0.0.21

And we need to add a username so that we have a deploy user with the appropriate access. Add a file /etc/ansible/group_vars/webservers and give it the following contents:

---
ansible_ssh_user: deploy

NOTE: This config file is formatted as YAML. Those three dashes at the top are actually pretty critical. Don’t miss them!

This will make all connections use the deploy user, regardless of which user on the deploy server is running the command. Well, that’s cool. So now what? Let’s test it!

ansible -m ping webservers

This should fire off a command to each server listed under the webservers group and report back whether that server responds correctly.

midas@deploy:~$ ansible -m ping webservers
The authenticity of host '10.0.0.20 (10.0.0.20)' can't be established.
ECDSA key fingerprint is ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff.
Are you sure you want to continue connecting (yes/no)? web01 | UNREACHABLE! => {
 "changed": false, 
 "msg": "Failed to connect to the host via ssh: Permission denied (publickey).\r\n", 
 "unreachable": true
}
yes
web02 | UNREACHABLE! => {
 "changed": false, 
 "msg": "Failed to connect to the host via ssh: Warning: Permanently added '10.0.0.20' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey).\r\n", 
 "unreachable": true
}

Oh god, what a mess. It looks like we forgot a critical step: adding a user and SSH key to each of the web servers we are trying to deploy to. Since I want my Jenkins install to be able to do this, I’ll switch over to the jenkins user and generate a key pair for this account.

sudo su - jenkins
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub

Now that I’ve got a key, I need to create a deploy user on each of my target servers and add the jenkins public key to the authorized_keys file. (This step is left as an exercise for the reader.) Now we just need to test it, so from the jenkins account, run

ssh deploy@10.0.0.20 "echo hello"
ssh deploy@10.0.0.21 "echo hello"

and make sure you accept the ECDSA key fingerprint for the first connection. Awesome!
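
One way to do the step left as an exercise above, installing the jenkins public key for the deploy user on a target server. This is an added example, not part of the original post; the function name install_deploy_key is made up here, and it assumes you run it on the target as the deploy user so the files end up owned by that account.

```shell
#!/bin/sh
# Added example, not from the original post. Run on each target as the deploy
# user (for example via `sudo -u deploy`) so the files end up owned by deploy.
# Usage: install_deploy_key HOME_DIR 'PUBLIC KEY LINE'
# The body runs in a subshell ( ... ) so the umask change does not leak out.
install_deploy_key() (
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # One entry per call: an embedded newline could smuggle in a second key.
    case $pubkey in
        *"$nl"*) echo "refusing multi-line input" >&2; exit 1 ;;
    esac
    # Accept only "type base64 [comment]" public key lines. This also stops
    # a private key (-----BEGIN ... PRIVATE KEY-----) being pasted by mistake.
    case $pubkey in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "not an SSH public key line" >&2; exit 1 ;;
    esac

    # With StrictModes (the sshd default), sshd ignores authorized_keys when
    # the file or its directories are writable by other users.
    umask 077
    mkdir -p "$ssh_dir" || exit 1
    chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" || exit 1
    chmod 600 "$auth_file" || exit 1

    # -x whole line, -F fixed string: append only if not already present.
    grep -qxF -- "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"
)
```

Call it with the deploy user's home directory and the single line printed by cat ~/.ssh/id_rsa.pub on the Jenkins host; running it twice leaves one entry.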

So now from the jenkins account, let’s run that ping command again.

jenkins@deploy:~$ ansible -m ping webservers
web02 | SUCCESS => {
 "changed": false, 
 "ping": "pong"
}
web01 | SUCCESS => {
 "changed": false, 
 "ping": "pong"
}

Hooray! But that’s hardly useful, so let’s get cracking at something meaningful. Part two, coming soon!

Update: You can find part 2 here

 
