Ansible for DevOps Jeff Geerling 2024 scribd download

Geerling

Uploaded by

mihevcodueke
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Ansible for DevOps
Server and configuration management for humans

Jeff Geerling
This book is for sale at http://leanpub.com/ansible-for-devops

This version was published on 2023-06-29

ISBN 978-0-9863934-3-3

This is a Leanpub book. Leanpub empowers authors and publishers with the Lean
Publishing process. Lean Publishing is the act of publishing an in-progress ebook
using lightweight tools and many iterations to get reader feedback, pivot until you
have the right book and build traction once you do.

© 2014 - 2023 Jeff Geerling


Tweet This Book!
Please help Jeff Geerling by spreading the word about this book on Twitter!
The suggested tweet for this book is:
I just purchased @Ansible4DevOps by @geerlingguy on @leanpub -
https://leanpub.com/ansible-for-devops #ansible
The suggested hashtag for this book is #ansible.
Find out what other people are saying about the book by clicking on this link to
search for this hashtag on Twitter:
#ansible
Also By Jeff Geerling
Ansible for Kubernetes
You Only Have Crohn’s Once!
Kubernetes 101
This book is dedicated to my wife, Natalie, and my children.
Editing by Margie Newman and Katherine Geerling.
Cover photograph and illustration © 2011 Jeff Geerling.
Ansible is a software product distributed under the GNU GPLv3 open source license.
Contents

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Second Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Who is this book for? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Typographic conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Please help improve this book! . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Current Published Book Version Information . . . . . . . . . . . . . . . vi
About the Author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
In the beginning, there were sysadmins . . . . . . . . . . . . . . . . . . . . . vii
Modern infrastructure management . . . . . . . . . . . . . . . . . . . . . . . vii
Ansible and Red Hat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Ansible Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Other resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Chapter 1 - Getting Started with Ansible . . . . . . . . . . . . . . . . . . . . . . 1


Ansible and Infrastructure Management . . . . . . . . . . . . . . . . . . . . . 1
On snowflakes and shell scripts . . . . . . . . . . . . . . . . . . . . . . . 1
Configuration management . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Installing Ansible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Creating a basic inventory file . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Running your first Ad-Hoc Ansible command . . . . . . . . . . . . . . . . . 7
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 2 - Local Infrastructure Development: Ansible and Vagrant . . . . 9


Prototyping and testing with local virtual machines . . . . . . . . . . . . . . 9
Your first local server: Setting up Vagrant . . . . . . . . . . . . . . . . . . . . 10


Using Ansible with Vagrant . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Your first Ansible playbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Cleaning Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 3 - Ad-Hoc Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18


Conducting an orchestra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Build infrastructure with Vagrant for testing . . . . . . . . . . . . . . . . . . 19
Inventory file for multiple servers . . . . . . . . . . . . . . . . . . . . . . . . . 21
Your first ad-hoc commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Discover Ansible’s parallel nature . . . . . . . . . . . . . . . . . . . . . . 23
Learning about your environment . . . . . . . . . . . . . . . . . . . . . . 25
Make changes using Ansible modules . . . . . . . . . . . . . . . . . . . 28
Configure groups of servers, or individual servers . . . . . . . . . . . . . . . 29
Configure the Application servers . . . . . . . . . . . . . . . . . . . . . . 29
Configure the Database servers . . . . . . . . . . . . . . . . . . . . . . . 30
Make changes to just one server . . . . . . . . . . . . . . . . . . . . . . . 32
Manage users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Manage packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Manage files and directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Get information about a file . . . . . . . . . . . . . . . . . . . . . . . . . 35
Copy a file to the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Retrieve a file from the servers . . . . . . . . . . . . . . . . . . . . . . . . 36
Create directories and files . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Delete directories and files . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Run operations in the background . . . . . . . . . . . . . . . . . . . . . . . . 37
Update servers asynchronously with asynchronous jobs . . . . . . . . 38
Check log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Manage cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Deploy a version-controlled application . . . . . . . . . . . . . . . . . . . . . 42
Ansible’s SSH connection history . . . . . . . . . . . . . . . . . . . . . . . . . 43
Paramiko . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
OpenSSH (default) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Faster OpenSSH with Pipelining . . . . . . . . . . . . . . . . . . . . . . . 44
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 4 - Ansible Playbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47


Power plays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Running Playbooks with ansible-playbook . . . . . . . . . . . . . . . . . . 52
Limiting playbooks to particular hosts and groups . . . . . . . . . . . . 52
Setting user and sudo options with ansible-playbook . . . . . . . . . 54
Other options for ansible-playbook . . . . . . . . . . . . . . . . . . . . 54
Real-world playbook: Rocky Linux Node.js app server . . . . . . . . . . . . 55
Add extra repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Deploy a Node.js app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Launch a Node.js app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Node.js app server summary . . . . . . . . . . . . . . . . . . . . . . . . . 63
Real-world playbook: Ubuntu LAMP server with Drupal . . . . . . . . . . . 64
Include a variables file, and discover pre_tasks and handlers . . . . . 64
Basic LAMP server setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Configure Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configure PHP with lineinfile . . . . . . . . . . . . . . . . . . . . . . . 70
Configure MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Install Composer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Create a Drupal project with Composer . . . . . . . . . . . . . . . . . . 73
Install Drupal with Drush . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Drupal LAMP server summary . . . . . . . . . . . . . . . . . . . . . . . . 76
Real-world playbook: Ubuntu server with Solr . . . . . . . . . . . . . . . . . 77
Include a variables file, and more pre_tasks . . . . . . . . . . . . . . . 78
Install Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Install Apache Solr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Apache Solr server summary . . . . . . . . . . . . . . . . . . . . . . . . . 82
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Chapter 5 - Ansible Playbooks - Beyond the Basics . . . . . . . . . . . . . . . 84


Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Environment variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Per-task environment variables . . . . . . . . . . . . . . . . . . . . . . . 87
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Playbook Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Inventory variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Registered Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Accessing Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Host and Group variables . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Automatically-loaded group_vars and host_vars . . . . . . . . . 97
Magic variables with host and group variables and information . 98
Facts (Variables derived from system information) . . . . . . . . . . . . 99
Local Facts (Facts.d) . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Ansible Vault - Keeping secrets secret . . . . . . . . . . . . . . . . . . . 102
Variable Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
If/then/when - Conditionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Jinja Expressions, Python built-ins, and Logic . . . . . . . . . . . . . . . 108
register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
when . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
changed_when and failed_when . . . . . . . . . . . . . . . . . . . . . . . 112
ignore_errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Delegation, Local Actions, and Pauses . . . . . . . . . . . . . . . . . . . . . . 114
Pausing playbook execution with wait_for . . . . . . . . . . . . . . . . 115
Running an entire playbook locally . . . . . . . . . . . . . . . . . . . . . 116
Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Chapter 6 - Playbook Organization - Roles, Includes, and Imports . . . . . 123


Imports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Includes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Dynamic includes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Handler imports and includes . . . . . . . . . . . . . . . . . . . . . . . . 127
Playbook imports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Complete includes example . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Role scaffolding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Building your first role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
More flexibility with role vars and defaults . . . . . . . . . . . . . . . . 135
Other role parts: handlers, files, and templates . . . . . . . . . . . . . . 137
Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Files and Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Organizing more complex and cross-platform roles . . . . . . . . . . . 139


Ansible Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Getting roles from Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Using role requirements files to manage dependencies . . . . . . 143
A LAMP server in nine lines of YAML . . . . . . . . . . . . . . . . . . . 144
A Solr server in seven lines of YAML . . . . . . . . . . . . . . . . . . . . 145
Helpful Galaxy commands . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Contributing to Ansible Galaxy . . . . . . . . . . . . . . . . . . . . . . . 147
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Chapter 7 - Ansible Plugins and Content Collections . . . . . . . . . . . . . . 148


Creating our first Ansible Plugin — A Jinja Filter . . . . . . . . . . . . . . . 148
The history of Ansible Content Collections . . . . . . . . . . . . . . . . . . . 153
The Anatomy of a Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Putting our Plugin into a Collection . . . . . . . . . . . . . . . . . . . . . 157
Going deeper developing collections . . . . . . . . . . . . . . . . . . . . 158
Collections on Automation Hub and Ansible Galaxy . . . . . . . . . . . . . 159
Collection version constraints . . . . . . . . . . . . . . . . . . . . . . . . 160
Where are collections installed? . . . . . . . . . . . . . . . . . . . . . . . 160
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Chapter 8 - Inventories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163


A real-world web application server inventory . . . . . . . . . . . . . . . . . 164
Non-prod environments, separate inventory files . . . . . . . . . . . . 168
Inventory variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
host_vars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
group_vars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Ephemeral infrastructure: Dynamic inventory . . . . . . . . . . . . . . . . . 173
Dynamic inventory with DigitalOcean . . . . . . . . . . . . . . . . . . . 174
DigitalOcean account prerequisites . . . . . . . . . . . . . . . . . . 174
Connecting to your DigitalOcean account . . . . . . . . . . . . . . 174
Creating a droplet with Ansible . . . . . . . . . . . . . . . . . . . . 175
DigitalOcean dynamic inventory with digital_ocean.py . . . . 182
Dynamic inventory with AWS . . . . . . . . . . . . . . . . . . . . . . . . 183
Inventory on-the-fly: add_host and group_by . . . . . . . . . . . . . . . 183
Multiple inventory sources - mixing static and dynamic inventories . 185
Creating custom dynamic inventories . . . . . . . . . . . . . . . . . . . 185


Building a Custom Dynamic Inventory in Python . . . . . . . . . 187
Building a Custom Dynamic Inventory in PHP . . . . . . . . . . . 192
Managing a PaaS with a Custom Dynamic Inventory . . . . . . . 195
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Chapter 9 - Ansible Cookbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197


Highly-Available Infrastructure with Ansible . . . . . . . . . . . . . . . . . . 197
Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Individual Server Playbooks . . . . . . . . . . . . . . . . . . . . . . . . . 199
Main Playbook for Configuring All Servers . . . . . . . . . . . . . . . . 212
Getting the required roles . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Vagrantfile for Local Infrastructure via VirtualBox . . . . . . . . . . . . 213
Provisioner Configuration: DigitalOcean . . . . . . . . . . . . . . . . . . 218
Provisioner Configuration: Amazon Web Services (EC2) . . . . . . . . 223
AWS EC2 Dynamic inventory plugin . . . . . . . . . . . . . . . . . 230
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
ELK Logging with Ansible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
ELK Playbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Forwarding Logs from Other Servers . . . . . . . . . . . . . . . . . . . . 240
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
GlusterFS Distributed File System Configuration with Ansible . . . . . . . 247
Configuring Gluster - Basic Overview . . . . . . . . . . . . . . . . . . . 248
Configuring Gluster with Ansible . . . . . . . . . . . . . . . . . . . . . . 249
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Mac Provisioning with Ansible and Homebrew . . . . . . . . . . . . . . . . 256
Running Ansible playbooks locally . . . . . . . . . . . . . . . . . . . . . 257
Automating Homebrew package and app management . . . . . . . . . 257
Configuring macOS through dotfiles . . . . . . . . . . . . . . . . . . . . 259
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Chapter 10 - Deployments with Ansible . . . . . . . . . . . . . . . . . . . . . . 262


Deployment strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Simple single-server deployments . . . . . . . . . . . . . . . . . . . . . . . . . 263
Provisioning a Ruby on Rails server . . . . . . . . . . . . . . . . . . . . . 264
Deploying a Rails app to the server . . . . . . . . . . . . . . . . . . . . . 267
Provisioning and Deploying the Rails App . . . . . . . . . . . . . . . . . 272


Deploying application updates . . . . . . . . . . . . . . . . . . . . . . . . 274
Zero-downtime multi-server deployments . . . . . . . . . . . . . . . . . . . 277
Ensuring zero downtime with serial and integration tests . . . . . . 286
Deploying to app servers behind a load balancer . . . . . . . . . . . . . 288
Capistrano-style and blue-green deployments . . . . . . . . . . . . . . . . . 296
Additional Deployment Features . . . . . . . . . . . . . . . . . . . . . . . . . 297
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Chapter 11 - Server Security and Ansible . . . . . . . . . . . . . . . . . . . . . . 300


A brief history of SSH and remote access . . . . . . . . . . . . . . . . . . . . 300
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
rlogin, rsh and rcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
The evolution of SSH and the future of remote access . . . . . . . . . . 305
Use secure and encrypted communication . . . . . . . . . . . . . . . . . . . . 306
Disable root login and use sudo . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Remove unused software, open only required ports . . . . . . . . . . . . . . 310
Use the principle of least privilege . . . . . . . . . . . . . . . . . . . . . . . . 311
User account configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 312
File permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Update the OS and installed software . . . . . . . . . . . . . . . . . . . . . . 313
Automating updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Automating updates for RHEL systems . . . . . . . . . . . . . . . . . . . 315
Automating updates for Debian-based systems . . . . . . . . . . . . . . 315
Use a properly-configured firewall . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring a firewall with ufw on Debian or Ubuntu . . . . . . . . . 317
Configuring a firewall with firewalld on Fedora, RHEL and RHEL-derivatives . . . 319
Make sure log files are populated and rotated . . . . . . . . . . . . . . . . . . 320
Monitor logins and block suspect IP addresses . . . . . . . . . . . . . . . . . 321
Use SELinux (Security-Enhanced Linux) or AppArmor . . . . . . . . . . . . 323
Summary and further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Chapter 12 - Automating Your Automation with Ansible Tower and CI/CD 326
Installing Ansible AWX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Using AWX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329


Uninstalling AWX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Other Tower Features of Note . . . . . . . . . . . . . . . . . . . . . . . . 332
Tower Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Jenkins CI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Build a local Jenkins server with Ansible . . . . . . . . . . . . . . . . . . 333
Create an Ansible playbook on the Jenkins server . . . . . . . . . . . . 336
Create a Jenkins job to run an Ansible Playbook . . . . . . . . . . . . . 337
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Chapter 13 - Testing and CI for Ansible Content . . . . . . . . . . . . . . . . . 340


Unit, Integration, and Functional Testing . . . . . . . . . . . . . . . . . . . . 340
Debugging and Asserting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
The debug module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
The fail and assert modules . . . . . . . . . . . . . . . . . . . . . . . . 344
Linting YAML with yamllint . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Performing a --syntax-check . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Linting Ansible content with ansible-lint . . . . . . . . . . . . . . . . . . . 348
Automated testing and development with Molecule . . . . . . . . . . . . . . 350
Testing a role with Molecule . . . . . . . . . . . . . . . . . . . . . . . . . 351
Testing a playbook with Molecule . . . . . . . . . . . . . . . . . . . . . . 353
Adjusting Molecule to use more flexible test containers . . . . . . 357
Verifying a playbook with Molecule . . . . . . . . . . . . . . . . . . 359
Adding lint configuration to Molecule . . . . . . . . . . . . . . . . 360
Molecule Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Running your playbook in check mode . . . . . . . . . . . . . . . . . . . . . 361
Automated testing on GitHub using GitHub Actions . . . . . . . . . . . . . 362
Automated testing in other CI environments . . . . . . . . . . . . . . . 367
Real-world examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Functional testing using serverspec or testinfra . . . . . . . . . . . . . . . . . 367
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

Chapter 14 - Automating HTTPS and TLS Certificates . . . . . . . . . . . . . 370


Generating Self-Signed Certificates with Ansible . . . . . . . . . . . . . . . 370
Idempotent Nginx HTTPS playbook with a self-signed cert . . . . . . 372
Automating Let’s Encrypt with Ansible for free Certs . . . . . . . . . . . . 379
Use Galaxy roles to get things done faster . . . . . . . . . . . . . . . . . 380


Create the playbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Create a server and configure DNS . . . . . . . . . . . . . . . . . . . . . 387
Point the playbook inventory at the server . . . . . . . . . . . . . . . . 387
Access your server over HTTPS! . . . . . . . . . . . . . . . . . . . . . . . 388
Configuring Nginx to proxy HTTP traffic and serve it over HTTPS . . . . 389
Modify the Nginx configuration to proxy traffic . . . . . . . . . . . . . 390
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Chapter 15 - Docker and Ansible . . . . . . . . . . . . . . . . . . . . . . . . . . . 394


A brief introduction to Docker containers . . . . . . . . . . . . . . . . . . . . 394
Using Ansible to build and manage containers . . . . . . . . . . . . . . . . . 396
Building a Flask app with Ansible and Docker . . . . . . . . . . . . . . . . . 398
Data storage container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Flask container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
MySQL container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Ship it! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Building containers with Ansible from the outside . . . . . . . . . . . . . . 412
Build a Hubot Slack bot container with ansible_connection: docker 412
Hubot and Slack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Building a Docker container with Ansible . . . . . . . . . . . . . . 413
Building the hubot-slack role . . . . . . . . . . . . . . . . . . . . . 416
Building and running the Hubot Slack bot container . . . . . . . . 418
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Afterword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Appendix A - Using Ansible on Windows workstations . . . . . . . . . . . . 422


Method 1 - Use the Windows Subsystem for Linux . . . . . . . . . . . . . . 422
Installing Ansible inside WSL . . . . . . . . . . . . . . . . . . . . . . . . 423
Method 2 - When WSL is not an option . . . . . . . . . . . . . . . . . . . . . 425
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Set up an Ubuntu Linux Virtual Machine . . . . . . . . . . . . . . . . . 425
Log into the Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . 426
Install Ansible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Appendix B - Ansible Best Practices and Conventions . . . . . . . . . . . . . 430


Playbook Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Write comments and use name liberally . . . . . . . . . . . . . . . . . . . 430
Include related variables and tasks . . . . . . . . . . . . . . . . . . . . . 431
Use Roles to bundle logical groupings of configuration . . . . . . . . . 432
Use role defaults and vars correctly . . . . . . . . . . . . . . . . . . . . . 433
YAML Conventions and Best Practices . . . . . . . . . . . . . . . . . . . . . . 434
YAML for Ansible tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Three ways to format Ansible tasks . . . . . . . . . . . . . . . . . . . . . 436
Shorthand/one-line (key=value) . . . . . . . . . . . . . . . . . . . . 436
Structured map/multi-line (key:value) . . . . . . . . . . . . . . . . 437
Folded scalars/multi-line (>) . . . . . . . . . . . . . . . . . . . . . . . 438
Using | to format multiline variables . . . . . . . . . . . . . . . . . . . . 439
Using ansible-playbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Use Ansible Tower . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Install Galaxy dependencies local to your playbook . . . . . . . . . . . . . . 440
Discriminate wisely when choosing community dependencies . . . . 441
Specify --forks for playbooks running on > 5 servers . . . . . . . . . . . . 442
Use Ansible’s Configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Foreword
Over the last few years, Ansible has rapidly become one of the most popular IT
automation tools in the world. We’ve seen the open source community expand from
the beginning of the project in early 2012 to over 1200 individual contributors today.
Ansible’s modular architecture and broad applicability to a variety of automation
and orchestration problems created a perfect storm for hundreds of thousands of
users worldwide.
Ansible is a general purpose IT automation platform, and it can be used for a variety
of purposes, from configuration management (enforcing declared state across your
infrastructure), to procedural application deployment, to broad multi-component and
multi-system orchestration of complicated interconnected systems. It is agentless, so
it can coexist with legacy tools, and it’s easy to install, configure, and maintain.
Ansible had its beginnings in 2012, when Michael DeHaan, the project’s founder,
took inspiration from several tools he had written prior, along with some hands-on
experience with the state of configuration management at the time, and launched the
project in February of 2012. Some of Ansible’s unique attributes like its module-based
architecture and agentless approach quickly attracted attention in the open source
world.
In 2013, Said Ziouani, Michael DeHaan, and I launched Ansible, Inc. We wanted
to harness the growing adoption of Ansible in the open source world, and create
products to fill the gaps in the IT automation space as we saw them. The existing
tools were complicated, error-prone, and hard to learn. Ansible gave users across
an IT organization a low barrier of entry into automation, and it could be deployed
incrementally, solving as few or as many problems as the team needed without a big
shift in methodology.
This book is about using Ansible in a DevOps environment. I’m not going to try to
define what DevOps is or isn’t, or who’s doing it or not. My personal interpretation
of the idea is that DevOps is meant to shorten the distance between the developers
writing the code, and the operators running the application. Now, I don’t believe
adding a new “DevOps” team in between existing development and operations teams
achieves that objective! (Oops, now I’m trying for a definition, aren’t I?)
Well, definitions aside, one of the first steps towards a DevOps environment is
choosing tools that can be consumed by both developers and operations engineers.
Ansible is one of those tools: you don’t have to be a software developer to use it, and
the playbooks that you write can easily be self-documenting. There have been a lot
of attempts at “write once, run anywhere” models of application development and
deployment, but I think Ansible comes the closest to providing a common language
that’s useful across teams and across clouds and different datacenters.
The author of this book, Jeff, has been a long-time supporter, contributor, and
advocate of Ansible, and he’s maintained a massive collection of impressive Ansible
roles in Galaxy, the public role-sharing service maintained by Ansible, Inc. Jeff has
used Ansible extensively in his professional career, and is eminently qualified to
write the end-to-end book on Ansible in a DevOps environment.
As you read this book, I hope you enjoy your journey into IT automation as much
as we have. Be well, do good work, and automate everything.
Tim Gerla Ansible, Inc. Co-Founder & CTO
Preface
Growing up, I had access to a world that not many kids ever get to enter. At the
local radio stations where my dad was chief engineer, I was fortunate to get to see
networks and IT infrastructure up close: Novell servers and old Mac and Windows
workstations in the ’90s; Microsoft and Linux-based servers; and everything in
between. Best of all, he brought home decommissioned servers and copies of Linux
burned to CD.
I began working with Linux and small-scale infrastructures before I started high
school, and my passion for infrastructure grew as I built a Cat5 wired network
and a small rack of networking equipment for a local grade school. When I started
developing full-time, what was once a hobby became a necessary part of my job, so
I invested more time in managing infrastructure efficiently. Over the past ten years,
I’ve gone from manually booting and configuring physical and virtual servers; to
using relatively complex shell scripts to provision and configure servers; to using
configuration management tools to manage thousands of cloud-based servers.
When I began converting my infrastructure to code, some of the best tools for testing,
provisioning, and managing my servers were still in their infancy, but they have since
matured into fully-featured, robust tools that I use every day. Vagrant is an excellent
tool for managing local virtual machines to mimic real-world infrastructure locally
(or in the cloud), and Ansible — the subject of this book — is an excellent tool for
provisioning servers, managing their configuration, and deploying applications, even
on my local workstation!
These tools are still improving rapidly, and I’m excited for what the future holds.
The time I invest in learning new infrastructure tools well will be helpful for years
to come.
In these pages, I’ll share with you all I’ve learned about Ansible: my favorite tool for
server provisioning, configuration management, and application deployment. I hope
you enjoy reading this book as much as I did writing it!
— Jeff Geerling, 2015
Second Edition
I’ve published 23 major revisions to the book since the original 1.0 release in 2015.
After major rewrites (and three new chapters) in 2019 and 2020 to reflect Ansible’s
changing architecture, I decided to publish the new content as a ‘2nd edition’.
I will continue to publish revisions in the future, to keep this book relevant for as
long as possible! Please visit the book’s website, at www.ansiblefordevops.com, for
the latest updates, or to subscribe to be notified of Ansible and book news!
— Jeff Geerling, 2020

Who is this book for?


Many of the developers and sysadmins I work with are at least moderately comfortable
administering a Linux server via SSH, and manage between 1-100 servers,
whether bare metal, virtualized, or using containers.
Some of these people have a little experience with configuration management tools
(usually with Puppet or Chef), and maybe a little experience with deployments and
continuous integration using tools like Jenkins, Capistrano, or Fabric. I am writing
this book for these friends who, I think, are representative of most people who have
heard of and/or are beginning to use Ansible.
If you are interested in both development and operations, and have at least a passing
familiarity with managing a server via the command line, this book should provide
you with an intermediate- to expert-level understanding of Ansible and how you can
use it to manage your infrastructure.

Typographic conventions
Ansible uses a simple syntax (YAML) and simple command-line tools (using common
POSIX conventions) for all its powerful abilities. Code samples and commands will
be highlighted throughout the book either inline (for example: ansible [command]),
or in a code block (with or without line numbers) like:
1 ---
2 # This is the beginning of a YAML file.

Some lines of YAML and other code examples require more than 70 characters per
line, resulting in the code wrapping to a new line. Wrapping code is indicated by a \
at the end of the line of code. For example:

1 # The line of code wraps due to the extremely long URL.


2 wget http://www.example.com/really/really/really/long/path/in/the/url/c\
3 auses/the/line/to/wrap

When using the code, don’t copy the \ character, and make sure you don’t use a
newline between the first line with the trailing \ and the next line.
Links to pertinent resources and websites are added inline, like the following link to
Ansible¹, and can be viewed directly by clicking on them in eBook formats, or by
following the URL in the footnotes.
Sometimes, asides are added to highlight further information about a specific topic:

Informational asides will provide extra information.

Warning asides will warn about common pitfalls and how to avoid them.

Tip asides will give tips for deepening your understanding or optimizing
your use of Ansible.

When displaying commands run in a terminal session, if the commands are run under
your normal/non-root user account, the commands will be prefixed by the dollar sign
($). If the commands are run as the root user, they will be prefixed with the pound
sign (#).
¹https://www.ansible.com/
Please help improve this book!


New revisions of this book are published on a regular basis (see current book
publication stats below). If you think a particular section needs improvement or find
something missing, please post an issue in the Ansible for DevOps issue queue² (on
GitHub) or contact me via Twitter (@geerlingguy³).
All known issues with Ansible for DevOps will be aggregated on the book’s online
Errata⁴ page.

Current Published Book Version Information


• Current book version: 2.2
• Current Ansible version as of last publication: 8.0.0 (core 2.15.0)
• Current Date as of last publication: June 17, 2023

About the Author


Jeff Geerling is a developer who has worked in programming and reliability engineering
for companies with anywhere between one to thousands of servers. He also
manages many virtual servers for services offered by Midwestern Mac, LLC and has
been using Ansible to manage infrastructure since early 2013.
²https://github.com/geerlingguy/ansible-for-devops/issues
³https://twitter.com/geerlingguy
⁴https://www.ansiblefordevops.com/errata
Introduction
In the beginning, there were sysadmins
Since the beginning of networked computing, deploying and managing servers
reliably and efficiently has been a challenge. Historically, system administrators
were walled off from the developers and users who interact with the systems
they administer, and they managed servers by hand, installing software, changing
configurations, and administering services on individual servers.
As data centers grew, and hosted applications became more complex, administrators
realized they couldn’t scale their manual systems management as fast as the
applications they were enabling. That’s why server provisioning and configuration
management tools came to flourish.
Server virtualization brought large-scale infrastructure management to the fore, and
the number of servers managed by one admin (or by a small team of admins), has
grown by an order of magnitude. Instead of deploying, patching, and destroying
every server by hand, admins now are expected to bring up new servers, either
automatically or with minimal intervention. Large-scale IT deployments now may
involve hundreds or thousands of servers; in many of the largest environments, server
provisioning, configuration, and decommissioning are fully automated.

Modern infrastructure management


As the systems that run applications become an ever more complex and integral part
of the software they run, application developers themselves have begun to integrate
their work more fully with operations personnel. In many companies, development
and operations work is integrated. Indeed, this integration is a requirement for
modern test-driven application design.
As a software developer by trade, and a sysadmin by necessity, I have seen the power
in uniting development and operations—more commonly referred to now as DevOps
or Site Reliability Engineering. When developers begin to think of infrastructure as
part of their application, stability and performance become normative. When sysadmins
(most of whom have intermediate to advanced knowledge of the applications
and languages being used on servers they manage) work tightly with developers,
development velocity is improved, and more time is spent doing ‘fun’ activities like
performance tuning, experimentation, and getting things done, and less time putting
out fires.

DevOps is a loaded word; some people argue using the word to identify
both the movement of development and operations working more closely
to automate infrastructure-related processes, and the personnel who skew
slightly more towards the system administration side of the equation,
dilutes the word’s meaning. I think the word has come to be a rallying cry
for the employees who are dragging their startups, small businesses, and
enterprises into a new era of infrastructure growth and stability. I’m not
too concerned that the term has become more of a catch-all for modern
infrastructure management. My advice: spend less time arguing over the
definition of the word, and more time making it mean something to you.

Ansible and Red Hat


Ansible was released in 2012 by Michael DeHaan (@laserllama⁵ on Twitter), a
developer who has been working with configuration management and infrastructure
orchestration in one form or another for many years. Through his work with Puppet
Labs and Red Hat (where he worked on Cobbler⁶, a configuration management
tool, Func, a tool for communicating commands to remote servers, and some other
projects⁷), he experienced the trials and tribulations of many different organizations
and individual sysadmins on their quest to simplify and automate their infrastructure
management operations.
Additionally, Michael found many shops were using separate tools⁸ for configuration
management (Puppet, Chef, cfengine), server deployment (Capistrano, Fabric), and
⁵https://twitter.com/laserllama
⁶http://cobbler.github.io/
⁷https://www.ansible.com/blog/2013/12/08/the-origins-of-ansible
⁸http://highscalability.com/blog/2012/4/18/ansible-a-simple-model-driven-configuration-management-and-c.html
ad-hoc task execution (Func, plain SSH), and wanted to see if there was a better way.
Ansible wraps up all three of these features into one tool, and does it in a way that’s
actually simpler and more consistent than any of the other task-specific tools!
Ansible aims to be:

1. Clear - Ansible uses a simple syntax (YAML) and is easy for anyone (developers,
sysadmins, managers) to understand. APIs are simple and sensible.
2. Fast - Fast to learn, fast to set up—especially considering you don’t need to
install extra agents or daemons on all your servers!
3. Complete - Ansible does three things in one, and does them very well. Ansible’s
‘batteries included’ approach means you have everything you need in one
complete package.
4. Efficient - No extra software on your servers means more resources for your
applications. Also, since Ansible modules work via JSON, Ansible is extensible
with modules written in a programming language you already know.
5. Secure - Ansible uses SSH, and requires no extra open ports or potentially-vulnerable
daemons on your servers. The flip side is that the control node holding the SSH
private keys becomes the sensitive asset, so protect it as you would any privileged
bastion host.

Ansible also has a lighter side that gives the project a little personality. As an example,
Ansible’s major releases are named after Led Zeppelin songs (e.g. 2.0 was named
after 1973’s “Over the Hills and Far Away”, 1.x releases were named after Van Halen
songs). Additionally, Ansible uses cowsay, if installed, to wrap output in an ASCII
cow’s speech bubble (this behavior can be disabled in Ansible’s configuration).
Ansible, Inc.⁹ was founded by Saïd Ziouani (@SaidZiouani¹⁰ on Twitter), Michael
DeHaan, and Tim Gerla, and acquired by Red Hat in 2015. The Ansible team oversees
core Ansible development and provides services (such as Ansible Consulting¹¹) and
extra tooling (such as Ansible Tower¹²) to organizations using Ansible. Hundreds of
individual developers have contributed patches to Ansible, and Ansible is the most
starred infrastructure management tool on GitHub (with over 33,000 stars as of this
writing).
In October 2015, Red Hat acquired Ansible, Inc., and has proven itself to be a good
steward and promoter of Ansible. I see no indication of this changing in the future.
⁹https://www.ansible.com/
¹⁰https://twitter.com/SaidZiouani
¹¹https://www.ansible.com/products/consulting
¹²https://www.ansible.com/tower
Ansible Examples
There are many Ansible examples (playbooks, roles, infrastructure, configuration,
etc.) throughout this book. Most of the examples are in the Ansible for DevOps
GitHub repository¹³, so you can browse the code in its final state while you’re reading
the book. Some of the line numbering may not match the book exactly (especially if
you’re reading an older version of the book!), but I will try my best to keep everything
synchronized over time.

Other resources
We’ll explore all aspects of using Ansible to provision and manage your infrastructure
in this book, but there’s no substitute for the wealth of documentation and community
interaction that make Ansible great. Check out the links below to find out more
about Ansible and discover the community:

• Ansible Documentation¹⁴ - Covers all Ansible options in depth. There are few
open source projects with documentation as clear and thorough.
• Ansible Glossary¹⁵ - If there’s ever a term in this book you don’t seem to fully
understand, check the glossary.
• The Bullhorn¹⁶ - Ansible’s official newsletter.
• Ansible Mailing List¹⁷ - Discuss Ansible and submit questions with Ansible’s
community via this Google group.
• Ansible on GitHub¹⁸ - The official Ansible code repository, where the magic
happens.
• Ansible Example Playbooks on GitHub¹⁹ - Many examples for common server
configurations.
• Getting Started with Ansible²⁰ - A simple guide to Ansible’s community and
resources.
¹³https://github.com/geerlingguy/ansible-for-devops
¹⁴https://docs.ansible.com/ansible/
¹⁵https://docs.ansible.com/ansible/latest/reference_appendices/glossary.html
¹⁶https://us19.campaign-archive.com/home/?u=56d874e027110e35dea0e03c1&id=d6635f5420
¹⁷https://groups.google.com/forum/#!forum/ansible-project
¹⁸https://github.com/ansible/ansible
¹⁹https://github.com/ansible/ansible-examples
²⁰https://www.ansible.com/resources/get-started
• Ansible Blog²¹

I’d like to especially highlight Ansible’s documentation (the first resource listed
above); one of Ansible’s greatest strengths is its well-written and extremely relevant
documentation, containing a large number of relevant examples and continuously-
updated guides. Very few projects—open source or not—have documentation as
thorough, yet easy-to-read. This book is meant as a supplement to, not a replacement
for, Ansible’s documentation!

²¹https://www.ansible.com/blog
Chapter 1 - Getting Started with
Ansible
Ansible and Infrastructure Management

On snowflakes and shell scripts


Many developers and system administrators manage servers by logging into them via
SSH, making changes, and logging off. Some of these changes would be documented,
some would not. If an admin needed to make the same change to many servers (for
example, changing one value in a config file), the admin would manually log into
each server and repeatedly make this change.
If there were only one or two changes in the course of a server’s lifetime, and if
the server were extremely simple (running only one process, with one configuration,
and a very simple firewall), and if every change were thoroughly documented, this
process wouldn’t be a problem.
But for almost every company in existence, servers are more complex—most run tens,
sometimes hundreds of different applications or application containers. Most servers
have complicated firewalls and dozens of tweaked configuration files. And even with
change documentation, the manual process usually results in some servers or some
steps being forgotten.
If the admins at these companies wanted to set up a new server exactly like one that
is currently running, they would need to spend a good deal of time going through
all of the installed packages, documenting configurations, versions, and settings; and
they would spend a lot of unnecessary time manually reinstalling, updating, and
tweaking everything to get the new server to run close to how the old server did.
Some admins may use shell scripts to try to reach some level of sanity, but I’ve yet to
see a complex shell script that handles all edge cases correctly while synchronizing
multiple servers’ configuration and deploying new code.
Configuration management
Lucky for you, there are tools to help you avoid having these snowflake servers—
servers that are uniquely configured and impossible to recreate from scratch because
they were hand-configured without documentation. Tools like CFEngine²², Puppet²³
and Chef²⁴ became very popular in the mid-to-late 2000s.
But there’s a reason why many developers and sysadmins stick to shell scripting and
command-line configuration: it’s simple and easy-to-use, and they’ve had years of
experience using bash and command-line tools. Why throw all that out the window
and learn a new configuration language and methodology?
Enter Ansible. Ansible was built (and continues to be improved) by developers and
sysadmins who know the command line—and want to make a tool that helps them
manage their servers exactly the same as they have in the past, but in a repeatable
and centrally managed way. Ansible also has other tricks up its sleeve, making it a
true Swiss Army knife for people involved in DevOps (not just the operations side).
One of Ansible’s greatest strengths is its ability to run regular shell commands
verbatim, so you can take existing scripts and commands and work on converting
them into idempotent playbooks as time allows. For someone (like me) who was
comfortable with the command line, but never became proficient in more complicated
tools like Puppet or Chef (which both required at least a slight understanding
of Ruby and/or a custom language just to get started), Ansible was a breath of fresh
air.
Ansible works by pushing changes out to all your servers (by default), and requires
no extra software to be installed on your servers (thus no extra memory footprint,
and no extra daemon to manage), unlike most other configuration management tools.
²²http://cfengine.com/
²³http://puppetlabs.com/
²⁴http://www.getchef.com/chef/
Idempotence is the ability to run an operation which produces the same
result whether run once or multiple times (source²⁵).
An important feature of a configuration management tool is its ability to
ensure the same configuration is maintained whether you run it once or
a thousand times. Many shell scripts have unintended consequences if run
more than once, but Ansible deploys the same configuration to a server over
and over again without making any changes after the first deployment.
In fact, almost every aspect of Ansible modules and commands is idempotent,
and for those that aren’t, Ansible allows you to define when the
given command should be run, and what constitutes a changed or failed
command, so you can easily maintain an idempotent configuration on all
your servers.
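
The two passages above (running shell commands verbatim, then converting them
into idempotent tasks) are easiest to see side by side. The playbook below is an
added example, not code from the book or the Ansible project; the target hosts,
the banner text and the use of /etc/motd are assumptions for illustration. It
shows the same change three ways: a script line run as-is, the same line wrapped
with creates, register, changed_when, failed_when and when so Ansible knows when
to run it and what counts as a change or a failure, and the native copy module,
which is idempotent on its own.

```yaml
---
# Added example (not from the book): converting a one-line shell change into
# idempotent tasks. Target hosts, the banner text and /etc/motd are assumptions.
- name: Three ways to keep a login banner in /etc/motd
  hosts: all
  become: true

  vars:
    banner: "Authorized use only. Activity may be monitored."

  tasks:
    # 1. A script line run verbatim. It works, but Ansible has no way to know
    #    whether anything changed, so every run reports "changed".
    - name: Write banner (verbatim shell, never idempotent)
      ansible.builtin.shell: echo "{{ banner }}" > /etc/motd

    # 2. The same command with explicit idempotence rules:
    #    `creates` skips the command once the file exists;
    #    `register` plus `changed_when`/`failed_when` let a check command decide
    #    what counts as a change or a failure (grep exits 1 when the text is
    #    absent, which is a valid answer, not an error); `when` gates the
    #    corrective step on that answer.
    - name: Create the file only if it is missing
      ansible.builtin.shell: echo "{{ banner }}" > /etc/motd
      args:
        creates: /etc/motd

    - name: Check whether the banner text is present
      ansible.builtin.command: grep -qF "{{ banner }}" /etc/motd
      register: banner_check
      changed_when: false
      failed_when: banner_check.rc not in [0, 1]

    - name: Rewrite the banner when the check says it is wrong
      ansible.builtin.shell: echo "{{ banner }}" > /etc/motd
      when: banner_check.rc == 1

    # 3. The module that replaces the whole dance: copy compares the desired
    #    content with the file on disk and reports "changed" only on a difference,
    #    and it also enforces ownership and mode, which the echo never did.
    - name: Write banner (idempotent module)
      ansible.builtin.copy:
        dest: /etc/motd
        content: "{{ banner }}\n"
        owner: root
        group: root
        mode: "0644"
```

Run it twice with ansible-playbook -i inventory banner.yml. On the second run
only the first task reports changed; the creates task is skipped because the file
exists, the grep check reports ok (changed_when: false), the conditional rewrite
is skipped, and copy reports ok because the content already matches. That
difference in the recap is exactly what the idempotence aside above describes.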

Installing Ansible
Ansible’s only real dependency is Python. Once Python is installed, the simplest way
to get Ansible running is to use pip, a simple package manager for Python.
If you’re on a Mac, installing Ansible is a piece of cake:

1. Check if pip is installed (which pip3). If not, install it with the interpreter’s bundled installer: python3 -m ensurepip --upgrade
2. Install Ansible: python3 -m pip install --user ansible

You could also install Ansible via Homebrew²⁶ with brew install ansible. Either
way (pip or brew) is fine, but make sure you update Ansible using the same system
with which it was installed! With pip, pin the release you tested against (for example
pip install 'ansible==8.0.0', the version current as of this edition) so a rebuilt
control node gets the same Ansible rather than whatever is newest on PyPI.
If you’re running Windows, it will take a little extra work to set everything up.
Typically, people run Ansible inside the Windows Subsystem for Linux. For detailed
instructions setting up Ansible under the WSL, see Appendix A - Using Ansible on
Windows workstations.
If you’re running Linux, chances are you already have Ansible’s dependencies
installed, but we’ll cover the most common installation methods.
²⁵http://en.wikipedia.org/wiki/Idempotence#Computer_science_meaning
²⁶http://brew.sh/
If you have python-pip and python-devel (python-dev on Debian/Ubuntu) installed,
use pip to install Ansible (this assumes you also have the ‘Development Tools’
package installed, so you have gcc, make, etc. available):

$ pip install ansible

Using pip allows you to upgrade Ansible with pip install --upgrade ansible.
Fedora/Red Hat Enterprise Linux/CentOS:
The easiest way to install Ansible on a Fedora-like system is to use the official dnf
package. If you’re running Red Hat Enterprise Linux (RHEL) or CentOS/Rocky/Alma
Linux, you need to install EPEL’s RPM before you install Ansible (see the info section
below for instructions):

$ dnf -y install ansible

On RHEL/CentOS systems, python-pip and ansible are available via the
EPEL repository²⁷. If you run the command dnf repolist | grep epel (to
see if the EPEL repo is already available) and there are no results, you need
to install it with the following commands:

# If you're on RHEL/CentOS 6:
$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/\
epel-release-6-8.noarch.rpm
# If you're on RHEL/CentOS 7:
$ yum install epel-release
# If you're on RHEL 8+/Fedora:
$ dnf install epel-release

Debian/Ubuntu:
The easiest way to install Ansible on a Debian or Ubuntu system is to use the official
apt package.

²⁷https://fedoraproject.org/wiki/EPEL
Random documents with unrelated
content Scribd suggests to you:
TRANSCRIBER’S NOTES
1. Silently corrected typographical errors and variations in
spelling.
2. Archaic, non-standard, and uncertain spellings retained
as printed.
3. Footnotes were re-indexed using numbers.
*** END OF THE PROJECT GUTENBERG EBOOK RACE
DISTINCTIONS IN AMERICAN LAW ***

Updated editions will replace the previous one—the old editions will
be renamed.

Creating the works from print editions not protected by U.S.


copyright law means that no one owns a United States copyright in
these works, so the Foundation (and you!) can copy and distribute it
in the United States without permission and without paying
copyright royalties. Special rules, set forth in the General Terms of
Use part of this license, apply to copying and distributing Project
Gutenberg™ electronic works to protect the PROJECT GUTENBERG™
concept and trademark. Project Gutenberg is a registered trademark,
and may not be used if you charge for an eBook, except by following
the terms of the trademark license, including paying royalties for use
of the Project Gutenberg trademark. If you do not charge anything
for copies of this eBook, complying with the trademark license is
very easy. You may use this eBook for nearly any purpose such as
creation of derivative works, reports, performances and research.
Project Gutenberg eBooks may be modified and printed and given
away—you may do practically ANYTHING in the United States with
eBooks not protected by U.S. copyright law. Redistribution is subject
to the trademark license, especially commercial redistribution.

START: FULL LICENSE


THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK

To protect the Project Gutenberg™ mission of promoting the free


distribution of electronic works, by using or distributing this work (or
any other work associated in any way with the phrase “Project
Gutenberg”), you agree to comply with all the terms of the Full
Project Gutenberg™ License available with this file or online at
www.gutenberg.org/license.

Section 1. General Terms of Use and


Redistributing Project Gutenberg™
electronic works
1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand, agree
to and accept all the terms of this license and intellectual property
(trademark/copyright) agreement. If you do not agree to abide by all
the terms of this agreement, you must cease using and return or
destroy all copies of Project Gutenberg™ electronic works in your
possession. If you paid a fee for obtaining a copy of or access to a
Project Gutenberg™ electronic work and you do not agree to be
bound by the terms of this agreement, you may obtain a refund
from the person or entity to whom you paid the fee as set forth in
paragraph 1.E.8.

1.B. “Project Gutenberg” is a registered trademark. It may only be


used on or associated in any way with an electronic work by people
who agree to be bound by the terms of this agreement. There are a
few things that you can do with most Project Gutenberg™ electronic
works even without complying with the full terms of this agreement.
See paragraph 1.C below. There are a lot of things you can do with
Project Gutenberg™ electronic works if you follow the terms of this
agreement and help preserve free future access to Project
Gutenberg™ electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright law
in the United States and you are located in the United States, we do
not claim a right to prevent you from copying, distributing,
performing, displaying or creating derivative works based on the
work as long as all references to Project Gutenberg are removed. Of
course, we hope that you will support the Project Gutenberg™
mission of promoting free access to electronic works by freely
sharing Project Gutenberg™ works in compliance with the terms of
this agreement for keeping the Project Gutenberg™ name associated
with the work. You can easily comply with the terms of this
agreement by keeping this work in the same format with its attached
full Project Gutenberg™ License when you share it without charge
with others.

1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside the
United States, check the laws of your country in addition to the
terms of this agreement before downloading, copying, displaying,
performing, distributing or creating derivative works based on this
work or any other Project Gutenberg™ work. The Foundation makes
no representations concerning the copyright status of any work in
any country other than the United States.

1.E. Unless you have removed all references to Project Gutenberg:

1.E.1. The following sentence, with active links to, or other


immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project Gutenberg™
work (any work on which the phrase “Project Gutenberg” appears,
or with which the phrase “Project Gutenberg” is associated) is
accessed, displayed, performed, viewed, copied or distributed:
This eBook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this eBook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.

1.E.2. If an individual Project Gutenberg™ electronic work is derived


from texts not protected by U.S. copyright law (does not contain a
notice indicating that it is posted with permission of the copyright
holder), the work can be copied and distributed to anyone in the
United States without paying any fees or charges. If you are
redistributing or providing access to a work with the phrase “Project
Gutenberg” associated with or appearing on the work, you must
comply either with the requirements of paragraphs 1.E.1 through
1.E.7 or obtain permission for the use of the work and the Project
Gutenberg™ trademark as set forth in paragraphs 1.E.8 or 1.E.9.

1.E.3. If an individual Project Gutenberg™ electronic work is posted


with the permission of the copyright holder, your use and distribution
must comply with both paragraphs 1.E.1 through 1.E.7 and any
additional terms imposed by the copyright holder. Additional terms
will be linked to the Project Gutenberg™ License for all works posted
with the permission of the copyright holder found at the beginning
of this work.

1.E.4. Do not unlink or detach or remove the full Project


Gutenberg™ License terms from this work, or any files containing a
part of this work or any other work associated with Project
Gutenberg™.

1.E.5. Do not copy, display, perform, distribute or redistribute this


electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the Project
Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if you
provide access to or distribute copies of a Project Gutenberg™ work
in a format other than “Plain Vanilla ASCII” or other format used in
the official version posted on the official Project Gutenberg™ website
(www.gutenberg.org), you must, at no additional cost, fee or
expense to the user, provide a copy, a means of exporting a copy, or
a means of obtaining a copy upon request, of the work in its original
“Plain Vanilla ASCII” or other form. Any alternate format must
include the full Project Gutenberg™ License as specified in
paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™ works
unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or providing
access to or distributing Project Gutenberg™ electronic works
provided that:

• You pay a royalty fee of 20% of the gross profits you derive
from the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt
that s/he does not agree to the terms of the full Project
Gutenberg™ License. You must require such a user to return or
destroy all copies of the works possessed in a physical medium
and discontinue all use of and all access to other copies of
Project Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project Gutenberg™
electronic work or group of works on different terms than are set
forth in this agreement, you must obtain permission in writing from
the Project Gutenberg Literary Archive Foundation, the manager of
the Project Gutenberg™ trademark. Contact the Foundation as set
forth in Section 3 below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on, transcribe
and proofread works not protected by U.S. copyright law in creating
the Project Gutenberg™ collection. Despite these efforts, Project
Gutenberg™ electronic works, and the medium on which they may
be stored, may contain “Defects,” such as, but not limited to,
incomplete, inaccurate or corrupt data, transcription errors, a
copyright or other intellectual property infringement, a defective or
damaged disk or other medium, a computer virus, or computer
codes that damage or cannot be read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except for
the “Right of Replacement or Refund” described in paragraph 1.F.3,
the Project Gutenberg Literary Archive Foundation, the owner of the
Project Gutenberg™ trademark, and any other party distributing a
Project Gutenberg™ electronic work under this agreement, disclaim
all liability to you for damages, costs and expenses, including legal
fees. YOU AGREE THAT YOU HAVE NO REMEDIES FOR
NEGLIGENCE, STRICT LIABILITY, BREACH OF WARRANTY OR
BREACH OF CONTRACT EXCEPT THOSE PROVIDED IN PARAGRAPH
1.F.3. YOU AGREE THAT THE FOUNDATION, THE TRADEMARK
OWNER, AND ANY DISTRIBUTOR UNDER THIS AGREEMENT WILL
NOT BE LIABLE TO YOU FOR ACTUAL, DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE OR INCIDENTAL DAMAGES EVEN IF
YOU GIVE NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you
discover a defect in this electronic work within 90 days of receiving
it, you can receive a refund of the money (if any) you paid for it by
sending a written explanation to the person you received the work
from. If you received the work on a physical medium, you must
return the medium with your written explanation. The person or
entity that provided you with the defective work may elect to provide
a replacement copy in lieu of a refund. If you received the work
electronically, the person or entity providing it to you may choose to
give you a second opportunity to receive the work electronically in
lieu of a refund. If the second copy is also defective, you may
demand a refund in writing without further opportunities to fix the
problem.

1.F.4. Except for the limited right of replacement or refund set forth
in paragraph 1.F.3, this work is provided to you ‘AS-IS’, WITH NO
OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of damages.
If any disclaimer or limitation set forth in this agreement violates the
law of the state applicable to this agreement, the agreement shall be
interpreted to make the maximum disclaimer or limitation permitted
by the applicable state law. The invalidity or unenforceability of any
provision of this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the Foundation,
the trademark owner, any agent or employee of the Foundation,
anyone providing copies of Project Gutenberg™ electronic works in
accordance with this agreement, and any volunteers associated with
the production, promotion and distribution of Project Gutenberg™
electronic works, harmless from all liability, costs and expenses,
including legal fees, that arise directly or indirectly from any of the
following which you do or cause to occur: (a) distribution of this or
any Project Gutenberg™ work, (b) alteration, modification, or
additions or deletions to any Project Gutenberg™ work, and (c) any
Defect you cause.

Section 2. Information about the Mission of Project Gutenberg™

Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new computers.
It exists because of the efforts of hundreds of volunteers and
donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project Gutenberg™’s
goals and ensuring that the Project Gutenberg™ collection will
remain freely available for generations to come. In 2001, the Project
Gutenberg Literary Archive Foundation was created to provide a
secure and permanent future for Project Gutenberg™ and future
generations. To learn more about the Project Gutenberg Literary
Archive Foundation and how your efforts and donations can help,
see Sections 3 and 4 and the Foundation information page at
www.gutenberg.org.

Section 3. Information about the Project Gutenberg Literary Archive Foundation

The Project Gutenberg Literary Archive Foundation is a non-profit
501(c)(3) educational corporation organized under the laws of the
state of Mississippi and granted tax exempt status by the Internal
Revenue Service. The Foundation’s EIN or federal tax identification
number is 64-6221541. Contributions to the Project Gutenberg
Literary Archive Foundation are tax deductible to the full extent
permitted by U.S. federal laws and your state’s laws.

The Foundation’s business office is located at 809 North 1500 West,
Salt Lake City, UT 84116, (801) 596-1887. Email contact links and up
to date contact information can be found at the Foundation’s website
and official page at www.gutenberg.org/contact

Section 4. Information about Donations to the Project Gutenberg Literary Archive Foundation

Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission of
increasing the number of public domain and licensed works that can
be freely distributed in machine-readable form accessible by the
widest array of equipment including outdated equipment. Many
small donations ($1 to $5,000) are particularly important to
maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws regulating
charities and charitable donations in all 50 states of the United
States. Compliance requirements are not uniform and it takes a
considerable effort, much paperwork and many fees to meet and
keep up with these requirements. We do not solicit donations in
locations where we have not received written confirmation of
compliance. To SEND DONATIONS or determine the status of
compliance for any particular state visit www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states where
we have not met the solicitation requirements, we know of no
prohibition against accepting unsolicited donations from donors in
such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot make
any statements concerning tax treatment of donations received from
outside the United States. U.S. laws alone swamp our small staff.

Please check the Project Gutenberg web pages for current donation
methods and addresses. Donations are accepted in a number of
other ways including checks, online payments and credit card
donations. To donate, please visit: www.gutenberg.org/donate.

Section 5. General Information About Project Gutenberg™ electronic works

Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could be
freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose network of
volunteer support.

Project Gutenberg™ eBooks are often created from several printed
editions, all of which are confirmed as not protected by copyright in
the U.S. unless a copyright notice is included. Thus, we do not
necessarily keep eBooks in compliance with any particular paper
edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg Literary
Archive Foundation, how to help produce our new eBooks, and how
to subscribe to our email newsletter to hear about new eBooks.