Jim Cheung



Ansible for Devops

notes from Amazon.com: Ansible for DevOps

Chapter 1 - Getting Started with Ansible

Chapter 2 - Local Infrastructure Development: Ansible and Vagrant

Chapter 3 - Ad-Hoc Commands

Chapter 4 - Ansible Playbooks

Chapter 5 - Ansible Playbooks - Beyond the Basics

Chapter 6 - Playbook Organization - Roles and Includes

Chapter 7 - Inventories

Chapter 8 - Ansible Cookbooks

Chapter 9 - Deployments with Ansible

Chapter 10 - Server Security and Ansible

Chapter 11 - Automating Your Automation - Ansible Tower and CI/CD

(clean up later)

-f 1 to tell Ansible to use only one fork 

use the command ansible [host-or-group] -m setup. 


$ ansible multi -s -m yum -a "name=ntp state=present" 


-s option (alias for --sudo) 


-K (alias for --ask-sudo-pass), 


$ ansible multi -s -a "ntpdate -q 0.rhel.pool.ntp.org" 


$ ansible db -s -m mysql_user -a "name=django host=% password=12345 \ priv=*.*:ALL state=present" 


--limit "192.168.60.4" 


regular expression (prefixed with ~). 


--limit "*.4" 


--limit ~".*\.4" 


-m group -a "name=admin state=present" 


state=absent, set a group id with gid=[gid], and indicate that the group is a system group with system=yes. 


createhome=yes" 


generate_ssh_key=yes. 


state=absent remove=yes" 


-m copy -a "src=/etc/hosts dest=/tmp/hosts" 


If you omit the trailing slash, the contents and the directory itself will be copied into the dest. 


unarchive module, or using Ansible’s synchronize module. 


The fetch module works almost exactly the same as the copy module, except in reverse. 


flat=yes, 


-m file -a "dest=/tmp/test mode=644 state=directory" 


-m file -a "src=/src/symlink dest=/dest/symlink \ owner=root group=root state=link" 


-m file -a "dest=/tmp/test state=absent" 


-s -B 3600 -a "yum -y update" 


leave out -P, Ansible defaults to polling every 10 seconds: 


set -P to ‘0’, 


inspect the file ~/.ansible_async/<jid> on the remote server. 


tail -f, won’t work via Ansible, 


use the shell module instead of Ansible’s default command module 


-m cron -a "name='daily-cron-all-servers' \ hour=4 job='/path/to/daily-script.sh'" 


day, hour, minute, month, and weekday). 


user=[user], and create a backup of the current crontab by passing backup=yes. 


-s -m cron -a "name='daily-cron-all-servers' state=absent" 


cron_file_name is a cron file located in /etc/cron.d). 


-s -m git -a "repo=git://example.com/path/to/repo.git \ dest=/opt/myapp update=yes version=1.2.4" 


branch, tag, or even a specific commit with the version parameter 


force Ansible to update the checked-out copy, we passed in update=yes. 


accept_hostkey=yes 


pipelining=True under the [ssh_connection] 


next set of indented lines as one long string, with each line separated by a space”. 


each of the items will be substituted for the {{ item }} variable. 


you use a dot to access the variable within the item, 


running the playbook with the --check option (see the next section below) verifies the configuration matches what’s defined in the playbook, without actually running the tasks on the server. 


by changing the hosts: definition. 


even if the playbook is set to hosts: all, or includes hosts in addition to what’s defined in the webservers group, it will only be run on the hosts defined in webservers. 


--list-hosts: 


--remote-user =johndoe 


--ask-sudo-pass (-K) 


--sudo. 


--sudo-user (-U) 


--extra-vars=VARS 


--check: Run the playbook in Check Mode (‘Dry Run’); 


load in variables from a separate vars.yml file: 


Update apt cache if needed. 


handlers are special kinds of tasks you run at the end of a group of tasks by adding the notify option to any of the tasks in that group. 


Modifying PHP’s configuration is a perfect way to demonstrate lineinfile’s simplicity and 


If not, Ansible will add the line as defined in the line parameter. 


shell allows you to pipe command output to other commands, access the local environment, etc. 


get_url: 


notify: restart tomcat 


handler—handlers are basically glorified tasks that can be called by the notify option, 


To notify multiple handlers from one task, use a list for the notify option: 


Handlers will run once, and only once, 


you can do that by adding lines to the remote user’s .bash_profile, 


use a task’s register option to store the environment variable in a variable 


In some situations, the tasks all run over a persistent or quasi-cached SSH session, over which $ENV_VAR wouldn’t yet be defined. 


inventory file, a variable’s value is assigned using an equals sign, 


playbook or variables include file, a variable’s value is assigned using a colon, 


You can also pass in extra variables using quoted JSON, YAML, or even by passing a JSON or YAML file directly, 


$ ansible-vault encrypt api_key.yml 


--vault-password-file ~/.ansible/vault_pass.txt 


Playbooks should rarely define variables 


Command line variables ( -e) should be avoided when possible. 


Later, you can access stdout (as a string) with my_command_result.stdout, and stderr with my_command_result.stderr. 


when: (is_db_server is defined) and is_db_server 


if you use the command or shell module without also using changed_when, Ansible will always report a change. 


Ansible allows any task to be delegated to a particular host using delegate_to: 


If you’re delegating a task to localhost, Ansible has a convenient shorthand you can use, local_action, 


Pausing playbook execution with wait_for 


10 seconds before the first check, and between checks). 


Running a playbook with --connection=local is also useful when you’re either running a playbook with --check mode to verify configuration 


if you want to exclude a play or included tasks), then it’s easy to do using --tags or --skip-tags. 


Tasks inside the block will be run first. If there is a failure in any task in block, tasks inside rescue will be run. The tasks inside always will always be run, 


You can’t use variables for task include file names 


ansible-galaxy init role_name. 


files and templates inside files and templates directories, respectively: