ansible-vault notes
ansible-vault for encryption
Setting the key
Adding the vault password file option to the Ansible configuration
cat /dev/urandom | tr -dc A-Za-z0-9 | head -c32 > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass
~/.ansible.cfg
[defaults]
vault_password_file = $HOME/.ansible/.vault_pass
Rotating the secret
mv ~/.ansible/.vault_pass ~/.ansible/.vault_pass.old
cat /dev/urandom | tr -dc A-Za-z0-9 | head -c32 > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass*
ansible-vault rekey --vault-password-file=~/.ansible/.vault_pass.old --new-vault-password-file=~/.ansible/.vault_pass $(find . -type f -name "*.mdp.yml")
# once every file has been rekeyed, destroy the OLD password file (not the new one)
# shred -u ~/.ansible/.vault_pass.old
Examples
ansible-vault encrypt_string 'P@ssw0rd' --name 'mysql_pass_root'
mysql_pass_root: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31313332623736393962306239386565356536663533343665653565336265373265373166326565
          6166646561303163376336363834636633373538346632310a356166393237333865623863336133
          64343962336462356336303239663633316364393137633263366334376533303766393262653561
          6638303531626238630a613161663932376333633539656334336465383238623330393832666136
          6666
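The envelope printed by encrypt_string has a fixed layout that is worth knowing when you audit a repository: a header line, then one long hex string (wrapped at 80 columns) which decodes to three hex fields separated by newlines: the PBKDF2 salt, the HMAC-SHA256 tag and the AES-256 ciphertext. The following parser is an added example, not Ansible's own code; it only checks structure (it never decrypts and needs no vault password), which is enough to detect values that were committed in clear or envelopes that were mangled by a copy-paste. The sample envelope is the mysql_pass_root value shown above.

```python
"""Structural parser for the $ANSIBLE_VAULT;1.1;AES256 envelope (added example,
not Ansible's own code). Checks layout only; it does not decrypt anything."""
import binascii
import re

# The encrypted value shown on this page (mysql_pass_root), without the YAML key.
VAULT_TEXT = """\
$ANSIBLE_VAULT;1.1;AES256
31313332623736393962306239386565356536663533343665653565336265373265373166326565
6166646561303163376336363834636633373538346632310a356166393237333865623863336133
64343962336462356336303239663633316364393137633263366334376533303766393262653561
6638303531626238630a613161663932376333633539656334336465383238623330393832666136
6666
"""

# 1.1 has no vault id; 1.2 appends one as a third field ($ANSIBLE_VAULT;1.2;AES256;dev).
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>.+))?$"
)


def is_vault_encrypted(value):
    """True when a scalar looks like a vault envelope rather than a plaintext secret."""
    return isinstance(value, str) and value.lstrip().startswith("$ANSIBLE_VAULT;")


def parse_vault_envelope(text):
    """Split an envelope into its header fields and the three binary parts."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    match = HEADER_RE.match(lines[0]) if lines else None
    if match is None:
        raise ValueError("not a vault envelope: bad header line")
    # Outer layer: hex text that decodes to ASCII "salt_hex\nhmac_hex\nciphertext_hex".
    outer = binascii.unhexlify("".join(lines[1:]))
    fields = outer.split(b"\n")
    if len(fields) != 3:
        raise ValueError("expected salt, hmac and ciphertext, got %d fields" % len(fields))
    salt, tag, ciphertext = (binascii.unhexlify(field) for field in fields)
    return {
        "version": match.group("version"),
        "cipher": match.group("cipher"),
        "vault_id": match.group("vault_id"),
        "salt": salt,
        "hmac": tag,
        "ciphertext": ciphertext,
    }


def check_vault_envelope(env):
    """Return a list of structural problems; an empty list means the envelope looks sane."""
    problems = []
    if env["version"] not in ("1.1", "1.2"):
        problems.append("unknown envelope version %s" % env["version"])
    if env["cipher"] != "AES256":
        problems.append("unexpected cipher %s" % env["cipher"])
    if len(env["salt"]) != 32:
        problems.append("salt is %d bytes, expected 32" % len(env["salt"]))
    if len(env["hmac"]) != 32:
        problems.append("HMAC-SHA256 tag is %d bytes, expected 32" % len(env["hmac"]))
    # Vault pads the plaintext (PKCS7) before AES-CTR, so the ciphertext is a whole number of blocks.
    if not env["ciphertext"] or len(env["ciphertext"]) % 16:
        problems.append("ciphertext length %d is not a multiple of 16" % len(env["ciphertext"]))
    return problems


if __name__ == "__main__":
    env = parse_vault_envelope(VAULT_TEXT)
    print("version=%s cipher=%s salt=%dB tag=%dB ciphertext=%dB problems=%s" % (
        env["version"], env["cipher"], len(env["salt"]), len(env["hmac"]),
        len(env["ciphertext"]), check_vault_envelope(env) or "none"))
```

Running is_vault_encrypted over every scalar of the *.mdp.yml files is a cheap pre-commit check that nobody pasted a password next to the vaulted ones; the 16-byte ciphertext of the sample also tells you the plaintext was at most 15 bytes, which is a reminder that the envelope leaks the (padded) secret length.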
Problem
secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode
In our example, mysecret is a string encrypted with ansible-vault
fatal: [remote]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ mysecret | password_hash('sha512') }}): secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode"}
Solution
Source: https://gist.github.com/douglasmiranda/f21a4481d372ae54fcf4a6ff32249949
- name: "Create main user"
  user:
    name: "myuser"
    password: "{{ '%s' | format(mysecret) | password_hash('sha512') }}"
    # ...
ansible-pull notes
# pull mode (suitable for automation)
$ ansible-pull -U https://git.example.com/ansible.git -i "$(hostname --short),"
# push mode (development)
$ ansible-playbook -i inventory ./playbook.yml --limit foo.example.com
Ansible Inventory notes
Script to manage an inventory - openstack-ansible:
- openstack-ansible/scripts/inventory-manage.py
Linting an inventory file
ansible-lint inventory1.yml
yamllint inventory1.yml
ansible-inventory -i inventory1.yml -y --list > inventory2.yml
Print all variables for all hosts from the command line
ansible -i inventory/local -m debug -a "var=hostvars" all
Show the variables for all hosts
ansible-inventory -i inventory.yml --graph --vars
Show the variables for one particular host
# YAML
ansible-inventory -i inventory.yml -y --host server1
# JSON
ansible-inventory -i inventory.yml --host server1
Plugins
$ ansible-doc -t inventory -l
advanced_host_list                    Parses a 'host list' with ranges
auto                                  Loads and executes an inventory plugin specified in a YAML config
awx.awx.controller                    Ansible dynamic inventory plugin for the Automation Platform Controller
community.general.cobbler             Cobbler inventory source
community.general.gitlab_runners      Ansible dynamic inventory plugin for GitLab runners
community.general.icinga2             Icinga2 inventory source
community.general.linode              Ansible dynamic inventory plugin for Linode
community.general.lxd                 Returns Ansible inventory from lxd host
community.general.nmap                Uses nmap to find hosts to target
community.general.online              Scaleway (previously Online SAS or Online.net) inventory source
community.general.opennebula          OpenNebula inventory source
community.general.proxmox             Proxmox inventory source
community.general.scaleway            Scaleway inventory source
community.general.stackpath_compute   StackPath Edge Computing inventory source
community.general.virtualbox          virtualbox inventory source
community.general.xen_orchestra       Xen Orchestra inventory source
constructed                           Uses Jinja2 to construct vars and groups based on existing inventory
generator                             Uses Jinja2 to construct hosts and groups from patterns
host_list                             Parses a 'host list' string
ini                                   Uses an Ansible INI file as inventory source
script                                Executes an inventory script that returns JSON
toml                                  Uses a specific TOML file as an inventory source
yaml                                  Uses a specific YAML file as an inventory source
Playbook
Limiting the inventory with an intersection
hosts: "type_host:&{{ PLOP_LIMIT | default('all') }}"
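The pattern above relies on Ansible's host-pattern algebra: terms separated by ':' (or ',') are unioned, a '&' term intersects, a '!' term excludes, and a term that is not a group name is matched as a glob against host names. The resolver below is an added example, not Ansible's own code; it reimplements those documented rules on a constructed in-memory inventory so you can see what "type_host:&{{ PLOP_LIMIT | default('all') }}" selects for a given PLOP_LIMIT, including the safe failure mode where a mistyped limit selects nothing rather than everything.

```python
"""Resolve Ansible host patterns such as "type_host:&dc_paris" (added example,
not Ansible's own code; simplified reimplementation of the documented rules)."""
from fnmatch import fnmatchcase

# Constructed sample inventory: group name -> host names (not from the notes).
INVENTORY = {
    "all": ["bastion", "db1", "db2", "web1", "web2"],
    "type_host": ["db1", "web1", "web2"],
    "dc_paris": ["bastion", "db1", "web1"],
    "dc_lyon": ["db2", "web2"],
}


def limit_pattern(base_group, limit=None):
    """Same string the play builds: hosts: "type_host:&{{ PLOP_LIMIT | default('all') }}"."""
    return "%s:&%s" % (base_group, limit or "all")


def _hosts_for_term(term, inventory):
    """A term is a group name; otherwise it is a shell-style glob on host names."""
    if term in inventory:
        return set(inventory[term])
    return {host for host in inventory["all"] if fnmatchcase(host, term)}


def resolve_pattern(pattern, inventory=INVENTORY):
    """Return the sorted host names a play with hosts: <pattern> would target."""
    terms = [t for t in pattern.replace(",", ":").split(":") if t]
    regular = [t for t in terms if t[0] not in "&!"]
    intersect = [t[1:] for t in terms if t.startswith("&")]
    exclude = [t[1:] for t in terms if t.startswith("!")]
    # Ansible starts from 'all' when the pattern only has '&' / '!' terms.
    if not regular:
        regular = ["all"]
    hosts = set()
    for term in regular:          # 1. union of the plain terms
        hosts |= _hosts_for_term(term, inventory)
    for term in intersect:        # 2. then every '&' term narrows the set
        hosts &= _hosts_for_term(term, inventory)
    for term in exclude:          # 3. then every '!' term removes hosts
        hosts -= _hosts_for_term(term, inventory)
    return sorted(hosts)


if __name__ == "__main__":
    for limit in (None, "dc_paris", "web*", "nosuchgroup"):
        pattern = limit_pattern("type_host", limit)
        print("%-22s -> %s" % (pattern, resolve_pattern(pattern)))
```

Because an unknown limit becomes a glob that matches no host, PLOP_LIMIT=nosuchgroup yields an empty selection; the play then runs on nothing, which is the behaviour you want from a limit that was meant to restrict a run.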
Dynamic inventory passed as extra-vars
play_roles_temp_inventory.yaml
#! /usr/bin/ansible-playbook
---
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: add hosts from extra-vars
      add_host:
        name: '{{ item }}'
        groups: building
      loop: "{{ hosts_list.split('\n') }}"
      changed_when: false

- hosts: building
  gather_facts: "{{ play_roles_gather_facts | default(false) | bool }}"
  tasks:
    - debug: msg="hosts_list={{ hosts_list | replace('\n',',') }}"
      run_once: true
      when: play_roles_debug | default(false) | bool

    - name: Include Ansible roles
      include_role:
        name: "{{ role_name }}"
      loop: "{{ play_roles }}"
      loop_control:
        loop_var: role_name
      when: play_roles is defined
Tower
awx-manage inventory_import --source=inventory/ \
    --inventory-name="My Tower Inventory"
awx-manage inventory_import --source=inventory/ \
    --inventory-name="My Tower Inventory" \
    --overwrite --overwrite-vars
mkdir -p inventory-directory/group_vars
See awx import
Other
inventory_hostname vs ansible_hostname
Ansible Tower / Ansible Automation Platform notes
See also:
- event-driven platform for runbook automation / IFTTT (if this, then that)
Vocabulary / Concepts
Ansible Engine
This is Ansible itself; installed with:
sudo yum install ansible
Control node
- control plane
- execution plane
In AAP v1 the “control plane” and the “execution plane” lived together on the “control node”
mesh node types: node_type=hybrid (the default) or node_type=control
node_type:
- control (WebUI & API)
- execution (ansible-playbook)
- hybrid (Execution + control)
- hop (a kind of SSH proxy between the Controller and the Execution Nodes; cannot itself be an Execution Node)
Execution Node (Ansible Automation Engine)
The machine that runs Ansible: Linux, Mac, BSD … Python 3.8 or later
Hop nodes / Execution nodes
mesh node types: node_type=hop or node_type=execution
Ansible Mesh / Receptor
receptor_listener_port: 27199/tcp
| Automation Controller | Execution Node |
| ESTABLISHED 27199 | LISTEN 27199 |
work-signing keys
Control node receptor
- work-signing:
    privatekey: /etc/receptor/work_private_key.pem
    tokenexpiration: 1m
- work-verification:
    publickey: /etc/receptor/work_public_key.pem
Execution Node
- work-verification:
    publickey: /etc/receptor/work_public_key.pem
To create the keys, plain openssl commands are enough; you can see them invoked in the plays here: https://github.com/ansible/awx/blob/a86740c3c9eaf9a551e850341d8adec5a3962dd5/tools/docker-compose/ansible/roles/sources/tasks/main.yml#L84
Ansible Execution Environment
A sort of pyenv that contains Ansible, the collections and the plugins
Managed host
The targets
ansible myhost --become -m raw -a "yum install -y python2"
Prerequisite: Python 2 (2.6 or later) or Python 3 (3.5 or later)
Automation Hub / Galaxy
jfrog-artifactory :
Hop node
Formerly called “Isolated Nodes”
Alternative to ssh-proxy
The only prerequisite is that there is SSH connectivity from the Tower Cluster to the Isolated Node
Example config:
[isolated_group_restrictedzone:vars]
controller=tower

[isolated_group_nc]
cary.remote.office
controller=tower
Isolated instances are not supported in conjunction with running Ansible Tower in OpenShift.
Ansible Automation Hub
See Galaxy NG
(Private) Automation Hub
Config
tower-cli setting modify ALLOW_JINJA_IN_EXTRA_VARS always
The default, "template", only renders Jinja in extra_vars saved on the job template; "always" also renders Jinja supplied at launch time (prompts, API), so any user allowed to set extra vars can run templates, which the AWX documentation flags as a security risk. Keep "template" unless a job really needs otherwise.
Logs
See: https://github.com/ansible/awx/issues/11330
Job extra_vars in the logs (to be tested)
- hosts: localhost
  gather_facts: false
  tasks:
    - shell: "echo {{ inventory_hostname }}"
or
The first idea was to add extra_vars to every job events, but it would work just as well to be able to add a short string label (prompt on launch) when launching a job template. This should not cause a performance issue.
Add extra_vars to every job event sent over job_events #11330
Searching by date / time
GT
env TZ=Europe/Paris date --rfc-3339=second -d '2023-08-23 21:50'
2023-08-23 21:50:00+02:00
LT
env TZ=Europe/Paris date --rfc-3339=second -d '2023-08-24 00:20'
2023-08-24 00:20:00+02:00
Development / Integration
Ansible Navigator
- TUI or CLI to execute playbook
- Supports Execution Environments
Ansible Builder
- creates Execution Environments
- takes as input text/yaml files describing the EE to produce
Other
GPG Signing
Finding the version
cat /etc/ansible-automation-platform/VERSION
The DB connection config lives here:
/etc/tower/conf.d/postgres.py
Other
#ansible-config init --disabled -t all > ansible.cfg
ansible-navigator config init --disabled -t all > ansible.cfg
Viewing the configuration
ansible-config dump --only-changed -t all
#ansible-config view | grep -B 2 -A 2 'inventory plugins'
ansible-navigator config view | grep -B 2 -A 2 'inventory plugins'
[root@ansible-1 ~]# awx-manage list_instances
[tower capacity=51]
ansible-1 capacity=17 version=3.7.1 heartbeat="2020-08-27 09:06:21"
ansible-2 capacity=17 version=3.7.1 heartbeat="2020-08-27 09:05:58"
ansible-3 capacity=17 version=3.7.1 heartbeat="2020-08-27 09:06:00"
https://goetzrieger.github.io/ansible-tower-advanced/2-clustering/
#!/bin/bash
awx -f human inventory create --name "Example Inventory" --organization "Default"
awx -f human host create --name "node1" \
    --inventory "Example Inventory"
awx -f human host create --name "node2" \
    --inventory "Example Inventory"
awx -f human credential create --name "Example Credentials" \
    --organization "Default" \
    --credential_type "Machine" \
    --inputs '{"username": "ec2-user", "ssh_key_data": "@~/.ssh/aws-private.pem"}'
awx -f human project create --name="Apache" \
    --scm_type=git \
    --scm_url="https://github.com/goetzrieger/ansible-labs-playbooks.git" \
    --organization "Default" \
    --scm_clean=true --scm_delete_on_update=true --scm_update_on_launch=true \
    --wait
awx -f human job_templates create \
    --name="Install Apache" \
    --inventory="Example Inventory" \
    --project=Apache \
    --playbook=apache_install.yml \
    --become_enabled="yes"
awx -f human job_template associate --name "Install Apache" \
    --credential "Example Credentials"
Source: https://goetzrieger.github.io/ansible-tower-advanced/4-awx-cli-exercises/
Other
Credentials
sudo awx-python -m pip install safeguardcredentialtype
sudo awx-manage setup_managed_credential_types
sudo automation-controller-service restart
Source: https://pypi.org/project/safeguardcredentialtype/
See also: M(awx.awx.credential_input_source)
CPU architecture / endianness / byte order
big-endian, little-endian, byte order, CPU
Source: http://serverfault.com/questions/163487/how-to-tell-if-a-linux-system-is-big-endian-or-little-endian
See: https://fr.wikipedia.org/wiki/Endianness
On a big-endian system (Solaris on SPARC)
$ echo -n I | od -to2 | head -n1 | cut -f2 -d" " | cut -c6
0
On a little-endian system (Linux on x86)
$ echo -n I | od -to2 | head -n1 | cut -f2 -d" " | cut -c6
1
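The one-liner works because od reads the single byte 'I' (0x49), pads it to a two-byte unit with a zero and prints that unit as a six-digit octal number: 0x0049 → 000111 on a little-endian CPU, 0x4900 → 044400 on a big-endian one, hence the sixth digit. The following is an added example (not from the original notes) that reproduces the same test in Python, derives the od digit for either byte order without needing the matching hardware, and shows how the same two bytes read differently under each order.

```python
"""Byte-order checks (added example, not from the original notes)."""
import struct
import sys


def cpu_byte_order():
    """Same test as the od one-liner: encode 'I' (0x49) as a native 16-bit
    unit and look at which byte it landed in."""
    native = struct.pack("=H", ord("I"))     # '=' means native byte order
    return "little" if native[0] == 0x49 else "big"


def od_style_digit(byte_order):
    """Sixth character of the octal word `od -to2` prints for a lone 'I' byte,
    i.e. the value the `cut -c6` in the notes extracts: '1' little, '0' big."""
    unit = b"I\x00"                          # od pads the short unit with a zero byte
    value = int.from_bytes(unit, byte_order)
    return "%06o" % value[5:] if False else ("%06o" % value)[5]


def read_u16(raw, byte_order):
    """Interpret two bytes as an unsigned 16-bit integer in the given order;
    shows why raw binary (packet headers, file formats) must name its order."""
    return int.from_bytes(raw, byte_order)


if __name__ == "__main__":
    print("this CPU:", cpu_byte_order(), "(sys.byteorder says", sys.byteorder + ")")
    for order in ("little", "big"):
        print("%-6s od digit=%s  b'I\\x00' reads as %d" % (
            order, od_style_digit(order), read_u16(b"I\x00", order)))
```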
