| obj | website | repo |
|---|---|---|
| application | https://www.ansible.com | https://github.com/ansible/ansible |
Ansible
Ansible is an open-source automation tool that simplifies configuration management, application deployment, and task automation.
Inventory
The inventory contains all the hosts Ansible manages. The simplest inventory is a single file with a list of hosts and groups. The default location for this file is `/etc/ansible/hosts`. You can specify a different inventory file at the command line with the `-i <path>` option, or in the configuration with the `inventory` setting.
Example:

```ini
mail.example.com

[webservers]
foo.example.com
bar.example.com

[dbservers]
one.example.com
two.example.com
three.example.com
```
You can specify variables for the hosts of a group:

```ini
[atlanta]
host1
host2

[atlanta:vars]
ntp_server=ntp.atlanta.example.com
proxy=proxy.atlanta.example.com
```
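As an added example (not part of this page and not Ansible's own inventory code), the parser below reads the INI inventory format described above and resolves a host's variables the way Ansible does: parent group vars are overridden by child group vars, which are overridden by the host's own inline vars. It goes one step beyond the snippets on the page by also handling `[group:children]` sections and `host key=value` inline variables; host ranges, quoted values and other advanced syntax are not handled. The sample inventory is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the page's snippets plus a [south:children] parent group and an inline host var.
SAMPLE_INVENTORY = """\
mail.example.com
[atlanta]
host1 ansible_port=2222
[atlanta:vars]
ntp_server=ntp.atlanta.example.com
proxy=proxy.atlanta.example.com
[south:children]
atlanta
[south:vars]
proxy=proxy.south.example.com
region=south
"""

def parse_inventory(text):
    """Parse INI inventory into {group: {"hosts": {host: inline_vars}, "vars": {}, "children": []}}."""
    groups = defaultdict(lambda: {"hosts": {}, "vars": {}, "children": []})
    section, kind = "ungrouped", "hosts"  # hosts before any [group] header are 'ungrouped'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := re.fullmatch(r"\[([^\]:]+)(?::(vars|children))?\]", line):
            section, kind = m.group(1), m.group(2) or "hosts"  # [g], [g:vars] or [g:children]
        elif kind == "hosts":
            host, *pairs = line.split()  # "host key=value ..." inline host vars
            groups[section]["hosts"][host] = dict(p.split("=", 1) for p in pairs)
        elif kind == "vars":
            key, _, value = line.partition("=")
            groups[section]["vars"][key.strip()] = value.strip()
        else:
            groups[section]["children"].append(line)
    return groups

def host_vars(groups, host):
    """Merge vars with Ansible's precedence: parent group < child group < host inline vars."""
    def lineage(g):  # ancestors first, g itself last
        return [a for p, d in groups.items() if g in d["children"] for a in lineage(p)] + [g]
    merged = {}
    for g, data in groups.items():
        if host in data["hosts"]:
            for ancestor in lineage(g):
                merged.update(groups[ancestor]["vars"])
            merged.update(data["hosts"][host])
    return merged
```

Running `host_vars(parse_inventory(SAMPLE_INVENTORY), "host1")` shows `proxy` taken from `atlanta` rather than its parent `south`, while `region` is inherited from `south`.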
Command Line Tools
ansible
Define and run a single task ‘playbook’ against a set of hosts
Options
| Option | Description |
|---|---|
| `--become-method <BECOME_METHOD>` | privilege escalation method to use (default=sudo); use `ansible-doc -t become -l` to list valid choices |
| `--become-password-file <BECOME_PASSWORD_FILE>`, `--become-pass-file <BECOME_PASSWORD_FILE>` | become password file |
| `--become-user <BECOME_USER>` | run operations as this user (default=root) |
| `--list-hosts` | outputs a list of matching hosts; does not execute anything else |
| `--playbook-dir <BASEDIR>` | since this tool does not use playbooks, use this as a substitute playbook directory; this sets the relative path for many features including `roles/`, `group_vars/`, etc. |
| `--private-key <PRIVATE_KEY_FILE>`, `--key-file <PRIVATE_KEY_FILE>` | use this file to authenticate the connection |
| `--vault-password-file`, `--vault-pass-file` | vault password file |
| `-J`, `--ask-vault-password`, `--ask-vault-pass` | ask for vault password |
| `-K`, `--ask-become-pass` | ask for privilege escalation password |
| `-b`, `--become` | run operations with become (does not imply password prompting) |
| `-e`, `--extra-vars` | set additional variables as key=value |
| `-i`, `--inventory` | specify inventory host path or comma-separated host list |
| `-k`, `--ask-pass` | ask for connection password |
| `-l <SUBSET>`, `--limit <SUBSET>` | further limit selected hosts to an additional pattern |
| `-m <MODULE_NAME>`, `--module-name <MODULE_NAME>` | name of the action to execute (default=command) |
| `-t <TREE>`, `--tree <TREE>` | log output to this directory |
| `-u <REMOTE_USER>`, `--user <REMOTE_USER>` | connect as this user (default=None) |
ansible-playbook
Runs Ansible playbooks, executing the defined tasks on the targeted hosts.
Usage: ansible-playbook [option]... [playbook]
Options
| Option | Description |
|---|---|
| `--become-method <BECOME_METHOD>` | privilege escalation method to use (default=sudo); use `ansible-doc -t become -l` to list valid choices |
| `--become-password-file <BECOME_PASSWORD_FILE>`, `--become-pass-file <BECOME_PASSWORD_FILE>` | become password file |
| `--become-user <BECOME_USER>` | run operations as this user (default=root) |
| `--list-hosts` | outputs a list of matching hosts; does not execute anything else |
| `--list-tasks` | list all tasks that would be executed |
| `--private-key <PRIVATE_KEY_FILE>`, `--key-file <PRIVATE_KEY_FILE>` | use this file to authenticate the connection |
| `--vault-password-file`, `--vault-pass-file` | vault password file |
| `-J`, `--ask-vault-password`, `--ask-vault-pass` | ask for vault password |
| `-K`, `--ask-become-pass` | ask for privilege escalation password |
| `-b`, `--become` | run operations with become (does not imply password prompting) |
| `-e`, `--extra-vars` | set additional variables as key=value |
| `-i`, `--inventory` | specify inventory host path or comma-separated host list |
| `-k`, `--ask-pass` | ask for connection password |
| `-l <SUBSET>`, `--limit <SUBSET>` | further limit selected hosts to an additional pattern |
| `-t <TREE>`, `--tree <TREE>` | log output to this directory |
| `-u <REMOTE_USER>`, `--user <REMOTE_USER>` | connect as this user (default=None) |
| `--syntax-check` | perform a syntax check on the playbook, but do not execute it |
ansible-vault
Encryption/decryption utility for Ansible data files.
Ansible Vault lets you store sensitive information encrypted alongside your playbooks and use it normally as variables, provided you have the vault password.
Usage: ansible-vault [action] [options]...
create
This command creates a new ansible vault file.
Usage: ansible-vault create [--vault-password-file, --vault-pass-file] vault.yml
decrypt
decrypt the supplied file using the provided vault secret.
Usage: ansible-vault decrypt [--vault-password-file, --vault-pass-file] --output out.yml vault.yml
encrypt
encrypt the supplied file using the provided vault secret.
Usage: ansible-vault encrypt [--vault-password-file, --vault-pass-file] --output vault.yml in.yml
edit
open and decrypt an existing vaulted file in an editor; it is encrypted again when the editor is closed.
Usage: ansible-vault edit [--vault-password-file, --vault-pass-file] vault.yml
view
open, decrypt and view an existing vaulted file using a pager using the supplied vault secret.
Usage: ansible-vault view [--vault-password-file, --vault-pass-file] vault.yml
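As an added example (not part of this page and not Ansible's own code), the check below is the kind of pre-commit guard a practitioner runs over `group_vars/` and `host_vars/` to catch secrets that were never put through `ansible-vault encrypt` or `encrypt_string`. It relies on the real `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]` header that `ansible-vault` writes; the file paths, key names and hex payloads are constructed for the example.

```python
import re

# Header written by ansible-vault: versions 1.1 and 1.2 (1.2 carries a vault id label),
# followed by hex-encoded ciphertext lines.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([\w.-]+))?\r?\n")
# A YAML key that looks like a secret whose value is not an inline `!vault` string.
SECRET_KEY = re.compile(r"^\s*\w*(?:password|passwd|secret|token|api_key)\w*\s*:(?!\s*!vault)",
                        re.I | re.M)

def vault_header(text):
    """Return (version, cipher, vault_id) for a whole-file vault, or None if no valid header."""
    m = VAULT_HEADER.match(text)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def is_vaulted(text):
    """True when the whole file is vault-encrypted: a valid header followed by a hex-only body."""
    m = VAULT_HEADER.match(text)
    if not m:
        return False
    body = "".join(text[m.end():].split())
    return body != "" and len(body) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in body)

def find_unprotected(files):
    """Paths whose content has secret-looking keys but is neither a vault file nor inline-vaulted."""
    return sorted(path for path, text in files.items()
                  if not is_vaulted(text) and SECRET_KEY.search(text))

# Constructed sample tree: a whole-file vault, a plaintext secret, and an inline-vaulted value.
SAMPLE_FILES = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n696a6b6c6d6e6f70\n",
    "group_vars/dbservers/vars.yml": "db_user: app\ndb_password: hunter2\n",
    "group_vars/webservers/vars.yml": "api_token: !vault |\n  $ANSIBLE_VAULT;1.2;AES256;prod\n  61626364\n",
}
```

`find_unprotected(SAMPLE_FILES)` reports only `group_vars/dbservers/vars.yml`; the key-name heuristic is deliberately broad, so tune `SECRET_KEY` to your variable naming rather than relying on it alone.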
Playbooks
Playbooks are automation blueprints, in YAML format, that Ansible uses to deploy and configure nodes in an inventory. Variables are referenced with Jinja2 syntax, optionally passing them through filters, for example `{{ result.stdout | from_json }}`.
Example playbook:

```yaml
- name: GPU Passthrough
  hosts: pve
  become: true
  vars_prompt:
    - name: pcie_hw_ids
      prompt: "Enter PCIE Hardware IDs"
      private: false
  tasks:
    - name: Enable iommu (amd)
      ansible.builtin.lineinfile:
        dest: /etc/default/grub
        regexp: .*GRUB_CMDLINE_LINUX_DEFAULT.*
        line: |
          GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on iommu=pt pcie_acs_override=downstream,multifunction nofb nomodeset video=vesafb:off video=efifb:off"
      register: grub_cfg
    - name: Enable vfio modules
      ansible.builtin.blockinfile:
        dest: /etc/modules
        block: |
          vfio
          vfio_iommu_type1
          vfio_pci
          vfio_virqfd
    - name: Set vfio configuration
      ansible.builtin.copy:
        dest: /etc/modprobe.d/vfio.conf
        owner: root
        mode: "0644"
        content: |
          options vfio-pci ids={{ pcie_hw_ids }}
    - name: Blacklist drivers
      become: true
      ansible.builtin.copy:
        dest: /etc/modprobe.d/gpu-blacklist.conf
        content: |
          blacklist radeon
          blacklist nouveau
          blacklist nvidia
          blacklist amdgpu
          blacklist snd_hda_intel
    - name: Update grub
      ansible.builtin.shell:
        cmd: grub-mkconfig -o /boot/grub/grub.cfg
      when: grub_cfg.changed
```
Playbook fields
name
: A human-readable description for the play or task.

```yaml
- name: My Playbook
  hosts: all
  tasks:
    - name: My Task
      ...
```
hosts
: Specifies the target hosts or groups from the inventory on which the tasks should be executed.

```yaml
- name: My Playbook
  hosts: web_servers
  tasks:
    ...
```
gather_facts
: A boolean indicating whether Ansible should gather facts about the target hosts before executing tasks.

```yaml
- name: My Playbook
  hosts: all
  gather_facts: true
  tasks:
    ...
```
become
: Indicates that tasks should be executed with escalated privileges (sudo by default; see `--become-method`).

```yaml
- name: My Playbook
  hosts: all
  become: true
  tasks:
    ...
```
become_user
: Specify the user to become when using privilege escalation.

```yaml
- name: My Playbook
  hosts: all
  become: true
  become_user: someuser
  tasks:
    ...
```
vars
: Define variables that can be used in the playbook.

```yaml
- name: My Playbook
  hosts: all
  vars:
    my_variable: "value"
  tasks:
    ...
```
vars_files
: Include external variable files.

```yaml
- name: My Playbook
  hosts: all
  vars_files:
    - my_vars.yml
  tasks:
    ...
```
vars_prompt
: Prompt the user for input at the start of the play. Input is hidden unless `private: false` is set, as for the username below.

```yaml
- hosts: all
  vars_prompt:
    - name: username
      prompt: What is your username?
      private: false
    - name: password
      prompt: What is your password?
  tasks:
    - name: Print a message
      ansible.builtin.debug:
        msg: 'Logging in as {{ username }}'
```
include or import
: Include (dynamically) or import (statically) other task files into a play. Whole playbooks are imported at the top level with `import_playbook`; the bare `include` action is deprecated and has been removed from recent ansible-core releases.

```yaml
- name: My Playbook
  hosts: all
  tasks:
    - ansible.builtin.include_tasks: other_tasks.yml
```
include_vars
: Include external variable files dynamically.

```yaml
- name: Include external variables
  ansible.builtin.include_vars:
    file: external_vars.yml
```
tasks
: A list of tasks to be executed. Each task is defined as a dictionary.

```yaml
- name: My Playbook
  hosts: all
  tasks:
    - name: Task 1
      ...
    - name: Task 2
      ...
```
environment
: Set environment variables for a task (or, at play level, for every task in the play).

```yaml
- name: Run a command with a specific environment
  # shell rather than command: $MY_VARIABLE is expanded by the remote shell,
  # and the command module does not go through a shell
  ansible.builtin.shell: echo $MY_VARIABLE
  environment:
    MY_VARIABLE: "some_value"
```
when
: Specifies a condition for executing a task.

```yaml
tasks:
  - name: Shut down Debian flavored systems
    ansible.builtin.command: /sbin/shutdown -t now
    when: ansible_facts['os_family'] == "Debian"
```
register
: Save the result of a task into a variable for later use.

```yaml
- name: Execute a command and register the output
  ansible.builtin.command: echo "Hello, World!"
  register: command_output
- name: Display the registered output
  ansible.builtin.debug:
    var: command_output.stdout
```
loop
: Execute a module multiple times, once per item, with the current item available as `item`.

```yaml
- name: Add several users
  ansible.builtin.user:
    name: "{{ item }}"
    state: present
    groups: "wheel"
  loop:
    - testuser1
    - testuser2
```
See these pages for usage in your playbooks: