manintheit.org

Ansible Sample Scripts

Hello Folks! In this post I will share some playbooks with you. I wrote them earlier for various purposes. You can change and tweak them :).

1- Apache2 Virtual Host deployment

It deploys a new Virtual Host configuration, enables it and checks the syntax. If everything is all right, it restarts apache2; otherwise it rolls back.

#apache2-vhost.yml
---
  - hosts: lubuntu
    tasks:
      - name: copy vhost-lapiba.conf
        template: src=/home/ansible/ansible/templates/lapiba-vhost.conf dest=/etc/apache2/sites-available/lapiba-vhost.conf
        notify:
         - restart apache2
      - name: enable lapiba-vhost
        shell: /usr/sbin/a2ensite lapiba-vhost.conf
      - name: check lapiba-vhost configuration
        register: result
        shell: /usr/sbin/apache2ctl configtest
        ignore_errors: True
      - name: Disable-lapiba-vhost when error occurs
        shell: /usr/sbin/a2dissite lapiba-vhost.conf
        when: result is failed
      - name: remove lapiba-vhost
        file: dest=/etc/apache2/sites-available/lapiba-vhost.conf state=absent
        when: result is failed
      - name: Creates directory
        file: path=/var/www/lapiba state=directory
        when: result is succeeded
      - name: put html files.
        template: src=/home/ansible/ansible/templates/index.html dest=/var/www/lapiba
        when: result is succeeded
    handlers:
     - name: restart apache2
       service: name=apache2 state=restarted
       when: result is succeeded

Apache Virtual Host Configuration 

Minimalist Virtual Host configuration for testing purpose.

<VirtualHost *:80>
DocumentRoot "/var/www/lapiba"
ServerName lapiba
# Other directives here
</VirtualHost>

Sample index.html for lapiba

<h1> Hello from LAPIBA</h1>
<h2>Ansible is everywhere</h2>
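
The same deploy, test and roll back flow for the lapiba vhost, expressed with block/rescue and idempotent module arguments. This is an added example, not part of the original post; it assumes Ansible 2.10 or later (for the ansible.builtin names) and privilege escalation via become, and the vhost variable is introduced here for illustration.

```yaml
---
# Added example: same host group, template paths and vhost name as the playbook above.
- hosts: lubuntu
  become: true                       # assumption: root is needed on the target
  vars:
    vhost: lapiba-vhost.conf         # hypothetical variable, used to avoid repetition
  tasks:
    - name: Deploy, enable and test the vhost as one unit
      block:
        - name: Copy vhost configuration
          ansible.builtin.template:
            src: /home/ansible/ansible/templates/lapiba-vhost.conf
            dest: "/etc/apache2/sites-available/{{ vhost }}"
            mode: "0644"
          notify: restart apache2
        - name: Enable the vhost unless the symlink already exists
          ansible.builtin.command:
            cmd: "/usr/sbin/a2ensite {{ vhost }}"
            creates: "/etc/apache2/sites-enabled/{{ vhost }}"
        - name: Syntax check, a non-zero exit code jumps to rescue
          ansible.builtin.command: /usr/sbin/apache2ctl configtest
          changed_when: false
        - name: Create document root
          ansible.builtin.file:
            path: /var/www/lapiba
            state: directory
            mode: "0755"
        - name: Put html files
          ansible.builtin.template:
            src: /home/ansible/ansible/templates/index.html
            dest: /var/www/lapiba/index.html
            mode: "0644"
      rescue:
        - name: Disable the vhost again
          ansible.builtin.command:
            cmd: "/usr/sbin/a2dissite {{ vhost }}"
            removes: "/etc/apache2/sites-enabled/{{ vhost }}"
        - name: Remove the rejected vhost file
          ansible.builtin.file:
            path: "/etc/apache2/sites-available/{{ vhost }}"
            state: absent
        - name: Keep the host failed so the notified handler is skipped
          ansible.builtin.fail:
            msg: "configtest rejected {{ vhost }}, the change was rolled back"
  handlers:
    - name: restart apache2
      ansible.builtin.service:
        name: apache2
        state: restarted
```

Because the rescue section ends with fail, the host stays failed and the pending handler does not run, so apache2 is only restarted after a configuration that passed configtest.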

Sample Conditional Script

It pings google.com if it cannot ping 10.10.10.1 in three tries.

---
  - hosts: rhce
    tasks:
      - name: Echo
        shell: ping -c3 10.10.10.1
        register: result
        ignore_errors: True
      - name: Ping google.com
        shell: ping -c3 google.com
        when: result is failed
        # result is failed or result is succeeded

Ansible Copy playbook

It copies the file /tmp/copy.me from localhost to /tmp/hello.me on the remote host.

---
- hosts: rhce
  tasks:
    - name: Copying copy.me file to /tmp/hello.me
      copy: src=/tmp/copy.me dest=/tmp/hello.me

Install httpd on CentOS 7

It installs the latest version of httpd, allows connections (temporarily) to port 80 and starts the httpd process on the remote machine.

---
  - hosts: rhce
    tasks:
      - name: Install httpd
        yum: name=httpd state=latest
      - name: Copy index.html file to /var/www/html
        copy: src=/home/ansible/ansible/index.html dest=/var/www/html mode=0644 owner=root
        notify: restart httpd
      - name: open port 80
        shell: firewall-cmd --add-service=http
    handlers:
      - name: restart httpd
        service: name=httpd state=restarted

Replace the line

It replaces the line GSSAPIAuthentication yes with #GSSAPIAuthentication no on the remote host.

---
- hosts: rhce
  tasks:
    - replace:
        dest: /etc/ssh/gokay.me
        regexp: "GSSAPIAuthentication yes"
        replace: '#GSSAPIAuthentication no'

Notify and Handlers

… handlers are only fired when certain tasks report changes, and are run at the end of each play:
---
- hosts: lubuntu
  tasks:
  - name: "copy msg.html"
    template: src=/home/ansible/ansible/templates/template.html dest=/var/www/html/msg.html
    notify:
      - restart apache2
  # handlers belongs to the play, at the same level as tasks
  handlers:
    - name: restart apache2
      service: name=apache2 state=restarted

Remove a file

It removes a file on the remote machine.

---
  - hosts: all
    tasks:
      - name: Removing hello.me
        file: dest=/tmp/hello.me state=absent

Catching an Error with Ansible

Something you consider an error may not be an error for Ansible, so it is a good idea to catch such errors manually. This task fails when no package is found (dadhaproxy in this case).

---
  - hosts: rhce
    tasks:
      - name: search for package
        shell: yum search dadhaproxy
        register: result
        failed_when: "'No matches' in result.stdout"

Replace the line (granular way)

This is a more granular way of replacing lines. Let's assume that you have different flavours of Linux, each with a configuration different from the other distributions, and you need OS-specific settings. Then this playbook is for you. 🙂

---
#for ubuntu run it like below without ssh keys.
#ansible-playbook -l ubuntu  -i hosts playbooks/ssh_modify.yml -K -s
  - hosts: all
    tasks:
      - set_fact:
         sshd_ciphers: 'Pseudo Ciphers no ciphers'
         sshd_macs: 'CentOS MACs Pseudo'
        when: ansible_distribution=="CentOS"
      - set_fact:
         sshd_ciphers: 'Ciphers for ubuntu'
         sshd_macs: 'Ubuntu Macs Pseudo'
        when: ansible_distribution=="Ubuntu"
      - name: Update ciphers
        lineinfile:
          dest: /etc/ssh/sshd_template
          state: present
          regexp: '^Ciphers '
          # hostvars is keyed by inventory name, so index it with inventory_hostname
          line: 'Ciphers {{ hostvars[inventory_hostname]["sshd_ciphers"]}}'
        tags:
          - cip
      - name: Update MACs
        lineinfile:
          dest: /etc/ssh/sshd_template
          state: present
          regexp: '^MACs '
          line: 'MACs {{ hostvars[inventory_hostname]["sshd_macs"]}}'
        tags:
          - mac

Debugging

Sometimes debugging is a good way to troubleshoot an issue. The debug task below saved me time. 🙂

---
  - hosts: lubuntu
    tasks:
      - name: check lapiba-vhost configuration
        shell: /usr/sbin/apache2ctl configtest
        register: result
        ignore_errors: True
      - debug:
          msg: Message "{{ result }}"
      - name: ping
        ping:
        when: result is failed

Validation with Ansible

It is a good idea to validate the configuration before restarting the service; otherwise you can lock yourself out.

---
  - hosts: rhce
    tasks:
    - template:
        src: /home/ansible/ansible/templates/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0600'
        validate: /usr/sbin/sshd -t -f %s
        backup: yes
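
The "Replace the line" and "Validation" ideas combined against the real sshd_config, as an added example that is not from the original post. It goes a step further by setting the directive explicitly and confirming the effective value with sshd -T; the regular expression, the use of become and the sshd service name are assumptions.

```yaml
---
# Added example: edit one sshd directive, validate the candidate file,
# verify the effective setting, and only then restart the service.
- hosts: rhce
  become: true                       # assumption: root is needed to edit and test sshd
  tasks:
    - name: Set GSSAPIAuthentication to no, whether the line was commented or not
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*GSSAPIAuthentication\s'
        line: GSSAPIAuthentication no
        # The candidate file is syntax-checked before it replaces the live one
        validate: /usr/sbin/sshd -t -f %s
        backup: true
      notify: restart sshd

    # lineinfile only rewrites the last matching line, and sshd keeps the first
    # value it reads, so check what the daemon would actually use.
    - name: Confirm the effective setting (sshd -T prints keywords in lower case)
      ansible.builtin.command: /usr/sbin/sshd -T
      register: effective
      changed_when: false
      failed_when: "'gssapiauthentication no' not in effective.stdout"

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd                   # assumption: the unit is called sshd on the target
        state: restarted
```

If the verification task fails, the host is marked failed and the handler is skipped, so the running sshd keeps its previous configuration while the backup file remains next to sshd_config.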

Check for Specific Update (YUM)

You can check for a specific RHEL advisory package and update it.

---
- hosts: all
  tasks:
  - name: "INFO Checking curl security vulnerability"
    shell: yum list-security --advisory RHSA-2017:0847
    register: result
    changed_when: "'RHSA-2017:0847' in result.stdout"
    tags:
      - check
  - name: "UPDATE curl security vulnerability"
    shell: yum update -y --advisory RHSA-2017:0847
    tags:
      - update

