* [WIP] become plugins Move from hardcoded method to plugins for ease of use, expansion and overrides - load into connection as it is going to be the main consumer - play_context will also use to keep backwards compat API - ensure shell is used to construct commands when needed - migrate settings remove from base config in favor of plugin specific configs - cleanup ansible-doc - add become plugin docs - remove deprecated sudo/su code and keywords - adjust become options for cli - set plugin options from context - ensure config defs are avaialbe before instance - refactored getting the shell plugin, fixed tests - changed into regex as they were string matching, which does not work with random string generation - explicitly set flags for play context tests - moved plugin loading up front - now loads for basedir also - allow pyc/o for non m modules - fixes to tests and some plugins - migrate to play objects fro play_context - simiplify gathering - added utf8 headers - moved option setting - add fail msg to dzdo - use tuple for multiple options on fail/missing - fix relative plugin paths - shift from play context to play - all tasks already inherit this from play directly - remove obsolete 'set play' - correct environment handling - add wrap_exe option to pfexec - fix runas to noop - fixed setting play context - added password configs - removed required false - remove from doc building till they are ready future development: - deal with 'enable' and 'runas' which are not 'command wrappers' but 'state flags' and currently hardcoded in diff subsystems * cleanup remove callers to removed func removed --sudo cli doc refs remove runas become_exe ensure keyerorr on plugin also fix backwards compat, missing method is attributeerror, not ansible error get remote_user consistently ignore missing system_tmpdirs on plugin load correct config precedence add deprecation fix networking imports backwards compat for plugins using BECOME_METHODS * Port become_plugins to context.CLIARGS This is a work in progress: * Stop passing options around everywhere as we can use context.CLIARGS instead * Refactor make_become_commands as asked for by alikins * Typo in comment fix * Stop loading values from the cli in more than one place Both play and play_context were saving default values from the cli arguments directly. This changes things so that the default values are loaded into the play and then play_context takes them from there. * Rename BECOME_PLUGIN_PATH to DEFAULT_BECOME_PLUGIN_PATH As alikins said, all other plugin paths are named DEFAULT_plugintype_PLUGIN_PATH. If we're going to rename these, that should be done all at one time rather than piecemeal. * One to throw away This is a set of hacks to get setting FieldAttribute defaults to command line args to work. It's not fully done yet. After talking it over with sivel and jimi-c this should be done by fixing FieldAttributeBase and _get_parent_attribute() calls to do the right thing when there is a non-None default. What we want to be able to do ideally is something like this: class Base(FieldAttributeBase): _check_mode = FieldAttribute([..] default=lambda: context.CLIARGS['check']) class Play(Base): # lambda so that we have a chance to parse the command line args # before we get here. In the future we might be able to restructure # this so that the cli parsing code runs before these classes are # defined. class Task(Base): pass And still have a playbook like this function: --- - hosts: tasks: - command: whoami check_mode: True (The check_mode test that is added as a separate commit in this PR will let you test variations on this case). There's a few separate reasons that the code doesn't let us do this or a non-ugly workaround for this as written right now. The fix that jimi-c, sivel, and I talked about may let us do this or it may still require a workaround (but less ugly) (having one class that has the FieldAttributes with default values and one class that inherits from that but just overrides the FieldAttributes which now have defaults) * Revert "One to throw away" This reverts commit 23aa883cbed11429ef1be2a2d0ed18f83a3b8064. * Set FieldAttr defaults directly from CLIARGS * Remove dead code * Move timeout directly to PlayContext, it's never needed on Play * just for backwards compat, add a static version of BECOME_METHODS to constants * Make the become attr on the connection public, since it's used outside of the connection * Logic fix * Nuke connection testing if it supports specific become methods * Remove unused vars * Address rebase issues * Fix path encoding issue * Remove unused import * Various cleanups * Restore network_cli check in _low_level_execute_command * type improvements for cliargs_deferred_get and swap shallowcopy to default to False * minor cleanups * Allow the su plugin to work, since it doesn't define a prompt the same way * Fix up ksu become plugin * Only set prompt if build_become_command was called * Add helper to assist connection plugins in knowing they need to wait for a prompt * Fix tests and code expectations * Doc updates * Various additional minor cleanups * Make doas functional * Don't change connection signature, load become plugin from TaskExecutor * Remove unused imports * Add comment about setting the become plugin on the playcontext * Fix up tests for recent changes * Support 'Password:' natively for the doas plugin * Make default prompts raw * wording cleanups. ci_complete * Remove unrelated changes * Address spelling mistake * Restore removed test, and udpate to use new functionality * Add changelog fragment * Don't hard fail in set_attributes_from_cli on missing CLI keys * Remove unrelated change to loader * Remove internal deprecated FieldAttributes now * Emit deprecation warnings now
7.4 KiB
Getting Started
Topics
Foreword
Now that you've read the installation guide<installation_guide>
and
installed Ansible, it's time to get started with some ad-hoc
commands.
What we are showing first are not the powerful configuration/deployment/orchestration features of Ansible. These features are handled by playbooks which are covered in a separate section.
This section is about how to initially get Ansible running. Once you
understand these concepts, read intro_adhoc
for some more detail, and then you'll be
ready to begin learning about playbooks and explore the most interesting
parts!
Remote Connection Information
Before we get started, it's important to understand how Ansible communicates with remote machines over the SSH protocol.
By default, Ansible will try to use native OpenSSH for remote
communication when possible. This enables ControlPersist (a performance
feature), Kerberos, and options in ~/.ssh/config
such as
Jump Host setup. However, when using Enterprise Linux 6 operating
systems as the control machine (Red Hat Enterprise Linux and derivatives
such as CentOS), the version of OpenSSH may be too old to support
ControlPersist. On these operating systems, Ansible will fallback into
using a high-quality Python implementation of OpenSSH called 'paramiko'.
If you wish to use features like Kerberized SSH and more, consider using
Fedora, macOS, or Ubuntu as your control machine until a newer version
of OpenSSH is available for your platform.
Occasionally you'll encounter a device that doesn't support SFTP.
This is rare, but should it occur, you can switch to SCP mode in intro_configuration
.
When speaking with remote machines, Ansible by default assumes you
are using SSH keys. SSH keys are encouraged but password authentication
can also be used where needed by supplying the option
--ask-pass
. If using sudo features and when sudo requires a
password, also supply --ask-become-pass
(previously
--ask-sudo-pass
which has been deprecated).
While it may be common sense, it is worth sharing: Any management system benefits from being run near the machines being managed. If you are running Ansible in a cloud, consider running it from a machine inside that cloud. In most cases this will work better than on the open Internet.
As an advanced topic, Ansible doesn't just have to connect remotely over SSH. The transports are pluggable, and there are options for managing things locally, as well as managing chroot, lxc, and jail containers. A mode called 'ansible-pull' can also invert the system and have systems 'phone home' via scheduled git checkouts to pull configuration directives from a central repository.
Your first commands
Now that you've installed Ansible, it's time to get started with some basics.
Edit (or create) /etc/ansible/hosts
and put one or more
remote systems in it. Your public SSH key should be located in
authorized_keys
on those systems:
192.0.2.50
aserver.example.org
bserver.example.org
This is an inventory file, which is also explained in greater depth
here: intro_inventory
.
We'll assume you are using SSH keys for authentication. To set up SSH agent to avoid retyping passwords, you can do:
$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
(Depending on your setup, you may wish to use Ansible's
--private-key
option to specify a pem file instead)
Now ping all your nodes:
$ ansible all -m ping
Ansible will attempt to remote connect to the machines using your current user name, just like SSH would. To override the remote user name, just use the '-u' parameter.
If you would like to access sudo mode, there are also flags to do that:
# as bruce
$ ansible all -m ping -u bruce
# as bruce, sudoing to root (sudo is default method)
$ ansible all -m ping -u bruce --become
# as bruce, sudoing to batman
$ ansible all -m ping -u bruce --become --become-user batman
The sudo implementation (and other methods of changing the current user) can be modified in Ansible's configuration if you happen to want to use a sudo replacement. Flags passed to sudo (like -H) can also be set.
Now run a live command on all of your nodes:
$ ansible all -a "/bin/echo hello"
Congratulations! You've just contacted your nodes with Ansible. It's
soon going to be time to: read about some more real-world cases in intro_adhoc
, explore what you
can do with different modules, and to learn about the Ansible playbooks
language. Ansible
is not just about running commands, it also has powerful configuration
management and deployment features. There's more to explore, but you
already have a fully working infrastructure!
Tips
When running commands, you can specify the local server by using "localhost" or "127.0.0.1" for the server name.
Example:
$ ansible localhost -m ping -e 'ansible_python_interpreter="/usr/bin/env python"'
You can specify localhost explicitly by adding this to your inventory file:
localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python"
Host Key Checking
Ansible has host key checking enabled by default.
If a host is reinstalled and has a different key in 'known_hosts', this will result in an error message until corrected. If a host is not initially in 'known_hosts' this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.
If you understand the implications and wish to disable this behavior,
you can do so by editing /etc/ansible/ansible.cfg
or
~/.ansible.cfg
:
[defaults]
host_key_checking = False
Alternatively this can be set by the ANSIBLE_HOST_KEY_CHECKING
environment variable:
$ export ANSIBLE_HOST_KEY_CHECKING=False
Also note that host key checking in paramiko mode is reasonably slow, therefore switching to 'ssh' is also recommended when using this feature.
Ansible will log some information about module arguments on the remote system in the remote syslog, unless a task or play is marked with a "no_log: True" attribute. This is explained later.
To enable basic logging on the control machine see intro_configuration
document
and set the 'log_path' configuration file setting. Enterprise users may
also be interested in ansible_tower
. Tower provides a very robust database
logging feature where it is possible to drill down and see history based
on hosts, projects, and particular inventories over time -- explorable
both graphically and through a REST API.
intro_inventory
-
More information about inventory
intro_adhoc
-
Examples of basic commands
working_with_playbooks
-
Learning Ansible's configuration management language
- Mailing List
-
Questions? Help? Ideas? Stop by the list on Google Groups
- irc.freenode.net
-
#ansible IRC chat channel