Ansible Configuration File

Keywords: Linux ansible ssh sudo SELinux

Configuration File Details

Most of the configuration file consists of commented-out lines showing the default value of each item. The file follows the INI format and is divided into several sections, which are described below.
Before that, let's look at where the configuration file is stored and how to get the template from the official site.

Location of the configuration file

Ansible has only one configuration file, ansible.cfg. It can exist in several locations; the first valid one found is used, searching in the following order:

  • ANSIBLE_CONFIG (Environment Variable Specified)
  • ansible.cfg (current command execution directory)
  • ~/.ansible.cfg (under user home directory)
  • /etc/ansible/ansible.cfg

Only the first configuration file found takes effect. Environment variables have higher priority than the configuration file and can be set individually; the environment variable corresponding to each configuration item is listed in the official documentation:
https://docs.ansible.com/ansible/latest/reference_appendices/config.html#common-options

Settings can also be given as command-line parameters, which take priority over the configuration above. Settings specified in a playbook have higher priority still and are not overridden by command-line parameters.

Getting the configuration file template

When Ansible is installed, a configuration file is generated by default in the /etc/ansible/ directory. If it is installed via pip or from source, however, the file is absent and must be created manually; the template can be downloaded from the official GitHub repository:

$ mkdir /etc/ansible
$ cd /etc/ansible
$ wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg

[defaults]

General, connection-related configuration:

[defaults]

# some basic default values...

#inventory      = /etc/ansible/hosts  # Inventory file defining the host list
#library        = /usr/share/my_modules/  # Directory for custom modules
#module_utils   = /usr/share/my_module_utils/
#remote_tmp     = ~/.ansible/tmp  # Directory for temporary files on the remote host
#local_tmp      = ~/.ansible/tmp  # Directory for temporary files locally
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks          = 5  # Default number of parallel processes
#poll_interval  = 15  # Default polling interval
#sudo_user      = root  # Default sudo user
#ask_sudo_pass = True  # Whether to prompt for the sudo password
#ask_pass      = True  # Whether to prompt for the SSH password
#transport      = smart
#remote_port    = 22
#module_lang    = C
#module_set_locale = False

# additional paths to search for roles in, colon separated
#roles_path    = /etc/ansible/roles  # Default directory for roles

# uncomment this to disable SSH key host checking
#host_key_checking = False  # Whether to check the host key on first connection; it is recommended to uncomment this and set it to False

# SSH timeout
#timeout = 10  # Default timeout

# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log  # Path of the execution log

# default module name for /usr/bin/ansible
#module_name = command  # Default module for ad-hoc execution

# set plugin path directories here, separate with colons
#action_plugins     = /usr/share/ansible/plugins/action  # Directories for the various plugin types
#become_plugins     = /usr/share/ansible/plugins/become
#cache_plugins      = /usr/share/ansible/plugins/cache
#callback_plugins   = /usr/share/ansible/plugins/callback
#connection_plugins = /usr/share/ansible/plugins/connection
#lookup_plugins     = /usr/share/ansible/plugins/lookup
#inventory_plugins  = /usr/share/ansible/plugins/inventory
#vars_plugins       = /usr/share/ansible/plugins/vars
#filter_plugins     = /usr/share/ansible/plugins/filter
#test_plugins       = /usr/share/ansible/plugins/test
#terminal_plugins   = /usr/share/ansible/plugins/terminal
#strategy_plugins   = /usr/share/ansible/plugins/strategy

# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored.  This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
#fact_caching = memory  # Storage backend for the gathered-facts cache

# retry files
# When a playbook fails a .retry file can be created that will be placed in ~/
# You can enable this feature by setting retry_files_enabled to True
# and you can change the location of the files by setting retry_files_save_path

#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry  # Directory for retry files written on failure

Most of these settings are left at their defaults. Only host_key_checking = False needs to be uncommented.
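As an added example (not code from the original post or from Ansible itself), the Python below resolves which ansible.cfg is active using the lookup order given under "Location of the configuration file" and then audits the [defaults] section of the file it finds. It flags host_key_checking = False, which is exactly what the advice above asks for: with checking off, the SSH host key of a managed node is never verified, so whatever answers at that address is trusted without proof of identity. It also flags a missing log_path, which leaves no local record of what a run did. The function names, the sample configuration and the temporary-directory layout are constructed for this example.

```python
# Added example (not Ansible's own code): locate the active ansible.cfg the way Ansible does and
# flag [defaults] settings that weaken SSH verification or auditing. Helper names and the sample
# config are constructed.
import configparser
import tempfile
from pathlib import Path

FALSEY = {"false", "no", "0", "off"}

def candidate_config_paths(environ, cwd, home):
    """The four locations, in the order Ansible checks them."""
    paths = []
    if environ.get("ANSIBLE_CONFIG"):
        paths.append(Path(environ["ANSIBLE_CONFIG"]))
    paths.append(Path(cwd) / "ansible.cfg")
    paths.append(Path(home) / ".ansible.cfg")
    paths.append(Path("/etc/ansible/ansible.cfg"))
    return paths

def resolve_config_path(environ, cwd, home):
    """First existing candidate wins; None means Ansible runs on its built-in defaults."""
    for path in candidate_config_paths(environ, cwd, home):
        if path.is_file():
            return path
    return None

def audit_config(text):
    """Return (section, key, why) tuples for settings worth a second look before rollout."""
    parser = configparser.ConfigParser(inline_comment_prefixes=("#", ";"), interpolation=None)
    parser.read_string(text)
    defaults = parser["defaults"] if parser.has_section("defaults") else {}
    findings = []
    if defaults.get("host_key_checking", "True").strip().lower() in FALSEY:
        findings.append(("defaults", "host_key_checking",
                         "host key verification is off: whatever answers at a managed node's address is trusted unseen"))
    if not defaults.get("log_path", "").strip():
        findings.append(("defaults", "log_path",
                         "no log_path: runs leave no local record of which modules ran against which hosts"))
    return findings

# Constructed sample: host key checking disabled, as the text suggests, and no log file.
SAMPLE_CFG = """[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False  # inline comment, stripped by the parser
forks = 5

[privilege_escalation]
become = True
"""

def demo_resolution():
    """Fake cwd and home under a temp dir: ./ansible.cfg wins over ~/.ansible.cfg and is then audited."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd, home = Path(tmp) / "project", Path(tmp) / "home"
        cwd.mkdir()
        home.mkdir()
        (cwd / "ansible.cfg").write_text(SAMPLE_CFG)
        (home / ".ansible.cfg").write_text("[defaults]\nlog_path = /var/log/ansible.log\n")
        chosen = resolve_config_path({}, cwd, home)
        return chosen.relative_to(tmp).as_posix(), audit_config(chosen.read_text())

if __name__ == "__main__":
    chosen, findings = demo_resolution()
    print("active config:", chosen)
    for section, key, why in findings:
        print(f"[{section}] {key}: {why}")
```

Run it as a script to see which file wins and what is flagged; point resolve_config_path at os.environ, os.getcwd() and Path.home() to check a real control node. The ~/.ansible.cfg in the demo sets log_path, but it never takes effect because the copy in the working directory is found first, which is the practical consequence of the lookup order above.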

[privilege_escalation]

For security reasons you sometimes don't want to deploy applications directly as root; instead a normal user is granted sudo privileges. These settings mainly concern that sudo user:

[privilege_escalation]
#become=True  # Whether to escalate privileges (sudo)
#become_method=sudo  # Escalation method
#become_user=root  # User to become after escalation
#become_ask_pass=False  # Whether to prompt for the sudo password

[paramiko_connection]

This section is rarely used; its items are as follows:

[paramiko_connection]

# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered.  Increases performance on new host additions.  Setting works independently of the
# host key checking setting above.
#record_host_keys=False  # Do not record new host keys, for performance

# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False  # Disable the pseudo-terminal request for sudo commands

[ssh_connection]

Ansible connects to hosts over SSH by default; the settings below concern SSH connections:

# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = False  # Pipelining acceleration; requiretty must be disabled in sudoers for it to take effect

There aren't many items in this section, and most are left at their defaults.

[accelerate]

Settings related to Ansible's accelerated connection mode:

[accelerate]
#accelerate_port = 5099  # Accelerated Connection Port
#accelerate_timeout = 30  # Command execution timeout in seconds
#accelerate_connect_timeout = 5.0  # Connection timeout in seconds

# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30  # Minutes since the last activity before the daemon exits

# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes

The items here concern Ansible connection speed and are mostly left at their defaults.

[selinux]

The selinux section is seldom needed and is left at its default:

# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes

[colors]

Settings for output colors. The original configuration is fine and rarely needs modification; keep the defaults:

[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan

Inventory configuration details

The Inventory is the configuration file listing the hosts Ansible manages. Its default location is /etc/ansible/hosts, which is defined at the beginning of the ansible.cfg configuration file.
The -i parameter can also be used on the ansible command line to specify the Inventory file to use.
Note: comments are written with #.

Define hosts and groups

A group name is written in square brackets. A host can be given as an IP address or a hostname, and the same host may appear several times, so it can belong to multiple groups.
If a host uses a non-default SSH port, the port number can be given after a colon following the host name.
Configuration example:

# Configuration example

# Can use IP address
192.168.1.1

# Hostname can also be used
www.ansible.com
docs.ansible.com:2222

# Square brackets start a group. Blank lines between hosts do not affect grouping
[webservers]
web1.ansible.com

# [10:20] expands to a continuous numeric range, including both 10 and 20
web[10:20].ansible.com

[dbservers]
db-a.ansible.com
# Continuous letter ranges can also be written with square brackets
db-[b:f].ansible.com

Custom variable

Non-standard configuration requirements can be met by setting variables in the Inventory, which allows per-host customization.
Ansible supports many ways to modify or customize variables, and Inventory is one of them.

Define host variables

Host variables can be defined on the same line as the host:

[webservers]
web1.ansible.com http_port=8000  # Custom variable http_port set to 8000

Define group variables

Group variables can also be defined, to modify or customize settings for a whole set of hosts:

[groupservers]
web1.ansible.com
web2.ansible.com

[groupservers:vars]
http_port=8000

Default groups

Ansible also defines two default groups:

  • all: contains all hosts
  • ungrouped: contains all hosts that belong to no group

Nesting of groups

Groups in the Inventory can also contain other groups, i.e. groups can be nested. To nest, append :children to the parent group's name to indicate that its members are group names rather than host names:

[apache]
httpd1.ansible.com
httpd2.ansible.com

[nginx]
ngx1.ansible.com
ngx2.ansible.com

[webservers:children]
apache
nginx

[webservers:vars]
ntp_server=ntp1.aliyun.com

Group variables can also be set for nested groups, just like normal group variables.

Multiple variable definitions

Besides variables defined in the Inventory, variables can also be defined in separate files, independent of the Inventory file.
The ways to set variables are listed below in order of precedence, from lowest to highest:

  1. command line values (eg "-u user")
  2. role defaults
  3. inventory file or script group vars
  4. inventory group_vars/all
  5. playbook group_vars/all
  6. inventory group_vars/*
  7. playbook group_vars/*
  8. inventory file or script host vars
  9. inventory host_vars/*
  10. playbook host_vars/*
  11. host facts / cached set_facts
  12. play vars
  13. play vars_prompt
  14. play vars_files
  15. role vars (defined in role/vars/main.yml)
  16. block vars (only for tasks in block)
  17. task vars (only for the task)
  18. include_vars
  19. set_facts / registered vars
  20. role (and include_role) params
  21. include params
  22. extra vars (always win precedence)

https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#ansible-variable-precedence

Four of them are commonly used:

  • The Inventory file
  • vars sections in playbooks
  • Files in the vars directory of a role (roles/X/vars/main.yml)
  • Files in the group_vars and host_vars directories

If variable files are defined separately, for example for a host foosball that belongs to both the raleigh and webservers groups, the variable definitions in the following three files, named after the host and its groups, apply:

  • /etc/ansible/group_vars/raleigh
  • /etc/ansible/group_vars/webservers
  • /etc/ansible/host_vars/foosball

Parameters for SSH connections

When a remote host is given in the Inventory for an SSH-based connection, Ansible also has built-in parameters that specify how it connects. The more common ones are:

  • ansible_ssh_host: the host to connect to
  • ansible_ssh_port: the SSH port, default 22
  • ansible_ssh_user: the SSH user
  • ansible_ssh_pass: the SSH password
  • ansible_ssh_private_key_file: the private key file

Connections use connection plugins, each of which has its own variables such as those above. The following generic connection variables are also recognized by the plugins and have the same effect.

Three variables are used for any connection:

  • ansible_host
  • ansible_port
  • ansible_user

These three are generic and are overridden by the plugin-specific ones above.

The variables the SSH plugin supports, how they are set and their corresponding names, including defaults, environment variables and all variable aliases, are listed in the official documentation:
https://docs.ansible.com/ansible/latest/plugins/connection/ssh.html#ssh-connection

All connection plugins are listed here:
https://docs.ansible.com/ansible/latest/plugins/connection.html?highlight=ansible_ssh_host

Posted by Christoph09 on Fri, 23 Aug 2019 13:11:34 -0700