-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Network Getting started docs #36337
Network Getting started docs #36337
Changes from all commits
6be9422
42ecc80
3b04bfb
1b4740e
c7ed408
a1877a6
616f4e3
60f4895
e2e8647
42e19a6
56a6653
d985e5e
b7e346f
8e1ff51
f64e168
acd5fc9
23339a6
a1b0aad
62cde11
6939fd8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
*************************************** | ||
Basic Concepts | ||
*************************************** | ||
|
||
These concepts are common to all uses of Ansible, including network automation. You need to understand them to use Ansible for network automation. This basic introduction provides the background you need to follow the examples in this guide. | ||
|
||
.. contents:: Topics | ||
|
||
Control Node | ||
================================================================================ | ||
|
||
Any machine with Ansible installed. You can run commands and playbooks, invoking ``/usr/bin/ansible`` or ``/usr/bin/ansible-playbook``, from any control node. You can use any computer that has Python installed on it as a control node - laptops, shared desktops, and servers can all run Ansible. However, you cannot use a Windows machine as a control node. You can have multiple control nodes. | ||
|
||
Managed Nodes | ||
================================================================================ | ||
|
||
The network devices (and/or servers) you manage with Ansible. Managed nodes are also sometimes called "hosts". Ansible is not installed on managed nodes. | ||
|
||
Inventory | ||
================================================================================ | ||
|
||
A list of managed nodes. An inventory file is also sometimes called a "hostfile". Your inventory can specify information like IP address for each managed node. An inventory can also organize managed nodes, creating and nesting groups for easier scaling. To learn more about inventory, see :doc:`the Working with Inventory<../../user_guide/intro_inventory>` pages. | ||
|
||
Modules | ||
================================================================================ | ||
|
||
The units of code Ansible executes. Each module has a particular use, from administering users on a specific type of database to managing VLAN interfaces on a specific type of network device. You can invoke a single module with a task, or invoke several different modules in a playbook. For an idea of how many modules Ansible includes, take a look at the :doc:`list of all modules<../../modules/modules_by_category>` or the :doc:`list of network modules<../../modules/list_of_network_modules>`. | ||
|
||
Tasks | ||
================================================================================ | ||
|
||
The units of action in Ansible. You can execute a single task once with an ad-hoc command. | ||
|
||
Playbooks | ||
================================================================================ | ||
|
||
Ordered lists of tasks, saved so you can run those tasks in that order repeatedly. Playbooks can include variables as well as tasks. Playbooks are written in YAML and are easy to read, write, share and understand. To learn more about playbooks, see :doc:`../../user_guide/playbooks_intro`. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,253 @@ | ||
*********************************************** | ||
Build Your Inventory | ||
*********************************************** | ||
|
||
A fully-featured inventory file can serve as the source of truth for your network. Using an inventory file, a single playbook can maintain hundreds of network devices with a single command. This page shows you how to build an inventory file, step by step. | ||
|
||
.. contents:: Topics | ||
|
||
Basic Inventory | ||
================================================== | ||
|
||
First, group your inventory logically. Best practice is to group servers and network devices by their What (application, stack or microservice), Where (datacenter or region), and When (development stage): | ||
|
||
- **What**: db, web, leaf, spine | ||
- **Where**: east, west, floor_19, building_A | ||
- **When**: dev, test, staging, prod | ||
|
||
Avoid spaces, hyphens, and preceding numbers (use ``floor_19``, not ``19th_floor``) in your group names. Group names are case sensitive. | ||
|
||
This tiny example data center illustrates a basic group structure. You can group groups using the syntax ``metagroupname:children`` and listing groups as members of the metagroup. Here, the group ``network`` includes all leafs and all spines; the group ``datacenter`` includes all network devices plus all webservers. | ||
|
||
.. code-block:: yaml | ||
|
||
[leafs] | ||
leaf01 | ||
leaf02 | ||
|
||
[spines] | ||
spine01 | ||
spine02 | ||
|
||
[network:children] | ||
leafs | ||
spines | ||
|
||
[webservers] | ||
webserver01 | ||
webserver02 | ||
|
||
[datacenter:children] | ||
network | ||
webservers | ||
|
||
|
||
Add Variables to Inventory | ||
================================================================================ | ||
|
||
Next, you can set values for many of the variables you needed in your first Ansible command in the inventory, so you can skip them in the ansible-playbook command. In this example, the inventory includes each network device's IP, OS, and SSH user. If your network devices are only accessible by IP, you must add the IP to the inventory file. If you access your network devices using hostnames, the IP is not necessary. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Again I would link to the existing variables documentation and just describe networking specific details here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The current variables docs are thorough and good, but not task-oriented. The Getting Started Guide aims to walk the user through tasks rather than document all the options. I'm not sure this page has the right balance yet, but I think it should be more than just "if you're using Ansible for Networking, you have these options in addition to the things documented in the main docs." Does that make sense? |
||
|
||
.. code-block:: yaml | ||
|
||
[leafs] | ||
leaf01 ansible_host=10.16.10.11 ansible_network_os=vyos ansible_user=my_vyos_user | ||
leaf02 ansible_host=10.16.10.12 ansible_network_os=vyos ansible_user=my_vyos_user | ||
|
||
[spines] | ||
spine01 ansible_host=10.16.10.13 ansible_network_os=vyos ansible_user=my_vyos_user | ||
spine02 ansible_host=10.16.10.14 ansible_network_os=vyos ansible_user=my_vyos_user | ||
|
||
[network:children] | ||
leafs | ||
spines | ||
|
||
[servers] | ||
server01 ansible_host=10.16.10.15 ansible_user=my_server_user | ||
server02 ansible_host=10.16.10.16 ansible_user=my_server_user | ||
|
||
[datacenter:children] | ||
leafs | ||
spines | ||
servers | ||
|
||
Group Variables within Inventory | ||
================================================================================ | ||
|
||
When devices in a group share the same variable values, such as OS or SSH user, you can reduce duplication and simplify maintenance by consolidating these into group variables: | ||
|
||
.. code-block:: yaml | ||
|
||
[leafs] | ||
leaf01 ansible_host=10.16.10.11 | ||
leaf02 ansible_host=10.16.10.12 | ||
|
||
[leafs:vars] | ||
ansible_network_os=vyos | ||
ansible_user=my_vyos_user | ||
|
||
[spines] | ||
spine01 ansible_host=10.16.10.13 | ||
spine02 ansible_host=10.16.10.14 | ||
|
||
[spines:vars] | ||
ansible_network_os=vyos | ||
ansible_user=my_vyos_user | ||
|
||
[network:children] | ||
leafs | ||
spines | ||
|
||
[servers] | ||
server01 ansible_host=10.16.10.15 | ||
server02 ansible_host=10.16.10.16 | ||
|
||
[datacenter:children] | ||
leafs | ||
spines | ||
servers | ||
|
||
Variable Syntax | ||
================================================================================ | ||
|
||
The syntax for variable values is different in inventory, in playbooks and in ``group_vars`` files, which are covered below. Even though playbook and ``group_vars`` files are both written in YAML, you use variables differently in each. | ||
|
||
- In an inventory file you **must** use the syntax ``key=value`` for variable values: ``ansible_network_os=vyos``. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about the YAML syntax for inventory? Is there any reason you'd only mention the INI style? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The Getting Started guide shouldn't document every option. It's meant to show a common path and common patterns, point out common pitfalls, and guide a new user from ignorance to beginning proficiency. That said, I could show examples of both inventory syntaxes. Do we recommend one over the other? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think keeping the INI style example here is fine, as you said, it's ok for beginners. |
||
- In any file with the ``.yml`` or ``.yaml`` extension, including playbooks and ``group_vars`` files, you **must** use YAML syntax: ``key: value`` | ||
|
||
- In ``group_vars`` files, use the full ``key`` name: ``ansible_network_os: vyos``. | ||
- In playbooks, use the short-form ``key`` name, which drops the ``ansible`` prefix: ``network_os: vyos`` | ||
|
||
|
||
Move Group Variables to ``group_vars`` Files | ||
================================================================================ | ||
|
||
As your inventory grows, you may want to group devices by platform and move shared variables out of the main inventory file into a set of group variable files. This reduces duplication further and sets the stage for managing devices on multiple platforms in a single inventory file. The directory tree for this setup looks like this: | ||
|
||
.. code-block:: console | ||
|
||
. | ||
├── first_playbook.yml | ||
├── inventory | ||
├── group_vars | ||
└── vyos.yml | ||
|
||
The group name must match the file name in your ``group_vars`` directory. In this example, Ansible will load the file ``group_vars/vyos.yml`` when it finds the group ``[vyos]`` in the inventory. So this inventory: | ||
|
||
.. code-block:: yaml | ||
|
||
[vyos_leafs] | ||
leaf01 ansible_host=10.16.10.11 | ||
leaf02 ansible_host=10.16.10.12 | ||
|
||
[vyos_spines] | ||
spine01 ansible_host=10.16.10.13 | ||
spine02 ansible_host=10.16.10.14 | ||
|
||
[vyos:children] | ||
vyos_leafs | ||
vyos_spines | ||
|
||
[network:children] | ||
vyos | ||
|
||
[servers] | ||
server01 ansible_host=10.16.10.15 | ||
server02 ansible_host=10.16.10.16 | ||
|
||
[datacenter:children] | ||
vyos | ||
servers | ||
|
||
works with this ``group_vars/vyos.yml`` content: | ||
|
||
.. code-block:: yaml | ||
|
||
ansible_connection: network_cli | ||
ansible_network_os: vyos | ||
ansible_user: my_vyos_user | ||
|
||
|
||
With this setup, you can run first_playbook.yml with only two flags: | ||
|
||
.. code-block:: bash | ||
|
||
ansible-playbook -i inventory -k first_playbook.yml | ||
|
||
With the ``-k`` flag, you provide the SSH password(s) at the prompt. Alternatively, you can store SSH and other secrets and passwords securely in your group_vars files with ``ansible-vault``. | ||
|
||
|
||
Protecting Sensitive Variables with ``ansible-vault`` | ||
================================================================================ | ||
|
||
The ``ansible-vault`` command provides encryption for files and/or individual variables like passwords. This tutorial uses SSH passwords for an example. You can use the commands below to encrypt other sensitive information, such as database passwords, privilege-escalation passwords and more. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd suggest to link to the existing vault documentation and limit the content here to the networking specific details. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The vault docs are thorough and great for an experienced user who wants to find the right command for the thing they know they need to do, but might be overwhelming for a complete newbie. |
||
|
||
First you must create a password for ansible-vault itself. Then you can encrypt dozens of different passwords across your Ansible project. You can access all those secrets with a single password (the ansible-vault password) when you run your playbooks. Here's a simple example. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. the term 'secrets' may need some explanation |
||
|
||
Create a file and write your password for ansible-vault to it: | ||
|
||
.. code-block:: bash | ||
|
||
echo "my-ansible-vault-pw" > ~/my-ansible-vault-pw-file | ||
|
||
Encrypt the ssh password for your VyOS network devices, pulling your ansible-vault password from the file you just created: | ||
|
||
.. code-block:: bash | ||
|
||
ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_ssh_pass' | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. perhaps use vyos_user instead of my_user for clarity? |
||
|
||
If you prefer to type your vault password rather than store it in a file, you can request a prompt: | ||
|
||
.. code-block:: bash | ||
|
||
ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_ssh_pass' | ||
|
||
and type in the vault password for ``my_user``. | ||
|
||
The :option:`--vault-id <ansible-playbook --vault-id>` flag allows different vault passwords for different users or different levels of access. The output includes the user name ``my_user`` from your ``ansible-vault`` command and uses the YAML syntax ``key: value``: | ||
|
||
.. code-block:: bash | ||
|
||
ansible_ssh_pass: !vault | | ||
$ANSIBLE_VAULT;1.2;AES256;my_user | ||
66386134653765386232383236303063623663343437643766386435663632343266393064373933 | ||
3661666132363339303639353538316662616638356631650a316338316663666439383138353032 | ||
63393934343937373637306162366265383461316334383132626462656463363630613832313562 | ||
3837646266663835640a313164343535316666653031353763613037656362613535633538386539 | ||
65656439626166666363323435613131643066353762333232326232323565376635 | ||
Encryption successful | ||
|
||
Copy this output into your ``group_vars/vyos.yml`` file, which now looks like this: | ||
|
||
.. code-block:: yaml | ||
|
||
ansible_connection: network_cli | ||
ansible_network_os: vyos | ||
ansible_user: my_vyos_user | ||
ansible_ssh_pass: !vault | | ||
$ANSIBLE_VAULT;1.2;AES256;my_user | ||
66386134653765386232383236303063623663343437643766386435663632343266393064373933 | ||
3661666132363339303639353538316662616638356631650a316338316663666439383138353032 | ||
63393934343937373637306162366265383461316334383132626462656463363630613832313562 | ||
3837646266663835640a313164343535316666653031353763613037656362613535633538386539 | ||
65656439626166666363323435613131643066353762333232326232323565376635 | ||
|
||
To run a playbook with this setup, drop the ``-k`` flag and add a flag for your ``vault-id``: | ||
|
||
.. code-block:: bash | ||
|
||
ansible-playbook -i inventory --vault-id my_user@~/my-ansible-vault-pw-file first_playbook.yml | ||
|
||
Or with a prompt instead of the vault password file: | ||
|
||
.. code-block:: bash | ||
|
||
ansible-playbook -i inventory --vault-id my_user@prompt first_playbook.yml | ||
|
||
|
||
.. warning:: | ||
|
||
Vault content can only be decrypted with the password that was used to encrypt it. If you want to stop using one password and move to a new one, you can update and re-encrypt existing vault content with ``ansible-vault rekey myfile``, then provide the old password and the new password. Copies of vault content still encrypted with the old password can still be decrypted with old password. | ||
|
||
For more details on building inventory files, see :doc:`the introduction to inventory<../../user_guide/intro_inventory>`; for more details on ansible-vault, see :doc:`the full Ansible Vault documentation<../../user_guide/vault>`. | ||
|
||
Now that you understand the basics of commands, playbooks, and inventory, it's time to explore some more complex Ansible Network examples. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already have quite sophisticated documentation about building inventories in the general sections.
I'd suggest to link here to the existing documentation for further details and concentrate on networking specific details here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general I agree that we should duplicate documentation as infrequently as possible. And the existing inventory docs are good. However, the Network Getting Started Guide is designed to walk network admins through the basics, step by step and with examples that look familiar to them (i.e. network devices instead of servers). My sense is that new/potential Ansible Network users need more handholding than the typical Ansible user (developer, sysadmin), so some duplication here is helpful.