This introduction to Ansible is based on my personal experiences.
I will not compare Ansible to other automation tools/frameworks! There may be some out there that can replace Ansible - but I haven't got much experience using other ones.
Ansible is used to automate IT administration.
Its base product is Open Source and free to use.
There is also an Open Source web-based control environment named 'Ansible AWX'.
For enterprise use, Red Hat offers a product named 'Ansible Automation Platform', which is commercially licensed and requires a subscription.
Practical examples of use-cases are:
- Provisioning/managing IT services from small to large scale
  - Webserver nodes
  - Database clusters
- Configuration of host and network firewalls
- Configuration of local users or identity providers
- Generating and renewing certificates for encrypted connectivity
- Preparing for the worst case: automating your disaster recovery
Why automate?
- Scalability
- Allows you to implement Infrastructure-as-Code
  - Benefits:
    - Cost reduction
    - Faster deployments
    - Fewer errors
    - Improved infrastructure consistency
- Having the configuration of all your IT systems in one place and versioning it using a Version Control System like Git
  - Benefits:
    - Abstracts the complexity of administration to a single click or button press
    - Simplifies/empowers Continuous Integration/Continuous Delivery
    - Testing of your automation can also be automated - see: Molecule
    - Makes system upgrades easier
    - Finds and corrects bugs before they hit your actual infrastructure
It is designed to:
- work in an agentless manner
- need few to no requirements on the target systems (for Linux targets usually only SSH access and a Python interpreter)
- make operations idempotent (a module checks whether a change is needed before applying it, so running the same playbook twice yields the same end state)
- combine per-host and per-group variables with templated tasks
- verify that the target state is as desired
What systems can Ansible target?
- Linux/Unix-like
- Cloud providers like Amazon AWS, Microsoft Azure, Google Cloud
- Windows
- Network devices like Switches, Firewalls
- Storage like NetApp, Pure Storage
- Databases like MySQL/MariaDB, PostgreSQL
- Virtualization platforms like VMware, Proxmox, Kubernetes, libvirt
- Monitoring systems like Zabbix
- And many more
There are also third-party community collections that allow you to manage even more systems!
For example:
- ansibleguy.opnsense => allows you to manage OPNsense firewalls
For Ansible to manage its target systems, it needs to connect to them.
Most of the time one will use the system-specific default connection types:
- Linux/Unix-like via OpenSSH
- Cloud services via APIs/SDKs (the modules run on the controller and talk to the provider API)
- Windows via WinRM (Windows Remote Management), or via OpenSSH where it is available on the target
- Network devices via OpenSSH (the network_cli connection plugin) or via their HTTPS APIs
- Many systems via APIs (mainly HTTPS/REST)
There are also some advanced tricks you can use for connecting to target systems:
- SSH tunneling to provision private targets through a jump host (a ProxyJump option passed via ansible_ssh_common_args)
- Using automation mesh (part of Ansible Automation Platform) to add connection proxies
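The connection types listed above are selected per host or group in the inventory. The following YAML inventory is an added example, not from the original page; the hostnames, user names and the bastion host 'bastion.example.com' are assumptions:

```yaml
# Added example inventory (inventory.yml), not from the original page.
# Hostnames, user names and the bastion 'bastion.example.com' are assumptions.
all:
  children:
    webservers:
      hosts:
        web01.internal.example.com:
        web02.internal.example.com:
      vars:
        ansible_user: deploy
        ansible_become: true
        # Private targets: OpenSSH hops through the jump host; Ansible only
        # passes the option through, no extra tooling on either side.
        ansible_ssh_common_args: '-o ProxyJump=deploy@bastion.example.com'
    windows:
      hosts:
        win01.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_transport: kerberos
        ansible_user: deploy@EXAMPLE.COM
        # Keep certificate validation on; many tutorials set this to 'ignore',
        # which silently accepts any certificate on the WinRM listener.
        ansible_winrm_server_cert_validation: validate
    switches:
      hosts:
        sw01.example.com:
      vars:
        ansible_connection: ansible.netcommon.network_cli
        ansible_network_os: cisco.ios.ios
        ansible_user: netadmin
    cloud_control:
      hosts:
        localhost:
      vars:
        # Cloud modules run on the controller and talk to the provider API,
        # so there is no remote host to SSH into.
        ansible_connection: local
```

A quick connectivity check for each group is `ansible -i inventory.yml webservers -m ansible.builtin.ping` (and `ansible.windows.win_ping` for the Windows group). Nothing in this inventory contains a password: the SSH hops use keys or an agent, WinRM uses Kerberos, and anything that cannot be avoided belongs in a vault-encrypted file, not in the inventory.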
If you have some experience administrating IT systems you might think:
Why use a large framework like Ansible if I can just script it? Ansible has much more overhead and is slower than basic Bash/PowerShell scripts.
That is true: Ansible has more overhead and is slower than scripting.
But there are reasons for that.
Ansible provides many features that help you prevent mistakes and/or errors:
- Simplicity:
  - Ansible 'scripts' are written in YAML syntax. This format makes it really easy to read tasks/roles/playbooks and understand what is going on.
  - Even people without a background in programming or advanced scripting are able to understand and write most tasks.
- Check mode:
  - Ansible modules can be executed in check mode (ansible-playbook --check) to show you what WOULD BE changed without actually applying those changes.
  - That is pretty useful if you want to test some new functionality or just want to make sure nothing will break.
  - Caveat: not every module supports check mode; tasks that do not are skipped in check mode unless you set 'check_mode: false' on them, so a clean check run is not a guarantee that the real run will succeed.
- Diff mode:
  - Most Ansible modules implement the diff flag/mode (ansible-playbook --diff); it lets you see the exact changes that are applied, e.g. as a unified diff of a configuration file.
  - This feature is really useful in combination with check mode.
  - If the execution unintentionally broke something, it helps you analyze what went wrong.
- Error handling:
  - Ansible gives you many options to configure error handling (block/rescue/always, failed_when, ignore_errors, any_errors_fatal, max_fail_percentage).
  - Most Ansible modules return useful information whenever they fail, in case you want to handle the failure gracefully.
- Validation:
  - Parameters passed to Ansible modules are checked for basic validity and converted to their declared type. That can catch user or configuration errors before they have any negative impact.
  - Parameters passed to Ansible roles can be validated the same way by declaring them in the role's meta/argument_specs.yml.
- Secrets:
  - Ansible has a feature named Ansible Vault that provides a way to encrypt and manage sensitive data such as passwords at rest in your repository. The vault password itself still needs protecting (a password file with restrictive permissions, a vault password client script, or a secret manager).
  - You can also use centralized third-party vault solutions like HashiCorp Vault (e.g. via the community.hashi_vault collection).
  - Sensitive data can also be protected from being logged in clear text using the 'no_log' parameter. Most modules also implement this for secrets you pass to them. Keep in mind that no_log only censors Ansible's own output; a secret that ends up in a rendered file or a shell history on the target is outside its scope.
  - Values prompted at runtime (vars_prompt) can be hashed before use (the option is called 'encrypt', e.g. 'encrypt: sha512_crypt' for user passwords), so the plain text never lands in a variable file.
- Configuration:
  - Working with complex configurations that require multiple scopes (host, group, role, execution, ...) can be challenging when using raw scripting. Ansible handles much of the variable precedence logic in the background, so we as admins/users don't have to deal with it.
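The following playbook is an added example (not code from the original page) that uses the features above together: input validation with assert, a read-only task that still runs in check mode, block/rescue error handling, a templated config file whose change shows up in --diff, and a database user created with no_log. The 'webservers' group, the database name, the template file 50-server.cnf.j2 and the vault-encrypted variable 'db_app_password' are assumptions.

```yaml
# Added example playbook (db.yml), not from the original page. The 'webservers'
# group, the database name, the template 50-server.cnf.j2 and the vaulted
# variable 'db_app_password' are assumptions.
- name: Manage the application database with Ansible's safety features
  hosts: webservers
  become: true
  vars:
    db_app_name: app
    db_app_user: app

  tasks:
    - name: Validate input before touching anything
      ansible.builtin.assert:
        that:
          - db_app_password is defined
          - db_app_password | length >= 16
          - db_app_name is match('^[a-z_][a-z0-9_]*$')
        quiet: true
        fail_msg: "db_app_password must be set (e.g. from a vault file) and be at least 16 characters; db_app_name must be a plain identifier"

    - name: Record the installed server version (read-only, so run it even in check mode)
      ansible.builtin.command: mariadb --version
      register: mariadb_version
      changed_when: false   # a query never counts as a change
      failed_when: false    # absence is expected on a fresh host
      check_mode: false

    - name: Install and start MariaDB, with a readable failure instead of a raw traceback
      block:
        - name: Install server package
          ansible.builtin.apt:
            name: mariadb-server
            state: present
            update_cache: true

        - name: Start and enable service
          ansible.builtin.service:
            name: mariadb
            state: started
            enabled: true
      rescue:
        - name: Report which task failed and why
          ansible.builtin.fail:
            msg: "MariaDB setup failed in '{{ ansible_failed_task.name }}': {{ ansible_failed_result.msg | default('no message') }}"

    - name: Deploy server config (--diff shows the exact change, --check only previews it)
      ansible.builtin.template:
        src: 50-server.cnf.j2
        dest: /etc/mysql/mariadb.conf.d/50-server.cnf
        owner: root
        group: root
        mode: "0644"
      notify: Restart MariaDB

    - name: Ensure application database exists
      community.mysql.mysql_db:
        name: "{{ db_app_name }}"
        state: present
        login_unix_socket: /run/mysqld/mysqld.sock

    - name: Ensure application user exists with the vaulted password
      community.mysql.mysql_user:
        name: "{{ db_app_user }}"
        host: localhost
        password: "{{ db_app_password }}"
        priv: "{{ db_app_name }}.*:ALL"
        state: present
        login_unix_socket: /run/mysqld/mysqld.sock
      no_log: true   # keeps the password out of stdout, log files and callback plugins

  handlers:
    - name: Restart MariaDB
      ansible.builtin.service:
        name: mariadb
        state: restarted
```

Run it first as `ansible-playbook -i inventory.yml db.yml --check --diff -e @secrets.yml --ask-vault-pass`, with 'db_app_password' stored in the vault-encrypted secrets.yml. The check-mode caveat shows up right here: on a host where MariaDB is not installed yet, the apt task only reports what it would do, so the mysql_db task then fails because there is no socket to connect to. That failure is an artefact of check mode, not a bug in the playbook, and it is why a clean check run on an already-provisioned host is worth more than one on a fresh host.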
In the following example I will show you the difference between Bash scripting and Ansible.
What will be configured in this example:
- Installing web-application dependencies
  - MariaDB database server
  - Apache2 webserver
- Configuration
  - Apache2
    - Modules
    - Virtualhost
  - MariaDB
    - Config
    - Import database schema
    - Users
  - Copy/update web application
  - Systemd timer to update some data on a schedule
  - Apache2
Compare the Bash and Ansible examples and think about it: which one would you rather maintain/work with?
Prerequisites for both:
- The script and the Ansible playbook need to be executed on a controller node
- The controller needs network access to the target system (SSH port)
- The executing user needs to be able to
  - connect to the target system via SSH
  - run commands with root privileges on the target system using 'sudo' (preferably a dedicated automation user whose sudoers rule is limited to what the automation actually needs)
See: Example Bash
See: Example Ansible
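To show what the Apache2 side of such a setup looks like when written for idempotent, repeatable runs, here is an added example playbook. It is not the linked example and not the author's code; the site name 'app.example.com', the application directory, the template vhost.conf.j2 and the refresh script are assumptions.

```yaml
# Added example playbook (web.yml), not the page's linked example. The site
# name, application paths, the template vhost.conf.j2 and the refresh script
# are assumptions.
- name: Provision the web tier
  hosts: webservers
  become: true
  vars:
    site_name: app.example.com
    app_dir: /var/www/app
    app_src: files/app/   # relative to the playbook; trailing slash copies the contents

  tasks:
    - name: Install Apache2
      ansible.builtin.apt:
        name: apache2
        state: present
        update_cache: true
        cache_valid_time: 3600

    - name: Enable required modules (wraps a2enmod/a2query, so re-runs report no change)
      community.general.apache2_module:
        name: "{{ item }}"
        state: present
      loop: [rewrite, headers]
      notify: Restart Apache2

    - name: Deploy virtual host from template (changes show up in --diff)
      ansible.builtin.template:
        src: vhost.conf.j2
        dest: "/etc/apache2/sites-available/{{ site_name }}.conf"
        owner: root
        group: root
        mode: "0644"
      notify: Reload Apache2

    - name: Enable virtual host (the symlink a2ensite would create, made explicit)
      ansible.builtin.file:
        src: "/etc/apache2/sites-available/{{ site_name }}.conf"
        dest: "/etc/apache2/sites-enabled/{{ site_name }}.conf"
        state: link
      notify: Reload Apache2

    - name: Copy/update web application
      ansible.builtin.copy:
        src: "{{ app_src }}"
        dest: "{{ app_dir }}/"
        owner: www-data
        group: www-data
        mode: "u=rwX,g=rX,o="   # no world access; exec bit only where already set or on directories

    - name: Install data-refresh service and timer units
      ansible.builtin.copy:
        dest: "/etc/systemd/system/{{ item.name }}"
        content: "{{ item.content }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - name: app-refresh.service
          content: |
            [Unit]
            Description=Refresh application data
            [Service]
            Type=oneshot
            User=www-data
            ExecStart={{ app_dir }}/bin/refresh.sh
        - name: app-refresh.timer
          content: |
            [Unit]
            Description=Run app-refresh every 15 minutes
            [Timer]
            OnCalendar=*:0/15
            Persistent=true
            [Install]
            WantedBy=timers.target
      loop_control:
        label: "{{ item.name }}"   # keep the unit bodies out of the task output

    - name: Enable and start the timer (daemon_reload picks up new unit files before the handlers run)
      ansible.builtin.systemd:
        name: app-refresh.timer
        enabled: true
        state: started
        daemon_reload: true

  handlers:
    - name: Reload Apache2
      ansible.builtin.service:
        name: apache2
        state: reloaded

    - name: Restart Apache2
      ansible.builtin.service:
        name: apache2
        state: restarted
```

Two details carry the idempotency argument from above: every task describes a state rather than an action, so a second run reports zero changes, and the handlers only fire when a notifying task actually changed something, which is what keeps a routine re-run from restarting a production web server for no reason. The refresh job runs as www-data rather than root, so a bug in the scheduled script cannot take the whole host with it.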