Ansible: Up and running

Reading The Network Reliability Engineer's Manifesto reminded me I have yet to implement an automation solution. In this post, I am going to get Ansible up and running for use with network automation. It covers installing the base Linux OS and the latest Ansible package, and connecting to a Cisco IOS device.
How to get up and running
Base Operating System
Ubuntu 18.04 Server (Download Ubuntu Server)
Ansible Install
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:ansible/ansible
$ sudo apt-get update
$ sudo apt-get install ansible
As of June 21st, 2018, the latest package version of Ansible on Ubuntu 18.04 is 2.5.4.
Now you have Ansible installed. Ridiculously easy, right?
Configuring Ansible
A default configuration should now be in /etc/ansible/ansible.cfg.
Ansible - Getting Started
First, edit /etc/ansible/hosts and add the IP address of a test host. This is also the appropriate time to SSH to your device to verify that the username and password are valid before proceeding.
Keep in mind that a default ansible install expects to connect to a host via SSH. It will then execute the specified command on the remote host. I am a network engineer and want to test this with various networking devices.
Ad-hoc commands
If you follow the getting started guide you'll be immediately frustrated. Try this command with a Cisco IOS device.
ansible all -m raw -a "show version" -u ansible --ask-pass
It uses the raw module with the command show version and the username ansible, and asks for the password.
-a MODULE_ARGS, --args MODULE_ARGS
        module arguments
-m MODULE_NAME, --module-name MODULE_NAME
        module name to execute (default=command)
-u REMOTE_USER, --user REMOTE_USER
        connect as this user (default=None)
-k, --ask-pass
        ask for connection password
Passwords / Keys / Secrets
If you are tired of entering your password, the recommended way to handle this is with public/private keys or, in the case of password-based logins, with Ansible Vault - aka secrets.
If you can't push a public key to the remote host, an alternative that SHOULD ONLY BE USED IN A LAB is to put the credentials in a file in the host_vars directory. For example, if you created a file there for host R1, it would look something like:
ansible_ssh_host: 10.0.0.1
ansible_ssh_pass: my_secret_password
Ansible - Playbooks
Up to this point, we have only used the ansible command. The real power of ansible comes into play with playbooks.
Per this blog, I am using a local Ansible configuration file in ~/ansible.cfg with the following config.
[defaults]
transport=paramiko
inventory = ./myhosts
host_key_checking=False
timeout = 5
The playbooks themselves require additional reading, but here are two simple examples. The first uses the ios_command module, while the second uses the ios_facts module.
The first example will run the show version command and copy the output in JSON to a file.
- name: Display Version
  hosts: cisco-devices
  connection: local
  gather_facts: false
  remote_user: ansible
  vars:
  tasks:
    # Run "show version" on each device and keep the result in command_out
    - name: Show Version
      register: command_out
      ios_command:
        commands: "show version"
    # Write the registered result as JSON (the out/ directory must already exist)
    - copy: content="{{ command_out | to_nice_json }}" dest="out/{{inventory_hostname}}_command_out.json"
You could automate configuration backups with the ios_command module and a simple SCP to a local hard drive. If it is that simple for you, consider how easily a bad actor with access to an Ansible command host could pull configurations the same way. Please secure your Ansible hosts by using Ansible Vault and disabling any unnecessary services.
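As an added example (not part of the original post), here is a small Python check for the two lab-only shortcuts shown in this post: a cleartext ansible_ssh_pass under host_vars and host_key_checking=False in ansible.cfg. The sample tree, the host R2 and its placeholder vault value are constructed for the demonstration, and the function names are hypothetical.

```python
import configparser
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first bytes of a file encrypted by ansible-vault
SECRET_KEY = re.compile(r"^\s*(ansible_(?:ssh_pass|password|become_pass))\s*:\s*(.*)$")

def audit_vars_file(path):
    """Flag connection passwords stored in cleartext in one vars file."""
    text = Path(path).read_text(errors="replace")
    if text.startswith(VAULT_HEADER):  # whole file is vault-encrypted
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        # "!vault" marks an inline encrypted value; "{{" references another variable
        if m and m.group(2) and not m.group(2).startswith("!vault") and "{{" not in m.group(2):
            findings.append(f"{path}:{lineno}: cleartext {m.group(1)}")
    return findings

def audit_cfg(path):
    """Flag ansible.cfg files that turn off SSH host key verification."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        return [f"{path}: host_key_checking is disabled"]
    return []

def audit_tree(root):
    """Audit ansible.cfg plus every file under host_vars/ and group_vars/."""
    root = Path(root)
    findings = audit_cfg(root / "ansible.cfg") if (root / "ansible.cfg").exists() else []
    for p in sorted(root.glob("host_vars/**/*")) + sorted(root.glob("group_vars/**/*")):
        if p.is_file():
            findings += audit_vars_file(p)
    return findings

def build_sample(root):  # constructed sample: the post's cfg and R1 file, plus a vaulted R2
    root = Path(root)
    (root / "host_vars").mkdir(parents=True, exist_ok=True)
    (root / "ansible.cfg").write_text("[defaults]\ntransport=paramiko\nhost_key_checking=False\n")
    (root / "host_vars" / "R1").write_text("ansible_ssh_host: 10.0.0.1\nansible_ssh_pass: my_secret_password\n")
    (root / "host_vars" / "R2").write_text("ansible_ssh_pass: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(audit_tree(tmp)))
```

Run against the sample tree, it reports the disabled host key check and the cleartext password for R1, and passes the vaulted R2 entry.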
The second example will gather facts (configuration details) from the device and output them in JSON to a file.
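- name: Get Config
  hosts: cisco-devices
  connection: local
  remote_user: ansible
  vars:
  tasks:
    # Collect all fact subsets (including configuration) from each device
    - name: Get Config
      register: iosfacts_out
      ios_facts:
        gather_subset: all
    # Write the gathered facts as JSON (the out/ directory must already exist)
    - copy: content="{{ iosfacts_out | to_nice_json }}" dest="out/{{inventory_hostname}}_iosfacts.json"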
To execute these playbooks, use the ansible-playbook <script.yaml> syntax.
JSON is easy to manipulate with Python or your programming language of choice. These two playbooks could be combined. To further expand the functionality of Ansible, use variables and filters within your playbooks. I encourage you to continue reading the Ansible docs and building your playbooks.
To make this even more useful, use GitHub to save backups of your playbooks. This is how you make the transition to infrastructure-as-code.
Wrapping Up
Ansible is a powerful tool that is excellent for both servers and network infrastructure. Combined with a source control tool like GitHub, it enables tracking and automating changes to infrastructure in a way that has been difficult in the past. Given the minimal level of effort to get Ansible installed, I hope you take the time to install it and get started.
Additional Resources
Digital Ocean - Ansible Install guide
Packet Pushers - Ansible - Cisco SNMP