Ansible: Up and running

Reading The Network Reliability Engineer's Manifesto reminded me I have yet to implement an automation solution. In this post, I am going to get Ansible up and running for use with network automation. This will install the base linux OS, latest ansible package, and allow you to connect to a Cisco IOS device.

How to get up and running

Base Operating System

Ubuntu 18.04 Server Download Ubuntu Server

Ansible Install

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:ansible/ansible
$ sudo apt-get update
$ sudo apt-get install ansible

As of June 21st, 2018 the latest package version of Ansible on Ubuntu 18.04 is 2.5.4

Now you have ansible installed. Ridiculously easily, right?

Configuring Ansible

A default configuration should now be in /etc/ansible/ansible.cfg.

Ansible - Getting Started

First edit /etc/ansible/hosts and add the IP address of a test host. This is also the appropriate time to SSH to your device to verify the username/password are valid before proceeding.

Keep in mind that a default ansible install expects to connect to a host via SSH. It will then execute the specified command on the remote host. I am a network engineer and want to test this with various networking devices.

Ad-hoc commands

If you follow the getting started guide you'll be immediately frustrated. Try this command with a Cisco IOS device.
ansible all -m raw -a "show version" -u ansible --ask-pass

It uses the raw module with the command show version and username ansible and asks for the password.

-a MODULE_ARGS, --args MODULE_ARGS
    module arguments
-m MODULE_NAME, --module-name MODULE_NAME
    module name to execute (default=command)
-u REMOTE_USER, --user REMOTE_USER    
    connect as this user (default=None)
-k, --ask-pass
    ask for connection password

Passwords / Keys / Secrets

If you are tired of entering your password. The recommended way to handle this is with public/private keys or in the case of password-based logins the use of Ansible Vault - aka secrets.

If you can't push a public key to the remote host an alternative that SHOULD ONLY BE USED IN A LAB would be to use a file in the host_vars directory. For example, if you created a file there for host R1 it would look something like:

ansible_ssh_host: 10.0.0.1
ansible_ssh_pass: my_secret_password

Ansible - Playbooks

Up to this point, we have only used the ansible command. The real power of ansible comes into play with playbooks.

Per this blog, I am using a local ansible configuration file in ~/ansible.cfg with the following config.

[defaults]
transport=paramiko
inventory = ./myhosts
host_key_checking=False
timeout = 5

The playbooks themselves require additional reading but here are two simple examples. The first uses the ios_command module while the second one uses the ios_facts module.

The first example will run the Show Version command and copy the output in JSON to a file.

- name: Display Version
  hosts: cisco-devices
  connection: local
  gather_facts: false
  remote_user: ansible

  vars:

  tasks:
    - name: Show Version
      register: command_out
      ios_command:
        commands: "show version"

    - copy: content="{{ command_out | to_nice_json }}" dest="out/{{inventory_hostname}}_command_out.json"

You could automate configuration backups with the ios_command module with a simple SCP to a local hard drive. If it is simple for you then consider how a bad actor could use an ansible command host to pull configurations. Please secure your ansible hosts by using Ansible Vault and disable any unnecessary services.

The second example with gather facts (configuration details) from the device and output in JSON to a file.

- name: Get Config
  hosts: cisco-devices
  connection: local
  remote_user: ansible

  vars:

  tasks:
    - name: Get Config
      register: iosfacts_out
      ios_facts:
        gather_subset: all

    - copy: content="{{ iosfacts_out | to_nice_json }}" dest="out/{{inventory_hostname}}_iosfacts.json"

To execute these playbooks use the ansible-playbook <script.yaml> syntax.

JSON is easy to manipulate with python or your programming language of choice. These two playbooks could be combined. To further expand the functionality on ansible use variables and filters within your playbooks. I encourage you to continue reading the Ansible docs and building our playbooks.

To make this even more useful use Github to save backups of your playbooks. This is how you transform into using infrastructure-as-code.

Wrapping Up

Ansible is a powerful tool that is excellent for both servers and network infrastructure. Combined with a source control tool like Github enables for tracking and automating changes to infrastructure in a way that has been difficult in the past. Given the minimal level of effort to get ansible installed, I hope you take the time to install and get started.

Additional Resources

Digital Ocean - Ansible Install guide
Packet Pushers - Ansible - Cisco SNMP