Main Page

Sunday, 7 February 2021

Understanding Ansible Directory Structure

/etc/ansible : This is the default ansible home directory. 

 [osboxes@master ~]$ tree /etc/ansible

/etc/ansible

├── ansible.cfg

├── hosts

└── roles

1 directory, 2 files

/etc/ansible/ansible.cfg

With a fresh installation of Ansible, it ships with a default configuration file. This is the brain and the heart of Ansible, the file that governs the behavior of all interactions performed by the control node. In Ansible’s case that default configuration file is (ansible.cfg) located in /etc/ansible/ansible.cfg. 

When it comes to the order of precedence, the ANSIBLE_CONFIG  environment variable has the highest precedence. If this environment variable is in your current shell, it will override all other configuration files. Here is one reason you might want to use the environment variable: let’s say you have multiple projects and you want all of them to use one specific configuration file, besides the default one located in /etc/ansible. Setting the environment variable would be a good way to solve this problem. 

The second location on the food chain is to have ansible.cfg in your current working directory. if Ansible doesn’t find a configuration file in the current working directory, it will then look in for an .ansible.cfg file in the user’s home directory, if there isn’t one there either, it will finally grab the /etc/ansible/ansible.cfg.

Example: I moved ansible configurations from default location (/etc/ansible) to /home/osboxes/ansible-new . When I executed "ansible all -m ping" command it looked for ansible.cfg from local directory and executed.  

[root@master ~]# mkdir -p /home/osboxes/ansible-new

[root@master ~]# cp -r /etc/ansible/* /home/osboxes/ansible-new/

[osboxes@master ~]$ cd /home/osboxes/ansible-new/

[osboxes@master ansible-new]$ ansible all -m ping
databasehost | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

Order of Operations:

1) $ANSIBLE_CONFIG   ( env variable )
2) ./ansible.cfg                   ( current directory config )
3) ~/.ansible.cfg                 ( home directory hidden file )
4) /etc/ansible/ansible.cfg  ( global config file )

The default ansible.cfg is very large and divided into 10 different sections. Each section denoted within the square brackets gives you an idea about this configuration file. 

[osboxes@master ~]$ wc -l /etc/ansible/ansible.cfg
490 /etc/ansible/ansible.cfg

[osboxes@master ~]$ grep '^\[' /etc/ansible/ansible.cfg | cat -n
     1  [defaults]
     2  [inventory]
     3  [privilege_escalation]
     4  [paramiko_connection]
     5  [ssh_connection]
     6  [persistent_connection]
     7  [accelerate]
     8  [selinux]
     9  [colors]
    10  [diff]

1) [defaults] :  This section has some basic default values. 

Example: 
#inventory      = /etc/ansible/hosts

Here the default inventory file location is /etc/ansible/hosts unless you explicitly specify in the ansible.cfg file. You may change this to a different location by uncommenting and specifying a new location
Change the default inventory location to 
inventory      = /etc/ansiblehostfiles/hosts

You may override default inventory file location by explicitly providing "-i" option to the ansible command line. It will override the default configuration location.

[osboxes@master ansible]$ ansible all -m ping -i /home/osboxes/hosts
databasehost | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

This is one of the example. You may change the other values. 

2  [inventory] :

    This section enables inventory plugins, ignores inventory source extensions, ignore files, etc. 
    default plugins are :  'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
    default ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
   
    You may specify the other values to override default settings. 

 3  [privilege_escalation] 

#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

You can set the directives that control become at the play or task level. You can override these by setting connection variables, which often differ from one host to another. These variables and directives are independent. For example, setting become_user does not set become.

become
set to yes to activate privilege escalation.

become_user
set to user with desired privileges — the user you become, NOT the user you login as. Does NOT imply become: yes, to allow it to be set at host level. Default value is root.

become_method
(at play or task level) overrides the default method set in ansible.cfg, set to use any of the Become Plugins.

become_flags
(at play or task level) permit the use of specific flags for the tasks or role. One common use is to change the user to nobody when the shell is set to nologin. 

For example, to manage a system service (which requires root privileges) when connected as a non-root user, you can use the default value of become_user (root):

4  [paramiko_connection]

Ansible uses the python ssh implementation (Paramiko) to connect to targets. This section contains the default settings for paramiko connection. 

The paramiko transport is provided because many distributions, in particular EL6 and before do not support ControlPersist in their SSH implementations.
This is needed on the Ansible control machine to be reasonably efficient with connections. Thus paramiko is faster for most users on these platforms. Users with ControlPersist capability can consider using -c ssh or configuring the transport in the configuration file.
This plugin also borrows a lot of settings from the ssh plugin as they both cover the same protocol.

5  [ssh_connection]
 
    This section contains arguments to use it for ssh connections. You may override defaults.
  
6  [persistent_connection]
    
    This section contains peristent connection value settings. You may override defaults.
 
 7  [accelerate]
     
While OpenSSH using the ControlPersist feature is quite fast and scalable, there is a certain small amount of overhead involved in using SSH connections. While many people will not encounter a need, if you are running on a platform that doesn’t have ControlPersist support (such as an EL6 control machine), you’ll probably be even more interested in tuning options.

Accelerated mode is there to help connections work faster, but still uses SSH for initial secure key exchange. There is no additional public key infrastructure to manage, and this does not require things like NTP or even DNS.

Accelerated mode can be anywhere from 2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko.

Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly to it via a socket connection. Ansible secures this communication by using a temporary AES key that is exchanged during the SSH connection (this key is different for every host, and is also regenerated periodically).

By default, Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH.
 
8  [selinux]

This section contains values required for selinux settings. You may override defaults.

 9  [colors]

By default, in an interactive terminal session, Ansible colorizes its output so failures get 'red' color, good things / ok gets 'green', and changes get 'yellow-ish' etc. You may override these values.

 10  [diff]

 This section contains the settings for print difference when running and show how many context lines to show in diff. You may override these values. 

ansible-config command utility

To view, edit, and manage ansible configuration.

ansible-config [view|dump|list] [--help] [options] [ansible.cfg]

-h, --help
show this help message and exit

-v, --verbose
verbose mode (-vvv for more, -vvvv to enable connection debugging)

ansible-config --version : show program’s version number and exit

[osboxes@master ~]$ ansible-config --version
ansible-config 2.9.17
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/osboxes/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-config
  python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]


ansible-config dump

Shows the current settings, merges ansible.cfg if specified

[osboxes@master ~]$ ansible-config dump
ACTION_WARNINGS(default) = True
AGNOSTIC_BECOME_PROMPT(default) = True
ALLOW_WORLD_READABLE_TMPFILES(default) = False
ANSIBLE_CONNECTION_PATH(default) = None
ANSIBLE_COW_PATH(default) = None
ANSIBLE_COW_SELECTION(default) = default
---------------------------
---------------------------
---------------------------
---------------------------
---------------------------
---------------------------

ansible-config dump --only-changed

Only show configurations that have changed from the default


ansible-config list

list all current configs reading lib/constants.py and shows env and config file setting names

[osboxes@master ~]$ ansible-config list
ACTION_WARNINGS:
  default: true
  description: [By default Ansible will issue a warning when received from a task
      action (module or action plugin), These warnings can be silenced by adjusting
      this setting to False.]
  env:
  - {name: ANSIBLE_ACTION_WARNINGS}
  ini:
  - {key: action_warnings, section: defaults}
  name: Toggle action warnings
  type: boolean
  version_added: '2.5'
---------------------------
---------------------------
---------------------------
---------------------------
---------------------------
---------------------------

/etc/ansible/hosts : 

This is the default inventory file for ansible 

Ansible works against multiple systems in your infrastructure at the same time. It does this by selecting portions of systems listed in Ansible’s inventory, which defaults to being saved in the location /etc/ansible/hosts. You can specify a different inventory file using the -i <path> option on the command line.

Not only is this inventory configurable, but you can also use multiple inventory files at the same time and pull inventory from dynamic or cloud sources or different formats (YAML, ini, etc). Ansible has inventory plugins to make this flexible and customizable.

/etc/ansible/roles

Roles let you automatically load related vars_files, tasks, handlers, and other Ansible artifacts based on a known file structure. Once you group your content in roles, you can easily reuse them and share them with other users.

Role directory structure

An Ansible role has a defined directory structure with seven main standard directories. You must include at least one of these directories in each role. You can omit any directories the role does not use. For example:

# playbooks
site.yml
webservers.yml
fooservers.yml
roles/
    common/
        tasks/
        handlers/
        library/
        files/
        templates/
        vars/
        defaults/
        meta/
    webservers/
        tasks/
        defaults/
        meta/



No comments:

Post a Comment