Ansible 101 - Episode 10 - Ansible Tower and AWX

Reddit Comments

Paging /u/nixfu ;)

May 27 is a momentous day! For the first time in a decade... I'll be talking about AWX and Tower :D

Just kidding - well, sorta. I will talk about Ansible AWX and Tower in episode 10, but later that day, on the 27th, there will be commercial human spaceflight to the ISS from the US! I'll have to think of some aeronautical theme.

👍 6 · u/geerlingguy · May 21 2020

Thanks again Jeff, really looking forward to this one!

👍 1 · u/highexplosive · May 21 2020

Thanks, I have recently started working with Ansible Tower so this is much appreciated.

👍 1 · u/chud6 · May 21 2020

RemindMe! May 27th, 2020

👍 1 · u/0ni0nrings · May 22 2020

Hi Jeff,

Great stuff this video series!

Will you be covering the "full" cycle (if ever briefly)?

More specifically: how to take an existing playbook:

- its venv
- its roles requirements file
- its host/group vars files
- its host/group vault files
- etc.

and migrate it to AWX?

Ok, so I realize it's probably quite a lot for a 1h '101' :-) but it would be appreciated if you could do a quick flyover on those.

👍 1 · u/vincenma · May 22 2020

Where did you purchase your Turing Pi and the modules? The Turing Pi looked like it was almost $200 and the modules are around $40 each.

👍 1 · u/hlh2 · May 24 2020

Captions
Hello everybody. In case you haven't been glancing at the live chat, or if you're watching this later, today is a very big day. I am a space nut, in case you can't tell by the fact that I'm wearing a NASA shirt with the worm logo, which is making a comeback today from, I think, what was it, 1992 or sometime around then, when the worm logo came into existence. It went out of existence sometime 10 or so years ago, but then it's making a comeback on the SpaceX Falcon 9 rocket, which is on the pad right now getting ready to launch later today with human spaceflight. And we've had human spaceflight for years, and all of the American astronauts have launched in Russia, which is great, the Soyuz is a capable rocket platform. But this is not a space channel, this is talking about Ansible right now, so I won't get too far into that, except to mention that I also have, you may notice in the background, this Saturn V rocket replica. It's the Lego Ideas kit. I actually put a link to the kit in the description below, but I found out today that this is a retired Lego Ideas kit, unfortunately. I don't know why they did that, because it's pretty much the best thing ever in the whole world from Lego, and my kids and I spent two weeks building that. I had a system where the youngest one would sort the colors, because she couldn't really do the little Legos, then the second youngest would put together some of the simpler things, and the oldest would put together the larger parts, and then I would assemble it all on top of each other. And it's a really cool Lego set because you can pop apart the different stages. This is the second stage, or actually no, this is the third stage, the second stage is here, which you can also pop out. And then at the top, I'm not going to get it out right now because if I do it'll probably fall out and be really crazy, but there's even the lunar lander, and you can put it together, and it comes with a kit for that. It's a really cool Lego set.
Anyways, so that's coming up later today, but I know that everybody is thinking more about this Ansible 101 livestream and less about space, unless you're the Space Core from Portal. Oh, hmm, hmm. Anyway, so if you're interested in watching that, it's gonna be all over the place. NASA has live streams, SpaceX has live streams, probably some network channels will have it. It's at 4:33 p.m. Eastern Time today, pending weather. There's a tropical storm in the Atlantic today that might cause some issues, we'll see. Anyways, as I said, this is Ansible, we won't talk too much about space. The second that this finishes, though, I'm going to be opening up all my Twitter feeds and things and checking in on progress there.

But for today we have a bit of a full plate, but I did want to go through some of the other important things. First of all, thank you so much to everybody who's supporting me on GitHub and Patreon. I have a goal of trying to be able to get to $1,000 or so a month of sponsorship so that I can devote more time to these YouTube videos and to working on the books, which I just gave away 60,000 copies of the books, so you know, that's a potential audience that will probably never pay for it. So I'm trying to find ways to replace it, make it a more sustainable income, so that I can work on these things and keep things relevant for you. The Ansible for DevOps, which I have right here, this is version 1.20, the 20th revision. This was from six months ago. We're up to 1.23 and I'm working on 1.24 right now. An unfortunate thing with Amazon in the paperback book is that I can't tell Amazon, like, show the latest published date, so it still says published in 2015, which is way out of date, because the latest version is from just a few weeks ago of the paperback. So I'll probably do a second edition, even though we're on edition 23 right now, but I'll do that on Amazon soon. But thank you, and if you would like to support
me on GitHub or Patreon, there are links to that in the description below this video as well.

There are some great questions and answers in last week's episode. As we get deeper into Ansible, you know, the first few things are connecting to a server, all that, it's pretty unambiguous and there's only one way to do a lot of things. But as we get deeper and we do more things with Ansible, you realize there's usually 5, 10, 20 different ways to do something, and what's just for some person is not the same thing that's the best for another person. If you're managing giant enterprise infrastructure with hundreds of servers, that's a wildly different use case than managing two or three servers, or managing a small Kubernetes cluster versus 20 Kubernetes clusters. All these different kinds of things have different challenges, and so there were a lot of great questions.

Eggs and Ray said, how do you install Kubernetes using Ansible? And I have a whole book for that, actually, if you want to look for Ansible for Kubernetes. In that book I explore a few different ways of setting up Kubernetes clusters in different environments using Ansible and how you integrate Ansible with them. And I also have another streaming series, or not a streaming series but an actual pre-recorded series, where I get to edit out all my little bloopers, on this YouTube channel for the Turing Pi cluster, which I can't pick up right now because it's actually running. I'm doing a burn-in, testing how long things will last at high temperatures. So far it's been 24 hours, so that's pretty cool. And anyway, so check that out.

Jordan Peterson says this stream is wealthy on the scope of advanced security. Yes, that is true, because I could probably do a 24 episode streaming series on just security and still not even cover half of the world of security for infrastructure. But automated key rotation is something good to do if you're running an Amazon or Google or something like that
and you can integrate Vault. You can do a lot of really nice things for security, making sure that keys are never stored in your repository and are rotated, and you can have key rotation permissions and things like that. So, you know, a lot of places, what you'll do is you'll just have multiple people have access to the servers and can do anything on them, but you could set it up so that production can only be accessed by automation, or by, like, one particular small set of people, more easily than managing everything by hand.

Captain iron but, who wins the award for the most interesting name, I guess, said the first step after installing Ansible is to install cowsay. I believe that was after I put nocows = true in one of my inventory files to turn off the cowsay plugin. But yes, and here, in honor of captain iron but, I will cowsay that. There it is.

Let's see. Tej Singh Rana, sorry if I mispronounced that, says, what is the best way to learn regular expressions? Well, the best way is to never have to use them at all, but the second best way is using tools like regex... regex101, is that it? Yeah, regex101 is one of my favorite tools for it. And if you use it a lot, do consider donating. For a lot of these projects I like to give, like, if I find myself using something a bunch of times and there's a donate link or a support me on Patreon link, I'll throw in 5, 10, 20 bucks, something like that, because this saves me so much time and helps me learn things so much better. And you can switch to Python flavor regex so you can test things in here. But as I said before, the best way is to never have to do it, because when you do it there's always going to be edge cases you never expect. So that's that.

Captain wasabi says, yeah, that, so last livestream I was connected and I was still connected even after I changed the port for SSH, and I was like, what is going on? And I realized Ansible is using a persistent connection, so that first playbook run that I was doing was still connected for 30
seconds after I finished running it. That's something that Ansible does just to optimize the speed that it can connect through SSH to servers, so that's something you can also configure with persistent connect timeout in your Ansible configuration. That lets you turn that off or make it longer, and it just helps with the optimization of the SSH connections. There's tons and tons of options you can set in Ansible's configuration, which we won't be able to get into in this live stream.

Aaron Colby says one problem with sudoers changes: they might not persist across upgrades. That's true. For more modern Linux systems, if it has an /etc/sudoers.d folder, you can put the settings per user in there and it will not be overwritten when you upgrade your distribution. So that's a good point. Any kind of configuration, if you have a .d folder for it that has, like, basically your local configuration overrides, use that instead of using the global file, because the global files will be managed by the package manager.

Erin also asked, do you prefer RPM-based distros over deb-based? I don't really have a preference too much. Both have their pluses and minuses. I will say that I'm burned more by apt than I am by yum, but on the flip side it seems like yum and DNF take a little bit more memory sometimes, so on smaller servers, which I use a lot with some of the services that I build, that does cause some consternation sometimes.

Dan says, popcorn for these comments, great conversations happening over them here. I agree. That's one reason I enjoy doing the live stream format for these. It's actually a lot more work for me to do a live stream than to do one of the pre-recorded videos, and it's a little more stressful just because it's all live and, you know, I don't want to have a lot of dead air, so I try to spend some time making sure that the things that I work on are not gonna just blow up in my face, even though they do half the time, but
the comments are amazing, so thank you very much to everybody who's posting in the live chat. And if you are in the live chat, please go ahead and post where you're from. It's always inspiring to see where people are from all around the world. And as you'll notice, earlier I had a go/no-go countdown for the launch, which is this episode, so thanks for participating in that little fun aside.

Let's see, so getting on to today's topic. I actually got that done a little quicker than I was hoping, so that's good, that means we have time to talk about this stuff: Ansible Tower and AWX. In the book, I believe it's chapter 11. I don't even have it bookmarked in here right now. Wherever chapter 11 is, that is Ansible Tower and CI/CD, automating your automation. Chapter 11, no, oh, there goes chapter 12, the new pages that I had just inserted in here. Anyway, I'm actually rewriting that whole chapter, so if you have the book right now, don't refer to it during this episode, because a lot of it is out of date. It uses an example that worked with, like, Ansible Tower 1 or 2 or something, and at the time that I wrote that, AWX was open source, it was like 2016 or 2017 that it was open sourced. I think 2017 it was open sourced, after Red Hat had bought Ansible. And so I'm rewriting that whole chapter, partly based on some of the work I've done for this episode, so that will be coming out in a book update very soon, hopefully in version 1.24. It's been a little bit of extra work just because you can't just spin up a Tower instance in ten seconds, which I'll get to in a moment.

The first thing that's important to know about Tower and AWX is they are in some ways the same thing, but they're also very different. And Red Hat has an article, a datasheet, talking about AWX versus Tower, what the differences are, and the main thing is it's a lot like Fedora vs.
Red Hat Enterprise Linux, and that's kind of the model that Ansible has gone after with setting up Tower and AWX. AWX is the open source, community-based upstream from which Tower draws features and functionality. So the way to think of it is, AWX is bleeding edge. It has all the latest features and things, but it might also have some things that are experiments that might not actually make it into Tower. So when you run AWX, you're running something that doesn't have any official support or any means to get support for it. It's just, you know, community forum based. There's an IRC channel for it, you can use the issue queues, so there is some support, but it's not official. It's not something pay to get, like 24/7 type support, and you can't have it in your cloud.redhat.com dashboard. So if you're looking for that, AWX is not the right choice. But it does offer all the features and functionality of automation transport playbooks that you would want, and so it still is very valuable. A lot of people would choose Fedora for a personal workstation or for some side projects and things, that's great, but if you're running an enterprise Linux shop and you're trying to have stability and all that, you'd want to be running Tower. And this page goes into a lot of the details.

Another thing that's important to know is that there are some processes that Tower goes through for compliance and security and all those kind of things that AWX is not necessarily completely vetted for. So if you are in an environment where those things are major concerns, you also want to consider using the supported Ansible Automation Platform with Tower. But you can read this page for more information about that. But I wanted to give that background because once you choose, oh, I do want to use Tower or Ansible AWX for my automation needs, for CI and CD and for running playbooks and for role based access control for
playbook runs and things like that, there's a lot of different ways to install it. And before I get into how Tower works and all that, I wanted to show how to install it, but since it takes a few minutes, it's a pretty big application, I actually have a video for that, which I will play here as long as it actually works. So bear with me for a second.

When you first think about installing Tower or AWX, there's actually a lot of different options available. There's an official installer for Tower from Ansible that you can use to install it on bare metal. You can also download installers for OpenShift, which also work on Kubernetes clusters. Those are two options for Tower itself, and if you have a Red Hat Ansible Automation Platform subscription, it's best to probably use one of the supported methods and manage it through your cloud.redhat.com instance.

There's also Ansible AWX, which is of course the open-source version, and this has a few other options as well for installing. If you go to its install guide, you can install it on OpenShift using the installer, you can install it on Kubernetes, or you can install it on Docker Compose. There are even some community scripts and things that get it running on bare metal hosts without using any Docker at all, but those are unsupported and sometimes a little bit outdated and might break with newer versions, so using one of these official installation guides is probably the best bet.

In my case, whenever I install it, I usually use something that I run called the Tower operator, which is at geerlingguy/tower-operator. Again, this is unofficial and unsupported, so if you're looking for any kind of support or you have a Red Hat subscription, you probably don't want to use this. You'd want to install Tower using an official method. But this is one of the quickest ways to get it up and running locally, and all it requires is that you have minikube installed. Minikube is a Kubernetes environment that
runs on your local computer, and it abstracts a lot of things, so it's actually not super hard to get started with. And so I'm going to use the testing configuration for this Tower operator, and while I'm downloading it and getting it ready, I'm gonna go ahead and start a minikube instance on my Mac. I installed minikube with brew install minikube. That uses Homebrew to install it, and on other platforms you can install minikube other ways. But I'm gonna go ahead and start an instance, and I'm gonna put 8 gigabytes of RAM in it and give it 4 CPUs, because Tower and AWX both use a number of auxiliary services, like Postgres and Redis and things like that, to run all of the different parts of the platform, so it needs a lot of RAM and a lot of CPU power if you want to run it well.

So while that's starting up, I'm going to go ahead and download this repository to my computer so that I can run its test configuration. And as we learned a couple episodes ago, you can use Molecule to test all kinds of different things. In this case Molecule is going to build a test Ansible AWX operator for us and run an instance of AWX, all configured through Molecule in here. I'm not going to go through that in this particular episode, but I'll just use Molecule to set it up because it's really fast and easy.

The other thing I'm gonna do is turn on minikube ingress, and that lets me be able to access the Tower or AWX instance at example-tower.test on my computer. So I'll show you how to do that also while it's setting this up. So I'm going to go in here to the Tower operator that I just downloaded. I'm gonna open it up in my terminal, I'll make that a little bit bigger so you can see it, and I'm going to run this command so that it starts building it. It'll take a little while, and of course it fails because something's not right here. ansible-lint... oh, ansible-lint is complaining that it's not a git repository. Even when I pre-record things I run into annoying issues like
this. So I'm gonna say molecule, what is it, molecule converge. I don't care about the linting. And that's going to go ahead and set that up.

While it's setting up, I will also mention how to make it so that you can visit this at example-tower.test. You basically need to edit your hosts file and put in the IP address that minikube sets up. So you can get that with minikube ip, that gives me an IP address, and then I'm going to edit my hosts file, so sudo nano /etc/hosts, and I'm gonna go down here and put this in and call it example-tower.test. Save that file, and now it's just time to wait for everything to get set up here. So I'm gonna let that go, and once it gets to this point where it waits for reconciliation to run, that means that the Tower operator at this point is trying to build a new AWX instance locally, and that could take up to 5, 10, 15 minutes depending on how fast your computer is.

While it's doing that, I can go to example-tower.test, and right now it's giving me 503 unavailable because the Kubernetes resources are ready, but the container that runs AWX is probably still coming up. So I'm gonna go ahead and speed this video up a little bit. And what happens is AWX starts up, but it needs to run some database migrations before it can start actually doing anything. So as you watch this video sped up, you'll see that I'm refreshing the example-tower.test site, and eventually it's going to start giving me a status, but it's not going to be ready, and then finally let me log in, and then it'll be ready. And there we have it, it's up. And the test credentials that are default in this Ansible Tower operator are username test and password changeme. And I'm gonna sign in, and here is the dashboard. And I'm gonna pass it right back over to the live stream, because this is the end of this little pre-recorded video segment.

All right, so back to me, from me. I don't know how that works. But anyways, so that's how you install it. There's
there's, like I said, tons of different ways to install it depending on what your goals are. In my case I just like having quick instances that I can bring up and completely destroy quickly, and this is that instance. If you looked very closely at the time stamp, that was like an hour ago that I started it, so it's been running and has not brought down my computer, so that's a nice thing. But unless you turn this off, it comes with one example inventory, credential, playbook, all that kind of stuff. So what I'm gonna do is I'm going to go to that template that it sets up, the job template, and click this little rocket ship, which is very apropos, apropos, whatever that word is. I'm gonna run that because today's the rocket launch, you know. I'm gonna run it, and the first thing I usually do with a new install is just run this demo job, because that's a good quick way to tell if the whole system is actually working. Because on the back end it actually runs through a scheduler, the scheduler picks up the project, which pulls a git repository to the Tower instance, then it runs it, and then it gives you the playbook output. And as long as this all works, you know that your Tower instance is actually running, or in this case AWX. So that's the demo job.

Now I have a playbook over here. Let's clear this out. This is my Ansible AWX Varnish PHP app, and this is actually available on GitHub. If I go to github.com/geerlingguy, what is it, what did I call it, Ansible AWX Varnish PHP app. This is up on GitHub, and all I did was I set up three instances in EC2. And I'm not using any fancy things like dynamic inventory or anything like that. We haven't covered that yet, so I didn't want to deep dive into how you can connect straight through Amazon to get the inventory for your servers. So I have an inventory file here with three servers. I already ran this playbook before, but it's basically ansible-playbook main.yml, and this playbook sets up a few different things
and it doesn't, it can't reach... that's interesting, why is it not able to connect? Oh, you know what, I think I actually set a different private key. Let me try this. That's not right. Downloads/... Downloads/varnish PHP key, and it is varnish PHP. Let me try that out and see if that actually works. No, that's not working. Okay, so forget that for a second. Maybe somebody already hacked into these servers and is destroying them as we speak. Hopefully not, though.

But I do have this playbook running, and I'm going to go to the main server. And I'm not going to get too deeply into the playbook itself today. We might be able to after we get it set up in Tower or AWX. But the playbook has three plays in it. The first play sets up security on all the servers, which hopefully is working, but I might have blown things up last night when I was setting all the demo stuff up. So the first step is running my security role, which runs some of the security settings that I talked about in last week's episode on all the servers to make sure that they're at least minimally secured. Then it sets up on the Varnish server, which is this server, this single server up here, and sets up Varnish on it. And Varnish is, if you don't know what it is, it's a proxy and load balancing system that's written in C, and it's extremely fast and extremely configurable, although the configuration can be a little bit obtuse. But if you work in web anything, a lot of times you'll see things like Varnish, HAProxy, nginx, all these different systems for proxying and caching and speeding up websites with multiple backends, that kind of thing. So Varnish is used there. It has a VCL that load balances requests using round-robin, so the first request goes to one server, second request goes to the other server, third request goes back to the first server, and it just goes through the servers like that for every web request it gets. And that VCL actually disables caching on the server, so if I
refresh, every time I refresh you'll see that the page changes, the time changes, and the server here changes back and forth, because it's using round-robin and not trying to tie it to one particular server or anything like that. So that's how that's set up.

And then there's a PHP... two PHP servers that both run Apache with PHP, and they have an index.php file, which I'll show you right here. And this file is incredibly simple, and the reason I use PHP was just because, A, I am traditionally a PHP developer, don't hate me for that, but B, it's really quick and easy to get it set up. It took me all of like 15 minutes last night to get this all running and set up a little page that has a fancy hello and siblings and has the server IP and all that kind of stuff. So you can actually visit these sites. So here's the load balancer. I'll pop it in the live chat in case you want to see this unbelievably amazing website and try to figure out a way to hack into it. But you can go to Varnish, and every time you reload the page it goes to a different server, and if I click on a server it'll just be on that server. And I'm on this one server and it's only giving me that. So I could go back to the load balancer, refresh, and why is it not... there we go, my browser was caching. So if I go to this server now, it's giving me that page. So it's a really simple way to demonstrate load balancing using Varnish and how quick and easy it is to get it running with Ansible using a few roles and collections on Ansible Galaxy and these roles.

So I mentioned this role last week. This is how you use it in a playbook. Here's a whole playbook for securing your servers. As you get further along in your Ansible journey and you build roles and collections that do everything for you, building playbooks is a lot easier. This whole thing I set up, let's see, if I go to here and look at the commits, I started working on this 15 hours ago and finished working on it 12 hours ago, so 3 hours with a
couple breaks. I think I had a bowl of cereal somewhere in there. But I set this infrastructure up for this demo, and it's pretty quick and easy once you start relying on community things and also having all of your stuff abstracted in good ways. So this is the playbook, and it's not running, and I might have to debug that in a minute, we'll see. But trust me, it runs, if my SSH is actually working, which it seems not to be right now. I might have locked myself out of the servers, which would be funny. That's what you get for doing live demos.

Anyways, so that's the playbook, and to get these roles, so there's the geerlingguy security role, the geerlingguy varnish role, and then down here there's the Apache role. But these two roles are a little bit different. I haven't talked about collections yet, but these are roles that come from collections, and collection roles are a little different than community Galaxy roles, because it has the namespace geerlingguy, which all the other roles have, but then it has the collection name, so I have a collection called php_roles that has all my different PHP roles in it, and then the role name. So it's a little bit extra. And if I look into my requirements file for Ansible Galaxy, the roles are up here, and those you've seen before, you just list the roles, but collections can also be listed in this file. So to install that I can go in here and say ansible-galaxy install -r requirements.

One note on if you're mixing collections and roles: if you're using Ansible 2.9 or earlier, you actually have to do two installations. You have to do role install to install the roles, which, it's going to say they're already installed, and then you also have to do collection install. And that'll do both of the two different types. In Ansible 2.10 and later you don't have to do that, you can just do ansible-galaxy install and it will install all the roles and collections. So that's one little thing to
watch out for. I know I haven't talked much about collections yet, but part of the reason for that is that things have changed a bit with 2.8, 2.9 and 2.10, so I don't want to do things that might confuse you, especially if you're not watching this live and you're watching it some time a year in the future when things are even a little bit more different.

So anyway, that's the playbook, and I have it up here on GitHub, and I want to get this running on... you can see that the initial commit did not work on the first try, so I shouldn't buy a lottery ticket. Anyway, I have this on GitHub and now I want to run it in Ansible AWX here. So there's a few different things I need to do. First I need to set up my credential for the server, so I'm gonna go to credentials. And the weird thing is, let me see, what is this server? I'm gonna try logging in to the server, ssh and -i, where is it, no, ssh-add that, .ssh, Jeff Geerling AWS, and then have that. Let's see if I can log in. Okay, so I can't log into that server, and that means that I should be able to run this playbook. Yeah, so now it's working there. I'm not sure why it didn't work with that other key, but we'll see.

Anyways, so first thing I need to do is add a credential. That's basically a way to connect to servers, and there's tons of different credential types that you can add. In this case we're just going to add a machine credential that connects to a machine or servers. So I'm going to say this is the Varnish PHP demo credential. I'm gonna put it in the default organization, and that's the default one set up. We don't have enough time to get into the full gamut of RBAC controls in Tower, or how to connect it to LDAP, or one of a thousand other things that you can do with Tower. However, I will say that you should read the documentation, and if you do have a support contract, rely on that for help if you're setting up things like LDAP connections and connections to other systems that are outside the
scope of this quick intro video. But I'm gonna select a machine type of credential, so I'll go here, machine, and the username is admin, and I'm going to copy the SSH private key out of here. So that is, what is it, Downloads, and then varnish PHP key, and then I'll cat it. And I'm not gonna do it to the screen, because then you could just... well, it'd take you a while, probably, to transcribe it, unless you have some system set up with YouTube that can OCR text off the screen. But I'm not gonna cat it straight to the screen, because then you could do that. So I'm gonna say cat, what is it, what is the name of it, okay, varnish PHP. pbcopy lets me copy it straight to the clipboard so that you cannot see it. Hopefully I don't have root access to my computer and can grab the clipboard, that would be a much more serious problem. I'm gonna paste it in here, and you can get the bottom of the key, whatever. This key does not have a passphrase, but if your key has a passphrase you can do that, or you can prompt it on launch if you're manually running the playbooks. And then the method for privilege escalation is sudo on this server, on servers that use this key. And then I'm gonna save this. So I have that credential, and when you save it, Ansible Tower actually encrypts the key so that people that pop in here afterwards can't see it easily. And then you can also set up permissions for keys, credentials, it's not always keys, and so there's a lot of controls for who can see what and how they can configure it and things like that in Tower. And unfortunately I don't have the time to get into everything, because I'm just kind of giving you a broad overview of things, but that is something that there are some other videos that Red Hat puts out, and some guides and things, that go into detail there.

I also need to set up an inventory. So there's a bunch of different ways to do inventory in Ansible AWX and Tower. The way that I have it here in this playbook is I have an inventory, this is, I
could call it inventory.ini or hosts.ini, but this is the INI format for inventory, and you can actually import that directly into Ansible Tower. But I wanted to show the most drawn out way that you can do it, that you can have a structure of inventory in Tower that you can manage through Tower. There's also inventory scripts, which lets you have a script that runs that pulls inventory from an external system. But in my case I'm gonna create an inventory. It's not gonna be very smart, it's gonna be a very dumb inventory called varnish PHP demo, and it's gonna be in the default organization. And variables for it, I want to have these two variables, well, actually, I already set up the user and the private key separately in the credentials, so I don't need any variables here. There are no group vars in this playbook, so I should be good to go here. I'll save that.

And then now I'm gonna add groups. I'm gonna add a group for varnish and a group for PHP. So here, just varnish, and if I did have group variables I could put them into this group vars here as YAML or JSON. Save that group, and then I'm going to add, oh, all groups, then I'm gonna add another group, this one is PHP. Save that. And then under hosts, so I'm gonna go to the varnish group, I'm gonna add hosts to it. This is the host, new host, host name is that, and you can also add host vars here. Save that, and then go back to all groups, go to PHP and add two hosts under it. As I said, this is the most drawn out way to do it, but I wanted to show it just because if you have people who are not familiar at all with Ansible or the way it's set up or anything like that, this is one way that they can do it all through a little UI instead of having to do it through vars files or building dynamic inventory, that kind of thing. And that host is PHP, and another host, this one. And again, I'm using Amazon EC2 instances, so I could use the
Amazon EC2 inventory integration and do it that way, but I'm not going to get into that in this episode since I'm not demoing dynamic inventories yet. Do that now. I think that's it. So I have the varnish PHP demo, there's PHP and varnish, and here's the host, and it shows you the groups that they're in. So the inventory is all set up now, the credential's all set up now.

The next thing I need to do is set up a project. So this is my project on GitHub. I want to get that project into Ansible, so I'm going to add a project here and call it varnish PHP demo, default organization. It's gonna come from Git, and the URL is going to be this. I'm gonna use the public HTTP URL; since this is an open source project it can clone it. Now something that you will probably need to do for a lot of projects in Tower is you need to use a credential for Git, GitHub or GitLab or Bitbucket or whatever system you're using. You'll need to set up a credential for Tower to clone the thing, and you can use, like in GitHub, I forget what it's called, I think you could use a personal access token, but I forget what it's called, somebody could pop it in live chat. You can get, like, a token just for automation for a particular repository, so you'd want to do that for Tower. And then there's a bunch of different options you can use, so I'm just going to use the default, which is master I believe. I think if you set none it just defaults to master, but you could also put in master. And let's see, there's some options for it. You can make it basically wipe out the repository every time it updates, all those kind of things. You can also set it so that when you're running the job you can actually allow the person running the job to override the branch that it's running off of, but I'm not going to do that, this is just a basic setup. It's going to pull that project down, and I believe if I go into here and I run this monitory tea, if I run this job, it will pull down the
repository. Now something interesting may happen here, and I'm gonna try this and see what happens after I set up the playbook in here. I pulled it down, so now Tower knows about this project and it knows what files are inside of it and all that. But one thing that you might be wondering is how does it know to pull these requirements from Ansible Galaxy, and we'll get to that in a minute.

First I'm going to go up to templates, and this is where you create a template to run a job. So the template could be used to run manual jobs where somebody can go in and kick it off whenever they want. You can also run them on a schedule. You can even use webhooks so that when you do something, like if I push to the master branch or if I merge something on a PR, it will automatically go in and run the job template. That's something otherwise known as GitOps nowadays, although in the old days we just called that webhooks, but what's old is new and what's new makes lots of money, so they made a new term for it called GitOps. Anyway, so I'm going to make a new job template here and call it varnish PHP demo, and we're going to use the inventory that I created here, varnish PHP demo. Set a project, varnish PHP demo is the project that pulls from GitHub. The job type is run. You can also do check, which runs it with check mode, which I talked about a little bit a couple weeks ago, but we're not going to get into that right now. But you can use this for checking up on playbooks by running them in check mode, that's one nice thing about Tower. And then you can choose playbooks, so it detects that there's different playbooks in here. There's an authorized key playbook that puts an authorized key onto the server, and then there's also the main.yml playbook that runs all of these three different plays to configure everything. So I'm gonna pick the main.yml playbook. There's also overrides for almost everything you can think of in here. You can also have a lot of these, like
if you want to let people choose what tags to run. So I have a few tags in here. If you just want people to be able to say only do the deploy tests, you could let them put in the deploy tag on launch, or you could even put that here, deploy, like that. But I'm not gonna do that for now. These are all basically the options that you can pass to Ansible on the command line, but all configured in the job. And then as I mentioned there's the ability to use webhooks so that Git, or GitHub or whatever system you're using, could notify Tower when there's a change, and you could do that by checking this box and then you set it up here. It looks like right now there's support for GitHub and GitLab. So that's about it for this job, I believe, and you can also give more verbosity so that you can see all the debug information if you need to, if a job is failing or something.

So I'm gonna save that, and if I go to job templates now I can run it, and let's see what happens. It takes me to the job page where it gives the output in real time and it gives you status information and all that. And I know this because I did this last night, but this is not actually gonna work, and the reason it's not going to work is because it doesn't find this role. And you're thinking, well, Tower didn't have any configuration setting for, like, you know, where's the requirements file, how do I pull it. So Tower actually uses a kind of slightly magical incantation of where it gets requirements from. Remember earlier I mentioned that when you're installing requirements from Ansible Galaxy, if you use Ansible 2.9 or earlier, there's actually two different commands you have to run to install the requirements, and that was, what was it, collections install and role install. And because of that, Ansible Galaxy, which has to work with all kinds of Ansible versions and all kinds of Ansible situations, because of that Ansible Galaxy, or Ansible Tower and AWX, use a convention where the
requirements file has to be split up right now. In the future this may change; by the time you're watching this video this might just work out of the box. But for now you actually have to put the collections in a requirements file into a collections folder and the roles in the requirements file into a roles folder. So I actually did that, and if you go on GitHub you can see there's a separate branch called awx-version, and if I go there you can see that there's no requirements.yml file anymore. Now there's two folders, collections and roles. If I go in here there's a collections requirements.yml file in here and it just lists the collections to install, and in the roles folder there's a requirements.yml file that has all the roles to install.

So if I go here and if I change this PHP demo playbook template to, let's see, I'll go to it and I'm going to, oh, I need to change the project actually, not the playbook. Change the project here to use the branch, what was it called, awx-version. So save that, so now it's gonna use that branch, and I think it's already getting the latest version. Let me see, I think when you save it, it actually updates it. If I go to jobs, let's see if it's doing that right now. Yeah, so it's doing that right now, job is still running, and there it goes, and pulled it. And another thing to note is, I don't know if this is a bug or not, and there's an issue for it on Ansible AWX's repository, but when you pull the project it doesn't actually pull the dependencies. So it doesn't pull these things when you pull the project, it only pulls them when you run the job template, so that's just something to look out for. So I'm going to go back here and run this again, and what it should do is it'll pull the project and install the dependencies this time since it's using a job template to do it, and then this should actually hopefully work as long as the credential that I have is valid. We'll see. All right, so this is root. Why is
it trying to connect with root? That ain't gonna work. Let's go over to live debugging time with inventories. There's an exclamation point, what does that mean? This says what? Oh, it's just associated with some failed jobs. All right, I'm gonna put ansible_user, and what is it, admin. Admin. Save that. Let's see if we can force it that way. I don't know why it's trying to connect as root. I thought it would pick up the fact that this credential here's username is admin, so maybe it doesn't pull from that, it pulls from the inventory. So I'm gonna run this again and see what it does this time. All right, running. Well, it's definitely doing something. Oh, it's pulling the project right now and installing the dependencies.

One other thing that can be a challenge sometimes, and this is one reason, I'll get to this in a minute, sometimes I actually commit all the dependencies to the project and I don't use a requirements file, is because every time that you run this it's pulling all the dependencies from Galaxy. If Galaxy has an outage, and this happens with GitHub a lot of times when people deploy applications, if Galaxy is having an outage and you need to run your playbook and it can't pull from Galaxy, it'll fail. So that can be a little bit of a bummer, I guess, so that's one argument sometimes in favor of including your dependencies.

In this case I don't know why it's doing this to me. I'm gonna try running the authorized key. I wonder if what I'm doing is actually accidentally overriding my other authorized key each time that I do this. Let's try this again and run it. At least we get to click the little rocket icon a lot, it's very appropriate for today, lots of rockets happening here. And while it's doing this I'll glance at live chat. I noticed a few people asking very specific questions about problems that they might be having in AWX and Tower, and unfortunately in a one-hour live stream I can't cover the full gamut of all of AWX's
functionality, because there's a lot of things over here that I haven't even clicked on and talked about, things like using organizations and RBAC and all that. But you can set it up so that some people are like the admins who have access to everything, other people are able to just run jobs and maybe run things on schedules, other people can configure things, and then you can even have a set of people, like maybe the end users who are building applications, they can just run, or they could just see the output and they wouldn't have any control or access to run things, because sometimes you give somebody power and they blow things up.

I don't know why this is happening here, but you can trust me that this actually worked last night. I think I must have messed something up with the authorized key that I'm using for the server, or somebody may have found a way to break things, but I find that doubtful. I'm guessing I'm just doing something slightly wrong in here, but let's see. I'm just trying to think of if it's something really simple or not. Permission denied, admin. And the weird thing is, let me, so if you click on it, that's interesting, I didn't even know that feature. If you click on this it brings up the task as a little snippet about each task that ran. I'm gonna try ssh -i, what is the path, Downloads, varnish, varnish PHP, and then it's admin at that. That's interesting. I know, not admin admin. So that's working. This is really strange. I don't know why this is not working today, it worked last night. Maybe credentials. Let me try one more thing here. Let's see, replace. I'm going to copy this out again. Clear. What is it, Downloads, varnish PHP, varnish PHP, pbcopy, copy it to the clipboard. Username is admin, machine credential, that's the private key. They got that extra space, but I don't think that causes a problem. Actually I'm gonna take this off, maybe that was it, because I don't need to be sudo unless I say so in the playbook. Save. I don't know
if that was it, but I re-pasted this credential. We'll see if that works. Rerun this job and let's see if it actually works this time, because I just verified that the key is working on here, because if I log in with that key it lets me log in. So it could also be, I mean, there's a lot of other little things that could be going on. Maybe there's something in fail2ban that is banning my login on this server now, because I do have fail2ban running on the server, so maybe I've secured it so well that I can't even get into it myself. But we'll see what happens this time. Project finished. Nope. Yeah, so I don't know, it's saying permission denied, public key, so I don't know why it's not picking up the right key. And again, you have to trust me that this actually worked when I tried it out last night, but that is the privilege and honor of doing live demonstrations, that they kind of blow up in your face sometimes, and this one did.

But imagine if you can that this ran and it was so glorious and wonderful and it looked just like this, the output was coming out, and I was going to talk about how great it is now to have everything running in Tower, because now I can go to the dashboard and see how my jobs are working. Of course here you can see that there's a lot of failed jobs. This is not supposed to have gone this way, but Tower gives you some of these options, AWX gives you some of these things, that you can see at a glance how your playbooks are doing, whether they're resulting in failures and things. Another cool thing that this enables is if you use Ansible's, the Red Hat Ansible Automation Platform on cloud.redhat.com, there's also automation analytics that this ties into, and so you can see at a glance how your entire organization's playbooks and things are running, or in my case how much you fail. The extent of your failure can be quantified very easily, and in this case my failure level is 5. So anyway, that's the quick
introduction to Ansible AWX and Tower. I'll run through a few other things here really quick. So jobs just lists all of the jobs that are running, so you can see the SCM updates, when it does the git pulls. Those seem to work fine, but the playbooks are not running fine here. And you can always go in and see the details by clicking on anything, and I like it because it gives you all the output, it's colorized, it gives you the output live as it's running, which is nice because a lot of tools might not show you that live. Especially if you build your own thing, it's actually kind of hard to implement live streaming output into your browser from a terminal console, but it does that. Schedules, it lets you set up other jobs that you can run on a schedule. Like you could have a nightly job that runs something that checks if your servers are all up to date, or runs a nightly backup job if you want to run it through Ansible instead of using some other backup system, all those kind of things. My View is a customizable dashboard. We already looked at templates a little bit, we looked at credentials, we looked at projects. With inventories, I wish I had the time to go into it today, but I might have time for it in next episode when we're going to talk about dynamic inventories, being able to use your own inventory scripts to generate inventory for Ansible playbook runs, and I promise that time I'll have this working a little better so I won't just run it and then it fails.

But then there's also all the RBAC controls under access. You can create organizations that have different levels of permissions and different projects inside of them, and Ansible Tower and AWX do a good job of kind of insulating all of your playbooks and credentials and things so that one organization can't see the other organization's credentials or playbooks or data from job runs and things like that. And you can get a glance at all the different users and
teams in your installation, and then there's a bunch of different settings for Ansible Tower and AWX. So that is the quick introduction to Tower and AWX, and as I mentioned previously I am still working on the updated chapter in the book for this. It's a work in progress. I think there's an issue open on here, let me look really quick. There's an issue from a long time ago, Tower, yeah, actually this one is not from a long, long time ago, the 26, but there was an issue that I had open a long time before this about updating it and I just haven't had the time to get around to it. And in the book in Chapter 11, which I'll get to really quick here, in chapter 11 there's also a section, I believe, no, that's, I'm testing, this has also been a little bit rearranged recently because of the fact that I moved the testing into its own chapter. I also have a section in here on Jenkins, which, right there, you can get the book to be able to read the whole thing, but they have a section on Jenkins. It's another option. Ansible is automation, it's being able to do a set of steps in order that you want to do, so you can use Ansible Tower or AWX, or if you're already using Jenkins for everything else, Ansible can be integrated with Jenkins pretty easily and you can run jobs through Jenkins. You can run it with any of the CI systems on the planet, basically, and Molecule can help with testing and it can also help with scaffolding and things like that if you need to.

But as I said at the beginning of this episode, and thank you in live chat, I'm sure some people probably were giving me the right suggestion and I'll probably see that later and smack myself in the face, but as I said before, you know, as we get deeper into Ansible, things are more complicated, mostly because there's a lot of different ways to do something. And you know, even with Tower here, I set up this inventory manually using all the different options in here, but I could also import
this inventory script. I forget exactly where that is, I think it's like smart inventory maybe, no, I don't remember exactly where it's from, maybe it's under projects or something, but there's a way that you can import the inventory script from your actual project itself so that you don't have to build inventory by hand. And then there's also dynamic content, or, since we're running in Amazon EC2, which I'll talk about next week. And as things get more complicated there's more ways to do things, there's of course more ways for things to fail like they just did here. And thank you in the live chat for being able to help and support other people who might have questions that I can't get to in these live streams, since I only have an hour for them.

But again, thank you very much to the sponsors. Let me set up our first job template. It didn't work out perfectly, but next week I'll probably figure out what happened and let you know next week. It's probably something silly, almost always is. And I hope that you guys can all make the launch. I hope that it happens. I know there's a tropical storm today that's kind of slowing things down over there, but 4:30 today is when that happens, and I will definitely be having my NASA shirt on, we'll have it on the big TV, and my kids are all wearing their space paraphernalia as well.

Anything good in the chat that I missed, if somebody wants to pop something in here while I'm glancing before I wrap up completely? Let's see, some people talking about Podman and such. Yeah, nothing else there. Okay, yeah, and someone mentioned, Dan mentioned that using Jenkins and Tower together, it happens a lot in the automation world, especially since a lot of these products, like Tower is great at certain things but it's not as good at some other things that might fit another use case somewhere, and so you might end up using Jenkins, Tower and something else. You might use some cloud platform to do some of
your things. That's kind of life, it's a little bit messy in the real world of computing, but that's how it is. For instance, I have two different Raspberry Pi clusters that I'm testing here, and there's multiple ways to do things, and some ways are better for one use case, some ways are better for another use case. But I think I will wrap it up there, and as I've mentioned before you can support me on GitHub Sponsors or Patreon. My Twitter account's down here, I'm geerlingguy wherever you want to find me. And oh goodness, somebody just fell down upstairs, hopefully not a broken skull or anything, but that happens about three or four times a day. Anyway, let's see, so next week we're going to talk about dynamic inventories. I will hopefully have AWX working correctly that time so that I can show how to connect to these instances in Amazon using Amazon inventory instead of manual, and we'll go from there. So thank you very much and I'll see you next week.
Info
Channel: Jeff Geerling
Views: 36,232
Rating: 4.9343066 out of 5
Keywords: ansible, ansible 101, devops, playbook, automation, tower, awx
Id: iKmY4jEiy_A
Length: 59min 38sec (3578 seconds)
Published: Wed May 27 2020