• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Ansible, a free and open-source Python-based project by Red Hat, is a popular configuration management and IT automation platform.

    It is multi-platform and can work with most modern operating systems, including Linux, Windows, and Mac. It supports a declarative language written in YAML or YAML Ain't Markup Language to describe system configuration.

    Ansible, along with other modern configuration management platforms, has revolutionized IT automation and industry standards. Configuration management tools have become part of the DevOps toolset and are an inseparable part of any modern IT process lifecycle. This is applicable for any modern infrastructure environment, whether built on an on-premises, hybrid, or cloud environment. Not only for DevOps, but Ansible can also help automate many day-to-day tasks done by a System Administrator.

    One of the advantages of using Ansible is that it is agent-less and doesn’t need much to get started besides SSH access to the target machine and the supported version of Python, which is already installed by default on most modern operating systems. Also, since it’s a lightweight tool, it can be deployed and used with a legacy to innovative systems.

    Uses of Ansible

    Orchestration

    Ansible is a tool of choice for orchestrating various system administration and deployment tasks. Playbooks allow using the same orchestration workflows across different projects and YAML based configuration data allows storing and versioning your infrastructure on Git repository or any supported version control platform.

    Application Deployment

    Whether it’s a simple few lines code application or multi-tier heavy-weight deployment, Ansible makes it possible to automate the end-to-end application deployment lifecycle.

    Security and Compliance

    Ansible can also help ensure your systems are secured as per your organization’s guidelines and compliant with industry standards. It can run across thousands of servers, generate an audit, and fix those security holes, giving the administrator complete control of the environment.

    Let’s now look at some of the common Sysadmin Tasks you can automate with Ansible.

    Copy files from a local or remote system

    As a System Administrator, it is common to copy files from one directory to another. Configuration files often need to be copied to remote servers, or sometimes we need to move files from one remote location to another.

    Ansible copy module can help you do these tasks in a playbook.

    It’s a routine task for a sysadmin to know the status of managed servers and perform predefined actions as per the organization’s policies. One such task is to know server uptime. With Ansible, we can easily fetch uptime values and print them together. An example to copy ntp configuration from local to a remote server using copy module is shown below:

    ---
    - hosts: all
      gather_facts: no
      become: yes
      tasks:
        - name: Copy a new ntp configuration file and back up the original, if it differs
          copy:
            src: ./ntp.conf
            dest: /etc/ntp.conf
            owner: root
            group: root
            mode: '0644'
            backup: yes

    Configure additional cron jobs

    Setting up scheduled jobs to carry out routine tasks is part of managing any server. You can schedule automatic backups, patching, auditing, etc., during certain times of day or month automatically and leaving productive time for your use.

    cron is one such tool in Linux that supports scheduling, and Ansible can help you add or modify those jobs. As an example, the below playbook demonstrates how you can set a rsync job as root on some or all of your servers easily using Ansible.

    ---
    - hosts: all
      gather_facts: no
      become: yes
      tasks:
        - name: Deploy cron job
          cron:
            name: "Set rsync job"
            user: root
            minute: "5"
            hour: "4"
            job: "rsync -avz /path/to/folder1 /path/to/folder1 2>&1"

    Manage disks and filesystems

    Ansible can be used to manage disks, partition layouts, filesystems, and mounts, including /etc/fstab on Linux servers. Different Ansible module makes this possible. Here’s an example that creates a partition on a 100GB disk, formats it with ext4 filesystem creates a new directory for mounting the partition and finally mounts it on a given directory. An entry in /etc/fstab is also created through temporary or permanent mount depending on module options.

    ---
    - hosts: all
      gather_facts: no
      become: yes
      tasks:
        - name: Create a partition
          parted:
            device: /dev/sdb
            number: 1
            part_end: "100%"
            state: present
        - name: Format new partition
          filesystem:
            fstype: ext4
            dev: /dev/sdb1
        - name: Create mount directory
          file:
            path: /data
            state: directory
        - name: Mount partition
          mount:
            path: /data
            src: /dev/sdb1
            fstype: ext4
            state: mounted

    Collect server logs

    Keeping logs in a convenient place is sometimes essential for security, audit as well as analysis. Ansible allows the collection of logs from different servers in your enterprise environment and keeps them in your defined location easily. Here’s the playbook to achieve this:

    ---
    - hosts: all
      gather_facts: no
      become: yes
      tasks:
      
        - name: Find logs
          find:
            paths: /var/log/
            patterns: '*.log'
            recurse: yes
          register: _logs
    
        - name: Fetch logs
          fetch:
            src: "{{ item.path }}"
            dest: /tmp/logs
          with_items: "{{ _logs.files }}"

    Install or remove packages and software

    Packages are often required to be installed on user requests or as part of initial server builds. We may also need to remove certain packages which are no longer needed or have some critical bugs etc. Ansible allows you to easily install or remove packages without the hassle of going to each server and running manual commands. Here’s an example demonstrating the installation and removal of one package each for Ubuntu and RHEL/CentOS-based Linux servers.

    ---
    - hosts: ubuntu
      gather_facts: no
      tasks:
        - name: Install lsof utility
          apt:
            pkg: lsof
            state: latest
          sudo: yes
        - name: Remove ARP Scan utility
          apt:
            pkg: arp-scan
            state: absent
          sudo: yes
          
     ---
    - hosts: centos
      gather_facts: no
      tasks:
        - name: Install lsof utility
          yum:
            pkg: lsof
            state: latest
          sudo: yes
        - name: Remove ARP Scan utility
          yum:
            pkg: arp-scan
            state: absent
          sudo: yes

    Managing users

    Users and groups form the basic structure around which Unix/Linux-based systems manage access and permissions. In a big organization, managing users and groups can be a big challenge despite automation to support the environment.

    With Ansible, the system administrator has an excellent tool to create, modify and delete users and groups with all different possibilities supported in the OS.

    Here’s a simple example that shows the creation and deletion of users and groups using Ansible. After this playbook runs, target servers will have groupA and groupB created with given GIDs while user1 will be removed, if present. A new user without a shell will be created as user2 with given UID, groups assigned, and locked password.

    ---
    - hosts: all
      gather_facts: no
      become: yes
      tasks:
        - group:
            gid: 12310
            name: groupA
            state: present
        - group:
            gid: 12311
            name: groupB
            state: present
        - user:
            name: user1
            state: absent
        - user:
            name: user2
            uid: 12427
            shell: /bin/false
            password_lock: yes
            groups: groupA, groupB

    Managing services

    Services are process daemons that run in the background and serve some service like sshd providing SSH connectivity etc. Using Ansible, you can manage system and user services, like starting, stopping, and restarting them. Here’s a sample playbook to demonstrate that:

    ---
    - hosts: all
      gather_facts: no
      become: yes
      tasks:
        - name: Restart ssh daemon
          service:
            name: ssh
            state: restarted
        - name: Restart sssd daemon
          service:
            name: sssd
            state: stopped
        - name: Restart httpd daemon
          service:
            name: httpd
            state: started

    In the above example, the SSH service will be restarted while stopping the SSSD service next. The httpd daemon is started towards the end. As Ansible is idempotent, any service which is already started or stopped will not be changed while restarting always changes service state. Do remember to check service name as different Linux distributions use other names even for the same service like ssh and sshd.

    Summary 👨‍💻

    Ansible makes the life of a system administrator easy by allowing you to execute repeated and time-consuming tasks in an automated way and reducing human errors and effort. Further, it will enable the storage of configuration data in a central code repository like Git, allowing multiple users to collaborate and review each activity.

    To read more about Ansible and its extensive set of modules, refer to its documentation.