The Ansible Configuration Manager

The Ansible configuration manager provides integration with an Ansible management server.


The integration supports these features from the CloudBolt UI:

  • Assignment of Ansible groups on servers
  • Automatic execution of designated playbooks on server provision


CloudBolt’s Ansible support makes a few assumptions about your Ansible environment. If your environment deviates from these assumptions, Ansible support may not work correctly. These assumptions are:

  • Direct connectivity from the CloudBolt server to the Ansible management server
  • Direct connectivity from the CloudBolt server to the new servers being built over SSH
  • sshd installed and set to automatically start on newly deployed Linux servers
  • CloudBolt configured to know the initial username & password on the servers being built
  • Commands on the Ansible management server cannot be run in interactive mode, so passwords cannot be entered when running playbooks or ad-hoc commands. Therefore, servers within the inventory must have a user that can connect via password-less SSH. If that is not enabled by default on the images used to provision servers, CloudBolt includes an out-of-the-box plugin that can push an SSH public key to a server. That plugin is used as an orchestration action at the ‘Pre-Application Installation’ trigger point, but is disabled by default.
  • If any playbooks require sudo, the Ansible management server must be able to connect without using a password. That means any applicable servers within the inventory must use the root user or have password-less sudo authorized for the user specified in the playbook, as interactive mode would not be possible from CloudBolt. Because the setup varies by OS, it is left up to the image being used to provision, but customizations could always be scripted as a Remote Script to run on the server post-provision.
  • The Ansible management server must be configured to use the correct user name. If playbooks don’t specify a user, then the management server’s .cfg file must set a value for ‘remote_user’.
  • Ansible can’t access a server until the server’s SSH host key is added to the management server’s known_hosts. See the Ansible docs if you wish to disable this behavior.
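A preflight check for the last two assumptions, as an added example (not CloudBolt or Ansible code). It assumes the management server's configuration is an INI-style ansible.cfg with `key = value` lines, and it inspects only the file, not environment-variable overrides; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. cfg_get <ansible.cfg> <key>
# Prints the value of <key> from the [defaults] section (empty if unset).
cfg_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_defaults = ($0 ~ /^[ \t]*\[defaults\]/); next }
        in_defaults {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val            # last assignment wins
        }
        END { if (found != "") print found }
    ' "$1"
}

# preflight_cfg <ansible.cfg>
# Prints one FAIL line per finding and returns non-zero if there is any.
preflight_cfg() {
    cfg=$1
    rc=0
    # Playbooks that name no user rely on this setting.
    if [ -z "$(cfg_get "$cfg" remote_user)" ]; then
        echo "FAIL: remote_user is not set in [defaults]"
        rc=1
    fi
    # Flag the "disable this behavior" route: with checking off, the host
    # keys of newly built servers are accepted without verification.
    case "$(cfg_get "$cfg" host_key_checking | tr '[:upper:]' '[:lower:]')" in
        false|no|off|0)
            echo "FAIL: host_key_checking is disabled; host keys of new servers are accepted unverified"
            rc=1 ;;
    esac
    return $rc
}
```

Run it as `preflight_cfg /path/to/ansible.cfg` on the management server before pointing CloudBolt at it.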

Enabling this Feature

To install this feature, create a management server according to Ansible’s documentation:

Connecting CloudBolt with an Ansible management server

This section describes how to create an Ansible configuration manager that can be used to take advantage of CloudBolt–Ansible integration.

Creating an Ansible Configuration Manager in CloudBolt

  1. Navigate to the Configuration Managers admin page in the CloudBolt web interface.
  2. Click the Add a configuration manager button, then click Ansible in the resulting dialog.
  3. Fill out the form, then click the Create button to create your configuration manager and show its detail page.

Harnessing Ansible’s Power from CloudBolt

After associating your new Ansible configuration manager with the right environments, create playbooks by going to the manager’s detail page, clicking on the Playbooks tab and clicking Add a Playbook. That will map the path of a playbook on the management server to a human-readable name in CloudBolt.

Next, add groups on the Inventory tab. You can choose from your existing playbooks to be run on initialization of a server when it is added to the group, or to just be available to run on that group’s servers at any point.

New servers can be added to an existing Ansible group by installing the application associated with the group name.

After initial installation of a new server in an Ansible environment, you can choose to install and remove applications from the server at any point (either from the server list page or the server’s detail page). Removing an application will disassociate that server from that group, and will remove the server from the Ansible inventory.

Connecting to Servers

By default, Ansible manages machines over the SSH protocol. Playbooks must be able to connect to servers via password-less SSH keys, as passwords shouldn’t be entered as each playbook is run.

Technically, a password could be passed as an extra variable to a playbook run via the ‘Extra vars’ property on the configuration manager instance. However, that would involve storing the password in plain text and passing it to the shell command running the playbook, which is not recommended. Also, every server managed by the instance would have to use the same credentials.

Ideally, each server managed by Ansible will have a public key available to the user Ansible is trying to connect as. Then, the Ansible management server will have the matching private key added to its SSH config. If a user can manually run playbooks on the management server without entering a password, then CloudBolt should be able to as well.

This can be accomplished by including a public key in the image or template that is used to create the servers being managed by Ansible. Or, an orchestration action could be used by CloudBolt to install the public key after the provision process has completed.
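What installing that public key involves on the target server, as an added example (not CloudBolt's bundled plugin or orchestration action). It assumes the OpenSSH `~/.ssh/authorized_keys` layout; the function name and arguments are hypothetical.

```shell
#!/bin/sh
# Added example. install_pubkey <home_dir> <public_key_file>
# Idempotently authorizes one public key for the account Ansible connects as.
# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept exactly one line; a multi-line file is most likely a private
    # key passed by mistake, which must never be copied to a managed server.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "expected exactly one key line in $pubkey_file" >&2
        return 1
    fi
    key_line=$(cat "$pubkey_file")
    case "$key_line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd's StrictModes (on by default) ignores keys kept under
    # group- or world-writable paths, so create everything owner-only.
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only when the exact line is absent, so re-running the
    # action on an already prepared server changes nothing.
    if ! grep -qxF -- "$key_line" "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
)
```

The matching private key stays on the Ansible management server; only the `.pub` file is ever passed to this function.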

Password-less sudo

If a playbook requires sudo to run properly, then password-less sudo must be enabled on the server for the given user. The instructions for this vary by OS. For example, Ubuntu allows this to be set via the visudo command. Assuming the playbook is configured properly and can be run manually on the management server, no further changes are required for CloudBolt to run the playbook successfully.

Running Playbooks on Servers

Two server actions related to Ansible are provided by CloudBolt, but are disabled by default. One is named “Ansible: Run Playbook”, and it allows choosing one of the playbooks available for a server and running it against that server. The other is “Ansible: Run Ad-hoc Command”, and it allows a user to manually enter any valid Ansible module to run against the current server. To activate these actions, go to Admin -> Server Actions, search for ‘Ansible’, and toggle the desired actions to ‘Enabled’.

These server actions probably should be limited to just servers provisioned in the given Ansible environment. To do that, manage the underlying plugin by expanding the server action and clicking on the plug-in that is listed. Then, on the plug-in’s detail page, click the Edit button at the top and add your Ansible configuration manager to the Configuration managers dropdown.