diff --git a/docsite/latest/rst/playbooks2.rst b/docsite/latest/rst/_old_playbooks2.rst similarity index 100% rename from docsite/latest/rst/playbooks2.rst rename to docsite/latest/rst/_old_playbooks2.rst diff --git a/docsite/latest/rst/contrib.rst b/docsite/latest/rst/contrib.rst deleted file mode 100644 index 5100a1c978..0000000000 --- a/docsite/latest/rst/contrib.rst +++ /dev/null @@ -1,109 +0,0 @@ -Ansible Resources -================= - -User contributed playbooks, modules, and articles. This is a small -curated list, but growing. Everyone is encouraged to add to this -document, just `edit it on Github `_ -and send a pull request! - -Ansible Modules -``````````````` - -Ansible modules are a way of adding new client-side logic to ansible. -They can be written in any language. Generally our goal is to include most modules in core ("batteries included!"), -though a few may remain outside of core depending on use cases and implementations. - -- `Official "core" ansible modules `_ - various -- `Linode `_ - Lex Toumbourou -- `zypper (bash module example) `_ - jp\_mens -- `additional provisioning-related modules `_ - jhoekx and dagwieers -- `dynamic dns updates `_ - jp\_mens -- `apk-tools `_ - Bartłomiej Piotrowski - -All python modules (especially all submitted to core) should use the common "AnsibleModule" class to dramatically reduce the amount of boilerplate code required. - -Not all modules above may take advantage of this feature. See the official documentation for more details. - -Selected Playbooks -`````````````````` - -`Playbooks `_ are Ansible's -configuration management language. It should be easy to write your own -from scratch for most applications (we keep the language simple for EXACTLY that reason), but it can -be helpful to look at what others have done for reference and see what is possible. - -The ansible-examples repo on github contains some examples of best-practices Ansible content deploying some -full stack workloads: - -- `Ansible-Examples `_ - -And here are some other community-developed playbooks. Feel free to submit a pull request to the docs -to add your own. - -- `edX Online `_ - `edX Online `_ -- `Fedora Infrastructure `_ - `Fedora `_ -- `Hadoop `_ - jkleint -- `LAMP `_ - `Four Kitchens `_ -- `LEMP `_ - francisbesset -- `Ganglia (demo) `_ - mpdehaan -- `Nginx `_ - cocoy -- `OpenStack `_ - lorin -- `Systems Configuration `_ - cegeddin - -Callbacks and Plugins -````````````````````` - -The Ansible project has a whole repo devoted to extending ansible with -new connection types, logging/event callbacks, and inventory data -storage. Talk to Cobbler and EC2, tweak the way things are logged, or -even add sound effects. - -- `Ansible-Plugins `_ -- `Various modules, plugins, and scripts `_ sergevanginderachter - -Scripts And Misc -```````````````` - -Ansible isn't just a program, it's also an API. Here's some examples of -some clever integrations with the "Runner" and also Playbook APIs, and -integrations with other interesting pieces of software. - -- `Ansible Vagrant plugin `_ - dsander -- `Ansible+Vagrant Tutorial `_ - mattupstate - -- `virt-install `_ - skvidal -- `rebooting hosts `_ - skvidal -- `uptime (API demo) `_ - mpdehaan -- `vim snippet generator `_ - bleader - -Blogs, Videos & Articles -```````````````````````` - -- `HighScalability.com `_ - mpdehaan -- `ColoAndCloud.com interview `_ - mpdehaan -- `dzone `_ - Mitch Pronschinske -- `Configuration Management With Ansible `_ - jp\_mens -- `Shell Scripts As Ansible Modules `_ - jp\_mens -- `Ansible Facts `_ - jp\_mens -- `Infrastructure as Data `_ - cocoy -- `Ansible Pull Mode `_ - cocoy -- `Exploring Configuration Management With Ansible `_ - Palamino DB -- `You Should Consider Using SSH Based Configuration Management `_ - LShift Ltd -- `Deploying Flask/uWSGI, Nginx, and Supervisorctl `_ - mattupstate -- `Infracoders Presentation `_ - Daniel Hall -- `Ansible - an introduction `_ - jp\_mens -- `Using Ansible to setup complex networking - `_ - Robert Verspuy -- `Video presentation to Montreal Linux `_ - Alexandre Bourget -- `Provisioning CentOS EC2 Instances with Ansible `_ - jp\_mens - -Disclaimer -`````````` - -Modules and playbooks here may not be using the latest in Ansible -features. When in doubt to the features of a particular version of -Ansible, always consult `ansibleworks.com `_ and in -particular see `Best Practices `_ -for some tips and tricks that may be useful. - -Ansible is (C) 2012, `Michael DeHaan `_ -and others and is available under the GPLv3 license. Content here is as -specified by individual contributors. diff --git a/docsite/latest/rst/api.rst b/docsite/latest/rst/developing_api.rst similarity index 100% rename from docsite/latest/rst/api.rst rename to docsite/latest/rst/developing_api.rst diff --git a/docsite/latest/rst/developing_callbacks.rst b/docsite/latest/rst/developing_callbacks.rst new file mode 100644 index 0000000000..b07cba206d --- /dev/null +++ b/docsite/latest/rst/developing_callbacks.rst @@ -0,0 +1,397 @@ +API & Integrations +================== + +There are several interesting ways to use Ansible from an API perspective. You can use +the Ansible python API to control nodes, you can extend Ansible to respond to various python events, +and you can plug in inventory data from external data sources. Ansible is written in its own +API so you have a considerable amount of power across the board. + +.. contents:: `Table of contents` + :depth: 2 + +Python API +---------- + +The Python API is very powerful, and is how the ansible CLI and ansible-playbook +are implemented. + +It's pretty simple:: + + import ansible.runner + + runner = ansible.runner.Runner( + module_name='ping', + module_args='', + pattern='web*', + forks=10 + ) + datastructure = runner.run() + +The run method returns results per host, grouped by whether they +could be contacted or not. Return types are module specific, as +expressed in the 'ansible-modules' documentation.:: + + { + "dark" : { + "web1.example.com" : "failure message" + }, + "contacted" : { + "web2.example.com" : 1 + } + } + +A module can return any type of JSON data it wants, so Ansible can +be used as a framework to rapidly build powerful applications and scripts. + +Detailed API Example +```````````````````` + +The following script prints out the uptime information for all hosts:: + + #!/usr/bin/python + + import ansible.runner + import sys + + # construct the ansible runner and execute on all hosts + results = ansible.runner.Runner( + pattern='*', forks=10, + module_name='command', module_args='/usr/bin/uptime', + ).run() + + if results is None: + print "No hosts found" + sys.exit(1) + + print "UP ***********" + for (hostname, result) in results['contacted'].items(): + if not 'failed' in result: + print "%s >>> %s" % (hostname, result['stdout']) + + print "FAILED *******" + for (hostname, result) in results['contacted'].items(): + if 'failed' in result: + print "%s >>> %s" % (hostname, result['msg']) + + print "DOWN *********" + for (hostname, result) in results['dark'].items(): + print "%s >>> %s" % (hostname, result) + +Advanced programmers may also wish to read the source to ansible itself, for +it uses the Runner() API (with all available options) to implement the +command line tools ``ansible`` and ``ansible-playbook``. + +Plugins Available Online +------------------------ + +The remainder of features in the API docs have components available in `ansible-plugins `_. Send us a github pull request if you develop any interesting features. + +External Inventory Scripts +-------------------------- + +Often a user of a configuration management system will want to keep inventory +in a different system. Frequent examples include LDAP, `Cobbler `_, +or a piece of expensive enterprisey CMDB software. Ansible easily supports all +of these options via an external inventory system. The plugins directory contains some of these already -- including options for EC2/Eucalyptus and OpenStack, which will be detailed below. + +It's possible to write an external inventory script in any language. If you are familiar with Puppet terminology, this concept is basically the same as 'external nodes', with the slight difference that it also defines which hosts are managed. + +Script Conventions +`````````````````` + +When the external node script is called with the single argument '--list', the script must return a JSON hash/dictionary of all the groups to be managed. +Each group's value should be either a hash/dictionary containing a list of each host/IP, potential child groups, and potential group variables, or +simply a list of host/IP addresses, like so:: + + { + "databases" : { + "hosts" : [ "host1.example.com", "host2.example.com" ], + "vars" : { + "a" : true + } + }, + "webservers" : [ "host2.example.com", "host3.example.com" ], + "atlanta" : { + "hosts" : [ "host1.example.com", "host4.example.com", "host5.example.com" ], + "vars" : { + "b" : false + }, + "children": [ "marietta", "5points" ], + }, + "marietta" : [ "host6.example.com" ], + "5points" : [ "host7.example.com" ] + } + +.. versionadded:: 1.0 + +Before version 1.0, each group could only have a list of hostnames/IP addresses, like the webservers, marietta, and 5points groups above. + +When called with the arguments '--host ' (where is a host from above), the script must return either an empty JSON +hash/dictionary, or a hash/dictionary of variables to make available to templates and playbooks. Returning variables is optional, +if the script does not wish to do this, returning an empty hash/dictionary is the way to go:: + + { + "favcolor" : "red", + "ntpserver" : "wolf.example.com", + "monitoring" : "pack.example.com" + } + +Tuning the External Inventory Script +```````````````````````````````````` + +.. versionadded:: 1.3 + +The stock inventory script system detailed above works for all versions of Ansible, but calling +'--host' for every host can be rather expensive, especially if it involves expensive API calls to +a remote subsystemm. In Ansible +1.3 or later, if the inventory script returns a top level element called "_meta", it is possible +to return all of the host variables in one inventory script call. When this meta element contains +a value for "hostvars", the inventory script will not be invoked with "--host" for each host. This +results in a significant performance increase for large numbers of hosts, and also makes client +side caching easier to implement for the inventory script. + +The data to be added to the top level JSON dictionary looks like this:: + + { + + # results of inventory script as above go here + # ... + + "_meta" : { + "hostvars" : { + "moocow.example.com" : { "asdf" : 1234 }, + "llama.example.com" : { "asdf" : 5678 }, + } + } + + } + + +Example: The Cobbler External Inventory Script +`````````````````````````````````````````````` + +It is expected that many Ansible users will also be `Cobbler `_ users. Cobbler has a generic +layer that allows it to represent data for multiple configuration management systems (even at the same time), and has +been referred to as a 'lightweight CMDB' by some admins. This particular script will communicate with Cobbler +using Cobbler's XMLRPC API. + +To tie Ansible's inventory to Cobbler (optional), copy `this script `_ to /etc/ansible/hosts and `chmod +x` the file. cobblerd will now need +to be running when you are using Ansible. + +Test the file by running `./etc/ansible/hosts` directly. You should see some JSON data output, but it may not have +anything in it just yet. + +Let's explore what this does. In cobbler, assume a scenario somewhat like the following:: + + cobbler profile add --name=webserver --distro=CentOS6-x86_64 + cobbler profile edit --name=webserver --mgmt-classes="webserver" --ksmeta="a=2 b=3" + cobbler system edit --name=foo --dns-name="foo.example.com" --mgmt-classes="atlanta" --ksmeta="c=4" + cobbler system edit --name=bar --dns-name="bar.example.com" --mgmt-classes="atlanta" --ksmeta="c=5" + +In the example above, the system 'foo.example.com' will be addressable by ansible directly, but will also be addressable when using the group names 'webserver' or 'atlanta'. Since Ansible uses SSH, we'll try to contract system foo over 'foo.example.com', only, never just 'foo'. Similarly, if you try "ansible foo" it wouldn't find the system... but "ansible 'foo*'" would, because the system DNS name starts with 'foo'. + +The script doesn't just provide host and group info. In addition, as a bonus, when the 'setup' module is run (which happens automatically when using playbooks), the variables 'a', 'b', and 'c' will all be auto-populated in the templates:: + + # file: /srv/motd.j2 + Welcome, I am templated with a value of a={{ a }}, b={{ b }}, and c={{ c }} + +Which could be executed just like this:: + + ansible webserver -m setup + ansible webserver -m template -a "src=/tmp/motd.j2 dest=/etc/motd" + +.. note:: + The name 'webserver' came from cobbler, as did the variables for + the config file. You can still pass in your own variables like + normal in Ansible, but variables from the external inventory script + will override any that have the same name. + +So, with the template above (motd.j2), this would result in the following data being written to /etc/motd for system 'foo':: + + Welcome, I am templated with a value of a=2, b=3, and c=4 + +And on system 'bar' (bar.example.com):: + + Welcome, I am templated with a value of a=2, b=3, and c=5 + +And technically, though there is no major good reason to do it, this also works too:: + + ansible webserver -m shell -a "echo {{ a }}" + +So in other words, you can use those variables in arguments/actions as well. You might use this to name +a conf.d file appropriately or something similar. Who knows? + +So that's the Cobbler integration support -- using the cobbler script as an example, it should be trivial to adapt Ansible to pull inventory, as well as variable information, from any data source. If you create anything interesting, please share with the mailing list, and we can keep it in the source code tree for others to use. + +Example: AWS EC2 External Inventory Script +`````````````````````````````````````````` + +If you use Amazon Web Services EC2, maintaining an inventory file might not be the best approach. For this reason, you can use the `EC2 external inventory `_ script. + +You can use this script in one of two ways. The easiest is to use Ansible's ``-i`` command line option and specify the path to the script. + + ansible -i ec2.py -u ubuntu us-east-1d -m ping + +The second option is to copy the script to `/etc/ansible/hosts` and `chmod +x` it. You will also need to copy the `ec2.ini `_ file to `/etc/ansible/ec2.ini`. Then you can run ansible as you would normally. + +To successfully make an API call to AWS, you will need to configure Boto (the Python interface to AWS). There are a `variety of methods `_ available, but the simplest is just to export two environment variables: + + export AWS_ACCESS_KEY_ID='AK123' + export AWS_SECRET_ACCESS_KEY='abc123' + +You can test the script by itself to make sure your config is correct + + cd plugins/inventory + ./ec2.py --list + +After a few moments, you should see your entire EC2 inventory across all regions in JSON. + +Since each region requires its own API call, if you are only using a small set of regions, feel free to edit ``ec2.ini`` and list only the regions you are interested in. There are other config options in ``ec2.ini`` including cache control, and destination variables. + +At their heart, inventory files are simply a mapping from some name to a destination address. The default ``ec2.ini`` settings are configured for running Ansible from outside EC2 (from your laptop for example). If you are running Ansible from within EC2, internal DNS names and IP addresses may make more sense than public DNS names. In this case, you can modify the ``destination_variable`` in ``ec2.ini`` to be the private DNS name of an instance. This is particularly important when running Ansible within a private subnet inside a VPC, where the only way to access an instance is via its private IP address. For VPC instances, `vpc_destination_variable` in ``ec2.ini`` provides a means of using which ever `boto.ec2.instance variable `_ makes the most sense for your use case. + +The EC2 external inventory provides mappings to instances from several groups: + +Instance ID + These are groups of one since instance IDs are unique. + e.g. + ``i-00112233`` + ``i-a1b1c1d1`` + +Region + A group of all instances in an AWS region. + e.g. + ``us-east-1`` + ``us-west-2`` + +Availability Zone + A group of all instances in an availability zone. + e.g. + ``us-east-1a`` + ``us-east-1b`` + +Security Group + Instances belong to one or more security groups. A group is created for each security group, with all characters except alphanumerics, dashes (-) converted to underscores (_). Each group is prefixed by ``security_group_`` + e.g. + ``security_group_default`` + ``security_group_webservers`` + ``security_group_Pete_s_Fancy_Group`` + +Tags + Each instance can have a variety of key/value pairs associated with it called Tags. The most common tag key is 'Name', though anything is possible. Each key/value pair is its own group of instances, again with special characters converted to underscores, in the format ``tag_KEY_VALUE`` + e.g. + ``tag_Name_Web`` + ``tag_Name_redis-master-001`` + ``tag_aws_cloudformation_logical-id_WebServerGroup`` + +When the Ansible is interacting with a specific server, the EC2 inventory script is called again with the ``--host HOST`` option. This looks up the HOST in the index cache to get the instance ID, and then makes an API call to AWS to get information about that specific instance. It then makes information about that instance available as variables to your playbooks. Each variable is prefixed by ``ec2_``. Here are some of the variables available: + +- ec2_architecture +- ec2_description +- ec2_dns_name +- ec2_id +- ec2_image_id +- ec2_instance_type +- ec2_ip_address +- ec2_kernel +- ec2_key_name +- ec2_launch_time +- ec2_monitored +- ec2_ownerId +- ec2_placement +- ec2_platform +- ec2_previous_state +- ec2_private_dns_name +- ec2_private_ip_address +- ec2_public_dns_name +- ec2_ramdisk +- ec2_region +- ec2_root_device_name +- ec2_root_device_type +- ec2_security_group_ids +- ec2_security_group_names +- ec2_spot_instance_request_id +- ec2_state +- ec2_state_code +- ec2_state_reason +- ec2_status +- ec2_subnet_id +- ec2_tag_Name +- ec2_tenancy +- ec2_virtualization_type +- ec2_vpc_id + +Both ``ec2_security_group_ids`` and ``ec2_security_group_names`` are comma-separated lists of all security groups. Each EC2 tag is a variable in the format ``ec2_tag_KEY``. + +To see the complete list of variables available for an instance, run the script by itself:: + + cd plugins/inventory + ./ec2.py --host ec2-12-12-12-12.compute-1.amazonaws.com + +Example: OpenStack Inventory Script +``````````````````````````````````` + +Though not detailed here in as much depth as the EC2 module, there's also a OpenStack Compute external inventory source in the plugins directory. It requires the Grizzly release of OpenStack or +later. See the inline comments in the module source for how to use it. + +Callback Plugins +---------------- + +Ansible can be configured via code to respond to external events. This can include enhancing logging, signalling an external software +system, or even (yes, really) making sound effects. Some examples are contained in the plugins directory. + +Connection Type Plugins +----------------------- + +By default, ansible ships with a 'paramiko' SSH, native ssh (just called 'ssh'), and 'local' connection type, and an accelerated connection type named 'fireball'. All of these can be used +in playbooks and with /usr/bin/ansible to decide how you want to talk to remote machines. The basics of these connection types +are covered in the 'getting started' section. Should you want to extend Ansible to support other transports (SNMP? Message bus? +Carrier Pigeon?) it's as simple as copying the format of one of the existing modules and dropping it into the connection plugins +directory. The value of 'smart' for a connection allows selection of paramiko or openssh based on system capabilities, and chooses +'ssh' if OpenSSH supports ControlPersist, in Ansible 1.2.1 an later. Previous versions did not support 'smart'. + +Lookup Plugins +-------------- + +Language constructs like "with_fileglob" and "with_items" are implemented via lookup plugins. Just like other plugin types, you can write your own. + +Vars Plugins +------------ + +Playbook constructs like 'host_vars' and 'group_vars' work via 'vars' plugins. They inject additional variable +data into ansible runs that did not come from an inventory, playbook, or command line. Note that variables +can also be returned from inventory, so in most cases, you won't need to write or understand vars_plugins. + +Filter Plugins +-------------- + +If you want more Jinja2 filters available in a Jinja2 template (filters like to_yaml and to_json are provided by default), they can be extended by writing a filter plugin. + +Distributing Plugins +-------------------- + +.. versionadded:: 0.8 + +Plugins are loaded from both Python's site_packages (those that ship with ansible) and a configured plugins directory, which defaults +to /usr/share/ansible/plugins, in a subfolder for each plugin type:: + + * action_plugins + * lookup_plugins + * callback_plugins + * connection_plugins + * filter_plugins + * vars_plugins + +To change this path, edit the ansible configuration file. + +In addition, plugins can be shipped in a subdirectory relative to a top-level playbook, in folders named the same as indicated above. + +.. seealso:: + + :doc:`modules` + List of built-in modules + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + `irc.freenode.net `_ + #ansible IRC chat channel + diff --git a/docsite/latest/rst/developing_inventory.rst b/docsite/latest/rst/developing_inventory.rst new file mode 100644 index 0000000000..b07cba206d --- /dev/null +++ b/docsite/latest/rst/developing_inventory.rst @@ -0,0 +1,397 @@ +API & Integrations +================== + +There are several interesting ways to use Ansible from an API perspective. You can use +the Ansible python API to control nodes, you can extend Ansible to respond to various python events, +and you can plug in inventory data from external data sources. Ansible is written in its own +API so you have a considerable amount of power across the board. + +.. contents:: `Table of contents` + :depth: 2 + +Python API +---------- + +The Python API is very powerful, and is how the ansible CLI and ansible-playbook +are implemented. + +It's pretty simple:: + + import ansible.runner + + runner = ansible.runner.Runner( + module_name='ping', + module_args='', + pattern='web*', + forks=10 + ) + datastructure = runner.run() + +The run method returns results per host, grouped by whether they +could be contacted or not. Return types are module specific, as +expressed in the 'ansible-modules' documentation.:: + + { + "dark" : { + "web1.example.com" : "failure message" + }, + "contacted" : { + "web2.example.com" : 1 + } + } + +A module can return any type of JSON data it wants, so Ansible can +be used as a framework to rapidly build powerful applications and scripts. + +Detailed API Example +```````````````````` + +The following script prints out the uptime information for all hosts:: + + #!/usr/bin/python + + import ansible.runner + import sys + + # construct the ansible runner and execute on all hosts + results = ansible.runner.Runner( + pattern='*', forks=10, + module_name='command', module_args='/usr/bin/uptime', + ).run() + + if results is None: + print "No hosts found" + sys.exit(1) + + print "UP ***********" + for (hostname, result) in results['contacted'].items(): + if not 'failed' in result: + print "%s >>> %s" % (hostname, result['stdout']) + + print "FAILED *******" + for (hostname, result) in results['contacted'].items(): + if 'failed' in result: + print "%s >>> %s" % (hostname, result['msg']) + + print "DOWN *********" + for (hostname, result) in results['dark'].items(): + print "%s >>> %s" % (hostname, result) + +Advanced programmers may also wish to read the source to ansible itself, for +it uses the Runner() API (with all available options) to implement the +command line tools ``ansible`` and ``ansible-playbook``. + +Plugins Available Online +------------------------ + +The remainder of features in the API docs have components available in `ansible-plugins `_. Send us a github pull request if you develop any interesting features. + +External Inventory Scripts +-------------------------- + +Often a user of a configuration management system will want to keep inventory +in a different system. Frequent examples include LDAP, `Cobbler `_, +or a piece of expensive enterprisey CMDB software. Ansible easily supports all +of these options via an external inventory system. The plugins directory contains some of these already -- including options for EC2/Eucalyptus and OpenStack, which will be detailed below. + +It's possible to write an external inventory script in any language. If you are familiar with Puppet terminology, this concept is basically the same as 'external nodes', with the slight difference that it also defines which hosts are managed. + +Script Conventions +`````````````````` + +When the external node script is called with the single argument '--list', the script must return a JSON hash/dictionary of all the groups to be managed. +Each group's value should be either a hash/dictionary containing a list of each host/IP, potential child groups, and potential group variables, or +simply a list of host/IP addresses, like so:: + + { + "databases" : { + "hosts" : [ "host1.example.com", "host2.example.com" ], + "vars" : { + "a" : true + } + }, + "webservers" : [ "host2.example.com", "host3.example.com" ], + "atlanta" : { + "hosts" : [ "host1.example.com", "host4.example.com", "host5.example.com" ], + "vars" : { + "b" : false + }, + "children": [ "marietta", "5points" ], + }, + "marietta" : [ "host6.example.com" ], + "5points" : [ "host7.example.com" ] + } + +.. versionadded:: 1.0 + +Before version 1.0, each group could only have a list of hostnames/IP addresses, like the webservers, marietta, and 5points groups above. + +When called with the arguments '--host ' (where is a host from above), the script must return either an empty JSON +hash/dictionary, or a hash/dictionary of variables to make available to templates and playbooks. Returning variables is optional, +if the script does not wish to do this, returning an empty hash/dictionary is the way to go:: + + { + "favcolor" : "red", + "ntpserver" : "wolf.example.com", + "monitoring" : "pack.example.com" + } + +Tuning the External Inventory Script +```````````````````````````````````` + +.. versionadded:: 1.3 + +The stock inventory script system detailed above works for all versions of Ansible, but calling +'--host' for every host can be rather expensive, especially if it involves expensive API calls to +a remote subsystemm. In Ansible +1.3 or later, if the inventory script returns a top level element called "_meta", it is possible +to return all of the host variables in one inventory script call. When this meta element contains +a value for "hostvars", the inventory script will not be invoked with "--host" for each host. This +results in a significant performance increase for large numbers of hosts, and also makes client +side caching easier to implement for the inventory script. + +The data to be added to the top level JSON dictionary looks like this:: + + { + + # results of inventory script as above go here + # ... + + "_meta" : { + "hostvars" : { + "moocow.example.com" : { "asdf" : 1234 }, + "llama.example.com" : { "asdf" : 5678 }, + } + } + + } + + +Example: The Cobbler External Inventory Script +`````````````````````````````````````````````` + +It is expected that many Ansible users will also be `Cobbler `_ users. Cobbler has a generic +layer that allows it to represent data for multiple configuration management systems (even at the same time), and has +been referred to as a 'lightweight CMDB' by some admins. This particular script will communicate with Cobbler +using Cobbler's XMLRPC API. + +To tie Ansible's inventory to Cobbler (optional), copy `this script `_ to /etc/ansible/hosts and `chmod +x` the file. cobblerd will now need +to be running when you are using Ansible. + +Test the file by running `./etc/ansible/hosts` directly. You should see some JSON data output, but it may not have +anything in it just yet. + +Let's explore what this does. In cobbler, assume a scenario somewhat like the following:: + + cobbler profile add --name=webserver --distro=CentOS6-x86_64 + cobbler profile edit --name=webserver --mgmt-classes="webserver" --ksmeta="a=2 b=3" + cobbler system edit --name=foo --dns-name="foo.example.com" --mgmt-classes="atlanta" --ksmeta="c=4" + cobbler system edit --name=bar --dns-name="bar.example.com" --mgmt-classes="atlanta" --ksmeta="c=5" + +In the example above, the system 'foo.example.com' will be addressable by ansible directly, but will also be addressable when using the group names 'webserver' or 'atlanta'. Since Ansible uses SSH, we'll try to contract system foo over 'foo.example.com', only, never just 'foo'. Similarly, if you try "ansible foo" it wouldn't find the system... but "ansible 'foo*'" would, because the system DNS name starts with 'foo'. + +The script doesn't just provide host and group info. In addition, as a bonus, when the 'setup' module is run (which happens automatically when using playbooks), the variables 'a', 'b', and 'c' will all be auto-populated in the templates:: + + # file: /srv/motd.j2 + Welcome, I am templated with a value of a={{ a }}, b={{ b }}, and c={{ c }} + +Which could be executed just like this:: + + ansible webserver -m setup + ansible webserver -m template -a "src=/tmp/motd.j2 dest=/etc/motd" + +.. note:: + The name 'webserver' came from cobbler, as did the variables for + the config file. You can still pass in your own variables like + normal in Ansible, but variables from the external inventory script + will override any that have the same name. + +So, with the template above (motd.j2), this would result in the following data being written to /etc/motd for system 'foo':: + + Welcome, I am templated with a value of a=2, b=3, and c=4 + +And on system 'bar' (bar.example.com):: + + Welcome, I am templated with a value of a=2, b=3, and c=5 + +And technically, though there is no major good reason to do it, this also works too:: + + ansible webserver -m shell -a "echo {{ a }}" + +So in other words, you can use those variables in arguments/actions as well. You might use this to name +a conf.d file appropriately or something similar. Who knows? + +So that's the Cobbler integration support -- using the cobbler script as an example, it should be trivial to adapt Ansible to pull inventory, as well as variable information, from any data source. If you create anything interesting, please share with the mailing list, and we can keep it in the source code tree for others to use. + +Example: AWS EC2 External Inventory Script +`````````````````````````````````````````` + +If you use Amazon Web Services EC2, maintaining an inventory file might not be the best approach. For this reason, you can use the `EC2 external inventory `_ script. + +You can use this script in one of two ways. The easiest is to use Ansible's ``-i`` command line option and specify the path to the script. + + ansible -i ec2.py -u ubuntu us-east-1d -m ping + +The second option is to copy the script to `/etc/ansible/hosts` and `chmod +x` it. You will also need to copy the `ec2.ini `_ file to `/etc/ansible/ec2.ini`. Then you can run ansible as you would normally. + +To successfully make an API call to AWS, you will need to configure Boto (the Python interface to AWS). There are a `variety of methods `_ available, but the simplest is just to export two environment variables: + + export AWS_ACCESS_KEY_ID='AK123' + export AWS_SECRET_ACCESS_KEY='abc123' + +You can test the script by itself to make sure your config is correct + + cd plugins/inventory + ./ec2.py --list + +After a few moments, you should see your entire EC2 inventory across all regions in JSON. + +Since each region requires its own API call, if you are only using a small set of regions, feel free to edit ``ec2.ini`` and list only the regions you are interested in. There are other config options in ``ec2.ini`` including cache control, and destination variables. + +At their heart, inventory files are simply a mapping from some name to a destination address. The default ``ec2.ini`` settings are configured for running Ansible from outside EC2 (from your laptop for example). If you are running Ansible from within EC2, internal DNS names and IP addresses may make more sense than public DNS names. In this case, you can modify the ``destination_variable`` in ``ec2.ini`` to be the private DNS name of an instance. This is particularly important when running Ansible within a private subnet inside a VPC, where the only way to access an instance is via its private IP address. For VPC instances, `vpc_destination_variable` in ``ec2.ini`` provides a means of using which ever `boto.ec2.instance variable `_ makes the most sense for your use case. + +The EC2 external inventory provides mappings to instances from several groups: + +Instance ID + These are groups of one since instance IDs are unique. + e.g. + ``i-00112233`` + ``i-a1b1c1d1`` + +Region + A group of all instances in an AWS region. + e.g. + ``us-east-1`` + ``us-west-2`` + +Availability Zone + A group of all instances in an availability zone. + e.g. + ``us-east-1a`` + ``us-east-1b`` + +Security Group + Instances belong to one or more security groups. A group is created for each security group, with all characters except alphanumerics, dashes (-) converted to underscores (_). Each group is prefixed by ``security_group_`` + e.g. + ``security_group_default`` + ``security_group_webservers`` + ``security_group_Pete_s_Fancy_Group`` + +Tags + Each instance can have a variety of key/value pairs associated with it called Tags. The most common tag key is 'Name', though anything is possible. Each key/value pair is its own group of instances, again with special characters converted to underscores, in the format ``tag_KEY_VALUE`` + e.g. + ``tag_Name_Web`` + ``tag_Name_redis-master-001`` + ``tag_aws_cloudformation_logical-id_WebServerGroup`` + +When the Ansible is interacting with a specific server, the EC2 inventory script is called again with the ``--host HOST`` option. This looks up the HOST in the index cache to get the instance ID, and then makes an API call to AWS to get information about that specific instance. It then makes information about that instance available as variables to your playbooks. Each variable is prefixed by ``ec2_``. Here are some of the variables available: + +- ec2_architecture +- ec2_description +- ec2_dns_name +- ec2_id +- ec2_image_id +- ec2_instance_type +- ec2_ip_address +- ec2_kernel +- ec2_key_name +- ec2_launch_time +- ec2_monitored +- ec2_ownerId +- ec2_placement +- ec2_platform +- ec2_previous_state +- ec2_private_dns_name +- ec2_private_ip_address +- ec2_public_dns_name +- ec2_ramdisk +- ec2_region +- ec2_root_device_name +- ec2_root_device_type +- ec2_security_group_ids +- ec2_security_group_names +- ec2_spot_instance_request_id +- ec2_state +- ec2_state_code +- ec2_state_reason +- ec2_status +- ec2_subnet_id +- ec2_tag_Name +- ec2_tenancy +- ec2_virtualization_type +- ec2_vpc_id + +Both ``ec2_security_group_ids`` and ``ec2_security_group_names`` are comma-separated lists of all security groups. Each EC2 tag is a variable in the format ``ec2_tag_KEY``. + +To see the complete list of variables available for an instance, run the script by itself:: + + cd plugins/inventory + ./ec2.py --host ec2-12-12-12-12.compute-1.amazonaws.com + +Example: OpenStack Inventory Script +``````````````````````````````````` + +Though not detailed here in as much depth as the EC2 module, there's also a OpenStack Compute external inventory source in the plugins directory. It requires the Grizzly release of OpenStack or +later. See the inline comments in the module source for how to use it. + +Callback Plugins +---------------- + +Ansible can be configured via code to respond to external events. This can include enhancing logging, signalling an external software +system, or even (yes, really) making sound effects. Some examples are contained in the plugins directory. + +Connection Type Plugins +----------------------- + +By default, ansible ships with a 'paramiko' SSH, native ssh (just called 'ssh'), and 'local' connection type, and an accelerated connection type named 'fireball'. All of these can be used +in playbooks and with /usr/bin/ansible to decide how you want to talk to remote machines. The basics of these connection types +are covered in the 'getting started' section. Should you want to extend Ansible to support other transports (SNMP? Message bus? +Carrier Pigeon?) it's as simple as copying the format of one of the existing modules and dropping it into the connection plugins +directory. The value of 'smart' for a connection allows selection of paramiko or openssh based on system capabilities, and chooses +'ssh' if OpenSSH supports ControlPersist, in Ansible 1.2.1 an later. Previous versions did not support 'smart'. + +Lookup Plugins +-------------- + +Language constructs like "with_fileglob" and "with_items" are implemented via lookup plugins. Just like other plugin types, you can write your own. + +Vars Plugins +------------ + +Playbook constructs like 'host_vars' and 'group_vars' work via 'vars' plugins. They inject additional variable +data into ansible runs that did not come from an inventory, playbook, or command line. Note that variables +can also be returned from inventory, so in most cases, you won't need to write or understand vars_plugins. + +Filter Plugins +-------------- + +If you want more Jinja2 filters available in a Jinja2 template (filters like to_yaml and to_json are provided by default), they can be extended by writing a filter plugin. + +Distributing Plugins +-------------------- + +.. versionadded:: 0.8 + +Plugins are loaded from both Python's site_packages (those that ship with ansible) and a configured plugins directory, which defaults +to /usr/share/ansible/plugins, in a subfolder for each plugin type:: + + * action_plugins + * lookup_plugins + * callback_plugins + * connection_plugins + * filter_plugins + * vars_plugins + +To change this path, edit the ansible configuration file. + +In addition, plugins can be shipped in a subdirectory relative to a top-level playbook, in folders named the same as indicated above. + +.. seealso:: + + :doc:`modules` + List of built-in modules + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + `irc.freenode.net `_ + #ansible IRC chat channel + diff --git a/docsite/latest/rst/moduledev.rst b/docsite/latest/rst/developing_modules.rst similarity index 100% rename from docsite/latest/rst/moduledev.rst rename to docsite/latest/rst/developing_modules.rst diff --git a/docsite/latest/rst/developing_plugins.rst b/docsite/latest/rst/developing_plugins.rst new file mode 100644 index 0000000000..b07cba206d --- /dev/null +++ b/docsite/latest/rst/developing_plugins.rst @@ -0,0 +1,397 @@ +API & Integrations +================== + +There are several interesting ways to use Ansible from an API perspective. You can use +the Ansible python API to control nodes, you can extend Ansible to respond to various python events, +and you can plug in inventory data from external data sources. Ansible is written in its own +API so you have a considerable amount of power across the board. + +.. contents:: `Table of contents` + :depth: 2 + +Python API +---------- + +The Python API is very powerful, and is how the ansible CLI and ansible-playbook +are implemented. + +It's pretty simple:: + + import ansible.runner + + runner = ansible.runner.Runner( + module_name='ping', + module_args='', + pattern='web*', + forks=10 + ) + datastructure = runner.run() + +The run method returns results per host, grouped by whether they +could be contacted or not. Return types are module specific, as +expressed in the 'ansible-modules' documentation.:: + + { + "dark" : { + "web1.example.com" : "failure message" + }, + "contacted" : { + "web2.example.com" : 1 + } + } + +A module can return any type of JSON data it wants, so Ansible can +be used as a framework to rapidly build powerful applications and scripts. + +Detailed API Example +```````````````````` + +The following script prints out the uptime information for all hosts:: + + #!/usr/bin/python + + import ansible.runner + import sys + + # construct the ansible runner and execute on all hosts + results = ansible.runner.Runner( + pattern='*', forks=10, + module_name='command', module_args='/usr/bin/uptime', + ).run() + + if results is None: + print "No hosts found" + sys.exit(1) + + print "UP ***********" + for (hostname, result) in results['contacted'].items(): + if not 'failed' in result: + print "%s >>> %s" % (hostname, result['stdout']) + + print "FAILED *******" + for (hostname, result) in results['contacted'].items(): + if 'failed' in result: + print "%s >>> %s" % (hostname, result['msg']) + + print "DOWN *********" + for (hostname, result) in results['dark'].items(): + print "%s >>> %s" % (hostname, result) + +Advanced programmers may also wish to read the source to ansible itself, for +it uses the Runner() API (with all available options) to implement the +command line tools ``ansible`` and ``ansible-playbook``. + +Plugins Available Online +------------------------ + +The remainder of features in the API docs have components available in `ansible-plugins `_. Send us a github pull request if you develop any interesting features. + +External Inventory Scripts +-------------------------- + +Often a user of a configuration management system will want to keep inventory +in a different system. Frequent examples include LDAP, `Cobbler `_, +or a piece of expensive enterprisey CMDB software. Ansible easily supports all +of these options via an external inventory system. The plugins directory contains some of these already -- including options for EC2/Eucalyptus and OpenStack, which will be detailed below. + +It's possible to write an external inventory script in any language. If you are familiar with Puppet terminology, this concept is basically the same as 'external nodes', with the slight difference that it also defines which hosts are managed. + +Script Conventions +`````````````````` + +When the external node script is called with the single argument '--list', the script must return a JSON hash/dictionary of all the groups to be managed. +Each group's value should be either a hash/dictionary containing a list of each host/IP, potential child groups, and potential group variables, or +simply a list of host/IP addresses, like so:: + + { + "databases" : { + "hosts" : [ "host1.example.com", "host2.example.com" ], + "vars" : { + "a" : true + } + }, + "webservers" : [ "host2.example.com", "host3.example.com" ], + "atlanta" : { + "hosts" : [ "host1.example.com", "host4.example.com", "host5.example.com" ], + "vars" : { + "b" : false + }, + "children": [ "marietta", "5points" ], + }, + "marietta" : [ "host6.example.com" ], + "5points" : [ "host7.example.com" ] + } + +.. versionadded:: 1.0 + +Before version 1.0, each group could only have a list of hostnames/IP addresses, like the webservers, marietta, and 5points groups above. + +When called with the arguments '--host ' (where is a host from above), the script must return either an empty JSON +hash/dictionary, or a hash/dictionary of variables to make available to templates and playbooks. Returning variables is optional, +if the script does not wish to do this, returning an empty hash/dictionary is the way to go:: + + { + "favcolor" : "red", + "ntpserver" : "wolf.example.com", + "monitoring" : "pack.example.com" + } + +Tuning the External Inventory Script +```````````````````````````````````` + +.. versionadded:: 1.3 + +The stock inventory script system detailed above works for all versions of Ansible, but calling +'--host' for every host can be rather expensive, especially if it involves expensive API calls to +a remote subsystemm. In Ansible +1.3 or later, if the inventory script returns a top level element called "_meta", it is possible +to return all of the host variables in one inventory script call. When this meta element contains +a value for "hostvars", the inventory script will not be invoked with "--host" for each host. This +results in a significant performance increase for large numbers of hosts, and also makes client +side caching easier to implement for the inventory script. + +The data to be added to the top level JSON dictionary looks like this:: + + { + + # results of inventory script as above go here + # ... + + "_meta" : { + "hostvars" : { + "moocow.example.com" : { "asdf" : 1234 }, + "llama.example.com" : { "asdf" : 5678 }, + } + } + + } + + +Example: The Cobbler External Inventory Script +`````````````````````````````````````````````` + +It is expected that many Ansible users will also be `Cobbler `_ users. Cobbler has a generic +layer that allows it to represent data for multiple configuration management systems (even at the same time), and has +been referred to as a 'lightweight CMDB' by some admins. This particular script will communicate with Cobbler +using Cobbler's XMLRPC API. + +To tie Ansible's inventory to Cobbler (optional), copy `this script `_ to /etc/ansible/hosts and `chmod +x` the file. cobblerd will now need +to be running when you are using Ansible. + +Test the file by running `./etc/ansible/hosts` directly. You should see some JSON data output, but it may not have +anything in it just yet. + +Let's explore what this does. In cobbler, assume a scenario somewhat like the following:: + + cobbler profile add --name=webserver --distro=CentOS6-x86_64 + cobbler profile edit --name=webserver --mgmt-classes="webserver" --ksmeta="a=2 b=3" + cobbler system edit --name=foo --dns-name="foo.example.com" --mgmt-classes="atlanta" --ksmeta="c=4" + cobbler system edit --name=bar --dns-name="bar.example.com" --mgmt-classes="atlanta" --ksmeta="c=5" + +In the example above, the system 'foo.example.com' will be addressable by ansible directly, but will also be addressable when using the group names 'webserver' or 'atlanta'. Since Ansible uses SSH, we'll try to contract system foo over 'foo.example.com', only, never just 'foo'. Similarly, if you try "ansible foo" it wouldn't find the system... but "ansible 'foo*'" would, because the system DNS name starts with 'foo'. + +The script doesn't just provide host and group info. In addition, as a bonus, when the 'setup' module is run (which happens automatically when using playbooks), the variables 'a', 'b', and 'c' will all be auto-populated in the templates:: + + # file: /srv/motd.j2 + Welcome, I am templated with a value of a={{ a }}, b={{ b }}, and c={{ c }} + +Which could be executed just like this:: + + ansible webserver -m setup + ansible webserver -m template -a "src=/tmp/motd.j2 dest=/etc/motd" + +.. note:: + The name 'webserver' came from cobbler, as did the variables for + the config file. You can still pass in your own variables like + normal in Ansible, but variables from the external inventory script + will override any that have the same name. + +So, with the template above (motd.j2), this would result in the following data being written to /etc/motd for system 'foo':: + + Welcome, I am templated with a value of a=2, b=3, and c=4 + +And on system 'bar' (bar.example.com):: + + Welcome, I am templated with a value of a=2, b=3, and c=5 + +And technically, though there is no major good reason to do it, this also works too:: + + ansible webserver -m shell -a "echo {{ a }}" + +So in other words, you can use those variables in arguments/actions as well. You might use this to name +a conf.d file appropriately or something similar. Who knows? + +So that's the Cobbler integration support -- using the cobbler script as an example, it should be trivial to adapt Ansible to pull inventory, as well as variable information, from any data source. If you create anything interesting, please share with the mailing list, and we can keep it in the source code tree for others to use. + +Example: AWS EC2 External Inventory Script +`````````````````````````````````````````` + +If you use Amazon Web Services EC2, maintaining an inventory file might not be the best approach. For this reason, you can use the `EC2 external inventory `_ script. + +You can use this script in one of two ways. The easiest is to use Ansible's ``-i`` command line option and specify the path to the script. + + ansible -i ec2.py -u ubuntu us-east-1d -m ping + +The second option is to copy the script to `/etc/ansible/hosts` and `chmod +x` it. You will also need to copy the `ec2.ini `_ file to `/etc/ansible/ec2.ini`. Then you can run ansible as you would normally. + +To successfully make an API call to AWS, you will need to configure Boto (the Python interface to AWS). There are a `variety of methods `_ available, but the simplest is just to export two environment variables: + + export AWS_ACCESS_KEY_ID='AK123' + export AWS_SECRET_ACCESS_KEY='abc123' + +You can test the script by itself to make sure your config is correct + + cd plugins/inventory + ./ec2.py --list + +After a few moments, you should see your entire EC2 inventory across all regions in JSON. + +Since each region requires its own API call, if you are only using a small set of regions, feel free to edit ``ec2.ini`` and list only the regions you are interested in. There are other config options in ``ec2.ini`` including cache control, and destination variables. + +At their heart, inventory files are simply a mapping from some name to a destination address. The default ``ec2.ini`` settings are configured for running Ansible from outside EC2 (from your laptop for example). If you are running Ansible from within EC2, internal DNS names and IP addresses may make more sense than public DNS names. In this case, you can modify the ``destination_variable`` in ``ec2.ini`` to be the private DNS name of an instance. This is particularly important when running Ansible within a private subnet inside a VPC, where the only way to access an instance is via its private IP address. For VPC instances, `vpc_destination_variable` in ``ec2.ini`` provides a means of using which ever `boto.ec2.instance variable `_ makes the most sense for your use case. + +The EC2 external inventory provides mappings to instances from several groups: + +Instance ID + These are groups of one since instance IDs are unique. + e.g. + ``i-00112233`` + ``i-a1b1c1d1`` + +Region + A group of all instances in an AWS region. + e.g. + ``us-east-1`` + ``us-west-2`` + +Availability Zone + A group of all instances in an availability zone. + e.g. + ``us-east-1a`` + ``us-east-1b`` + +Security Group + Instances belong to one or more security groups. A group is created for each security group, with all characters except alphanumerics, dashes (-) converted to underscores (_). Each group is prefixed by ``security_group_`` + e.g. + ``security_group_default`` + ``security_group_webservers`` + ``security_group_Pete_s_Fancy_Group`` + +Tags + Each instance can have a variety of key/value pairs associated with it called Tags. The most common tag key is 'Name', though anything is possible. Each key/value pair is its own group of instances, again with special characters converted to underscores, in the format ``tag_KEY_VALUE`` + e.g. + ``tag_Name_Web`` + ``tag_Name_redis-master-001`` + ``tag_aws_cloudformation_logical-id_WebServerGroup`` + +When the Ansible is interacting with a specific server, the EC2 inventory script is called again with the ``--host HOST`` option. This looks up the HOST in the index cache to get the instance ID, and then makes an API call to AWS to get information about that specific instance. It then makes information about that instance available as variables to your playbooks. Each variable is prefixed by ``ec2_``. Here are some of the variables available: + +- ec2_architecture +- ec2_description +- ec2_dns_name +- ec2_id +- ec2_image_id +- ec2_instance_type +- ec2_ip_address +- ec2_kernel +- ec2_key_name +- ec2_launch_time +- ec2_monitored +- ec2_ownerId +- ec2_placement +- ec2_platform +- ec2_previous_state +- ec2_private_dns_name +- ec2_private_ip_address +- ec2_public_dns_name +- ec2_ramdisk +- ec2_region +- ec2_root_device_name +- ec2_root_device_type +- ec2_security_group_ids +- ec2_security_group_names +- ec2_spot_instance_request_id +- ec2_state +- ec2_state_code +- ec2_state_reason +- ec2_status +- ec2_subnet_id +- ec2_tag_Name +- ec2_tenancy +- ec2_virtualization_type +- ec2_vpc_id + +Both ``ec2_security_group_ids`` and ``ec2_security_group_names`` are comma-separated lists of all security groups. Each EC2 tag is a variable in the format ``ec2_tag_KEY``. + +To see the complete list of variables available for an instance, run the script by itself:: + + cd plugins/inventory + ./ec2.py --host ec2-12-12-12-12.compute-1.amazonaws.com + +Example: OpenStack Inventory Script +``````````````````````````````````` + +Though not detailed here in as much depth as the EC2 module, there's also a OpenStack Compute external inventory source in the plugins directory. It requires the Grizzly release of OpenStack or +later. See the inline comments in the module source for how to use it. + +Callback Plugins +---------------- + +Ansible can be configured via code to respond to external events. This can include enhancing logging, signalling an external software +system, or even (yes, really) making sound effects. Some examples are contained in the plugins directory. + +Connection Type Plugins +----------------------- + +By default, ansible ships with a 'paramiko' SSH, native ssh (just called 'ssh'), and 'local' connection type, and an accelerated connection type named 'fireball'. All of these can be used +in playbooks and with /usr/bin/ansible to decide how you want to talk to remote machines. The basics of these connection types +are covered in the 'getting started' section. Should you want to extend Ansible to support other transports (SNMP? Message bus? +Carrier Pigeon?) it's as simple as copying the format of one of the existing modules and dropping it into the connection plugins +directory. The value of 'smart' for a connection allows selection of paramiko or openssh based on system capabilities, and chooses +'ssh' if OpenSSH supports ControlPersist, in Ansible 1.2.1 an later. Previous versions did not support 'smart'. + +Lookup Plugins +-------------- + +Language constructs like "with_fileglob" and "with_items" are implemented via lookup plugins. Just like other plugin types, you can write your own. + +Vars Plugins +------------ + +Playbook constructs like 'host_vars' and 'group_vars' work via 'vars' plugins. They inject additional variable +data into ansible runs that did not come from an inventory, playbook, or command line. Note that variables +can also be returned from inventory, so in most cases, you won't need to write or understand vars_plugins. + +Filter Plugins +-------------- + +If you want more Jinja2 filters available in a Jinja2 template (filters like to_yaml and to_json are provided by default), they can be extended by writing a filter plugin. + +Distributing Plugins +-------------------- + +.. versionadded:: 0.8 + +Plugins are loaded from both Python's site_packages (those that ship with ansible) and a configured plugins directory, which defaults +to /usr/share/ansible/plugins, in a subfolder for each plugin type:: + + * action_plugins + * lookup_plugins + * callback_plugins + * connection_plugins + * filter_plugins + * vars_plugins + +To change this path, edit the ansible configuration file. + +In addition, plugins can be shipped in a subdirectory relative to a top-level playbook, in folders named the same as indicated above. + +.. seealso:: + + :doc:`modules` + List of built-in modules + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + `irc.freenode.net `_ + #ansible IRC chat channel + diff --git a/docsite/latest/rst/amazon_web_services.rst b/docsite/latest/rst/guide_aws.rst similarity index 100% rename from docsite/latest/rst/amazon_web_services.rst rename to docsite/latest/rst/guide_aws.rst diff --git a/docsite/latest/rst/index.rst b/docsite/latest/rst/index.rst index a38ab4c2cf..27fb48c782 100644 --- a/docsite/latest/rst/index.rst +++ b/docsite/latest/rst/index.rst @@ -1,23 +1,36 @@ -Ansible Documentation Index -``````````````````````````` +Ansible Documentation +````````````````````` -Welcome to the Ansible documentation. This documentation covers the current released -version of Ansible (1.2) and may also reference some development version features. +Welcome to the Ansible documentation. -For the previous released version, see `Ansible 1.1 Docs `_ instead. +Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT orchestration +such as continuous deployments or zero downtime rolling updates. + +Ansibe's goals are foremost those of simplicity and ease of use. It also has a strong focus on security and reliability, featuring +a minimum of moving parts, usage of Open SSH for transport, and a language that is designed around auditability by humans -- even those +not familiar with the program. + +This documentation covers the current released version of Ansible (1.3.X) and also some development version features (1.4). For recent features, in each section, the version of Ansible where the feature is added is indicated. Ansible produces a new major release approximately +every 2 months. Before we dive into playbooks, configuration management, deployment, and orchestration, we'll learn how to get Ansible installed and some basic information. We'll go over how to execute ad-hoc commands in parallel across your nodes using /usr/bin/ansible. We'll also see what sort of modules are available in Ansible's core (though you can also write your own, which we'll also show later). +An Introduction +``````````````` + .. toctree:: :maxdepth: 1 - gettingstarted - patterns - examples + intro_installation + intro_gettingstarted + intro_inventory + intro_inventory_dynamic + intro_patterns + intro_adhoc modules Overview @@ -28,56 +41,98 @@ Overview :width: 788px :height: 436px +An Introduction to Playbooks +```````````````````````````` -Playbooks -````````` +Playbooks are Ansible's configuration, deployment, and orchestration language. They can describe a policy you want your remote systems +to enforce, or a set of steps in a general IT process. -Playbooks are Ansible's orchestration language. At a basic level, playbooks can be used to manage configurations and deployments -of remote machines. At a more advanced level, they can sequence multi-tier rollouts involving rolling updates, and can delegate actions -to other hosts, interacting with monitoring servers and load balancers along the way. You can start small and pick up more features -over time as you need them. Playbooks are designed to be human-readable and are developed in a basic text language. There are multiple +At a basic level, playbooks can be used to manage configurations of and deployments to remote machines. At a more advanced level, they can sequence multi-tier rollouts involving rolling updates, and can delegate actions to other hosts, interacting with monitoring servers and load balancers along the way. + +There's no need to learn everything at once. You can start small and pick up more features +over time as you need them. + +Playbooks are designed to be human-readable and are developed in a basic text language. There are multiple ways to organize playbooks and the files they include, and we'll offer up some suggestions on that and making the most out of Ansible. .. toctree:: :maxdepth: 1 playbooks - playbooks2 - bestpractices - YAMLSyntax + playbooks_roles + playbooks_variables + playbooks_facts + playbooks_loops + playbooks_best_practices Example Playbooks -Specific Solutions -`````````````````` +Special Topics In Playbooks +``````````````````````````` + +Here are some playbook features that not everyone may need to learn, but can be quite useful for particular applications. +Browsing these topics is recommended as you may find some useful tips here, but feel free to learn Ansible first and adopt +these only if they seem relevant or useful to your environment. + + playbooks_acceleration + playbooks_check_mode + playbooks_delegation + playbooks_environment + playbooks_error_handling + playbooks_lookups + playbooks_prompts + playbooks_strategies + + +Detailed Guides +``````````````` + +This section is new and evolving. The idea here is explore particular use cases in greater depth and provide a more "top down" explanation +of some basic features. A chance to dive into some more topics in depth: .. toctree:: :maxdepth: 1 - amazon_web_services + guide_aws + +Pending topics may include: Vagrant, Docker, Jenkins, Rackspace Cloud, Google Compute Engine, Linode/Digital Ocean, Continous Deployment, +and more. + +Community Information +````````````````````` + +Ansible is an open source project designed to bring together developers and administrators of all kinds to collaborate on building +IT automation solutions that work well for them. Should you wish to get more involved -- whether in terms of just asking a question, helping +other users, introducing new people to Ansible, or helping with the software or documentation, we welcome your contributions to the project. + + How to interact Developer Information ````````````````````` -Learn how to build modules of your own in any language. Explore Ansible's Python API and write Python plugins to integrate +Learn how to build modules of your own in any language, and also how to extend ansible through several kinds of plugins. Explore Ansible's Python API and write Python plugins to integrate with other solutions in your environment. .. toctree:: :maxdepth: 1 - api - moduledev + developers_contributing + developers_code_standards + developers_api + developers_inventory + developers_modules + developers_plugins + developers_callbacks + developers_filters + developers_lookups + developers_transports + developers_modules + REST API Miscellaneous ````````````` -`Learn and share neat Ansible tricks on Coderwall `_ - sign-in using GitHub or Twitter to vote on top tips and add your own! - -`A list of some Ansible users and quotes about Ansible `_. - -More links: - .. toctree:: :maxdepth: 1 diff --git a/docsite/latest/rst/examples.rst b/docsite/latest/rst/intro_adhoc.rst similarity index 100% rename from docsite/latest/rst/examples.rst rename to docsite/latest/rst/intro_adhoc.rst diff --git a/docsite/latest/rst/patterns.rst b/docsite/latest/rst/intro_dynamic_inventory.rst similarity index 100% rename from docsite/latest/rst/patterns.rst rename to docsite/latest/rst/intro_dynamic_inventory.rst diff --git a/docsite/latest/rst/gettingstarted.rst b/docsite/latest/rst/intro_getting_started.rst similarity index 100% rename from docsite/latest/rst/gettingstarted.rst rename to docsite/latest/rst/intro_getting_started.rst diff --git a/docsite/latest/rst/intro_installation.rst b/docsite/latest/rst/intro_installation.rst new file mode 100644 index 0000000000..ff83caf160 --- /dev/null +++ b/docsite/latest/rst/intro_installation.rst @@ -0,0 +1,383 @@ +Getting Started +=============== + +.. contents:: + :depth: 2 + +Requirements +```````````` + +Requirements for Ansible are extremely minimal. + +For the central Ansible machine, you will need an environment with Python 2.6 or greater installed. If you are running Python 2.5 on an "Enterprise Linux 5" variant, we'll show you how to add 2.6 to your distribution, but most platforms already have a new enough Python. (Note that Windows is not supported as the Ansible control machine.) + +You will also want the following Python modules (installed via pip or perhaps via your OS package manager via slightly different names): + +* ``paramiko`` +* ``PyYAML`` +* ``jinja2`` + +If you are using RHEL or CentOS 5, Python is version 2.4 by default, but you can get Python 2.6 installed easily. `Use EPEL `_ and install these dependencies as follows: + +.. code-block:: bash + + $ yum install python26 python26-PyYAML python26-paramiko python26-jinja2 + + +On the managed nodes, you only need Python 2.4 or later, but if you are are running less than Python 2.6 on them, you will +also need: + +* ``python-simplejson`` + +.. note:: + + Ansible's "raw" module (for executing commands in a quick and dirty + way) and the script module don't even need that. So technically, you can use + Ansible to install python-simplejson using the raw module, which + then allows you to use everything else. (That's jumping ahead + though.) + +.. note:: + + If you have SELinux enabled on remote nodes, you will also want to install + libselinux-python on them before using any copy/file/template related functions in + Ansible. You can of course still use the yum module in Ansible to install this package on + remote systems that do not have it. + +.. note:: + + Python 3 is a slightly different language than Python 2 and most python programs (including + Ansible) are not switching over yet. However, some Linux distributions (Gentoo, Arch) may not have a + Python 2.X interpreter installed by default. On those systems, you should install one, and set + the 'ansible_python_interpreter' variable in inventory (see :doc:`patterns`) to point at your 2.X python. Distributions + like Red Hat Enterprise Linux, CentOS, Fedora, and Ubuntu all have a 2.X interpreter installed + by default and this does not apply to those distributions. This is also true of nearly all + Unix systems. If you need to bootstrap these remote systems by installing Python 2.X, + using the 'raw' module will be able to do it remotely. + +Getting Ansible +``````````````` + +If you are interested in using all the latest features, you may wish to keep up to date +with the development branch of the git checkout. This also makes it easiest to contribute +back to the project. + +Instructions for installing from source are below. + +Ansible's release cycles are usually about two months long. Due to this +short release cycle, minor bugs will generally be fixed in the next release versus maintaining +backports on the stable branch. + +You may also wish to follow the `Github project `_ if +you have a github account. This is also where we keep the issue tracker for sharing +bugs and feature ideas. + + +Running From Checkout ++++++++++++++++++++++ + +Ansible is trivially easy to run from a checkout, root permissions are not required +to use it: + +.. code-block:: bash + + $ git clone git://github.com/ansible/ansible.git + $ cd ./ansible + $ source ./hacking/env-setup + +You will want to install the dependencies needed by Ansible with pip if going from a checkout:: + + # on Ubuntu, for example: + apt-get install python-dev python-pip + pip install PyYAML Jinja2 paramiko + +Once running the env-setup script you'll be running from checkout and the default inventory file +will be /etc/ansible/hosts. You can optionally specify an inventory file (see :doc:`patterns`) +other than /etc/ansible/hosts: + +.. code-block:: bash + + $ echo "127.0.0.1" > ~/ansible_hosts + $ export ANSIBLE_HOSTS=~/ansible_hosts + +You can read more about the inventory file in later parts of the manual. + +Now let's test things: + +.. code-block:: bash + + $ ansible all -m ping --ask-pass + + +Make Install +++++++++++++ + +If you are not working from a distribution where Ansible is packaged yet, you can install Ansible +using "make install". This is done through `python-distutils`: + +.. code-block:: bash + + $ git clone git://github.com/ansible/ansible.git + $ cd ./ansible + $ sudo make install + +Via Pip ++++++++ + +Are you a python developer? + +Ansible can be installed via Pip, but when you do so, it will ask to install other dependencies used for +things like 'fireball' mode that you might not need:: + + $ sudo easy_install pip + $ sudo pip install ansible + +Readers that use virtualenv can also install Ansible under virtualenv. Do not use easy_install to install +ansible directly. + +Via RPM ++++++++ + +RPMs for the last Ansible release are available for `EPEL +`_ 6 and currently supported +Fedora distributions. RPMs for openSUSE can be found via the +`openSUSE Software Portal `_ +(in the systemsmanagement Project) for all currently supported +openSUSE and SLES distributions. + +Ansible itself can manage earlier operating +systems that contain python 2.4 or higher. + +If you are using RHEL or CentOS and have not already done so, `configure EPEL `_ + +.. code-block:: bash + + # install the epel-release RPM if needed on CentOS, RHEL, or Scientific Linux + $ sudo yum install ansible + +For openSUSE and SUSE Linux Enterprise, add the `systemsmanagement repository `_ +for your distribution: + +.. code-block:: bash + + # replace $dist with the correct distribution found here: http://download.opensuse.org/repositories/systemsmanagement/ + $ sudo zypper ar -f http://download.opensuse.org/repositories/systemsmanagement/$dist/systemsmanagement.repo + $ sudo zypper install ansible + +You can also use the ``make rpm`` command to build an RPM you can distribute and install. +Make sure you have ``rpm-build``, ``make``, and ``python2-devel`` installed. + +.. code-block:: bash + + $ git clone git://github.com/ansible/ansible.git + $ cd ./ansible + $ make rpm + $ sudo rpm -Uvh ~/rpmbuild/ansible-*.noarch.rpm + +Via MacPorts on OS X +++++++++++++++++++++ + +Ansible is easily run or installed from source, but you can also use MacPorts. +To install the stable version of Ansible from MacPorts, run: + +.. code-block:: bash + + $ sudo port install ansible + +If you wish to install the latest build via the MacPorts system from a +git checkout, run: + +.. code-block:: bash + + $ git clone git://github.com/ansible/ansible.git + $ cd ./ansible/packaging/macports + $ sudo port install + +Please refer to the documentation at for +further information on using Portfiles with MacPorts. + + +Ubuntu and Debian ++++++++++++++++++ + +Ubuntu builds are available `in a PPA here `_. + +Once configured, + +.. code-block:: bash + + $ sudo apt-get install ansible + +Debian/Ubuntu packages can also be built from the source checkout, run: + +.. code-block:: bash + + $ make debian + +You may also wish to run from source to get the latest, which is covered above. + +Gentoo, Arch, Others +++++++++++++++++++++ + +Gentoo eBuilds are in portage, version 1.0 `coming soon `_. + +.. code-block:: bash + + $ emerge ansible + + +An Arch PKGBUILD is available on `AUR `_ +If you have python3 installed on Arch, you probably want to symlink python to python2: + +.. code-block:: bash + + $ sudo ln -sf /usr/bin/python2 /usr/bin/python + +You should also set a 'ansible_python_interpreter' inventory variable (see :doc:`patterns`) for hosts that have python +pointing to python3, so the right python can be found on the managed nodes. + +Tagged Releases ++++++++++++++++ + +Tarballs of releases are available on the ansibleworks.com page. + +* `Ansible/downloads `_ + +These releases are also tagged in the git repository with the release version. + +Choosing Between Paramiko and Native SSH +```````````````````````````````````````` + +By default, ansible 1.3 and later will try to use native SSH for remote communication when possible. +This is done when ControlPersist support is available. Paramiko is however reasonably fast and makes +a good default on versions of Enterprise Linux where ControlPersist is not available. However, Paramiko +does not support some advanced SSH features that folks will want to use. In Ansible 1.2 and before, +the default was strictly paramiko and native SSH had to be explicitly selected with -c ssh or set in the +configuration file. + +.. versionadded:: 0.5 + +If you want to leverage more advanced SSH features (such as Kerberized +SSH or jump hosts), pass the flag "--connection=ssh" to any ansible +command, or set the ANSIBLE_TRANSPORT environment variable to +'ssh'. This will cause Ansible to use openssh tools instead. + +If ANSIBLE_SSH_ARGS are not set, ansible will try to use some sensible ControlMaster options +by default. You are free to override this environment variable, but should still pass ControlMaster +options to ensure performance of this transport. With ControlMaster in use, both transports +are roughly the same speed. Without CM, the binary ssh transport is signficantly slower. + +If none of this makes sense to you, the default paramiko option is probably fine. + + +Your first commands +``````````````````` + +Now that you've installed Ansible, it's time to test it. + +Edit (or create) /etc/ansible/hosts and put one or more remote systems in it, for +which you have your SSH key in ``authorized_keys``:: + + 192.168.1.50 + aserver.example.org + bserver.example.org + +Set up SSH agent to avoid retyping passwords: + +.. code-block:: bash + + $ ssh-agent bash + $ ssh-add ~/.ssh/id_rsa + +(Depending on your setup, you may wish to ansible's --private-key option to specify a pem file instead) + +Now ping all your nodes: + +.. code-block:: bash + + $ ansible all -m ping + +Ansible will attempt to remote connect to the machines using your current +user name, just like SSH would. To override the remote user name, just use the '-u' parameter. + +If you would like to access sudo mode, there are also flags to do that: + +.. code-block:: bash + + # as bruce + $ ansible all -m ping -u bruce + # as bruce, sudoing to root + $ ansible all -m ping -u bruce --sudo + # as bruce, sudoing to batman + $ ansible all -m ping -u bruce --sudo --sudo-user batman + +(The sudo implementation is changeable in ansible's configuration file if you happen to want to use a sudo +replacement. Flags passed dot sudo can also be set.) + +Now run a live command on all of your nodes: + +.. code-block:: bash + + $ ansible all -a "/bin/echo hello" + +Congratulations. You've just contacted your nodes with Ansible. It's +soon going to be time to read some of the more real-world :doc:`examples`, and explore +what you can do with different modules, as well as the Ansible +:doc:`playbooks` language. Ansible is not just about running commands, it +also has powerful configuration management and deployment features. There's more to +explore, but you already have a fully working infrastructure! + +A note about Connection (Transport) Modes +````````````````````````````````````````` + +Ansible has two major forms of SSH transport implemented, 'ssh' (OpenSSH) and 'paramiko'. Paramiko is a python +SSH implementation and 'ssh' simply calls OpenSSH behind the scenes. There are additionally 'fireball' (an accelerated +remote transport), 'local', and 'chroot' connection modes in Ansible that don't use SSH, but connecting by one of the two +SSH transports is the most common way to manage systems. It is useful to understand the difference between the 'ssh' +and 'paramiko' modes. + +Paramiko is provided because older Enterprise Linux operating systems do not have an efficient OpenSSH that support +ControlPersist technology, and in those cases, 'paramiko' is faster than 'ssh'. Thus, until EL6 backports a newer +SSH, 'paramiko' is the faster option on that platform. + +However, if you have a newer 'ssh' that supports ControlPersist, usage of the 'ssh' transport unlocks additional +configurability, including the option to use Kerberos. For instance, the latest Fedora and Ubuntu releases +all offer a sufficiently new OpenSSH. With ControlPersist available, 'ssh' is usually about as fast as paramiko. +If you'd like even more speed, read about 'fireball' in the Advanced Playbooks section. + +Starting with Ansible 1.2.1, the default transport mode for Ansible is 'smart', which means it will detect +if OpenSSH supports ControlPersist, and will select 'ssh' if available, and otherwise pick 'paramiko'. +Previous versions of Ansible defaulted to 'paramiko'. + +A note about Host Key Checking +`````````````````````````````` + +Ansible 1.2.1 and later have host key checking enabled by default. + +If a host is reinstalled and has a different key in 'known_hosts', this will result in a error message until +corrected. If a host is not initially in 'known_hosts' this will result in prompting for confirmation of the key, +which results in a interactive experience if using Ansible, from say, cron. + +If you wish to disable this behavior and understand the implications, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:: + + [defaults] + host_key_checking = False + +Alternatively this can be set by an environment variable: + + $ export ANSIBLE_HOST_KEY_CHECKING=False + +Also note that host key checking in paramiko mode is reasonably slow, therefore switching to 'ssh' is also recommended when using this +feature. + +.. seealso:: + + :doc:`examples` + Examples of basic commands + :doc:`playbooks` + Learning ansible's configuration management language + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + `irc.freenode.net `_ + #ansible IRC chat channel + diff --git a/docsite/latest/rst/intro_inventory.rst b/docsite/latest/rst/intro_inventory.rst new file mode 100644 index 0000000000..6094406f16 --- /dev/null +++ b/docsite/latest/rst/intro_inventory.rst @@ -0,0 +1,281 @@ +.. _patterns: + +Inventory & Patterns +==================== + +Ansible works against multiple systems in your infrastructure at the +same time. It does this by selecting portions of systems listed in +Ansible's inventory file, which defaults to /etc/ansible/hosts. + +.. contents:: + :depth: 2 + +.. _inventoryformat: + +Hosts and Groups +++++++++++++++++ + +The format for /etc/ansible/hosts is an INI format and looks like this:: + + mail.example.com + + [webservers] + foo.example.com + bar.example.com + + [dbservers] + one.example.com + two.example.com + three.example.com + +The things in brackets are group names. You don't have to have them, +but they are useful. + +If you have hosts that run on non-standard SSH ports you can put the port number +after the hostname with a colon. Ports listed in any SSH config file won't be read, +so it is important that you set them if things are not running on the default port:: + + badwolf.example.com:5309 + +Suppose you have just static IPs and want to set up some aliases that don't live in your host file, or you are connecting through tunnels. You can do things like this:: + + jumper ansible_ssh_port=5555 ansible_ssh_host=192.168.1.50 + +In the above example, trying to ansible against the host alias "jumper" (which may not even be a real hostname) will contact 192.168.1.50 on port 5555. + +Adding a lot of hosts? In 0.6 and later, if you have a lot of hosts following similar patterns you can do this rather than listing each hostname:: + + [webservers] + www[01:50].example.com + + +In 1.0 and later, you can also do this for alphabetic ranges:: + + [databases] + db-[a:f].example.com + +For numeric patterns, leading zeros can be included or removed, as desired. Ranges are inclusive. + +In 1.1 and later, you can also select the connection type and user on a per host basis:: + + [targets] + + localhost ansible_connection=local + other1.example.com ansible_connection=ssh ansible_ssh_user=mpdehaan + other2.example.com ansible_connection=ssh ansible_ssh_user=mdehaan + +All of these variables can of course also be set outside of the inventory file, in 'host_vars' if you wish +to keep your inventory file simple. + +List of Reserved Inventory Parameters ++++++++++++++++++++++++++++++++++++++ + +As a summary, you can set these parameters as host inventory variables. (Some we have already +mentioned). + +ansible_ssh_host + The name of the host to connect to, if different from the alias you wish to give to it. +ansible_ssh_port + The ssh port number, if not 22 +ansible_ssh_user + The default ssh user name to use. +ansible_ssh_pass + The ssh password to use (this is insecure, we strongly recommend using --ask-pass or SSH keys) +ansible_connection + Connection type of the host. Candidates are local, ssh or paramiko. The default is paramiko before Ansible 1.2, and 'smart' afterwards which detects whether usage of 'ssh' would be feasible based on whether ControlPersist is supported. +ansible_ssh_private_key_file + Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent. +ansible_syslog_facility + The syslog facility to log to. +ansible_python_interpreter + The target host python path. This is userful for systems with more + than one Python or not located at "/usr/bin/python" such as \*BSD, or where /usr/bin/python + is not a 2.X series Python. +ansible\_\*\_interpreter + Works for anything such as ruby or perl and works just like ansible_python_interpreter. + This replaces shebang of modules which will run on that host. + +Examples from a host file:: + + some_host ansible_ssh_port=2222 ansible_ssh_user=manager + aws_host ansible_ssh_private_key_file=/home/example/.ssh/aws.pem + freebsd_host ansible_python_interpreter=/usr/local/bin/python + ruby_module_host ansible_ruby_interpreter=/usr/bin/ruby.1.9.3 + + +Selecting Targets ++++++++++++++++++ + +We'll go over how to use the command line in :doc:`examples` section, however, basically it looks like this:: + + ansible -m -a + +Such as:: + + ansible webservers -m service -a "name=httpd state=restarted" + +Within :doc:`playbooks`, these patterns can be used for even greater purposes. + +Anyway, to use Ansible, you'll first need to know how to tell Ansible which hosts in your inventory file to talk to. +This is done by designating particular host names or groups of hosts. + +The following patterns target all hosts in the inventory file:: + + all + * + +Basically 'all' is an alias for '*'. It is also possible to address a specific host or hosts:: + + one.example.com + one.example.com:two.example.com + 192.168.1.50 + 192.168.1.* + +The following patterns address one or more groups, which are denoted +with the aforementioned bracket headers in the inventory file:: + + webservers + webservers:dbservers + +You can exclude groups as well, for instance, all webservers not in Phoenix:: + + webservers:!phoenix + +You can also specify the intersection of two groups:: + + webservers:&staging + +You can do combinations:: + + webservers:dbservers:!phoenix:&staging + +You can also use variables:: + + webservers:!{{excluded}}:&{{required}} + +Individual host names, IPs and groups, can also be referenced using +wildcards:: + + *.example.com + *.com + +It's also ok to mix wildcard patterns and groups at the same time:: + + one*.com:dbservers + +And if the pattern starts with a '~' it is treated as a regular expression:: + + ~(web|db).*\.example\.com + +Easy enough. See :doc:`examples` and then :doc:`playbooks` for how to do things to selected hosts. + +Host Variables +++++++++++++++ + +It is easy to assign variables to hosts that will be used later in playbooks:: + + [atlanta] + host1 http_port=80 maxRequestsPerChild=808 + host2 http_port=303 maxRequestsPerChild=909 + + +Group Variables ++++++++++++++++ + +Variables can also be applied to an entire group at once:: + + [atlanta] + host1 + host2 + + [atlanta:vars] + ntp_server=ntp.atlanta.example.com + proxy=proxy.atlanta.example.com + +Groups of Groups, and Group Variables ++++++++++++++++++++++++++++++++++++++ + +It is also possible to make groups of groups and assign +variables to groups. These variables can be used by /usr/bin/ansible-playbook, but not +/usr/bin/ansible:: + + [atlanta] + host1 + host2 + + [raleigh] + host2 + host3 + + [southeast:children] + atlanta + raleigh + + [southeast:vars] + some_server=foo.southeast.example.com + halon_system_timeout=30 + self_destruct_countdown=60 + escape_pods=2 + + [usa:children] + southeast + northeast + southwest + southeast + +If you need to store lists or hash data, or prefer to keep host and group specific variables +separate from the inventory file, see the next section. + +Splitting Out Host and Group Specific Data +++++++++++++++++++++++++++++++++++++++++++ + +.. versionadded:: 0.6 + +In addition to the storing variables directly in the INI file, host +and group variables can be stored in individual files relative to the +inventory file. These variable files are in YAML format. + +Assuming the inventory file path is:: + + /etc/ansible/hosts + +If the host is named 'foosball', and in groups 'raleigh' and 'webservers', variables +in YAML files at the following locations will be made available to the host:: + + /etc/ansible/group_vars/raleigh + /etc/ansible/group_vars/webservers + /etc/ansible/host_vars/foosball + +For instance, suppose you have hosts grouped by datacenter, and each datacenter +uses some different servers. The data in the groupfile '/etc/ansible/group_vars/raleigh' for +the 'raleigh' group might look like:: + + --- + ntp_server: acme.example.org + database_server: storage.example.org + +It is ok if these files do not exist, this is an optional feature. + +Tip: In Ansible 1.2 or later the group_vars/ and host_vars/ directories can exist in either +the playbook directory OR the inventory directory. If both paths exist, variables in the playbook +directory will be loaded second. + +Tip: Keeping your inventory file and variables in a git repo (or other version control) +is an excellent way to track changes to your inventory and host variables. + +.. versionadded:: 0.5 + If you ever have two python interpreters on a system, or your Python version 2 interpreter is not found + at /usr/bin/python, set an inventory variable called 'ansible_python_interpreter' to the Python + interpreter path you would like to use. + +.. seealso:: + + :doc:`examples` + Examples of basic commands + :doc:`playbooks` + Learning ansible's configuration management language + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + `irc.freenode.net `_ + #ansible IRC chat channel + diff --git a/docsite/latest/rst/intro_patterns.rst b/docsite/latest/rst/intro_patterns.rst new file mode 100644 index 0000000000..6094406f16 --- /dev/null +++ b/docsite/latest/rst/intro_patterns.rst @@ -0,0 +1,281 @@ +.. _patterns: + +Inventory & Patterns +==================== + +Ansible works against multiple systems in your infrastructure at the +same time. It does this by selecting portions of systems listed in +Ansible's inventory file, which defaults to /etc/ansible/hosts. + +.. contents:: + :depth: 2 + +.. _inventoryformat: + +Hosts and Groups +++++++++++++++++ + +The format for /etc/ansible/hosts is an INI format and looks like this:: + + mail.example.com + + [webservers] + foo.example.com + bar.example.com + + [dbservers] + one.example.com + two.example.com + three.example.com + +The things in brackets are group names. You don't have to have them, +but they are useful. + +If you have hosts that run on non-standard SSH ports you can put the port number +after the hostname with a colon. Ports listed in any SSH config file won't be read, +so it is important that you set them if things are not running on the default port:: + + badwolf.example.com:5309 + +Suppose you have just static IPs and want to set up some aliases that don't live in your host file, or you are connecting through tunnels. You can do things like this:: + + jumper ansible_ssh_port=5555 ansible_ssh_host=192.168.1.50 + +In the above example, trying to ansible against the host alias "jumper" (which may not even be a real hostname) will contact 192.168.1.50 on port 5555. + +Adding a lot of hosts? In 0.6 and later, if you have a lot of hosts following similar patterns you can do this rather than listing each hostname:: + + [webservers] + www[01:50].example.com + + +In 1.0 and later, you can also do this for alphabetic ranges:: + + [databases] + db-[a:f].example.com + +For numeric patterns, leading zeros can be included or removed, as desired. Ranges are inclusive. + +In 1.1 and later, you can also select the connection type and user on a per host basis:: + + [targets] + + localhost ansible_connection=local + other1.example.com ansible_connection=ssh ansible_ssh_user=mpdehaan + other2.example.com ansible_connection=ssh ansible_ssh_user=mdehaan + +All of these variables can of course also be set outside of the inventory file, in 'host_vars' if you wish +to keep your inventory file simple. + +List of Reserved Inventory Parameters ++++++++++++++++++++++++++++++++++++++ + +As a summary, you can set these parameters as host inventory variables. (Some we have already +mentioned). + +ansible_ssh_host + The name of the host to connect to, if different from the alias you wish to give to it. +ansible_ssh_port + The ssh port number, if not 22 +ansible_ssh_user + The default ssh user name to use. +ansible_ssh_pass + The ssh password to use (this is insecure, we strongly recommend using --ask-pass or SSH keys) +ansible_connection + Connection type of the host. Candidates are local, ssh or paramiko. The default is paramiko before Ansible 1.2, and 'smart' afterwards which detects whether usage of 'ssh' would be feasible based on whether ControlPersist is supported. +ansible_ssh_private_key_file + Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent. +ansible_syslog_facility + The syslog facility to log to. +ansible_python_interpreter + The target host python path. This is userful for systems with more + than one Python or not located at "/usr/bin/python" such as \*BSD, or where /usr/bin/python + is not a 2.X series Python. +ansible\_\*\_interpreter + Works for anything such as ruby or perl and works just like ansible_python_interpreter. + This replaces shebang of modules which will run on that host. + +Examples from a host file:: + + some_host ansible_ssh_port=2222 ansible_ssh_user=manager + aws_host ansible_ssh_private_key_file=/home/example/.ssh/aws.pem + freebsd_host ansible_python_interpreter=/usr/local/bin/python + ruby_module_host ansible_ruby_interpreter=/usr/bin/ruby.1.9.3 + + +Selecting Targets ++++++++++++++++++ + +We'll go over how to use the command line in :doc:`examples` section, however, basically it looks like this:: + + ansible -m -a + +Such as:: + + ansible webservers -m service -a "name=httpd state=restarted" + +Within :doc:`playbooks`, these patterns can be used for even greater purposes. + +Anyway, to use Ansible, you'll first need to know how to tell Ansible which hosts in your inventory file to talk to. +This is done by designating particular host names or groups of hosts. + +The following patterns target all hosts in the inventory file:: + + all + * + +Basically 'all' is an alias for '*'. It is also possible to address a specific host or hosts:: + + one.example.com + one.example.com:two.example.com + 192.168.1.50 + 192.168.1.* + +The following patterns address one or more groups, which are denoted +with the aforementioned bracket headers in the inventory file:: + + webservers + webservers:dbservers + +You can exclude groups as well, for instance, all webservers not in Phoenix:: + + webservers:!phoenix + +You can also specify the intersection of two groups:: + + webservers:&staging + +You can do combinations:: + + webservers:dbservers:!phoenix:&staging + +You can also use variables:: + + webservers:!{{excluded}}:&{{required}} + +Individual host names, IPs and groups, can also be referenced using +wildcards:: + + *.example.com + *.com + +It's also ok to mix wildcard patterns and groups at the same time:: + + one*.com:dbservers + +And if the pattern starts with a '~' it is treated as a regular expression:: + + ~(web|db).*\.example\.com + +Easy enough. See :doc:`examples` and then :doc:`playbooks` for how to do things to selected hosts. + +Host Variables +++++++++++++++ + +It is easy to assign variables to hosts that will be used later in playbooks:: + + [atlanta] + host1 http_port=80 maxRequestsPerChild=808 + host2 http_port=303 maxRequestsPerChild=909 + + +Group Variables ++++++++++++++++ + +Variables can also be applied to an entire group at once:: + + [atlanta] + host1 + host2 + + [atlanta:vars] + ntp_server=ntp.atlanta.example.com + proxy=proxy.atlanta.example.com + +Groups of Groups, and Group Variables ++++++++++++++++++++++++++++++++++++++ + +It is also possible to make groups of groups and assign +variables to groups. These variables can be used by /usr/bin/ansible-playbook, but not +/usr/bin/ansible:: + + [atlanta] + host1 + host2 + + [raleigh] + host2 + host3 + + [southeast:children] + atlanta + raleigh + + [southeast:vars] + some_server=foo.southeast.example.com + halon_system_timeout=30 + self_destruct_countdown=60 + escape_pods=2 + + [usa:children] + southeast + northeast + southwest + southeast + +If you need to store lists or hash data, or prefer to keep host and group specific variables +separate from the inventory file, see the next section. + +Splitting Out Host and Group Specific Data +++++++++++++++++++++++++++++++++++++++++++ + +.. versionadded:: 0.6 + +In addition to the storing variables directly in the INI file, host +and group variables can be stored in individual files relative to the +inventory file. These variable files are in YAML format. + +Assuming the inventory file path is:: + + /etc/ansible/hosts + +If the host is named 'foosball', and in groups 'raleigh' and 'webservers', variables +in YAML files at the following locations will be made available to the host:: + + /etc/ansible/group_vars/raleigh + /etc/ansible/group_vars/webservers + /etc/ansible/host_vars/foosball + +For instance, suppose you have hosts grouped by datacenter, and each datacenter +uses some different servers. The data in the groupfile '/etc/ansible/group_vars/raleigh' for +the 'raleigh' group might look like:: + + --- + ntp_server: acme.example.org + database_server: storage.example.org + +It is ok if these files do not exist, this is an optional feature. + +Tip: In Ansible 1.2 or later the group_vars/ and host_vars/ directories can exist in either +the playbook directory OR the inventory directory. If both paths exist, variables in the playbook +directory will be loaded second. + +Tip: Keeping your inventory file and variables in a git repo (or other version control) +is an excellent way to track changes to your inventory and host variables. + +.. versionadded:: 0.5 + If you ever have two python interpreters on a system, or your Python version 2 interpreter is not found + at /usr/bin/python, set an inventory variable called 'ansible_python_interpreter' to the Python + interpreter path you would like to use. + +.. seealso:: + + :doc:`examples` + Examples of basic commands + :doc:`playbooks` + Learning ansible's configuration management language + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + `irc.freenode.net `_ + #ansible IRC chat channel + diff --git a/docsite/latest/rst/playbooks_acceleration.rst b/docsite/latest/rst/playbooks_acceleration.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_acceleration.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/bestpractices.rst b/docsite/latest/rst/playbooks_best_practices similarity index 100% rename from docsite/latest/rst/bestpractices.rst rename to docsite/latest/rst/playbooks_best_practices diff --git a/docsite/latest/rst/playbooks_checkmode.rst b/docsite/latest/rst/playbooks_checkmode.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_checkmode.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_delegation.rst b/docsite/latest/rst/playbooks_delegation.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_delegation.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_environment.rst b/docsite/latest/rst/playbooks_environment.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_environment.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_error_handling.rst b/docsite/latest/rst/playbooks_error_handling.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_error_handling.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_facts.rst b/docsite/latest/rst/playbooks_facts.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_facts.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_lookups.rst b/docsite/latest/rst/playbooks_lookups.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_lookups.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_loops.rst b/docsite/latest/rst/playbooks_loops.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_loops.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_prompts.rst b/docsite/latest/rst/playbooks_prompts.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_prompts.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_roles.rst b/docsite/latest/rst/playbooks_roles.rst new file mode 100644 index 0000000000..93aacc8492 --- /dev/null +++ b/docsite/latest/rst/playbooks_roles.rst @@ -0,0 +1,674 @@ +Playbooks +========= + +.. contents:: + :depth: 2 + +Introduction +```````````` + +Playbooks are a completely different way to use ansible than in task execution mode, and are +particularly powerful. Simply put, playbooks are the basis for a really simple +configuration management and multi-machine deployment system, +unlike any that already exist, and one that is very well suited to deploying complex applications. + +Playbooks can declare configurations, but they can also orchestrate steps of +any manual ordered process, even as different steps must bounce back and forth +between sets of machines in particular orders. They can launch tasks +synchronously or asynchronously. + +While you might run the main /usr/bin/ansible program for ad-hoc +tasks, playbooks are more likely to be kept in source control and used +to push out your configuration or assure the configurations of your +remote systems are in spec. + +Let's dive in and see how they work. As you go, you may wish to open +the `github examples directory `_ in +another tab, so you can apply the theory to what things look like in practice. + +There are also some full sets of playbooks illustrating a lot of these techniques in the +`ansible-examples repository `_. + +Playbook Language Example +````````````````````````` + +Playbooks are expressed in YAML format and have a minimum of syntax. +Each playbook is composed of one or more 'plays' in a list. + +The goal of a play is to map a group of hosts to some well defined roles, represented by +things ansible calls tasks. At a basic level, a task is nothing more than a call +to an ansible module, which you should have learned about in earlier chapters. + +By composing a playbook of multiple 'plays', it is possible to +orchestrate multi-machine deployments, running certain steps on all +machines in the webservers group, then certain steps on the database +server group, then more commands back on the webservers group, etc. + +For starters, here's a playbook that contains just one play:: + + --- + - hosts: webservers + vars: + http_port: 80 + max_clients: 200 + remote_user: root + tasks: + - name: ensure apache is at the latest version + yum: pkg=httpd state=latest + - name: write the apache config file + template: src=/srv/httpd.j2 dest=/etc/httpd.conf + notify: + - restart apache + - name: ensure apache is running + service: name=httpd state=started + handlers: + - name: restart apache + service: name=httpd state=restarted + +Below, we'll break down what the various features of the playbook language are. + +Basics +`````` + +Hosts and Users ++++++++++++++++ + +For each play in a playbook, you get to choose which machines in your infrastructure +to target and what remote user to complete the steps (called tasks) as. + +The `hosts` line is a list of one or more groups or host patterns, +separated by colons, as described in the :ref:`patterns` +documentation. The `remote_user` is just the name of the user account:: + + --- + - hosts: webservers + remote_user: root + +.. Note:: + + The `remote_user` parameter was formerly called just `user`. It was renamed in Ansible 1.4 to make it more distinguishable from the `user` module (used to create users on remote systems). + +Support for running things from sudo is also available:: + + --- + - hosts: webservers + remote_user: yourname + sudo: yes + +You can also use sudo on a particular task instead of the whole play:: + + --- + - hosts: webservers + remote_user: yourname + tasks: + - service: name=nginx state=started + sudo: yes + + +You can also login as you, and then sudo to different users than root:: + + --- + - hosts: webservers + remote_user: yourname + sudo: yes + sudo_user: postgres + +If you need to specify a password to sudo, run `ansible-playbook` with ``--ask-sudo-pass`` (`-K`). +If you run a sudo playbook and the playbook seems to hang, it's probably stuck at the sudo prompt. +Just `Control-C` to kill it and run it again with `-K`. + +.. important:: + + When using `sudo_user` to a user other than root, the module + arguments are briefly written into a random tempfile in /tmp. + These are deleted immediately after the command is executed. This + only occurs when sudoing from a user like 'bob' to 'timmy', not + when going from 'bob' to 'root', or logging in directly as 'bob' or + 'root'. If this concerns you that this data is briefly readable + (not writeable), avoid transferring uncrypted passwords with + `sudo_user` set. In other cases, '/tmp' is not used and this does + not come into play. Ansible also takes care to not log password + parameters. + +Vars section +++++++++++++ + +The `vars` section contains a list of variables and values that can be used in the plays, like this:: + + --- + - hosts: webservers + remote_user: root + vars: + http_port: 80 + van_halen_port: 5150 + other: 'magic' + +.. note:: + You can also keep variables in separate files and include them alongside inline `vars` with a `vars_files` declaration + in the play. See the `Advanced Playbooks chapter `_ + for more info. + +These variables can be used later in the playbook like this:: + + {{ varname }} + +Variables are passed through the Jinja2 templating engine. Any valid Jinja2 +expression can be used between the curly braces, including the use of filters +to modify the variable (for example, `{{ varname|int }}` ensures the variable is +interpreted as an integer). + +Jinja2 expressions are very similar to Python and even if you are not working +with Python you should feel comfortable with them. See the `Jinja2 documentation +`_ to learn more about the syntax. +Please note that Jinja2 loops and conditionals are only useful in Ansible +templates, not in playbooks. Use the 'when' and 'with' keywords for +conditionals and loops in Ansible playbooks. + +If there are discovered variables about the system, called 'facts', these variables bubble up back into the playbook, and can be used on each system just like explicitly set variables. Ansible provides several +of these, prefixed with 'ansible', which are documented under 'setup' in the module documentation. Additionally, +facts can be gathered by ohai and facter if they are installed. Facter variables are prefixed with ``facter_`` and Ohai variables are prefixed with ``ohai_``. These add extra dependencies and are only there for ease of users +porting over from those other configuration systems. Finally, it's possible to drop files +on to the remote systems that provide additional sources of fact data, see "Facts.d" as documented +in the Advanced Playbooks section. + +How about an example. If I wanted to write the hostname into the /etc/motd file, I could say:: + + - name: write the motd + template: src=/srv/templates/motd.j2 dest=/etc/motd + +And in /srv/templates/motd.j2:: + + You are logged into {{ facter_hostname }} + +But we're getting ahead of ourselves, as that just showed a task in a playbook ahead of schedule. Let's talk about tasks. + +Tasks list +++++++++++ + +Each play contains a list of tasks. Tasks are executed in order, one +at a time, against all machines matched by the host pattern, +before moving on to the next task. It is important to understand that, within a play, +all hosts are going to get the same task directives. It is the purpose of a play to map +a selection of hosts to tasks. + +When running the playbook, which runs top to bottom, hosts with failed tasks are +taken out of the rotation for the entire playbook. If things fail, simply correct the playbook file and rerun. + +The goal of each task is to execute a module, with very specific arguments. +Variables, as mentioned above, can be used in arguments to modules. + +Modules are 'idempotent', meaning if you run them +again, they will make only the changes they must in order to bring the +system to the desired state. This makes it very safe to rerun +the same playbook multiple times. They won't change things +unless they have to change things. + +The `command` and `shell` modules will typically rerun the same command again, +which is totally ok if the command is something like +'chmod' or 'setsebool', etc. Though there is a 'creates' flag available which can +be used to make these modules also idempotent. + +Every task should have a `name`, which is included in the output from +running the playbook. This is output for humans, so it is +nice to have reasonably good descriptions of each task step. If the name +is not provided though, the string fed to 'action' will be used for +output. + +Tasks can be declared using the legacy "action: module options" format, but +it is recommeded that you use the more conventional "module: options" format. +This recommended format is used throughout the documentation, but you may +encounter the older format in some playbooks. + +Here is what a basic task looks like, as with most modules, +the service module takes key=value arguments:: + + tasks: + - name: make sure apache is running + service: name=httpd state=running + +The `command` and `shell` modules are the one modules that just takes a list +of arguments, and don't use the key=value form. This makes +them work just like you would expect. Simple:: + + tasks: + - name: disable selinux + command: /sbin/setenforce 0 + +The command and shell module care about return codes, so if you have a command +whose successful exit code is not zero, you may wish to do this:: + + tasks: + - name: run this command and ignore the result + shell: /usr/bin/somecommand || /bin/true + +Or this:: + + tasks: + - name: run this command and ignore the result + shell: /usr/bin/somecommand + ignore_errors: True + + +If the action line is getting too long for comfort you can break it on +a space and indent any continuation lines:: + + tasks: + - name: Copy ansible inventory file to client + copy: src=/etc/ansible/hosts dest=/etc/ansible/hosts + owner=root group=root mode=0644 + +Variables can be used in action lines. Suppose you defined +a variable called 'vhost' in the 'vars' section, you could do this:: + + tasks: + - name: create a virtual host file for {{ vhost }} + template: src=somefile.j2 dest=/etc/httpd/conf.d/{{ vhost }} + +Those same variables are usable in templates, which we'll get to later. + +Now in a very basic playbook all the tasks will be listed directly in that play, though it will usually +make more sense to break up tasks using the 'include:' directive. We'll show that a bit later. + +Action Shorthand +```````````````` + +.. versionadded:: 0.8 + +Ansible prefers listing modules like this in 0.8 and later:: + + template: src=templates/foo.j2 dest=/etc/foo.conf + +You will notice in earlier versions, this was only available as:: + + action: template src=templates/foo.j2 dest=/etc/foo.conf + +The old form continues to work in newer versions without any plan of deprecation. + +Running Operations On Change +```````````````````````````` + +As we've mentioned, modules are written to be 'idempotent' and can relay when +they have made a change on the remote system. Playbooks recognize this and +have a basic event system that can be used to respond to change. + +These 'notify' actions are triggered at the end of each block of tasks in a playbook, and will only be +triggered once even if notified by multiple different tasks. + +For instance, multiple resources may indicate +that apache needs to be restarted because they have changed a config file, +but apache will only be bounced once to avoid unneccessary restarts. + +Here's an example of restarting two services when the contents of a file +change, but only if the file changes:: + + - name: template configuration file + template: src=template.j2 dest=/etc/foo.conf + notify: + - restart memcached + - restart apache + +The things listed in the 'notify' section of a task are called +handlers. + +Handlers are lists of tasks, not really any different from regular +tasks, that are referenced by name. Handlers are what notifiers +notify. If nothing notifies a handler, it will not run. Regardless +of how many things notify a handler, it will run only once, after all +of the tasks complete in a particular play. + +Here's an example handlers section:: + + handlers: + - name: restart memcached + service: name=memcached state=restarted + - name: restart apache + service: name=apache state=restarted + +Handlers are best used to restart services and trigger reboots. You probably +won't need them for much else. + +.. note:: + Notify handlers are always run in the order written. + +Roles are described later on. It's worthwhile to point out that handlers are +automatically processed between 'pre_tasks', 'roles', 'tasks', and 'post_tasks' +sections. If you ever want to flush all the handler commands immediately though, +in 1.2 and later, you can:: + + tasks: + - shell: some tasks go here + - meta: flush_handlers + - shell: some other tasks + +In the above example any queued up handlers would be processed early when the 'meta' +statement was reached. This is a bit of a niche case but can come in handy from +time to time. + +Task Include Files And Encouraging Reuse +```````````````````````````````````````` + +Suppose you want to reuse lists of tasks between plays or playbooks. You can use +include files to do this. Use of included task lists is a great way to define a role +that system is going to fulfill. Remember, the goal of a play in a playbook is to map +a group of systems into multiple roles. Let's see what this looks like... + +A task include file simply contains a flat list of tasks, like so:: + + --- + # possibly saved as tasks/foo.yml + - name: placeholder foo + command: /bin/foo + - name: placeholder bar + command: /bin/bar + +Include directives look like this, and can be mixed in with regular tasks in a playbook:: + + tasks: + - include: tasks/foo.yml + +You can also pass variables into includes. We call this a 'parameterized include'. + +For instance, if deploying multiple wordpress instances, I could +contain all of my wordpress tasks in a single wordpress.yml file, and use it like so:: + + tasks: + - include: wordpress.yml user=timmy + - include: wordpress.yml user=alice + - include: wordpress.yml user=bob + +Variables passed in can then be used in the included files. You can reference them like this:: + + {{ user }} + +(In addition to the explicitly passed-in parameters, all variables from +the vars section are also available for use here as well.) + +Starting in 1.0, variables can also be passed to include files using an alternative syntax, +which also supports structured variables:: + + tasks: + + - include: wordpress.yml + vars: + remote_user: timmy + some_list_variable: + - alpha + - beta + - gamma + +Playbooks can include other playbooks too, but that's mentioned in a later section. + +.. note:: + As of 1.0, task include statements can be used at arbitrary depth. + They were previously limited to a single level, so task includes + could not include other files containing task includes. + +Includes can also be used in the 'handlers' section, for instance, if you +want to define how to restart apache, you only have to do that once for all +of your playbooks. You might make a handlers.yml that looks like:: + + --- + # this might be in a file like handlers/handlers.yml + - name: restart apache + service: name=apache state=restarted + +And in your main playbook file, just include it like so, at the bottom +of a play:: + + handlers: + - include: handlers/handlers.yml + +You can mix in includes along with your regular non-included tasks and handlers. + +Includes can also be used to import one playbook file into another. This allows +you to define a top-level playbook that is composed of other playbooks. + +For example:: + + - name: this is a play at the top level of a file + hosts: all + remote_user: root + tasks: + - name: say hi + tags: foo + shell: echo "hi..." + + - include: load_balancers.yml + - include: webservers.yml + - include: dbservers.yml + +Note that you cannot do variable substitution when including one playbook +inside another. + +.. note:: + You can not conditionally path the location to an include file, + like you can with 'vars_files'. If you find yourself needing to do + this, consider how you can restructure your playbook to be more + class/role oriented. This is to say you cannot use a 'fact' to + decide what include file to use. All hosts contained within the + play are going to get the same tasks. ('*when*' provides some + ability for hosts to conditionally skip tasks). + +.. _roles: + +Roles +````` + +.. versionadded:: 1.2 + +Now that you have learned about vars_files, tasks, and handlers, what is the best way to organize your playbooks? +The short answer is to use roles! Roles are ways of automatically loading certain vars_files, tasks, and +handlers based on a known file structure. Grouping content by roles also allows easy sharing of roles with other users. + +Roles are just automation around 'include' directives as redescribed above, and really don't contain much +additional magic beyond some improvements to search path handling for referenced files. However, that can be a big thing! + +Example project structure:: + + site.yml + webservers.yml + fooservers.yml + roles/ + common/ + files/ + templates/ + tasks/ + handlers/ + vars/ + meta/ + webservers/ + files/ + templates/ + tasks/ + handlers/ + vars/ + meta/ + +In a playbook, it would look like this:: + + --- + - hosts: webservers + roles: + - common + - webservers + +This designates the following behaviors, for each role 'x': + +- If roles/x/tasks/main.yml exists, tasks listed therein will be added to the play +- If roles/x/handlers/main.yml exists, handlers listed therein will be added to the play +- If roles/x/vars/main.yml exists, variables listed therein will be added to the play +- If roles/x/meta/main.yml exists, any role dependencies listed therein will be added to the list of roles (1.3 and later) +- Any copy tasks can reference files in roles/x/files/ without having to path them relatively or absolutely +- Any script tasks can reference scripts in roles/x/files/ without having to path them relatively or absolutely +- Any template tasks can reference files in roles/x/templates/ without having to path them relatively or absolutely + +.. note:: + Role dependencies are discussed below. + +If any files are not present, they are just ignored. So it's ok to not have a 'vars/' subdirectory for the role, +for instance. + +Note, you are still allowed to list tasks, vars_files, and handlers "loose" in playbooks without using roles, +but roles are a good organizational feature and are highly recommended. if there are loose things in the playbook, +the roles are evaluated first. + +Also, should you wish to parameterize roles, by adding variables, you can do so, like this:: + + --- + - hosts: webservers + roles: + - common + - { role: foo_app_instance, dir: '/opt/a', port: 5000 } + - { role: foo_app_instance, dir: '/opt/b', port: 5001 } + +While it's probably not something you should do often, you can also conditionally apply roles like so:: + + --- + - hosts: webservers + roles: + - { role: some_role, when: "ansible_os_family == 'RedHat'" } + +This works by applying the conditional to every task in the role. Conditionals are covered later on in +the documentation. + +Finally, you may wish to assign tags to the roles you specify. You can do so inline::: + + --- + - hosts: webservers + roles: + - { role: foo, tags: ["bar", "baz"] } + + +If the play still has a 'tasks' section, those tasks are executed after roles are applied. + +If you want to define certain tasks to happen before AND after roles are applied, you can do this:: + + --- + - hosts: webservers + pre_tasks: + - shell: echo 'hello' + roles: + - { role: some_role } + tasks: + - shell: echo 'still busy' + post_tasks: + - shell: echo 'goodbye' + +.. note:: + If using tags with tasks (described later as a means of only running part of a playbook), + be sure to also tag your pre_tasks and post_tasks and pass those along as well, especially if the pre + and post tasks are used for monitoring outage window control or load balancing. + +Role Default Variables +`````````````````````` + +.. versionadded:: 1.3 + +Role default variables allow you to set default variables for included or dependent roles (see below). To create +defaults, simply add a `defaults/main.yml` file in your role directory. These variables will have the lowest priority +of any variables available, and can be easily overridden by any other variable, including inventory variables. + +Role Dependencies +````````````````` + +.. versionadded:: 1.3 + +Role dependencies allow you to automatically pull in other roles when using a role. Role dependencies are stored in the +`meta/main.yml` file contained within the role directory. This file should contain +a list of roles and parameters to insert before the specified role, such as the following in an example +`roles/myapp/meta/main.yml`:: + + --- + dependencies: + - { role: common, some_parameter: 3 } + - { role: apache, port: 80 } + - { role: postgres, dbname: blarg, other_parameter: 12 } + +Role dependencies can also be specified as a full path, just like top level roles:: + + --- + dependencies: + - { role: '/path/to/common/roles/foo', x: 1 } + +Roles dependencies are always executed before the role that includes them, and are recursive. By default, +roles can also only be added as a dependency once - if another role also lists it as a dependency it will +not be run again. This behavior can be overridden by adding `allow_duplicates: yes` to the `meta/main.yml` file. +For example, a role named 'car' could add a role named 'wheel' to its dependencies as follows:: + + --- + dependencies: + - { role: wheel, n: 1 } + - { role: wheel, n: 2 } + - { role: wheel, n: 3 } + - { role: wheel, n: 4 } + +And the `meta/main.yml` for wheel contained the following:: + + --- + allow_duplicates: yes + dependencies: + - { role: tire } + - { role: brake } + +The resulting order of execution would be as follows:: + + tire(n=1) + brake(n=1) + wheel(n=1) + tire(n=2) + brake(n=2) + wheel(n=2) + ... + car + +.. note:: + Variable inheritance and scope are detailed in the Advanced Playbook section. + +Executing A Playbook +```````````````````` + +Now that you've learned playbook syntax, how do you run a playbook? It's simple. +Let's run a playbook using a parallelism level of 10:: + + ansible-playbook playbook.yml -f 10 + +Tips and Tricks +``````````````` + +Look at the bottom of the playbook execution for a summary of the nodes that were targeted +and how they performed. General failures and fatal "unreachable" communication attempts are +kept separate in the counts. + +If you ever want to see detailed output from successful modules as well as unsuccessful ones, +use the '--verbose' flag. This is available in Ansible 0.5 and later. + +Also, in version 0.5 and later, Ansible playbook output is vastly upgraded if the cowsay +package is installed. Try it! + +In version 0.7 and later, to see what hosts would be affected by a playbook before you run it, you +can do this:: + + ansible-playbook playbook.yml --list-hosts. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic Playbook language features + :doc:`playbooks2` + Learn about Advanced Playbook Features + :doc:`bestpractices` + Various tips about managing playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_strategies.rst b/docsite/latest/rst/playbooks_strategies.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_strategies.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_tags.rst b/docsite/latest/rst/playbooks_tags.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_tags.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + + diff --git a/docsite/latest/rst/playbooks_variables.rst b/docsite/latest/rst/playbooks_variables.rst new file mode 100644 index 0000000000..8d3777bdbd --- /dev/null +++ b/docsite/latest/rst/playbooks_variables.rst @@ -0,0 +1,1330 @@ +Advanced Playbooks +================== + +Here are some advanced features of the playbooks language. Using all of these features +is not necessary, but many of them will prove useful. If a feature doesn't seem immediately +relevant, feel free to skip it. For many people, the features documented in `playbooks` will +be 90% or more of what they use in Ansible. + +.. contents:: + :depth: 2 + +Tags +```` + +.. versionadded:: 0.6 + +If you have a large playbook it may become useful to be able to run a +specific part of the configuration. Both plays and tasks support a +"tags:" attribute for this reason. + +Example:: + + tasks: + + - yum: name={{ item }} state=installed + with_items: + - httpd + - memcached + tags: + - packages + + - template: src=templates/src.j2 dest=/etc/foo.conf + tags: + - configuration + +If you wanted to just run the "configuration" and "packages" part of a very long playbook, you could do this:: + + ansible-playbook example.yml --tags "configuration,packages" + +Playbooks Including Playbooks +````````````````````````````` + +.. versionadded:: 0.6 + +To further advance the concept of include files, playbook files can +include other playbook files. Suppose you define the behavior of all +your webservers in "webservers.yml" and all your database servers in +"dbservers.yml". You can create a "site.yml" that would reconfigure +all of your systems like this:: + + --- + - include: playbooks/webservers.yml + - include: playbooks/dbservers.yml + +This concept works great with tags to rapidly select exactly what plays you want to run, and exactly +what parts of those plays. + +Ignoring Failed Commands +```````````````````````` + +.. versionadded:: 0.6 + +Generally playbooks will stop executing any more steps on a host that +has a failure. Sometimes, though, you want to continue on. To do so, +write a task that looks like this:: + + - name: this will not be counted as a failure + command: /bin/false + ignore_errors: yes + +Overriding Changed Result +````````````````````````` + +.. versionadded:: 1.3 + +When a shell/command or other module runs it will typically report +"changed" status based on whether it thinks it affected machine state. + +Sometimes you will know, based on the return code +or output that it did not make any changes, and wish to override +the "changed" result such that it does not appear in report output or +does not cause handlers to fire:: + + tasks: + + - shell: /usr/bin/billybass --mode="take me to the river" + register: bass_result + changed_when: "bass_result.rc != 2" + + # this will never report 'changed' status + - shell: wall 'beep' + +Accessing Complex Variable Data +``````````````````````````````` + +Some provided facts, like networking information, are made available as nested data structures. To access +them a simple {{ foo }} is not sufficient, but it is still easy to do. Here's how we get an IP address:: + + {{ ansible_eth0["ipv4"]["address"] }} + +Similarly, this is how we access the first element of an array:: + + {{ foo[0] }} + +Magic Variables, and How To Access Information About Other Hosts +```````````````````````````````````````````````````````````````` + +Even if you didn't define them yourself, Ansible provides a few variables for you automatically. +The most important of these are 'hostvars', 'group_names', and 'groups'. Users should not use +these names themselves as they are reserved. 'environment' is also reserved. + +Hostvars lets you ask about the variables of another host, including facts that have been gathered +about that host. If, at this point, you haven't talked to that host yet in any play in the playbook +or set of playbooks, you can get at the variables, but you will not be able to see the facts. + +If your database server wants to use the value of a 'fact' from another node, or an inventory variable +assigned to another node, it's easy to do so within a template or even an action line:: + + {{ hostvars['test.example.com']['ansible_distribution'] }} + +Additionally, *group_names* is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host:: + + {% if 'webserver' in group_names %} + # some part of a configuration file that only applies to webservers + {% endif %} + +*groups* is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group. +For example:: + + {% for host in groups['app_servers'] %} + # something that applies to all app servers. + {% endfor %} + +A frequently used idiom is walking a group to find all IP addresses in that group:: + + {% for host in groups['app_servers'] %} + {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} + {% endfor %} + +An example of this could include pointing a frontend proxy server to all of the app servers, setting up the correct firewall rules between servers, etc. + +Just a few other 'magic' variables are available... There aren't many. + +Additionally, *inventory_hostname* is the name of the hostname as configured in Ansible's inventory host file. This can +be useful for when you don't want to rely on the discovered hostname `ansible_hostname` or for other mysterious +reasons. If you have a long FQDN, *inventory_hostname_short* also contains the part up to the first +period, without the rest of the domain. + +Don't worry about any of this unless you think you need it. You'll know when you do. + +Also available, *inventory_dir* is the pathname of the directory holding Ansible's inventory host file, *inventory_file* is the pathname and the filename pointing to the Ansible's inventory host file. + +Variable File Separation +```````````````````````` + +It's a great idea to keep your playbooks under source control, but +you may wish to make the playbook source public while keeping certain +important variables private. Similarly, sometimes you may just +want to keep certain information in different files, away from +the main playbook. + +You can do this by using an external variables file, or files, just like this:: + + --- + - hosts: all + remote_user: root + vars: + favcolor: blue + vars_files: + - /vars/external_vars.yml + tasks: + - name: this is just a placeholder + command: /bin/echo foo + +This removes the risk of sharing sensitive data with others when +sharing your playbook source with them. + +The contents of each variables file is a simple YAML dictionary, like this:: + + --- + # in the above example, this would be vars/external_vars.yml + somevar: somevalue + password: magic + +.. note:: + It's also possible to keep per-host and per-group variables in very + similar files, this is covered in :ref:`patterns`. + +Prompting For Sensitive Data +```````````````````````````` + +You may wish to prompt the user for certain input, and can +do so with the similarly named 'vars_prompt' section. This has uses +beyond security, for instance, you may use the same playbook for all +software releases and would prompt for a particular release version +in a push-script:: + + --- + - hosts: all + remote_user: root + vars: + from: "camelot" + vars_prompt: + name: "what is your name?" + quest: "what is your quest?" + favcolor: "what is your favorite color?" + +There are full examples of both of these items in the github examples/playbooks directory. + +If you have a variable that changes infrequently, it might make sense to +provide a default value that can be overridden. This can be accomplished using +the default argument:: + + vars_prompt: + - name: "release_version" + prompt: "Product release version" + default: "1.0" + +An alternative form of vars_prompt allows for hiding input from the user, and may later support +some other options, but otherwise works equivalently:: + + vars_prompt: + - name: "some_password" + prompt: "Enter password" + private: yes + - name: "release_version" + prompt: "Product release version" + private: no + +If `Passlib `_ is installed, vars_prompt can also crypt the +entered value so you can use it, for instance, with the user module to define a password:: + + vars_prompt: + - name: "my_password2" + prompt: "Enter password2" + private: yes + encrypt: "md5_crypt" + confirm: yes + salt_size: 7 + +You can use any crypt scheme supported by 'Passlib': + +- *des_crypt* - DES Crypt +- *bsdi_crypt* - BSDi Crypt +- *bigcrypt* - BigCrypt +- *crypt16* - Crypt16 +- *md5_crypt* - MD5 Crypt +- *bcrypt* - BCrypt +- *sha1_crypt* - SHA-1 Crypt +- *sun_md5_crypt* - Sun MD5 Crypt +- *sha256_crypt* - SHA-256 Crypt +- *sha512_crypt* - SHA-512 Crypt +- *apr_md5_crypt* - Apache’s MD5-Crypt variant +- *phpass* - PHPass’ Portable Hash +- *pbkdf2_digest* - Generic PBKDF2 Hashes +- *cta_pbkdf2_sha1* - Cryptacular’s PBKDF2 hash +- *dlitz_pbkdf2_sha1* - Dwayne Litzenberger’s PBKDF2 hash +- *scram* - SCRAM Hash +- *bsd_nthash* - FreeBSD’s MCF-compatible nthash encoding + +However, the only parameters accepted are 'salt' or 'salt_size'. You can use you own salt using +'salt', or have one generated automatically using 'salt_size'. If nothing is specified, a salt +of size 8 will be generated. + +Passing Variables On The Command Line +````````````````````````````````````` + +In addition to `vars_prompt` and `vars_files`, it is possible to send variables over +the Ansible command line. This is particularly useful when writing a generic release playbook +where you may want to pass in the version of the application to deploy:: + + ansible-playbook release.yml --extra-vars "version=1.23.45 other_variable=foo" + +This is useful, for, among other things, setting the hosts group or the user for the playbook. + +Example:: + + --- + - remote_user: '{{ user }}' + hosts: '{{ hosts }}' + tasks: + - ... + + ansible-playbook release.yml --extra-vars "hosts=vipers user=starbuck" + +As of Ansible 1.2, you can also pass in extra vars as quoted JSON, like so:: + + --extra-vars '{"pacman":"mrs","ghosts":["inky","pinky","clyde","sue"]}' + +The key=value form is obviously simpler, but it's there if you need it! + +As of Ansible 1.3, extra vars can be loaded from a JSON file with the "@" syntax:: + + --extra-vars "@some_file.json" + +Also as of Ansible 1.3, extra vars can be formatted as YAML, either on the command line +or in a file as above. + +Conditional Execution +````````````````````` + +(Note: this section covers 1.2 conditionals, if you are using a previous version, select +the previous version of the documentation, `Ansible 1.1 Docs `_ . +Those conditional forms continue to be operational in 1.2, although the new mechanisms are cleaner.) + +Sometimes you will want to skip a particular step on a particular host. This could be something +as simple as not installing a certain package if the operating system is a particular version, +or it could be something like performing some cleanup steps if a filesystem is getting full. + +This is easy to do in Ansible, with the `when` clause, which contains a Jinja2 expression (see chapter +`Playbooks `_ for more info). +Don't panic -- it's actually pretty simple:: + + tasks: + - name: "shutdown Debian flavored systems" + command: /sbin/shutdown -t now + when: ansible_os_family == "Debian" + +A number of Jinja2 "filters" can also be used in when statements, some of which are unique +and provided by Ansible. Suppose we want to ignore the error of one statement and then +decide to do something conditionally based on success or failure:: + + tasks: + - command: /bin/false + register: result + ignore_errors: True + - command: /bin/something + when: result|failed + - command: /bin/something_else + when: result|success + - command: /bin/still/something_else + when: result|skipped + + +As a reminder, to see what derived variables are available, you can do:: + + ansible hostname.example.com -m setup + +Tip: Sometimes you'll get back a variable that's a string and you'll want to do a comparison on it. You can do this like so:: + + tasks: + - shell: echo "only on Red Hat 6, derivatives, and later" + when: ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 6 + +Note the above example requires the lsb_release package on the target host in order to return the ansible_lsb.major_release fact. + +Variables defined in the playbooks or inventory can also be used. + +An example may be the execution of a task based on a variable's boolean value:: + + vars: + epic: true + +Then a conditional execution with action on the boolean value of epic being True:: + + tasks: + - shell: echo "This certainly is epic!" + when: epic + +With a boolean value of False:: + + tasks: + - shell: echo "This certainly isn't epic!" + when: not epic + +If a required variable has not been set, you can skip or fail using Jinja2's +`defined` test. For example:: + + tasks: + - shell: echo "I've got '{{ foo }}' and am not afraid to use it!" + when: foo is defined + + - fail: msg="Bailing out: this play requires 'bar'" + when: bar is not defined + +This is especially useful in combination with the conditional import of vars +files (see below). + +It's also easy to provide your own facts if you want, which is covered in :doc:`moduledev`. To run them, just +make a call to your own custom fact gathering module at the top of your list of tasks, and variables returned +there will be accessible to future tasks:: + + tasks: + - name: gather site specific fact data + action: site_facts + - command: echo {{ my_custom_fact_can_be_used_now }} + +One useful trick with *when* is to key off the changed result of a last command. As an example:: + + tasks: + - template: src=/templates/foo.j2 dest=/etc/foo.conf + register: last_result + - command: echo 'the file has changed' + when: last_result.changed + +{{ last_result }} is a variable set by the register directive. This assumes Ansible 0.8 and later. + +When combining `when` with `with_items`, be aware that the `when` statement is processed separately for each item. +This is by design:: + + tasks: + - command: echo {{ item }} + with_items: [ 0, 2, 4, 6, 8, 10 ] + when: item > 5 + +Note that if you have several tasks that all share the same conditional statement, you can affix the conditional +to a task include statement as below. Note this does not work with playbook includes, just task includes. All the tasks +get evaluated, but the conditional is applied to each and every task:: + + - include: tasks/sometasks.yml + when: "'reticulating splines' in output" + +Conditional Imports +``````````````````` + +Sometimes you will want to do certain things differently in a playbook based on certain criteria. +Having one playbook that works on multiple platforms and OS versions is a good example. + +As an example, the name of the Apache package may be different between CentOS and Debian, +but it is easily handled with a minimum of syntax in an Ansible Playbook:: + + --- + - hosts: all + remote_user: root + vars_files: + - "vars/common.yml" + - [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ] + tasks: + - name: make sure apache is running + service: name={{ apache }} state=running + +.. note:: + The variable 'ansible_os_family' is being interpolated into + the list of filenames being defined for vars_files. + +As a reminder, the various YAML files contain just keys and values:: + + --- + # for vars/CentOS.yml + apache: httpd + somethingelse: 42 + +How does this work? If the operating system was 'CentOS', the first file Ansible would try to import +would be 'vars/CentOS.yml', followed by '/vars/os_defaults.yml' if that file +did not exist. If no files in the list were found, an error would be raised. +On Debian, it would instead first look towards 'vars/Debian.yml' instead of 'vars/CentOS.yml', before +falling back on 'vars/os_defaults.yml'. Pretty simple. + +To use this conditional import feature, you'll need facter or ohai installed prior to running the playbook, but +you can of course push this out with Ansible if you like:: + + # for facter + ansible -m yum -a "pkg=facter ensure=installed" + ansible -m yum -a "pkg=ruby-json ensure=installed" + + # for ohai + ansible -m yum -a "pkg=ohai ensure=installed" + +Ansible's approach to configuration -- separating variables from tasks, keeps your playbooks +from turning into arbitrary code with ugly nested ifs, conditionals, and so on - and results +in more streamlined & auditable configuration rules -- especially because there are a +minimum of decision points to track. + +Do-Until +```````` + +Sometimes you would want to retry a task till a certain condition is met, In such conditions the Do/Until feature will help. +Here's an example which show's the syntax to be applied for the task.:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + +The above example run the shell module recursively till the module's result has "all systems go" in it's stdout or the task has +been retried for 5 times with a delay of 10 seconds. The default value for "retries" is 3 and "delay" is 5. + +The task returns the results returned by the last task run. The results of individual retries can be viewed by -vv option. +The results will have a new key "attempts" which will have the number of the retries for the task. + +.. Note:: + + The Do/Until does not take decision on whether to fail or pass the play when the maximum retries are completed, the user can + can do that in the next task as follows. + +Example:: + + - action: shell /usr/bin/foo + register: result + until: register.stdout.find("all systems go") != -1 + retries: 5 + delay: 10 + failed_when: result.attempts == 5 + + +Loops +````` + +To save some typing, repeated tasks can be written in short-hand like so:: + + - name: add several users + user: name={{ item }} state=present groups=wheel + with_items: + - testuser1 + - testuser2 + +If you have defined a YAML list in a variables file, or the 'vars' section, you can also do:: + + with_items: somelist + +The above would be the equivalent of:: + + - name: add user testuser1 + user: name=testuser1 state=present groups=wheel + - name: add user testuser2 + user: name=testuser2 state=present groups=wheel + +The yum and apt modules use with_items to execute fewer package manager transactions. + +Note that the types of items you iterate over with 'with_items' do not have to be simple lists of strings. +If you have a list of hashes, you can reference subkeys using things like:: + + - name: add several users + user: name={{ item.name }} state=present groups={{ item.groups }} + with_items: + - { name: 'testuser1', groups: 'wheel' } + - { name: 'testuser2', groups: 'root' } + +Nested Loops +```````````` + +Loops can be nested as well:: + + - name: give users access to multiple databases + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - [ 'alice', 'bob', 'eve' ] + - [ 'clientdb', 'employeedb', 'providerdb' ] + +As with the case of 'with_items' above, you can use previously defined variables. Just specify the variable's name without templating it with '{{ }}':: + + - name: here, 'users' contains the above list of employees + mysql_user: name={{ item[0] }} priv={{ item[1] }}.*:ALL password=foo + with_nested: + - users + - [ 'clientdb', 'employeedb', 'providerdb' ] + +Lookup Plugins - Accessing Outside Data +``````````````````````````````````````` + +.. versionadded:: 0.8 + +Various *lookup plugins* allow additional ways to iterate over data. Ansible will have more of these +over time. You can write your own, as is covered in the API section. Each typically takes a list and +can accept more than one parameter. + +``with_fileglob`` matches all files in a single directory, non-recursively, that match a pattern. It can +be used like this:: + + --- + - hosts: all + + tasks: + + # first ensure our target directory exists + - file: dest=/etc/fooapp state=directory + + # copy each file over that matches the given pattern + - copy: src={{ item }} dest=/etc/fooapp/ owner=root mode=600 + with_fileglob: + - /playbooks/files/fooapp/* + +``with_file`` loads data in from a file directly:: + + - authorized_key: user=foo key={{ item }} + with_file: + - /home/foo/.ssh/id_rsa.pub + +.. note:: + + When using ``with_fileglob`` or ``with_file`` with :ref:`roles`, if you + specify a relative path (e.g., :file:`./foo`), Ansible resolves the path + relative to the :file:`roles//files` directory. + +.. versionadded:: 0.9 + +Many new lookup abilities were added in 0.9. Remember, lookup plugins are run on the *controlling* machine:: + + --- + - hosts: all + + tasks: + + - debug: msg="{{ lookup('env','HOME') }} is an environment variable" + + - debug: msg="{{ item }} is a line from the result of this command" + with_lines: + - cat /etc/motd + + - debug: msg="{{ lookup('pipe','date') }} is the raw result of running this command" + + - debug: msg="{{ lookup('redis_kv', 'redis://localhost:6379,somekey') }} is value in Redis for somekey" + + - debug: msg="{{ lookup('dnstxt', 'example.com') }} is a DNS TXT record for example.com" + + - debug: msg="{{ lookup('template', './some_template.j2') }} is a value from evaluation of this template" + +As an alternative you can also assign lookup plugins to variables or use them +elsewhere. This macros are evaluated each time they are used in a task (or +template):: + + vars: + motd_value: "{{ lookup('file', '/etc/motd') }}" + + tasks: + - debug: msg="motd value is {{ motd_value }}" + +.. versionadded:: 1.0 + +``with_sequence`` generates a sequence of items in ascending numerical order. You +can specify a start, end, and an optional step value. + +Arguments should be specified in key=value pairs. If supplied, the 'format' is a printf style string. + +Numerical values can be specified in decimal, hexadecimal (0x3f8) or octal (0600). +Negative numbers are not supported. This works as follows:: + + --- + - hosts: all + + tasks: + + # create groups + - group: name=evens state=present + - group: name=odds state=present + + # create some test users + - user: name={{ item }} state=present groups=evens + with_sequence: start=0 end=32 format=testuser%02x + + # create a series of directories with even numbers for some reason + - file: dest=/var/stuff/{{ item }} state=directory + with_sequence: start=4 end=16 stride=2 + + # a simpler way to use the sequence plugin + # create 4 groups + - group: name=group{{ item }} state=present + with_sequence: count=4 + +.. versionadded:: 1.1 + +``with_password`` and associated lookup macro generate a random plaintext password and store it in +a file at a given filepath. Support for crypted save modes (as with vars_prompt) is pending. If the +file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set +up random passwords per host (what simplifies password management in 'host_vars' variables). + +Generated passwords contain a random mix of upper and lowercase ASCII letters, the +numbers 0-9 and punctuation (". , : - _"). The default length of a generated password is 30 characters. +This length can be changed by passing an extra parameter:: + + --- + - hosts: all + + tasks: + + # create a mysql user with a random password: + - mysql_user: name={{ client }} + password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}" + priv={{ client }}_{{ tier }}_{{ role }}.*:ALL + + (...) + + # dump a mysql database with a given password (this example showing the other form). + - mysql_db: name={{ client }}_{{ tier }}_{{ role }} + login_user={{ client }} + login_password={{ item }} + state=dump + target=/tmp/{{ client }}_{{ tier }}_{{ role }}_backup.sql + with_password: credentials/{{ client }}/{{ tier }}/{{ role }}/mysqlpassword length=15 + + (...) + + # create a user with a given password + - user: name=guestuser + state=present + uid=5000 + password={{ item }} + with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt + +Setting the Environment (and Working With Proxies) +`````````````````````````````````````````````````` + +.. versionadded:: 1.1 + +It is quite possible that you may need to get package updates through a proxy, or even get some package +updates through a proxy and access other packages not through a proxy. Ansible makes it easy for you +to configure your environment by using the 'environment' keyword. Here is an example:: + + - hosts: all + remote_user: root + + tasks: + + - apt: name=cobbler state=installed + environment: + http_proxy: http://proxy.example.com:8080 + +The environment can also be stored in a variable, and accessed like so:: + + - hosts: all + remote_user: root + + # here we make a variable named "env" that is a dictionary + vars: + proxy_env: + http_proxy: http://proxy.example.com:8080 + + tasks: + + - apt: name=cobbler state=installed + environment: "{{ proxy_env }}" + +While just proxy settings were shown above, any number of settings can be supplied. The most logical place +to define an environment hash might be a group_vars file, like so:: + + --- + # file: group_vars/boston + + ntp_server: ntp.bos.example.com + backup: bak.bos.example.com + proxy_env: + http_proxy: http://proxy.bos.example.com:8080 + https_proxy: http://proxy.bos.example.com:8080 + +Getting values from files +````````````````````````` + +.. versionadded:: 0.8 + +Sometimes you'll want to include the content of a file directly into a playbook. You can do so using a macro. +This syntax will remain in future versions, though we will also will provide ways to do this via lookup plugins (see "More Loops") as well. What follows +is an example using the authorized_key module, which requires the actual text of the SSH key as a parameter:: + + tasks: + - name: enable key-based ssh access for users + authorized_key: user={{ item }} key="{{ lookup('file', '/keys/' + item ) }}" + with_items: + - pinky + - brain + - snowball + +Selecting Files And Templates Based On Variables +```````````````````````````````````````````````` + +Sometimes a configuration file you want to copy, or a template you will use may depend on a variable. +The following construct selects the first available file appropriate for the variables of a given host, which is often much cleaner than putting a lot of if conditionals in a template. + +The following example shows how to template out a configuration file that was very different between, say, CentOS and Debian:: + + - name: template a file + template: src={{ item }} dest=/etc/myapp/foo.conf + first_available_file: + - /srv/templates/myapp/{{ ansible_distribution }}.conf + - /srv/templates/myapp/default.conf + +first_available_file is only available to the copy and template modules. + +Asynchronous Actions and Polling +```````````````````````````````` + +By default tasks in playbooks block, meaning the connections stay open +until the task is done on each node. If executing playbooks with +a small parallelism value (aka ``--forks``), you may wish that long +running operations can go faster. The easiest way to do this is +to kick them off all at once and then poll until they are done. + +You will also want to use asynchronous mode on very long running +operations that might be subject to timeout. + +To launch a task asynchronously, specify its maximum runtime +and how frequently you would like to poll for status. The default +poll value is 10 seconds if you do not specify a value for `poll`:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op (15 sec), wait for up to 45, poll every 5 + command: /bin/sleep 15 + async: 45 + poll: 5 + +.. note:: + There is no default for the async time limit. If you leave off the + 'async' keyword, the task runs synchronously, which is Ansible's + default. + +Alternatively, if you do not need to wait on the task to complete, you may +"fire and forget" by specifying a poll value of 0:: + + --- + - hosts: all + remote_user: root + tasks: + - name: simulate long running op, allow to run for 45, fire and forget + command: /bin/sleep 15 + async: 45 + poll: 0 + +.. note:: + You shouldn't "fire and forget" with operations that require + exclusive locks, such as yum transactions, if you expect to run other + commands later in the playbook against those same resources. + +.. note:: + Using a higher value for ``--forks`` will result in kicking off asynchronous + tasks even faster. This also increases the efficiency of polling. + +Local Playbooks +``````````````` + +It may be useful to use a playbook locally, rather than by connecting over SSH. This can be useful +for assuring the configuration of a system by putting a playbook on a crontab. This may also be used +to run a playbook inside a OS installer, such as an Anaconda kickstart. + +To run an entire playbook locally, just set the "hosts:" line to "hosts:127.0.0.1" and then run the playbook like so:: + + ansible-playbook playbook.yml --connection=local + +Alternatively, a local connection can be used in a single playbook play, even if other plays in the playbook +use the default remote connection type:: + + hosts: 127.0.0.1 + connection: local + +Turning Off Facts +````````````````` + +If you know you don't need any fact data about your hosts, and know everything about your systems centrally, you +can turn off fact gathering. This has advantages in scaling Ansible in push mode with very large numbers of +systems, mainly, or if you are using Ansible on experimental platforms. In any play, just do this:: + + - hosts: whatever + gather_facts: no + +Pull-Mode Playbooks +``````````````````` + +The use of playbooks in local mode (above) is made extremely powerful with the addition of `ansible-pull`. +A script for setting up ansible-pull is provided in the examples/playbooks directory of the source +checkout. + +The basic idea is to use Ansible to set up a remote copy of Ansible on each managed node, each set to run via +cron and update playbook source via git. This inverts the default push architecture of Ansible into a pull +architecture, which has near-limitless scaling potential. The setup playbook can be tuned to change +the cron frequency, logging locations, and parameters to ansible-pull. + +This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve +logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull. + +Register Variables +`````````````````` + +.. versionadded:: 0.7 + +Often in a playbook it may be useful to store the result of a given command in a variable and access +it later. Use of the command module in this way can in many ways eliminate the need to write site specific facts, for +instance, you could test for the existence of a particular program. + +The 'register' keyword decides what variable to save a result in. The resulting variables can be used in templates, action lines, or *when* statements. It looks like this (in an obviously trivial example):: + + - name: test play + hosts: all + + tasks: + + - shell: cat /etc/motd + register: motd_contents + + - shell: echo "motd contains the word hi" + when: motd_contents.stdout.find('hi') != -1 + +As shown previously, the registered variable's string contents are accessible with the 'stdout' value. +The registered result can be used in the "with_items" of a task if it is converted into +a list (or already is a list) as shown below. "stdout_lines" is already available on the object as +well though you could also call "home_dirs.stdout.split()" if you wanted, and could split by other +fields:: + + - name: registered variable usage as a with_items list + hosts: all + + tasks: + + - name: retrieve the list of home directories + command: ls /home + register: home_dirs + + - name: add home dirs to the backup spooler + file: path=/mnt/bkspool/{{ item }} src=/home/{{ item }} state=link + with_items: home_dirs.stdout_lines + # with_items: home_dirs.stdout.split() + +Rolling Updates +``````````````` + +.. versionadded:: 0.7 + +By default, Ansible will try to manage all of the machines referenced in a play in parallel. For a rolling updates +use case, you can define how many hosts Ansible should manage at a single time by using the ''serial'' keyword:: + + + - name: test play + hosts: webservers + serial: 3 + +In the above example, if we had 100 hosts, 3 hosts in the group 'webservers' +would complete the play completely before moving on to the next 3 hosts. + +Maximum Failure Percentage +`````````````````````````` + +.. versionadded:: 1.3 + +By default, Ansible will continue executing actions as long as there are hosts in the group that have not yet failed. +In some situations, such as with the rolling updates described above, it may be desireable to abort the play when a +certain threshold of failures have been reached. To acheive this, as of version 1.3 you can set a maximum failure +percentage on a play as follows:: + + - hosts: webservers + max_fail_percentage: 30 + serial: 10 + +In the above example, if more than 3 of the 10 servers in the group were to fail, the rest of the play would be aborted. + +.. note:: + + The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort + when 2 of the systems failed, the percentage should be set at 49 rather than 50. + +Delegation +`````````` + +.. versionadded:: 0.7 + +If you want to perform a task on one host with reference to other hosts, use the 'delegate_to' keyword on a task. +This is ideal for placing nodes in a load balanced pool, or removing them. It is also very useful for controlling +outage windows. Using this with the 'serial' keyword to control the number of hosts executing at one time is also +a good idea:: + + --- + - hosts: webservers + serial: 5 + + tasks: + - name: take out of load balancer pool + command: /usr/bin/take_out_of_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + - name: actual steps would go here + yum: name=acme-web-stack state=latest + + - name: add back to load balancer pool + command: /usr/bin/add_back_to_pool {{ inventory_hostname }} + delegate_to: 127.0.0.1 + + +These commands will run on 127.0.0.1, which is the machine running Ansible. There is also a shorthand syntax that +you can use on a per-task basis: 'local_action'. Here is the same playbook as above, but using the shorthand +syntax for delegating to 127.0.0.1:: + + --- + # ... + tasks: + - name: take out of load balancer pool + local_action: command /usr/bin/take_out_of_pool {{ inventory_hostname }} + + # ... + + - name: add back to load balancer pool + local_action: command /usr/bin/add_back_to_pool {{ inventory_hostname }} + +A common pattern is to use a local action to call 'rsync' to recursively copy files to the managed servers. +Here is an example:: + + --- + # ... + tasks: + - name: recursively copy files from management server to target + local_action: command rsync -a /path/to/files {{ inventory_hostname }}:/path/to/target/ + +Note that you must have passphrase-less SSH keys or an ssh-agent configured for this to work, otherwise rsync +will need to ask for a passphrase. + +Accelerated Mode +```````````````` + +.. versionadded:: 1.3 + +While SSH using the ControlPersist feature is quite fast and scalable, there is a certain amount of overhead involved in +creating connections. This can become something of a bottleneck when the number of hosts grows into the hundreds or +thousands. To help overcome this, Ansible offers an accelerated connection option. Accelerated mode can be anywhere from +2-6x faster than SSH with ControlPersist enabled, and 10x faster than paramiko. + +Accelerated mode works by launching a temporary daemon over SSH. Once the daemon is running, Ansible will connect directly +to it via a raw socket connection. Ansible secures this communication by using a temporary AES key that is uploaded during +the SSH connection (this key is different for every host, and is also regenerated every time the daemon is started). By default, +Ansible will use port 5099 for the accelerated connection, though this is configurable. Once running, the daemon will accept +connections for 30 minutes, after which time it will terminate itself and need to be restarted over SSH. + +Accelerated mode offers several improvments over the original fireball mode: + +* No bootstrapping is required, only a single line needs to be added to each play you wish to run in accelerated mode. +* Support for sudo commands (see below for more details and caveats). +* Fewer requirements! ZeroMQ is no longer required, nor are there any special packages beyond python-keyczar. + +In order to use accelerated mode, simply add `accelerate: true` to your play:: + + --- + - hosts: all + accelerate: true + tasks: + - name: some task + command: echo {{ item }} + with_items: + - foo + - bar + - baz + +If you wish to change the port Ansible will use for the accelerated connection, just add the `accelerated_port` option:: + + --- + - hosts: all + accelerate: true + # default port is 5099 + accelerate_port: 10000 + +The `accelerate_port` option can also be specified in the environment variable ACCELERATE_PORT, or in your `ansible.cfg` configuration:: + + [accelerate] + accelerate_port = 5099 + +As noted above, accelerated mode also supports running tasks via sudo, however there are two important caveats: + +* You must remove requiretty from your sudoers options. +* Prompting for the sudo password is not yet supported, so the NOPASSWD option is required for commands. + + + +Fireball Mode +````````````` + +.. versionadded:: 0.8 (deprecated as of 1.3) + +.. note:: + + The following section has been deprecated as of Ansible 1.3 in favor of the accelerated mode described above. This + documentation is here for users who may still be using the original fireball connection method only, and should not + be used for any new deployments. + +Ansible's core connection types of 'local', 'paramiko', and 'ssh' are augmented in version 0.8 and later by a new extra-fast +connection type called 'fireball'. It can only be used with playbooks and does require some additional setup +outside the lines of Ansible's normal "no bootstrapping" philosophy. You are not required to use fireball mode +to use Ansible, though some users may appreciate it. + +Fireball mode works by launching a temporary 0mq daemon from SSH that by default lives for only 30 minutes before +shutting off. Fireball mode, once running, uses temporary AES keys to encrypt a session, and requires direct +communication to given nodes on the configured port. The default is 5099. The fireball daemon runs as any user you +set it down as. So it can run as you, root, or so on. If multiple users are running Ansible as the same batch of hosts, +take care to use unique ports. + +Fireball mode is roughly 10 times faster than paramiko for communicating with nodes and may be a good option +if you have a large number of hosts:: + + --- + + # set up the fireball transport + - hosts: all + gather_facts: no + connection: ssh # or paramiko + sudo: yes + tasks: + - action: fireball + + # these operations will occur over the fireball transport + - hosts: all + connection: fireball + tasks: + - shell: echo "Hello {{ item }}" + with_items: + - one + - two + +In order to use fireball mode, certain dependencies must be installed on both ends. You can use this playbook as a basis for initial bootstrapping on +any platform. You will also need gcc and zeromq-devel installed from your package manager, which you can of course also get Ansible to install:: + + --- + - hosts: all + sudo: yes + gather_facts: no + connection: ssh + tasks: + - easy_install: name=pip + - pip: name={{ item }} state=present + with_items: + - pyzmq + - pyasn1 + - PyCrypto + - python-keyczar + +Fedora and EPEL also have Ansible RPM subpackages available for fireball-dependencies. + +Also see the module documentation section. + + +Understanding Variable Precedence +````````````````````````````````` + +You have already learned about inventory variables, 'vars', and 'vars_files'. In the +event the same variable name occurs in more than one place, what happens? There are really three tiers +of precedence, and within those tiers, some minor ordering rules that you probably won't even need to remember. +We'll explain them anyway though. + +Variables that are set during the execution of the play have highest priority. This includes registered +variables and facts, which are discovered pieces of information about remote hosts. + +Descending in priority are variables defined in the playbook. 'vars_files' as defined in the playbook are next up, +followed by variables as passed to ansible-playbook via --extra-vars (-e), then variables defined in the 'vars' section. These +should all be taken to be basically the same thing -- good places to define constants about what the play does to all hosts +in the play. + +Finally, inventory variables have the least priority. Variables about hosts override those about groups. +If a variable is defined in multiple groups and one group is a child of the other, the child group variable +will override the variable set in the parent. + +This makes the 'group_vars/all' file the best place to define a default value you wish to override in another +group, or even in a playbook. For example, your organization might set a default ntp server in group_vars/all +and then override it based on a group based on a geographic region. However if you type 'ntpserver: asdf.example.com' +in a vars section of a playbook, you know from reading the playbook that THAT specific value is definitely the one +that is going to be used. You won't be fooled by some variable from inventory sneaking up on you. + +So, in short, if you want something easy to remember: facts beat playbook definitions, and +playbook definitions beat inventory variables. + +There's a little bit more if you are using roles -- roles fit in the "playbook definitions" category of scale. They are +trumped by facts, and still trump inventory variables. However, there's a bit of extra magic. + +Variables passed as parameters to the role are accesible only within that role (and dependencies of that role). You can +almost think of them like programming functions or macros. + +Variables loaded via the 'vars/' directory of a role are made available to all roles and tasks, which in older versions of Ansible +could be confusing in the case of a reused variable name. In Ansible 1.3 and later, however, vars/ directories are guaranteed to be scoped to the current role, just like roles parameters. They are still available globally though, so if you want to set a variable like "ntp_server" in a common role, other roles can still make use of it. Thus they are just like "vars_files" construct that they emulate, but they have a bit more of a "Do What I Mean" semantic to them. They are smarter. + +If there are role dependencies involved, dependent roles can set variables visible to the roles that require them, but +the requiring role is allowed to override those variables. For instance if a role "myapp" requires "apache", and +the value of "apache_port" in "apache" is 80, "myapp" could choose to set it to 8080. Thus you may think of this somewhat +like an inheritance system if you're a developer -- though it's not exactly -- and we don't require folks to think in programming terms to know how things work. + +If you want, you can choose to prefix variable names with the name of your role and be extra sure of where +data sources are coming from, but this is optional. However it can be a nice thing to do in your templates as you immediately +know where the variable was defined. + +Ultimately, the variable system may seem complex -- but it's really not. It's mostly a "Do What I Mean" kind of system, though knowing the details may help you if you get stuck or are trying to do something advanced. Feel free to experiment! + +Check Mode ("Dry Run") --check +``````````````````````````````` + +.. versionadded:: 1.1 + +When ansible-playbook is executed with --check it will not make any changes on remote systems. Instead, any module +instrumented to support 'check mode' (which contains the primary core modules, but it is not required that all modules do +this) will report what changes they would have made. Other modules that do not support check mode will also take no +action, but just will not report what changes they might have made. + +Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, +it may be less useful for you. However it is great for one-node-at-time basic configuration management use cases. + +Example:: + + ansible-playbook foo.yml --check + +Running a task in check mode +```````````````````````````` + +.. versionadded:: 1.3 + +Sometimes you may want to have a task to be executed even in check +mode. To achieve this, use the `always_run` clause on the task. Its +value is a Jinja2 expression, just like the `when` clause. In simple +cases a boolean YAML value would be sufficient as a value. + +Example:: + + tasks: + + - name: this task is run even in check mode + command: /something/to/run --even-in-check-mode + always_run: yes + +As a reminder, a task with a `when` clause evaluated to false, will +still be skipped even if it has a `always_run` clause evaluated to +true. + + +Showing Differences with --diff +``````````````````````````````` + +.. versionadded:: 1.1 + +The --diff option to ansible-playbook works great with --check (detailed above) but can also be used by itself. When this flag is supplied, if any templated files on the remote system are changed, and the ansible-playbook CLI will report back +the textual changes made to the file (or, if used with --check, the changes that would have been made). Since the diff +feature produces a large amount of output, it is best used when checking a single host at a time, like so:: + + ansible-playbook foo.yml --check --diff --limit foo.example.com + +Dictionary & Nested (Complex) Arguments +``````````````````````````````````````` + +As a review, most tasks in Ansible are of this form:: + + tasks: + + - name: ensure the cobbler package is installed + yum: name=cobbler state=installed + +However, in some cases, it may be useful to feed arguments directly in from a hash (dictionary). In fact, a very small +number of modules (the CloudFormations module is one) actually require complex arguments. They work like this:: + + tasks: + + - name: call a module that requires some complex arguments + foo_module: + fibonacci_list: + - 1 + - 1 + - 2 + - 3 + my_pets: + dogs: + - fido + - woof + fish: + - limpet + - nemo + - "{{ other_fish_name }}" + +You can of course use variables inside these, as noted above. + +If using local_action, you can do this:: + + - name: call a module that requires some complex arguments + local_action: + module: foo_module + arg1: 1234 + arg2: 'asdf' + +Which of course means that, though more verbose, this is also legal syntax:: + + - name: foo + template: { src: '/templates/motd.j2', dest: '/etc/motd' } + +Local Facts (Facts.d) +````````````````````` + +.. versionadded:: 1.3 + +As discussed in the playbooks chapter, Ansible facts are a way of getting data about remote systems for use in playbook variables. +Usually these are discovered automatically by the 'setup' module in Ansible. Users can also write custom facts modules, as described +in the API guide. However, what if you want to have a simple way to provide system or user +provided data for use in Ansible variables, without writing a fact module? For instance, what if you want users to be able to control some aspect about how their systems are managed? "Facts.d" is one such mechanism. + +If a remotely managed system has an "/etc/ansible/facts.d" directory, any files in this directory +ending in ".fact", can be JSON, INI, or executable files returning JSON, and these can supply local facts in Ansible. + +For instance assume a /etc/ansible/facts.d/preferences.fact:: + + [general] + asdf=1 + bar=2 + +This will produce a hash variable fact named "general" with 'asdf' and 'bar' as members. +To validate this, run the following:: + + ansible -m setup -a "filter=ansible_local" + +And you will see the following fact added:: + + "ansible_local": { + "preferences": { + "general": { + "asdf" : "1", + "bar" : "2" + } + } + } + +And this data can be accessed in a template/playbook as:: + + {{ ansible_local.preferences.general.asdf }} + +The local namespace prevents any user supplied fact from overriding system facts +or variables defined elsewhere in the playbook. + +Style Points +```````````` + +Ansible playbooks are colorized. If you do not like this, set the ANSIBLE_NOCOLOR=1 environment variable. + +Ansible playbooks also look more impressive with cowsay installed, and we encourage installing this package. + +.. seealso:: + + :doc:`YAMLSyntax` + Learn about YAML syntax + :doc:`playbooks` + Review the basic playbook features + :doc:`bestpractices` + Various tips about playbooks in the real world + :doc:`modules` + Learn about available modules + :doc:`moduledev` + Learn how to extend Ansible by writing your own modules + :doc:`patterns` + Learn about how to select hosts + `Github examples directory `_ + Complete playbook files from the github project source + `Mailing List `_ + Questions? Help? Ideas? Stop by the list on Google Groups + +