mirror of https://github.com/ansible/ansible.git
Docs: User guide overhaul, part 1 (#63056)
parent
da1a945088
commit
941a9b68fc
@ -1,37 +1,10 @@
|
||||
***************************************
|
||||
**************
|
||||
Basic Concepts
|
||||
***************************************
|
||||
**************
|
||||
|
||||
These concepts are common to all uses of Ansible, including network automation. You need to understand them to use Ansible for network automation. This basic introduction provides the background you need to follow the examples in this guide.
|
||||
|
||||
.. contents:: Topics
|
||||
.. contents::
|
||||
:local:
|
||||
|
||||
Control Node
|
||||
================================================================================
|
||||
|
||||
Any machine with Ansible installed. You can run commands and playbooks, invoking ``/usr/bin/ansible`` or ``/usr/bin/ansible-playbook``, from any control node. You can use any computer that has Python installed on it as a control node - laptops, shared desktops, and servers can all run Ansible. However, you cannot use a Windows machine as a control node. You can have multiple control nodes.
|
||||
|
||||
Managed Nodes
|
||||
================================================================================
|
||||
|
||||
The network devices (and/or servers) you manage with Ansible. Managed nodes are also sometimes called "hosts". Ansible is not installed on managed nodes.
|
||||
|
||||
Inventory
|
||||
================================================================================
|
||||
|
||||
A list of managed nodes. An inventory file is also sometimes called a "hostfile". Your inventory can specify information like IP address for each managed node. An inventory can also organize managed nodes, creating and nesting groups for easier scaling. To learn more about inventory, see :ref:`the Working with Inventory<intro_inventory>` section.
|
||||
|
||||
Modules
|
||||
================================================================================
|
||||
|
||||
The units of code Ansible executes. Each module has a particular use, from administering users on a specific type of database to managing VLAN interfaces on a specific type of network device. You can invoke a single module with a task, or invoke several different modules in a playbook. For an idea of how many modules Ansible includes, take a look at the :ref:`list of all modules <modules_by_category>` or the :ref:`list of network modules<network_modules>`.
|
||||
|
||||
Tasks
|
||||
================================================================================
|
||||
|
||||
The units of action in Ansible. You can execute a single task once with an ad-hoc command.
|
||||
|
||||
Playbooks
|
||||
================================================================================
|
||||
|
||||
Ordered lists of tasks, saved so you can run those tasks in that order repeatedly. Playbooks can include variables as well as tasks. Playbooks are written in YAML and are easy to read, write, share and understand. To learn more about playbooks, see :ref:`about_playbooks`.
|
||||
.. include:: ../../shared_snippets/basic_concepts.txt
|
||||
|
@ -0,0 +1,14 @@
|
||||
**********************
|
||||
Logging Ansible output
|
||||
**********************
|
||||
|
||||
By default Ansible sends output about plays, tasks, and module arguments to your screen (STDOUT) on the control node. If you want to capture Ansible output in a log, you have three options:
|
||||
|
||||
* To save Ansible output in a single log on the control node, set the ``log_path`` :ref:`configuration file setting <intro_configuration>`. You may also want to set ``display_args_to_stdout``, which helps to differentiate similar tasks by including variable values in the Ansible output.
|
||||
* To save Ansible output in separate logs, one on each managed node, set the ``no_target_syslog`` and ``syslog_facility`` :ref:`configuration file settings <intro_configuration>`.
|
||||
* To save Ansible output to a secure database, use :ref:`Ansible Tower <ansible_tower>`. Tower allows you to review history based on hosts, projects, and particular inventories over time, using graphs and/or a REST API.
|
||||
|
||||
Protecting sensitive data with ``no_log``
|
||||
=========================================
|
||||
|
||||
If you save Ansible output to a log, you expose any secret data in your Ansible output, such as passwords and user names. To keep sensitive values out of your logs, mark tasks that expose them with the ``no_log: True`` attribute. However, the ``no_log`` attribute does not affect debugging output, so be careful not to debug playbooks in a production environment. See :ref:`keep_secret_data` for an example.
|
@ -0,0 +1,29 @@
|
||||
Control node
|
||||
============
|
||||
|
||||
Any machine with Ansible installed. You can run commands and playbooks, invoking ``/usr/bin/ansible`` or ``/usr/bin/ansible-playbook``, from any control node. You can use any computer that has Python installed on it as a control node - laptops, shared desktops, and servers can all run Ansible. However, you cannot use a Windows machine as a control node. You can have multiple control nodes.
|
||||
|
||||
Managed nodes
|
||||
=============
|
||||
|
||||
The network devices (and/or servers) you manage with Ansible. Managed nodes are also sometimes called "hosts". Ansible is not installed on managed nodes.
|
||||
|
||||
Inventory
|
||||
=========
|
||||
|
||||
A list of managed nodes. An inventory file is also sometimes called a "hostfile". Your inventory can specify information like IP address for each managed node. An inventory can also organize managed nodes, creating and nesting groups for easier scaling. To learn more about inventory, see :ref:`the Working with Inventory<intro_inventory>` section.
|
||||
|
||||
Modules
|
||||
=======
|
||||
|
||||
The units of code Ansible executes. Each module has a particular use, from administering users on a specific type of database to managing VLAN interfaces on a specific type of network device. You can invoke a single module with a task, or invoke several different modules in a playbook. For an idea of how many modules Ansible includes, take a look at the :ref:`list of all modules <modules_by_category>`.
|
||||
|
||||
Tasks
|
||||
=====
|
||||
|
||||
The units of action in Ansible. You can execute a single task once with an ad-hoc command.
|
||||
|
||||
Playbooks
|
||||
=========
|
||||
|
||||
Ordered lists of tasks, saved so you can run those tasks in that order repeatedly. Playbooks can include variables as well as tasks. Playbooks are written in YAML and are easy to read, write, share and understand. To learn more about playbooks, see :ref:`about_playbooks`.
|
@ -0,0 +1,12 @@
|
||||
.. _basic_concepts:
|
||||
|
||||
****************
|
||||
Ansible concepts
|
||||
****************
|
||||
|
||||
These concepts are common to all uses of Ansible. You need to understand them to use Ansible for any kind of automation. This basic introduction provides the background you need to follow the rest of the User Guide.
|
||||
|
||||
.. contents::
|
||||
:local:
|
||||
|
||||
.. include:: /shared_snippets/basic_concepts.txt
|
@ -0,0 +1,80 @@
|
||||
.. _connections:
|
||||
|
||||
******************************
|
||||
Connection methods and details
|
||||
******************************
|
||||
|
||||
This section shows you how to expand and refine the connection methods Ansible uses for your inventory.
|
||||
|
||||
ControlPersist and paramiko
|
||||
---------------------------
|
||||
|
||||
By default, Ansible uses native OpenSSH, because it supports ControlPersist (a performance feature), Kerberos, and options in ``~/.ssh/config`` such as Jump Host setup. If your control machine uses an older version of OpenSSH that does not support ControlPersist, Ansible will fallback to a Python implementation of OpenSSH called 'paramiko'.
|
||||
|
||||
SSH key setup
|
||||
-------------
|
||||
|
||||
By default, Ansible assumes you are using SSH keys to connect to remote machines. SSH keys are encouraged, but you can use password authentication if needed with the ``--ask-pass`` option. If you need to provide a password for :ref:`privilege escalation <become>` (sudo, pbrun, etc.), use ``--ask-become-pass``.
|
||||
|
||||
.. include:: shared_snippets/SSH_password_prompt.txt
|
||||
|
||||
To set up SSH agent to avoid retyping passwords, you can do:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ ssh-agent bash
|
||||
$ ssh-add ~/.ssh/id_rsa
|
||||
|
||||
Depending on your setup, you may wish to use Ansible's ``--private-key`` command line option to specify a pem file instead. You can also add the private key file:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ ssh-agent bash
|
||||
$ ssh-add ~/.ssh/keypair.pem
|
||||
|
||||
Another way to add private key files without using ssh-agent is using ``ansible_ssh_private_key_file`` in an inventory file as explained here: :ref:`intro_inventory`.
|
||||
|
||||
Running against localhost
|
||||
-------------------------
|
||||
|
||||
You can run commands against the control node by using "localhost" or "127.0.0.1" for the server name:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ ansible localhost -m ping -e 'ansible_python_interpreter="/usr/bin/env python"'
|
||||
|
||||
You can specify localhost explicitly by adding this to your inventory file:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python"
|
||||
|
||||
.. _host_key_checking_on:
|
||||
|
||||
Host key checking
|
||||
-----------------
|
||||
|
||||
Ansible enables host key checking by default. Checking host keys guards against server spoofing and man-in-the-middle attacks, but it does require some maintenance.
|
||||
|
||||
If a host is reinstalled and has a different key in 'known_hosts', this will result in an error message until corrected. If a new host is not in 'known_hosts' your control node may prompt for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.
|
||||
|
||||
If you understand the implications and wish to disable this behavior, you can do so by editing ``/etc/ansible/ansible.cfg`` or ``~/.ansible.cfg``:
|
||||
|
||||
.. code-block:: text
|
||||
|
||||
[defaults]
|
||||
host_key_checking = False
|
||||
|
||||
Alternatively this can be set by the :envvar:`ANSIBLE_HOST_KEY_CHECKING` environment variable:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ export ANSIBLE_HOST_KEY_CHECKING=False
|
||||
|
||||
Also note that host key checking in paramiko mode is reasonably slow, therefore switching to 'ssh' is also recommended when using this feature.
|
||||
|
||||
Other connection methods
|
||||
------------------------
|
||||
|
||||
Ansible can use a variety of connection methods beyond SSH. You can select any connection plugin, including managing things locally and managing chroot, lxc, and jail containers.
|
||||
A mode called 'ansible-pull' can also invert the system and have systems 'phone home' via scheduled git checkouts to pull configuration directives from a central repository.
|
Loading…
Reference in New Issue