Skip to content

A
ansible
Commit 19ac7cfe by Michael DeHaan
Options

Refactor the roles information and provide a good example of the case for using roles.

parent 102b745b
Showing with 305 additions and 637 deletions
docsite/latest/rst/playbooks.rst
Playbooks Playbooks
========= =========
...@@ -29,6 +31,9 @@ another tab, so you can apply the theory to what things look like in practice. ...@@ -29,6 +31,9 @@ another tab, so you can apply the theory to what things look like in practice.
There are also some full sets of playbooks illustrating a lot of these techniques in the There are also some full sets of playbooks illustrating a lot of these techniques in the
`ansible-examples repository <https://github.com/ansible/ansible-examples>`_. `ansible-examples repository <https://github.com/ansible/ansible-examples>`_.
There are also many jumping off points after you learn playbooks, so hop back to the documentation
index after you're done with this section.
Playbook Language Example Playbook Language Example
````````````````````````` `````````````````````````
...@@ -130,58 +135,6 @@ Just `Control-C` to kill it and run it again with `-K`. ...@@ -130,58 +135,6 @@ Just `Control-C` to kill it and run it again with `-K`.
not come into play. Ansible also takes care to not log password not come into play. Ansible also takes care to not log password
parameters. parameters.
Vars section
++++++++++++
The `vars` section contains a list of variables and values that can be used in the plays, like this::
---
- hosts: webservers
remote_user: root
vars:
http_port: 80
van_halen_port: 5150
other: 'magic'
.. note::
You can also keep variables in separate files and include them alongside inline `vars` with a `vars_files` declaration
in the play. See the `Advanced Playbooks chapter <http://www.ansibleworks.com/docs/playbooks2.html#variable-file-separation>`_
for more info.
These variables can be used later in the playbook like this::
{{ varname }}
Variables are passed through the Jinja2 templating engine. Any valid Jinja2
expression can be used between the curly braces, including the use of filters
to modify the variable (for example, `{{ varname|int }}` ensures the variable is
interpreted as an integer).
Jinja2 expressions are very similar to Python and even if you are not working
with Python you should feel comfortable with them. See the `Jinja2 documentation
<http://jinja.pocoo.org/docs/templates/>`_ to learn more about the syntax.
Please note that Jinja2 loops and conditionals are only useful in Ansible
templates, not in playbooks. Use the 'when' and 'with' keywords for
conditionals and loops in Ansible playbooks.
If there are discovered variables about the system, called 'facts', these variables bubble up back into the playbook, and can be used on each system just like explicitly set variables. Ansible provides several
of these, prefixed with 'ansible', which are documented under 'setup' in the module documentation. Additionally,
facts can be gathered by ohai and facter if they are installed. Facter variables are prefixed with ``facter_`` and Ohai variables are prefixed with ``ohai_``. These add extra dependencies and are only there for ease of users
porting over from those other configuration systems. Finally, it's possible to drop files
on to the remote systems that provide additional sources of fact data, see "Facts.d" as documented
in the Advanced Playbooks section.
How about an example. If I wanted to write the hostname into the /etc/motd file, I could say::
- name: write the motd
template: src=/srv/templates/motd.j2 dest=/etc/motd
And in /srv/templates/motd.j2::
You are logged into {{ facter_hostname }}
But we're getting ahead of ourselves, as that just showed a task in a playbook ahead of schedule. Let's talk about tasks.
Tasks list Tasks list
++++++++++ ++++++++++
...@@ -284,8 +237,8 @@ You will notice in earlier versions, this was only available as:: ...@@ -284,8 +237,8 @@ You will notice in earlier versions, this was only available as::
The old form continues to work in newer versions without any plan of deprecation. The old form continues to work in newer versions without any plan of deprecation.
Running Operations On Change Handlers: Running Operations On Change
```````````````````````````` ``````````````````````````````````````
As we've mentioned, modules are written to be 'idempotent' and can relay when As we've mentioned, modules are written to be 'idempotent' and can relay when
they have made a change on the remote system. Playbooks recognize this and they have made a change on the remote system. Playbooks recognize this and
...@@ -344,285 +297,347 @@ In the above example any queued up handlers would be processed early when the 'm ...@@ -344,285 +297,347 @@ In the above example any queued up handlers would be processed early when the 'm
statement was reached. This is a bit of a niche case but can come in handy from statement was reached. This is a bit of a niche case but can come in handy from
time to time. time to time.
Task Include Files And Encouraging Reuse Executing A Playbook
```````````````````````````````````````` ````````````````````
Suppose you want to reuse lists of tasks between plays or playbooks. You can use
include files to do this. Use of included task lists is a great way to define a role
that system is going to fulfill. Remember, the goal of a play in a playbook is to map
a group of systems into multiple roles. Let's see what this looks like...
A task include file simply contains a flat list of tasks, like so:: Now that you've learned playbook syntax, how do you run a playbook? It's simple.
Let's run a playbook using a parallelism level of 10::
--- ansible-playbook playbook.yml -f 10
# possibly saved as tasks/foo.yml
- name: placeholder foo
command: /bin/foo
- name: placeholder bar
command: /bin/bar
Include directives look like this, and can be mixed in with regular tasks in a playbook:: Tips and Tricks
```````````````
tasks: Look at the bottom of the playbook execution for a summary of the nodes that were targeted
- include: tasks/foo.yml and how they performed. General failures and fatal "unreachable" communication attempts are
kept separate in the counts.
You can also pass variables into includes. We call this a 'parameterized include'. If you ever want to see detailed output from successful modules as well as unsuccessful ones,
use the '--verbose' flag. This is available in Ansible 0.5 and later.
For instance, if deploying multiple wordpress instances, I could Ansible playbook output is vastly upgraded if the cowsay
contain all of my wordpress tasks in a single wordpress.yml file, and use it like so:: package is installed. Try it!
tasks: To see what hosts would be affected by a playbook before you run it, you
- include: wordpress.yml user=timmy can do this::
- include: wordpress.yml user=alice
- include: wordpress.yml user=bob
Variables passed in can then be used in the included files. You can reference them like this:: ansible-playbook playbook.yml --list-hosts.
{{ user }} .. seealso::
(In addition to the explicitly passed-in parameters, all variables from :doc:`YAMLSyntax`
the vars section are also available for use here as well.) Learn about YAML syntax
:doc:`bestpractices`
Various tips about managing playbooks in the real world
:doc:`modules`
Learn about available modules
:doc:`moduledev`
Learn how to extend Ansible by writing your own modules
:doc:`patterns`
Learn about how to select hosts
`Github examples directory <https://github.com/ansible/ansible/tree/devel/examples/playbooks>`_
Complete playbook files from the github project source
`Mailing List <http://groups.google.com/group/ansible-project>`_
Questions? Help? Ideas? Stop by the list on Google Groups
Starting in 1.0, variables can also be passed to include files using an alternative syntax,
which also supports structured variables::
tasks:
- include: wordpress.yml Playbooks
vars: =========
remote_user: timmy
some_list_variable:
- alpha
- beta
- gamma
Playbooks can include other playbooks too, but that's mentioned in a later section. .. contents::
:depth: 2
.. note:: Introduction
As of 1.0, task include statements can be used at arbitrary depth. ````````````
They were previously limited to a single level, so task includes
could not include other files containing task includes.
Includes can also be used in the 'handlers' section, for instance, if you Playbooks are a completely different way to use ansible than in task execution mode, and are
want to define how to restart apache, you only have to do that once for all particularly powerful. Simply put, playbooks are the basis for a really simple
of your playbooks. You might make a handlers.yml that looks like:: configuration management and multi-machine deployment system,
unlike any that already exist, and one that is very well suited to deploying complex applications.
--- Playbooks can declare configurations, but they can also orchestrate steps of
# this might be in a file like handlers/handlers.yml any manual ordered process, even as different steps must bounce back and forth
- name: restart apache between sets of machines in particular orders. They can launch tasks
service: name=apache state=restarted synchronously or asynchronously.
And in your main playbook file, just include it like so, at the bottom While you might run the main /usr/bin/ansible program for ad-hoc
of a play:: tasks, playbooks are more likely to be kept in source control and used
to push out your configuration or assure the configurations of your
remote systems are in spec.
handlers: Let's dive in and see how they work. As you go, you may wish to open
- include: handlers/handlers.yml the `github examples directory <https://github.com/ansible/ansible/tree/devel/examples/playbooks>`_ in
another tab, so you can apply the theory to what things look like in practice.
You can mix in includes along with your regular non-included tasks and handlers. There are also some full sets of playbooks illustrating a lot of these techniques in the
`ansible-examples repository <https://github.com/ansible/ansible-examples>`_.
Includes can also be used to import one playbook file into another. This allows There are also many jumping off points after you learn playbooks, so hop back to the documentation
you to define a top-level playbook that is composed of other playbooks. index after you're done with this section.
For example:: Playbook Language Example
`````````````````````````
- name: this is a play at the top level of a file Playbooks are expressed in YAML format and have a minimum of syntax.
hosts: all Each playbook is composed of one or more 'plays' in a list.
remote_user: root
tasks:
- name: say hi
tags: foo
shell: echo "hi..."
- include: load_balancers.yml The goal of a play is to map a group of hosts to some well defined roles, represented by
- include: webservers.yml things ansible calls tasks. At a basic level, a task is nothing more than a call
- include: dbservers.yml to an ansible module, which you should have learned about in earlier chapters.
Note that you cannot do variable substitution when including one playbook By composing a playbook of multiple 'plays', it is possible to
inside another. orchestrate multi-machine deployments, running certain steps on all
machines in the webservers group, then certain steps on the database
server group, then more commands back on the webservers group, etc.
.. note:: For starters, here's a playbook that contains just one play::
You can not conditionally path the location to an include file,
like you can with 'vars_files'. If you find yourself needing to do
this, consider how you can restructure your playbook to be more
class/role oriented. This is to say you cannot use a 'fact' to
decide what include file to use. All hosts contained within the
play are going to get the same tasks. ('*when*' provides some
ability for hosts to conditionally skip tasks).
.. _roles:
Roles
`````
.. versionadded:: 1.2
Now that you have learned about vars_files, tasks, and handlers, what is the best way to organize your playbooks?
The short answer is to use roles! Roles are ways of automatically loading certain vars_files, tasks, and
handlers based on a known file structure. Grouping content by roles also allows easy sharing of roles with other users.
Roles are just automation around 'include' directives as redescribed above, and really don't contain much
additional magic beyond some improvements to search path handling for referenced files. However, that can be a big thing!
Example project structure::
site.yml
webservers.yml
fooservers.yml
roles/
common/
files/
templates/
tasks/
handlers/
vars/
meta/
webservers/
files/
templates/
tasks/
handlers/
vars/
meta/
In a playbook, it would look like this::
--- ---
- hosts: webservers - hosts: webservers
roles: vars:
- common http_port: 80
- webservers max_clients: 200
remote_user: root
tasks:
- name: ensure apache is at the latest version
yum: pkg=httpd state=latest
- name: write the apache config file
template: src=/srv/httpd.j2 dest=/etc/httpd.conf
notify:
- restart apache
- name: ensure apache is running
service: name=httpd state=started
handlers:
- name: restart apache
service: name=httpd state=restarted
This designates the following behaviors, for each role 'x': Below, we'll break down what the various features of the playbook language are.
- If roles/x/tasks/main.yml exists, tasks listed therein will be added to the play Basics
- If roles/x/handlers/main.yml exists, handlers listed therein will be added to the play ``````
- If roles/x/vars/main.yml exists, variables listed therein will be added to the play
- If roles/x/meta/main.yml exists, any role dependencies listed therein will be added to the list of roles (1.3 and later)
- Any copy tasks can reference files in roles/x/files/ without having to path them relatively or absolutely
- Any script tasks can reference scripts in roles/x/files/ without having to path them relatively or absolutely
- Any template tasks can reference files in roles/x/templates/ without having to path them relatively or absolutely
.. note:: Hosts and Users
Role dependencies are discussed below. +++++++++++++++
If any files are not present, they are just ignored. So it's ok to not have a 'vars/' subdirectory for the role, For each play in a playbook, you get to choose which machines in your infrastructure
for instance. to target and what remote user to complete the steps (called tasks) as.
Note, you are still allowed to list tasks, vars_files, and handlers "loose" in playbooks without using roles, The `hosts` line is a list of one or more groups or host patterns,
but roles are a good organizational feature and are highly recommended. if there are loose things in the playbook, separated by colons, as described in the :ref:`patterns`
the roles are evaluated first. documentation. The `remote_user` is just the name of the user account::
Also, should you wish to parameterize roles, by adding variables, you can do so, like this:: ---
- hosts: webservers
remote_user: root
.. Note::
The `remote_user` parameter was formerly called just `user`. It was renamed in Ansible 1.4 to make it more distinguishable from the `user` module (used to create users on remote systems).
Support for running things from sudo is also available::
--- ---
- hosts: webservers - hosts: webservers
roles: remote_user: yourname
- common sudo: yes
- { role: foo_app_instance, dir: '/opt/a', port: 5000 }
- { role: foo_app_instance, dir: '/opt/b', port: 5001 }
While it's probably not something you should do often, you can also conditionally apply roles like so:: You can also use sudo on a particular task instead of the whole play::
--- ---
- hosts: webservers - hosts: webservers
roles: remote_user: yourname
- { role: some_role, when: "ansible_os_family == 'RedHat'" } tasks:
- service: name=nginx state=started
sudo: yes
This works by applying the conditional to every task in the role. Conditionals are covered later on in
the documentation.
Finally, you may wish to assign tags to the roles you specify. You can do so inline::: You can also login as you, and then sudo to different users than root::
--- ---
- hosts: webservers - hosts: webservers
roles: remote_user: yourname
- { role: foo, tags: ["bar", "baz"] } sudo: yes
sudo_user: postgres
If you need to specify a password to sudo, run `ansible-playbook` with ``--ask-sudo-pass`` (`-K`).
If you run a sudo playbook and the playbook seems to hang, it's probably stuck at the sudo prompt.
Just `Control-C` to kill it and run it again with `-K`.
If the play still has a 'tasks' section, those tasks are executed after roles are applied. .. important::
If you want to define certain tasks to happen before AND after roles are applied, you can do this:: When using `sudo_user` to a user other than root, the module
arguments are briefly written into a random tempfile in /tmp.
These are deleted immediately after the command is executed. This
only occurs when sudoing from a user like 'bob' to 'timmy', not
when going from 'bob' to 'root', or logging in directly as 'bob' or
'root'. If this concerns you that this data is briefly readable
(not writeable), avoid transferring uncrypted passwords with
`sudo_user` set. In other cases, '/tmp' is not used and this does
not come into play. Ansible also takes care to not log password
parameters.
--- Tasks list
- hosts: webservers ++++++++++
pre_tasks:
- shell: echo 'hello'
roles:
- { role: some_role }
tasks:
- shell: echo 'still busy'
post_tasks:
- shell: echo 'goodbye'
.. note:: Each play contains a list of tasks. Tasks are executed in order, one
If using tags with tasks (described later as a means of only running part of a playbook), at a time, against all machines matched by the host pattern,
be sure to also tag your pre_tasks and post_tasks and pass those along as well, especially if the pre before moving on to the next task. It is important to understand that, within a play,
and post tasks are used for monitoring outage window control or load balancing. all hosts are going to get the same task directives. It is the purpose of a play to map
a selection of hosts to tasks.
Role Default Variables When running the playbook, which runs top to bottom, hosts with failed tasks are
`````````````````````` taken out of the rotation for the entire playbook. If things fail, simply correct the playbook file and rerun.
.. versionadded:: 1.3 The goal of each task is to execute a module, with very specific arguments.
Variables, as mentioned above, can be used in arguments to modules.
Role default variables allow you to set default variables for included or dependent roles (see below). To create Modules are 'idempotent', meaning if you run them
defaults, simply add a `defaults/main.yml` file in your role directory. These variables will have the lowest priority again, they will make only the changes they must in order to bring the
of any variables available, and can be easily overridden by any other variable, including inventory variables. system to the desired state. This makes it very safe to rerun
the same playbook multiple times. They won't change things
unless they have to change things.
Role Dependencies The `command` and `shell` modules will typically rerun the same command again,
````````````````` which is totally ok if the command is something like
'chmod' or 'setsebool', etc. Though there is a 'creates' flag available which can
be used to make these modules also idempotent.
.. versionadded:: 1.3 Every task should have a `name`, which is included in the output from
running the playbook. This is output for humans, so it is
nice to have reasonably good descriptions of each task step. If the name
is not provided though, the string fed to 'action' will be used for
output.
Role dependencies allow you to automatically pull in other roles when using a role. Role dependencies are stored in the Tasks can be declared using the legacy "action: module options" format, but
`meta/main.yml` file contained within the role directory. This file should contain it is recommeded that you use the more conventional "module: options" format.
a list of roles and parameters to insert before the specified role, such as the following in an example This recommended format is used throughout the documentation, but you may
`roles/myapp/meta/main.yml`:: encounter the older format in some playbooks.
--- Here is what a basic task looks like, as with most modules,
dependencies: the service module takes key=value arguments::
- { role: common, some_parameter: 3 }
- { role: apache, port: 80 }
- { role: postgres, dbname: blarg, other_parameter: 12 }
Role dependencies can also be specified as a full path, just like top level roles:: tasks:
- name: make sure apache is running
service: name=httpd state=running
--- The `command` and `shell` modules are the one modules that just takes a list
dependencies: of arguments, and don't use the key=value form. This makes
- { role: '/path/to/common/roles/foo', x: 1 } them work just like you would expect. Simple::
Roles dependencies are always executed before the role that includes them, and are recursive. By default, tasks:
roles can also only be added as a dependency once - if another role also lists it as a dependency it will - name: disable selinux
not be run again. This behavior can be overridden by adding `allow_duplicates: yes` to the `meta/main.yml` file. command: /sbin/setenforce 0
For example, a role named 'car' could add a role named 'wheel' to its dependencies as follows::
--- The command and shell module care about return codes, so if you have a command
dependencies: whose successful exit code is not zero, you may wish to do this::
- { role: wheel, n: 1 }
- { role: wheel, n: 2 }
- { role: wheel, n: 3 }
- { role: wheel, n: 4 }
And the `meta/main.yml` for wheel contained the following:: tasks:
- name: run this command and ignore the result
shell: /usr/bin/somecommand || /bin/true
--- Or this::
allow_duplicates: yes
dependencies: tasks:
- { role: tire } - name: run this command and ignore the result
- { role: brake } shell: /usr/bin/somecommand
ignore_errors: True
The resulting order of execution would be as follows::
tire(n=1) If the action line is getting too long for comfort you can break it on
brake(n=1) a space and indent any continuation lines::
wheel(n=1)
tire(n=2) tasks:
brake(n=2) - name: Copy ansible inventory file to client
wheel(n=2) copy: src=/etc/ansible/hosts dest=/etc/ansible/hosts
... owner=root group=root mode=0644
car
Variables can be used in action lines. Suppose you defined
a variable called 'vhost' in the 'vars' section, you could do this::
tasks:
- name: create a virtual host file for {{ vhost }}
template: src=somefile.j2 dest=/etc/httpd/conf.d/{{ vhost }}
Those same variables are usable in templates, which we'll get to later.
Now in a very basic playbook all the tasks will be listed directly in that play, though it will usually
make more sense to break up tasks using the 'include:' directive. We'll show that a bit later.
Action Shorthand
````````````````
.. versionadded:: 0.8
Ansible prefers listing modules like this in 0.8 and later::
template: src=templates/foo.j2 dest=/etc/foo.conf
You will notice in earlier versions, this was only available as::
action: template src=templates/foo.j2 dest=/etc/foo.conf
The old form continues to work in newer versions without any plan of deprecation.
Handlers: Running Operations On Change
``````````````````````````````````````
As we've mentioned, modules are written to be 'idempotent' and can relay when
they have made a change on the remote system. Playbooks recognize this and
have a basic event system that can be used to respond to change.
These 'notify' actions are triggered at the end of each block of tasks in a playbook, and will only be
triggered once even if notified by multiple different tasks.
For instance, multiple resources may indicate
that apache needs to be restarted because they have changed a config file,
but apache will only be bounced once to avoid unneccessary restarts.
Here's an example of restarting two services when the contents of a file
change, but only if the file changes::
- name: template configuration file
template: src=template.j2 dest=/etc/foo.conf
notify:
- restart memcached
- restart apache
The things listed in the 'notify' section of a task are called
handlers.
Handlers are lists of tasks, not really any different from regular
tasks, that are referenced by name. Handlers are what notifiers
notify. If nothing notifies a handler, it will not run. Regardless
of how many things notify a handler, it will run only once, after all
of the tasks complete in a particular play.
Here's an example handlers section::
handlers:
- name: restart memcached
service: name=memcached state=restarted
- name: restart apache
service: name=apache state=restarted
Handlers are best used to restart services and trigger reboots. You probably
won't need them for much else.
.. note:: .. note::
Variable inheritance and scope are detailed in the Advanced Playbook section. Notify handlers are always run in the order written.
Roles are described later on. It's worthwhile to point out that handlers are
automatically processed between 'pre_tasks', 'roles', 'tasks', and 'post_tasks'
sections. If you ever want to flush all the handler commands immediately though,
in 1.2 and later, you can::
tasks:
- shell: some tasks go here
- meta: flush_handlers
- shell: some other tasks
In the above example any queued up handlers would be processed early when the 'meta'
statement was reached. This is a bit of a niche case but can come in handy from
time to time.
Executing A Playbook Executing A Playbook
```````````````````` ````````````````````
...@@ -642,10 +657,10 @@ kept separate in the counts. ...@@ -642,10 +657,10 @@ kept separate in the counts.
If you ever want to see detailed output from successful modules as well as unsuccessful ones, If you ever want to see detailed output from successful modules as well as unsuccessful ones,
use the '--verbose' flag. This is available in Ansible 0.5 and later. use the '--verbose' flag. This is available in Ansible 0.5 and later.
Also, in version 0.5 and later, Ansible playbook output is vastly upgraded if the cowsay Ansible playbook output is vastly upgraded if the cowsay
package is installed. Try it! package is installed. Try it!
In version 0.7 and later, to see what hosts would be affected by a playbook before you run it, you To see what hosts would be affected by a playbook before you run it, you
can do this:: can do this::
ansible-playbook playbook.yml --list-hosts. ansible-playbook playbook.yml --list-hosts.
...@@ -654,10 +669,6 @@ can do this:: ...@@ -654,10 +669,6 @@ can do this::
:doc:`YAMLSyntax` :doc:`YAMLSyntax`
Learn about YAML syntax Learn about YAML syntax
:doc:`playbooks`
Review the basic Playbook language features
:doc:`playbooks2`
Learn about Advanced Playbook Features
:doc:`bestpractices` :doc:`bestpractices`
Various tips about managing playbooks in the real world Various tips about managing playbooks in the real world
:doc:`modules` :doc:`modules`
......
docsite/latest/rst/playbooks_roles.rst
Playbooks Playbook Roles and Include Statements
========= =====================================
.. contents:: .. contents::
:depth: 2 :depth: 2
...@@ -7,342 +7,29 @@ Playbooks ...@@ -7,342 +7,29 @@ Playbooks
Introduction Introduction
```````````` ````````````
Playbooks are a completely different way to use ansible than in task execution mode, and are While it is possible to write a playbook in one very large file (and you might start out learning playbooks this way),
particularly powerful. Simply put, playbooks are the basis for a really simple eventually you'll want to reuse files and start to organize things.
configuration management and multi-machine deployment system,
unlike any that already exist, and one that is very well suited to deploying complex applications.
Playbooks can declare configurations, but they can also orchestrate steps of At a basic level, including task files allows you to break up bits of configuration policy into smaller files. Taks includes
any manual ordered process, even as different steps must bounce back and forth pull in tasks from other files. Since handlers are tasks too, you can also include handler files from the 'handlers:' section.
between sets of machines in particular orders. They can launch tasks
synchronously or asynchronously.
While you might run the main /usr/bin/ansible program for ad-hoc See :doc:`playbooks` if you need a review of these concepts.
tasks, playbooks are more likely to be kept in source control and used
to push out your configuration or assure the configurations of your
remote systems are in spec.
Let's dive in and see how they work. As you go, you may wish to open Playbooks can also include plays from other playbook files. When that is done, the plays will be inserted into the playbook to form
the `github examples directory <https://github.com/ansible/ansible/tree/devel/examples/playbooks>`_ in a longer list of plays.
another tab, so you can apply the theory to what things look like in practice.
There are also some full sets of playbooks illustrating a lot of these techniques in the When you start to think about it -- tasks, handlers, variables, and so -- begin to form larger concepts. You start to think about modelling
`ansible-examples repository <https://github.com/ansible/ansible-examples>`_. what something is, rather than how to make something look like something. It's no longer "apply this handful of THINGS" to these hosts, you say "these hosts are a dbservers" or "these hosts are webservers". In programming, we might call that 'encapsulating' how things work. For instance,
you can drive a car without knowing how the engine works.
Playbook Language Example Roles in Ansible build on the idea of include files and combine them to form clean, reusable abstractions -- they allow you to focus
````````````````````````` more on the big picture and only dive down into the details when needed.
Playbooks are expressed in YAML format and have a minimum of syntax. We'll start with understanding includes so roles make more sense, but our ultimate goal should be understanding roles -- roles
Each playbook is composed of one or more 'plays' in a list. are great and you should use them every time you write playbooks.
The goal of a play is to map a group of hosts to some well defined roles, represented by See the `ansible-examples repository on github <https://github.com/ansible/ansible-examples>`_ for lots of examples of all of this
things ansible calls tasks. At a basic level, a task is nothing more than a call put together. You may wish to have this open in a seperate tab as you dive in.
to an ansible module, which you should have learned about in earlier chapters.
By composing a playbook of multiple 'plays', it is possible to
orchestrate multi-machine deployments, running certain steps on all
machines in the webservers group, then certain steps on the database
server group, then more commands back on the webservers group, etc.
For starters, here's a playbook that contains just one play::
---
- hosts: webservers
vars:
http_port: 80
max_clients: 200
remote_user: root
tasks:
- name: ensure apache is at the latest version
yum: pkg=httpd state=latest
- name: write the apache config file
template: src=/srv/httpd.j2 dest=/etc/httpd.conf
notify:
- restart apache
- name: ensure apache is running
service: name=httpd state=started
handlers:
- name: restart apache
service: name=httpd state=restarted
Below, we'll break down what the various features of the playbook language are.
Basics
``````
Hosts and Users
+++++++++++++++
For each play in a playbook, you get to choose which machines in your infrastructure
to target and what remote user to complete the steps (called tasks) as.
The `hosts` line is a list of one or more groups or host patterns,
separated by colons, as described in the :ref:`patterns`
documentation. The `remote_user` is just the name of the user account::
---
- hosts: webservers
remote_user: root
.. Note::
The `remote_user` parameter was formerly called just `user`. It was renamed in Ansible 1.4 to make it more distinguishable from the `user` module (used to create users on remote systems).
Support for running things from sudo is also available::
---
- hosts: webservers
remote_user: yourname
sudo: yes
You can also use sudo on a particular task instead of the whole play::
---
- hosts: webservers
remote_user: yourname
tasks:
- service: name=nginx state=started
sudo: yes
You can also login as you, and then sudo to different users than root::
---
- hosts: webservers
remote_user: yourname
sudo: yes
sudo_user: postgres
If you need to specify a password to sudo, run `ansible-playbook` with ``--ask-sudo-pass`` (`-K`).
If you run a sudo playbook and the playbook seems to hang, it's probably stuck at the sudo prompt.
Just `Control-C` to kill it and run it again with `-K`.
.. important::
When using `sudo_user` to a user other than root, the module
arguments are briefly written into a random tempfile in /tmp.
These are deleted immediately after the command is executed. This
only occurs when sudoing from a user like 'bob' to 'timmy', not
when going from 'bob' to 'root', or logging in directly as 'bob' or
'root'. If this concerns you that this data is briefly readable
(not writeable), avoid transferring uncrypted passwords with
`sudo_user` set. In other cases, '/tmp' is not used and this does
not come into play. Ansible also takes care to not log password
parameters.
Vars section
++++++++++++
The `vars` section contains a list of variables and values that can be used in the plays, like this::
---
- hosts: webservers
remote_user: root
vars:
http_port: 80
van_halen_port: 5150
other: 'magic'
.. note::
You can also keep variables in separate files and include them alongside inline `vars` with a `vars_files` declaration
in the play. See the `Advanced Playbooks chapter <http://www.ansibleworks.com/docs/playbooks2.html#variable-file-separation>`_
for more info.
These variables can be used later in the playbook like this::
{{ varname }}
Variables are passed through the Jinja2 templating engine. Any valid Jinja2
expression can be used between the curly braces, including the use of filters
to modify the variable (for example, `{{ varname|int }}` ensures the variable is
interpreted as an integer).
Jinja2 expressions are very similar to Python and even if you are not working
with Python you should feel comfortable with them. See the `Jinja2 documentation
<http://jinja.pocoo.org/docs/templates/>`_ to learn more about the syntax.
Please note that Jinja2 loops and conditionals are only useful in Ansible
templates, not in playbooks. Use the 'when' and 'with' keywords for
conditionals and loops in Ansible playbooks.
If there are discovered variables about the system, called 'facts', these variables bubble up back into the playbook, and can be used on each system just like explicitly set variables. Ansible provides several
of these, prefixed with 'ansible', which are documented under 'setup' in the module documentation. Additionally,
facts can be gathered by ohai and facter if they are installed. Facter variables are prefixed with ``facter_`` and Ohai variables are prefixed with ``ohai_``. These add extra dependencies and are only there for ease of users
porting over from those other configuration systems. Finally, it's possible to drop files
on to the remote systems that provide additional sources of fact data, see "Facts.d" as documented
in the Advanced Playbooks section.
How about an example. If I wanted to write the hostname into the /etc/motd file, I could say::
- name: write the motd
template: src=/srv/templates/motd.j2 dest=/etc/motd
And in /srv/templates/motd.j2::
You are logged into {{ facter_hostname }}
But we're getting ahead of ourselves, as that just showed a task in a playbook ahead of schedule. Let's talk about tasks.
Tasks list
++++++++++
Each play contains a list of tasks. Tasks are executed in order, one
at a time, against all machines matched by the host pattern,
before moving on to the next task. It is important to understand that, within a play,
all hosts are going to get the same task directives. It is the purpose of a play to map
a selection of hosts to tasks.
When running the playbook, which runs top to bottom, hosts with failed tasks are
taken out of the rotation for the entire playbook. If things fail, simply correct the playbook file and rerun.
The goal of each task is to execute a module, with very specific arguments.
Variables, as mentioned above, can be used in arguments to modules.
Modules are 'idempotent', meaning if you run them
again, they will make only the changes they must in order to bring the
system to the desired state. This makes it very safe to rerun
the same playbook multiple times. They won't change things
unless they have to change things.
The `command` and `shell` modules will typically rerun the same command again,
which is totally ok if the command is something like
'chmod' or 'setsebool', etc. Though there is a 'creates' flag available which can
be used to make these modules also idempotent.
Every task should have a `name`, which is included in the output from
running the playbook. This is output for humans, so it is
nice to have reasonably good descriptions of each task step. If the name
is not provided though, the string fed to 'action' will be used for
output.
Tasks can be declared using the legacy "action: module options" format, but
it is recommeded that you use the more conventional "module: options" format.
This recommended format is used throughout the documentation, but you may
encounter the older format in some playbooks.
Here is what a basic task looks like, as with most modules,
the service module takes key=value arguments::
tasks:
- name: make sure apache is running
service: name=httpd state=running
The `command` and `shell` modules are the one modules that just takes a list
of arguments, and don't use the key=value form. This makes
them work just like you would expect. Simple::
tasks:
- name: disable selinux
command: /sbin/setenforce 0
The command and shell module care about return codes, so if you have a command
whose successful exit code is not zero, you may wish to do this::
tasks:
- name: run this command and ignore the result
shell: /usr/bin/somecommand || /bin/true
Or this::
tasks:
- name: run this command and ignore the result
shell: /usr/bin/somecommand
ignore_errors: True
If the action line is getting too long for comfort you can break it on
a space and indent any continuation lines::
tasks:
- name: Copy ansible inventory file to client
copy: src=/etc/ansible/hosts dest=/etc/ansible/hosts
owner=root group=root mode=0644
Variables can be used in action lines. Suppose you defined
a variable called 'vhost' in the 'vars' section, you could do this::
tasks:
- name: create a virtual host file for {{ vhost }}
template: src=somefile.j2 dest=/etc/httpd/conf.d/{{ vhost }}
Those same variables are usable in templates, which we'll get to later.
Now in a very basic playbook all the tasks will be listed directly in that play, though it will usually
make more sense to break up tasks using the 'include:' directive. We'll show that a bit later.
Action Shorthand
````````````````
.. versionadded:: 0.8
Ansible prefers listing modules like this in 0.8 and later::
template: src=templates/foo.j2 dest=/etc/foo.conf
You will notice in earlier versions, this was only available as::
action: template src=templates/foo.j2 dest=/etc/foo.conf
The old form continues to work in newer versions without any plan of deprecation.
Running Operations On Change
````````````````````````````
As we've mentioned, modules are written to be 'idempotent' and can relay when
they have made a change on the remote system. Playbooks recognize this and
have a basic event system that can be used to respond to change.
These 'notify' actions are triggered at the end of each block of tasks in a playbook, and will only be
triggered once even if notified by multiple different tasks.
For instance, multiple resources may indicate
that apache needs to be restarted because they have changed a config file,
but apache will only be bounced once to avoid unneccessary restarts.
Here's an example of restarting two services when the contents of a file
change, but only if the file changes::
- name: template configuration file
template: src=template.j2 dest=/etc/foo.conf
notify:
- restart memcached
- restart apache
The things listed in the 'notify' section of a task are called
handlers.
Handlers are lists of tasks, not really any different from regular
tasks, that are referenced by name. Handlers are what notifiers
notify. If nothing notifies a handler, it will not run. Regardless
of how many things notify a handler, it will run only once, after all
of the tasks complete in a particular play.
Here's an example handlers section::
handlers:
- name: restart memcached
service: name=memcached state=restarted
- name: restart apache
service: name=apache state=restarted
Handlers are best used to restart services and trigger reboots. You probably
won't need them for much else.
.. note::
Notify handlers are always run in the order written.
Roles are described later on. It's worthwhile to point out that handlers are
automatically processed between 'pre_tasks', 'roles', 'tasks', and 'post_tasks'
sections. If you ever want to flush all the handler commands immediately though,
in 1.2 and later, you can::
tasks:
- shell: some tasks go here
- meta: flush_handlers
- shell: some other tasks
In the above example any queued up handlers would be processed early when the 'meta'
statement was reached. This is a bit of a niche case but can come in handy from
time to time.
Task Include Files And Encouraging Reuse Task Include Files And Encouraging Reuse
```````````````````````````````````````` ````````````````````````````````````````
...@@ -376,7 +63,8 @@ contain all of my wordpress tasks in a single wordpress.yml file, and use it lik ...@@ -376,7 +63,8 @@ contain all of my wordpress tasks in a single wordpress.yml file, and use it lik
- include: wordpress.yml user=alice - include: wordpress.yml user=alice
- include: wordpress.yml user=bob - include: wordpress.yml user=bob
Variables passed in can then be used in the included files. You can reference them like this:: Variables passed in can then be used in the included files. We've already covered them a bit in :doc:`intro_variales`.
You can reference them like this::
{{ user }} {{ user }}
...@@ -622,33 +310,7 @@ The resulting order of execution would be as follows:: ...@@ -622,33 +310,7 @@ The resulting order of execution would be as follows::
car car
.. note:: .. note::
Variable inheritance and scope are detailed in the Advanced Playbook section. Variable inheritance and scope are detailed in the :doc:`playbooks_variables`.
Executing A Playbook
````````````````````
Now that you've learned playbook syntax, how do you run a playbook? It's simple.
Let's run a playbook using a parallelism level of 10::
ansible-playbook playbook.yml -f 10
Tips and Tricks
```````````````
Look at the bottom of the playbook execution for a summary of the nodes that were targeted
and how they performed. General failures and fatal "unreachable" communication attempts are
kept separate in the counts.
If you ever want to see detailed output from successful modules as well as unsuccessful ones,
use the '--verbose' flag. This is available in Ansible 0.5 and later.
Also, in version 0.5 and later, Ansible playbook output is vastly upgraded if the cowsay
package is installed. Try it!
In version 0.7 and later, to see what hosts would be affected by a playbook before you run it, you
can do this::
ansible-playbook playbook.yml --list-hosts.
.. seealso:: .. seealso::
...@@ -656,19 +318,14 @@ can do this:: ...@@ -656,19 +318,14 @@ can do this::
Learn about YAML syntax Learn about YAML syntax
:doc:`playbooks` :doc:`playbooks`
Review the basic Playbook language features Review the basic Playbook language features
:doc:`playbooks2`
Learn about Advanced Playbook Features
:doc:`bestpractices` :doc:`bestpractices`
Various tips about managing playbooks in the real world Various tips about managing playbooks in the real world
:doc:`modules` :doc:`modules`
Learn about available modules Learn about available modules
:doc:`moduledev` :doc:`developing_modules`
Learn how to extend Ansible by writing your own modules Learn how to extend Ansible by writing your own modules
:doc:`patterns`
Learn about how to select hosts
`Github examples directory <https://github.com/ansible/ansible/tree/devel/examples/playbooks>`_ `Github examples directory <https://github.com/ansible/ansible/tree/devel/examples/playbooks>`_
Complete playbook files from the github project source Complete playbook files from the github project source
`Mailing List <http://groups.google.com/group/ansible-project>`_ `Mailing List <http://groups.google.com/group/ansible-project>`_
Questions? Help? Ideas? Stop by the list on Google Groups Questions? Help? Ideas? Stop by the list on Google Groups
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment