Guided Exercise: Configuring Ansible

Default settings provide safe choices for a broad range of conditions. You might be surprised, though, at how much you can improve your experience by tailoring settings to suit your particular situation.

In this exercise, you will configure Ansible.

Outcomes

You should be able to:

  • Determine which configuration file Ansible uses by default.

  • Customize the configuration file.

  • Configure the connection method.

  • Configure authentication details.

  • Verify the configuration and troubleshoot any problems.

This exercise requires a hosts inventory file that contains a vyos group, as in the section called “Guided Exercise: Creating Host Inventories”.

Open a terminal window on the workstation machine.

  1. Determine which configuration file Ansible uses by default.

    1. Execute the ansible command with the --version option, and review the value of the config file setting:

      [student@workstation ~]$ ansible --version
      ansible 2.5.5
        config file = /etc/ansible/ansible.cfg
        configured module search path = [u'/home/student/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
        ansible python module location = /usr/lib/python2.7/site-packages/ansible
        executable location = /usr/bin/ansible
        python version = 2.7.5 (default, Feb 20 2018, 09:19:12) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
  2. Customize the configuration file.

    1. Take a few minutes to familiarize yourself with the contents of the /etc/ansible/ansible.cfg file.

    2. Identify, within /etc/ansible/ansible.cfg, which settings you would like to customize. Create an ansible.cfg file in the local directory. Add to it the settings you identified for customization, customized per your needs.

      [student@workstation ~]$ cat ansible.cfg
      [defaults]
      # skip SSH host key verification (lab only; a spoofed device would go unnoticed)
      host_key_checking = False
      # use the local inventory file without having to use -i
      inventory = inventory
      # prompt us for the password so we do not have to use -k
      ask_pass = True
      # do not gather facts unless we ask for them
      gathering = explicit
      
      [persistent_connection]
      # avoid timing out when configuring slow IOS VM
      command_timeout = 180
      connect_timeout = 100
      connect_retry_timeout = 100

      Later on in this course, you learn how to use Ansible Vault to encrypt sensitive data such as passwords. For the time being, whenever you run ad hoc commands with the ansible command, or playbooks with ansible-playbook, Ansible prompts you interactively for the SSH password. The ask_pass = True setting in our local ansible.cfg file makes this happen even when -k or --ask-pass is not used.

    3. Repeat the ansible --version command in the directory where your new ansible.cfg file is located. The output from the command should indicate that your local ansible.cfg file is now being used:

      [student@workstation ~]$ ansible --version
      ansible 2.5.0
        config file = /home/student/ansible.cfg
        configured module search path = [u'/home/student/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
        ansible python module location = /usr/lib/python2.7/site-packages/ansible
        executable location = /usr/bin/ansible
        python version = 2.7.5 (default, Feb 20 2018, 09:19:12) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
  3. Configure the connection method.

    What is the best way to set the connection method? It is very often the case that the same connection method is used to connect to all of the hosts that belong to a given group. When that is the case, it makes sense to set the connection method at the group level. Create a directory named group_vars/ to hold files containing group variables, if it does not already exist.

    [student@workstation ~]$ mkdir group_vars

    Ansible supports connection methods network_cli and NETCONF for connecting to network devices. The NETCONF method has powerful capabilities, but not all platforms support it yet. You know that the network_cli connection method works with all network devices found in the Lab Network, so create a file named network in the group_vars/ directory that looks like this:

    [student@workstation ~]$ cat group_vars/network
    ansible_connection: network_cli

    As long as this directory is found where your playbook is located (the playbook-level group variables) or where your inventory file lives (the inventory-level group variables), Ansible should find it and automatically load variables for groups.

  4. Configure authentication details.

    These credentials are used for accessing devices in the Lab Network:

    OS/NOS    Ansible Group    Credentials
    VyOS      spines, leafs    user: vyos, password: vyos
    IOS       cloud            user: admin, password: student

    Create these group files with contents as shown:

    [student@workstation ~]$ cat group_vars/vyos
    ansible_network_os: vyos
    ansible_user: vyos
    [student@workstation ~]$ cat group_vars/ios
    ansible_network_os: ios
    ansible_user: admin
  5. Verify the configuration and troubleshoot any problems.

    1. Verify that the variables are set correctly for members of the vyos group. This is an early example of the power of ad hoc commands, which are introduced in the next chapter. This ad hoc command uses the debug module to print the value of the ansible_user variable for each host in the vyos host group from the hosts inventory file you created. Do not be alarmed if the hosts provide their output in a different order than the output below. The SSH password for the VyOS devices is vyos.

      [student@workstation ~]$ ansible -m debug -a "var=ansible_user" vyos
      SSH password: vyos
      leaf01 | SUCCESS => {
          "ansible_user": "vyos"
      }
      leaf02 | SUCCESS => {
          "ansible_user": "vyos"
      }
      spine01 | SUCCESS => {
          "ansible_user": "vyos"
      }
      spine02 | SUCCESS => {
          "ansible_user": "vyos"
      }
    2. Verify that the variables are set correctly for members of the ios group. The SSH password for the IOS devices is student.

      [student@workstation ~]$ ansible -m debug -a "var=ansible_user" ios
      SSH password: student
      cs01 | SUCCESS => {
          "ansible_user": "admin"
      }
    3. If all is set correctly, it ought to be possible to use an ad hoc command with the Ansible ping module to verify connectivity. This module indicates whether Ansible commands can be run on hosts. It happens to be named the same as the familiar network tool that performs ICMP echo requests, but the name is all they share. The Ansible ping module has nothing to do with ICMP.

      Note

      Because VyOS devices and IOS devices are using different SSH passwords, and we have not yet learned how to use Red Hat Ansible Vault to encrypt group variables, you should either test connectivity to devices individually, or use groups of devices that all use the same SSH password.

      1. Verify connectivity to IOS devices. The SSH password for IOS devices is student.

        [student@workstation ~]$ ansible -m ping ios
        SSH password: student
        cs01 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
      2. Verify connectivity to VyOS devices. The SSH password is vyos for VyOS devices.

        [student@workstation ~]$ ansible -m ping vyos
        SSH password: vyos
        leaf02 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
        spine01 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
        leaf01 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
        spine02 | SUCCESS => {
            "changed": false,
            "ping": "pong"
        }
    4. Download the verify-access.yml playbook from materials.example.com. In this example, wget is a standard tool for downloading files at the command line over HTTP. The backslash (\) is the shell line continuation character, and the greater-than symbol (>) is the secondary prompt the shell displays for the continued line. Line continuation is used when a command is too long to fit conveniently inside the box used on the page for displaying it. When copying a command that uses line continuation, remove the secondary prompts that appear as greater-than symbols.

      [student@workstation ~]$ wget \
      > http://materials.example.com/playbooks/verify-access.yml
    5. The playbook you downloaded verifies that connectivity and authentication are configured correctly. It skips servers located inside the Lab Network. Those are not expected to be accessible until the Lab Network has been configured and is routing traffic correctly.

      [student@workstation ~]$ cat verify-access.yml
      ---
      - name: a play that verifies access to members of host group 'all'
        hosts: network
        gather_facts: no
      
        tasks:
      
        - name: "verify access to {{ inventory_hostname }}"
          ping:
          register: ping_response
      
        - name: debug
          debug:
            msg: "{{ ping_response }}"
      
        - name: assert that the response contains the string 'pong'
          assert:
            that: ping_response.ping == "pong"
    6. Use the ansible-playbook command to perform the play in the verify-access.yml playbook. Note that because VyOS devices and IOS devices are using different SSH passwords, and you have not yet learned how to use Red Hat Ansible Vault to encrypt group variables, use the --limit=SUBSET (-l SUBSET) option to limit the scope of the playbook to targets that all use the same SSH password. The SSH password for IOS devices is student, and it is vyos for VyOS devices.

      [student@workstation ~]$ ansible-playbook -l ios verify-access.yml
      SSH password: student
      
      PLAY [a play that verifies access to members of host group 'all'] **************
      
      TASK [verify access to cs01] ***************************************************
      ok: [cs01]
      
      TASK [debug] *******************************************************************
      ok: [cs01] => {
          "msg": {
              "changed": false,
              "failed": false,
              "ping": "pong"
          }
      }
      
      TASK [assert that the response contains the string 'pong'] *********************
      ok: [cs01] => {
          "changed": false,
          "msg": "All assertions passed"
      }
      
      PLAY RECAP *********************************************************************
      cs01                      : ok=3   changed=0   unreachable=0   failed=0
    7. Download the show-current-access-vars.yml playbook from materials.example.com:

      [student@workstation ~]$ wget \
      > http://materials.example.com/playbooks/show-current-access-vars.yml
    8. The playbook you downloaded displays the values of important connection and authentication variables.

      [student@workstation ~]$ cat show-current-access-vars.yml
      ---
      - name: a play that exposes the current access vars
        hosts: network
        gather_facts: no
      
        tasks:
        - name: show the value of key variables
          debug:
            msg: >
              host: {{ inventory_hostname }},
              con: {{ ansible_connection }},
              nos: {{ ansible_network_os }},
              user: {{ ansible_user }},
              pass: {{ ansible_ssh_pass }}
    9. Use the ansible-playbook command to perform the play in the show-current-access-vars.yml playbook. Because VyOS devices and IOS devices are using different SSH passwords, and we have not yet learned how to use Red Hat Ansible Vault to encrypt group variables, use the --limit=SUBSET (-l SUBSET) option to limit the scope of the playbook to targets that all use the same SSH password. The SSH password for IOS devices is student, and it is vyos for VyOS devices.

      [student@workstation ~]$ ansible-playbook -l vyos show-current-access-vars.yml
      SSH password: vyos
      
      PLAY [a play that exposes the current access vars] *****************************
      
      TASK [show the value of key variables] *****************************************
      ok: [spine01] => {
          "msg": "host: spine01, con: network_cli, nos: vyos, user: vyos, pass: vyos\n"
      }
      ok: [leaf01] => {
          "msg": "host: leaf01, con: network_cli, nos: vyos, user: vyos, pass: vyos\n"
      }
      ok: [spine02] => {
          "msg": "host: spine02, con: network_cli, nos: vyos, user: vyos, pass: vyos\n"
      }
      ok: [leaf02] => {
          "msg": "host: leaf02, con: network_cli, nos: vyos, user: vyos, pass: vyos\n"
      }
      
      PLAY RECAP *********************************************************************
      leaf01                    : ok=1   changed=0   unreachable=0   failed=0
      leaf02                    : ok=1   changed=0   unreachable=0   failed=0
      spine01                   : ok=1   changed=0   unreachable=0   failed=0
      spine02                   : ok=1   changed=0   unreachable=0   failed=0

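The config-file search order from step 1 and the lab-only settings from steps 2, 4 and 9 (host_key_checking = False, SSH passwords kept outside Ansible Vault) can be checked before running anything. The script below is an added example, not course material: the resolve_config, audit_cfg and audit_group_vars functions and the sample inputs are constructed here, and the search order is the one Ansible documents.

```python
"""Pre-flight audit of the configuration built in this exercise (added example, not
course material). Reproduces Ansible's documented config search order and flags the
lab-only shortcuts: host_key_checking = False and unencrypted passwords in group_vars."""
import configparser
import os

def resolve_config(env, cwd, home, exists=os.path.isfile):
    """First existing file in Ansible's search order: $ANSIBLE_CONFIG, ./ansible.cfg,
    ~/.ansible.cfg, /etc/ansible/ansible.cfg. exists() is injectable for offline tests."""
    candidates = [env["ANSIBLE_CONFIG"]] if env.get("ANSIBLE_CONFIG") else []
    candidates += [os.path.join(cwd, "ansible.cfg"),
                   os.path.join(home, ".ansible.cfg"),
                   "/etc/ansible/ansible.cfg"]
    return next((path for path in candidates if exists(path)), None)

def audit_cfg(text):
    """Findings for the body of an ansible.cfg (INI syntax, parsed with configparser)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    value = cfg.get("defaults", "host_key_checking", fallback="True").strip().lower()
    if value in ("false", "no", "off", "0"):
        return ["host_key_checking disabled: SSH host keys are not verified, "
                "so a spoofed device would not be detected"]
    return []

def audit_group_vars(text):
    """Flag plaintext passwords in a flat 'key: value' group_vars file (the format used
    in this exercise; a full YAML parser is out of scope). Values carrying the
    '!vault' tag were encrypted with ansible-vault and are not flagged."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split(":", 1))
        if key in ("ansible_ssh_pass", "ansible_password") and not value.startswith("!vault"):
            findings.append(key + " stored in plaintext")
    return findings

# Constructed sample input: the ansible.cfg from step 2, and a group_vars/vyos that
# embeds the password instead of relying on ask_pass = True.
SAMPLE_CFG = "[defaults]\nhost_key_checking = False\n# local inventory\ninventory = inventory\nask_pass = True\n"
SAMPLE_GROUP_VARS = "ansible_network_os: vyos\nansible_user: vyos\nansible_ssh_pass: vyos\n"

if __name__ == "__main__":
    for finding in audit_cfg(SAMPLE_CFG) + audit_group_vars(SAMPLE_GROUP_VARS):
        print("WARNING:", finding)
```
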
This concludes the guided exercise.

Revision: do457-2.5-4693601