Lab: Deploying Ansible

In this lab, you will deploy a local Ansible hosts inventory, custom configuration, and supporting variables, to fully and safely automate the process of performing tasks on remote devices in the Lab Network.

Outcomes

You should be able to:

  • Clone the ansible-generic-project Git repository to create a local directory for your new Ansible project.

  • Create a hosts inventory file.

  • Create a directory structure to hold group variables.

  • Create plain and encrypted group variables files.

  • Create a Vault password directory and Vault password file outside of your project directory and protect these with appropriate file-system permissions.

  • Create a local ansible.cfg file to provide customization.

  • Verify connectivity to managed network devices, omitting the servers.

  • Commit your work to the Git repository.

Open a terminal window on the workstation VM.

Instructions

Perform the following steps:

  • Clone the ansible-generic-project Git repository to create a local directory for your new Ansible project. Use the following URL in the Lab Environment:

    • http://git.lab.example.com:3000/student/ansible-generic-project.git

  • Create a hosts inventory file.

  • Create a directory structure to hold group variables.

  • Create plain and encrypted group variables files.

  • Create a Vault password directory and Vault password file outside of your project directory and protect these with appropriate file-system permissions.

  • Create a local ansible.cfg file to provide local customization. Use gathering = explicit, for instance, to avoid typing gather_facts: False at the top of every play.

  • Verify connectivity to managed network devices, omitting the servers.

    • The verify-access.yml playbook is provided with ansible-generic-project. Use that playbook to verify access or create your own.

    If verification fails, troubleshoot and resolve the problem.

    The show-current-access-vars.yml playbook is also provided with ansible-generic-project. This might be useful if connection and authentication tests are failing.

  • Commit your work to the Git repository. If prompted for credentials, the user name is student and the password is student. The commands are shown here.

    [student@workstation ]$ git add -A :/
    [student@workstation ]$ git commit -m "ch7 lab1"
    [student@workstation ]$ git push
  1. Clone the ansible-generic-project Git repository to create a local directory for your new Ansible project. Use the following URL in the Lab Environment: http://git.lab.example.com:3000/student/ansible-generic-project.git

    [student@workstation ~]$ git clone \
    > http://git.lab.example.com:3000/student/ansible-generic-project.git

    Change into the directory created by the git clone command.

    [student@workstation ~]$ cd ansible-generic-project
    [student@workstation ansible-generic-project]$
  2. Download the example.com hosts inventory file.

    [student@workstation ansible-generic-project]$ wget \
    > http://materials.example.com/full/inventory
  3. Create a directory structure to hold group variables, and create plain and encrypted group variables files.

    1. Create group_vars/ subdirectories for groups with variables listed in Appendix B.

      [student@workstation ansible-generic-project]$ mkdir -p group_vars/ios
      [student@workstation ansible-generic-project]$ mkdir group_vars/local
      [student@workstation ansible-generic-project]$ mkdir group_vars/network
      [student@workstation ansible-generic-project]$ mkdir group_vars/vyos
    2. Map groups to connection and authentication variables.

      [student@workstation ansible-generic-project]$ cat group_vars/ios/vars.yml
      ansible_network_os: ios
      
      [student@workstation ansible-generic-project]$ cat group_vars/local/vars.yml
      ansible_network_os: local
      
      [student@workstation ansible-generic-project]$ cat group_vars/network/vars.yml
      ansible_connection: network_cli
      
      [student@workstation ansible-generic-project]$ cat group_vars/vyos/vars.yml
      ansible_network_os: vyos
    3. Create encrypted vault.yml variables files to hold sensitive data. Use redhat as the Vault password.

      The group_vars/ios/vault.yml file contains "ansible_user: admin" and "ansible_password: student".

      [student@workstation ansible-generic-project]$ ansible-vault create \
      > group_vars/ios/vault.yml
      New Vault password: redhat
      Confirm New Vault password: redhat

      The group_vars/vyos/vault.yml file contains "ansible_user: vyos" and "ansible_password: vyos".

      [student@workstation ansible-generic-project]$ ansible-vault create \
      > group_vars/vyos/vault.yml
      New Vault password: redhat
      Confirm New Vault password: redhat
  4. Create a Vault password directory and Vault password file outside of your project directory and protect these with appropriate file-system permissions.

    Note

    You can skip this step if you already completed it in Guided Exercise 4.3.

    [student@workstation ansible-generic-project]$ cd ..
    [student@workstation ~]$ mkdir .rhv
    [student@workstation ~]$ chmod 700 .rhv
    [student@workstation ~]$ ls -ld .rhv
    drwx------. 2 student student   25 May 29 15:42 .rhv
    [student@workstation ~]$ echo redhat > .rhv/vault-secret
    [student@workstation ~]$ chmod 600 .rhv/vault-secret
    [student@workstation ~]$ ls -l .rhv/vault-secret
    -rw-------. 1 student student 7 May 29 15:43 .rhv/vault-secret
    [student@workstation ~]$ cd ansible-generic-project
  5. Create a local ansible.cfg file to provide customization.

    [student@workstation ansible-generic-project]$ cat ansible.cfg
    [defaults]
    inventory = inventory
    host_key_checking = False
    gathering = explicit
    vault_password_file = ../.rhv/vault-secret
    
    [persistent_connection]
    command_timeout = 180
    connect_timeout = 100
    connect_retry_timeout = 100
  6. Verify connectivity to managed network devices, omitting the servers.

    The verify-access.yml playbook is provided with the ansible-generic-project Git repo. Use that playbook to verify access or create your own.

    [student@workstation ansible-generic-project]$ ansible-playbook verify-access.yml

    If verification fails, troubleshoot and resolve the problem.

    The show-current-access-vars.yml playbook is provided with the ansible-generic-project Git repo. This might be useful if the connection and authentication tests are failing. Use -l SUBSET to limit the target set to a particular host or group. In this example, for instance, access variables are viewed for spine01.

    [student@workstation ansible-generic-project]$ ansible-playbook -l spine01 \
    > show-current-access-vars.yml
    
    PLAY [a play that exposes the current access vars] ***************************
    
    TASK [show the value of key variables] ***************************************
    ok: [spine01] => {
        "msg": "host: spine01,  con: ssh,  nos: vyos,  user: vyos,  pass: vyos\n"
    }
    
    PLAY RECAP *******************************************************************
    spine01                    : ok=1    changed=0    unreachable=0    failed=0
  7. Commit your work to the Git repository.

    1. Add a .gitignore file that instructs Git not to store vault.yml files.

      [student@workstation ansible-generic-project]$ cat .gitignore
      **/vault.yml
    2. Update the repository. If prompted, the Git credentials are user student, password student.

      [student@workstation ansible-generic-project]$ git add -A :/
      [student@workstation ansible-generic-project]$ git commit -m "ch7 lab 1"
      [student@workstation ansible-generic-project]$ git push
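
The secret handling set up in steps 3, 4, 5 and 7 can be checked in one pass before pushing. The following is an added example, not part of the lab material or the ansible-generic-project repository. The function name audit_project is hypothetical, and it assumes the .gitignore rule is written exactly as in step 7 and that a relative vault_password_file is resolved against the directory holding ansible.cfg.

```shell
#!/bin/sh
# Added example (not from the lab): audit Vault secret handling in a project.
# Prints one line per finding; the return status is the number of findings.
# Usage: audit_project ~/ansible-generic-project
audit_project() {
    proj=$(cd "$1" && pwd -P) || return 99
    findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Read vault_password_file from ansible.cfg (assumption: a relative
    # value is relative to the directory that holds ansible.cfg).
    pw=$(sed -n 's/^[[:space:]]*vault_password_file[[:space:]]*=[[:space:]]*//p' \
         "$proj/ansible.cfg" | head -n 1)
    case "$pw" in
        "") flag "no vault_password_file in ansible.cfg" ;;
        /*) ;;
        *)  pw="$proj/$pw" ;;
    esac

    if [ -n "$pw" ] && [ -f "$pw" ]; then
        pwdir=$(cd "$(dirname "$pw")" && pwd -P)
        # Step 4: the password file must live outside the Git working tree.
        case "$pwdir/" in
            "$proj"/*) flag "password file is inside the project: $pw" ;;
        esac
        # Characters 5-10 of the ls mode string are the group/other bits,
        # the same field inspected with ls -ld and ls -l in step 4.
        for p in "$pwdir" "$pw"; do
            bits=$(ls -ld "$p" | cut -c5-10)
            [ "$bits" = "------" ] || flag "group/other access on $p ($bits)"
        done
    elif [ -n "$pw" ]; then
        flag "password file not found: $pw"
    fi

    # Step 3: every vault.yml must carry the Ansible Vault header.
    for v in "$proj"/group_vars/*/vault.yml; do
        [ -f "$v" ] || continue
        head -n 1 "$v" | grep -q '^\$ANSIBLE_VAULT;' ||
            flag "not vault-encrypted: $v"
    done
    # Step 7: look for the exact ignore rule used in the lab.
    grep -qxF '**/vault.yml' "$proj/.gitignore" 2>/dev/null ||
        flag ".gitignore lacks the **/vault.yml rule"

    return "$findings"
}
```

A status of 0 means the password file sits outside the project with no group or other access, every vault.yml is ciphertext, and the ignore rule is present.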
Revision: do457-2.5-4693601