Ansible 101 – Episode 6 – Ansible Vault and Roles
Jeff Geerling (geerlingguy) explores Ansible Vault and playbook organization using Roles from chapters 5 and 6 in the bestselling Ansible book, Ansible for DevOps.
Buy Ansible for DevOps: https://www.ansiblefordevops.com
Sponsor Jeff on GitHub: https://github.com/sponsors/geerlingguy
Support Jeff on Patreon: https://www.patreon.com/geerlingguy
Contents:
00:00:00 – Intro
00:06:30 – Questions from last episode
00:10:51 – Intro to Ansible Vault
00:14:00 – Encrypting a vars file with Vault
00:17:55 – Decrypt, encrypt, edit, rekey, etc.
00:21:33 – Task features – conditionals and tags
00:25:54 – Blocks
00:27:05 – Chapter 5 Cowsay
00:27:26 – Playbook organization
00:30:05 – Includes and imports
00:35:13 – Caution about dynamic tasks
00:37:18 – Playbook includes
00:39:40 – Node.js playbook example
00:46:06 – Roles
00:51:27 – Options for including Roles
00:52:30 – Real-world flexible role usage
01:00:33 – The Golden Hammer
01:01:12 – Outro
33 Comments
Clément T.
May 10, 2022 12:42 pm
Two things changed since you uploaded this video that I wanted to point out:
First, since 01/31/2022, mirrors for CentOS 8 are not available at mirror.centos.org but vault.centos.org. To fix this without changing too many things in your lecture, I added these pre_tasks in the playbook:
pre_tasks:
  # Disable the mirrorlist entries, then switch baseurl to vault.centos.org.
  - name: Ensure yum uses vault.centos.org repos.
    shell: sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS*
  - shell: sed -i -e "s|^#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS*
Second, for some reason, the forever binary is not loaded in PATH (I think it's because root does not have /usr/local/bin in PATH), so I added a var:
vars:
  forever_bin: /usr/local/bin/forever
And used it instead of "forever" in the playbook, two tasks then become:
- name: Check list of running Node.js apps.
  command: "{{ forever_bin }} list"
  register: forever_list
  changed_when: false
- name: Start example Node.js app.
  command: "{{ forever_bin }} start {{ node_apps_location }}/app/app.js"
  when: "forever_list.stdout.find(node_apps_location + '/app/app.js') == -1"
Hope this helps!
Marc ABBOUD
May 10, 2022 12:42 pm
Hello Jeff, I am doing the example in the book and this video, but I am getting this:
" ok: [localhost] => {
"echo_result.stdout": "VARIABLE IS NOT DEFINED!" "
The path to api_key.yml is the same, literally doing everything the same, but can't seem to get the key in the output. I was using wsl2 and I thought maybe it has something to do with localhost and wsl2, but now I am on my MacBook Pro (tutorial-env), and I am getting the same output.
Why do you think it's not printing the API key? What is inside your inventory? Thanks 🙏
RetconTV
May 10, 2022 12:42 pm
I'm loving this series, but since it is 2 years in the future… Did Red Shirt Jeff just teach me about security features? Should I be worried?
Manazil – منازل
May 10, 2022 12:42 pm
37:00
Kingston Fortune
May 10, 2022 12:42 pm
Running this in 2022, and I encountered errors in the "Check list of running nodejs apps." Ansible always returns command forever not found.
I decided to ssh into the CentOS server and I noticed that running the forever command as a normal user works but using root returns the error.
So to solve the problem, I applied become: false to both "Check list of running nodejs apps." and "Start example Nodejs app." which are the last two tasks.
Hopefully this helps someone.
To know the exact tasks I am referring to in the video, see this timeframe: 44:06
In the text editor, see line 45 to line 52
Manindra Singh
May 10, 2022 12:42 pm
Hello @Jeff, how to run workflow template through API?
Fredrik
May 10, 2022 12:42 pm
I truly appreciate this. Just getting into Ansible and using roles was easy and made life so much easier. Great explanation and showcase!
Tony Ma
May 10, 2022 12:42 pm
I have a lot of difficulty following along with the practice as I am using macOS with an Apple M1 chip and VirtualBox isn't available. I have purchased Parallels Pro and am using it as a provider, but in lots of cases I cannot find a suitable box to run your script. It would be great if you could provide more details on how to follow the practice on an M1 Mac with Parallels or Docker. Many thanks. Great content.
Spicy Baguette
May 10, 2022 12:42 pm
45:45 You're sure about that?
V J
May 10, 2022 12:42 pm
Hi Jeff, thank you so much for making these videos, bought your book recently. Love from India
Mathew Kargarzadeh
May 10, 2022 12:42 pm
Thanks Jeff for sharing your wonderful knowledge. Much appreciated!! Mat.
Aaron Chamberlain
May 10, 2022 12:42 pm
45:33 Note for those following the examples, it's likely included in the book, but the npm ansible module is not included by default. It is part of the Ansible Galaxy community.general package. Look up the community.general.npm package and it will provide the command to install it.
Michael Vilain
May 10, 2022 12:42 pm
You've answered a question I've been asking myself after writing Ansible code "in a vacuum" with no one to review it. If a role's main task gets long, when is it a good idea to break it into separate files and include them rather than search for that bit of code in a long file?
Nico Braun
May 10, 2022 12:42 pm
LMAO the comment about node dependencies is too true.
Vincent Ricci
May 10, 2022 12:42 pm
Much appreciate all the tips. Great job!
elabed dhahbi
May 10, 2022 12:42 pm
I missed the free book but at least I still can watch the videos. Nice series, I really appreciated
Brooke Hedrick
May 10, 2022 12:42 pm
For "The simplest nodejs app"…
The forever command was not working for me as root/become. I logged in with "vagrant ssh" and could run forever, but "sudo forever" said command not found. I do have global set.
- name: Install Forever to run our server
  npm:
    name: forever
    global: yes
    state: present
I ended up using /usr/local/bin/forever to get things working since the goal was to get the nodejs app running. In the process, I got to learn about "forever cleanlogs"!
Dzintars Klavins
May 10, 2022 12:42 pm
I use tags when I build the role for debug reasons. I simply don't want to run and wait for the whole playbook or role just to debug a single task.
kolorob backend
May 10, 2022 12:42 pm
Today I was going through the documentation for Big Blue Button, and in its Ansible dependencies it mentioned 2 of your packages for Ansible Docker and Ansible Node.js. What are the odds
Mike Eggleston
May 10, 2022 12:42 pm
Thank you for making the video. Tags could be useful for STIG plays.
chuckinator0
May 10, 2022 12:42 pm
When using --vault-password-file, isn’t that the same as having an unencrypted variable in the first place? And then you need to encrypt that file, and so on. Do you have to use something like Hashicorp Vault at some point anyway?
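On the password-file question above, as an added example that is not part of the video or of any comment: when the path given to --vault-password-file is executable, Ansible runs it and uses its standard output as the vault password, so the file can be a small script instead of the secret itself. The names CI_VAULT_PASSWORD, ~/.ansible_vault_pass, vault-pass.sh and main.yml are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: an executable vault password file for ansible-vault and
# ansible-playbook. Nothing secret is stored in this script.
# Assumed names: CI_VAULT_PASSWORD, ~/.ansible_vault_pass, vault-pass.sh.

# Succeed only if $1 is a regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the vault password on stdout, or fail without printing anything.
vault_password() {
    # 1. A secret injected by the CI system or a secrets manager wrapper.
    if [ -n "${CI_VAULT_PASSWORD:-}" ]; then
        printf '%s\n' "$CI_VAULT_PASSWORD"
        return 0
    fi
    # 2. A local file, accepted only when it is private to its owner.
    pw_file=${1:-"$HOME/.ansible_vault_pass"}
    if is_private_file "$pw_file"; then
        cat "$pw_file"
        return 0
    fi
    echo "vault-pass: $pw_file is missing or accessible to group/others" >&2
    return 1
}

# Run only when invoked as the script itself, for example:
#   ansible-playbook main.yml --vault-password-file ./vault-pass.sh
case "$0" in
    *vault-pass.sh) vault_password ;;
esac
```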
Arrey Ashu
May 10, 2022 12:42 pm
Consider making a video course for RHCE EX294 or Advanced Ansible EX447. You are good at it.
M Dzulfiqr
May 10, 2022 12:42 pm
Hi! Great video! I just wanna ask your help to solve my problem installing Ansible. It always gets stuck every time I try installing it, it says:
Error: Package: python-paramiko-2.1.1-0.10.el7.noarch (epel)
Requires: python-cryptography
Error: Package: ansible-2.9.10-1.el7.noarch (epel)
Requires: python2-cryptography
Error: Package: python-paramiko-2.1.1-0.10.el7.noarch (epel)
Requires: python2-pyasn1
Please help me, I have searched everywhere and found no solution on the internet
Tzelon Machluf
May 10, 2022 12:42 pm
Hey Jeff, just wanted to thank you for the great videos. I'm learning a lot from it.
Mora Fermi
May 10, 2022 12:42 pm
@19:00 How did you manage to say "asterisk" six times so fast!?
😉
Craig Lovell
May 10, 2022 12:42 pm
@Jeff Geerling I was wondering, what is the difference between your vagrant boxes, and the standard boxes? I know ubuntu has an official box, but there are other ones from you and bento. What's the difference?
Aman Srivastava
May 10, 2022 12:42 pm
May god bless you for all that you're doing for the community. Love from India 🇮🇳
prakash mirji
May 10, 2022 12:42 pm
Awesome stuff… concepts are explained really well
John Haggin
May 10, 2022 12:42 pm
Hi, Thank you for all this. Greetings from Turkmenistan. QUESTION: Apt has cache_valid_time, what about yum? What is the best practice for yum update idempotency? Thanks.
Jerome Lacqua
May 10, 2022 12:42 pm
Hi Jeff
I have followed you for many years on Galaxy and also the books you've done, thanks for all your work with Ansible and also for sharing it with us! Now Ansible has its YouTube channel! Cheers from South of France!
David Gilmore
May 10, 2022 12:42 pm
Thanks as always Jeff!
Tomáš
May 10, 2022 12:42 pm
I looked up the RedHat summit you mentioned yesterday and found: https://twitter.com/Pytlicek/status/1255831533992230912 :/
Sivasankar KS
May 10, 2022 12:42 pm
Hello Jeff. Thank you for your valuable session. Where can I get the "latest updated" – Ansible for DevOps PDF book?