Ansible 101 – Episode 6 – Ansible Vault and Roles

Jeff Geerling (geerlingguy) explores Ansible Vault and playbook organization using Roles from chapters 5 and 6 in the bestselling Ansible book, Ansible for DevOps.

Buy Ansible for DevOps: https://www.ansiblefordevops.com

Sponsor Jeff on GitHub: https://github.com/sponsors/geerlingguy
Support Jeff on Patreon: https://www.patreon.com/geerlingguy

Contents:

00:00:00 – Intro
00:06:30 – Questions from last episode
00:10:51 – Intro to Ansible Vault
00:14:00 – Encrypting a vars file with Vault
00:17:55 – Decrypt, encrypt, edit, rekey, etc.
00:21:33 – Task features – conditionals and tags
00:25:54 – Blocks
00:27:05 – Chapter 5 Cowsay
00:27:26 – Playbook organization
00:30:05 – Includes and imports
00:35:13 – Caution about dynamic tasks
00:37:18 – Playbook includes
00:39:40 – Node.js playbook example
00:46:06 – Roles
00:51:27 – Options for including Roles
00:52:30 – Real-world flexible role usage
01:00:33 – The Golden Hammer
01:01:12 – Outro

33 Comments
    • Clément T.
      May 10, 2022 12:42 pm Reply

      Two things changed since you uploaded this video that I wanted to point out:

      First, since 01/31/2022, mirrors for CentOS 8 are not available at mirror.centos.org but vault.centos.org. To fix this without changing too many things in your lecture, I added these pre_tasks in the playbook:

      pre_tasks:
        - name: Ensure yum uses vault.centos.org repos.
          shell: sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS*
        - shell: sed -i -e "s|^#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS*

      Second, for some reason, the forever binary is not loaded in PATH (I think it's because root does not have /usr/local/bin in PATH), so I added a var:

      vars:
        forever_bin: /usr/local/bin/forever

      And used it instead of "forever" in the playbook, two tasks then become:

      - name: Check list of running Node.js apps.
        command: "{{ forever_bin }} list"
        register: forever_list
        changed_when: false

      - name: Start example Node.js app.
        command: "{{ forever_bin }} start {{ node_apps_location }}/app/app.js"
        when: "forever_list.stdout.find(node_apps_location + '/app/app.js') == -1"

      Hope this helps!

    • Marc ABBOUD
      May 10, 2022 12:42 pm Reply

      Hello Jeff, I am doing the example in the book and this video, but I am getting this:

      " ok: [localhost] => {
      "echo_result.stdout": "VARIABLE IS NOT DEFINED!" "

      The path to api_key.yml is the same, literally doing everything the same, but can't seem to get the key in the output. I was using WSL2 and I thought maybe it has something to do with localhost and WSL2, but now I am on my MacBook Pro (tutorial-env), and I am getting the same output.

      Why do you think it's not printing the API key? What is inside your inventory? Thanks 🙏

    • RetconTV
      May 10, 2022 12:42 pm Reply

      I'm loving this series, but since it is 2 years in the future… Did Red Shirt Jeff just teach me about security features? Should I be worried?

    • Manazil – منازل
      May 10, 2022 12:42 pm Reply

      37:00

    • Kingston Fortune
      May 10, 2022 12:42 pm Reply

      Running this in 2022, and I encountered errors in the "Check list of running nodejs apps." Ansible always returns command forever not found.
      I decided to ssh into the CentOS server and I noticed that running the forever command as a normal user works but using root returns the error.
      So to solve the problem, I applied become: false to both "Check list of running nodejs apps." and "Start example Nodejs app." which are the last two tasks.
      Hopefully this helps someone.

      To know the exact tasks I am referring to in the video, see this timeframe: 44:06
      In the text editor, see line 45 to line 52

    • Manindra Singh
      May 10, 2022 12:42 pm Reply

      Hello @Jeff, how to run workflow template through API?

    • Fredrik
      May 10, 2022 12:42 pm Reply

      I truly appreciate this. Just getting into Ansible and using roles was easy and made life so much easier. Great explanation and showcase!

    • Tony Ma
      May 10, 2022 12:42 pm Reply

      I have a lot of difficulty following along with the practice as I am using macOS with an Apple M1 chip and VirtualBox isn't available. I have purchased Parallels Pro and am using it as a provider, but in lots of cases I cannot find a suitable box to run your script. It would be great if you could provide more details on how to follow the practice on an M1 Mac with Parallels or Docker. Many thanks. Great content.

    • Spicy Baguette
      May 10, 2022 12:42 pm Reply

      45:45 You're sure about that?

    • V J
      May 10, 2022 12:42 pm Reply

      Hi Jeff, thank you so much for making these videos, bought your book recently. Love from India

    • Mathew Kargarzadeh
      May 10, 2022 12:42 pm Reply

      Thanks Jeff for sharing your wonderful knowledge. Much appreciated!! Mat.

    • Aaron Chamberlain
      May 10, 2022 12:42 pm Reply

      45:33 Note for those following the examples, it's likely included in the book, but the npm ansible module is not included by default. It is part of the Ansible Galaxy community.general package. Look up the community.general.npm package and it will provide the command to install it.

    • Michael Vilain
      May 10, 2022 12:42 pm Reply

      You've answered a question I've been asking myself after writing Ansible code "in a vacuum" with no one to review it. If a role's main task gets long, when is it a good idea to break it into separate files and include them rather than search for that bit of code in a long file?

    • Nico Braun
      May 10, 2022 12:42 pm Reply

      LMAO the comment about node dependencies is too true.

    • Vincent Ricci
      May 10, 2022 12:42 pm Reply

      Much appreciate all the tips. Great job!

    • elabed dhahbi
      May 10, 2022 12:42 pm Reply

      I missed the free book, but at least I can still watch the videos. Nice series, I really appreciated it.

    • Brooke Hedrick
      May 10, 2022 12:42 pm Reply

      For "The simplest nodejs app"…
      The forever command was not working for me as root/become. I logged in with "vagrant ssh" and could run forever, but "sudo forever" said command not found. I do have global set.

      - name: Install Forever to run our server
        npm:
          name: forever
          global: yes
          state: present

      I ended up using /usr/local/bin/forever to get things working since the goal was to get the nodejs app running. In the process, I got to learn about "forever cleanlogs"!

    • Dzintars Klavins
      May 10, 2022 12:42 pm Reply

      I use tags when I build the role for debug reasons. I simply don't want to run and wait for the whole playbook or role just to debug a single task.

    • kolorob backend
      May 10, 2022 12:42 pm Reply

      Today I was going through the documentation for BigBlueButton, and in its Ansible dependencies it mentioned 2 of your packages for Ansible Docker and Ansible Node.js. What are the odds?

    • Mike Eggleston
      May 10, 2022 12:42 pm Reply

      Thank you for making the video. Tags could be useful for STIG plays.

    • chuckinator0
      May 10, 2022 12:42 pm Reply

      When using --vault-password-file, isn’t that the same as having an unencrypted variable in the first place? And then you need to encrypt that file, and so on. Do you have to use something like HashiCorp Vault at some point anyway?

    • Arrey Ashu
      May 10, 2022 12:42 pm Reply

      Consider making a video course for RHCE EX294 or Advanced Ansible EX447. You are good at it.

    • M Dzulfiqr
      May 10, 2022 12:42 pm Reply

      Hi! Great video! I just wanna ask your help to solve my problem installing Ansible. It always gets stuck every time I try installing it. It says:
      Error: Package: python-paramiko-2.1.1-0.10.el7.noarch (epel)
      Requires: python-cryptography
      Error: Package: ansible-2.9.10-1.el7.noarch (epel)
      Requires: python2-cryptography
      Error: Package: python-paramiko-2.1.1-0.10.el7.noarch (epel)
      Requires: python2-pyasn1

      Please help me, I have searched everywhere and found no solution on the internet.

    • Tzelon Machluf
      May 10, 2022 12:42 pm Reply

      Hey Jeff, just wanted to thank you for the great videos. I'm learning a lot from them.

    • Mora Fermi
      May 10, 2022 12:42 pm Reply

      @19:00 How did you manage to say "asterisk" six times so fast!?
      😉

    • Craig Lovell
      May 10, 2022 12:42 pm Reply

      @Jeff Geerling I was wondering, what is the difference between your Vagrant boxes and the standard boxes? I know Ubuntu has an official box, but there are other ones from you and bento. What's the difference?

    • Aman Srivastava
      May 10, 2022 12:42 pm Reply

      May God bless you for all that you're doing for the community. Love from India 🇮🇳

    • prakash mirji
      May 10, 2022 12:42 pm Reply

      Awesome stuff… concepts are explained really well.

    • John Haggin
      May 10, 2022 12:42 pm Reply

      Hi, Thank you for all this. Greetings from Turkmenistan. QUESTION: Apt has cache_valid_time, what about yum? What is the best practice for yum update idempotency? Thanks.

    • Jerome Lacqua
      May 10, 2022 12:42 pm Reply

      Hi Jeff,
      I have followed you for many years on Galaxy and also the books you've done. Thanks for all your work with Ansible and also for sharing it with us! Now Ansible has its YouTube channel! Cheers from the South of France!

    • David Gilmore
      May 10, 2022 12:42 pm Reply

      Thanks as always Jeff!

    • Sivasankar KS
      May 10, 2022 12:42 pm Reply

      Hello Jeff. Thank you for your valuable session. Where can I get the "latest updated" Ansible for DevOps PDF book?
