Centrale Marseille and Geoffroy Desvernay

present

ansible

@Centrale Marseille

Why/How/So what?

Why?

  • Small team (1.5 FTE in 2018)
  • PRA (disaster recovery plan)
  • The non-sysadmins need autonomy
  • … and the sysadmins need peace of mind ;)

Approach

  • git all-in-one roles/inventories/playbooks (can kill cats) – with an install script (~/.ansible.cfg)
  • Ansible dev® (roles) != Ansible User (writes playbooks/inventory only)
  • ¡¡¡ Autonomy for the Ansible Users !!!

All-in-one git?

inventory/inventest

by default we "play" in a test infrastructure

ansible-playbook -i inventory

playbooks in bulk™

simple playbooks…

… or less simple ones

inventory/group_vars/librenms.yml

---
librenms:
  db:
    host: metrodb0.db
    user: librenms
    name: librenms
    pass: UNPASSWD
  app_key: 'base64:UNECLE'
  admin:
    user: cri
    pass: MonPassAdmin
    mail: mon_mail@chez.moi
  site:
    id: librenms
    name: librenms.chez.moi
    index: index.php
    aliases:
      - lnms.chez.moi
    backend: php-fpm
    rootdir: /usr/local/www/librenms/html
    nginx_includes:
      - librenms.inc.j2
    configfiles:
      - src: files/librenms/config.php.j2
        dest: ../config.php
    limit_openbasedir: False
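Three values in that group_vars file (the DB password, the admin password and the app_key) sit in the clear in the all-in-one git repository, which is what the closing "use ansible-vault?" question is about. The pre-commit style check below is an added example, not part of the deck or of the criecm roles: the secret-key regex and the script name are assumptions, and the sample file is constructed from the slide above with the app_key already moved into a vault block.

```python
import re
import sys

# Keys that usually carry credentials; the list is an assumption, extend it to
# match the repository's own naming conventions.
SECRET_KEY_RE = re.compile(r"^(?:.*_)?(?:pass(?:word|wd)?|secret|token|key)$", re.I)
MAPPING_LINE_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$")


def is_protected(value: str) -> bool:
    """Accept vault-encrypted values, empty values (a nested mapping or a
    vault block follows) and Jinja references resolved at run time."""
    v = value.strip().strip("'\"")
    return v == "" or v.startswith(("!vault", "{{", "$ANSIBLE_VAULT;"))


def find_plaintext_secrets(yaml_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, key, raw value) for each secret-looking key stored
    in the clear. Line-based: needs no YAML library, never renders templates."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPPING_LINE_RE.match(line)
        if m and SECRET_KEY_RE.match(m.group(1)) and not is_protected(m.group(2)):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


# Constructed sample modelled on the deck's inventory/group_vars/librenms.yml,
# with app_key already moved into a vault block (the ciphertext is a placeholder).
SAMPLE = """\
---
librenms:
  db:
    pass: UNPASSWD
  app_key: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    <paste the output of 'ansible-vault encrypt_string' here>
  admin:
    pass: MonPassAdmin
"""
if __name__ == "__main__":
    # Usage: python check_secrets.py inventory/group_vars/*.yml (no args: scan SAMPLE)
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    hits = [(p, n, k) for p, t in (sources or {"SAMPLE": SAMPLE}).items()
            for n, k, _ in find_plaintext_secrets(t)]
    for p, n, k in hits:
        print(f"{p}:{n}: plaintext value for '{k}'")  # report the key, never the value
    sys.exit(1 if hits else 0)
```

Once the values are `!vault` strings (from `ansible-vault encrypt_string`), also set `no_log: true` on the tasks that interpolate them, such as the `php artisan user:add ... -p` command later in the deck, since its `-vvv` output would otherwise echo the password.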

playbooks/librenms.yml

# librenms/freebsd
# 1. loads the inventory for the librenms group
- hosts: librenms

# 2. the DB
- hosts: librenmsdb
  tasks:
    - name: DB created
      include_role:
        name: criecm.mariadb
        tasks_from: db.yml
      vars:
        # the variable comes from the librenms group...
        mariadb: '{{ hostvars[groups["librenms"][0]].librenms.db }}'

playbooks/librenms.yml

# 3. the app
- hosts: librenms
  roles:
    - criecm.common
    - criecm.nginx
    - criecm.php-fpm
  vars:
    php_version: 7.2
    sites:
      # the "sites" variable follows the docs of the criecm.nginx and criecm.php-fpm modules
      - '{{ librenms.site }}'
    codedir: /usr/local/www/librenms
#    proxified_by:
#      - 10.2.0.
    crons:
      - name: 'discovery-wrapper.py'
        job: '/usr/local/www/librenms/cronic /usr/local/www/librenms/discovery-wrapper.py 1'
        minute: '33'
        hour: '*/6'
        user: '_librenms'

playbooks/librenms.yml

  tasks:
    - name: install librenms
      pkgng:
        name: librenms
        state: latest
      register: install
    - name: chown dirs
      file:
        path: '{{ item }}'
        state: directory
        owner: '_{{ librenms.site.id }}'
        group: '{{ www_user }}'
        mode: 'u+rwX,g=rX,o-rwx'
        recurse: yes
      loop:
        - '{{ codedir }}/logs'
        - /var/log/librenms
        - /var/db/librenms
        - '{{ codedir }}/storage'
    - name: .env
      template:
        src: files/librenms/dotenv.j2
        dest: '{{ codedir }}/.env'
        backup: yes
      register: newconf
    - name: validate config
      command: 'php validate.php'
      register: validconf
      args:
        chdir: '{{ codedir }}'
      when: newconf.changed
    - name: get key
      command: 'grep ^APP_KEY=[a-zA-Z0-9] {{ codedir }}/.env'
      failed_when: False
      register: appkey
    - name: gen key
      command: 'php artisan key:generate'
      args:
        chdir: '{{ codedir }}'
      when: newconf.changed and appkey.rc != 0
#    - name: db schema
#      shell: 'php artisan update -n'
#      args:
#        chdir: '{{ codedir }}'
#      when: newconf.changed or install.changed
    - name: librenms admin user
      command: 'php artisan user:add -r admin -e {{ librenms.admin.mail }} -n -p "{{ librenms.admin.pass }}" -vvv {{ librenms.admin.user }}'
      args:
        chdir: '{{ codedir }}'
      when: newconf.changed
    - name: rrdcached
      lineinfile:
        dest: /etc/rc.conf
        line: '{{ item.key }}="{{ item.value }}"'
        regexp: '^{{ item.key }} *='
      with_dict:
        rrdcached_enable: 'YES'
        rrdcached_flags: '-s _librenms -l /var/run/rrdcached.sock -p /var/run/rrdcached.pid -b /var/db/librenms/rrd/ -U _librenms -G _librenms'
    - name: launch rrdcached
      service:
        name: rrdcached
        state: started
        enabled: yes
    - name: /usr/local/www/librenms/.env
      template:
        src: files/librenms/dotenv.j2
        dest: '{{ codedir }}/.env'
        backup: yes
    - name: validate
      command: 'php validate.php'
      args:
        chdir: '{{ codedir }}'
    - name: chown logs
      file:
        state: directory
        owner: librenms
        group: _librenms
        mode: '0770'
        path: '{{ codedir }}/logs'
    - name: DB update/install
      command: './build-base.php'
      become_user: '_librenms'
      become_method: su
      args:
        chdir: /usr/local/www/librenms
    - name: chmod
      file:
        path: '/usr/local/www/librenms/{{ item }}'
        mode: '0750'
        owner: librenms
        group: _librenms
      loop:
        - cronic
        - discovery-wrapper.py
        - poller-wrapper.py

Problems

  • Hard to take over someone else's role(s)…

Answers?

  • A simple UI just to read/edit the inventory?
  • Roles reusable elsewhere?
  • Use ansible-vault?

Questions?