In this post, you will learn how to set up a basic Ansible Inventory. Besides that, you will learn how to encrypt sensitive information by means of Ansible Vault. Enjoy!
1. Introduction
In a previous post, you learned how to set up an Ansible test environment. In this post, you will start using the test environment. Just as a reminder, the environment consists of one Controller and two Target machines. The Controller and Target machines run in a VirtualBox VM. Development of the Ansible scripts is done with IntelliJ on the host machine. The files are synchronized from the host machine to the Controller by means of a script.
In this blog, you will create an inventory file. The inventory file contains information about the Target machines in order for the Controller to locate and access the machines for executing tasks. The inventory file will also contain sensitive information such as the password being used for accessing the Target machines. In a second part of this blog you will solve this security problem by means of Ansible Vault.
The files being used in this blog are available in the corresponding git repository at GitHub.
2. Prerequisites
The following prerequisites apply to this blog:
- You need an Ansible test environment, see a previous blog how to set up a test environment;
- If you use your own environment, you should know that Ubuntu 22.04 LTS is used for the Controller and Target machines and Ansible version 2.13.3;
- Basic Linux knowledge.
3. Create an Inventory File
The Ansible Controller will need to know some information about the Targets in order to be able to execute tasks. This information can be easily provided by means of an inventory file. Within an inventory, you will specify the name of the Target, its IP address, how to connect to the Target, etc. Take a look at the Ansible documentation for all the details. In this section, you will experiment with some of the inventory features.
By default, Ansible will search for the inventory in /etc/ansible/hosts but you can also provide a custom location for the inventory when executing Ansible. That is what you will do in this section.
Create in the root of the repository a directory inventory and create an inventory.ini file. Add the following content to the file:
target1
target2
[targets]
target1
target2
[target1_group]
target1
[target2_group]
target2
[target_groups:children]
target1_group
target2_group
The first two lines contain the names for the Target machines. You can give this any name you would like, but in this case, you just call them target1 and target2.
When you want to address several machines at once, you can create groups. A group is defined between square brackets followed by the list of machines belonging to this group. In the inventory above, you can recognize group targets which contains target1 and target2. This group is not really necessary, because by default a group all exists which is equal to the group targets in this case. The groups target1_group and target2_group are for illustrative purposes and do not make much sense because they contain only one machine. However, in real life, you can imagine to have groups for application machines, database machines, etc. or you might want to group machines by region for example.
You can also define a group of groups like target_groups. You need to add :children to the definition and then you can combine several groups into a new group. The group target_groups consists of the group target1_group and target2_group. This actually means that group target_groups consists of machines target1 and target2.
4. Define Variables
The inventory file you created just contains names of machines and groups. But this information is not enough for Ansible to be able to locate and connect to the machines. One approach is to add variables in the inventory file containing this information. A better approach is to define a directory host_vars containing subdirectories for each machine containing the variables. Ansible will scan these directories in order to find the variables for each machine. You can also define variables for the groups. In this case, you create a directory group_vars.
Create in directory inventory a directory host_vars containing the directories target1 and target2. The directory tree of directory inventory looks as follows:
├── host_vars
│ ├── target1
│ └── target2
└── inventory.ini
Create in directory target1 a file vars with the following contents:
ansible_host: 192.168.2.12
ansible_connection: ssh
ansible_user: osboxes
ansible_ssh_pass: osboxes.org
The variables defined here are some special variables for Ansible to be able to locate and connect to the machine:
- ansible_host: the IP address of the
target1machine; - ansible_connection: the way you want to connect to
target1; - ansible_user: the system user Ansible can use to execute tasks onto the machine;
- ansible_ssh_pass: the password of the
ansible_user. Do not store passwords in plain text in real life! This is only done for testing purposes and a proper solution is provided later on this post.
Note that you can also define these variables in the inventory file on the same line as where you define the name of the machine. In this case, the variables need to be defined as key=value (with an equal sign and not with a colon).
Add a vars file to directory target2 with similar contents but with the connection values for target2.
5. Test Inventory Settings
Now it is time to do some testing in order to verify whether it works. Start the Controller and the two Target machines. Synchronize the files you created to the Controller machine and navigate in a terminal window to the MyAnsiblePlanet directory. Connect once manually to both Target machines so that the SSH fingerprint is available onto the Controller machine, otherwise you will get an error message when Ansible tries to connect to the Target machines.
$ ssh osboxes@192.168.2.12
$ ssh osboxes@192.168.2.13
With the following command, you will ping the target1 machine. The command consists of the following items:
- ansible: The Ansible executable;
- target1: The name of the machine where you want to execute the task. This corresponds to the name in the inventory;
- -m ping: Execute the ping command;
- -i inventory/inventory.ini: The path of the inventory file.
The command to execute:
$ ansible target1 -m ping -i inventory/inventory.ini
target1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
The response indicates a success. Execute the same command but for the target2 machine. The result should also be a success response.
Just like you can execute a task on a single machine, you can also execute a task on a group. Execute the command for the targets group:
$ ansible targets -m ping -i inventory/inventory.ini
target2 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
target1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
As you can see, the command is executed on both Target machines, as expected.
Execute the command for the other groups as well.
6. Encrypt Password
Now that you know that the inventory configuration is working as expected, it is time to get back to the password in plain text problem. This can be solved by using Ansible Vault. Ansible Vault probably deserves its own blog, but in this section you just going to apply one way of encrypting sensitive information. The encryption will be done for the target1 machine.
Create in directory inventory/target1 a file vault and copy the ansible_ssh_pass variable to this vault file. Change the variable name from ansible_ssh_pass into vault_ansible_ssh_pass.
vault_ansible_ssh_pass: osboxes.org
In the vars file, you replace the plain text password with a reference to this new vault_ansible_ssh_pass variable using Jinja2 syntax. Note that it is also required to add double quotes around the reference.
ansible_host: 192.168.2.12
ansible_connection: ssh
ansible_user: osboxes
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"
Encrypt the vault file with password itisniceweather (or whatever password you would like).
$ ansible-vault encrypt inventory/host_vars/target1/vault
New Vault password:
Confirm New Vault password:
Encryption successful
The vault file contents is now encrypted.
$ANSIBLE_VAULT;1.1;AES256
34353662643861663663363161366239343633636561663564653030663134623266323363353433
6233383939396335343639623165306330393031383836320a616430336132643638333862363965
36303837313239386566633332326165663336363464623437383638333936613038663366343833
3737316665323230620a343163356138656535363837646566643962393366353266613462616437
32346531613637396666623864333330643261366139306162373038633636633934326165616438
6565363034333137623539643539666234386339393965663362
The password you have used for encrypting the file should be saved in a password manager. Ansible will need it to decrypt the password.
Try to execute the ping command for target1 like you did before.
$ ansible target1 -m ping -i inventory/inventory.ini
ERROR! Attempting to decrypt but no vault secrets found
This fails because Ansible cannot decrypt the password field.
Add the parameter --ask-vault-pass to the command in order that Ansible asks you for the vault password.
$ ansible target1 -m ping -i inventory/inventory.ini --ask-vault-pass
Vault password:
target1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
And now it works again! This is a better way for handling sensitive information in your Ansible files. There are several more ways of handling sensitive information. As said before, Ansible Vault deserves its own blog. In the meanwhile, more information can be found in the Ansible documentation.
7. Conclusion
In this post, you learned the basics of an Ansible Inventory file and you learned how to encrypt sensitive information in the inventory file. You have gained the basic skills to start setting up an inventory file yourself for your environment.
mydeveloperplanet.com 