Ansible 1.5 release

Ansible 1.5 has been released.

There are a lot of changes in 1.5; here are some of them.

  • Parameter encryption with ansible vault
  • Acceleration by SSH pipelining
  • when_XXX, which was deprecated in 1.4 with a warning, has been completely removed. Use when instead.
  • only_if will be deprecated.
  • Added the no_log option to stop logging
  • Added parameters to git module (accept_hostkey, key_file, ssh_opts)
  • Addition of various modules

Among these many changes, this article explains ansible vault, SSH pipelining, and the newly added assert module.

Ansible vault

There are many cases where you want to write a playbook that uses information you want to keep secret, such as passwords and API keys. Chef has a feature for encrypting data bags. With this release, the ansible vault feature has been added to Ansible.

The ansible-vault command is used to encrypt the files that are specified in vars_files.

  • Create encrypted file

    If you do not have a file yet, you can create one with create.

    % ansible-vault create vars.yml
    Vault password:
    Confirm Vault password:
    (the editor defined by EDITOR opens here for input)

  • Encryption

    • ansible-vault encrypt vars.yml

    This encrypts the plaintext file. By the way, if you try to encrypt an already encrypted file with ansible-vault again, it properly reports an error, so rest assured.

  • Decryption

    • ansible-vault decrypt vars.yml

    This decrypts vars.yml. Please be aware that the vars.yml file itself is replaced.

  • Edit

    • ansible-vault edit vars.yml

    The editor will be launched just like when creating it.

  • Change password

    • ansible-vault rekey vars.yml

    This changes the password.

A file encrypted with these commands is used like this.

---
- hosts: localhost
  vars_files:
      - vars.yml
  tasks:
    - debug: msg="{{ spam }}"

When you run this with --ask-vault-pass, you are asked for the password. If you do not add the option and the file is encrypted, you get an error.

% ansible-playbook -i ansible_hosts  vault.yml --ask-vault-pass
Vault password:

Alternatively, you can specify a password file as follows.

% ansible-playbook -i ansible_hosts  vault.yml --vault-password-file ~/.ssh/pass.txt

--vault-password-file can also be specified for ansible-pull, so it is useful for people who start ansible-pull from cron.

The vault documentation is located here.

However, as has been mentioned in this blog, ansible vault encrypts the whole file. Therefore you cannot, for example, grep by variable name.

There is a possibility that this will be improved in the future, but for now it is worth remembering that this problem exists.
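Because an encrypted file is opaque to grep, a repository check can at least tell vaulted files from plaintext ones and flag plaintext vars files that still hold secret-looking keys. This is an added example, not code from the original article; it relies on the `$ANSIBLE_VAULT;` header line that ansible-vault writes at the top of encrypted files, and the key-name pattern and sample files are constructed assumptions.

```python
import os
import re
import tempfile

VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>[\d.]+);(?P<cipher>\w+)\s*$")
# Assumed naming convention for sensitive variables; adjust to your playbooks.
SECRET_KEY = re.compile(
    r"^\s*([\w.-]*(?:password|passwd|secret|api_key|token)[\w.-]*)\s*:\s*\S", re.IGNORECASE)


def vault_info(path):
    """Return (version, cipher) if the file starts with a vault header, else None."""
    with open(path, "r", errors="replace") as fh:
        match = VAULT_HEADER.match(fh.readline())
    return (match.group("version"), match.group("cipher")) if match else None


def audit_vars_files(paths):
    """Map each path to 'vaulted', 'plaintext-ok', or a list of secret-looking keys."""
    report = {}
    for path in paths:
        if vault_info(path):
            report[path] = "vaulted"
            continue
        with open(path, "r", errors="replace") as fh:
            hits = [m.group(1) for m in map(SECRET_KEY.match, fh) if m]
        report[path] = hits or "plaintext-ok"
    return report


def build_samples(directory):
    """Write constructed sample files (not real secrets or real ciphertext)."""
    samples = {
        "vaulted.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n",
        "leaky.yml": "---\nspam: ham\ndb_password: hunter2\nAPI_KEY: abc123\n",
        "clean.yml": "---\nhttp_port: 8080\n# password: commented out\n",
    }
    paths = []
    for name, body in samples.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, verdict in audit_vars_files(build_samples(tmp)).items():
            print(os.path.basename(path), "->", verdict)
```

Run over the vars_files of a repository, a non-empty key list means the file should go through ansible-vault encrypt before it is committed.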

SSH Pipelining

Ansible writes each module out as a script file, transfers it to the remote host, and then executes it. SSH pipelining speeds up execution by reducing the number of ssh invocations and actual file transfers. (I'm sorry, I have not looked into the details.)

The effect is quite large: an execution that took 1 minute now takes 30 seconds.

Pipelining is disabled by default, but it is enabled if you set ansible.cfg like this.

[ssh_connection]
# in Ansible 1.5 this key lives in the [ssh_connection] section
pipelining=True

Warning

Note when using sudo

If you use sudo, you need to disable requiretty in /etc/sudoers on the remote side.

Assert module

Various modules are added with every release, but personally I think the best one this time is the assert module.

The assert module is used as follows.

- assert: { that: "ansible_os_family != 'RedHat'" }

Alternatively, you can check more than one.

assert:
   that:
     - "'foo' in some_command_result.stdout"
     - "number_of_the_counting == 3"

Actually this is the same as adding a condition to the fail module, but using assert makes it easier to write. However, it feels a bit off that "that" is necessary. Also, there are places that must be surrounded by double quotes (that is, they were not worse than I thought).

By the way, here is the execution result.

_____________________________________________________
< TASK: assert that="ansible_os_family == \"Ubuntu\"" >
 -----------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

failed: [localhost] => {"assertion": "ansible_os_family == \"Ubuntu\"", "evaluated_to": false, "failed": true}

If you use the assert module well, you may not need a separate mechanism such as serverspec or envassert to check the state of the server. (We will investigate whether we can check port numbers ...)

Summary

Ansible 1.5 has been released, and this article introduced some of its important features.

In the 1.6 release, it is predicted that parameter references in the form of $foo and ${foo} will be completely removed. Keep this in mind when writing playbooks from now on.