Score:0

What are common variables to mention in an inventory ansible yaml file?

uz flag
  • I try to build a pipe-line to install my product.
  • My product is installed in a lab with at least 8 machines (on-prem lab).
  • I have several labs on-prem, several labs on cloud
  • Each machine has a role, for example: a Center-DB machine, a Center-Queue machine or a Center-App machine, a Middle machine and a Client machine, etc... So, some labs are: 1 Center - 1 Middle - 1 Client. or 3 Centers (App, DB, Queue) - 2 Middles - 3 Clients
  • Some of the machines has one service like DB, and some several like: DB, IIS, and message broker
  • The lab is in a secured VLAN meaning that in order to run scripts from remote I need to connect to the machine with their IP and not with their FQDN and supply credentials.
  • Credentials are the same for all machines.
  • In addition, there is an option in the installation file to installed the product secured (with cert and port 443) or not secured.
  • During installation process, I need to first copy to each machine it's specific installation files, then install them with specific arguments.

Except of list of host and IP addresses in inventories ansible yaml file, is it expectable to add variables or Keys such as:

  • "credentials"
  • "protocol",
  • "files",
  • "machine-type" etc...?

OR should they placed in a different file like roles (tasks). Please, help me to decide which information goes to where. My example yaml file is below:

---
cred:
    user: a
    pass: 1
center:
    dbs:
        - db:
              fqdn: center-db.foo.com
              cn: center-db
              files:
                  - C:\folder\Server.msi
              ip: 1.1.1.1
    queues: 
        - queue: 
              fqdn: center-queue.foo.com
              cn: center-queue
              files:
                  - C:\folder\Server.msi
              ip: 2.2.2.2
    apps:
        - app:
              fqdn: center-app.foo.com
              cn: center-app
              files:
                  - C:\folder\Server.msi
                  - C:\folder\Center-Client.msi
                  - C:\folder\files
              ip: 3.3.3.3
                  

               clients:
                  - client:
                        db:
                            cn: Client-DB
                        app:
                            fqdn: Client-APP.foo.com
                            cn: Client-APP
                            files:
                                - C:\folder\Server.msi
                                - C:\folder\Client-Client.msi
                            ip: 4.4.4.4
Score:1
cn flag

Ansible allows structuring inventory vars and tasks in many ways. Develop your own opinions on where to put things in a logical way, based on what various Ansible plugins expect.

The lab is in a secured VLAN meaning that in order to run scripts from remote I need to connect to the machine with their IP and not with their FQDN and supply credentials.

False. DNS is possible for every environment. Perhaps delegate a zone hiddai.lab.example.net to a test lab DNS server, and hosts use FQDNs in this zone.

That said, ansible_host variable can be provided override host names or IP addresses for the connection plugins to use.

Do not use IP addresses that are allocated for other users. 1.1.1.1 is not yours, it is Cloudflare DNS. Use either your real IP addresses, or documentation test nets like 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24.

In addition, I need to decide if my product will installed secure or not in my lab (which protocol - HTTPS or HTTP?)

Always secure, so HTTPS. Lab setting can be more relaxed on PKI, personal simple CA, self signed certs.

Except of list of host and IP addresses in inventories ansible yaml file, is it expectable to add variables or Keys such as: "credentials", "protocol", "files", "machine-type", etc...

No, separate host list from the role-level application configuration data. This allows for multiple inventories. Minimal duplication of data between multiple labs, staging, and production inventories.

Limit inventory to what is needed for connecting to a host: host name, user, maybe credentials, connection plugin. Put application details somewhere else, for example group_vars.

    cred:
        user: a
        pass: 1

Speaking of credentials, I consider a one character password unacceptably short. Don't even have it as a fake example. Ideally replace password auth with something better like key or cert based auth. Or at least long word-based passphrases, such as unluckily-pretense-occupy-quartered.

Your file paths appear to be Windows. Read Ansible's winrm documentation and consider your options for auth.

Storing creds in inventory means anyone with the inventory file can run commands. Secure the file appropriately. Consider storing creds in separate key files, or in some secret system you can access with an Ansible lookup.

Your vars file is YAML, but not in a structure Ansible's static YAML inventory plugin expects. Perhaps something like this as inventory/lab.yml I have changed some values to actual examples per internet RFCs.

---
all:
    children: 
        windows:
            # Group containing only Windows hosts allow for 
            # Windows-specific auth and connection variables
            vars:
                ansible_user: a
                ansible_password: unluckily-pretense-occupy-quartered
                ansible_connection: winrm
                ansible_winrm_transport: credssp
            children:
                db:
                    # FQDN as inventory_hostname should resolve if in DNS
                    # Ansible pieces out the top label for you as special var inventory_hostname_short
                    hosts: 
                        center-db.hiddai.lab.example.net:
                            # ansible_host overrides what to connect to
                            # Such as when there is no DNS
                            ansible_host: 203.0.113.23
            children:
                queue:
                    hosts:
                        center-queue.hiddai.lab.example.net:
                            ansible_host: 203.0.113.83

            children:
                app:
                    hosts:
                        center-app.hiddai.lab.example.net:
                            ansible_host: 203.0.113.62
                            
            children:
                client:
                    hosts:
                        client-app.hiddai.lab.example.net:
                            ansible_host: 203.0.113.28
                            db: center-db

I am unclear what "center" is in this example, software product, deployment name, client name? As Ansible inventory is actually flat internally, I've collapsed that out. Add it back as a variable or group if desired.

Regarding host specific application configuration data, consider group_vars. These can be relative to your inventory file, with file name matching group name.

inventory/group_vars/windows.yml

---
base_dir: 'C:\folder\'
files_common: 
  - Server.msi

inventory/group_vars/app.yml

---
files_additional:
  - files
  - Center-Client.msi

inventory/group_vars/client.yml

---
files_additional:
  - Client-Client.msi

Note I invented a couple variables for the files. Being different named, you can combine them later into one list, so {{ files_common + files_additional }}

Ideally, write and use Ansible roles, which have their own variables and tasks. Consider role default values suitable for most use cases. For example, win_package tasks to install these msi packages, and by default downloading them from an https server. But make the source package file a variable, so it can be overridden.

And the plays are what maps these host patterns to roles. I am unsure what to call your app given only generic names, so I've prefixed the roles with "thing". play.yml:

---

hosts: db
roles:
- thingdb

hosts: queue
roles:
- thingqueue

hosts: app
roles:
- thingapp

hosts: client
roles:
- thingclient

Run such a playbook with ansible-playbook play.yml -i inventory/lab.yml

Not included: the roles. I don't know what you want to accomplish, and this answer is getting a little long.

uz flag
you've mentioned that: "Ideally, write and use Ansible roles". Is that mean that I can avoid "group_var" folder and organize the vars in Role\common\vars folder...OR those folders have completely different goals?
John Mahowald avatar
cn flag
Roles enable reuse. All of this is optional, depending on how you want to structure things. Use both roles (with defaults for its variables) with group_vars (overriding role vars for certain groups), or use neither.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.