Join Log in
Score:1
sudosysadmin avatar Server

Is this possible with Ansible?

vn flag
sudosysadmin

I am trying to put together an Ansible environment that will accomplish the following...

  • Provider version control for Ansible playbooks
  • Automatically push approved pull requests to a mirror server
  • Ansible server runs the playbook through the mirror (i.e. a proxy) to be executed on managed nodes

Reasons for this particular setup...

  1. The mirror already has access to all managed nodes
  2. The approved playbooks on the mirror will be read-only to not allow those executing them to change them

I know there is Ansible Tower (or AWX) but I'm trying to accomplish this setup by only standing up a Linux server with Ansible capabilities. As for my questions...

  1. Is it possible to run playbooks from a proxy?
  2. If so, are there any good references on how to accomplish this?

Thank you!

Ansible Environment Proof of Concept

156
0 + 0
in flag
Zoredache
You don't have to use AWX, but you would be making your life difficult if you didn't use some tool for this. Also consider Rundeck, Jenkins or something else that would fetch and execute the approved playbooks.
0
Reply
Score:0
John Mahowald avatar Server
cn flag
John Mahowald

Ansible Engine itself, ansible-playbook from the ansible package, provides a means to access hosts remotely and run modules on them. That's it, the core tool does not have an API. Adding more features like approval or role based access controls implies adding components on top. Possibly take advantage of tools you may already use.

ansible-runner is the API to Ansible that powers AWX, abstracted into a library and container image. Consider it for scripting Ansible. If you were wondering why there is no official ansible container image, this is it.

A relatively simple case is just running ansible-playbook. Playbook development is approved via whatever collaborative change control process. Then someone manually logs into the bastion/management host, fetches the approved playbook from version control, and runs that exact tag. Simple, no extra components to set up. But lacks strict controls over what exactly gets run. Not trivial to make the playbook immutable to whomever is running them, still need to trust the person.

Version control oriented continuous delivery pipeline could fit your workflow. Full featured forges like GitLab can require approvals to merge requests. On approval, the resulting playbook is automatically run on a pipeline worker with ansible-runner. Workers are what remotes into hosts of the environment, via ssh. Strong controls that the version approved is what runs. However, this style of pipeline is optimized for a developer experience, and maybe not great at scheduled runs of the same thing.

Any ops tool that can run arbitrary scripts can run playbooks. Rundeck or Jenkins may not be full featured development hubs, but running things on triggers is their core competency. Again consider ansible-runner as the environment to execute Ansible in.

And there are Ansible specific web interfaces, primarily AWX or Semaphore. AWX is fairly complex, a thing to do all things Ansible for any size enterprise. Semaphore is a bit simpler. Being Ansible specific can be an advantage. But by no means are they they only alterative to interactive Ansible at the terminal. Your organization may prefer other tools for developing, approving, and running things.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.