Ansible can execute commands on Linux hosts over SSH, on Windows hosts via PowerShell, and as plain local commands when interacting with the localhost without a remote protocol.
We define which protocol to use, along with other host-specific options, in the inventory file. Let's see an example:
nginx1 ansible_host=nginx1.example.com ansible_connection=ssh
[windows_hosts]
db1 ansible_host=db1.example.com ansible_connection=winrm
[local_machine]
ansible_master ansible_host=localhost ansible_connection=local
ansible_host must point to the real hostname or IP address of the host. Hosts can also have an alias to avoid long or complicated hostnames; nginx1 is the alias for nginx1.example.com.
Ansible is not useful only for running large, complicated playbooks; it is also useful when you want to run simple commands on a group of servers.
In this scenario we have a group of two servers named web1 and web2, and they are grouped into the [webservers] section of our inventory.
The goal is to create a user named webops on each server, create a directory that will hold the SSH key for this user, and copy the key to web1 and web2. Finally, we will verify that nginx is set to start on boot.
In this article I will show you how to install and configure Ansible and how to run a basic playbook.
We have two computers, the control computer and the target computer. The control computer will be used to install ansible and run all ansible commands from there.
The target computer will be used as the remote computer on which we want to execute commands through Ansible.
I assume that both computers run CentOS 7.
Install Ansible on control computer
Type the following on the control computer; these commands install the EPEL repository and Ansible itself.
$ su - root #…
In some environments you might not be able to install telnet or nc to verify whether a port is open, but using only standard Linux commands you can still check if…
To encrypt application data, add --opt encrypted when creating the overlay network. This enables IPsec encryption at the VXLAN level. This encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.
When you enable overlay encryption, Docker creates IPSEC tunnels between all the nodes where tasks are scheduled for services attached to the overlay network. These tunnels use the AES algorithm and manager nodes automatically rotate the keys every 12 hours.
Example creating an encrypted overlay network
$ docker network create --opt encrypted --driver overlay enc-network
MTLS: Mutual TLS
Docker Content Trust is a security mechanism that allows only images signed with a specific key to run in our Docker environment. This ensures that we run only images we trust.
We first need to log in to our Docker repository using the docker login command:
$ docker login
After a successful login we need to generate the certificate for our Docker repository user, which in my case is 'kpat'. Creating the certificate also requires generating a passphrase; don't forget the passphrase, write it down.
$ docker trust key generate kpat
Generating key for kpat...
Enter passphrase for new kpat key with…
Docker utilizes an architecture called the Container Network Model (CNM) to manage container networking.
CNM is based on the following concepts:
The Network Sandbox is all the network resources that the container will use; it is an environment isolated from other containers and from the host.
An Endpoint consists of two network interfaces, the one interface is connected to the Network sandbox of the container and the other one to a designated network. A network sandbox might have many Endpoints.
A network is a group of endpoints that allows containers to communicate with each other.
An important thing to know is that…
How to copy a file/directory from one host to another that can communicate only through a third host (Jump Host)
Using --append and --partial allows us to resume rsync in case the transfer is interrupted.
rsync --bwlimit=20000 --progress --append --partial -vz -e 'ssh -J <USER>@<JUMP_HOST> -p 22' <USER>@<SOURCE_HOST>:/SOURCE/PATH /LOCAL/PATH
Scenario: we have a swarm of 3 servers and a 4th server that will be our storage; a directory on this host will be mounted over SSH.
Install the following plugin on all servers of the swarm:
$ docker plugin install --grant-all-permissions vieux/sshfs
latest: Pulling from vieux/sshfs
52d435ada6a4: Download complete
Status: Downloaded newer image for vieux/sshfs:latest
Installed plugin vieux/sshfs
On the storage server create the following directory and file.
Note: kpatronas is my home directory; adjust this to your environment.
$ mkdir /home/kpatronas/data
$ echo Hello world! > /home/kpatronas/data/message.txt
Now on the swarm manager lets create…
DevOps engineer, loves Linux, Python, cats and Amiga computers