Run Ansible like a Chef

While Ansible is my main tool, I also liked Chef. Now I will try to set up Ansible like Chef: running playbooks completely unattended on managed nodes.

I set up the Ansible environment so that execution is regular and there is no need for a GUI server (AWX) or a central service with root access to every machine.

Setup

To get this working, I set up Ansible in two parts:

  • Master, which maintains an Ansible environment for every managed host
  • Agent code, which runs on the managed hosts.

Master contains:

  • Inventory (variables, secrets) for each host
  • Agent version information
  • Code to manage agent Ansible environment

The agent part contains all the playbooks that run on the managed host.

Process

The agent code is in a git repository and is pulled when running the master Ansible playbook in the master repository. This could also be done automatically, but this way I have a bit more control over the process.

In the master I take all host variables from the variable host_vars[hostname] and clean them up with filter_plugins/clean.py. Not sure if this is needed, but it won’t hurt.

In the agent we save all variables to the host_vars/hostname.yml file. This file will also contain unencrypted secrets. That should not be a big problem, as those secrets will be saved unencrypted to some other part of the filesystem anyway. Those variables are then used in every run as settings for the playbooks running in the agent.
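To make the two steps above concrete, here is an added example of a filter plugin that strips Ansible's own bookkeeping keys from a hostvars mapping and then writes the result to host_vars/<hostname>.yml with root-only permissions, since that file holds secrets in clear text. This is not the clean.py from the ljesmin/ansible_master repository; the list of keys treated as Ansible bookkeeping, the choice to write JSON (valid YAML, no PyYAML dependency) and the sample hostvars are all assumptions made here.

```python
"""Filter plugin for cleaning a hostvars mapping before the master writes it
to the agent's host_vars/<hostname>.yml.

Added example, not the clean.py from the ljesmin/ansible_master repository;
which keys count as Ansible bookkeeping is an assumption made here."""
import json
import os

# Magic variables that Ansible injects into hostvars. They describe the
# master's own run (inventory layout, play state, the controller's Python)
# and must not be persisted as settings for the agent (assumed list).
MAGIC_KEYS = frozenset({
    "inventory_hostname", "inventory_hostname_short", "inventory_dir",
    "inventory_file", "group_names", "groups", "hostvars", "omit",
    "playbook_dir", "ansible_playbook_python", "ansible_check_mode",
    "ansible_diff_mode", "ansible_forks", "ansible_inventory_sources",
    "ansible_version", "ansible_config_file", "ansible_verbosity",
    "ansible_run_tags", "ansible_skip_tags", "ansible_play_hosts",
    "ansible_play_hosts_all", "ansible_play_batch", "ansible_play_name",
    "ansible_play_role_names", "ansible_role_names", "role_names",
    "play_hosts", "ansible_dependent_role_names", "ansible_role_name",
    "ansible_collection_name", "ansible_loop", "ansible_index_var",
})


def clean_hostvars(hostvars):
    """Return a copy of hostvars holding only the host's own variables.

    Dropped: the magic keys above, gathered facts (``ansible_facts``) and the
    ``ansible_<fact>`` aliases Ansible injects for each fact, because the
    agent gathers its own facts at run time anyway.
    """
    facts = hostvars.get("ansible_facts") or {}
    fact_aliases = {"ansible_" + name for name in facts}
    return {
        key: value
        for key, value in hostvars.items()
        if key not in MAGIC_KEYS
        and key != "ansible_facts"
        and key not in fact_aliases
    }


def write_host_vars(hostvars, hostname, directory):
    """Write the cleaned variables to <directory>/host_vars/<hostname>.yml.

    The file carries secrets in clear text, so it is created with mode 0600
    explicitly instead of relying on the process umask. JSON is written
    because every JSON document is also valid YAML, so Ansible loads it from
    a .yml file unchanged and this stays free of a PyYAML dependency.
    """
    host_vars_dir = os.path.join(directory, "host_vars")
    os.makedirs(host_vars_dir, mode=0o700, exist_ok=True)
    path = os.path.join(host_vars_dir, hostname + ".yml")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(clean_hostvars(hostvars), fh, indent=2, sort_keys=True)
        fh.write("\n")
    os.chmod(path, 0o600)  # also tighten a pre-existing file with a looser mode
    return path


class FilterModule(object):
    """Ansible's filter plugin entry point: exposes ``clean_hostvars``."""

    def filters(self):
        return {"clean_hostvars": clean_hostvars}


# Constructed sample of what hostvars[<hostname>] may look like on the master.
SAMPLE_HOSTVARS = {
    "inventory_hostname": "web01",
    "group_names": ["web"],
    "groups": {"all": ["web01"], "web": ["web01"]},
    "ansible_playbook_python": "/usr/bin/python3",
    "ansible_facts": {"os_family": "Debian", "distribution": "Ubuntu"},
    "ansible_os_family": "Debian",
    "ansible_distribution": "Ubuntu",
    "sudo_users": ["alice", "bob"],
    "db_password": "example-secret",  # constructed placeholder, not a real secret
    "agent_version": "1.2.3",
}

if __name__ == "__main__":
    import tempfile
    out = write_host_vars(SAMPLE_HOSTVARS, "web01", tempfile.mkdtemp())
    with open(out) as fh:
        print(fh.read())
```

Dropped into filter_plugins/ next to the master playbook, the filter is used as `{{ hostvars[inventory_hostname] | clean_hostvars }}`; the resulting file keeps only the three application variables from the sample and is readable by root alone.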

The agent runs everything as a systemd service that is triggered by a systemd timer. This way all logs go to the systemd journal.
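As an added example of that service-plus-timer arrangement (not the units shipped in the ljesmin/ansible_example repository), the following generates a oneshot service that runs the playbook with the local connection and a timer that fires it every 30 minutes with a random delay. The checkout path /opt/ansible-agent, the unit name ansible-agent, an inventory file inside the checkout and the schedule are assumptions; adjust them to your layout.

```python
"""Generate the systemd service and timer units that run the agent's
playbook unattended, with output going to the journal.

Added example, not the units from the ljesmin/ansible_example repository;
AGENT_DIR, UNIT_NAME, the inventory file and the schedule are assumptions."""
import os

AGENT_DIR = "/opt/ansible-agent"  # assumed checkout with site.yml, inventory, host_vars/
UNIT_NAME = "ansible-agent"       # assumed unit name

SERVICE_UNIT = """[Unit]
Description=Run the local Ansible agent playbook
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
WorkingDirectory={agent_dir}
# Local connection only: the agent needs no SSH keys or credentials for
# other hosts, so a compromised node cannot reach the rest of the fleet.
ExecStart=/usr/bin/ansible-playbook --connection local --inventory inventory site.yml
# stdout/stderr already go to the journal; a fixed identifier eases filtering
# with: journalctl -t {unit_name}
SyslogIdentifier={unit_name}
"""

TIMER_UNIT = """[Unit]
Description=Schedule the local Ansible agent ({unit_name}.service)

[Timer]
OnCalendar={schedule}
# Spread runs so all nodes do not pull the same resources at the same moment.
RandomizedDelaySec=300
# Catch up on a missed run after the host was down.
Persistent=true

[Install]
WantedBy=timers.target
"""


def render_units(agent_dir=AGENT_DIR, unit_name=UNIT_NAME, schedule="*:0/30"):
    """Return {filename: content} for the .service and .timer units."""
    return {
        unit_name + ".service": SERVICE_UNIT.format(agent_dir=agent_dir,
                                                     unit_name=unit_name),
        unit_name + ".timer": TIMER_UNIT.format(unit_name=unit_name,
                                                 schedule=schedule),
    }


def install_units(unit_dir="/etc/systemd/system", **kwargs):
    """Write both units into unit_dir (run as root) and return their paths.

    Afterwards: systemctl daemon-reload && systemctl enable --now <unit>.timer
    """
    os.makedirs(unit_dir, exist_ok=True)
    paths = []
    for name, content in render_units(**kwargs).items():
        path = os.path.join(unit_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644)  # units hold no secrets; those stay in host_vars
        paths.append(path)
    return paths


if __name__ == "__main__":
    for name, content in render_units().items():
        print("# " + name)
        print(content)
```

Because the unit runs as root with a local connection, the only sensitive material on the node is the host_vars file itself, and `journalctl -u ansible-agent.service` gives the full run history of that host.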

Code

Example code for the Ansible agent is here: https://github.com/ljesmin/ansible_example; it contains just a couple of roles for setting up sudo and users.

Example code for the Ansible master is here: https://github.com/ljesmin/ansible_master

The agent setup in the example is written for Ubuntu Bionic.