Introduction

Ansible is a tool for managing your server infrastructure, including doing code deploys, installing and configuring servers, and the services that run on them. In comparison to other similar tools out there, I like Ansible because:

1. It just uses SSH. Once you have your SSH keys set up correctly on your client machine and your target servers, you are good to go.
2. The list of target servers are stored in a simple .ini file.
3. The execution scripts, or "playbooks", are simply .yml files. You don't have to learn a custom syntax.

To get a more detailed overview of Ansible, see the Ansible website.

In this tutorial, I will show you how to install Ansible on your client machine, then run some simple commands to confirm that it worked. I am using Fedora on my client machine, and CentOS on my servers, but the steps outlined here should also be helpful for users of other distributions.

User accounts and keys

As Ansible will be connecting to remote target servers to carry out work on them via SSH, you will need to ensure that:

1. The user account that Ansible will use has already been added to each server that we want to manage.
2. The public SSH key for that account has been added to the authorized keys for that account on each server.
3. The account has sudo rights on each server.

For our purposes, let us assume that the account your want to use is called deploy and this user is already set up on your client machine with a public/private key set for SSH.

As root, execute the following on each target server to set up the deploy user:

root@server$ useradd deploy
root@server$ passwd deploy

You will be prompted for a password now, choose something secure and take note of it.

Now add sudo rights for deploy:

root@server$ visudo

Then add a new line:

deploy   ALL=(ALL)       ALL

Now su to the deploy user, and set up the public key:

root@server$ su deploy
deploy@server$ mkdir ~/.ssh

Now copy the public key (from your local /home/deploy/.ssh/id_rsa.pub file) into: ~/.ssh/authorized_keys and set privileges appropriately:

deploy@server$ chmod 700 ~/.ssh
deploy@server$ chmod 600 ~/.ssh/authorized_keys

You should now be able to log into the target server from deploy@client as deploy@server (this is exactly what Ansible itself will do each time you run it from the client).

Installing Ansible

Dependencies

Ansible requires Python 2.6+ (but not Python 3). Let's install this first:

root@client$ yum install python

And some additional Python libraries that are also required:

root@client$ yum install python-paramiko
root@client$ yum install PyYAML
root@client$ yum install python-jinja2

Note: Managed servers also need Python (2.6+ recommended).

Note 2: It should be possible to use Ansible to install Python on managed servers via "raw mode", but I have not needed to do this as the CentOS 6.2 build I was using already came with Python.

Install Ansible from Github

There are a number of ways to install Ansible (for example via yum), however to get the latest version the best thing to do is simple check it out from Git on Github (the creator of Ansible told me it's safe to work off the mainline[^1]):

root@client$ mkdir /opt/ansible
root@client$ cd /opt/ansible
root@client$ git clone git://github.com/ansible/ansible.git
root@client$ cd ansible
root@client$ chown -R deploy:deploy /opt/ansible
root@client$ su deploy
deploy@client$ source ./hacking/env-setup

That last command runs a shell script that sets up environment variables for Ansible. You can add a call to this to your /home/deploy/.bashrc file if you wish to get it to execute each time you login as deploy on your client machine.

Setting up the hosts file for Ansible

This file contains a lists of servers (usually public IPs) that Ansible will manage. On your local machine:

root@client$ mkdir /etc/ansible
root@client$ nano /etc/ansible/hosts

And inside the new hosts file place:

# Each should have your (deploy user) SSH key in authorized_keys
 
[appservers]
192.168.0.1
192.168.0.1
192.168.0.1
 
[dbservers]
192.168.0.1
192.168.0.1
 
# etc...

You should also ensure that deploy owns that config file too:

root@client$ chown -R deploy:deploy /etc/ansible

Testing Ansible

Now lets switch to the deploy user if you haven't already, and set the ANSIBLE_HOSTS environment variable to point to the hosts file we just created (again, you should consider adding this to /home/deploy/.bashrc for convience):

root@client$ su deploy
deploy@client$ export ANSIBLE_HOSTS=/etc/ansible/hosts

The simplest thing to do is to get Ansible to ping all of the servers: you should get "success" for each one listed in the /etc/ansible/hosts file:

deploy@client$ ansible all -m ping -K
192.168.0.1 | success >> {
    "changed": false, 
    "ping": "pong"
}
 
...

Note that the -K param tells Ansible to prompt you for the sudo password for deploy (as set earlier on each target server). If Ansible complains about the private key being encrypted, then append the -k flag to get it to prompt for that password too or else use ssh-agent to remember the password.

Using ssh-agent to remember the key password

Rather than having to type in the SSH key password for deploy each time you run an Ansible command, you can use ssh-agent to remember it (you will only have to enter it once):

deploy@client$ ssh-agent bash
deploy@client$ ssh-add ~/.ssh/id_rsa

Note: you will still need to use -K and the sudo password each time, but not the -k and key password.

What next?

At this point I will refer you to the excellent documentation on the Ansible website for further learning, in particular you should become aquainted with Ansible Playbooks which is where you will do the bulk of your work with the tool.

---

Updated 2023 : note that the above post was originally published in 2013 and is completely outdated, but is left here for archival purposes. I have fixed some links, and removed the link to Michael DeHaan's Twitter account as it's now dead.