Ansible Variables | Part-6 | Ansible tutorial for beginners | Ansible Variables | Devops tool.

Ansible uses variables to manage differences between systems. With Ansible, you can execute tasks and playbooks on multiple different systems with a single command. To represent the variations among those different systems, you can create variables with standard YAML syntax, including lists and dictionaries. You can define these variables in your playbooks, in your inventory, in re-usable files or roles, or at the command line. You can also create variables during a playbook run by registering the return value or values of a task as a new variable.

After you create variables, either by defining them in a file, passing them at the command line, or registering the return value or values of a task as a new variable, you can use those variables in module arguments, in conditional “when” statements, in templates, and in loops. The ansible-examples github repository contains many examples of using variables in Ansible.

-------------------------------------YAML SCRIPT---------------------------------------------------------------------

--- # VARIABLES 

- name: showing variables

  hosts: developers

  become: yes

  vars:

          pkgname: httpd

  tasks:

               - name: install httpd on this machine

                 action: yum name='{{pkgname}}' state=installed

---------------------------------------------------COMMAND----------------------------------------------------------To Run Script- ansible-playbook 3rd.yaml

To Create Script- vi 3rd.yaml

What is Docker | Part-1 | Docker tutorial for beginners | Docker | Devops & Developer tool .

 Docker 

• Docker is a very light-weight software container and containerization platform 

• Docker containers provide a way to run software in isolation 

• What does a Docker Container contain and provide? 

o Initially – only a base Linux operating system 

o A boundary or a “jail” to contain running software 

o Like a good jail, there are no unauthorized entries or exits 

o A Docker Image is the foundation for any particular Docker container 

• What is outside of Docker? 

o Other Docker containers 

o The operating system, kernel 

o Any other operating software

Containers 

• Containers are operating system level virtualization 

o Allows for multiple isolated user space instances called containers

 o They share a single kernel 

o Can be added or removed at any time 

• Containers consist of a self contained Linux file system 

o Can be from any Linux distribution which is compatible with the host kernel 

o Usually contain a single application such as a server 

• Operating system level virtualization is lightweight 

o Is often used in Cloud Computing

Container Implementation

 • Operating system level virtualization uses a set of tools 

o A virtualization subsystem 

o A cgroup hierarchy for each container 

o The container is mounted into the filesystem 

• A program inside the container is executed 

o Using chroot to restrict it to the container file system 

o The cgroup constrains use of resources and isolates the container from the rest of the system

Operating System Level Virtualization

 • Operating system level virtualization is where an operating system kernel can support multiple isolated user space instances 

o Instances are called containers or jails 

o There is little overhead as the kernel implements the containers

 • There are numerous implementations 

o chroot has been available in UNIX since 1982

 o FreeBSD jail o Linux Containers (LXC) command line tools using Linux cgroups

 o LXD a container hypervisor built on LXC

 o Docker is a suite of tools for creating and managing containers

Docker for Linux 

Docker was originally a Linux application

 It uses the kernel container functionality 

It requires a 64 bit installation using a kernel version 3.10 or later Docker runs on many popular Linux distributions 

It is available as RPM, APT, or binary versions

Docker for OS X

 Docker runs natively on OS X DMG install application running in user space

 Is built on the xhyve hypervisor 

Requires a 2010 or newer Mac with Intel MMU and EPT support Requires OS X 10.10.3 

Yosemite or newer Requires at least 4GB of RAM

Docker for Windows 

Docker runs natively on Windows 

Requires later versions of Windows 10 Pro or Enterprise 

Docker requires the Hyper-V package 

This is Microsoft's hypervisor for Windows 

It virtualizes the Docker environment and Linux kernel specDocker can't run alongside VirtualBox VMs

Docker Architecture

 • Docker uses a client-server architecture 

• Client 

o Is the primary user interface which communicates using a REST API 

o Over HTTP 

o Over local Unix socket

 • Server 

o Is the Docker daemon 

o Responsible for building, running, and distributing containers 

• Registry 

o Responsible for the storage, management, and delivery of Docker Images 

o Docker Hub 

Docker Images & Containers 

• Docker images are read-only templates 

o Foundation is a simplified version of the Linux operating system 

o Changes to foundation, such as application installations added to the Image 

o Images are the templates or build commands for Docker 

• Docker containers are running environments 

o Has OS, environment, program, network, etc. 

o Runs (probably one) application 

o All required software contained in image 

o Can have boot-up configuration 

o They can be run, started, stopped, and deleted

o Private 

o Other vendors

Docker Images 

• Docker images are built in layers 

o Each layer is a file system 

o The layers are combined in a union file system to make a single image 

o Images are the build component of Docker 

• Images start from a base image 

o Foundation is usually a specifically prepared Linux operating system 

o Custom base images can also be created 

o Docker Image are then built by adding layers: 

o Interactively 

o Defined in a directive file called a “Docker File

Running Containers 

• The docker `run` command starts a container based on a named Docker Image 

o Docker first looks for a local copy of the image 

o If it does not exist it is pulled from a Docker Registry 

o The default Registry is the Docker Hub Registry 

o A new container is created using the file system from the image 

o A read-write layer is added to the top of the file system 

o A network interface is created and an IP address is assigned from a pool 

o Standard input, output, and error streams are connected 

o A specified application is executed 

o Docker container appears as a child of the daemon process, ms are connected

Pulling & Running Containers 

• A Docker Image must be located on the local computer 

o It may have been created locally o It may have been pulled from a Registry 

o It may be missing 

• The `pull` command insures that the specified image is on the local computer 

o It will transfer all constituent layers of the image as separate transfers 

• The `run` command creates and initiates a container based on the image 

o The example runs the latest CentOS image o It runs the command `command`

Ansible Vault | Part-5 | Ansible tutorial for beginners | Ansible Vault | Devops & Developer tool

 Ansible Vault is a feature of ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles. These vault files can then be distributed or placed in source control.

To enable this feature, a command line tool - ansible-vault - is used to edit files, and a command line flag (--ask-vault-pass, --vault-password-file or --vault-id) is used. Alternately, you may specify the location of a password file or command Ansible to always prompt for the password in your ansible.cfg file. These options require no command line flag usage.

What Can Be Encrypted With Vault

File-level encryption

Ansible Vault can encrypt any structured data file used by Ansible.

This can include “group_vars/” or “host_vars/” inventory variables, variables loaded by “include_vars” or “vars_files”, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included.

Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you’re using, you can encrypt the task files in their entirety.

Ansible Vault can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the src argument to the copy, template, unarchive, script or assemble modules, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).

Variable-level encryption

Ansible also supports encrypting single values inside a YAML file, using the !vault tag to let YAML and Ansible know it uses special processing. This feature is covered in more detail below.

Vault IDs and Multiple Vault Passwords

A vault ID is an identifier for one or more vault secrets; Ansible supports multiple vault passwords.

Vault IDs provide labels to distinguish between individual vault passwords.

To use vault IDs, you must provide an ID label of your choosing and a source to obtain its password (either prompt or a file path):

--vault-id label@source

This switch is available for all Ansible commands that can interact with vaults: ansible-vault, ansible-playbook, etc.

Vault-encrypted content can specify which vault ID it was encrypted with.

For example, a playbook can now include a vars file encrypted with a ‘dev’ vault ID and a ‘prod’ vault ID

Creating Encrypted Files

To create a new encrypted data file, run the following command:

ansible-vault create foo.yml

First you will be prompted for a password. After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi. Once you are done with the editor session, the file will be saved as encrypted data.

The default cipher is AES (which is shared-secret based).

To create a new encrypted data file with the Vault ID ‘password1’ assigned to it and be prompted for the password, run:

ansible-vault create --vault-id password1@prompt foo.yml

Editing Encrypted Files
To edit an encrypted file in place, use the ansible-vault edit command. This command will decrypt the file to a temporary file and allow you to edit the file, saving it back when done and removing the temporary file:
ansible-vault edit foo.yml
To edit a file encrypted with the ‘vault2’ password file and assigned the ‘pass2’ vault ID:
ansible-vault edit --vault-id pass2@vault2 foo.yml
Rekeying Encrypted Files
Should you wish to change your password on a vault-encrypted file or files, you can do so with the rekey command:
ansible-vault rekey foo.yml bar.yml baz.yml
This command can rekey multiple data files at once and will ask for the original password and also the new password.
To rekey files encrypted with the ‘preprod2’ vault ID and the ‘ppold’ file and be prompted for the new password:
ansible-vault rekey --vault-id preprod2@ppold --new-vault-id preprod2@prompt foo.yml bar.yml baz.yml
A different ID could have been set for the rekeyed files by passing it to --new-vault-id.
Encrypting Unencrypted Files
If you have existing files that you wish to encrypt, use the ansible-vault encrypt command. This command can operate on multiple files at once:
ansible-vault encrypt foo.yml bar.yml baz.yml
To encrypt existing files with the ‘project’ ID and be prompted for the password:
ansible-vault encrypt --vault-id project@prompt foo.yml bar.yml baz.yml
Note
It is technically possible to separately encrypt files or strings with the same vault ID but different passwords, if different password files or prompted passwords are provided each time. This could be desirable if you use vault IDs as references to classes of passwords (rather than a single password) and you always know which specific password or file to use in context. However this may be an unnecessarily complex use-case. If two files are encrypted with the same vault ID but different passwords by accident, you can use the rekey command to fix the issue.
Decrypting Encrypted Files
If you have existing files that you no longer want to keep encrypted, you can permanently decrypt them by running the ansible-vault decrypt command. This command will save them unencrypted to the disk, so be sure you do not want ansible-vault edit instead:
ansible-vault decrypt foo.yml bar.yml baz.yml
Viewing Encrypted Files
If you want to view the contents of an encrypted file without editing it, you can use the ansible-vault view command:
ansible-vault view foo.yml bar.yml baz.yml
Use encrypt_string to create encrypted variables to embed in yaml
The ansible-vault encrypt_string command will encrypt and format a provided string into a format that can be included in ansible-playbook YAML files.
To encrypt a string provided as a cli arg:
ansible-vault encrypt_string --vault-password-file a_password_file 'foobar' --name 'the_secret'
Result:
the_secret: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      62313365396662343061393464336163383764373764613633653634306231386433626436623361
      6134333665353966363534333632666535333761666131620a663537646436643839616531643561
      63396265333966386166373632626539326166353965363262633030333630313338646335303630
      3438626666666137650a353638643435666633633964366338633066623234616432373231333331
      6564
To use a vault-id label for ‘dev’ vault-id:
ansible-vault encrypt_string --vault-id dev@a_password_file 'foooodev' --name 'the_dev_secret'
Result:
the_dev_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330
To encrypt a string read from stdin and name it ‘db_password’:
echo -n 'letmein' | ansible-vault encrypt_string --vault-id dev@a_password_file --stdin-name 'db_password'
Warning
This method leaves the string in your shell history. Do not use it outside of testing.
Result:
Reading plaintext input from stdin. (ctrl-d to end input)
db_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          61323931353866666336306139373937316366366138656131323863373866376666353364373761
          3539633234313836346435323766306164626134376564330a373530313635343535343133316133
          36643666306434616266376434363239346433643238336464643566386135356334303736353136
          6565633133366366360a326566323363363936613664616364623437336130623133343530333739
          3039
To be prompted for a string to encrypt, encrypt it, and give it the name ‘new_user_password’:
ansible-vault encrypt_string --vault-id dev@a_password_file --stdin-name 'new_user_password'
Output:
Reading plaintext input from stdin. (ctrl-d to end input)
User enters ‘hunter2’ and hits ctrl-d.
Warning
Do not press Enter after supplying the string. That will add a newline to the encrypted value.
Result:
new_user_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          37636561366636643464376336303466613062633537323632306566653533383833366462366662
          6565353063303065303831323539656138653863353230620a653638643639333133306331336365
          62373737623337616130386137373461306535383538373162316263386165376131623631323434
          3866363862363335620a376466656164383032633338306162326639643635663936623939666238
          3161
See also Single Encrypted Variable
Providing Vault Passwords
When all data is encrypted using a single password the --ask-vault-pass or --vault-password-file cli options should be used.
For example, to use a password store in the text file /path/to/my/vault-password-file:
ansible-playbook --vault-password-file /path/to/my/vault-password-file site.yml
To prompt for a password:
ansible-playbook --ask-vault-pass site.yml
To get the password from a vault password executable script my-vault-password.py:
ansible-playbook --vault-password-file my-vault-password.py
The config option DEFAULT_VAULT_PASSWORD_FILE can be used to specify a vault password file so that the --vault-password-file cli option does not have to be specified every time.
Labelling Vaults
Since Ansible 2.4 the --vault-id can be used to indicate which vault ID (‘dev’, ‘prod’, ‘cloud’, etc) a password is for as well as how to source the password (prompt, a file path, etc).
By default the vault-id label is only a hint, any values encrypted with the password will be decrypted. The config option DEFAULT_VAULT_ID_MATCH can be set to require the vault id to match the vault ID used when the value was encrypted. This can reduce errors when different values are encrypted with different passwords.
For example, to use a password file dev-password for the vault-id ‘dev’:
ansible-playbook --vault-id dev@dev-password site.yml
To prompt for the password for the ‘dev’ vault ID:
ansible-playbook --vault-id dev@prompt site.yml
To get the ‘dev’ vault ID password from an executable script my-vault-password.py:
ansible-playbook --vault-id dev@my-vault-password.py
The config option DEFAULT_VAULT_IDENTITY_LIST can be used to specify a default vault ID and password source so that the --vault-id cli option does not have to be specified every time.
The --vault-id option can also be used without specifying a vault-id. This behaviour is equivalent to --ask-vault-pass or --vault-password-file so is rarely used.
For example, to use a password file dev-password:
ansible-playbook --vault-id dev-password site.yml
To prompt for the password:
ansible-playbook --vault-id @prompt site.yml
To get the password from an executable script my-vault-password.py:
ansible-playbook --vault-id my-vault-password.py
Note
Prior to Ansible 2.4, the --vault-id option is not supported so --ask-vault-pass or --vault-password-file must be used.
Multiple Vault Passwords
Ansible 2.4 and later support using multiple vault passwords, --vault-id can be provided multiple times.
For example, to use a ‘dev’ password read from a file and to be prompted for the ‘prod’ password:
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml
By default the vault ID labels (dev, prod etc.) are only hints, Ansible will attempt to decrypt vault content with each password. The password with the same label as the encrypted data will be tried first, after that each vault secret will be tried in the order they were provided on the command line.
Where the encrypted data doesn’t have a label, or the label doesn’t match any of the provided labels, the passwords will be tried in the order they are specified.
In the above case, the ‘dev’ password will be tried first, then the ‘prod’ password for cases where Ansible doesn’t know which vault ID is used to encrypt something.
To add a vault ID label to the encrypted data use the --vault-id option with a label when encrypting the data.
The DEFAULT_VAULT_ID_MATCH config option can be set so that Ansible will only use the password with the same label as the encrypted data. This is more efficient and may be more predictable when multiple passwords are used.
The config option DEFAULT_VAULT_IDENTITY_LIST can have multiple values which is equivalent to multiple --vault-id cli options.
The --vault-id can be used in lieu of the --vault-password-file or --ask-vault-pass options, or it can be used in combination with them.
When using ansible-vault commands that encrypt content (ansible-vault encrypt, ansible-vault encrypt_string, etc) only one vault-id can be used.
Vault Password Client Scripts
When implementing a script to obtain a vault password it may be convenient to know which vault ID label was requested. For example a script loading passwords from a secret manager may want to use the vault ID label to pick either the ‘dev’ or ‘prod’ password.
Since Ansible 2.5 this is supported through the use of Client Scripts. A Client Script is an executable script with a name ending in -client. Client Scripts are used to obtain vault passwords in the same way as any other executable script. For example:
ansible-playbook --vault-id dev@contrib/vault/vault-keyring-client.py
The difference is in the implementation of the script. Client Scripts are executed with a --vault-id option so they know which vault ID label was requested. So the above Ansible execution results in the below execution of the Client Script:
contrib/vault/vault-keyring-client.py --vault-id dev
contrib/vault/vault-keyring-client.py is an example of Client Script that loads passwords from the system keyring.
Speeding Up Vault Operations
By default, Ansible uses PyCrypto to encrypt and decrypt vault files. If you have many encrypted files, decrypting them at startup may cause a perceptible delay. To speed this up, install the cryptography package:
pip install cryptography
Vault Format
A vault encrypted file is a UTF-8 encoded txt file.
The file format includes a newline terminated header.
For example:
$ANSIBLE_VAULT;1.1;AES256
or:
$ANSIBLE_VAULT;1.2;AES256;vault-id-label
The header contains the vault format id, the vault format version, the vault cipher, and a vault-id label (with format version 1.2), separated by semi-colons ‘;’
The first field $ANSIBLE_VAULT is the format id. Currently $ANSIBLE_VAULT is the only valid file format id. This is used to identify files that are vault encrypted (via vault.is_encrypted_file()).
The second field (1.X) is the vault format version. All supported versions of ansible will currently default to ‘1.1’ or ‘1.2’ if a labeled vault-id is supplied.
The ‘1.0’ format is supported for reading only (and will be converted automatically to the ‘1.1’ format on write). The format version is currently used as an exact string compare only (version numbers are not currently ‘compared’).
The third field (AES256) identifies the cipher algorithm used to encrypt the data. Currently, the only supported cipher is ‘AES256’. [vault format 1.0 used ‘AES’, but current code always uses ‘AES256’]
The fourth field (vault-id-label) identifies the vault-id label used to encrypt the data. For example using a vault-id of dev@prompt results in a vault-id-label of ‘dev’ being used.
Note: In the future, the header could change. Anything after the vault id and version can be considered to depend on the vault format version. This includes the cipher id, and any additional fields that could be after that.
The rest of the content of the file is the ‘vaulttext’. The vaulttext is a text armored version of the encrypted ciphertext. Each line will be 80 characters wide, except for the last line which may be shorter.
Vault Payload Format 1.1 - 1.2
The vaulttext is a concatenation of the ciphertext and a SHA256 digest with the result ‘hexlifyied’.
‘hexlify’ refers to the hexlify() method of the Python Standard Library’s binascii module.
hexlify()’ed result of:
hexlify()’ed string of the salt, followed by a newline (0x0a)
hexlify()’ed string of the crypted HMAC, followed by a newline. The HMAC is:
a RFC2104 style HMAC
inputs are:
The AES256 encrypted ciphertext
A PBKDF2 key. This key, the cipher key, and the cipher IV are generated from:
the salt, in bytes
10000 iterations
SHA256() algorithm
the first 32 bytes are the cipher key
the second 32 bytes are the HMAC key
remaining 16 bytes are the cipher IV
hexlify()’ed string of the ciphertext. The ciphertext is:
AES256 encrypted data. The data is encrypted using:
AES-CTR stream cipher
cipher key
IV
a 128 bit counter block seeded from an integer IV
the plaintext
the original plaintext
padding up to the AES256 blocksize. (The data used for padding is based on RFC5652)



 
Next  Previous