1
00:00:07,450 --> 00:00:08,760
- All right, for this lab,

2
00:00:08,760 --> 00:00:11,040
we are going to start with the working version

3
00:00:11,040 --> 00:00:13,190
of Ansible Tower.

4
00:00:13,190 --> 00:00:15,073
Makes no sense to install it again.

5
00:00:15,980 --> 00:00:19,920
We are going to add the CentOS 7 machine

6
00:00:19,920 --> 00:00:22,350
that I just installed.

7
00:00:22,350 --> 00:00:24,520
Okay, let's do a quick test

8
00:00:24,520 --> 00:00:25,610
and see if we can log in.

9
00:00:25,610 --> 00:00:30,283
As I say, Ansible at 192.68.29.195.

10
00:00:31,160 --> 00:00:35,217
And yes and (indistinct).

11
00:00:35,217 --> 00:00:39,086
And also sudo ls /root.

12
00:00:39,086 --> 00:00:39,919
Is that working?

13
00:00:40,830 --> 00:00:42,070
Prompting for a password,

14
00:00:42,070 --> 00:00:44,260
but we are getting in.

15
00:00:44,260 --> 00:00:46,380
So we have privilege escalation,

16
00:00:46,380 --> 00:00:49,460
and seems to be good.

17
00:00:49,460 --> 00:00:52,630
So let's get to the Ansible Tower interface.

18
00:00:52,630 --> 00:00:54,450
In the Ansible Tower interface,

19
00:00:54,450 --> 00:00:57,680
I am going to use my inventory,

20
00:00:57,680 --> 00:00:59,060
and in the inventory,

21
00:00:59,060 --> 00:01:01,060
well, it's up to you what you want to do.

22
00:01:01,060 --> 00:01:03,590
You can integrate it into an existing inventory.

23
00:01:03,590 --> 00:01:04,450
I don't wanna do it.

24
00:01:04,450 --> 00:01:05,980
I want to create a new inventory

25
00:01:05,980 --> 00:01:07,483
to make this a separate topic.

26
00:01:08,440 --> 00:01:11,387
So the name is CentOS 7

27
00:01:12,360 --> 00:01:14,070
and the organization is default.

28
00:01:14,070 --> 00:01:15,390
Well, before I can do anything,

29
00:01:15,390 --> 00:01:16,803
I need to click on save.

30
00:01:17,780 --> 00:01:20,060
Next I need to add my hosts,

31
00:01:20,060 --> 00:01:25,060
and my hosts are centos7.example.com.

32
00:01:27,220 --> 00:01:28,730
Just one host.

33
00:01:28,730 --> 00:01:29,563
One more thing.

34
00:01:29,563 --> 00:01:31,150
We need to get back to the command line

35
00:01:31,150 --> 00:01:35,520
and sudo vim on /etc/hosts to make sure

36
00:01:35,520 --> 00:01:39,530
that we actually can reach out to this machine.

37
00:01:39,530 --> 00:01:44,530
So 192.168.29.195 on centos7.example.com.

38
00:01:51,500 --> 00:01:52,990
Short name, as well.

39
00:01:52,990 --> 00:01:54,600
There we go.

40
00:01:54,600 --> 00:01:56,830
Now that we are on the command line,

41
00:01:56,830 --> 00:01:57,810
we should also wonder,

42
00:01:57,810 --> 00:01:59,290
do we need to do anything else?

43
00:01:59,290 --> 00:02:00,790
Well, this is Ansible Tower,

44
00:02:00,790 --> 00:02:03,510
so you don't necessarily have to copy over

45
00:02:03,510 --> 00:02:06,300
SSH keys and stuff.

46
00:02:06,300 --> 00:02:08,230
So we are done with the inventory.

47
00:02:08,230 --> 00:02:11,440
Let's continue with the credentials.

48
00:02:11,440 --> 00:02:13,510
So in the credentials,

49
00:02:13,510 --> 00:02:15,040
I'm adding new credentials.

50
00:02:15,040 --> 00:02:18,290
We call it sent credentials.

51
00:02:18,290 --> 00:02:22,980
The organization is going to be my default organization,

52
00:02:22,980 --> 00:02:24,370
and the credential type.

53
00:02:24,370 --> 00:02:26,180
It's the most important property.

54
00:02:26,180 --> 00:02:28,340
That will be the machine credentials.

55
00:02:28,340 --> 00:02:29,543
There we go.

56
00:02:30,450 --> 00:02:32,963
Then it's asking for username and password.

57
00:02:33,870 --> 00:02:36,300
So anyhow, it's getting this from cache.

58
00:02:36,300 --> 00:02:38,080
I need a new password.

59
00:02:38,080 --> 00:02:41,740
You have a choice here between SSH keys and password.

60
00:02:41,740 --> 00:02:44,110
SSH keys is convenient from the command line

61
00:02:44,110 --> 00:02:48,040
but you might also want to use a password.

62
00:02:48,040 --> 00:02:50,340
Depends on your security setting.

63
00:02:50,340 --> 00:02:53,350
An important one is the privilege escalation method.

64
00:02:53,350 --> 00:02:56,221
I need to set privilege escalation to sudo

65
00:02:56,221 --> 00:02:58,430
and a privilege escalation per username.

66
00:02:58,430 --> 00:03:01,730
That will be root and a privilege escalation password.

67
00:03:01,730 --> 00:03:05,770
That will be my very secret root password.

68
00:03:05,770 --> 00:03:07,680
The nice thing about this is

69
00:03:07,680 --> 00:03:10,890
by using this manual privilege escalation

70
00:03:10,890 --> 00:03:13,740
integrated into Ansible Tower,

71
00:03:13,740 --> 00:03:17,010
I don't need to configure any passwordless sudo.

72
00:03:17,010 --> 00:03:18,940
So I kind of like this.

73
00:03:18,940 --> 00:03:21,590
This makes it more secure, right?

74
00:03:21,590 --> 00:03:23,320
Then we have the projects.

75
00:03:23,320 --> 00:03:26,170
That's just staying the same because we are

76
00:03:26,170 --> 00:03:28,743
in the same git repository.

77
00:03:29,840 --> 00:03:32,870
Might need to do an update every now and then.

78
00:03:32,870 --> 00:03:34,730
That's also something that you might need to do

79
00:03:34,730 --> 00:03:37,030
while working with Ansible to make sure

80
00:03:37,030 --> 00:03:38,510
that you have access to the latest

81
00:03:38,510 --> 00:03:40,589
and greatest YAML files.

82
00:03:40,589 --> 00:03:43,793
Then we are going to configure a template.

83
00:03:45,350 --> 00:03:47,090
So that's my job template.

84
00:03:47,090 --> 00:03:51,110
That's just a singular job, CentOS job,

85
00:03:51,110 --> 00:03:53,080
and it's a run,

86
00:03:53,080 --> 00:03:57,013
and the inventory is CentOS 7.

87
00:03:57,013 --> 00:03:58,143
Here we go.

88
00:03:59,290 --> 00:04:03,460
Then the product is my default product,

89
00:04:03,460 --> 00:04:05,170
and the playbook.

90
00:04:05,170 --> 00:04:06,943
Do we have any nice playbook?

91
00:04:08,000 --> 00:04:09,580
run and test httpd.

92
00:04:09,580 --> 00:04:12,000
That's what we were asked for in the lab.

93
00:04:12,000 --> 00:04:14,220
And next we have the credentials.

94
00:04:14,220 --> 00:04:19,220
So in the credentials, we have these sent credentials,

95
00:04:20,610 --> 00:04:25,610
and then I'm doing my select and that should do it.

96
00:04:25,730 --> 00:04:28,320
Now, there is one thing to realize,

97
00:04:28,320 --> 00:04:29,870
and that is the playbook.

98
00:04:29,870 --> 00:04:32,930
The playbook is hard coded with a host name.

99
00:04:32,930 --> 00:04:35,530
So if this playbook is doing a host all,

100
00:04:35,530 --> 00:04:36,630
then it will be all right.

101
00:04:36,630 --> 00:04:39,730
If this playbook is doing a host something specific

102
00:04:39,730 --> 00:04:41,850
which is not CentOS 7,

103
00:04:41,850 --> 00:04:44,140
then it is not going to be alright.

104
00:04:44,140 --> 00:04:45,670
Let's figure out if that is working,

105
00:04:45,670 --> 00:04:47,960
and if it's not working, let's fix it.

106
00:04:47,960 --> 00:04:50,040
I mean, this is part of what you will find

107
00:04:50,040 --> 00:04:55,040
in reality while working with Ansible Tower itself.

108
00:04:55,830 --> 00:04:56,663
There we go.

109
00:04:56,663 --> 00:04:58,570
This is what I was afraid of.

110
00:04:58,570 --> 00:05:03,370
Could not match supplied host pattern, ignoring rocky.

111
00:05:03,370 --> 00:05:05,170
So how are we going to fix that?

112
00:05:05,170 --> 00:05:06,490
Well, there are two options.

113
00:05:06,490 --> 00:05:09,880
Option number one, you are going to fix it in the playbook.

114
00:05:09,880 --> 00:05:13,883
That will probably be the best option because,

115
00:05:14,750 --> 00:05:17,330
well, the problem here is really in the playbook

116
00:05:17,330 --> 00:05:19,160
and we want the playbook to be running

117
00:05:19,160 --> 00:05:21,080
in the Ansible Tower environment.

118
00:05:21,080 --> 00:05:23,840
Option number two, we could do a dirty trick

119
00:05:23,840 --> 00:05:27,490
and in the inventory define a group with the name rocky.

120
00:05:27,490 --> 00:05:29,930
If we have a group with the name rocky,

121
00:05:29,930 --> 00:05:33,360
then it will work in this environment, as well.

122
00:05:33,360 --> 00:05:34,193
You know what?

123
00:05:34,193 --> 00:05:35,450
I feel like doing the dirty trick.

124
00:05:35,450 --> 00:05:38,070
In the end, it's really up to what you wanna do,

125
00:05:38,070 --> 00:05:41,320
but I'm just going to create a new group

126
00:05:41,320 --> 00:05:42,620
with the name Rocky.

127
00:05:42,620 --> 00:05:43,770
And I hope you sense

128
00:05:43,770 --> 00:05:46,830
that this is not really a perfect solution.

129
00:05:46,830 --> 00:05:51,160
But if we add this group rocky, there we go.

130
00:05:51,160 --> 00:05:54,900
Then we add the host, existing host,

131
00:05:54,900 --> 00:05:58,520
and that will be centos7.example.com.

132
00:05:58,520 --> 00:06:00,200
We add that to the group.

133
00:06:00,200 --> 00:06:01,713
We get back to the template.

134
00:06:02,620 --> 00:06:07,000
We run the CentOS 7 template's job again.

135
00:06:07,000 --> 00:06:08,280
And there we go.

136
00:06:08,280 --> 00:06:10,140
And you can see that,

137
00:06:10,140 --> 00:06:12,090
well, it is reaching out.

138
00:06:12,090 --> 00:06:13,230
We see install, start,

139
00:06:13,230 --> 00:06:14,570
and enable HTTP

140
00:06:14,570 --> 00:06:18,250
and install packages working on the package installation.

141
00:06:18,250 --> 00:06:20,220
All of this depends on the quality

142
00:06:20,220 --> 00:06:21,890
of the playbook, of course,

143
00:06:21,890 --> 00:06:23,870
because in playbook development,

144
00:06:23,870 --> 00:06:25,760
you can develop your playbooks

145
00:06:25,760 --> 00:06:29,560
in such a way that it easily will work

146
00:06:29,560 --> 00:06:33,050
across different distributions by using packets

147
00:06:33,050 --> 00:06:37,700
and by using flexible host names

148
00:06:37,700 --> 00:06:39,440
that are easy to reuse.

149
00:06:39,440 --> 00:06:42,220
If the playbook is too specific,

150
00:06:42,220 --> 00:06:44,430
then it won't work.

151
00:06:44,430 --> 00:06:46,650
And oh, what are we getting here?

152
00:06:46,650 --> 00:06:48,930
I am getting message.

153
00:06:48,930 --> 00:06:52,220
You need to be root to perform this command.

154
00:06:52,220 --> 00:06:53,710
Aha.

155
00:06:53,710 --> 00:06:56,300
That's nothing that depends on the playbook.

156
00:06:56,300 --> 00:06:59,170
You need to be root to perform this command.

157
00:06:59,170 --> 00:07:00,910
That depends on something else,

158
00:07:00,910 --> 00:07:02,740
and this something else is quite common.

159
00:07:02,740 --> 00:07:04,953
Let me explain why this is a common error.

160
00:07:05,820 --> 00:07:07,940
If you look at the credentials,

161
00:07:07,940 --> 00:07:11,110
we have our sent credentials,

162
00:07:11,110 --> 00:07:12,900
and in the sent credentials,

163
00:07:12,900 --> 00:07:15,770
I've told it to do privilege escalation.

164
00:07:15,770 --> 00:07:17,490
And why doesn't that work?

165
00:07:17,490 --> 00:07:20,510
Well, that doesn't work because you need to specify that

166
00:07:20,510 --> 00:07:22,680
on the job template, as well.

167
00:07:22,680 --> 00:07:25,770
So let me get back to the CentOS job

168
00:07:25,770 --> 00:07:27,390
and let me tick this option,

169
00:07:27,390 --> 00:07:31,210
enable privilege escalation to ensure that it will work

170
00:07:31,210 --> 00:07:33,140
with privileged escalation.

171
00:07:33,140 --> 00:07:34,770
I'm saving.

172
00:07:34,770 --> 00:07:37,140
And I am launching again.

173
00:07:37,140 --> 00:07:38,260
And here we go.

174
00:07:38,260 --> 00:07:40,123
Now it should be doing something.

175
00:07:42,090 --> 00:07:44,390
So as you can see, it's progressing.

176
00:07:44,390 --> 00:07:46,100
The package is installed

177
00:07:46,100 --> 00:07:49,920
and everything else should be doing all right, as well.

178
00:07:49,920 --> 00:07:51,440
If it fails at this point,

179
00:07:51,440 --> 00:07:53,430
it's due to the quality of the playbook,

180
00:07:53,430 --> 00:07:55,210
not due to Ansible Tower.

181
00:07:55,210 --> 00:07:59,133
So for now, let's consider this lab completed successfully.

182
00:08:01,950 --> 00:08:04,620
Uh-oh, there's only one thing that is failing here.

183
00:08:04,620 --> 00:08:06,240
And there we go.

184
00:08:06,240 --> 00:08:10,540
You can see it's telling us status code was minus one,

185
00:08:10,540 --> 00:08:12,440
name or service, not known.

186
00:08:12,440 --> 00:08:14,330
Why do we have name or service not known?

187
00:08:14,330 --> 00:08:18,800
Well, doing an http://rocky is trying to reach out to Rocky.

188
00:08:18,800 --> 00:08:21,180
The name of my machine is not Rocky.

189
00:08:21,180 --> 00:08:22,640
It's CentOS 7.

190
00:08:22,640 --> 00:08:26,580
You cannot reach a host based on the Ansible group name.

191
00:08:26,580 --> 00:08:29,130
That's a minor problem in the playbook.

192
00:08:29,130 --> 00:08:30,690
Nothing wrong with Ansible.

193
00:08:30,690 --> 00:08:32,640
So let's continue with the next lesson.