I’m trying a simple example Ansible configuration. I have three Raspberry Pis, each with Ubuntu Linux 22.04.4 LTS installed; one I’m going to use as the Ansible Workstation, and I’ll then use it to configure the other two servers for different use cases. It’s a simple setup, but it helps build understanding.
My Ansible workstation is called dev1, on IP 192.168.1.4. I then have two other servers called dev2 and dev3, which are on IP addresses 192.168.1.7 and 192.168.1.6 respectively.
Configure Git Repository
It’s advised to set up a Git repository; in my case I created one and cloned it down to the workstation machine. I’m using a Personal Access Token, so enter your GitHub username and PAT when prompted.
git clone https://github.com/tristanhself/ansible.git
Setup Workstation (Install Python, Python Virtual Environment and Ansible)
To set things up, we now need to install Python.
sudo apt update
sudo apt install python3 python3-pip
sudo apt install sshpass
pip3 install virtualenv
I have a Git repository cloned, which has created the “ansible” directory to hold all the Ansible configuration, but we also need a directory to hold the Python virtual environment we’re going to use with our Ansible configuration. So we set up a virtual environment called “ansible-env”, source it, and install Ansible inside the virtual environment. We are then ready to rumble!
cd ~
virtualenv ansible-env
source ansible-env/bin/activate
pip install ansible
ansible --version
That’s the first part done, we have Ansible installed and ready to start managing our two other servers, but to do that we need to create our Ansible configuration.
Quick Test 1 (Password Authentication)
We’ll now perform a quick test to see what happens:
ansible -i ansible_inventory all -m ping -u ubuntu --ask-pass
That appears to be fine, so we’ll now create two files, one called ansible_inventory and one called main.yml, with the contents as follows:
ansible_inventory
[servers]
dev2 ansible_host=192.168.1.7
dev3 ansible_host=192.168.1.6
main.yml
---
- name: Set up a server
  hosts: all
  become: yes
  tasks:
    - name: Install Apache
      apt:
        name: apache2
        state: present
Then run with:
ansible-playbook -i ansible_inventory main.yml -u ubuntu --ask-pass --ask-become-pass
That should complete and install Apache on the two managed servers.
Setup of SSH Keys for use with Ansible
Ideally we don’t want to have to enter our user’s password and the sudo password each time we run the Ansible playbook, especially if we’re looking to have this automated, so what can we use? Well, we have SSH Key-Based Authentication as an option, so let’s try that!
Step 1 – Generate SSH Key Pair on your Local Machine
We first create an SSH key pair on your local machine. We’ll go with the defaults and the default storage location, and we won’t specify a passphrase, but in production you will want to set a passphrase, because if someone has your Private Key they have your access; a passphrase can at least help mitigate this somewhat!
ssh-keygen -t rsa -b 4096 -C "yourname@domain.com"
Once completed, you’ll have two files within your ~/.ssh/ directory: id_rsa (Private Key) and id_rsa.pub (Public Key). You must never share or expose your Private Key.
Step 2 – Copy SSH Public Key to Remote Machine(s)
OK, so now we copy the key to the remote machines. In this example we’ll copy the Public Key to dev2 and dev3, so we can log on to these without needing to enter a password. In my case my user account is called “ubuntu” both on my Ansible Workstation and on the two remote servers (dev2 and dev3). Of course, if you had your own user account you’d use that instead.
ssh-copy-id -i ~/.ssh/id_rsa.pub ubuntu@192.168.1.7
ssh-copy-id -i ~/.ssh/id_rsa.pub ubuntu@192.168.1.6
Of course, this time you will be prompted for a password when you log on; that is so it can copy the SSH Public Key to the server.
ubuntu@dev1:~/.ssh$ ssh-copy-id -i ~/.ssh/id_rsa.pub ubuntu@192.168.1.6
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ubuntu/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ubuntu@192.168.1.6's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'ubuntu@192.168.1.6'"
and check to make sure that only the key(s) you wanted were added.
Step 3 – Verify SSH Key-Based Authentication
We have our user account’s Public Key now stored on both the dev2 and dev3 remote servers, so we can try to connect to them in turn with the below commands:
ssh ubuntu@192.168.1.7
ssh ubuntu@192.168.1.6
If all has worked well, you’ll log into the server via SSH, but not be prompted for a password! And now we are ready to use this with Ansible, so we can run our Ansible against our two servers, without having to enter a password.
Quick Test 2 (Key-Based Authentication)
We can now perform a test with Ansible using Key-Based Authentication (i.e. password-less). This will be as simple as running:
ansible-playbook -i ansible_inventory main.yml -u ubuntu
However, what you’ll notice is an error, “Missing Sudo Password”. We have this issue because our play includes “become: yes”, which means the “ubuntu” user we are using is attempting to become “root” and we haven’t specified the sudo password. There are a few ways to resolve this. One is to just add “--ask-become-pass” to the end of the command; that’s fine, but it slightly defeats the point of a password-less Ansible playbook run.
ansible-playbook -i ansible_inventory main.yml -u ubuntu --ask-become-pass
Instead, for our example we’ll use one of the other options, which is to ensure the “ubuntu” user on the remote host has password-less sudo. In a real-world environment you can use this as a method, but you need to ensure that the user account you use is never used for anything else but running Ansible. You may also want to set a very long password and/or disable password authentication for that account altogether, which means that only Key-Based Authentication can be used. Anyway, let’s resolve this problem.
Firstly SSH to each of our servers dev2 and dev3 in this example and edit the sudoers file:
sudo visudo
Then add the following line to the file, above the “includedir” statement; in our case we’re using the “ubuntu” username.
ubuntu ALL=(ALL) NOPASSWD:ALL
You should now be able to sudo from this user account without needing to enter a password. Give it a quick try with “sudo -s”; if you’re not prompted for a password, we’re all set.
Let’s try running our Ansible again from the Ansible workstation:
ansible-playbook -i ansible_inventory main.yml -u ubuntu
That looks like a success to me!
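One way to check a managed host against the password-less sudo advice above, as an added example that is not part of the original post: the first function lists which sudoers rules carry NOPASSWD and whether they cover all commands, and the second reads the output of sshd -T and reports whether password logins are really switched off. The function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical
# and all sample data is constructed. Backslash-continued sudoers rules are
# not handled.

# Reads sudoers text on stdin; prints "<user-or-group> <scope>" for each rule
# that carries NOPASSWD, where scope is all-commands or restricted.
nopasswd_rules() {
    awk '
        /^[ \t]*#/ { next }    # comments (and #includedir lines)
        /^[ \t]*$/ { next }    # blank lines
        /NOPASSWD[ \t]*:/ {
            rest = $0
            sub(/.*NOPASSWD[ \t]*:[ \t]*/, "", rest)
            scope = (rest ~ /^ALL[ \t]*$/) ? "all-commands" : "restricted"
            print $1, scope
        }
    '
}

# Reads `sshd -T` output on stdin; succeeds only if password-style logins
# are switched off in the effective configuration.
password_login_disabled() {
    awk '
        $1 == "passwordauthentication"       { seen = 1; if ($2 != "no") bad = 1 }
        $1 == "kbdinteractiveauthentication" { if ($2 != "no") bad = 1 }
        END { exit (bad || !seen) }
    '
}

SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL) NOPASSWD:ALL
deploy ALL=(root) NOPASSWD: /usr/bin/apt-get
'
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
'

printf '%s' "$SAMPLE_SUDOERS" | nopasswd_rules
if printf '%s' "$SAMPLE_SSHD_T" | password_login_disabled; then
    echo "password logins disabled: key-based only"
else
    echo "password logins still enabled"
fi
# On a managed host: sudo sh -c 'cat /etc/sudoers /etc/sudoers.d/*' | nopasswd_rules
#                    sudo sshd -T | password_login_disabled
```

Reading sshd -T rather than sshd_config itself means settings pulled in from included files are taken into account.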

Conclusion
We’ve performed the installation of Ansible on our workstation, we’ve then configured an SSH key pair for our Ansible Workstation user, deployed the public key to our two managed servers (dev2 and dev3), configured password-less sudo, and finally used this to run our Ansible Playbook which installed Apache onto our two managed servers.