{"id":4510,"date":"2025-05-11T14:32:51","date_gmt":"2025-05-11T14:32:51","guid":{"rendered":"https:\/\/geekmungus.co.uk\/?p=4510"},"modified":"2025-05-11T14:32:52","modified_gmt":"2025-05-11T14:32:52","slug":"ansible-workstation-setup-and-example","status":"publish","type":"post","link":"https:\/\/geekmungus.co.uk\/?p=4510","title":{"rendered":"Ansible Workstation Setup and Example"},"content":{"rendered":"\n
I\u2019m trying a simple example Ansible configuration, I have three Raspberry Pi, each with Ubuntu Linux 22.04.4 LTS installed, one I’m going to use as the Ansible Workstation, then use it to configure the other two servers for different use cases. Its a simple setup, but helps build understanding.<\/p>\n\n\n\n
My Ansible workstation is called dev1 on IP: 192.168.1.4, I then have two other servers called dev2 and dev3, which are on IP addresses: 192.168.1.7 and 192.168.1.6 respectively.<\/p>\n\n\n\n
Configure Git Repository<\/h1>\n\n\n\n
Its advised to setup a git repository, in my case I created on and cloned it down to the workstation machine. I\u2019m using a Personal Access Token, so enter your Github Username and PAT when prompted.<\/p>\n\n\n\n
I have a git repository cloned which has created the \u201cansible\u201d directory to hold all the Ansible configuration, but we also need a directory to hold the Python Virtual environment we\u2019re going to use with our Ansible Configuration. So we setup a virtual environment called \u201cansible-env\u201d, then source it, then install ansible inside the virtual environment and we are then ready to rhumble!<\/p>\n\n\n\n
cd ~\nvirtualenv ansible-env\n\nsource ansible-env\/bin\/activate\n\npip install ansible\n\nansible --version<\/code><\/pre>\n\n\n\n
That\u2019s the first part done, we have Ansible installed and ready to start managing our two other servers, but to do that we need to create our Ansible configuration.<\/p>\n\n\n\n
Quick Test 1 (Password Authentication)<\/h1>\n\n\n\n
We’ll now perform a quick test to see what happens:<\/p>\n\n\n\n
ansible -i ansble_inventory all -m ping -u ubuntu --ask-pass<\/code><\/pre>\n\n\n\n
That appears to be fine, so we’ll now create a two files on called ansible_inventory and one called main.yml with the contents as follows:<\/p>\n\n\n\n
That should complete and install Apache to the two managed servers.<\/p>\n\n\n\n
Setup of SSH Keys for use with Ansible<\/h1>\n\n\n\n
Ideally we don’t want to have to enter our user’s password and the sudo password each time we run the Ansible playbook, especially if we’re looking to have this automated, so what what can we use? Well, we have SSH Key-Based Authentication as an option, so let’s try that!<\/p>\n\n\n\n
Step 1 – Generate SSH Key Pair on your Local Machine<\/h2>\n\n\n\n
We first create n SSH key pair on your local machine, we’ll go with the defaults and the default storage location, and we won’t specify a passphrase, but in production you will want to set a passphrase because if someone has your Private Key they have your access, at least a passphrase an help mitigate this somewhat!<\/p>\n\n\n\n
Once completed, you’ll have two files within your ~\/.ssh\/<\/strong> directory: id_rsa <\/strong>(Private Key) and id_rsa.pub<\/strong> (Public Key). You must never share or expose your Private Key.<\/p>\n\n\n\n
Step 2 – Copy SSH Public Key to Remote Machine(s)<\/h2>\n\n\n\n
Ok, so now we copy the key to the remote machines, in this example we’ll copy the Public Key to dev2 and dev3, so we can log on to these without needing to enter a password. In my case my user account is called “ubuntu” both on my Ansible Workstation, but also on the two remote servers (dev2 and dev3). Of course if you had your own user account you’d use that instead.<\/p>\n\n\n\n
Of course, this time you are connecting you will be prompted for a password when you’re logging on, and that is so it can copy the SSH Public Key to the server.<\/p>\n\n\n\n
ubuntu@dev1:~\/.ssh$ ssh-copy-id -i ~\/.ssh\/id_rsa.pub ubuntu@192.168.1.6\n\/usr\/bin\/ssh-copy-id: INFO: Source of key(s) to be installed: \"\/home\/ubuntu\/.ssh\/id_rsa.pub\"\n\/usr\/bin\/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n\/usr\/bin\/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys\nubuntu@192.168.1.6's password:\n\nNumber of key(s) added: 1\n\nNow try logging into the machine, with: \"ssh 'ubuntu@192.168.1.6'\"\nand check to make sure that only the key(s) you wanted were added.<\/code><\/pre>\n\n\n\n
We have our user account’s Public Key now stored on both the dev2 and dev3 remote servers, so we can try to connect to them in turn with the below commands:<\/p>\n\n\n\n
If all has worked well, you’ll log into the server via SSH, but not be prompted for a password! And now we are ready to use this with Ansible, so we can run our Ansible against our two servers, without having to enter a password.<\/p>\n\n\n\n
Quick Test 2 (Key-Based Authentication)<\/h1>\n\n\n\n
We can now perform a test with Ansible using Key-Based Authentication (i.e. password-less), this will be as simple as running:<\/p>\n\n\n\n
However, what you’ll notice is an error “Missing Sudo Password”, we have this issue because our play includes “become: yes”, which means the “ubuntu” user we are using is attempting to become “root” and we haven’t specified the sudo password, there are a few ways to resolve this, one is to just add “–ask-become-pass”<\/em> to the end of the command, that’s fine but it slightly defeats the point of a password-less Ansible playbook run.<\/p>\n\n\n\n
Instead, for our example we’ll use one of the other options, which is to ensure the “ubuntu” user on the remote host has password-less sudo, now in a real world environment you can do this as a method, but what you need to ensure is that the user account you use is never used for anything else but running Ansible, you may also want to set a very long password and\/or disable password authentication for that account altogether, i.e. means that only Key-Based Authentication can be used. Anyway let’s resolve this problem.<\/p>\n\n\n\n
Firstly SSH to each of our servers dev2 and dev3 in this example and edit the sudoers file:<\/p>\n\n\n\n
sudo visudo<\/code><\/pre>\n\n\n\n
Then add this line to the file above the “includedir” statement the following, in our case we using the “ubuntu” username.<\/p>\n\n\n\n
You should now be able to sudo from this user account without needing to enter a password, give it a quick try with “sudo -s”, if you’re not prompted for a password, we’re all set.<\/p>\n\n\n\n
Let’s try running our Ansible again from the Ansible workstation:<\/p>\n\n\n\n
That looks like a success to me!<\/p>\n\n\n\n<\/figure>\n\n\n\n
Conclusion<\/h1>\n\n\n\n
We’ve performed the installation of Ansible on our workstation, we’ve then configured an SSH key pair for our Ansible Workstation user, deployed the public key to our two managed servers (dev2 and dev3), configured password-less sudo, and finally used this to run our Ansible Playbook which installed Apache onto our two managed servers.<\/p>\n","protected":false},"excerpt":{"rendered":"
![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/05\/image-1-1024x195.png\")
<\/figure>\n\n\n\n