Bootstrapping Cloud Instances into Ansible
23 November 2015 · Filed in Explanation
A while ago, I wrote an article about bootstrapping servers into Ansible—in other words, how to prepare servers to be managed via Ansible. In order for a server to be managed via Ansible, you usually must first create a user account for Ansible, populate the appropriate SSH keys, and grant the new Ansible user sudo permissions. The process I described in my earlier blog post works great for manually-built servers (physical or virtual), but I recently needed to revisit this process for cloud instances. Was it possible to use the process I’d found to bootstrap cloud instances into Ansible?
Cloud instances are a slightly different beast than manually-built servers primarily because password authentication isn’t an option—generally speaking, you’re required to use SSH keys when working with cloud instances. Ansible is SSH-based, as you probably already know, so this shouldn’t be an issue, but it was still something I hadn’t tested or verified. After a bit of testing, I found the bootstrap process I described in my earlier post can be easily adapted for cloud instances.
For reference, here’s the command I use when bootstrapping manually-built servers into Ansible:
ansible-playbook bootstrap.yml -k -K --extra-vars \
  "hosts=newhost.domain.com user=admin"
The bootstrap.yml playbook simply creates an Ansible user, populates the appropriate SSH keys, and sets sudo permissions. The playbook relies upon the variables passed on the command-line, which tell it what hosts should be affected and what user account (and password, via the -k and -K parameters) to use to modify the remote server.
With a cloud instance, this needed to change. First, you don’t know the password; you’re required to use an SSH key for authentication. You generally do know the user account, but not the password. After a short bit of trial and error, I found the following command-line worked with a freshly-booted cloud instance:
ansible-playbook bootstrap.yml --extra-vars \
  "hosts=172.16.6.7 user=ubuntu" --private-key=~/.ssh/cloudkey.pem
The command is largely the same, with two major changes:
- The -k and -K parameters are gone. The password is unknown, so there’s no point in telling Ansible to prompt for any passwords.
- The --private-key parameter supplies the path and name of the SSH keypair (obtained from your cloud platform) that allows initial authentication to the new cloud instance.
- You’ll note I omitted the -i parameter to specify an inventory file; this is because I created an ansible.cfg in this directory and specified the inventory file there. (It makes the command-line easier and simpler.)
As before, I use the --extra-vars parameter to supply the specific host being bootstrapped into Ansible as well as the name of the initial user account (in this case, I’m bootstrapping an Ubuntu cloud image, so the initial user is “ubuntu”). Once the initial bootstrap process completes successfully, I can then run subsequent playbooks against this cloud instance with no further configuration or command-line parameters required.
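
A bootstrap playbook of the kind described above, added here as an example and not the author's actual bootstrap.yml. It consumes the same hosts and user variables from --extra-vars; the account name "ansible", the public key path on the control node, and the NOPASSWD sudo rule are assumptions.

```yaml
---
# Added example, not the author's bootstrap.yml.
# "hosts" and "user" arrive via --extra-vars, as in the commands above.
- name: Bootstrap a host for Ansible management
  hosts: "{{ hosts }}"
  remote_user: "{{ user }}"
  # Cloud instance: the initial user is assumed to have passwordless sudo,
  # so no -K is needed. Manually-built server: pass -k -K as shown earlier.
  become: true
  vars:
    ansible_account: ansible                     # assumed account name
    # Assumed location of the management public key on the control node.
    ansible_pubkey_file: "{{ lookup('env', 'HOME') }}/.ssh/ansible_id.pub"
  tasks:
    - name: Create the Ansible user (no password is set, so login is key-only)
      ansible.builtin.user:
        name: "{{ ansible_account }}"
        shell: /bin/bash
        state: present

    - name: Install the management public key and drop any other keys
      ansible.posix.authorized_key:
        user: "{{ ansible_account }}"
        key: "{{ lookup('file', ansible_pubkey_file) }}"
        exclusive: true
        state: present

    - name: Grant sudo through a drop-in file, syntax-checked before install
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ ansible_account }}"
        content: "{{ ansible_account }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        # A malformed sudoers file can lock out sudo; visudo rejects it first.
        validate: /usr/sbin/visudo -cf %s
```

The key installed for the new account is separate from the cloud platform keypair passed with --private-key, so the platform key is only needed for this first run.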