Use Ansible network roles
Roles are sets of Ansible defaults, files, tasks, templates, variables, and other Ansible components that work together. As you saw on Run Your First Command and Playbook, moving from a command to a playbook makes it easy to run multiple tasks and repeat the same tasks in the same order. Moving from a playbook to a role makes it even easier to reuse and share your ordered tasks. You can look at Ansible Galaxy, which lets you share your roles and use others’ roles, either directly or as inspiration.
Understanding roles
So what exactly is a role, and why should you care? Ansible roles are basically playbooks broken up into a known file structure. Moving to roles from a playbook makes sharing, reading, and updating your Ansible workflow easier. Users can write their own roles. So for example, you don’t have to write your own DNS playbook. Instead, you specify a DNS server and a role to configure it for you.
To simplify your workflow even further, the Ansible Network team has written a series of roles for common network use cases. Using these roles means you don’t have to reinvent the wheel. Instead of writing and maintaining your own create_vlan
playbooks or roles, you can concentrate on designing, codifying and maintaining the parser templates that describe your network topologies and inventory, and let Ansible’s network roles do the work. See the network-related roles on Ansible Galaxy.
A sample DNS playbook
To demonstrate the concept of what a role is, the example playbook.yml
below is a single YAML file containing a two-task playbook. This Ansible Playbook configures the hostname on a Cisco IOS XE device, then it configures the DNS (domain name system) servers.
---
- name: configure cisco routers
hosts: routers
connection: ansible.netcommon.network_cli
gather_facts: no
vars:
dns: "8.8.8.8 8.8.4.4"
tasks:
- name: configure hostname
cisco.ios.ios_config:
lines: hostname {{ inventory_hostname }}
- name: configure DNS
cisco.ios.ios_config:
lines: ip name-server {{dns}}
If you run this playbook using the ansible-playbook
command, you’ll see the output below. This example used -l
option to limit the playbook to only executing on the rtr1 node.
[user@ansible ~]$ ansible-playbook playbook.yml -l rtr1
PLAY [configure cisco routers] *************************************************
TASK [configure hostname] ******************************************************
changed: [rtr1]
TASK [configure DNS] ***********************************************************
changed: [rtr1]
PLAY RECAP *********************************************************************
rtr1 : ok=2 changed=2 unreachable=0 failed=0
This playbook configured the hostname and DNS servers. You can verify that configuration on the Cisco IOS XE rtr1 router:
rtr1#sh run | i name
hostname rtr1
ip name-server 8.8.8.8 8.8.4.4
Convert the playbook into a role
The next step is to convert this playbook into a reusable role. You can create the directory structure manually, or you can use ansible-galaxy init
to create the standard framework for a role.
[user@ansible ~]$ ansible-galaxy init system-demo
[user@ansible ~]$ cd system-demo/
[user@ansible system-demo]$ tree
.
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
This first demonstration uses only the tasks and vars directories. The directory structure would look as follows:
[user@ansible system-demo]$ tree
.
├── tasks
│ └── main.yml
└── vars
└── main.yml
Next, move the content of the vars
and tasks
sections from the original Ansible Playbook into the role. First, move the two tasks into the tasks/main.yml
file:
[user@ansible system-demo]$ cat tasks/main.yml
---
- name: configure hostname
cisco.ios.ios_config:
lines: hostname {{ inventory_hostname }}
- name: configure DNS
cisco.ios.ios_config:
lines: ip name-server {{dns}}
Next, move the variables into the vars/main.yml
file:
[user@ansible system-demo]$ cat vars/main.yml
---
dns: "8.8.8.8 8.8.4.4"
Finally, modify the original Ansible Playbook to remove the tasks
and vars
sections and add the keyword roles
with the name of the role, in this case system-demo
. You’ll have this playbook:
---
- name: configure cisco routers
hosts: routers
connection: ansible.netcommon.network_cli
gather_facts: no
roles:
- system-demo
To summarize, this demonstration now has a total of three directories and three YAML files. There is the system-demo
folder, which represents the role. This system-demo
contains two folders, tasks
and vars
. There is a main.yml
is each respective folder. The vars/main.yml
contains the variables from playbook.yml
. The tasks/main.yml
contains the tasks from playbook.yml
. The playbook.yml
file has been modified to call the role rather than specifying vars and tasks directly. Here is a tree of the current working directory:
[user@ansible ~]$ tree
.
├── playbook.yml
└── system-demo
├── tasks
│ └── main.yml
└── vars
└── main.yml
Running the playbook results in identical behavior with slightly different output:
[user@ansible ~]$ ansible-playbook playbook.yml -l rtr1
PLAY [configure cisco routers] *************************************************
TASK [system-demo : configure hostname] ****************************************
ok: [rtr1]
TASK [system-demo : configure DNS] *********************************************
ok: [rtr1]
PLAY RECAP *********************************************************************
rtr1 : ok=2 changed=0 unreachable=0 failed=0
As seen above each task is now prepended with the role name, in this case system-demo
. When running a playbook that contains several roles, this will help pinpoint where a task is being called from. This playbook returned ok
instead of changed
because it has identical behavior for the single file playbook we started from.
As before, the playbook will generate the following configuration on a Cisco IOS-XE router:
rtr1#sh run | i name
hostname rtr1
ip name-server 8.8.8.8 8.8.4.4
This is why Ansible roles can be simply thought of as deconstructed playbooks. They are simple, effective and reusable. Now another user can simply include the system-demo
role instead of having to create a custom “hard coded” playbook.
Variable precedence
What if you want to change the DNS servers? You aren’t expected to change the vars/main.yml
within the role structure. Ansible has many places where you can specify variables for a given play. See Using Variables for details on variables and precedence. There are actually 21 places to put variables. While this list can seem overwhelming at first glance, the vast majority of use cases only involve knowing the spot for variables of least precedence and how to pass variables with most precedence. See Variable precedence: Where should I put a variable? for more guidance on where you should put variables.
Lowest precedence
The lowest precedence is the defaults
directory within a role. This means all the other 20 locations you could potentially specify the variable will all take higher precedence than defaults
, no matter what. To immediately give the vars from the system-demo
role the least precedence, rename the vars
directory to defaults
.
[user@ansible system-demo]$ mv vars defaults
[user@ansible system-demo]$ tree
.
├── defaults
│ └── main.yml
├── tasks
│ └── main.yml
Add a new vars
section to the playbook to override the default behavior (where the variable dns
is set to 8.8.8.8 and 8.8.4.4). For this demonstration, set dns
to 1.1.1.1, so playbook.yml
becomes:
---
- name: configure cisco routers
hosts: routers
connection: ansible.netcommon.network_cli
gather_facts: no
vars:
dns: 1.1.1.1
roles:
- system-demo
Run this updated playbook on rtr2:
[user@ansible ~]$ ansible-playbook playbook.yml -l rtr2
The configuration on the rtr2 Cisco router will look as follows:
rtr2#sh run | i name-server
ip name-server 1.1.1.1
The variable configured in the playbook now has precedence over the defaults
directory. In fact, any other spot you configure variables would win over the values in the defaults
directory.
Highest precedence
Specifying variables in the defaults
directory within a role will always take the lowest precedence, while specifying vars
as extra vars with the -e
or --extra-vars=
will always take the highest precedence, no matter what. Re-running the playbook with the -e
option overrides both the defaults
directory (8.8.4.4 and 8.8.8.8) as well as the newly created vars
within the playbook that contains the 1.1.1.1 dns server.
[user@ansible ~]$ ansible-playbook playbook.yml -e "dns=192.168.1.1" -l rtr3
The result on the Cisco IOS XE router will only contain the highest precedence setting of 192.168.1.1:
rtr3#sh run | i name-server
ip name-server 192.168.1.1
How is this useful? Why should you care? Extra vars are commonly used by network operators to override defaults. A powerful example of this is with the Job Template Survey feature on AWX or the Red Hat Ansible Automation Platform. It is possible through the web UI to prompt a network operator to fill out parameters with a Web form. This can be really simple for non-technical playbook writers to execute a playbook using their Web browser.
Update an installed role
The Ansible Galaxy page for a role lists all available versions. To update a locally installed role to a new or different version, use the ansible-galaxy install
command with the version and --force
option. You may also need to manually update any dependent roles to support this version. See the role Read Me tab in Galaxy for dependent role minimum version requirements.
[user@ansible]$ ansible-galaxy install mynamespace.my_role,v2.7.1 --force
See also
- Ansible Galaxy documentation
Ansible Galaxy user guide