X

Solaris News, Views, and Real-World Experiences from the Field

  • August 14, 2017

Installing Ansible on Solaris 11.3 (Updated)

Scott Dickson
Enterprise Systems Architect

Lately, I have been involved in a number of customer projects involving Ansible to manage various aspects of a Solaris environment, notably on the SPARC Model 300 in the Oracle Compute Cloud. Since Ansible does not ship with Solaris and is not natively in the Solaris repository of free or open source software, we have to add it to the system.  This blog shows how to do that.

Ansible is a Python-based tool for configuration management and configuration of systems of all sorts.  Rather than relying on an agent to carry out its actions (like Puppet or Chef), Ansible relies on its ability to ssh into a system to carry out its work.  I have found Ansible easy to learn, easy to use, and easy to extend to do what I need.  More about some of that in subsequent posts.

Since Ansible replies on Python, one might choose to just use pip to install it, and that's fine.  But, it seemed to me that using as much as possible of the installed and supported Python modules and libraries delivered with Solaris would lead to an overall more stable experience.  It removes the need to use Python's virtualenv capability or to have to deal with version conflicts between the OS-delivered libraries and Ansible's requirements.

Often, there might be an Ansible management node within an environment.  This can be for centralization, key management, security, or whatever.  In my case, I created a separate kernel zone to act as my Ansible launching pad.  Nothing special about creating this kernel zone.  I just did a regular zonecfg create for the kernel zone.  When I installed it, I used my own manifest and system configuration profile.

The key bit of the manifest was what packages to install.  By default, a kernel zone is built with solaris-small-server, which is sufficient.  But here there are a number of other required packages.  Notable, you need a C compiler and you need several pieces from the developer/gnu package.  (I believe that the whole package is not required, but it turned into too much trouble to figure out which pieces I could get rid of, so I kept the whole thing.)

Ansible works much better with OpenSSH than with the older SunSSH shipped with Solaris.  So, we include OpenSSH in our manifest.  If you wanted to avoid the SunSSH, you could use  <software_data action="avoid"> to avoid installing it if you wanted.  Instead, once I have installed the kernel zone, I just use

# pkg set-mediator -I openssh ssh

to select openssh as the default implementer for ssh.

Then, there are a number of Python libraries required for Ansible.  If you were to just use pip to install Ansible, it would pull all of these down from PyPi.  But, I especially wanted to use as much from Solaris as possible.  In this way, I can avoid some of the version mismatches with other Python utilities on the system.  Turns out for base Ansible there are just these few libraries.  I also experimented with the Ansible OpenStack libraries.  These install nicely and work, but they do break some other parts of Solaris in doing so.  More about that in another blog post.  For now, just add these libraries and Ansble installs nicely.

 

      <software_data action="install">
        <name>pkg:/entire@0.5.11-0.175.3.18</name>
        <name>pkg:/group/system/solaris-small-server</name>
        <name>pkg:/developer/gcc</name>
        <name>pkg:/developer/gnu</name>
        <name>pkg:/network/openssh</name>
        <name>pkg:/library/security/openssl/openssl-fips-140</name>
        <name>pkg:/library/python/cffi</name>
        <name>pkg:/library/python/jinja2</name>
        <name>pkg:/library/python/pyyaml</name>
        <name>pkg:/library/python/paramiko</name>
        <name>pkg:/library/python/setuptools</name>
        <name>pkg:/library/python/pyasn1</name>
        <name>pkg:/library/python/cryptography</name>
        <name>pkg:/library/python/six</name>
        <name>pkg:/library/python/ipaddress</name>
        <name>pkg:/library/python/pycparser</name>
      </software_data>

In my system configuration profile, I did nothing that was not very stock.  You could use sysconfig interactively if you preferred.  All it does is assign IP addresses, system identity, and the initial users in my case, at least for the Ansible management node.

EDIT - 1 Sep 2017

Of course, I left something out before.  In order to make the installation work,  you need to provide some options to gcc and make sure that the builder can find the compiler that you already installed.

You need to do this:

# ln -s /usr/bin/gcc /usr/bin/cc
# export CC=gcc
# export CFLAGS="-I/usr/include/gmp -I/usr/lib/libffi-3.0.9/include -I/usr/include/openssl/fips-140"

END of EDIT

Once the kernel zone (or non-global zone or LDom or bare metal - doesn't really matter) is built, log into it and actually install Ansible.  You still use pip for this, since that's the best way to get ansible installed.

 


root@wkshpvm03:~# pip install ansible
Collecting ansible
  Downloading ansible-2.3.2.0.tar.gz (4.3MB)
    100% |████████████████████████████████| 4.3MB 140kB/s
Requirement already satisfied: jinja2 in /usr/lib/python2.7/vendor-packages (from ansible)
Requirement already satisfied: PyYAML in /usr/lib/python2.7/vendor-packages (from ansible)
Requirement already satisfied: paramiko in /usr/lib/python2.7/vendor-packages (from ansible)
Collecting pycrypto>=2.6 (from ansible)
  Downloading pycrypto-2.6.1.tar.gz (446kB)
    100% |████████████████████████████████| 450kB 1.3MB/s
Requirement already satisfied: setuptools in /usr/lib/python2.7/vendor-packages (from ansible)
Requirement already satisfied: markupsafe in /usr/lib/python2.7/vendor-packages (from jinja2->ansible)
Requirement already satisfied: cryptography>=0.8 in /usr/lib/python2.7/vendor-packages (from paramiko->ansible)
Requirement already satisfied: pyasn1>=0.1.7 in /usr/lib/python2.7/vendor-packages (from paramiko->ansible)
Requirement already satisfied: idna>=2.0 in /usr/lib/python2.7/vendor-packages (from cryptography>=0.8->paramiko->ansible)
Requirement already satisfied: six>=1.4.1 in /usr/lib/python2.7/vendor-packages (from cryptography>=0.8->paramiko->ansible)
Requirement already satisfied: enum34 in /usr/lib/python2.7/vendor-packages (from cryptography>=0.8->paramiko->ansible)
Requirement already satisfied: ipaddress in /usr/lib/python2.7/vendor-packages (from cryptography>=0.8->paramiko->ansible)
Requirement already satisfied: cffi>=1.4.1 in /usr/lib/python2.7/vendor-packages (from cryptography>=0.8->paramiko->ansible)
Requirement already satisfied: pycparser in /usr/lib/python2.7/vendor-packages (from cffi>=1.4.1->cryptography>=0.8->paramiko->ansible)
Installing collected packages: pycrypto, ansible
  Running setup.py install for pycrypto ... done
  Running setup.py install for ansible ... done
Successfully installed ansible-2.3.2.0 pycrypto-2.6.1

 

You see that most of the prerequisites got satisfied by the packages we installed in the AI manifest.  PyCrypto and Ansible itself were the only things that had to be added, and neither of them ships with Solaris.

At this point, ansible is ready to go.  Set up your ansible.cfg and hosts files to suit your needs and jump in. 

root@wkshpvm04:~# ansible -m ping wkshpvm02
/usr/lib/python2.7/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
wkshpvm02 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

Happy Ansible-ing!  More on my adventures with Ansible on future posts.

Join the discussion

Comments ( 5 )
  • Solar Tuesday, August 15, 2017
    You don't need paramiko and pycrypto... In fact you don't need pip at all.

    https://crc32c.blogspot.com/2017/05/ansible-23-on-solaris-113.html
  • Scott Dickson Tuesday, August 15, 2017
    Even better! I was sticking with pip since it would be pretty familiar to people and would be easy to use to add additional modules.

    But, thanks for sharing your work. We both decided OpenSSH is the right answer.
  • anon Friday, August 25, 2017
    Any plans on getting Ansible officially into Solaris 11?
  • Scott Dickson Tuesday, August 29, 2017
    Personally, I would love to see Ansible integrated into Solaris. But, unfortunately, I don't know of any plans in that direction. Not to say that the folks in engineering might not have other visibility.
  • Thomas Wagner Wednesday, October 11, 2017
    For Solaris 11.3 X86 there is now an IPS package for ansible 2.4.0 in the SFE project.
    It adds the dependencies phython/ipaddress-27 (if your OS is below SRU14) and python/setuptools-27@36.5
    Projekt page: http://sfe.opencsw.org

    If it works out, there should be sparc packages available end of november 2017.
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha

Recent Content

Oracle

Integrated Cloud Applications & Platform Services