Docker image for ansible

All #awesome-ci Docker images

ansible • ansible-lint • awesome-ci • black • checkmake • eslint • file-lint • gofmt • goimports • golint • jsonlint • phpcbf • phpcs • phplint • php-cs-fixer • pycodestyle • pylint • terraform-docs • terragrunt • terragrunt-fmt • yamlfmt • yamllint

All #awesome-ci Makefiles

Visit cytopia/makefiles for seamless project integration, minimum required best-practice code linting and CI.

View Dockerfile on GitHub.

Tiny Alpine-based multistage-build dockerized version of Ansible[1] in many different flavours. It comes with Mitogen[2] to speed up your runs by up to 600%[3][4] (see Examples). The image is built nightly against multiple stable versions and pushed to Dockerhub.

• [1] Official project: https://github.com/ansible/ansible
• [2] Official project: https://github.com/dw/mitogen
• [3] How to Speed Up Your Ansible Playbooks Over 600%
• [4] Mitogen for Ansible

Available Docker image versions

Ansible base

The following Ansible Docker images are as small as possible and only contain Ansible itself.

Ansible tools

The following Ansible Docker images contain everything from Ansible base and additionally: bash, git, gpg, jq, ssh and Ansible mitogen strategy plugin (see Examples).

Ansible aws

The following Ansible Docker images contain everything from Ansible tools and additionally: aws-cli, boto, boto3 and botocore.

Ansible awsk8s

The following Ansible Docker images contain everything from Ansible aws and additionally: openshift and kubectl.

Ansible awskops

The following Ansible Docker images contain everything from Ansible awsk8s and additionally: kops in its latest patch level version.

Kops 1.12 (latest 1.12.x)

---------- More kops images truncated due to Dockerhubs limit on description size. See GitHub page for all tags ----------

Ansible awshelm

The following Ansible Docker images contain everything from Ansible awsk8s and additionally: helm in its latest patch level version.

Helm 2.14 (latest 2.14.x)

---------- More helm images truncated due to Dockerhubs limit on description size. See GitHub page for all tags ----------

Docker environment variables

Environment variables are available for all flavours except for Ansible base.

Docker mounts

The working directory inside the Docker container is /data/ and should be mounted locally to the root of your project where your Ansible playbooks are.

Examples

Run Ansible playbook

docker run --rm -v $(pwd):/data cytopia/ansible ansible-playbook playbook.yml

Run Ansible playbook with Mitogen

Mitogen updates Ansible’s slow and wasteful shell-centric implementation with pure-Python equivalents, invoked via highly efficient remote procedure calls to persistent interpreters tunnelled over SSH.

No changes are required to target hosts. The extension is considered stable and real-world use is encouraged.

Configuration

ansible.cfg

[defaults]
strategy_plugins = /usr/lib/python3.6/site-packages/ansible_mitogen/plugins/strategy
strategy         = mitogen_linear

Invocation

docker run --rm -v $(pwd):/data cytopia/ansible:latest-tools ansible-playbook playbook.yml

Further readings:

• Mitogen on GitHub
• Mitogen Documentation
• How to Speed Up Your Ansible Playbooks Over 600%
• Speed up Ansible with Mitogen

Run Ansible playbook with non-root user

# Use 'ansible' user inside Docker container
docker run --rm \
  -e USER=ansible \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

# Use 'ansible' user inside Docker container
# Use custom uid/gid for 'ansible' user inside Docker container
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible playbook with local ssh keys mounted

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.ssh/:/home/ansible/.ssh/:ro \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible playbook with local gpg keys mounted

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible Galaxy

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-galaxy install -r requirements.yml

Run Ansible playbook with AWS credentials

# Basic
docker run --rm \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws ansible-playbook playbook.yml

# With AWS Session Token
docker run --rm \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws ansible-playbook playbook.yml

# With ~/.aws/ config and credentials directories mounted (read/only)
# If you want to make explicit use of aws profiles, use this variant
# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.aws/config:/home/ansible/.aws/config:ro \
  -v ${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws ansible-playbook playbook.yml

Run Ansible playbook against AWS and gpg vault initialization

Imagine your Ansible vault uses a script to gpg encrypt the passphrase for team members against multiple gpg keys. Using Docker will not allow you to have a popup open where you can enter the gpg key password. To circumvent this, you will need to initialize the gpg key password and then run Ansible.

The following Ansible vault script which can be shows how this is setup:

#!/bin/sh
# Read password from argument
if [ "${#}" -gt "0" ]; then
	gpg --pinentry-mode loopback --passphrase "${1}" --decrypt vault/pass.gpg
# Ask for password or use keyring (does not work inside Docker)
else
	gpg --batch --use-agent --decrypt vault/pass.gpg
fi

With this in mind the Ansible call would look as follows

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.aws/config:/home/ansible/.aws/config:ro \
  -v ${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible \
  sh -c './vault/open_vault.sh '''THE_GPG_PASSWORD_HERE'''; ansible-playbook playbook.yml'

• Note 1: the quoting for the GPG password is required in case you are using a ! as part of the passwort
• Note 2: every $ sign in your password will require 3 backslashes in front of it: \\\$

As the command is getting pretty long, you could wrap it into a Makefile.

ifneq (,)
.error This Makefile requires GNU Make.
endif

.PHONY: dry run

CURRENT_DIR = $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
GPG_PASS =

dry:
	docker run --rm \
		-e USER=ansible \
		-e MY_UID=1000 \
		-e MY_GID=1000 \
		-v $${HOME}/.aws/config:/home/ansible/.aws/config:ro \
		-v $${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
		-v $${HOME}/.gnupg/:/home/ansible/.gnupg/ \
		-v $(CURRENT_DIR):/data \
		cytopia/ansible \
		sh -c './vault/open_vault.sh '''$(GPG_PASS)'''; ansible-playbook playbook.yml --check'

run:
	docker run --rm \
		-e USER=ansible \
		-e MY_UID=1000 \
		-e MY_GID=1000 \
		-v $${HOME}/.aws/config:/home/ansible/.aws/config:ro \
		-v $${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
		-v $${HOME}/.gnupg/:/home/ansible/.gnupg/ \
		-v $(CURRENT_DIR):/data \
		cytopia/ansible \
		sh -c './vault/open_vault.sh '''$(GPG_PASS)'''; ansible-playbook playbook.yml'

Then you can call it easily:

make dry GPG_PASS='THE_GPG_PASSWORD_HERE'
make run GPG_PASS='THE_GPG_PASSWORD_HERE'

Related #awesome-ci projects

Docker images

Save yourself from installing lot's of dependencies and pick a dockerized version of your favourite linter below for reproducible local or remote CI tests:

GitHub	DockerHub	Type	Description
awesome-ci		Basic	Tools for git, file and static source code analysis
file-lint		Basic	Baisc source code analysis
ansible		Ansible	Multiple versions and flavours of Ansible
ansible-lint		Ansible	Lint Ansible
gofmt		Go	Format Go source code [1]
goimports		Go	Format Go source code [1]
golint		Go	Lint Go code
eslint		Javascript	Lint Javascript code
jsonlint		JSON	Lint JSON files [1]
checkmake		Make	Lint Makefiles
phpcbf		PHP	PHP Code Beautifier and Fixer
phpcs		PHP	PHP Code Sniffer
phplint		PHP	PHP Code Linter [1]
php-cs-fixer		PHP	PHP Coding Standards Fixer
black		Python	The uncompromising Python code formatter
pycodestyle		Python	Python style guide checker
pylint		Python	Python source code, bug and quality checker
terraform-docs		Terraform	Terraform doc generator (TF 0.12 ready) [1]
terragrunt		Terraform	Terragrunt and Terraform
terragrunt-fmt		Terraform	terraform fmt for Terragrunt files [1]
yamlfmt		Yaml	Format Yaml files [1]
yamllint		Yaml	Lint Yaml files

[1] Uses a shell wrapper to add enhanced functionality not available by original project.

Makefiles

Visit cytopia/makefiles for dependency-less, seamless project integration and minimum required best-practice code linting for CI. The provided Makefiles will only require GNU Make and Docker itself removing the need to install anything else.

License

MIT License

Copyright (c) 2019 cytopia