The debops run/check commands
DebOps roles can store encrypted secrets (passwords and other confiential data)
in a project directory, under ansible/secret/
subdirectory. For normal
operation, the secrets need to be unlocked so that Ansible roles and playbooks
can access and manipulate them. To make this process easier, DebOps provides
the debops run and debops check commands which will
automatically unlock and lock the encrypted secrets as needed.
An additional benefit of using these commands is that the user does not have to provide a full path to the playbooks - the script will try to find the correct playbook in a set of different directories or even inside Ansible Collections.
debops run
Execute one or more Ansible Playbooks against the Ansible inventory. Playbooks
are included with the DebOps installation by default, they can be provided by
Ansible Collections or stored in the ansible/playbooks/
subdirectory in
the DebOps project directory. You can also specify full path to an Ansible
playbook on disk.
The debops run command will automatically unlock and lock the
encrypted ansible/secret/
directory as needed, to give the playbooks
and roles access to secrets. If git-crypt
is used for secret encryption,
this process might fail if the project directory contains uncommitted changes.
Easiest way to mitigate this is to unlock the project directory using the
debops project unlock
command before making any changes.
Options
The options below need to be specified before any playbooks to take effect.
-h, --help
Display the help and usage information
--project-dir <project_dir>
Path to the project directory to work on. If it's not specified, the script will use the current directory.
-V <view>, --view <view>
Specify the name of the "infrastructure view" to use for running Ansible playbooks. If not specified, the default view will be used automatically. Using this option overrides the automatic view detection performed by DebOps based on the current working directory.
-E, --bell
Emit an ASCII "bell" at the end of the ansible-playbook command execution to notify the user. This might be useful during longer playbook runs.
--eval
Do not execute ansible-playbook command; instead print out all the environment variables and the command itself to stdout.
-v, --verbose
Increase output verbosity. More letters means higher verbosity.
--
Mark the end of the debops run options. Any of the options after this mark will be passed to the ansible-playbook command as-is.
<[<namespace>.<collection>/]playbook>
Specify one or more Ansible Playbooks to execute.
If you specify simple names like
site
,service/core
and similar, the script will look for the corresponding playbooks in the default Ansible Collection (debops.debops
). If not found there, theansible/playbooks/
subdirectory in the current DebOps project directory will be checked next. Finally the name will be assumed to be a normal filesystem path with optional.yml
or.yaml
extension.You can also specify the namespace and collection at the start of the path to select a specific collection instead of the default one, for example
debops.debops/site
ordebops.debops/service/core
. The playbooks should be stored in theplaybooks/
subdirectory of the Ansible Collection, you can use subdirectories to manage a large set of playbooks easier.[ansible_args]
You can specify all arguments supported by the ansible-playbook command to augment the execution, for example
--diff
,--check
,--limit
, and so on. See ansible-playbook --help for more details.
Examples
Execute the site.yml
DebOps playbook against all hosts in the Ansible
inventory:
debops run site
Run the layer/common.yml
DebOps playbook against specific hosts in the
Ansible inventory. User will be notified at the end of playbook execution:
debops run -E layer/common -l webserver,dbserver,appserver
Display the commands which will run a DebOps playbook for a specific service on specific hosts:
debops run --eval service/mariadb_server -l dbservers
Do the same as above, by specifying the Ansible Collection in which to look for the playbook:
debops run --eval debops.debops/service/mariadb_server -l dbservers
Run a playbook from a custom Ansible Collection in a specific "infrastructure view" meant to be used to deploy an application:
debops run -V deployment company.collection/app/setup -l appservers
Run a playbook with DebOps in a verbose debug mode:
debops run -vvv service/sshd -l webserver
Same as above, but also enable verbose debug mode in Ansible itself:
debops run -vvv service/sshd -l webserver -vvv
debops check
Execute one or more Ansible Playbooks against the Ansible inventory in check
mode. This command behaves the same as the debops run command, but
automatically adds the --diff
and --check
ansible-playbook
options to enable the "check mode". In this mode, Ansible will execute the
playbook without making any actual changes to the host.