Ansible: installing the latest Ansible on Ubuntu


Categories: Automation

Update Sep 2023: Installing ansible-core at user level (not system) with pip

Ansible is an agentless configuration management tool that helps operations teams manage installation, patching, and command execution across a set of servers.

In this article I’ll describe how to install the latest release of Ansible.

Install Python3

Have Python3 installed at the system level (which does require sudo privileges).

# required python3 apt packages
sudo apt update
sudo apt install -y software-properties-common python3 python3-pip python3-setuptools

# check versions
python3 --version
pip3 --version

Install Ansible at user-level (recommended)

The user-level installation of Ansible is the preferred method, does not require elevated privileges, and provides isolation of pip modules and Galaxy collections.

# use latest setuptools
pip3 install --upgrade setuptools --user
# avoid known errors by having these pip modules installed
pip3 install 'resolvelib<0.6.0' requests paramiko --user
# install Ansible at user level
pip3 install ansible-core --user

# add user binaries to PATH, check version
export PATH=$PATH:~/.local/bin
which ansible
ansible --version
ansible-galaxy --version

Install Ansible at system level

Even if this is not the recommended best-practice, you can install Ansible at the system level (so all users get the installation).  The Ansible ppa is a convenient method that also provides a constant upgrade path.

We will add the ppa according to the newer apt security standards with a ‘signed-by’ attribute referring to the public signing key (‘signing key’ listed on ppa page).  ‘add-apt-repository’ is convenient, but would use the deprecated syntax.

# download gpg public key for ansible ppa
curl -fsSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x93c4a3fd7bb9c367' | sudo tee /usr/share/keyrings/ansible-ppa.asc
sudo chmod 644 /usr/share/keyrings/ansible-ppa.asc

# if you want to verify that 'signing key' on web page matches downloaded .asc
sudo apt install -y gpg
gpg /usr/share/keyrings/ansible-ppa.asc

# add custom apt repo for Ansible ppa
echo deb [signed-by=/usr/share/keyrings/ansible-ppa.asc] http://ppa.launchpad.net/ansible/ansible/ubuntu $(lsb_release -sc) main | sudo tee "/etc/apt/sources.list.d/ansible-ppa.list"

# install Ansible at system level with apt
sudo apt update
sudo apt policy ansible-core
sudo apt install -y ansible-core

# enable 'other' executable permissions on binaries
sudo chmod o+rx /usr/bin/ansible*
# share python global packages with 'other'
for pydir in $(sudo find /usr/local/lib -maxdepth 1 -type d -name 'python*'); do sudo chmod o+rx $pydir; sudo chmod o+rx -R $pydir/dist-packages; done

# check versions
which ansible
ansible --version
ansible-galaxy --version

Although system-level installation seems like a better way to bulk administer upgrades and Python module access, it does have pitfalls.

  • When you install a newer version of Python or install a new pip module at the system level, you will need to ensure permissions are set for all users to the ‘dist-packages’ directories
  • Ansible Galaxy is also designed for user-level isolation, and there are many Galaxy collections that have pip module dependencies, so those pip dependencies will need to be installed at the system level

Smoke Test

Finally, run a quick test for validation.

# ping module, ignore warnings
$ ansible -m ping localhost

localhost | SUCCESS => {
"changed": false,
"ping": "pong"
}

 

REFERENCES

launchpad, Ansible ppa

ansible.com, installing Ansible

github issue, Ansible galaxy will error unless correct version of resolvelib

fabianlee.org, avoid CryptographyDeprecationWarning error by having paramiko module

ansible ppa on launchpad.net

stackexchange.com, using ‘gpg’ to replace key fetch done by ‘add-apt-repository’

fostips.com, correctly adding gpg key instead of add-apt-repository.  using gpg to fetch key from keyserver

digitalocean, installing Ansible on Ubuntu 22 with ppa using add-apt-repository

NOTES

installing with pip from behind proxy

sudo pip3 install requests --proxy mysquid:3128

retrieving Ansible gpg key behind proxy

sudo apt-key adv --keyserver-options http-proxy=http://mysquid:3128/ --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6125e2a8c77f2818fb7bd15b93c4a3fd7bb9c367

Installing Ansible at system level with ppa

sudo -E apt-add-repository --yes --update ppa:ansible/ansible
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367
sudo apt-get update && sudo apt-get install ansible-core -y