24

I'm new to Ansible. Here's my task ...

I have 400+ hosts, and I need to verify if 5 different ports are open from their end to our web server.

Individually, I could log in and run:

telnet mywebserver.com 443
telnet mywebserver.com 80
telnet mywebserver.com 8443

..and so on..

What module or plugin could be used in Ansible so I could automate this, and have it report the results (whether open or closed ports) back to my Ansible server?

Pierre.Vriens
  • 7,205
  • 14
  • 37
  • 84
AWhitaker
  • 351
  • 1
  • 2
  • 5

4 Answers4

36

You can use the Ansible wait_for module which checks a specific TCP port is open.

Since in this case, all ports should be open already, we can use a minimal no. of retries, just enough to cover network issues:

- name: Check all port numbers are accessible from the current host
  wait_for:
    host: mywebserver.com
    port: "{{ item }}"
    state: started         # Port should be open
    delay: 0               # No wait before first check (sec)
    timeout: 3             # Stop checking after timeout (sec)
  ignore_errors: yes
  with_items:
    - 443
    - 80
    - 80443

By default, Ansible will check once every second (configurable in Ansible 2.3 using the sleep attribute), so this will check 3 times per port.

Run this in a playbook against your inventory of 400+ hosts - Ansible will check in parallel that all hosts can reach mywebserver.com on those ports.

  • the parallelism is subject to the forks setting in your ansible.cfg.

We use ignore_errors: yes here so that any errors are marked in red but do not stop execution.

Open ports are reported as ok items in output and closed ports are reported as failed (you must use -vv flag on ansible-playbook to see this output).

Fine-tuning output

If you want more specific output for the success and failure cases, the code must be more complex, adding a second task:

  • wait_for task must register a variable
  • the second task produces output using debug based on success/failure condition (e.g. using Jinja2 conditional expression)
  • then you need to put both these tasks in an include file (without any with_items loop), and write a main playbook task that uses an include ... with_items to call the include file once per port.
windyzboy
  • 103
  • 2
RichVel
  • 892
  • 6
  • 16
  • Importantly they'd need to set host: mywebserver.com. – Xiong Chiamiov Aug 05 '17 at 18:18
  • @XiongChiamiov - host: x is not required. I just re-tested with Ansible 2.3.1 and the host attribute of wait_for tasks defaults to the current server being processed from inventory. – RichVel Aug 06 '17 at 09:02
  • Exactly, which is why OP needs to override it: they're testing connectivity to another webserver from all of their servers (re-read the question). – Xiong Chiamiov Aug 06 '17 at 15:18
  • 2
    Good point, have updated the answer with hosts attribute. – RichVel Aug 07 '17 at 06:47
  • Thank you! This works for me, and gives me enough to work on. – AWhitaker Aug 07 '17 at 17:29
  • Have to mention that wait_for works only for TCP ports – storm Jul 18 '18 at 11:00
  • @storm - good point, edited to mention TCP only for wait_for. However, checking for open UDP ports is hard because it has no concept of a connection (only what the application defines) - a UDP check would require various steps beyond scope of Ansible - see this answer. – RichVel Jul 28 '18 at 06:45
  • Ansible 2.5 has deprecated with_items etc, replacing them with the loop construct - see this section of the Ansible 2.5 porting guide. You might want to do a set_fact to create a ports fact containing list of ports, then use ports instead of the items in porting guide. – RichVel Feb 14 '19 at 09:36
  • Actually Ansible 2.5 did not deprecate with_items and other lookup-based loops, though it did deprecate some other with* loops - see the top of docs page on loops. However, it is possible to re-write them with the loop construct. – RichVel Apr 09 '21 at 09:48
2

AFAIK there is no built-in module for this purpose, but you can use shell + nc:

---
- hosts: all
  tasks:
    - shell: nc -z -w 1 -G 1 my.hostname.com {{ item }} || echo "Port {{ item }} is closed"
      with_items: [80,443,8443]
Konstantin Suvorov
  • 1,093
  • 5
  • 8
0

You can use wait_for module for the same

example quoted from the documentation:

- name: Wait 300 seconds for port 8000 of any IP to close active connections, don't start checking for 10 seconds
  wait_for:
    host: 0.0.0.0
    port: 8000
    delay: 10
    state: drained
Tensibai
  • 11,366
  • 2
  • 35
  • 62
user128364
  • 109
  • 3
0

We use our tool dda-serverspec (https://github.com/DomainDrivenArchitecture/dda-serverspec-crate) for such tasks. You may define your expectation

{:netcat [{:host "mywebserver.com" :port "443"} {:host "telnet mywebserver.com" :port "80"} {:host "telnet mywebserver.com" :port "8443"}]}

and test these expectation either against localhost or remote by ssh. For remote tests you've to define a targets:

{:existing [{:node-name "test-vm1"
:node-ip "35.157.19.218"}
{:node-name "test-vm2" :node-ip "18.194.113.138"}] :provisioning-user {:login "ubuntu"}}

You may run the test by java -jar dda-serverspec.jar --targets targets.edn serverspec.edn

jerger
  • 141
  • 2
  • 2