26

I'm new to Ansible. Here's my task ...

I have 400+ hosts, and I need to verify if 5 different ports are open from their end to our web server.

Individually, I could log in and run:

telnet mywebserver.com 443
telnet mywebserver.com 80
telnet mywebserver.com 8443

..and so on..

What module or plugin could be used in Ansible so I could automate this, and have it report the results (whether open or closed ports) back to my Ansible server?

Pierre.Vriens
  • 7,225
  • 14
  • 39
  • 84
AWhitaker
  • 371
  • 1
  • 3
  • 5

4 Answers4

37

You can use the Ansible wait_for module which checks a specific TCP port is open.

Since in this case, all ports should be open already, we can use a minimal no. of retries, just enough to cover network issues:

- name: Check all port numbers are accessible from the current host
  wait_for:
    host: mywebserver.com
    port: "{{ item }}"
    state: started         # Port should be open
    delay: 0               # No wait before first check (sec)
    timeout: 3             # Stop checking after timeout (sec)
  ignore_errors: yes
  with_items:
    - 443
    - 80
    - 80443

By default, Ansible will check once every second (configurable in Ansible 2.3 using the sleep attribute), so this will check 3 times per port.

Run this in a playbook against your inventory of 400+ hosts - Ansible will check in parallel that all hosts can reach mywebserver.com on those ports.

  • the parallelism is subject to the forks setting in your ansible.cfg.

We use ignore_errors: yes here so that any errors are marked in red but do not stop execution.

Open ports are reported as ok items in output and closed ports are reported as failed (you must use -vv flag on ansible-playbook to see this output).

Fine-tuning output

If you want more specific output for the success and failure cases, the code must be more complex, adding a second task:

  • wait_for task must register a variable
  • the second task produces output using debug based on success/failure condition (e.g. using Jinja2 conditional expression)
  • then you need to put both these tasks in an include file (without any with_items loop), and write a main playbook task that uses an include ... with_items to call the include file once per port.
windyzboy
  • 103
  • 2
RichVel
  • 902
  • 6
  • 16
2

AFAIK there is no built-in module for this purpose, but you can use shell + nc:

---
- hosts: all
  tasks:
    - shell: nc -z -w 1 -G 1 my.hostname.com {{ item }} || echo "Port {{ item }} is closed"
      with_items: [80,443,8443]
Konstantin Suvorov
  • 1,123
  • 5
  • 8
0

You can use wait_for module for the same

example quoted from the documentation:

- name: Wait 300 seconds for port 8000 of any IP to close active connections, don't start checking for 10 seconds
  wait_for:
    host: 0.0.0.0
    port: 8000
    delay: 10
    state: drained
Tensibai
  • 11,416
  • 2
  • 37
  • 63
user128364
  • 109
  • 3
0

We use our tool dda-serverspec (https://github.com/DomainDrivenArchitecture/dda-serverspec-crate) for such tasks. You may define your expectation

{:netcat [{:host "mywebserver.com" :port "443"} {:host "telnet mywebserver.com" :port "80"} {:host "telnet mywebserver.com" :port "8443"}]}

and test these expectation either against localhost or remote by ssh. For remote tests you've to define a targets:

{:existing [{:node-name "test-vm1"
:node-ip "35.157.19.218"}
{:node-name "test-vm2" :node-ip "18.194.113.138"}] :provisioning-user {:login "ubuntu"}}

You may run the test by java -jar dda-serverspec.jar --targets targets.edn serverspec.edn

jerger
  • 141
  • 2
  • 2