SlideShare a Scribd company logo

Ansible: How to Get More Sleep and Require Less Coffee

Download as PPTX, PDF
Sarah Z
Sarah Z

Why you need automation, configuration management and remote execution in your life. An intro to Ansible and how it can make your life in Ops infinitely easier.

Technology
1 of 64
How to Get More Sleep and Require Less Coffee Sarah Zelechoski @szelechoski Providence VMUG – 06/19/2014
State of Ops
Why We Sleep on the Couch We’re the ones they call when • “The website is down” • The customer is having an “weird” issue • A critical exploit just entered the wild • “I can’t login to the domain” • New deployment off hours • Offshore needs 6 new VMs for testing • “I’m doing a customer demo at 8AM”
Why We Own DNKN We’re seriously overloaded • Building VM templates • Configuring clusters • Storage management • Networking • Software deployment • User/Group Authentication/Authorization • Performance Testing • OS Upgrades • Software Upgrades • Security Patching • Troubleshooting • Customer Support • Development Labs • Alerting/Monitoring
Guys What R U Doin • Building VM templates • ISO install and configuration • Network setup • Set up users/group, security, authentication/authorization • Software install and configuration • Building out clusters • Cloning N number of VMs from X number of templates • Hostname/network configuration • Firewalling • Software deployments • Turn off monitoring/alerting • Pull nodes out of Load Balanced Group • Run DB migrations • Deploy application code • Restart web server • Put nodes back in/turn monitoring back on • Server maintenance • SSH in to every server and restart a service • Write complex scripts to log in to every server and update openssl
Guys STAHP • Ad hoc is bad hoc • Complex shell scripts to account for every eventuality • DRY (yeah I used to be a ruby dev) • Any manual task can introduce human error • They shouldn’t have to call you on your on vacation
Put an M on It • Configuration Management (CM) • authoritative centralization of configuration data and actions • history of updates, changes for auditing purposes • define the exact state a system should be in • Infrastructure CM • define the state that a system should be in with respect to it’s configuration and use tools that achieve that state • enforce consistency across an entire environment • automate to increase efficiency and repeatability • easier to affect change (cloud provider, OS, etc.) • remove the human factor • disaster recovery
Tool Time • Puppet • great with Windows (as long as they’re not XP) • amazing Enterprise support • cryptic DSL (imo) • Chef • easy to learn if you’re a ruby developer! • amazing wealth of cookbooks • Almost too verbose • SaltStack
Ansible • Agentless! • Uses SSH (with one python requirement) • Everything is a YAML file • Structure is flexible (ad-hoc, playbooks, roles, orchestration) • Easily extensible via modules • Encryption and security built in • Full power at the CLI (open source!) • Even more features available in enterprise (Tower) • No Windows • Idempotent
Idempo-what? “Operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.” – wikipedia
Idempodent: Example • You need all your application servers’ tomcat setenv.sh to look like: JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat • You could get the job done with a classic echo command echo JAVA_HOME=/usr/java/latest >> /usr/local/tomcat/bin/setenv.sh echo JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" >> /usr/local/tomcat/bin/setenv.sh echo CATALINA_HOME=/usr/local/tomcat >> /usr/local/tomcat/bin/setenv.sh • But… • what if these lines already exist? • what if the file doesn’t exist on a few of the servers? • what if you needed to run your script again to update/restore another setting? • If you don’t know the beginning state of the system, the end state is unpredictable
Idempotent: Example • You could write a more complex script for i in $tomcat_env_file do echo "Processing file $i" # i hate this trick, but since a non match is status code 1 and that # will kill this script do an unless here that forces a zero has_java_home=$(grep -cE "^JAVA_HOME=" $i || true) if [ $has_java_home -eq 0 ]; then sed –f setenv-without-java-home.sed -i $i elif [ $has_java_home -eq 1 ]; then sed -f setenv-with-java-home.sed -i $i else echo "Something went very wrong. Please review $i and make sure there is only a single line containing ’JAVA_HOME=' and run script again" fi done
Ain’t Nobody Got Time For That • Use an idempotent CM tool • Tell the tool what state you need the system to be in • Tool will get you from A->Z or B->Z or even C->Z • Won’t get mangled configs • Won’t get conflicting packages • Won’t get mismatched versions • Won’t get error messages you have to handle for each unique case
Ansible: Example • template the setenv.sh file we want # {{ ansible_managed }} JAVA_HOME={{java_home}}latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME={{tomcat_home}} • provide defaults (in yml!) --- java_home: /usr/java/ tomcat_home: /usr/local/tomcat tomcat_user: {name: ‘tomcat’, group: ‘tomcat’}
Ansible: Example • write ansible task - name: Apache Tomcat | Configure | Overlay configuration template: src='setenv.j2' dest='{{tomcat_home}}/bin/setenv.sh' owner={{tomcat_user.name}} group={{tomcat_user.group}} • profit! $ cat /usr/local/tomcat/bin/setenv.sh # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/tomcat- 7/templates/cloud/app/setenv.j2 modified on 2014-04-04 13:18:35 by vagrant on vagrant JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat
Structure • Inventory • Modules • Ad Hoc Commands • Playbooks • Tasks • Variables • Templates • Handlers • Roles
Inventory: Example [production:children] webservers dbservers proxies [webservers] foo.example.com http_port=80 bar.example.com http_port=8080 [dbservers] db[01:03].example.com [dbservers:vars] pgsql_bind_nic=eth1 [proxies] 192.168.1.1 $ ansible production –a “echo hello” –u joe –k $ ansible dbservers –a “service postgresl restart” –u joe –U root –k -K
Dynamic vSphere Inventory • Any script that can output JSON can be used to generate dynamic inventory • Use pysphere (python) or rbvmomi (ruby) to communicate with vSphere/vCenter • Organize your VMs by folder or resource pool to translate in to group
Dynamic vSphere Inventory • https://github.com/RaymiiOrg/ansible-vmware $ python2 query.py -–list { "no_group": { "hosts": [ "vm0031", "vm0032", [...] "vm0999" ] }, "local": [ "127.0.0.1" ] }
Dynamic vSphere Inventory • Preface each command with the script $ ANSIBLE_HOSTS="/src/vmware-ansible/query.py" ansible all -m ping • Export an environmental variable $ export ANSIBLE_HOSTS="/src/vmware-ansible/query.py” $ ansible no_group -m ping
Modules • can be written in any language as long as they output JSON • take parameters and conditions to define desired state • handles processing of system resources, services, packages, files, etc. in idempotent fashion • “seek to avoid changes to the system unless a change needs to be made” • ansible comes preloaded with a plethora of modules • tons of community pull requests
Ad Hoc Commands • run a single, one-off command • run on a full or partial inventory • run on a single host • no need to save for later $ ansible webservers –m command –a “dpkg-query –W openssl” –u joe –k SSH password: foo.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10 bar.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10
Playbooks • More powerful configuration management • Kept in source control, developed, validated • Declare configurations of more complex mutli-system enviornments • Arrange and run tasks synchronously or asynchronously
Playbooks: Example --- - hosts: all remote_user: vagrant sudo: true sudo_user: root vars_files: - roles/vars/webserver.encrypt vars: lifecycle: dev roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/sudoers - roles/iptables - roles/clamav - roles/java-jdk-7 - roles/postgres - roles/apache - roles/tomcat-7 - { role: roles/tc-native, when: native== 'true' } - roles/ansible - roles/git - roles/liquibase - roles/cleanup post_tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}} ’port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat - '80' #httpd
Playbooks: Example $ ansible-playbook –i production webserver.yml –k –K $ ansible-playbook –i production webserver.yml –f 10 –k –K $ ansible-playbook –i production webserver.yml --list-hosts -k –K $ ansible-playbook –i production webserver.yml –-check –k –K
Tasks: Example module parameter iterator variable - name: Apache Tomcat | Install | Grab latest tomcat tarball get_url: url='{{tomcat.base_url}}{{item.sub_url}}{{item.file}}' dest='/tmp/{{item.file}}' with_items: tomcat.files - name: Apache Tomcat | Install | Extract archive shell: tar -xvzf /tmp/{{item.file}} -C /usr/local creates=/usr/local/{{item.target}} with_items: tomcat.files - name: Apache Tomcat | Install | Give ownership of install to tomcat user file: path=/usr/local/{{item.target}} state=directory owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.files - name: Apache Tomcat | Install | Symlink install directory file: src='/usr/local/{{item.target}}' path='/usr/local/tomcat' state='link' with_items: tomcat.files - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}' owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.config_files
Variables: • Simple YAML format • Can create arrays and hashes • Can substitute vars into vars • Vars can be defined at many levels (default, role ,playbook) • Can test conditionals on vars and require them • Can be filtered and manipulated with jinja2 • Can be matched to regex!
Variables: Example #################################### ## TOMCAT ## tomcat_home: '/usr/local/tomcat' tomcat: config_files: - {file: 'tomcat.j2', target: '/etc/init.d/tomcat'} - {file: 'setenv.j2', target: '{{tomcat_home}}/bin/setenv.sh'} - {file: 'server.j2', target: '{{tomcat_home}}/conf/server.xml'} default_webapps: ['ROOT','docs','examples','host-manager','manager'] base_url: 'http://www.gtlib.gatech.edu/pub/apache/tomcat/tomcat-7/v7.0.54/bin/' files: - {file: 'apache-tomcat-7.0.54.tar.gz', target: 'apache-tomcat-7.0.54'} user: {name: 'tomcat', group: 'tomcat'}
Templates • Templates are interpreted by jinja2 • stub out files • fill variables in differently depending on conditions • Powerful conditionals • Loops and iterators • Replace a file completely every time? • Yes. We configure for an end state.
Templates: Example # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd is true %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad is defined %} {% for item in ad.sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
Templates: Example # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/sudoers/templates/sudoers- debian.j2 modified on 2014-06-09 10:08:44 by vagrant on vagrant Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL yoda ALL= NOPASSWD: ALL Defaults:yoda !requiretty luke ALL=(ALL) ALL anakin ALL=(ALL) ALL %jedi ALL=(ALL) ALL
Handlers • Written just like a regular task • Only run if triggered by the notify directive • Indicates a change in the system state • Any module can be used for the handler action Handler - name: Restart Tomcat service: name=tomcat state=restarted Task - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}’ with_items: tomcat.config_files notify: Restart Tomcat
Roles • Break up configuration into repeatable chunks • Reduce, reuse, recycle • Clean, understandable structure • Stack on top of each other • Ansible Galaxy
Roles • active directory • ansible • apache • app-dynamics • artifactory • centos • clamav • cleanup • debian • git • gradle • iptables • java-jdk-6 • java-jdk-7 • jenkins • keystore • liquibase • local-users • postgres • sudoers • swarm • packer • tomcat-6 • tomcat-7 • tomcat-native • vmware-tools • zeromq
Roles • Structure roles/ tomcat-7/ defaults/ main.yml files/ blah.txt handlers/ main.yml meta/ main.yml tasks/ main.yml templates/ setenv.j2 tomcat.j2 server.j2 limits.j2 vars/ main.yml
Roles • Dependencies • Always run before the roles that depend on them • If dependencies are duplicated amongst roles, they will only be run once by default • Can use allow_duplicates to require a role to be run more than once with different conditions --- dependencies: - { role: liquibase } - { role: apache, port: 80 } - { role: postgres, dbname: appdb, bind_nice: eth1 }
Orchestration • “Rolling Updates” • Performing very complex infrastructure or cluster operations • Run plays in serial instead of parallel • Wait for certain conditions to move forward • Abort if certain percentage of failure
Orchestration: Example • turn off monitoring and alerting • remove application server from load balanced group • stop services • wait for services to stop fully • checkout new code from git • deploy webapp • restart services • wait for services to start fully • return to load blanced group
Example: Simple Service Restart • Problem • 50ish production customer VMs • Older CentOS 5 mixed with CentOS 6 • May or may not have python installed • Domain authentication • Need to restart livevault service
Example: Simple Service Restart • Create inventory • Dump IP addresses of customer VM into simple ansible inventory [customer_vms:vars] [customer_vms] 192.168.32.117 192.168.32.39 192.168.34.176 192.168.34.28 192.168.33.100 192.168.32.197 192.168.34.181 192.168.34.158 ...
Example: Simple Service Restart • Use an ad hoc command to make sure VMs are bootstrapped for Ansible $ ansible cusomter_vms -i oldvms –u domainjoe -s -U root -m raw -a "sudo yum install -y python-simplejson" -k –K • Restart the live vault service $ ansible customer_vms –i oldvms –u domainjoe –s –U root -m service –a "name=livevault state=restarted" –k -K
Example: Heartbleed • openssl exploit • good news: patched for your OS • other packages updated along with openssl • 6 different environments (production, test, demo, etc.) • may require service restarts • need verification of final state version
Example: Heartbleed --- hosts: all sudo: yes sudo_user: root tasks: - name: OpenSSL | Get current version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get current version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}" - name: OpenSSL | Apt | Install debconf-utils apt: pkg='debconf-utils' state='latest'
Example: Heartbleed - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0:amd64' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Upgrade Openssl apt: pkg='{{item}}' state='latest' update_cache='yes' install_recommends='yes' force='yes' with_items: - 'openssl' - 'libssl1.0.0' - name: OpenSSL | Get new version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get new version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"
Example: Heartbleed $ ansible-playbook -i cloud-daily, openssl.yml -u joe -k -K SSH password: sudo password [defaults to SSH password]: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u9, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u9" }
Example: Heartbleed TASK: [OpenSSL | Apt | Install debconf-utils] ********************************* ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Upgrade Openssl] *************************************** changed: [cloud-daily] => (item=openssl,libssl1.0.0) TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u11, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u11" } PLAY RECAP ******************************************************************** cloud-daily : ok=11 changed=5 unreachable=0 failed=0
Example: Join Domain • every new VM needs to be added to a domain • packages needed (winbind/samba) • domain could depend on environment • samba/winbind configuration different per machine • sudoers will be different per machine • domain admin must authenticate • this happens a lot • reusable playbook and roles
Example: Join Domain • Roles • install active directory requirements (active-directory) • join the assigned domain (active-directory-join) • maniuplate sudoers (sudoers)
Example: Join Domain • active-directory active-directory/ tasks/ main.yml templates/ nsswitch.j2 • tasks (main.yml) --- - name: AD Authentication| Install | Install dependencies for AD authentication apt: pkg={{item}} state=installed force=yes with_items: - krb5-user - libpam-krb5 - winbind - samba - name: AD Authentication | Configure | Allow for authentication using winbind template: src='nsswitch.j2' dest='/etc/nsswitch.conf'
Example: Join Domain • active-directory-join active-directory-join/ tasks/ main.yml templates/ krb5.j2 pam/ common-account.j2 common-auth.j2 common-password.j2 common-session-interactive.j2 sudo.j2 smb.j2 vars/ example.com office.lan
Example: Join Domain • vars (office.lan) --- #################################### ## ACTIVE DIRECTORY ## ad_domain: office.lan ad_primary_dc: ad1.office.lan ad_secondary_dc: ad2.office.lan ad_workgroup: OFFICE ad_sudoers_groups: - 'domain admins' - 'qasudoers' - 'devsudoers'
Example: Join Domain • templates (smb.j2) # {{ ansible_managed }} # #======================= Global Settings ======================= [global] bind interfaces only = yes interfaces = lo eth0 wlan workgroup = {{ad_workgroup}} netbios name = {{ansible_hostname|truncate(15, True, end='')}} password server = {{ad_primary_dc}} {{ad_secondary_dc}} realm = {% filter upper %}{{ad_domain}}{% endfilter %} security = ads idmap uid = 16777216-33554431 idmap gid = 16777216-33554431
Example: Join Domain • tasks (main.yml) --- - name: AD Authentication | Configure | Place kerberos config for domain authentication template: src='krb5.j2' dest='/etc/krb5.conf' - name: AD Authentication | Configure | Place samba config for domain authentication template: src='smb.j2' dest='/etc/samba/smb.conf' - name: AD Authentication | Configure | Start services and enable on boot (Debian) service: name={{item}} state='restarted' enabled='yes' with_items: - winbind - name: AD Authentication | Configure | Start services and do not enable on boot (Debian) service: name={{item}} state='restarted' enabled='no' with_items: - samba - name: AD Authentication | Configure | kinit shell: echo "{{ad_domain_admin_password}}" | kinit {{ad_domain_admin_username}}@{% filter upper %}{{ad_domain}}{% endfilter %}
Example: Join Domain - name: AD Authentication | Configure | Join Active Directory shell: net ads join -U{{ad_domain_admin_username}}%'{{ad_domain_admin_password}}' - name: AD Authentication | Configure | Enable pam authentication via winbind (Debian) template: src='pam/{{item.name}}' dest='/etc/pam.d/{{item.target}}' with_items: - {name: 'common-session-interactive.j2', target: 'common-session-interactive'} - {name: 'common-password.j2', target: 'common-password'} - {name: 'common-account.j2', target: 'common-account'} - {name: 'common-auth.j2', target: 'common-auth'} - {name: 'sudo.j2', target: 'sudo'} - name: AD Authentication | Configure | Set domain controllers to be ntp servers lineinfile: regexp='^server {{item}}' insertafter='^#server ntp.your-provider.example' line='server {{item}}' state=present dest='/etc/ntp.conf' with_items: - "{{ad_primary_dc}}" - "{{ad_secondary_dc}}" - name: AD Authentication | Configure | Restart services service: name={{item}} state='restarted' with_items: - winbind - samba - ntpd
Example: Join Domain • sudoers sudoers/ tasks/ main.yml templates/ sudoers-debian.j2 • tasks (main.yml) --- - name: User | sudo Configure | Don't always set home and Preserve env home template: src='sudoers-debian.j2' dest='/tmp/sudoers' owner='root' group='root' mode='0600' validate='visudo -cf %s’ - name: User | sudo Configure | Place new config shell: 'cp -vf /tmp/sudoers /etc/sudoers’ - name: User | sudo Configure | Clean up temporary files file: path='/tmp/sudoers' state='absent’
Example: Join Domain • templates (sudoers-debian.j2) # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" root ALL=(ALL:ALL) ALL %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd == 'true' %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad_sudoers_groups is defined %} {% for item in ad_sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
Example: Join Domain • Put it all together in a playbook --- - hosts: all sudo: True sudo_user: root vars_prompt: - name: "ad_domain" prompt: "Domain to join (e.g. office.lan)" private: no - name: "ad_domain_admin_username" prompt: "Domain Admin username" private: no - name: "ad_domain_admin_password" prompt: "Domain Admin password" private: yes vars_files: - ../roles/active-directory-join/vars/{{ad_domain}}.encrypt roles: - ../roles/active-directory - ../roles/active-directory-join - ../roles/sudoers tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22' delay='5' timeout='300' sudo: no delegate_to: localhost
Example: Join Domain $ ansible-playbook -i new-vm-clone, ad-join.yml –u joe -k -K SSH password: sudo password [defaults to SSH password]: Domain to join (e.g. office.lan): office.lan Domain Admin username: admin Domain Admin password: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [new-vm-clone] TASK: [../roles/active-directory | AD Authentication| Install | Install dependencies for AD authentication] *** ok: [new-vm-clone] => (item=krb5-user,libpam-krb5,winbind,samba) TASK: [../roles/active-directory | AD Authentication | Configure | Allow for authentication using winbind] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place kerberos config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place samba config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and enable on boot] *** changed: [new-vm-clone] => (item=winbind)
Example: Join Domain TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and do not enable on boot] *** changed: [new-vm-clone] => (item=samba) TASK: [../roles/active-directory-join | AD Authentication | Configure | kinit] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Join Active Directory] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Enable pam authentication via winbind] *** changed: [new-vm-clone] => (item={'name': 'common-session-interactive.j2', 'target': 'common-session-interactive'}) changed: [new-vm-clone] => (item={'name': 'common-password.j2', 'target': 'common-password'}) changed: [new-vm-clone] => (item={'name': 'common-account.j2', 'target': 'common-account'}) changed: [new-vm-clone] => (item={'name': 'common-auth.j2', 'target': 'common-auth'}) changed: [new-vm-clone] => (item={'name': 'sudo.j2', 'target': 'sudo'}) TASK: [../roles/active-directory-join | AD Authentication | Configure | Set domain controllers to be ntp servers] *** ok: [new-vm-clone] => (item=ad1.office.lan) ok: [new-vm-clone] => (item=ad2.office.lan) TASK: [../roles/active-directory-join | AD Authentication | Configure | Restart services] *** changed: [new-vm-clone] => (item=winbind) changed: [new-vm-clone] => (item=samba)
Example: Join Domain TASK: [../roles/sudoers | User | sudo Configure | Don't always set home and Preserve env home] *** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Place new config] *********** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Clean up temporary files] *** changed: [new-vm-clone] TASK: [Reboot the Server] ***************************************************** changed: [new-vm-clone] TASK: [Wait for Server to come back] ****************************************** ok: [new-vm-clone] PLAY RECAP ******************************************************************** new-vm-clone : ok=18 changed=13 unreachable=0 failed=0
Example: Server provisioner • Build and configure webserver --- #packer provisioning only - hosts: all connection: local remote_user: vagrant sudo: True sudo_user: root vars_files: - roles/vars/cloud.encrypt vars: lifecycle: 'production' build_flavor: 'cloud' app_flavor: 'app' roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/active-directory - roles/cloud-baseline - roles/sudoers - roles/iptables - roles/java-jdk-7 - roles/tomcat-7 - { role: roles/tomcat-native, when: native == 'true' } - roles/ansible - roles/app-dynamics - roles/opsview - roles/cleanup - roles/git tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat
Where do I go from here? • Stop doing everything by hand! • If you find yourself logging in to more than one VM to do the same task... • If you have been meaning to get around to patching or updating a bunch of VMs... • If you know all of the prompts of the OS installer by heart... • If scp and vi are your favorite tools... • If you dread the next release of your application • If you wince every time your phone rings
Use Ansible • Get more sleep • Require less coffee
Recommended Reading • http://docs.ansible.com/ • https://github.com/ansible/ansible-examples • https://gist.github.com/marktheunissen/2979474 • http://jpmens.net/ • https://galaxy.ansible.com/ • http://docs.ansible.com/vsphere_guest_module.html

Recommended

Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Timothy Appnel
 
Ansible intro
Ansible introAnsible intro
Ansible introMarcelo Quintiliano da Silva
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible + WordPress
Ansible + WordPressAnsible + WordPress
Ansible + WordPressAlan Lok
 
Ansible - A 'crowd' introduction
Ansible - A 'crowd' introductionAnsible - A 'crowd' introduction
Ansible - A 'crowd' introductionManuel de la Peña Peña
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using dockerLarry Cai
 
Deploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleDeploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleOrestes Carracedo
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 

Recommended

Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Timothy Appnel
 
Ansible intro
Ansible introAnsible intro
Ansible introMarcelo Quintiliano da Silva
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible + WordPress
Ansible + WordPressAnsible + WordPress
Ansible + WordPressAlan Lok
 
Ansible - A 'crowd' introduction
Ansible - A 'crowd' introductionAnsible - A 'crowd' introduction
Ansible - A 'crowd' introductionManuel de la Peña Peña
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using dockerLarry Cai
 
Deploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleDeploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleOrestes Carracedo
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 
How Ansible Makes Automation Easy
How Ansible Makes Automation EasyHow Ansible Makes Automation Easy
How Ansible Makes Automation EasyPeter Sankauskas
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102APNIC
 
Ansible
AnsibleAnsible
AnsibleVladimír Smitka
 
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleLocal Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleJeff Geerling
 
EC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerEC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerGeorge Miranda
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Richard Donkin
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to AnsibleDan Vaida
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with AnsibleAhmed AbouZaid
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them AllTim Fairweather
 
Jenkins and ansible reference
Jenkins and ansible referenceJenkins and ansible reference
Jenkins and ansible referencelaonap166
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef
 
Ansible Case Studies
Ansible Case StudiesAnsible Case Studies
Ansible Case StudiesGreg DeKoenigsberg
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleMichael Bahr
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practicesBas Meijer
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerTomas Doran
 
Ansible and AWS
Ansible and AWSAnsible and AWS
Ansible and AWSPeter Sankauskas
 
Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Pavel Chunyayev
 
Hosting Ruby Web Apps
Hosting Ruby Web AppsHosting Ruby Web Apps
Hosting Ruby Web AppsMichael Reinsch
 

More Related Content

What's hot

How Ansible Makes Automation Easy
How Ansible Makes Automation EasyHow Ansible Makes Automation Easy
How Ansible Makes Automation EasyPeter Sankauskas
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102APNIC
 
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleLocal Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleJeff Geerling
 
EC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerEC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerGeorge Miranda
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Richard Donkin
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to AnsibleDan Vaida
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with AnsibleAhmed AbouZaid
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them AllTim Fairweather
 
Jenkins and ansible reference
Jenkins and ansible referenceJenkins and ansible reference
Jenkins and ansible referencelaonap166
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleMichael Bahr
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practicesBas Meijer
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerTomas Doran
 

What's hot (20)

How Ansible Makes Automation Easy
How Ansible Makes Automation EasyHow Ansible Makes Automation Easy
How Ansible Makes Automation Easy
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102
 
Ansible
AnsibleAnsible
Ansible
 
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleLocal Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
 
EC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerEC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and Packer
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to Ansible
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them All
 
Jenkins and ansible reference
Jenkins and ansible referenceJenkins and ansible reference
Jenkins and ansible reference
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
 
Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015
 
Ansible Case Studies
Ansible Case StudiesAnsible Case Studies
Ansible Case Studies
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for Docker
 
Ansible and AWS
Ansible and AWSAnsible and AWS
Ansible and AWS
 

Similar to Ansible: How to Get More Sleep and Require Less Coffee

Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Pavel Chunyayev
 
Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)DECK36
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of AnsibleDevOps Ltd.
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 
Managing Infrastructure as Code
Managing Infrastructure as CodeManaging Infrastructure as Code
Managing Infrastructure as CodeAllan Shone
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesMike Splain
 
Planning to Fail #phpne13
Planning to Fail #phpne13Planning to Fail #phpne13
Planning to Fail #phpne13Dave Gardner
 
Automating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps ApproachAutomating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps ApproachAkshaya Mahapatra
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnwgarrett honeycutt
 
Cloud patterns applied
Cloud patterns appliedCloud patterns applied
Cloud patterns appliedLars Fronius
 
Large-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 MinutesLarge-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 MinutesHiroshi SHIBATA
 
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014Miguel Zuniga
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at ScaleAntony Messerl
 
Planning to Fail #phpuk13
Planning to Fail #phpuk13Planning to Fail #phpuk13
Planning to Fail #phpuk13Dave Gardner
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 

Similar to Ansible: How to Get More Sleep and Require Less Coffee (20)

Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015
 
Hosting Ruby Web Apps
Hosting Ruby Web AppsHosting Ruby Web Apps
Hosting Ruby Web Apps
 
Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of Ansible
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Managing Infrastructure as Code
Managing Infrastructure as CodeManaging Infrastructure as Code
Managing Infrastructure as Code
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of Kubernetes
 
Planning to Fail #phpne13
Planning to Fail #phpne13Planning to Fail #phpne13
Planning to Fail #phpne13
 
Automating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps ApproachAutomating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps Approach
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw
 
Cloud patterns applied
Cloud patterns appliedCloud patterns applied
Cloud patterns applied
 
Large-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 MinutesLarge-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 Minutes
 
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
 
Corley scalability
Corley scalabilityCorley scalability
Corley scalability
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at Scale
 
Planning to Fail #phpuk13
Planning to Fail #phpuk13Planning to Fail #phpuk13
Planning to Fail #phpuk13
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Ansible: How to Get More Sleep and Require Less Coffee

  • 1. How to Get More Sleep and Require Less Coffee Sarah Zelechoski @szelechoski Providence VMUG – 06/19/2014
  • 3. Why We Sleep on the Couch We’re the ones they call when • “The website is down” • The customer is having an “weird” issue • A critical exploit just entered the wild • “I can’t login to the domain” • New deployment off hours • Offshore needs 6 new VMs for testing • “I’m doing a customer demo at 8AM”
  • 4. Why We Own DNKN We’re seriously overloaded • Building VM templates • Configuring clusters • Storage management • Networking • Software deployment • User/Group Authentication/Authorization • Performance Testing • OS Upgrades • Software Upgrades • Security Patching • Troubleshooting • Customer Support • Development Labs • Alerting/Monitoring
  • 5. Guys What R U Doin • Building VM templates • ISO install and configuration • Network setup • Set up users/group, security, authentication/authorization • Software install and configuration • Building out clusters • Cloning N number of VMs from X number of templates • Hostname/network configuration • Firewalling • Software deployments • Turn off monitoring/alerting • Pull nodes out of Load Balanced Group • Run DB migrations • Deploy application code • Restart web server • Put nodes back in/turn monitoring back on • Server maintenance • SSH in to every server and restart a service • Write complex scripts to log in to every server and update openssl
  • 6. Guys STAHP • Ad hoc is bad hoc • Complex shell scripts to account for every eventuality • DRY (yeah I used to be a ruby dev) • Any manual task can introduce human error • They shouldn’t have to call you on your on vacation
  • 7. Put an M on It • Configuration Management (CM) • authoritative centralization of configuration data and actions • history of updates, changes for auditing purposes • define the exact state a system should be in • Infrastructure CM • define the state that a system should be in with respect to it’s configuration and use tools that achieve that state • enforce consistency across an entire environment • automate to increase efficiency and repeatability • easier to affect change (cloud provider, OS, etc.) • remove the human factor • disaster recovery
  • 8. Tool Time • Puppet • great with Windows (as long as they’re not XP) • amazing Enterprise support • cryptic DSL (imo) • Chef • easy to learn if you’re a ruby developer! • amazing wealth of cookbooks • Almost too verbose • SaltStack
  • 9. Ansible • Agentless! • Uses SSH (with one python requirement) • Everything is a YAML file • Structure is flexible (ad-hoc, playbooks, roles, orchestration) • Easily extensible via modules • Encryption and security built in • Full power at the CLI (open source!) • Even more features available in enterprise (Tower) • No Windows • Idempotent
  • 10. Idempo-what? “Operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.” – wikipedia
  • 11. Idempodent: Example • You need all your application servers’ tomcat setenv.sh to look like: JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat • You could get the job done with a classic echo command echo JAVA_HOME=/usr/java/latest >> /usr/local/tomcat/bin/setenv.sh echo JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" >> /usr/local/tomcat/bin/setenv.sh echo CATALINA_HOME=/usr/local/tomcat >> /usr/local/tomcat/bin/setenv.sh • But… • what if these lines already exist? • what if the file doesn’t exist on a few of the servers? • what if you needed to run your script again to update/restore another setting? • If you don’t know the beginning state of the system, the end state is unpredictable
  • 12. Idempotent: Example • You could write a more complex script for i in $tomcat_env_file do echo "Processing file $i" # i hate this trick, but since a non match is status code 1 and that # will kill this script do an unless here that forces a zero has_java_home=$(grep -cE "^JAVA_HOME=" $i || true) if [ $has_java_home -eq 0 ]; then sed –f setenv-without-java-home.sed -i $i elif [ $has_java_home -eq 1 ]; then sed -f setenv-with-java-home.sed -i $i else echo "Something went very wrong. Please review $i and make sure there is only a single line containing ’JAVA_HOME=' and run script again" fi done
  • 13. Ain’t Nobody Got Time For That • Use an idempotent CM tool • Tell the tool what state you need the system to be in • Tool will get you from A->Z or B->Z or even C->Z • Won’t get mangled configs • Won’t get conflicting packages • Won’t get mismatched versions • Won’t get error messages you have to handle for each unique case
  • 14. Ansible: Example • template the setenv.sh file we want # {{ ansible_managed }} JAVA_HOME={{java_home}}latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME={{tomcat_home}} • provide defaults (in yml!) --- java_home: /usr/java/ tomcat_home: /usr/local/tomcat tomcat_user: {name: ‘tomcat’, group: ‘tomcat’}
  • 15. Ansible: Example • write ansible task - name: Apache Tomcat | Configure | Overlay configuration template: src='setenv.j2' dest='{{tomcat_home}}/bin/setenv.sh' owner={{tomcat_user.name}} group={{tomcat_user.group}} • profit! $ cat /usr/local/tomcat/bin/setenv.sh # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/tomcat- 7/templates/cloud/app/setenv.j2 modified on 2014-04-04 13:18:35 by vagrant on vagrant JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat
  • 16. Structure • Inventory • Modules • Ad Hoc Commands • Playbooks • Tasks • Variables • Templates • Handlers • Roles
  • 17. Inventory: Example [production:children] webservers dbservers proxies [webservers] foo.example.com http_port=80 bar.example.com http_port=8080 [dbservers] db[01:03].example.com [dbservers:vars] pgsql_bind_nic=eth1 [proxies] 192.168.1.1 $ ansible production –a “echo hello” –u joe –k $ ansible dbservers –a “service postgresl restart” –u joe –U root –k -K
  • 18. Dynamic vSphere Inventory • Any script that can output JSON can be used to generate dynamic inventory • Use pysphere (python) or rbvmomi (ruby) to communicate with vSphere/vCenter • Organize your VMs by folder or resource pool to translate in to group
  • 19. Dynamic vSphere Inventory • https://github.com/RaymiiOrg/ansible-vmware $ python2 query.py -–list { "no_group": { "hosts": [ "vm0031", "vm0032", [...] "vm0999" ] }, "local": [ "127.0.0.1" ] }
  • 20. Dynamic vSphere Inventory • Preface each command with the script $ ANSIBLE_HOSTS="/src/vmware-ansible/query.py" ansible all -m ping • Export an environmental variable $ export ANSIBLE_HOSTS="/src/vmware-ansible/query.py” $ ansible no_group -m ping
  • 21. Modules • can be written in any language as long as they output JSON • take parameters and conditions to define desired state • handles processing of system resources, services, packages, files, etc. in idempotent fashion • “seek to avoid changes to the system unless a change needs to be made” • ansible comes preloaded with a plethora of modules • tons of community pull requests
  • 22. Ad Hoc Commands • run a single, one-off command • run on a full or partial inventory • run on a single host • no need to save for later $ ansible webservers –m command –a “dpkg-query –W openssl” –u joe –k SSH password: foo.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10 bar.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10
  • 23. Playbooks • More powerful configuration management • Kept in source control, developed, validated • Declare configurations of more complex mutli-system enviornments • Arrange and run tasks synchronously or asynchronously
  • 24. Playbooks: Example --- - hosts: all remote_user: vagrant sudo: true sudo_user: root vars_files: - roles/vars/webserver.encrypt vars: lifecycle: dev roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/sudoers - roles/iptables - roles/clamav - roles/java-jdk-7 - roles/postgres - roles/apache - roles/tomcat-7 - { role: roles/tc-native, when: native== 'true' } - roles/ansible - roles/git - roles/liquibase - roles/cleanup post_tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}} ’port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat - '80' #httpd
  • 25. Playbooks: Example $ ansible-playbook –i production webserver.yml –k –K $ ansible-playbook –i production webserver.yml –f 10 –k –K $ ansible-playbook –i production webserver.yml --list-hosts -k –K $ ansible-playbook –i production webserver.yml –-check –k –K
  • 26. Tasks: Example module parameter iterator variable - name: Apache Tomcat | Install | Grab latest tomcat tarball get_url: url='{{tomcat.base_url}}{{item.sub_url}}{{item.file}}' dest='/tmp/{{item.file}}' with_items: tomcat.files - name: Apache Tomcat | Install | Extract archive shell: tar -xvzf /tmp/{{item.file}} -C /usr/local creates=/usr/local/{{item.target}} with_items: tomcat.files - name: Apache Tomcat | Install | Give ownership of install to tomcat user file: path=/usr/local/{{item.target}} state=directory owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.files - name: Apache Tomcat | Install | Symlink install directory file: src='/usr/local/{{item.target}}' path='/usr/local/tomcat' state='link' with_items: tomcat.files - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}' owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.config_files
  • 27. Variables: • Simple YAML format • Can create arrays and hashes • Can substitute vars into vars • Vars can be defined at many levels (default, role ,playbook) • Can test conditionals on vars and require them • Can be filtered and manipulated with jinja2 • Can be matched to regex!
  • 28. Variables: Example #################################### ## TOMCAT ## tomcat_home: '/usr/local/tomcat' tomcat: config_files: - {file: 'tomcat.j2', target: '/etc/init.d/tomcat'} - {file: 'setenv.j2', target: '{{tomcat_home}}/bin/setenv.sh'} - {file: 'server.j2', target: '{{tomcat_home}}/conf/server.xml'} default_webapps: ['ROOT','docs','examples','host-manager','manager'] base_url: 'http://www.gtlib.gatech.edu/pub/apache/tomcat/tomcat-7/v7.0.54/bin/' files: - {file: 'apache-tomcat-7.0.54.tar.gz', target: 'apache-tomcat-7.0.54'} user: {name: 'tomcat', group: 'tomcat'}
  • 29. Templates • Templates are interpreted by jinja2 • stub out files • fill variables in differently depending on conditions • Powerful conditionals • Loops and iterators • Replace a file completely every time? • Yes. We configure for an end state.
  • 30. Templates: Example # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd is true %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad is defined %} {% for item in ad.sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
  • 31. Templates: Example # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/sudoers/templates/sudoers- debian.j2 modified on 2014-06-09 10:08:44 by vagrant on vagrant Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL yoda ALL= NOPASSWD: ALL Defaults:yoda !requiretty luke ALL=(ALL) ALL anakin ALL=(ALL) ALL %jedi ALL=(ALL) ALL
  • 32. Handlers • Written just like a regular task • Only run if triggered by the notify directive • Indicates a change in the system state • Any module can be used for the handler action Handler - name: Restart Tomcat service: name=tomcat state=restarted Task - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}’ with_items: tomcat.config_files notify: Restart Tomcat
  • 33. Roles • Break up configuration into repeatable chunks • Reduce, reuse, recycle • Clean, understandable structure • Stack on top of each other • Ansible Galaxy
  • 34. Roles • active directory • ansible • apache • app-dynamics • artifactory • centos • clamav • cleanup • debian • git • gradle • iptables • java-jdk-6 • java-jdk-7 • jenkins • keystore • liquibase • local-users • postgres • sudoers • swarm • packer • tomcat-6 • tomcat-7 • tomcat-native • vmware-tools • zeromq
  • 36. Roles • Dependencies • Always run before the roles that depend on them • If dependencies are duplicated amongst roles, they will only be run once by default • Can use allow_duplicates to require a role to be run more than once with different conditions --- dependencies: - { role: liquibase } - { role: apache, port: 80 } - { role: postgres, dbname: appdb, bind_nice: eth1 }
  • 37. Orchestration • “Rolling Updates” • Performing very complex infrastructure or cluster operations • Run plays in serial instead of parallel • Wait for certain conditions to move forward • Abort if certain percentage of failure
  • 38. Orchestration: Example • turn off monitoring and alerting • remove application server from load balanced group • stop services • wait for services to stop fully • checkout new code from git • deploy webapp • restart services • wait for services to start fully • return to load blanced group
  • 39. Example: Simple Service Restart • Problem • 50ish production customer VMs • Older CentOS 5 mixed with CentOS 6 • May or may not have python installed • Domain authentication • Need to restart livevault service
  • 40. Example: Simple Service Restart • Create inventory • Dump IP addresses of customer VM into simple ansible inventory [customer_vms:vars] [customer_vms] 192.168.32.117 192.168.32.39 192.168.34.176 192.168.34.28 192.168.33.100 192.168.32.197 192.168.34.181 192.168.34.158 ...
  • 41. Example: Simple Service Restart • Use an ad hoc command to make sure VMs are bootstrapped for Ansible $ ansible cusomter_vms -i oldvms –u domainjoe -s -U root -m raw -a "sudo yum install -y python-simplejson" -k –K • Restart the live vault service $ ansible customer_vms –i oldvms –u domainjoe –s –U root -m service –a "name=livevault state=restarted" –k -K
  • 42. Example: Heartbleed • openssl exploit • good news: patched for your OS • other packages updated along with openssl • 6 different environments (production, test, demo, etc.) • may require service restarts • need verification of final state version
  • 43. Example: Heartbleed --- hosts: all sudo: yes sudo_user: root tasks: - name: OpenSSL | Get current version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get current version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}" - name: OpenSSL | Apt | Install debconf-utils apt: pkg='debconf-utils' state='latest'
  • 44. Example: Heartbleed - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0:amd64' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Upgrade Openssl apt: pkg='{{item}}' state='latest' update_cache='yes' install_recommends='yes' force='yes' with_items: - 'openssl' - 'libssl1.0.0' - name: OpenSSL | Get new version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get new version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"
  • 45. Example: Heartbleed $ ansible-playbook -i cloud-daily, openssl.yml -u joe -k -K SSH password: sudo password [defaults to SSH password]: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u9, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u9" }
  • 46. Example: Heartbleed TASK: [OpenSSL | Apt | Install debconf-utils] ********************************* ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Upgrade Openssl] *************************************** changed: [cloud-daily] => (item=openssl,libssl1.0.0) TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u11, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u11" } PLAY RECAP ******************************************************************** cloud-daily : ok=11 changed=5 unreachable=0 failed=0
  • 47. Example: Join Domain • every new VM needs to be added to a domain • packages needed (winbind/samba) • domain could depend on environment • samba/winbind configuration different per machine • sudoers will be different per machine • domain admin must authenticate • this happens a lot • reusable playbook and roles
  • 48. Example: Join Domain • Roles • install active directory requirements (active-directory) • join the assigned domain (active-directory-join) • maniuplate sudoers (sudoers)
  • 49. Example: Join Domain • active-directory active-directory/ tasks/ main.yml templates/ nsswitch.j2 • tasks (main.yml) --- - name: AD Authentication| Install | Install dependencies for AD authentication apt: pkg={{item}} state=installed force=yes with_items: - krb5-user - libpam-krb5 - winbind - samba - name: AD Authentication | Configure | Allow for authentication using winbind template: src='nsswitch.j2' dest='/etc/nsswitch.conf'
  • 50. Example: Join Domain • active-directory-join active-directory-join/ tasks/ main.yml templates/ krb5.j2 pam/ common-account.j2 common-auth.j2 common-password.j2 common-session-interactive.j2 sudo.j2 smb.j2 vars/ example.com office.lan
  • 51. Example: Join Domain • vars (office.lan) --- #################################### ## ACTIVE DIRECTORY ## ad_domain: office.lan ad_primary_dc: ad1.office.lan ad_secondary_dc: ad2.office.lan ad_workgroup: OFFICE ad_sudoers_groups: - 'domain admins' - 'qasudoers' - 'devsudoers'
  • 52. Example: Join Domain • templates (smb.j2) # {{ ansible_managed }} # #======================= Global Settings ======================= [global] bind interfaces only = yes interfaces = lo eth0 wlan workgroup = {{ad_workgroup}} netbios name = {{ansible_hostname|truncate(15, True, end='')}} password server = {{ad_primary_dc}} {{ad_secondary_dc}} realm = {% filter upper %}{{ad_domain}}{% endfilter %} security = ads idmap uid = 16777216-33554431 idmap gid = 16777216-33554431
  • 53. Example: Join Domain • tasks (main.yml) --- - name: AD Authentication | Configure | Place kerberos config for domain authentication template: src='krb5.j2' dest='/etc/krb5.conf' - name: AD Authentication | Configure | Place samba config for domain authentication template: src='smb.j2' dest='/etc/samba/smb.conf' - name: AD Authentication | Configure | Start services and enable on boot (Debian) service: name={{item}} state='restarted' enabled='yes' with_items: - winbind - name: AD Authentication | Configure | Start services and do not enable on boot (Debian) service: name={{item}} state='restarted' enabled='no' with_items: - samba - name: AD Authentication | Configure | kinit shell: echo "{{ad_domain_admin_password}}" | kinit {{ad_domain_admin_username}}@{% filter upper %}{{ad_domain}}{% endfilter %}
  • 54. Example: Join Domain - name: AD Authentication | Configure | Join Active Directory shell: net ads join -U{{ad_domain_admin_username}}%'{{ad_domain_admin_password}}' - name: AD Authentication | Configure | Enable pam authentication via winbind (Debian) template: src='pam/{{item.name}}' dest='/etc/pam.d/{{item.target}}' with_items: - {name: 'common-session-interactive.j2', target: 'common-session-interactive'} - {name: 'common-password.j2', target: 'common-password'} - {name: 'common-account.j2', target: 'common-account'} - {name: 'common-auth.j2', target: 'common-auth'} - {name: 'sudo.j2', target: 'sudo'} - name: AD Authentication | Configure | Set domain controllers to be ntp servers lineinfile: regexp='^server {{item}}' insertafter='^#server ntp.your-provider.example' line='server {{item}}' state=present dest='/etc/ntp.conf' with_items: - "{{ad_primary_dc}}" - "{{ad_secondary_dc}}" - name: AD Authentication | Configure | Restart services service: name={{item}} state='restarted' with_items: - winbind - samba - ntpd
  • 55. Example: Join Domain • sudoers sudoers/ tasks/ main.yml templates/ sudoers-debian.j2 • tasks (main.yml) --- - name: User | sudo Configure | Don't always set home and Preserve env home template: src='sudoers-debian.j2' dest='/tmp/sudoers' owner='root' group='root' mode='0600' validate='visudo -cf %s’ - name: User | sudo Configure | Place new config shell: 'cp -vf /tmp/sudoers /etc/sudoers’ - name: User | sudo Configure | Clean up temporary files file: path='/tmp/sudoers' state='absent’
  • 56. Example: Join Domain • templates (sudoers-debian.j2) # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" root ALL=(ALL:ALL) ALL %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd == 'true' %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad_sudoers_groups is defined %} {% for item in ad_sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
  • 57. Example: Join Domain • Put it all together in a playbook --- - hosts: all sudo: True sudo_user: root vars_prompt: - name: "ad_domain" prompt: "Domain to join (e.g. office.lan)" private: no - name: "ad_domain_admin_username" prompt: "Domain Admin username" private: no - name: "ad_domain_admin_password" prompt: "Domain Admin password" private: yes vars_files: - ../roles/active-directory-join/vars/{{ad_domain}}.encrypt roles: - ../roles/active-directory - ../roles/active-directory-join - ../roles/sudoers tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22' delay='5' timeout='300' sudo: no delegate_to: localhost
  • 58. Example: Join Domain $ ansible-playbook -i new-vm-clone, ad-join.yml –u joe -k -K SSH password: sudo password [defaults to SSH password]: Domain to join (e.g. office.lan): office.lan Domain Admin username: admin Domain Admin password: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [new-vm-clone] TASK: [../roles/active-directory | AD Authentication| Install | Install dependencies for AD authentication] *** ok: [new-vm-clone] => (item=krb5-user,libpam-krb5,winbind,samba) TASK: [../roles/active-directory | AD Authentication | Configure | Allow for authentication using winbind] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place kerberos config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place samba config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and enable on boot] *** changed: [new-vm-clone] => (item=winbind)
  • 59. Example: Join Domain TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and do not enable on boot] *** changed: [new-vm-clone] => (item=samba) TASK: [../roles/active-directory-join | AD Authentication | Configure | kinit] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Join Active Directory] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Enable pam authentication via winbind] *** changed: [new-vm-clone] => (item={'name': 'common-session-interactive.j2', 'target': 'common-session-interactive'}) changed: [new-vm-clone] => (item={'name': 'common-password.j2', 'target': 'common-password'}) changed: [new-vm-clone] => (item={'name': 'common-account.j2', 'target': 'common-account'}) changed: [new-vm-clone] => (item={'name': 'common-auth.j2', 'target': 'common-auth'}) changed: [new-vm-clone] => (item={'name': 'sudo.j2', 'target': 'sudo'}) TASK: [../roles/active-directory-join | AD Authentication | Configure | Set domain controllers to be ntp servers] *** ok: [new-vm-clone] => (item=ad1.office.lan) ok: [new-vm-clone] => (item=ad2.office.lan) TASK: [../roles/active-directory-join | AD Authentication | Configure | Restart services] *** changed: [new-vm-clone] => (item=winbind) changed: [new-vm-clone] => (item=samba)
  • 60. Example: Join Domain TASK: [../roles/sudoers | User | sudo Configure | Don't always set home and Preserve env home] *** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Place new config] *********** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Clean up temporary files] *** changed: [new-vm-clone] TASK: [Reboot the Server] ***************************************************** changed: [new-vm-clone] TASK: [Wait for Server to come back] ****************************************** ok: [new-vm-clone] PLAY RECAP ******************************************************************** new-vm-clone : ok=18 changed=13 unreachable=0 failed=0
  • 61. Example: Server provisioner • Build and configure webserver --- #packer provisioning only - hosts: all connection: local remote_user: vagrant sudo: True sudo_user: root vars_files: - roles/vars/cloud.encrypt vars: lifecycle: 'production' build_flavor: 'cloud' app_flavor: 'app' roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/active-directory - roles/cloud-baseline - roles/sudoers - roles/iptables - roles/java-jdk-7 - roles/tomcat-7 - { role: roles/tomcat-native, when: native == 'true' } - roles/ansible - roles/app-dynamics - roles/opsview - roles/cleanup - roles/git tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat
  • 62. Where do I go from here? • Stop doing everything by hand! • If you find yourself logging in to more than one VM to do the same task... • If you have been meaning to get around to patching or updating a bunch of VMs... • If you know all of the prompts of the OS installer by heart... • If scp and vi are your favorite tools... • If you dread the next release of your application • If you wince every time your phone rings
  • 63. Use Ansible • Get more sleep • Require less coffee
  • 64. Recommended Reading • http://docs.ansible.com/ • https://github.com/ansible/ansible-examples • https://gist.github.com/marktheunissen/2979474 • http://jpmens.net/ • https://galaxy.ansible.com/ • http://docs.ansible.com/vsphere_guest_module.html

Editor's Notes

  1. Say we can put these fires out long enough to get ourselves into the next work day
  2. Cluster ssh Bash scripts Building templates by hand Yo dawg, I heard you like snapshots of your snapshots
  3. Don’t repeat yourself If you have to do a manual task more than two times, you need to rethink Consistency is key
  4. You’ve heard of SCM, change management, release management, patch management… Configuration management
  5. Describe the end state you want. Tool will get you to that state regardless of starting point.
  6. structure
  7. Restart livevault
  8. Heartbleed/openssl Playbook that turned in to a role
  9. Join machines to the domain
  10. Full server build with roles
  11. Phillip fry