SlideShare a Scribd company logo
1 of 33
Download to read offline
More Tips and Tricks
Some “Non Bad” Practices
- Ansible core maintainer
- bcoca @ IRC and github and mailing lists
- worn hats as SA/QA/Programmer/DBA/etc
- tech janitor
Why not ‘best practice’?
- No such thing
- Many ‘good practices’
- Environments are different: Florist e-commerce != VR mobile app
- Companies and compliance are different
- Rules and standards are great … until they get in the way
- Context is important
- Similarities exist but things are rarely identical (siblings not twins)
- “One size fits all” solutions are limited and limiting
- Adaptability is key, provides choice
- Decide on a workflow, use tools to achieve it
- Pain appears when systems and workflows are in opposition
TIP: non bad practices
A style guide is about consistency.
Consistency with this style guide is important.
Consistency within a project is more important.
Consistency within one module or function is the most important.
However, know when to be inconsistent -- sometimes style guide recommendations just
aren't applicable. When in doubt, use your best judgment.
Look at other examples and decide what looks best. And don't hesitate to ask!
What is wrong?
- hosts: webservers
- service:
name: nginx
state: restarted
name: restart_nginx
- template:
src: templates/nginx.conf
dest: /etc/nginx.conf
notify: restart_nginx
name: Set nginx config
- stat: path=/etc/nginx.conf
Bad Practice
- hosts: wx01
- template:
src: templates/xl183.conf
dest: /etc/apache2.conf
notify: service
- service: name=httpd state=restarted
How can it be better?
TIPS: Better Practices
- hosts: webserver01
- stat: path=/etc/nginx.conf
- name: Configure app02 webserver
src: templates/webapp02.conf
dest: /etc/apache2.conf
notify: restart_httpd
- name: restart_httpd
service: name=httpd state=restarted
- Nothing syntactically wrong
- Dictionary order does not matter to
Ansible, but it matters to humans
- List order matters to all (- stuff)
- name: is your documentation
- Good host, group and task names
make things evident.
- Relying on explicit behaviour over
implicit keeps things clear
- Nothing I say is mandatory
Basic Layout
TIPS: Inventory
- Simple setup
- Quick to get started
- Works for your average app
- Naming by function (not actual names)
- All or nothing access
- Grouped only on one criteria
Complicating layout
TIPS: Inventory
production (groups: dc1,dc2)
staging (dc1)
- I can target environments by file
- File permissions for access (also ACLs)
- inventory_file or groups for ‘location’ and
‘environment’ variables, avoids overlap.
- Avoids relying on --limit
- More things to keep track of
- Requires more knowledge to setup
- Geared towards central mgmt host
- Overlaps with --limit
Unix tools use Unix permissions
TIPS: Inventory
jumphost#>ls -l /etc/ansible/inventory
drwxr-xr-x 2 root ops 4096 Aug 19 00:55 group_vars
drwxr-xr-x 2 root ops 4096 Aug 12 11:10 host_vars
-rw-r----- 1 root ops 1825 Aug 18 03:07 production
-rw-r----- 1 root qa 251 Aug 18 03:07 staging
-rw-r----- 1 root devel 789 Aug 18 03:07 devel
jumphost#> getfacl production
# file: production
# owner: root
# group: ops
visible permissions
my ‘back door’
Designing your inventory
TIPS: Inventory
- Inventory is the expression of your environment
- Hostnames, groups, vars are for YOUR use, they have to make sense to YOU
- Ansible cares about hosts and tasks, everything else is in support of that
- Select a single source of truth .. or try to minimize duplication of data
- Normally, there is a simpler way to do it
- Ansible makes it easy to switch approaches, don’t be afraid to test and try
- Mistakes are not failures
Generate YAML Inventory
- hosts: localhost
gather_facts: false
- template:
src: dump_hosts_yaml.j2
dest: /tmp/hosts.yml
{% set builtins = ['hostvars', 'vars', … ]%}
{% set dumped_vars = [] %}
{% for group in groups if group != 'all'%}
{% for host in groups[group] %}
{{ host }}:
{% for myhostvar in hostvars[host] if myhostvar not in builtins %}
{{ myhostvar}}: {{hostvars[host][myhostvar]|to_json}}
{% if loop.last %}{% do dumped_vars.append(host) %}{%endif %}
{% endfor %}
{% endfor %}
{% endfor %}
migrate_yaml_inventory.yml dump_hosts_yaml.j2
testvar: default from all
test2: {"key3": "valueall3", "key1": "valueall1"}
ansible_python_interpreter: /usr/bin/python2.7
testvar: default from all
test2: {"key3": "valueall3", "key1": "valueall1"}
testvar: inv groupvar
test2: {"key3": "valueall3", "key1": "valueall1"}
cron_service: crond
test_prio: tests
Generate INI Inventory
{% set builtins = ['hostvars', 'vars', 'groups', 'group_names', … '] %}{% set
dumped_vars = [] %}
{% for group in groups if group != 'all'%}
{% for host in groups[group] %}
{{ host }} {% for myhostvar in hostvars[host] if myhostvar not in builtins and host
not in dumped_vars %} {{ myhostvar}}={{hostvars[host][myhostvar]|to_json}} {% if
loop.last %}{% do dum
ped_vars.append(host) %}{% endif %} {% endfor %}
{% endfor %}
{% endfor %}
ubuntu15test testvar=”default from all” test= {"key3": "valueall3", "key1": "valueall1"}
ubuntu14test testvar=”default from all” test2= {"key3": "valueall3", "key1": "valueall1"}
centos7test testvar=”inv groupvar” ansible_ssh_host="" test2={"key3": ...
Variable Sources
TIPS: vars can go in many places
PRECEDENCE (low to high):
role defaults
inventory file vars
inventory group_vars, host_vars
playbook group_vars, host_vars
host facts
play vars, vars_prompt, vars_files
registered vars
role parameters and include vars
block(only for tasks in block), task vars
extra vars (CLI, global, precedence)
● Many choices, flexible!
● Many choices, confusing!
● Where do I define my var?
○ Locality (host, group, play, role, task)
○ Use only what you need, ignore rest
○ Inheritance and scope (play, host)
● group/host_vars are always loaded
● variables are flattened per host
Variable Sources
TIPS: vars can go in many places
- Avoid vault errors
- Allows ‘need to know’
- group/host_vars are still autoloaded
- explicit: vars_files, include_vars from vars/
- vault files require passwords
- ansible cannot know if vault is needed, must
run play and open vault to find out.
- no tardis plugin (yet)
TIPS: vars can go in many places
- Interactive vars
- Per play
- Available only at start
- Smart prompting:
- only if tty is present
- skip if already provided (extra vars)
- Unconditional
- name: "myvar"
prompt: "Question?"
TIPS: vars can go in many places
- Interactive vars
- It is a task:
- Can appear at any point a task can
- Tasks are conditional (when, tags)
- host scope, persists across plays
- No validation
- Only if tty is present
- result var structure (myvar.user_input)
- pause: prompt=”Question?”
register: myvar
Single deployment script
- hosts: localhost
- name: app_name
prompt: “Which app do you want to deploy?”
default: mainapp
- name: app_version
prompt: “Choose version/tag (default HEAD)”
default: ‘HEAD’
- git: repo=git@myreposerver/{{app_version}} version={{app_version}}
Normal Interactive command
When using cron:
- pass in extra vars
- let it use defaults
3 plays that can run in parallel
Tricks: parallel playbook execution
- name: play1
hosts: all
gather_facts: false
- debug: msg=starting1
- wait_for: timeout=10
- debug: msg=ending1
- name: play2
hosts: all
gather_facts: false
- debug: msg=starting2
- wait_for: timeout=14
- debug: msg=ending2
- name: play3
hosts: all
gather_facts: false
- debug: msg=starting3
- wait_for: timeout=16
- debug: msg=ending3
play1.yml play3.ymlplay2.yml
Sometimes you don’t want to run stuff serially .. if only ansible-playbook ran in parallel!
From the command line
Tricks: parallel playbook execution
#> time ansible-playbook play?.yml
real 0m40.691s
user 0m1.371s
sys 0m0.353s
#>time parallel ansible-playbook {} ::: play?.yml
real 0m16.816s
user 0m3.928s
sys 0m0.848s
#> time $(ls play?.yml|xargs -n1 -P3 ansible-playbook)
real 0m16.788s
user 0m3.963s
sys 0m0.842s
- Ansible is unix tool, many other tools do parallel
- Several options to run in parallel
- Easy to redirect output
- manage resources with nice and ionice
- use with inotify, tcpserver, cron, at
… even with procmail filters
Tricks: parallel playbook execution
- name: really trying hard to avoid shell scripts
hosts: localhost
gather_facts: False
- shell: ansible-playbook play1.yml
async: 10000
poll: 0
- shell: ansible-playbook play2.yml
async: 10000
poll: 0
- shell: ansible-playbook play3.yml
async: 10000
poll: 0
#>time ansible-playbook async.yml
real 0m3.572s
user 0m0.497s
sys 0m0.105s
Less typing!
Tricks: parallel playbook execution
- name: really trying hard to avoid shell scripts v2
hosts: localhost
gather_facts: False
- shell: ansible-playbook play{{item}}.yml
async: 10000
poll: 0
with_items: [1,2,3]
#>time ansible-playbook async2.yml
real 0m3.531s
user 0m0.463s
sys 0m0.107s
ansible-meta … with results!
Tricks: parallel playbook execution
- name: really trying hard to avoid shell scripts v3
hosts: localhost
gather_facts: False
- shell: ansible-playbook play{{item}}.yml
async: 10000
poll: 0
with_items: [1,2,3]
register: runplays
- async_status: jid={{runplays.results[item.index].ansible_job_id}}
resgister: jobs
until: jobs.finished
with_indexed_items: [1,2,3]
retries: 100
#>time ansible-playbook async3.yml
real 0m24.140s
user 0m1.239s
sys 0m0.265s
Static vs Dynamic
TIPS: includes
- Beginning in 2.0 includes can be dynamic, loops, conditionals!
- Static includes are not real tasks, dynamic includes … almost are
- Only task includes can be dynamic, play includes are always static
- Dynamic includes do not show included tasks in --list-tasks/tags
- Handler includes are static by default (both types have config setting)
- Task includes have dynamic include detection, use static: yes|no (>=2.1) directive to control
- Task behaviour can change in each case
dynamic include loops
TIPS: includes
- hosts: localhost
gather_facts: False
- include: test.yml
with_items: [1,2]
static: yes
- set_fact: outer={{item}}
- debug: msg="{{outer}} and {{item}}"
with_items: ['a','b']
TASK [debug]
ok: [localhost] => (item=a) => {
"item": "a",
"msg": "1 and a"
ok: [localhost] => (item=b) => {
"item": "b",
"msg": "1 and b"
TASK [debug]
ok: [localhost] => (item=a) => {
"item": "a",
"msg": "2 and a"
ok: [localhost] => (item=b) => {
"item": "b",
"msg": "2 and b"
Since 2.1 you can use
loop_control instead of set_fact
New in 2.2
Tricks: include_role
- hosts: localhost
- package: name={{httpd}} state=latest
- include_role:
name: webapp
tasks_from: install.yml
- service: name={{httpd}} state=started
- include_role:
name: webapp
tasks_from: configure.yml
vars_from: “{{ansible_os}}.yml”
with_items: “{{ applications }}”
Multiple notification
TIPS: fun with handlers
- hosts: all
- name: configure nginx
template: src=nginx.j2 dest=/etc/nginx.conf
- restart_uwcgi
- restart_nginx
- name: restart_uwcgi
service: name=uwcgi state=restarted
- name: restart_nginx
service: name=nginx state=restarted
- Most flexible
- Can get repetitive
- List can be a variable
Chaining handlers
TIPS: fun with handlers
- hosts: all
- name: configure nginx
template: src=nginx.j2 dest=/etc/nginx.conf
notify: restart_nginx_cluster
- name: restart_nginx_cluster
service: name=uwcgi state=restarted
notify: restart_nginx
- name: restart_nginx
service: name=nginx state=restarted
- Call observes definition order
- Cannot call previous
- Less flexible
- Can call middle of chain
Grouping handlers
TIPS: fun with handlers
- hosts: all
- name: configure nginx
template: src=nginx.j2 dest=/etc/nginx.conf
notify: restart_nginx_cluster
- name: restart_nginx_cluster
wait_for: seconds=1
changed_when: true
notify: [‘restart_uwcgi’, ‘nginx’]
- name: restart_uwcgi
service: name=uwcgi state=restarted
- name: restart_nginx
service: name=nginx state=restarted
- Still flexible
- Less repetition
- Needs dummy task
- Also relies on chain
- List can be a variable
listen! new in 2.2
TIPS: fun with handlers
- hosts: all
- name: configure nginx
template: src=nginx.j2 dest=/etc/nginx.conf
notify: restart_nginx_cluster
- name: restart_uwcgi
service: name=uwcgi state=restarted
listen: restart_nginx_cluster
- name: restart_nginx
service: name=nginx state=restarted
listen: restart_nginx_cluster
- Still flexible
- Less repetition
- listen is not unique
- Does not rely on chain
- List can be a variable
include as handler
TIPS: fun with handlers
- hosts: all
- name: configure nginx
template: src=nginx.j2 dest=/etc/nginx.conf
notify: restart_nginx_cluster
- name: restart_nginx_cluster
include: nginx_cluster_restart.yml
static: no
- Only dynamic includes
- Include itself is handler
- File can be variable
- Also toggleable from config
- Ansible is flexible, many ways to do things
- Choice can be daunting
- Easy to make mistakes, easy to correct them
- “Best” is relative, depends on context, test it!

More Related Content

What's hot

What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...

What's hot (20)

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
DevOps with Ansible
DevOps with AnsibleDevOps with Ansible
DevOps with Ansible
Ansible tips & tricks
Ansible tips & tricksAnsible tips & tricks
Ansible tips & tricks
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
Ansible intro
Ansible introAnsible intro
Ansible intro
AIX Advanced Administration Knowledge Share
AIX Advanced Administration Knowledge ShareAIX Advanced Administration Knowledge Share
AIX Advanced Administration Knowledge Share
OVN - Basics and deep dive
OVN - Basics and deep diveOVN - Basics and deep dive
OVN - Basics and deep dive
Red Hat OpenStack 17 저자직강+스터디그룹_1주차
Red Hat OpenStack 17 저자직강+스터디그룹_1주차Red Hat OpenStack 17 저자직강+스터디그룹_1주차
Red Hat OpenStack 17 저자직강+스터디그룹_1주차
Configuration Management in Ansible
Configuration Management in Ansible Configuration Management in Ansible
Configuration Management in Ansible
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
Red Hat OpenStack 17 저자직강+스터디그룹_3주차
Red Hat OpenStack 17 저자직강+스터디그룹_3주차Red Hat OpenStack 17 저자직강+스터디그룹_3주차
Red Hat OpenStack 17 저자직강+스터디그룹_3주차
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Ceph Object Storage Reference Architecture Performance and Sizing Guide
Ceph Object Storage Reference Architecture Performance and Sizing GuideCeph Object Storage Reference Architecture Performance and Sizing Guide
Ceph Object Storage Reference Architecture Performance and Sizing Guide
Installing Aix
Installing AixInstalling Aix
Installing Aix
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Accelerating with Ansible
Accelerating with AnsibleAccelerating with Ansible
Accelerating with Ansible
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : Ansible

Viewers also liked

Viewers also liked (8)

Ansible leveraging 2.0
Ansible leveraging 2.0Ansible leveraging 2.0
Ansible leveraging 2.0
What's New in v2 - AnsibleFest London 2015
What's New in v2 - AnsibleFest London 2015What's New in v2 - AnsibleFest London 2015
What's New in v2 - AnsibleFest London 2015
Hacking ansible
Hacking ansibleHacking ansible
Hacking ansible
Automated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleAutomated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-Ansible
Foreman in your datacenter
Foreman in your datacenterForeman in your datacenter
Foreman in your datacenter
Automated Deployments with Ansible
Automated Deployments with AnsibleAutomated Deployments with Ansible
Automated Deployments with Ansible
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestration
Test-Driven Infrastructure with Ansible, Test Kitchen, Serverspec and RSpec
Test-Driven Infrastructure with Ansible, Test Kitchen, Serverspec and RSpecTest-Driven Infrastructure with Ansible, Test Kitchen, Serverspec and RSpec
Test-Driven Infrastructure with Ansible, Test Kitchen, Serverspec and RSpec

Similar to More tips n tricks

Puppet atbazaarvoice
Puppet atbazaarvoicePuppet atbazaarvoice
Puppet atbazaarvoice
Dave Barcelo

Similar to More tips n tricks (20)

Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Ansible with oci
Ansible with ociAnsible with oci
Ansible with oci
Ansible not only for Dummies
Ansible not only for DummiesAnsible not only for Dummies
Ansible not only for Dummies
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
Ansible Devops North East - slides
Ansible Devops North East - slides Ansible Devops North East - slides
Ansible Devops North East - slides
Introduction to Ansible - (dev ops for people who hate devops)
Introduction to Ansible - (dev ops for people who hate devops)Introduction to Ansible - (dev ops for people who hate devops)
Introduction to Ansible - (dev ops for people who hate devops)
MariaDB, MySQL and Ansible: automating database infrastructures
MariaDB, MySQL and Ansible: automating database infrastructuresMariaDB, MySQL and Ansible: automating database infrastructures
MariaDB, MySQL and Ansible: automating database infrastructures
Metadata-driven Testing
Metadata-driven TestingMetadata-driven Testing
Metadata-driven Testing
Puppet atbazaarvoice
Puppet atbazaarvoicePuppet atbazaarvoice
Puppet atbazaarvoice
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone
Ansible is Our WishboneAnsible is Our Wishbone
Ansible is Our Wishbone
Getting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdfGetting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdf
Puppet for Sys Admins
Puppet for Sys AdminsPuppet for Sys Admins
Puppet for Sys Admins
Bash production guide
Bash production guideBash production guide
Bash production guide
Variable precedence: Where should I put a variable?
Variable precedence: Where should I put a variable?Variable precedence: Where should I put a variable?
Variable precedence: Where should I put a variable?
Introduction to Ansible - Peter Halligan
Introduction to Ansible - Peter HalliganIntroduction to Ansible - Peter Halligan
Introduction to Ansible - Peter Halligan
Ansible new paradigms for orchestration
Ansible new paradigms for orchestrationAnsible new paradigms for orchestration
Ansible new paradigms for orchestration
Puppet at Bazaarvoice
Puppet at BazaarvoicePuppet at Bazaarvoice
Puppet at Bazaarvoice
Introducing Ansible
Introducing AnsibleIntroducing Ansible
Introducing Ansible
#OktoCampus - Workshop : An introduction to Ansible
#OktoCampus - Workshop : An introduction to Ansible#OktoCampus - Workshop : An introduction to Ansible
#OktoCampus - Workshop : An introduction to Ansible

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business

Recently uploaded (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business

More tips n tricks

  • 1. More Tips and Tricks Some “Non Bad” Practices
  • 2. #>whoami? - Ansible core maintainer - bcoca @ IRC and github and mailing lists - worn hats as SA/QA/Programmer/DBA/etc - tech janitor 2
  • 3. Why not ‘best practice’? - No such thing - Many ‘good practices’ - Environments are different: Florist e-commerce != VR mobile app - Companies and compliance are different - Rules and standards are great … until they get in the way - Context is important - Similarities exist but things are rarely identical (siblings not twins) - “One size fits all” solutions are limited and limiting - Adaptability is key, provides choice - Decide on a workflow, use tools to achieve it - Pain appears when systems and workflows are in opposition TIP: non bad practices 3
  • 4. PEP8 A style guide is about consistency. Consistency with this style guide is important. Consistency within a project is more important. Consistency within one module or function is the most important. However, know when to be inconsistent -- sometimes style guide recommendations just aren't applicable. When in doubt, use your best judgment. Look at other examples and decide what looks best. And don't hesitate to ask! 4
  • 5. What is wrong? - hosts: webservers handlers: - service: name: nginx state: restarted name: restart_nginx tasks: - template: src: templates/nginx.conf dest: /etc/nginx.conf notify: restart_nginx name: Set nginx config pre_tasks: - stat: path=/etc/nginx.conf Bad Practice 5 - hosts: wx01 tasks: - template: src: templates/xl183.conf dest: /etc/apache2.conf notify: service handlers: - service: name=httpd state=restarted
  • 6. How can it be better? TIPS: Better Practices 6 - hosts: webserver01 pre_tasks: - stat: path=/etc/nginx.conf tasks: - name: Configure app02 webserver template: src: templates/webapp02.conf dest: /etc/apache2.conf notify: restart_httpd handlers: - name: restart_httpd service: name=httpd state=restarted - Nothing syntactically wrong - Dictionary order does not matter to Ansible, but it matters to humans - List order matters to all (- stuff) - name: is your documentation - Good host, group and task names make things evident. - Relying on explicit behaviour over implicit keeps things clear - Nothing I say is mandatory
  • 7. Basic Layout TIPS: Inventory 7 ansible/ inventory group_vars/ all.yml appservers.yml databases.yml loadbalancers.yml network.yml webservers/ secrets.yml service_vars.yml host_vars/ webserver01.yml webserver02.yml PROS - Simple setup - Quick to get started - Works for your average app - Naming by function (not actual names) CONS - All or nothing access - Grouped only on one criteria
  • 8. Complicating layout TIPS: Inventory 8 ansible/inventory/ production (groups: dc1,dc2) development(idf) staging (dc1) group_vars/ all.yml appservers.yml databases.yml loadbalancers.yml network.yml webservers/ secrets.yml service_vars.yml dc1.yml dc2.yml idf.yml host_vars/ PROS - I can target environments by file - File permissions for access (also ACLs) - inventory_file or groups for ‘location’ and ‘environment’ variables, avoids overlap. - Avoids relying on --limit CONS - More things to keep track of - Requires more knowledge to setup - Geared towards central mgmt host - Overlaps with --limit
  • 9. Unix tools use Unix permissions TIPS: Inventory 9 jumphost#>ls -l /etc/ansible/inventory drwxr-xr-x 2 root ops 4096 Aug 19 00:55 group_vars drwxr-xr-x 2 root ops 4096 Aug 12 11:10 host_vars -rw-r----- 1 root ops 1825 Aug 18 03:07 production -rw-r----- 1 root qa 251 Aug 18 03:07 staging -rw-r----- 1 root devel 789 Aug 18 03:07 devel jumphost#> getfacl production # file: production # owner: root # group: ops user:bcoca:rw- user::rw- group::r-- other::--- visible permissions my ‘back door’
  • 10. Designing your inventory TIPS: Inventory 10 - Inventory is the expression of your environment - Hostnames, groups, vars are for YOUR use, they have to make sense to YOU - Ansible cares about hosts and tasks, everything else is in support of that - Select a single source of truth .. or try to minimize duplication of data - Normally, there is a simpler way to do it - Ansible makes it easy to switch approaches, don’t be afraid to test and try - Mistakes are not failures
  • 11. Generate YAML Inventory Tricks 11 - hosts: localhost gather_facts: false tasks: - template: src: dump_hosts_yaml.j2 dest: /tmp/hosts.yml {% set builtins = ['hostvars', 'vars', … ]%} {% set dumped_vars = [] %} {% for group in groups if group != 'all'%} {{group}}: {% for host in groups[group] %} {{ host }}: {% for myhostvar in hostvars[host] if myhostvar not in builtins %} {{ myhostvar}}: {{hostvars[host][myhostvar]|to_json}} {% if loop.last %}{% do dumped_vars.append(host) %}{%endif %} {% endfor %} {% endfor %} {% endfor %} migrate_yaml_inventory.yml dump_hosts_yaml.j2
  • 12. 12 ungrouped: ubuntu15test: testvar: default from all test2: {"key3": "valueall3", "key1": "valueall1"} ansible_python_interpreter: /usr/bin/python2.7 ansible_ssh_host: ubuntu: ubuntu12test: ubuntu14test: testvar: default from all test2: {"key3": "valueall3", "key1": "valueall1"} tests: ubuntu12test: ubuntu15test: centos7test: testvar: inv groupvar test2: {"key3": "valueall3", "key1": "valueall1"} cron_service: crond ansible_ssh_host: test_prio: tests aptdistros: ubuntu12test: ubuntu14test: /tmp/hosts.yml
  • 13. Generate INI Inventory Tricks 13 {% set builtins = ['hostvars', 'vars', 'groups', 'group_names', … '] %}{% set dumped_vars = [] %} {% for group in groups if group != 'all'%} [{{group}}] {% for host in groups[group] %} {{ host }} {% for myhostvar in hostvars[host] if myhostvar not in builtins and host not in dumped_vars %} {{ myhostvar}}={{hostvars[host][myhostvar]|to_json}} {% if loop.last %}{% do dum ped_vars.append(host) %}{% endif %} {% endfor %} {% endfor %} {% endfor %} dump_hosts_ini.j2
  • 14. 14 [ungrouped] ubuntu15test testvar=”default from all” test= {"key3": "valueall3", "key1": "valueall1"} [ubuntu] ubuntu12test ubuntu14test testvar=”default from all” test2= {"key3": "valueall3", "key1": "valueall1"} [tests] ubuntu12test ubuntu15test centos7test testvar=”inv groupvar” ansible_ssh_host="" test2={"key3": ... [aptdistros] ubuntu12test /tmp/hosts.ini
  • 15. Variable Sources TIPS: vars can go in many places 15 PRECEDENCE (low to high): role defaults inventory file vars inventory group_vars, host_vars playbook group_vars, host_vars host facts play vars, vars_prompt, vars_files registered vars set_facts role parameters and include vars block(only for tasks in block), task vars extra vars (CLI, global, precedence) ● Many choices, flexible! ● Many choices, confusing! ● Where do I define my var? ○ Locality (host, group, play, role, task) ○ Use only what you need, ignore rest ○ Inheritance and scope (play, host) ● group/host_vars are always loaded ● variables are flattened per host
  • 16. Variable Sources TIPS: vars can go in many places 16 inventory/ ... playbooks/ webconfig/ ... certificates/ load_balancer_main.yml load_balancer_internal.yml ldap.yml vars/ vaulted_certificates.yml - Avoid vault errors - Allows ‘need to know’ - group/host_vars are still autoloaded - explicit: vars_files, include_vars from vars/ - vault files require passwords - ansible cannot know if vault is needed, must run play and open vault to find out. - no tardis plugin (yet)
  • 17. vars_prompt TIPS: vars can go in many places 17 - Interactive vars - Per play - Available only at start - Smart prompting: - only if tty is present - skip if already provided (extra vars) - Unconditional vars_prompt: - name: "myvar" prompt: "Question?"
  • 18. Pause TIPS: vars can go in many places 18 - Interactive vars - It is a task: - Can appear at any point a task can - Tasks are conditional (when, tags) - host scope, persists across plays - No validation - Only if tty is present - result var structure (myvar.user_input) - pause: prompt=”Question?” register: myvar
  • 19. Single deployment script Tricks 19 #!/usr/bin/ansible-playbook - hosts: localhost vars_prompt: - name: app_name prompt: “Which app do you want to deploy?” default: mainapp - name: app_version prompt: “Choose version/tag (default HEAD)” default: ‘HEAD’ tasks: - git: repo=git@myreposerver/{{app_version}} version={{app_version}} ... bin/deploy Normal Interactive command When using cron: - pass in extra vars - let it use defaults
  • 20. 3 plays that can run in parallel Tricks: parallel playbook execution 20 - name: play1 hosts: all gather_facts: false tasks: - debug: msg=starting1 - wait_for: timeout=10 - debug: msg=ending1 - name: play2 hosts: all gather_facts: false tasks: - debug: msg=starting2 - wait_for: timeout=14 - debug: msg=ending2 - name: play3 hosts: all gather_facts: false tasks: - debug: msg=starting3 - wait_for: timeout=16 - debug: msg=ending3 play1.yml play3.ymlplay2.yml Sometimes you don’t want to run stuff serially .. if only ansible-playbook ran in parallel!
  • 21. From the command line Tricks: parallel playbook execution 21 #> time ansible-playbook play?.yml real 0m40.691s user 0m1.371s sys 0m0.353s #>time parallel ansible-playbook {} ::: play?.yml real 0m16.816s user 0m3.928s sys 0m0.848s #> time $(ls play?.yml|xargs -n1 -P3 ansible-playbook) real 0m16.788s user 0m3.963s sys 0m0.842s - Ansible is unix tool, many other tools do parallel - Several options to run in parallel - Easy to redirect output - manage resources with nice and ionice - use with inotify, tcpserver, cron, at … even with procmail filters
  • 22. ansible-meta? Tricks: parallel playbook execution 22 - name: really trying hard to avoid shell scripts hosts: localhost gather_facts: False tasks: - shell: ansible-playbook play1.yml async: 10000 poll: 0 - shell: ansible-playbook play2.yml async: 10000 poll: 0 - shell: ansible-playbook play3.yml async: 10000 poll: 0 #>time ansible-playbook async.yml real 0m3.572s user 0m0.497s sys 0m0.105s
  • 23. Less typing! Tricks: parallel playbook execution 23 - name: really trying hard to avoid shell scripts v2 hosts: localhost gather_facts: False tasks: - shell: ansible-playbook play{{item}}.yml async: 10000 poll: 0 with_items: [1,2,3] #>time ansible-playbook async2.yml real 0m3.531s user 0m0.463s sys 0m0.107s
  • 24. ansible-meta … with results! Tricks: parallel playbook execution 24 - name: really trying hard to avoid shell scripts v3 hosts: localhost gather_facts: False tasks: - shell: ansible-playbook play{{item}}.yml async: 10000 poll: 0 with_items: [1,2,3] register: runplays - async_status: jid={{runplays.results[item.index].ansible_job_id}} resgister: jobs until: jobs.finished with_indexed_items: [1,2,3] retries: 100 #>time ansible-playbook async3.yml real 0m24.140s user 0m1.239s sys 0m0.265s
  • 25. Static vs Dynamic TIPS: includes 25 - Beginning in 2.0 includes can be dynamic, loops, conditionals! - Static includes are not real tasks, dynamic includes … almost are - Only task includes can be dynamic, play includes are always static - Dynamic includes do not show included tasks in --list-tasks/tags - Handler includes are static by default (both types have config setting) - Task includes have dynamic include detection, use static: yes|no (>=2.1) directive to control - Task behaviour can change in each case
  • 26. dynamic include loops TIPS: includes 26 - hosts: localhost gather_facts: False tasks: - include: test.yml with_items: [1,2] static: yes - set_fact: outer={{item}} - debug: msg="{{outer}} and {{item}}" with_items: ['a','b'] TASK [debug] ******************************************************** ok: [localhost] => (item=a) => { "item": "a", "msg": "1 and a" } ok: [localhost] => (item=b) => { "item": "b", "msg": "1 and b" } TASK [debug] ******************************************************** ok: [localhost] => (item=a) => { "item": "a", "msg": "2 and a" } ok: [localhost] => (item=b) => { "item": "b", "msg": "2 and b" } play.yml test.yml Since 2.1 you can use loop_control instead of set_fact
  • 27. New in 2.2 Tricks: include_role 27 - hosts: localhost tasks: - package: name={{httpd}} state=latest - include_role: name: webapp tasks_from: install.yml - service: name={{httpd}} state=started - include_role: name: webapp tasks_from: configure.yml vars_from: “{{ansible_os}}.yml” with_items: “{{ applications }}”
  • 28. Multiple notification TIPS: fun with handlers 28 - hosts: all tasks: - name: configure nginx template: src=nginx.j2 dest=/etc/nginx.conf notify: - restart_uwcgi - restart_nginx handlers: - name: restart_uwcgi service: name=uwcgi state=restarted - name: restart_nginx service: name=nginx state=restarted - Most flexible - Can get repetitive - List can be a variable
  • 29. Chaining handlers TIPS: fun with handlers 29 - hosts: all tasks: - name: configure nginx template: src=nginx.j2 dest=/etc/nginx.conf notify: restart_nginx_cluster handlers: - name: restart_nginx_cluster service: name=uwcgi state=restarted notify: restart_nginx - name: restart_nginx service: name=nginx state=restarted - Call observes definition order - Cannot call previous - Less flexible - Can call middle of chain
  • 30. Grouping handlers TIPS: fun with handlers 30 - hosts: all tasks: - name: configure nginx template: src=nginx.j2 dest=/etc/nginx.conf notify: restart_nginx_cluster handlers: - name: restart_nginx_cluster wait_for: seconds=1 changed_when: true notify: [‘restart_uwcgi’, ‘nginx’] - name: restart_uwcgi service: name=uwcgi state=restarted - name: restart_nginx service: name=nginx state=restarted - Still flexible - Less repetition - Needs dummy task - Also relies on chain - List can be a variable
  • 31. listen! new in 2.2 TIPS: fun with handlers 31 - hosts: all tasks: - name: configure nginx template: src=nginx.j2 dest=/etc/nginx.conf notify: restart_nginx_cluster handlers: - name: restart_uwcgi service: name=uwcgi state=restarted listen: restart_nginx_cluster - name: restart_nginx service: name=nginx state=restarted listen: restart_nginx_cluster - Still flexible - Less repetition - listen is not unique - Does not rely on chain - List can be a variable
  • 32. include as handler TIPS: fun with handlers 32 - hosts: all tasks: - name: configure nginx template: src=nginx.j2 dest=/etc/nginx.conf notify: restart_nginx_cluster handlers: - name: restart_nginx_cluster include: nginx_cluster_restart.yml static: no - Only dynamic includes - Include itself is handler - File can be variable - Also toggleable from config
  • 33. #>exit - Ansible is flexible, many ways to do things - Choice can be daunting - Easy to make mistakes, easy to correct them - “Best” is relative, depends on context, test it! 33