Slides from a talk given at DevOps Toronto's monthly meetup held on Nov. 7, 2017 at Indigo Digital.
Abstract:
Immutable Infrastructure promises stability and repeatability for your environment and is considered by many to be the "enlightened stage" of an Infrastructure as Code practice. The benefits of immutability in infrastructure seem obvious: if you know a system has been created via automation that you trust, and hasn't been changed since creation, then making changes quickly seems far less risky. In a cloud-based environment, Immutable Infrastructure starts with trusted, immutable machine images. Building these images can quickly outgrow bespoke scripts, and this bespoke tooling quickly begins to feel like you're duplicating effort if you already have configuration management in house.
In this talk, HashiCorp's Packer will be paired with Ansible to iteratively build and test an immutable AWS AMI. The techniques and workflow should be transferable to other configuration management tools (Chef, Puppet, Salt, et cetera) or cloud platforms (GCP, Azure, OpenStack, et cetera).
4. @redmind
im· mu· ta· ble
/i(m)ˈmyo͞odəb(ə)l/
adjective
Unchanging over time or unable to be changed.
“an immutable fact”
synonyms: fixed, set, rigid, inflexible, permanent, established, carved in stone
5. Immutability in DevOps
• Promises stability and repeatability
• What’s this got to do with DevOps?
Fast deploys?
On-demand scaling?
Business Velocity and Quality?
• Peak Infrastructure as Code?
@redmind
7. Toolchain: Packer
• Entirely focused on building machine images
• Similar core concepts to other tools in the “HashiStack”
Builders
Provisioners
• We define Templates made up of collections of Builders and Provisioners
• We build Artifacts with Templates
• Packer has first-class Builder support for most cloud and virtualization
platforms
• Packer has first-class Provisioner support for many configuration
management tools
@redmind
8. Toolchain: Ansible
• Popular, agentless, Python-based Configuration Management
• Made up of Playbooks, Roles, Tasks and Modules
Rich module library and community
• Maybe lacking a bit of workflow guidance…
• Has the ability to build AMIs natively?!
@redmind
9. Toolchain: Molecule
• A(n opinionated) solution to the Ansible role development workflow problem
• Inspired by Test-Kitchen, but is Python based so you don't need a full Ruby stack to do Ansible development
• Molecule will help you write better Ansible roles
@redmind
10. Toolchain: TestInfra
• Aims to be a Serverspec equivalent written in Python
• Plugin to Pytest
• One of the two test frameworks natively supported by Molecule
@redmind
11. Toolchain: CircleCI
• In-repo, YAML-based CI tool
• CircleCI 2 is new(ish) and has native Docker support
• Frankly, it meant I didn’t have to set up Jenkins…
@redmind
12. Building Trust
• Trust may well be “Immutability’s Chasm”
• Getting to shipping images to environments is about trust
• We build trust with Pipelines and tests
@redmind
13. Building Trust: Ansible Role
• Writing roles, testing, and versioning them independently means they're real software
Reusable automation libraries
• You manage dependencies with ansible-galaxy
• Molecule helps us write better roles
an opinionated workflow that lets us focus on developing the role
@redmind
14. Building Trust: Ansible Role
• One repo-per-role has three major advantages
you can make breaking changes (because tags are wonderful)
you can re-use the role in a variety of ways and places
you have gained good Separation of Concerns
• Role testing is -- largely -- unit testing
Molecule has support for integration and sophisticated clustering scenarios
@redmind
15. Building Trust: Ansible Role
@redmind
Pipeline stages: Checkout → Syntax Check → Setup Test Environment → Converge → Idempotence Check → Lint → Verify → Cleanup
16. Building Trust: Ansible Role
@redmind
<10 000ft repository view>
https://github.com/jharley/ansible-example-base
17. Building Trust: Packer Image
• Packer is a specialized tool focused on building image artifacts
• It makes some difficult things quite elegant and easy
encryption
sharing between accounts
parallelization of the build
@redmind
18. Building Trust: Packer Image
• Simple example goes a long way
• Single Builder with a Provisioner pipeline
ebs_builder - creates an AMI by launching an EC2 instance from a source AMI
• Build a base image for your organization
Use a base role (or a collection of roles you view as the baseline for your environments)
• As you build more purpose-built images, this trusted base offers you a lot of “organizational boilerplate” you no longer need to worry about
You also don’t need to test what you trust nearly as much
@redmind
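A Packer template of the shape slides 17 and 18 describe, added here as an example and not taken from the talk or from the linked repository: a single amazon-ebs builder that launches an instance from a source AMI, an Ansible provisioner that applies a base role, and the builder options for boot-volume encryption and cross-account sharing. The playbook and requirements file names, the KMS key and account placeholders, and the tag names are assumptions.

```json
{
  "variables": {
    "aws_region": "us-east-1",
    "kms_key_id": "KMS_KEY_ID_PLACEHOLDER",
    "share_with_account": "AWS_ACCOUNT_ID_PLACEHOLDER",
    "base_role_version": "v1.0.0"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "{{user `aws_region`}}",
      "instance_type": "t2.micro",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
          "root-device-type": "ebs"
        },
        "owners": ["099720109477"],
        "most_recent": true
      },
      "ssh_username": "ubuntu",
      "ami_name": "example-base-{{timestamp}}",
      "encrypt_boot": true,
      "kms_key_id": "{{user `kms_key_id`}}",
      "ami_users": ["{{user `share_with_account`}}"],
      "tags": {
        "Name": "example-base",
        "BaseRoleVersion": "{{user `base_role_version`}}",
        "Verified": "false"
      }
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": ["sudo apt-get update", "sudo apt-get install -y python"]
    },
    {
      "type": "ansible",
      "playbook_file": "playbook.yml",
      "galaxy_file": "requirements.yml",
      "extra_arguments": ["--extra-vars", "build_env=packer"]
    }
  ]
}
```

The shell step exists only because the Ansible of that era needs a Python interpreter on the target, and `ami_users` only works with an encrypted image when `kms_key_id` names a customer-managed key the other account is allowed to use; the `Verified` tag is left `false` so a later verification stage can flip it after launching and testing the image.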
19. Building Trust: Packer Image
@redmind
Pipeline stages: Checkout → Setup Build Environment → Validate Template → Build & Provision Image → Launch and Verify Image → Tag Image as Verified
22. Immutability and Configuration
• This is the most challenging bit
No magic bullets…
• Often specific to your applications and environments
• Common solutions
user-data
tags
DNS
AWS EC2 Systems Manager (SSM)
ZooKeeper
Consul and Vault
@redmind
23. Immutability and Configuration
• Build AMIs that are ~90% configured
• Finish on boot with environment-aware introspection
• Build sources of truth for your environment that meet your needs, operational comfort, and security posture
• Don’t get caught up in semantics…
@redmind