OSCamp 2019 | #3 Ansible: Is that an ansible? by Felix Frank

16/05/2019 Is that an Ansible? Stop Using It Like a Puppet - OSCamp 2019 - Felix Frank
localhost:8000/2019-renewed-ansible-v-puppet.html?print-pdf#/ 1/120
IS THAT AN ANSIBLE?IS THAT AN ANSIBLE?
STOP HOLDING IT LIKE A PUPPET.STOP HOLDING IT LIKE A PUPPET.
OSCamp 2019, Berlin
Felix Frank, Systems Architect
The unbelievable Machine Company GmbH

WHAT? WHO NOW?WHAT? WHO NOW?
Felix (probably not literally a cat)
old command line geezer
open source vagabond
config management nerd
would've come here by bicycle

A text

The pig go. The pig put foot. Grunt.
The dove fly. The dove
drop something. The pig
disgusting. Rattle with dove.
The pig leave. Produce is chicken wing.
No Quack.
Go is to the fountain.
Foot in what? ketchup. Fly is in sky.
The something on the pig.
The pig rattle. The dove angry.
The dove produce.
With wing bark.

Guess the author?

The story goes as follows.

Don't use blatantly wrong tools.

When all you have
is a hammer,
everything looks like a nail

NO QUACK.NO QUACK.

Welcome to Ansible session 2

Benefits of config management
No manual tinkering. No wiki install guides.

Repeatable setup

Infrastructure as Code

Let's model a webserver

In Puppet
Class
varnish
Class
apache
Class
jvm

Class
varnish
Class
apache
Class
jvm
Package
varnish
Package
apache2
Package
open-jdk-8
File
/etc/default/varnish
File
default.vcl
File
httpd.conf
File
jce.zip
Exec
unzip jce.zip
Service
varnish
Service
apache2
vhost
corporate
vhost
ads

Class
varnish
Class
apache
Class
jvm
Package
varnish
Package
apache2
Package
open-jdk-8
File
File
default.vcl
File
httpd.conf
File
jce.zip
Exec
unzip jce.zip
Service
varnish
Service
apache2
vhost
corporate
vhost
ads

Ansible: Similar but diﬀerent

In Ansible
Role
varnish
Role
apache
Role
jvm

Role
varnish
Role
apache
Role
jvm
Apt
varnish
Apt
apache2
Apt
open-jdk-8
File
File
default.vcl
File
httpd.conf File
jce.zip
Unarchive
jce.zip
Service
varnish
Service
apache2
vhost
corporate
vhost
ads

requirement
Role
varnish
Role
apache
Role
jvm
Apt
varnish
Apt
apache2
Apt
open-jdk-8
File
File
default.vcl
File
httpd.conf File
jce.zip
Unarchive
jce.zip
Service
varnish
Service
apache2
vhost
corporate
vhost
ads

Architecture: Puppet
Master
Agent
Facter
Agent
Facter
Agent
Facter
Manifest
node A {
include B
}
PuppetDB
Hiera
API
Master API

Architecture: Ansible
Ansible
Initiator
Host
Playbook
hosts: webtier
roles:
- apache
Inventory
Hosts
[group A]
...
[group B]
Variables
group A: {
...
}
ssh
Host
ssh
Host
ssh
Host
ssh

Naming Things is Hard
Puppet Ansible
resource type module
module role
role group (more or less)
resource task

Working with: Puppet
Editing code and data
Puppet manifests
Hiera data stores

class nodejs::install {
$npmrc_auth = $::nodejs::npmrc_auth
if $caller_module_name != $module_name {
fail("Use of private class ${name} by ${caller_module_name}")
}
# npm is a Gentoo USE flag
if $::operatingsystem == 'Gentoo' {
package_use { $nodejs::nodejs_package_name:
ensure => present,
target => 'nodejs-flags',
use => $nodejs::use_flags,
before => Package[$nodejs::nodejs_package_name],
}

---
nodejs::npm_path: /opt/osdc/npm/bin/npm
nodejs::manage_package_repo: false
nodejs::repo_proxy: "10.17.81.121"
nodejs::repo_proxy_username: sys
nodejs::repo_proxy_password: o0psThisisS3cre3t
apache::default_vhost: stage_site
apache::user: fitz

Modules are available from the Puppet Forge

web1
db1
web2
Profile: apache_customer1
Profile: apache_customer2
Profile: nginx
Profile: mysql
nginx
mysql
io_tuning
apache
Roles Profiles Modules
Custom code organized into Roles and Profiles

http://projects.theforeman.org/projects/foreman/wiki/Screenshots
Optionally use ENCs like the Foreman

http://maxpixel.freegreatpicture.com/Dream-Space-Sky-Galaxy-Magic-Unicorn-Fantasy-2035174
orchestration through MCollective

visualization with e.g. PuppetBoard

http://www.dailymail.co.uk/news/article-3152277/Dog-tor-Doolittle-Pet-pooch-friends-animals-loves-snuggling-hamster-bird-pals.html

Working with: Ansible
Write code in Ansible's YAML language:
structure things into roles
orchestrate roles across your infrastructure in playbooks

---
# roles/varnish/tasks/main.yml
- name: Install the varnish package
apt: name=varnish state=installed
- name: Write varnish config files
template: src={{ item.template }} dest={{ item.dest }} mode=0644
with_items:
- dest: /etc/default/varnish
src: etc_default_varnish.j2
- dest: /etc/varnish/default.vcl
src: etc_varnish_default.vcl.j2
- name: Manage varnish service
i i i i

---
# playbooks/webtier.yml
- name: Provision webservers
hosts: web
roles:
- common
- apache
- name: Provision reverse proxies
hosts: proxies
roles:
- common
- varnish

Open Source Roles from Ansible Galaxy

customize machines and groups using
--- | ---
# inventory/group_vars/all/vars.yml | # inventory/group_vars/web/vars
ssh_enabled: true | ssh_root_login: true
ssh_root_login: false |
| password_hashes:
password_hashes: | root: ""
root: "$6$deadbeef" | felix: "{{ password_hashes.fe
felix: "$6$acceff00" | gitlab_ssh_key: "{{ vault_gitla
variables

Ansible
Initiator
Host
Playbook
hosts: webtier
roles:
- apache
Inventory
Hosts
[group A]
...
[group B]
Variables
group A: {
...
}
ssh
Host
ssh
Host
ssh
Host
ssh
run from anywhere using ssh

http://projects.theforeman.org/projects/foreman/wiki/Screenshots
Foreman supports Ansible as well

https://img.memecdn.com/youre-doing-it-wrong_o_195760.jpg
not very comfortable without Ansible Tower
(now awx)

We've seen the parallels
Nowforthediﬀerences

Puppet models systems
system state will (should) converge
equilibrium o en a er single transaction
each machine has a definitive catalog of state

The Puppet Model

Ansible models
distributed activity
structured like a script, convergence is up to the user
a play in a playbook is like a view or projection
assigns tasks to hosts, rather than state

The Ansible Model

In Summary

Ansible v Puppet

Or let's use a metaphor

Imagine your infrastructure
was a theatre stage

So don't try to push Ansible into a Puppet-shaped box.
https://img.memecdn.com/youre-doing-it-wrong_o_195760.jpg

Some Ansible tips
Having a site.yml is nice, but it should not be
the primary use case.
Running the code for all machines will become
too slow sooner or later.

Tags aren't very flexible.
Better to rely on single-purpose playbooks.
Create ad-hoc playbooks whenever you need.

Don't shoot for DRY on playbook level.
But do make DRY roles.

Take advice on best practices
from the upstream Ansible documentation
with a grain of salt.

Let's look at site.yml

Ansible in Puppet-like mode

Use the tooling.
Orchestrate

Proper Ansible

When to choose Ansible over Puppet
need to cover code deployments?
primarily managing switches and similar gear?
many use cases for "ad hoc" management?
ubiquitous Python but no Ruby?

When to choose Puppet over Ansible
managing only OS level system properties?
very heterogeneous environment?
you value power over simplicity?
ubiquitous Ruby but no Python?
(or Python 3 only?)
you are certain that scale will be huge

Should I combine both?
Only if you know what you are doing.
There is value in limiting your tool chain.

Finally, what's the best way to lead discussions about config
management tools?
Well...

http://www.mrwallpaper.com/wallpapers/man-tiger-hug-1024x1024.jpg
Thanks for listening!

We are filling many (not only tech) roles!
Check out our careers page

Questions?

Testing tools
Style Puppet Ansible
Preview --noop --check
Unit rspec-puppet N/A
Static catalog-diﬀ N/A
Acceptance beaker testinfra

@felis_rex / ﬀrank Puppet vs. Ansible CfgMgmtCamp 2018
Attributions
The Git logo, available under .
The Jenkins logo:
Creative Commons 3.0
https://jenkins.io/

OSCamp 2019 | #3 Ansible: Is that an ansible? by Felix Frank

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

OSCamp 2019 | #3 Ansible: Is that an ansible? by Felix Frank