SlideShare a Scribd company logo

Ansible, best practices

Bas Meijer
Bas Meijer

Title: Ansible, best practices. Ansible has taken a prominent place in the configmanagement world. By now many people involved in DevOps have taken a look at it, or done a first project with it. Now it is time to step back and look at quality and craftmanship. Bas Meijer, Ansible ambassador, will talk about Ansible best practices, and will show tips, tricks and examples based on several projects. About the speaker Bas is a systems engineer and software developer and wasted decades on latenight hacking. He is currently helping out 2 enterprises with continuous delivery and devops.

Engineering
1 of 44
Download to read offline
Ansible, best practices. Bas Meijer 2016 Amsterdam
Topics in this workshop • Ansible. • Get organized. • Format with style. • Inventories and
 environments. • Variable precendence. • A vault with secrets. • Build quality in. • Roles in detail. • Managing efforts. • Benchmarking where you are. 2
What is Ansible? • A radically simple IT automation engine for: • cloud provisioning • configuration management • application construction and deployment • intra-service orchestration • many other IT needs 3
Why Ansible? • Simple to learn and share. Easy to audit. • Global open source community. • Minimal requirements. • Secure, only SSH. • Integrates really well with cloud, Docker, etc. • Role-based access & delegation in Tower. 4
Application Construction • vagrant, local mode • packer, image creation • docker build • cloud & bare metal provisioning • deployment & remote execution 5
Get organized • Try to schedule provisioning and deployment as early and often as possible. • Roll-out changes, in stages, to all environments using a CI server and Tower. • Use the same playbooks in each environment. • Create playground environments to test things. 6
Be Idempotent • Same operation? Same result, again & again. • Ensure no changes unless things change. • No uncertainty: describe desired state. • System life cycle as transaction log, accounts for all changes done on purpose. 7
Use version control • Collaboration and preservation. • Local validation, merge-requests, tests. • git-flow: audit trail / 4 eyes. • Role sharing / joy of modular playbooks. • Galaxy & GitHub have a wealth of stuff. 8
Git version control • git init • git add playbook.yml inventory • git commit -m "why I made changes" -a • git push, after you tested those changes • echo ansible.cfg >> .gitignore 9
Keep it simple • If you can make it simple, make it simple. • If something feels complicated, it probably is. • Do one thing at a time, commit related changes. • Make it readable for your succesor. • Always define state. 10
Organize your content • Format playbooks: with native YAML style. • Magic happens when you put your files in the right locations. • Editors use file extensions for syntax coloring. • Version control and Ansible go hand in hand. 11
Whitespace and comments • # comments start with a hash-mark. • Yml indents with 2 spaces. • White space helps readability. • Add a blank line before vars, roles, tasks, handlers. 12
Directory layout • group_vars • host_vars • roles 13 ansible.cfg # parameters that affect running ansible inventory/ # an inventory defines an environment hosts # defines the hosts in an inventory group_vars/ # here we assign variables to particular groups all # global variables for all groups dbservers/ # directory for dbservers group secrets # -- encrypted variables for dbservers group vars # -- plaintext variables for dbservers group group2 # plaintext variables for group2 host_vars/ # here we assign variables to particular hosts hostname1 # if systems need specific variables, put them here hostname2 # “” site.yml # master playbook webservers.yml # playbook for webserver tier dbservers.yml # playbooke for database tier galaxy_roles/ # roles imported from galaxy roles/ # in-house roles common/ # this hierarchy represents a “role" tasks/ # 'tasks' contains the actions that implement role main.yml # -- main.yml could include other files if warranted handlers/ # 'handlers' can be notified by tasks on change main.yml # -- handlers file often defines service actions templates/ # files for use with the template module hosts.j2 # -- Jinja templates, should end in .j2 files/ # 'files' is the start for relative paths
Format your playbooks • shebang #! • use a name • tags in header • blank lines • linebreak=80 • align args 14 #!/usr/bin/env ansible-playbook - name: 'install.yml' # quote names for syntax highlighting hosts: localhost # scope the play appropriately connection: local # gather_facts: False # booleans: /^(y|yes|n|no|true|false|on|off)$/i tags: # use tags for plays, and actions - preparation vars: # use group_vars for environment specifics - url: "https://galaxy.ansible.com" # quote when value has ':' tasks: # list tasks, but consider using a role - name: 'check network' # format parameters for small terminal size uri: # the best way is to use 'Native YML' format url: "{{ url }}" method: HEAD return_content: no status_code: 200 timeout: 60 follow_redirects: all - name: 're-import roles from Galaxy' command: ansible-galaxy install --force -r roles/requirements.yml
Tag all the things • Tags help organizing playbooks. • Tags can help in testing. • You can run or skip parts of playbooks: --tags=only,run,these,tags --skip-tags=tags,to,skip 15
Deployment vs configuration • Deploy all? • --tags • --limit • Ad-Hoc • playbooks/ 16 ansible-playbook -i production site.yml -vv ansible-playbook -i production site.yml --limit webservers ansible-playbook -i production site.yml --tags ntp ansible-playbook -i acceptance dbservers.yml --tags restore
Start your model with the inventory • Hosts used in infrastructure/ cloud • Arbitrary grouping • Can be used for staging (vagrant, int, acc, prod). 17 [local] 127.0.0.1 ansible_connection=local [vagrant:children] control dbservers webservers [control] control.example.com [dbservers] sql.example.com [webservers] web.example.com 
 [vagrant:vars] ansible_ssh_user=vagrant
 ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key
Inventories • Ansible Tower keeps inventories and credentials securely. • If you have another system maintaining a list of systems in your infrastructure, use it for your dynamic inventory. • Executable inventory file must emit JSON. • Use .ini files for static inventories. 18
Stage your environments • Use separate inventories for stages like 'test' and 'production'. • Target an environment with the -i flag. • Test things first in a stage environment before running them in 'production'. • Use group_vars to manage differences. 19
Import Ansible inventories To import an existing static inventory and the accompanying host and group vars into Tower, your inventory should be in a structure that looks similar to the following (don’t use subdirs): inventory/ group_vars mygroup host_vars myhost hosts 20
Import Ansible inventories 1.076 INFO Group "webservers" added 1.108 INFO Host "127.0.0.1" added 1.120 INFO Host "control" added 1.127 INFO Host "sql" added 1.134 INFO Host "web" added 1.158 INFO Group "webservers" added as child of "vagrant" 1.203 INFO Host "control" added to group "control" 1.223 INFO Host "sql" added to group "dbservers" 1.238 INFO Host "127.0.0.1" added to group "local" 1.257 INFO Host "web" added to group "webservers" 1.362 INFO Inventory import completed for "imported" (id=3) in 0.5s 21 tower-manage inventory_import —source=inventory --inventory-name="inventory"
Variables • All systems are not exactly alike, use variables to deal with differences. • Separate environment/staging data from configuration. • Use the template language Jinja2. 22 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 {% for item in groups['vagrant'] %} {{ hostvars[item]['ansible_ssh_host'] }} {{ item }} {% endfor %}
Group variables • Hosts are listed in the inventory under [groups] • The group_vars directory has the configuration data in files and folders. • Use a file for each group with its variable values. • Check and compare group_vars files often. 23
Use vars to define your values • Roles have defaults. • group_vars is for overrides. • 'all' is for globals 24 --- # file: group_vars/all
 # here we assign variables to all groups ansible_user: ansible google_nameserver: 8.8.4.4 dns_nameserver: "{{ google_nameserver }}" pg_host: sql pg_ip: 192.168.20.22 pg_subnet: 192.168.20.0/24 log_host: sql log_host_ip: 192.168.20.22
Use ansible-vault for secrets • Use ansible- vault to store secrets safely. • Use subdirs in group_vars • vars + secrets 25 $ touch group_vars/dbservers/secrets $ ansible-vault encrypt group_vars/dbservers/secrets Vault password: Confirm Vault password: Encryption successful $ ansible-vault edit group_vars/dbservers/secrets Vault password: $ cat group_vars/dbservers/secrets $ANSIBLE_VAULT;1.1;AES256 3062316463633730306431356539336165643734373939623564386133626537313865396530386 3933306333636164353330393137633061653230366664310a31373432336330626135333930643 3162373237393333366665666564613565663735636664623133616132383831366163623261336 6431636132373036300a66663333613537636132616363396162623139643339353366306430633 65306365323836633838306639336230383039353035343239306432313535326633
Variable precendence 26
ansible_ssh_user • Don't login as root • Don't use service account interactively
 echo logout > ~/.bash_profile • Settle on become_method: sudo/su/doas • Consider to use signed ssh keys. TrustedUserCAKeys /etc/ssh/ca_key.pub
 AuthorizedKeysFile /dev/null 27
Ansible modules • Ansible comes with hundreds of modules. • Avoid using command as much as possible. • Modules return JSON data that you can use. • Modules report about state, about change. • Modules deal with the corner cases. • Write a module for a resource if there is none. 28
Use this file: ansible.cfg • current directory • home directory • /etc/ansible/ ansible.cfg
 Has/hides ansible- playbook options so your commands can be short. 29 [defaults] hostfile = vagrant.ini host_key_checking = False ask_vault_pass = True retry_files_enabled = False executable = sh remote_tmp= log_path = /tmp/ansible_run.log gather_facts = smart roles_path = galaxy_roles:roles:/etc/ansible/roles [privilege_escalation] become_method = sudo [ssh_connection] scp_if_ssh = True pipelining = True
Blocks • Error handling 30 --- - name: 'blocks.yml' hosts: localhost connection: local tasks: - block: - debug: msg: 'i execute normally' - command: /usr/bin/false - debug: msg: 'i never execute, cause ERROR!' rescue: - debug: msg: 'I caught an error' - command: /usr/bin/false - debug: msg: 'I also never execute :-(' always: - debug: msg: "this always executes"
Add tests to your playbooks • --tags test • fail early. • keep adding test cases. 31 - name: 'verify listening on port 9200' wait_for: port: 9200 host: "{{ inventory_hostname }}” timeout: 5 tags: - test - name: 'query cluster health' uri: url: "http://{{inventory_hostname}}:9200/_cluster/health?pretty" register: cluster tags: - test - name: 'verify that nodes have joined the cluster' assert: that: - cluster.json.number_of_data_nodes != 0 tags: - test
Manage your dependencies requirements.txt:
 extra Python packages for modules.
 
 requirements.yml:
 list of extra roles to import. 32 apache-libcloud azure boto ConfigParser cs django docker-py dopy httplib2 linode-python netaddr psycopg2 pycrypto pycurl pysphere python-keyczar python-keystoneclient python-novaclient python-quantumclient pretty pyrax requests shade wsgiref zmq @ roles/requirements.yml # galaxy role - src: hostclick.tomcat # role in git - src: https://github.com/bbaassssiiee/RHEL6-STIG.git version: devel
Separate top level playbooks by role • --limit 33 #!/usr/bin/env ansible-playbook # master playbook - name: 'site.yml' hosts: all:!local remote_user: "{{ ansible_user }}" - include: dbservers.yml - include: webservers.yml #!/usr/bin/env ansible-playbook # playbook for dbserver tier - name: 'dbservers.yml' hosts: dbservers become: yes gather_facts: True roles: - common - postgres
Decouple roles • Roles are ways of automatically loading certain vars_files, tasks, and handlers based on a known file structure. • Grouping content by roles also allows easy sharing of roles with other users. • http://galaxy.ansible.com 34 ssh |-- files | `-- bash_profile |-- handlers | `-- main.yml |-- tasks | `-- main.yml `-- templates |-- ssh_config.j2 `-- sshd_config.j2
Roles precendence • Separate your own roles and Galaxy roles. • Leave room for “corporate roles”. • Configure roles_path to search for roles. • galaxy_roles:roles:/etc/ansible/roles 35
Organization of a role • defaults • files • handlers • library • meta • tasks/main.yml • templates • tests • vars 36 --- - name: 'ensure package ntp is installed' package: name: ntp state: latest tags: - ntp - name: 'build and write /etc/ntp.conf file' template: src: ntp.conf.j2 dest: /etc/ntp.conf owner: root group: root mode: 0644 notify: - restart ntpd tags: - ntp
Handlers for a role • defaults • files • handlers • library • meta • tasks • templates • tests • vars 37 --- - name: restart ntpd service: name: ntpd state: restarted
Templates for a role • defaults • files • handlers • library • meta • tasks • templates • tests • vars 38 tinker panic 0 restrict 127.0.0.1 restrict default kod nomodify notrap # NTP server pool, use 3 minimally {% for server in ntp_servers %} server {{ server }} {% endfor %} driftfile /var/lib/ntp/drift # Avoid using the local clock server 127.127.1.0 # local clock fudge 127.127.1.0 stratum 10
Default vars for a role • defaults/main.yml • files • handlers • library • meta • tasks • templates • tests • vars 39 --- # ntp ntp_servers: # use nearby ntp servers if available - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org
Bundling modules with a role • defaults • files • handlers • library/pam.py • meta • tasks/main.yml • templates • tests • vars 40 --- - name: 'Disable accounts after three login failures in a 15-minute interval.' pam: service: "{{ item }}" type: auth control: required pam_module: pam_faillock.so before_line: auth sufficient pam_unix.so try_first_pass arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 state: present with_items: - password-auth - system-auth tags: - pam
Management 41 • Is the team applying best practice and common principles when building / configuring applications and environments? • Is the team automating the deployment and promotion process for applications and environments? • Is the team validating functional and non-functional requirements (automatically) before promoting applications to Production environments? • Is the team providing and receiving the feedback needed to be in control of the solutions they are responsible for? • Is the team pro-actively collaborating with other teams to integrate applications and environments and share technical knowledge?
Benchmarks 42 A good Config Management Strategy should allow to answer all of the following questions with „yes“: • Can I exactly reproduce any of my environments, including the version of the operating system, its patch level, the network configuration, the SW stack, the application deployed into it, and their configuration? • Can I easily make an incremental change to any of these individual items and deploy the change to any, and all, of my environments? • Can I easily see each change that occurred to a particular environment and trace it back to see exactly what the change was, who made it, and when? • Can I satisfy all of the compliance regulations that I am subject to? • Is it easy for every member of the team to get the information that they need, and to make the changes that they need to make? Or does the strategy get in the way of efficient delivery, increasing cycle time and decreasing feedback?
Download final project brew install python ansible
 
 git clone https://github.com/bbaassssiiee/lunchbox
 cd lunchbox
 vagrant up --no-provision
 ansible-playbook -v install.yml
 ansible-playbook -v site.yml Requires: VirtualBox, Vagrant 43
Ansible, best practices. Bas Meijer 2016 Amsterdam

Recommended

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction Robert Reiz
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...Simplilearn
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansibleOmid Vahdaty
 
Automating with Ansible
Automating with AnsibleAutomating with Ansible
Automating with AnsibleRicardo Schmidt
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansiblesriram_rajan
 
Ansible - Hands on Training
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on TrainingMehmet Ali Aydın
 

Recommended

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction Robert Reiz
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...Simplilearn
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansibleOmid Vahdaty
 
Automating with Ansible
Automating with AnsibleAutomating with Ansible
Automating with AnsibleRicardo Schmidt
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansiblesriram_rajan
 
Ansible - Hands on Training
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on TrainingMehmet Ali Aydın
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - IntroductionStephane Manciot
 
Ansible 101
Ansible 101Ansible 101
Ansible 101Gena Mykhailiuta
 
Ansible
AnsibleAnsible
AnsibleVishal Yadav
 
Ansible
AnsibleAnsible
AnsibleKnoldus Inc.
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansibleGeorge Shuklin
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleCoreStack
 
ansible why ?
ansible why ?ansible why ?
ansible why ?Yashar Esmaildokht
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Ansible
AnsibleAnsible
AnsibleKamil Lelonek
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
Ansible
AnsibleAnsible
AnsibleRahul Bajaj
 
Ansible
AnsibleAnsible
AnsibleRaul Leite
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationKumar Y
 
Ansible intro
Ansible introAnsible intro
Ansible introMarcelo Quintiliano da Silva
 
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...Simplilearn
 
DevOps with Ansible
DevOps with AnsibleDevOps with Ansible
DevOps with AnsibleSwapnil Jain
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with KubernetesEastBanc Tachnologies
 
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...SlideTeam
 
Ansible Playbook
Ansible PlaybookAnsible Playbook
Ansible PlaybookKnoldus Inc.
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with AnsibleBas Meijer
 
Ansible tips & tricks
Ansible tips & tricksAnsible tips & tricks
Ansible tips & tricksbcoca
 

More Related Content

What's hot

Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansibleGeorge Shuklin
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleCoreStack
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationKumar Y
 
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...Simplilearn
 
DevOps with Ansible
DevOps with AnsibleDevOps with Ansible
DevOps with AnsibleSwapnil Jain
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...SlideTeam
 

What's hot (20)

Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - Introduction
 
Ansible 101
Ansible 101Ansible 101
Ansible 101
 
Ansible
AnsibleAnsible
Ansible
 
Ansible
AnsibleAnsible
Ansible
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansible
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
 
Ansible
AnsibleAnsible
Ansible
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Ansible
AnsibleAnsible
Ansible
 
Ansible
AnsibleAnsible
Ansible
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Ansible intro
Ansible introAnsible intro
Ansible intro
 
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
Ansible Tutorial For Beginners | What Is Ansible And How It Works? | Ansible ...
 
DevOps with Ansible
DevOps with AnsibleDevOps with Ansible
DevOps with Ansible
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
 
Ansible Playbook
Ansible PlaybookAnsible Playbook
Ansible Playbook
 

Viewers also liked

docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with AnsibleBas Meijer
 
Ansible tips & tricks
Ansible tips & tricksAnsible tips & tricks
Ansible tips & tricksbcoca
 
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...Irakli Nadareishvili
 
V2 and beyond
V2 and beyondV2 and beyond
V2 and beyondjimi-c
 
Ansible roles done right
Ansible roles done rightAnsible roles done right
Ansible roles done rightDan Vaida
 

Viewers also liked (6)

docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
 
Ansible tips & tricks
Ansible tips & tricksAnsible tips & tricks
Ansible tips & tricks
 
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
 
Cyansible
CyansibleCyansible
Cyansible
 
V2 and beyond
V2 and beyondV2 and beyond
V2 and beyond
 
Ansible roles done right
Ansible roles done rightAnsible roles done right
Ansible roles done right
 

Similar to Ansible, best practices

ansible : Infrastructure automation,idempotent and more
ansible : Infrastructure automation,idempotent and moreansible : Infrastructure automation,idempotent and more
ansible : Infrastructure automation,idempotent and moreSabarinath Gnanasekar
 
Automated Deployment and Configuration Engines. Ansible
Automated Deployment and Configuration Engines. AnsibleAutomated Deployment and Configuration Engines. Ansible
Automated Deployment and Configuration Engines. AnsibleAlberto Molina Coballes
 
Ansible Tutorial.pdf
Ansible Tutorial.pdfAnsible Tutorial.pdf
Ansible Tutorial.pdfNigussMehari4
 
Introduction to Ansible - Jan 28 - Austin MeetUp
Introduction to Ansible - Jan 28 - Austin MeetUpIntroduction to Ansible - Jan 28 - Austin MeetUp
Introduction to Ansible - Jan 28 - Austin MeetUptylerturk
 
Ansible 101 - Presentation at Ansible STL Meetup
Ansible 101 - Presentation at Ansible STL MeetupAnsible 101 - Presentation at Ansible STL Meetup
Ansible 101 - Presentation at Ansible STL MeetupJeff Geerling
 
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)M Malai
 
Ansible is Our Wishbone
Ansible is Our WishboneAnsible is Our Wishbone
Ansible is Our WishboneMydbops
 
Ansible + WordPress - WordCamp Toronto 2016
Ansible + WordPress - WordCamp Toronto 2016Ansible + WordPress - WordCamp Toronto 2016
Ansible + WordPress - WordCamp Toronto 2016Alan Lok
 
Configuration primer
Configuration primerConfiguration primer
Configuration primerfeanil
 
Introduction to Ansible - Peter Halligan
Introduction to Ansible - Peter HalliganIntroduction to Ansible - Peter Halligan
Introduction to Ansible - Peter HalliganCorkOpenTech
 
Ansible @ WebElement 2015
Ansible @ WebElement 2015Ansible @ WebElement 2015
Ansible @ WebElement 2015Michal Maxian
 
Infrastructure testing with Molecule and TestInfra
Infrastructure testing with Molecule and TestInfraInfrastructure testing with Molecule and TestInfra
Infrastructure testing with Molecule and TestInfraTomislav Plavcic
 
Network Automation (NetDevOps) with Ansible
Network Automation (NetDevOps) with AnsibleNetwork Automation (NetDevOps) with Ansible
Network Automation (NetDevOps) with AnsibleAPNIC
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 
Ansible on aws - Pop-up Loft Tel Aviv
Ansible on aws - Pop-up Loft Tel AvivAnsible on aws - Pop-up Loft Tel Aviv
Ansible on aws - Pop-up Loft Tel AvivAmazon Web Services
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of AnsibleDevOps Ltd.
 
Ansible at work
Ansible at workAnsible at work
Ansible at workBas Meijer
 
Automating with ansible (Part A)
Automating with ansible (Part A)Automating with ansible (Part A)
Automating with ansible (Part A)iman darabi
 

Similar to Ansible, best practices (20)

ansible : Infrastructure automation,idempotent and more
ansible : Infrastructure automation,idempotent and moreansible : Infrastructure automation,idempotent and more
ansible : Infrastructure automation,idempotent and more
 
Automated Deployment and Configuration Engines. Ansible
Automated Deployment and Configuration Engines. AnsibleAutomated Deployment and Configuration Engines. Ansible
Automated Deployment and Configuration Engines. Ansible
 
Ansible Tutorial.pdf
Ansible Tutorial.pdfAnsible Tutorial.pdf
Ansible Tutorial.pdf
 
Introduction to Ansible - Jan 28 - Austin MeetUp
Introduction to Ansible - Jan 28 - Austin MeetUpIntroduction to Ansible - Jan 28 - Austin MeetUp
Introduction to Ansible - Jan 28 - Austin MeetUp
 
Ansible 101 - Presentation at Ansible STL Meetup
Ansible 101 - Presentation at Ansible STL MeetupAnsible 101 - Presentation at Ansible STL Meetup
Ansible 101 - Presentation at Ansible STL Meetup
 
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
Ansible is Our Wishbone(Automate DBA Tasks With Ansible)
 
Ansible is Our Wishbone
Ansible is Our WishboneAnsible is Our Wishbone
Ansible is Our Wishbone
 
Ansible + WordPress - WordCamp Toronto 2016
Ansible + WordPress - WordCamp Toronto 2016Ansible + WordPress - WordCamp Toronto 2016
Ansible + WordPress - WordCamp Toronto 2016
 
Configuration primer
Configuration primerConfiguration primer
Configuration primer
 
Introduction to Ansible - Peter Halligan
Introduction to Ansible - Peter HalliganIntroduction to Ansible - Peter Halligan
Introduction to Ansible - Peter Halligan
 
Ansible @ WebElement 2015
Ansible @ WebElement 2015Ansible @ WebElement 2015
Ansible @ WebElement 2015
 
DevOps for database
DevOps for databaseDevOps for database
DevOps for database
 
Infrastructure testing with Molecule and TestInfra
Infrastructure testing with Molecule and TestInfraInfrastructure testing with Molecule and TestInfra
Infrastructure testing with Molecule and TestInfra
 
Network Automation (NetDevOps) with Ansible
Network Automation (NetDevOps) with AnsibleNetwork Automation (NetDevOps) with Ansible
Network Automation (NetDevOps) with Ansible
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
 
Ansible on aws - Pop-up Loft Tel Aviv
Ansible on aws - Pop-up Loft Tel AvivAnsible on aws - Pop-up Loft Tel Aviv
Ansible on aws - Pop-up Loft Tel Aviv
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of Ansible
 
Ansible at work
Ansible at workAnsible at work
Ansible at work
 
Automating with ansible (Part A)
Automating with ansible (Part A)Automating with ansible (Part A)
Automating with ansible (Part A)
 

More from Bas Meijer

Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Bas Meijer
 
Azure VM base images with Packer, Ansble and Vagrant
Azure VM base images with Packer, Ansble and VagrantAzure VM base images with Packer, Ansble and Vagrant
Azure VM base images with Packer, Ansble and VagrantBas Meijer
 
Help! My app is being featured.
Help! My app is being featured.Help! My app is being featured.
Help! My app is being featured.Bas Meijer
 
Testing with Ansible
Testing with AnsibleTesting with Ansible
Testing with AnsibleBas Meijer
 
Fake IT, until you make IT
Fake IT, until you make ITFake IT, until you make IT
Fake IT, until you make ITBas Meijer
 

More from Bas Meijer (6)

Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020
 
Packer demo
Packer demoPacker demo
Packer demo
 
Azure VM base images with Packer, Ansble and Vagrant
Azure VM base images with Packer, Ansble and VagrantAzure VM base images with Packer, Ansble and Vagrant
Azure VM base images with Packer, Ansble and Vagrant
 
Help! My app is being featured.
Help! My app is being featured.Help! My app is being featured.
Help! My app is being featured.
 
Testing with Ansible
Testing with AnsibleTesting with Ansible
Testing with Ansible
 
Fake IT, until you make IT
Fake IT, until you make ITFake IT, until you make IT
Fake IT, until you make IT
 

Recently uploaded

Computer Graphics Introduction To Curves
Computer Graphics Introduction To CurvesComputer Graphics Introduction To Curves
Computer Graphics Introduction To CurvesChandrakantDivate1
 
Augmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptxAugmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptxMustafa Ahmed
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesChandrakantDivate1
 
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...ssuserdfc773
 
Path loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelPath loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelDrAjayKumarYadav4
 
👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...
👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...
👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...manju garg
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Ramkumar k
 
Electromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxElectromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxNANDHAKUMARA10
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdfKamal Acharya
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfsumitt6_25730773
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...josephjonse
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdfKamal Acharya
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...Amil baba
 
Query optimization and processing for advanced database systems
Query optimization and processing for advanced database systemsQuery optimization and processing for advanced database systems
Query optimization and processing for advanced database systemsmeharikiros2
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.Kamal Acharya
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 

Recently uploaded (20)

Computer Graphics Introduction To Curves
Computer Graphics Introduction To CurvesComputer Graphics Introduction To Curves
Computer Graphics Introduction To Curves
 
Signal Processing and Linear System Analysis
Signal Processing and Linear System AnalysisSignal Processing and Linear System Analysis
Signal Processing and Linear System Analysis
 
Augmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptxAugmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptx
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
 
Path loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelPath loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata Model
 
👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...
👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...
👉 Yavatmal Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top Class Call Girl S...
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
Electromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxElectromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptx
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdf
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
 
Query optimization and processing for advanced database systems
Query optimization and processing for advanced database systemsQuery optimization and processing for advanced database systems
Query optimization and processing for advanced database systems
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 

Ansible, best practices

  • 1. Ansible, best practices. Bas Meijer 2016 Amsterdam
  • 2. Topics in this workshop • Ansible. • Get organized. • Format with style. • Inventories and
 environments. • Variable precendence. • A vault with secrets. • Build quality in. • Roles in detail. • Managing efforts. • Benchmarking where you are. 2
  • 3. What is Ansible? • A radically simple IT automation engine for: • cloud provisioning • configuration management • application construction and deployment • intra-service orchestration • many other IT needs 3
  • 4. Why Ansible? • Simple to learn and share. Easy to audit. • Global open source community. • Minimal requirements. • Secure, only SSH. • Integrates really well with cloud, Docker, etc. • Role-based access & delegation in Tower. 4
  • 5. Application Construction • vagrant, local mode • packer, image creation • docker build • cloud & bare metal provisioning • deployment & remote execution 5
  • 6. Get organized • Try to schedule provisioning and deployment as early and often as possible. • Roll-out changes, in stages, to all environments using a CI server and Tower. • Use the same playbooks in each environment. • Create playground environments to test things. 6
  • 7. Be Idempotent • Same operation? Same result, again & again. • Ensure no changes unless things change. • No uncertainty: describe desired state. • System life cycle as transaction log, accounts for all changes done on purpose. 7
  • 8. Use version control • Collaboration and preservation. • Local validation, merge-requests, tests. • git-flow: audit trail / 4 eyes. • Role sharing / joy of modular playbooks. • Galaxy & GitHub have a wealth of stuff. 8
  • 9. Git version control • git init • git add playbook.yml inventory • git commit -m "why I made changes" -a • git push, after you tested those changes • echo ansible.cfg >> .gitignore 9
  • 10. Keep it simple • If you can make it simple, make it simple. • If something feels complicated, it probably is. • Do one thing at a time, commit related changes. • Make it readable for your succesor. • Always define state. 10
  • 11. Organize your content • Format playbooks: with native YAML style. • Magic happens when you put your files in the right locations. • Editors use file extensions for syntax coloring. • Version control and Ansible go hand in hand. 11
  • 12. Whitespace and comments • # comments start with a hash-mark. • Yml indents with 2 spaces. • White space helps readability. • Add a blank line before vars, roles, tasks, handlers. 12
  • 13. Directory layout • group_vars • host_vars • roles 13 ansible.cfg # parameters that affect running ansible inventory/ # an inventory defines an environment hosts # defines the hosts in an inventory group_vars/ # here we assign variables to particular groups all # global variables for all groups dbservers/ # directory for dbservers group secrets # -- encrypted variables for dbservers group vars # -- plaintext variables for dbservers group group2 # plaintext variables for group2 host_vars/ # here we assign variables to particular hosts hostname1 # if systems need specific variables, put them here hostname2 # “” site.yml # master playbook webservers.yml # playbook for webserver tier dbservers.yml # playbooke for database tier galaxy_roles/ # roles imported from galaxy roles/ # in-house roles common/ # this hierarchy represents a “role" tasks/ # 'tasks' contains the actions that implement role main.yml # -- main.yml could include other files if warranted handlers/ # 'handlers' can be notified by tasks on change main.yml # -- handlers file often defines service actions templates/ # files for use with the template module hosts.j2 # -- Jinja templates, should end in .j2 files/ # 'files' is the start for relative paths
  • 14. Format your playbooks • shebang #! • use a name • tags in header • blank lines • linebreak=80 • align args 14 #!/usr/bin/env ansible-playbook - name: 'install.yml' # quote names for syntax highlighting hosts: localhost # scope the play appropriately connection: local # gather_facts: False # booleans: /^(y|yes|n|no|true|false|on|off)$/i tags: # use tags for plays, and actions - preparation vars: # use group_vars for environment specifics - url: "https://galaxy.ansible.com" # quote when value has ':' tasks: # list tasks, but consider using a role - name: 'check network' # format parameters for small terminal size uri: # the best way is to use 'Native YML' format url: "{{ url }}" method: HEAD return_content: no status_code: 200 timeout: 60 follow_redirects: all - name: 're-import roles from Galaxy' command: ansible-galaxy install --force -r roles/requirements.yml
  • 15. Tag all the things • Tags help organizing playbooks. • Tags can help in testing. • You can run or skip parts of playbooks: --tags=only,run,these,tags --skip-tags=tags,to,skip 15
  • 16. Deployment vs configuration • Deploy all? • --tags • --limit • Ad-Hoc • playbooks/ 16 ansible-playbook -i production site.yml -vv ansible-playbook -i production site.yml --limit webservers ansible-playbook -i production site.yml --tags ntp ansible-playbook -i acceptance dbservers.yml --tags restore
  • 17. Start your model with the inventory • Hosts used in infrastructure/ cloud • Arbitrary grouping • Can be used for staging (vagrant, int, acc, prod). 17 [local] 127.0.0.1 ansible_connection=local [vagrant:children] control dbservers webservers [control] control.example.com [dbservers] sql.example.com [webservers] web.example.com 
 [vagrant:vars] ansible_ssh_user=vagrant
 ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key
  • 18. Inventories • Ansible Tower keeps inventories and credentials securely. • If you have another system maintaining a list of systems in your infrastructure, use it for your dynamic inventory. • Executable inventory file must emit JSON. • Use .ini files for static inventories. 18
  • 19. Stage your environments • Use separate inventories for stages like 'test' and 'production'. • Target an environment with the -i flag. • Test things first in a stage environment before running them in 'production'. • Use group_vars to manage differences. 19
  • 20. Import Ansible inventories To import an existing static inventory and the accompanying host and group vars into Tower, your inventory should be in a structure that looks similar to the following (don’t use subdirs): inventory/ group_vars mygroup host_vars myhost hosts 20
  • 21. Import Ansible inventories 1.076 INFO Group "webservers" added 1.108 INFO Host "127.0.0.1" added 1.120 INFO Host "control" added 1.127 INFO Host "sql" added 1.134 INFO Host "web" added 1.158 INFO Group "webservers" added as child of "vagrant" 1.203 INFO Host "control" added to group "control" 1.223 INFO Host "sql" added to group "dbservers" 1.238 INFO Host "127.0.0.1" added to group "local" 1.257 INFO Host "web" added to group "webservers" 1.362 INFO Inventory import completed for "imported" (id=3) in 0.5s 21 tower-manage inventory_import —source=inventory --inventory-name="inventory"
  • 22. Variables • All systems are not exactly alike, use variables to deal with differences. • Separate environment/staging data from configuration. • Use the template language Jinja2. 22 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 {% for item in groups['vagrant'] %} {{ hostvars[item]['ansible_ssh_host'] }} {{ item }} {% endfor %}
  • 23. Group variables • Hosts are listed in the inventory under [groups] • The group_vars directory has the configuration data in files and folders. • Use a file for each group with its variable values. • Check and compare group_vars files often. 23
  • 24. Use vars to define your values • Roles have defaults. • group_vars is for overrides. • 'all' is for globals 24 --- # file: group_vars/all
 # here we assign variables to all groups ansible_user: ansible google_nameserver: 8.8.4.4 dns_nameserver: "{{ google_nameserver }}" pg_host: sql pg_ip: 192.168.20.22 pg_subnet: 192.168.20.0/24 log_host: sql log_host_ip: 192.168.20.22
  • 25. Use ansible-vault for secrets • Use ansible- vault to store secrets safely. • Use subdirs in group_vars • vars + secrets 25 $ touch group_vars/dbservers/secrets $ ansible-vault encrypt group_vars/dbservers/secrets Vault password: Confirm Vault password: Encryption successful $ ansible-vault edit group_vars/dbservers/secrets Vault password: $ cat group_vars/dbservers/secrets $ANSIBLE_VAULT;1.1;AES256 3062316463633730306431356539336165643734373939623564386133626537313865396530386 3933306333636164353330393137633061653230366664310a31373432336330626135333930643 3162373237393333366665666564613565663735636664623133616132383831366163623261336 6431636132373036300a66663333613537636132616363396162623139643339353366306430633 65306365323836633838306639336230383039353035343239306432313535326633
  • 27. ansible_ssh_user • Don't login as root • Don't use service account interactively
 echo logout > ~/.bash_profile • Settle on become_method: sudo/su/doas • Consider to use signed ssh keys. TrustedUserCAKeys /etc/ssh/ca_key.pub
 AuthorizedKeysFile /dev/null 27
  • 28. Ansible modules • Ansible comes with hundreds of modules. • Avoid using command as much as possible. • Modules return JSON data that you can use. • Modules report about state, about change. • Modules deal with the corner cases. • Write a module for a resource if there is none. 28
  • 29. Use this file: ansible.cfg • current directory • home directory • /etc/ansible/ ansible.cfg
 Has/hides ansible- playbook options so your commands can be short. 29 [defaults] hostfile = vagrant.ini host_key_checking = False ask_vault_pass = True retry_files_enabled = False executable = sh remote_tmp= log_path = /tmp/ansible_run.log gather_facts = smart roles_path = galaxy_roles:roles:/etc/ansible/roles [privilege_escalation] become_method = sudo [ssh_connection] scp_if_ssh = True pipelining = True
  • 30. Blocks • Error handling 30 --- - name: 'blocks.yml' hosts: localhost connection: local tasks: - block: - debug: msg: 'i execute normally' - command: /usr/bin/false - debug: msg: 'i never execute, cause ERROR!' rescue: - debug: msg: 'I caught an error' - command: /usr/bin/false - debug: msg: 'I also never execute :-(' always: - debug: msg: "this always executes"
  • 31. Add tests to your playbooks • --tags test • fail early. • keep adding test cases. 31 - name: 'verify listening on port 9200' wait_for: port: 9200 host: "{{ inventory_hostname }}” timeout: 5 tags: - test - name: 'query cluster health' uri: url: "http://{{inventory_hostname}}:9200/_cluster/health?pretty" register: cluster tags: - test - name: 'verify that nodes have joined the cluster' assert: that: - cluster.json.number_of_data_nodes != 0 tags: - test
  • 32. Manage your dependencies requirements.txt:
 extra Python packages for modules.
 
 requirements.yml:
 list of extra roles to import. 32 apache-libcloud azure boto ConfigParser cs django docker-py dopy httplib2 linode-python netaddr psycopg2 pycrypto pycurl pysphere python-keyczar python-keystoneclient python-novaclient python-quantumclient pretty pyrax requests shade wsgiref zmq @ roles/requirements.yml # galaxy role - src: hostclick.tomcat # role in git - src: https://github.com/bbaassssiiee/RHEL6-STIG.git version: devel
  • 33. Separate top level playbooks by role • --limit 33 #!/usr/bin/env ansible-playbook # master playbook - name: 'site.yml' hosts: all:!local remote_user: "{{ ansible_user }}" - include: dbservers.yml - include: webservers.yml #!/usr/bin/env ansible-playbook # playbook for dbserver tier - name: 'dbservers.yml' hosts: dbservers become: yes gather_facts: True roles: - common - postgres
  • 34. Decouple roles • Roles are ways of automatically loading certain vars_files, tasks, and handlers based on a known file structure. • Grouping content by roles also allows easy sharing of roles with other users. • http://galaxy.ansible.com 34 ssh |-- files | `-- bash_profile |-- handlers | `-- main.yml |-- tasks | `-- main.yml `-- templates |-- ssh_config.j2 `-- sshd_config.j2
  • 35. Roles precendence • Separate your own roles and Galaxy roles. • Leave room for “corporate roles”. • Configure roles_path to search for roles. • galaxy_roles:roles:/etc/ansible/roles 35
  • 36. Organization of a role • defaults • files • handlers • library • meta • tasks/main.yml • templates • tests • vars 36 --- - name: 'ensure package ntp is installed' package: name: ntp state: latest tags: - ntp - name: 'build and write /etc/ntp.conf file' template: src: ntp.conf.j2 dest: /etc/ntp.conf owner: root group: root mode: 0644 notify: - restart ntpd tags: - ntp
  • 37. Handlers for a role • defaults • files • handlers • library • meta • tasks • templates • tests • vars 37 --- - name: restart ntpd service: name: ntpd state: restarted
  • 38. Templates for a role • defaults • files • handlers • library • meta • tasks • templates • tests • vars 38 tinker panic 0 restrict 127.0.0.1 restrict default kod nomodify notrap # NTP server pool, use 3 minimally {% for server in ntp_servers %} server {{ server }} {% endfor %} driftfile /var/lib/ntp/drift # Avoid using the local clock server 127.127.1.0 # local clock fudge 127.127.1.0 stratum 10
  • 39. Default vars for a role • defaults/main.yml • files • handlers • library • meta • tasks • templates • tests • vars 39 --- # ntp ntp_servers: # use nearby ntp servers if available - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org
  • 40. Bundling modules with a role • defaults • files • handlers • library/pam.py • meta • tasks/main.yml • templates • tests • vars 40 --- - name: 'Disable accounts after three login failures in a 15-minute interval.' pam: service: "{{ item }}" type: auth control: required pam_module: pam_faillock.so before_line: auth sufficient pam_unix.so try_first_pass arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 state: present with_items: - password-auth - system-auth tags: - pam
  • 41. Management 41 • Is the team applying best practice and common principles when building / configuring applications and environments? • Is the team automating the deployment and promotion process for applications and environments? • Is the team validating functional and non-functional requirements (automatically) before promoting applications to Production environments? • Is the team providing and receiving the feedback needed to be in control of the solutions they are responsible for? • Is the team pro-actively collaborating with other teams to integrate applications and environments and share technical knowledge?
  • 42. Benchmarks 42 A good Config Management Strategy should allow to answer all of the following questions with „yes“: • Can I exactly reproduce any of my environments, including the version of the operating system, its patch level, the network configuration, the SW stack, the application deployed into it, and their configuration? • Can I easily make an incremental change to any of these individual items and deploy the change to any, and all, of my environments? • Can I easily see each change that occurred to a particular environment and trace it back to see exactly what the change was, who made it, and when? • Can I satisfy all of the compliance regulations that I am subject to? • Is it easy for every member of the team to get the information that they need, and to make the changes that they need to make? Or does the strategy get in the way of efficient delivery, increasing cycle time and decreasing feedback?
  • 43. Download final project brew install python ansible
 
 git clone https://github.com/bbaassssiiee/lunchbox
 cd lunchbox
 vagrant up --no-provision
 ansible-playbook -v install.yml
 ansible-playbook -v site.yml Requires: VirtualBox, Vagrant 43
  • 44. Ansible, best practices. Bas Meijer 2016 Amsterdam