PATTERNS, PRACTICES & SOLUTIONS
A technology neutral view of Ansible/Salt/Chef/Puppet
RootConf 2017 Bangalore
TABLE OF CONFIGURATIONS (PUN INTENDED)....
• Evolution of Configuration Management
• Classification mechanism
• Infrastructure Data
  • Data which tells a little bit about infrastructure
• Configuration Data
  • Data which we build and use to
• Everything scaled with templating
• How do I deploy and test infrastructure
  • That was easy with application code...
• Multi Data Center problems
  • Dreams of when I grow web scale
• Secrets, events and execution patterns
  • Passwords & failure events
CTO & Founder at
infraCloud technologies (www.infracloud.io )
Java, PLM, JSP,
eMatrix, PLM, J2EE,
Shell, Windchill, jUnit,
2010 - 2013: Spring,
Google App Engine, APIs, CI
2013: Puppet, Chef, Ansible,
CD/CI, DevOps Coach, Docker,
API Mgmt, Microservices, Infra
as code, Artifactory, Nexus,
Integration as a Service
WE USED TO MANAGE THIS
AND NOW IT IS … … WEB SCALE
SO WERE BORN THESE
A WHOLE NEW VOCABULARY
Term                        | Puppet           | Chef                   | Ansible                  | Salt
The smallest packaging unit | Module           | Cookbook               | Playbook                 | Formula
Node side data              | Facts            | Attributes (from Ohai) | Facts                    | Grains
Configuration data          |                  | Databag                | Host vars and group vars |
Role                        | Class            | Run Lists              | Role                     | Grain: Roles
The master node             | Puppet Master    | Chef Server            | Control Server           | Salt Master
Agent name                  | Puppet Agent     | Chef Client            | NA (SSH based)           | Salt Minion
Built-in modules            | Resources        | Resources              | Module                   | State/Module
Templating engine           | Ruby-like        | ERB (Embedded Ruby)    | Jinja                    | Jinja
Secrets                     |                  | Databag                | Vault                    |
Events                      | Report Processor |                        |                          | Beacons, Reactor
Community modules           | Puppet Forge     | Chef Supermarket       | Galaxy                   | GitHub
AND SIMILAR PROBLEMS, IN ALL STACKS
• How do I best split roles?
• How to organize, version control & secure the configuration data?
• How can I test changes in infra code before deploying to prod?
• Can I re-create the whole infrastructure stack for testing?
• Should I execute my playbooks every hour?
ROLES - INTRODUCTION
• Roles are “labels” we give to nodes - and they can be multiple. Primarily a
• They are composed of multiple playbooks/modules/formulas
• Think of a role as the responsibilities of that server - a “web server” role, a “firewall rules” role
• Enable you to query infrastructure: Give me all web servers which are running Ubuntu 14.04 or CentOS 6
ROLES - BEST PRACTICES
• Keep them small & modular. You can always compose smaller ones to build
• They should enable you to slice & dice your infrastructure easily
• Some roles will be used by clustered apps (Kafka, Elastic) - design for that
[Diagram: a “Mesos Agent Role” composed from smaller roles (Firewall + NTP)]
INFRA DATA - WHAT IS IT?
• Data which the CM systems can derive from machine by themselves
• Might contain some attributes assigned by humans - like role
• Is mostly system data - also helpful for classification
• For example, you can get info on OS, kernel version, region, service list etc.
INFRA DATA - BEST PRACTICES
• As much as you can, use infra data instead of configuration data in code
• Updating of infra data can be optimized based on churn rate of servers
CONFIG DATA - WHAT IS IT?
• Data which infrastructure engineers define and use in code, but stored separately from the code
• Typically stored in a hierarchy/tree structure
• Can use infra data, roles etc. as variables to build config data
CONFIG DATA - BEST PRACTICES
• Version control the configuration data - it can grow real fast.
• Secrets in configuration data need to be handled separately (We will
• Structure configuration data to tame complexity over time
INFRA & CONFIG DATA - SAMPLES
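The sample slide itself did not survive extraction. As an added example (not code from the talk, nor from Puppet, Chef, Ansible or Salt), the following Python puts the last three slides together: infra data per node (what an agent reports, plus the human-assigned role), a Hiera/Pillar-style hierarchy of configuration data keyed by node, role, region and OS, and the kind of fleet query the roles slide mentions. Every node name, fact, layer name, key and value is constructed for illustration.

```python
"""Infra data vs. configuration data, with roles as the classification key.

Added example; not code from the talk or from any CM tool. The hierarchy is
resolved Hiera/Pillar style: for scalars the most specific matching layer wins,
lists are merged most-specific-first. All data below is constructed.
"""
from copy import deepcopy

# Constructed infra data: what an agent would report about each node, plus
# the human-assigned 'roles' attribute used for classification.
FACTS = {
    "web-01": {"os": "ubuntu", "os_release": "14.04", "region": "eu-west",
               "roles": ["web", "firewall"]},
    "web-02": {"os": "centos", "os_release": "6", "region": "us-east",
               "roles": ["web", "firewall"]},
    "kafka-03": {"os": "centos", "os_release": "6", "region": "us-east",
                 "roles": ["kafka"]},
}

# Hierarchy, most specific first; '%{...}' placeholders are filled from infra
# data. 'common' is the catch-all and should carry a default for every key.
HIERARCHY = ["node/%{node}", "role/%{role}", "region/%{region}",
             "os/%{os}", "common"]

# Constructed configuration data, one dict per layer. This is what goes into
# version control; note it holds settings only, no secrets.
CONFIG_DATA = {
    "common": {"ntp_servers": ["0.pool.ntp.org"], "ssh_port": 22,
               "packages": ["vim"]},
    "os/ubuntu": {"packages": ["apt-transport-https"]},
    "os/centos": {"packages": ["epel-release"]},
    "region/eu-west": {"ntp_servers": ["ntp.eu-west.example"]},
    "role/web": {"ssh_port": 2222, "packages": ["nginx"], "listen_port": 443},
    "role/kafka": {"packages": ["java-1.8.0-openjdk"], "kafka_heap_mb": 4096},
    "node/kafka-03": {"kafka_heap_mb": 8192},
}


def expand_layers(node, facts):
    """Concrete layer names for one node, most specific first.
    'role/%{role}' expands to one layer per role, in assignment order."""
    layers = []
    for pattern in HIERARCHY:
        if "%{role}" in pattern:
            layers.extend(pattern.replace("%{role}", r)
                          for r in facts.get("roles", []))
            continue
        name = pattern.replace("%{node}", node)
        for fact in ("region", "os"):
            name = name.replace("%{" + fact + "}", str(facts.get(fact, "")))
        layers.append(name)
    return layers


def lookup(node, key, facts=FACTS, data=CONFIG_DATA, merge="first"):
    """Resolve one key for a node.
    merge='first'  -> value from the most specific layer that defines the key.
    merge='unique' -> list items from every defining layer, most specific
                      first, duplicates removed.
    A key no layer defines raises KeyError: failing here beats a template
    silently rendering an empty value into production."""
    hits = [data[layer][key] for layer in expand_layers(node, facts[node])
            if layer in data and key in data[layer]]
    if not hits:
        raise KeyError("%s is not defined for %s in any layer" % (key, node))
    if merge == "first":
        return deepcopy(hits[0])
    merged = []
    for value in hits:
        for item in (value if isinstance(value, list) else [value]):
            if item not in merged:
                merged.append(item)
    return merged


def is_defined(node, key, facts=FACTS, data=CONFIG_DATA):
    """True if some layer defines the key for this node."""
    try:
        lookup(node, key, facts, data)
        return True
    except KeyError:
        return False


def resolve(node, facts=FACTS, data=CONFIG_DATA):
    """Full configuration for a node: every key any matching layer defines,
    lists merged 'unique', scalars 'first'. This is what a template consumes."""
    layers = [l for l in expand_layers(node, facts[node]) if l in data]
    keys = {k for l in layers for k in data[l]}
    return {key: lookup(node, key, facts, data,
                        merge="unique" if any(isinstance(data[l].get(key), list)
                                              for l in layers) else "first")
            for key in sorted(keys)}


def nodes_with(facts=FACTS, role=None, **wanted):
    """Slice the fleet by role and fact values, e.g. all web servers running
    Ubuntu 14.04 or CentOS 6. A wanted value may be a list of alternatives."""
    selected = []
    for node, f in facts.items():
        if role is not None and role not in f.get("roles", []):
            continue
        if all(f.get(k) in (v if isinstance(v, (list, tuple)) else [v])
               for k, v in wanted.items()):
            selected.append(node)
    return sorted(selected)
```

Two points worth noticing: the resolver never invents a value, so a key missing from every layer is an error rather than an empty string in a rendered config; and because the layer names are built from infra data, adding a region or OS to the fleet needs a new data file, not a code change.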
TEMPLATES - THE SCALING FACTOR
• Everything - from code to config data - will use templates.
• Templates enable programming constructs - loops, decisions, variables
• Puppet & Chef are primarily Ruby based, Ansible & Salt use
• Templates/code allow querying infra, config data and infra data - which makes them super powerful.
HOW DO I DEPLOY AND TEST INFRASTRUCTURE
• Unit test: Simulate with Vagrant/Containers
• How to test Docker/Mesos playbooks?
• Integration test: How to get as close to real infrastructure as you can?
• Can you really test all practical scenarios?
• Test frameworks: TestInfra, ServerSpec, Test Kitchen etc.
• Deployment is easy - but execution of playbooks needs watching
• Usual tools can be used for deploy (Jenkins/Bamboo etc.)
• Should I deploy many changes at once, or smaller ones one at a time?
SECRETS
• Some CM systems offer built-in secrets management (Ansible has
• For others best to use something like HashiCorp Vault
• Secrets are referred to in config data but actual details reside in external
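The last bullet, as an added example (not the talk's code, and not the API of Ansible Vault or HashiCorp Vault, for which an in-memory dict stands in): committed configuration data holds only references, a resolver fetches the values when the playbook or state runs, a check refuses literal secrets in committed data, and resolved data is redacted before it is logged. The `secret://path#field` scheme, the store contents and all key names are constructed.

```python
"""Secret references in configuration data, resolved from an external store.

Added example; not the talk's code and not the API of Ansible Vault or
HashiCorp Vault. Versioned configuration data carries only references such as
'secret://db/prod#password'; values are fetched from an external store at run
time. The store, the reference scheme and every name here are constructed.
"""
import re

# 'secret://<path>#<field>': a path in the store and a field of that secret.
REF = re.compile(r"^secret://(?P<path>[A-Za-z0-9_./-]+)#(?P<field>[A-Za-z0-9_.-]+)$")

# Keys whose value should never be a literal in committed config data.
SENSITIVE_KEY = re.compile(r"(pass(word)?|secret|token|key)$", re.IGNORECASE)

# Constructed stand-in for the external store (Vault, encrypted data bag, ...).
# Nothing in this dict is ever committed to the config-data repository.
SECRET_STORE = {
    "db/prod": {"username": "app", "password": "s3cr3t-pr0d"},
    "kafka/prod": {"sasl_password": "k4fk4"},
}

# Constructed configuration data as committed: references, not values.
CONFIG_DATA = {
    "db": {"host": "db.prod.example",
           "user": "secret://db/prod#username",
           "password": "secret://db/prod#password"},
    "kafka": {"brokers": ["kafka-01:9092", "kafka-02:9092"],
              "sasl_password": "secret://kafka/prod#sasl_password"},
    "ssh_port": 22,
}


class SecretError(Exception):
    """A reference that is malformed or points at nothing in the store."""


def fetch_secret(ref, store=SECRET_STORE):
    """Resolve one reference; a bad reference fails loudly rather than
    yielding an empty string that a template would happily render."""
    m = REF.match(ref)
    if not m:
        raise SecretError("malformed secret reference: %r" % ref)
    path, field = m.group("path"), m.group("field")
    try:
        return store[path][field]
    except KeyError:
        raise SecretError("no secret at %s#%s" % (path, field))


def valid_reference(ref, store=SECRET_STORE):
    """True if the reference parses and exists in the store."""
    try:
        fetch_secret(ref, store)
        return True
    except SecretError:
        return False


def resolve(value, store=SECRET_STORE):
    """Copy of the config data with every secret:// reference replaced by its
    value; the committed structure itself is left untouched."""
    if isinstance(value, dict):
        return {k: resolve(v, store) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, store) for v in value]
    if isinstance(value, str) and value.startswith("secret://"):
        return fetch_secret(value, store)
    return value


def plaintext_secrets(value, path=""):
    """Pre-commit style check on committed data: sensitive-looking keys whose
    value is a literal instead of a reference. Returns their paths."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            child = "%s.%s" % (path, k) if path else k
            if (SENSITIVE_KEY.search(k) and isinstance(v, str)
                    and not v.startswith("secret://")):
                found.append(child)
            found.extend(plaintext_secrets(v, child))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found.extend(plaintext_secrets(v, "%s[%d]" % (path, i)))
    return found


def redact(value):
    """Copy of a resolved config that is safe for logs or run reports:
    values under sensitive-looking keys are masked."""
    if isinstance(value, dict):
        return {k: "***" if SENSITIVE_KEY.search(k) else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value
```

Resolution happens on the control node (or the agent) at execution time, so a leaked copy of the config-data repository yields references and nothing else; `plaintext_secrets` is the check to wire into review so that a literal password never gets committed in the first place, and `redact` is what the execution report should go through, since the events slide later notes how verbose those reports can be.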
MULTI DATA CENTER PROBLEMS
• One master per DC or one master for multiple DCs?
• Latency between DCs for execution
• Code & config data - central or per DC? Pull from Git or Rsync from
EVENTS & ORCHESTRATION
• Events need action/reporting etc.
• Events can be too verbose depending on configuration
• Orchestration in infrastructure is harder to build & debug
Thank you!
Thanks to HasGeek for doing all they do for us!
Thanks a lot to you, the audience, who made this possible