Why work with Ansible to deliver software in a secure and reliable way? Gain insight quickly: this deck shows the strengths of the IT automation tool that does it all.
Bas Meijer is an Ansible Ambassador co-hosting the Ansible Benelux Meetup since 2014. He introduced the tool to major corporate clients for use in mission critical infrastructure provisioning, application construction, container orchestration, security operations, and more.
4. SIMPLE
- Human readable text
- System abstraction
- Top to bottom tasks
- Minimal requirements
- Easy to audit
- Easy to share
POWERFUL
- API equal to CLI
- Batteries included
- Parallel execution
- Multi-tier orchestration
- Pluggable and embeddable
- Works with lots of stuff
- Really scalable
SECURE
- Codified knowledge
- Reproducible systems
- Equivalent environments
- Encrypted variables
- Secure transport
- Idempotency
- No daemons
Advantages
9. Tools
ansible-doc built-in documentation
ansible-vault encryption
Ansible-lint validation against ruleset (customizable)
Molecule testing suite for roles
Ansible Galaxy repository for roles
ARA Ansible run analysis & logging
AWX/Tower visual dashboard, encryption, role-based access control, job scheduling, integrated notifications and graphical inventory management
Jenkins CI/CD visual dashboard, role-based access control, job scheduling
10. • Have a dead simple setup process and a minimal learning curve
• Manage machines very quickly and in parallel
• Avoid custom-agents and additional open ports, be agentless by leveraging the existing SSH daemon
• Describe infrastructure in a language that is both machine and human friendly
• Focus on security and easy auditability/review/rewriting of content
• Manage new remote machines instantly, without bootstrapping any software
• Allow module development in any dynamic language, not just Python
• Be usable as non-root
• Be the easiest IT automation system to use, ever.
Design principles
12. Cloud Files Monitoring Source Control
Clustering Identity Net Tools Storage
Commands Infrastructure Network System
Crypto Inventory Notification Utilities
Database Messaging Packaging Windows
Batteries included
13. • Ansible is written in Python (2.6-3.x)
• Dependencies only on control host
• Red Hat Linux relies on Python
• Docker API is in Python
• Many other APIs have Python libraries
• mitogen library adds speed
Python
14. • SSH for an interactive terminal connection
• SSH can transport files to a server
• SSH can execute commands on a server
• Ansible sends and executes modules with parameters to many machines in parallel as the ansible_user
2/3 Secure shell features
16. $ ansible all -a 'df -h /data'
www.example.com | CHANGED | rc=0 >>
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/rootvg-VarLV 6281216 1044244 5236972 17% /var
api.example.com | CHANGED | rc=0 >>
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/rootvg-VarLV 6281216 1046540 5234676 17% /var
db.example.com | CHANGED | rc=0 >>
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/rootvg-VarLV 4184064 2642860 1541204 64% /var
logs.example.com | CHANGED | rc=0 >>
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/rootvg-VarLV 4184064 1034356 3149708 25% /var
jump.example.com | CHANGED | rc=0 >>
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/rootvg-VarLV 4184064 1036208 3147856 25% /var
$
Ad-hoc commands
17. • layout for distributed systems
• classification of servers in groups
• clusters, datacenters, regions
• environment segregation
Ansible inventories
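The slide above lists what an inventory should express; the YAML inventory below is an added example (not from the deck) that puts those points in one file. It reuses the hostnames from the ad-hoc df output shown later in the deck; the deploy account, the region group names and the inventory/production path are assumptions.

```yaml
# inventory/production/hosts.yml
# Constructed example, not from the deck. The hostnames are the ones in the
# ad-hoc df output; 'deploy', the region names and this path are assumed.
all:
  vars:
    ansible_user: deploy              # a dedicated automation account, never root
    ansible_become: true              # escalate per task with sudo instead
    ansible_become_method: sudo
  children:
    # Classification by tier: what a host does
    webservers:
      hosts:
        www.example.com:
        api.example.com:
    dbservers:
      hosts:
        db.example.com:
    logservers:
      hosts:
        logs.example.com:
    bastion:
      hosts:
        jump.example.com:
      vars:
        ansible_become: false         # child group vars override 'all'

    # Classification by datacenter/region: the same hosts, grouped by place.
    # A host may sit in several groups; inventory/production/group_vars/eu_west.yml
    # would carry region-specific settings (NTP, mirrors, syslog targets).
    eu_west:
      hosts:
        www.example.com:
        db.example.com:
        jump.example.com:
    eu_central:
      hosts:
        api.example.com:
        logs.example.com:

    # Clusters: a parent group built from other groups, so one play can
    # target 'frontend' and reach every web and bastion host at once
    frontend:
      children:
        webservers:
        bastion:
```

Environment segregation is done by directory rather than by variable: inventory/production and inventory/staging are separate trees, each with its own group_vars/ and host_vars/, so `ansible-playbook -i inventory/production site.yml` cannot reach a staging host by mistake. Check the result with `ansible-inventory -i inventory/production --graph`.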
18. • Don't ever login as the root user
• Settle on become_method: sudo/su/doas
• Don't use service accounts interactively
echo logout > ~/.bash_profile
• Separate privileged & non-privileged playbooks
• Consider to use signed ssh keys
TrustedUserCAKeys /etc/ssh/ca_key.pub
AuthorizedKeysFile /dev/null
ansible_user
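The sshd_config lines and the .bash_profile trick on the slide are normally applied by hand; the playbook below is an added example (not from the deck) that enforces them with Ansible, so the hardening itself is idempotent and auditable. The user name deploy, its home directory, and the files/ca_key.pub location are assumptions; the two sshd directives are the ones from the slide.

```yaml
# harden_ansible_user.yml
# Constructed example, not from the deck. 'deploy', its home directory and
# the local files/ca_key.pub path are assumed; the sshd lines are the slide's.
- name: 'require CA-signed certificates for the automation account'
  hosts: all
  become: true                        # log in as ansible_user, escalate per task
  become_method: sudo
  vars:
    automation_user: deploy           # assumed name of the ansible_user
    automation_home: "/home/{{ automation_user }}"   # assumed home directory
    ssh_ca_pubkey_path: /etc/ssh/ca_key.pub
  tasks:
    - name: 'install the user CA public key'
      copy:
        src: files/ca_key.pub         # assumed: CA public key kept beside the playbook
        dest: "{{ ssh_ca_pubkey_path }}"
        owner: root
        group: root
        mode: '0644'

    - name: 'trust only CA-signed certificates and ignore authorized_keys files'
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'           # replaces a commented default too
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s       # refuse a config sshd cannot load
      loop:
        - { key: TrustedUserCAKeys, value: "{{ ssh_ca_pubkey_path }}" }
        - { key: AuthorizedKeysFile, value: /dev/null }
        - { key: PermitRootLogin, value: 'no' }   # quoted, or YAML turns it into False
      notify: restart sshd

    - name: 'make the service account non-interactive (echo logout > ~/.bash_profile)'
      copy:
        content: "logout\n"
        dest: "{{ automation_home }}/.bash_profile"
        owner: "{{ automation_user }}"
        group: "{{ automation_user }}"
        mode: '0644'

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

Run it with `--check --diff` first. Before applying for real, the controller must already hold a certificate signed by the CA (for example `ssh-keygen -s ca_key -I <operator-id> -n deploy -V +8h id_ed25519.pub`), because once sshd restarts every plain authorized_keys entry, including the one Ansible used to get in, stops working. On distributions whose sshd_config starts with an Include of a drop-in directory, the first matching directive wins, so check that no drop-in file sets these options differently. The `logout` profile does not affect Ansible, which executes modules over non-interactive SSH sessions that never source it.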
20. Idempotency
What is idempotence?
Idempotence is the property of certain operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application
21. • Config Management that lacks idempotency introduces doubt!
• Ensure no changes unless things actually change
• Some idempotency issues can be big issues (> versus >>)
• Hides the real changes in a cloud of doubt
• Reduction in speed if changes are consistently made
• Testing becomes increasingly difficult
Importance of idempotency
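The "> versus >>" point above is easiest to see in a playbook. The following is an added example (not the deck's motd.yml) that puts the two shell variants next to the idempotent module that produces the changed=1 / changed=0 recaps shown on the next slides. The banner text and the guarded helper script path are assumptions.

```yaml
# motd.yml
# Constructed example, not the deck's own playbook. The banner text and the
# /usr/local/bin/generate-motd-extra helper are assumptions.
- name: 'idempotent versus non-idempotent /etc/motd management'
  hosts: server
  become: true
  vars:
    motd_text: "Authorized use only. Sessions are logged.\n"
  tasks:
    # Not idempotent: every run appends one more line, the file drifts, and
    # the task always reports 'changed' because a shell cannot tell Ansible
    # whether anything was different before. Tagged 'never' so it only runs
    # when asked for: ansible-playbook motd.yml --tags bad_example
    - name: 'BAD: append the banner with >>'
      shell: echo "Authorized use only. Sessions are logged." >> /etc/motd
      tags: [never, bad_example]

    # Converges to the right content, but still reports 'changed' on every
    # run, so a real change elsewhere hides in a cloud of spurious changes.
    - name: 'BETTER: overwrite the banner with >'
      shell: echo "Authorized use only. Sessions are logged." > /etc/motd
      tags: [never, bad_example]

    # Idempotent: copy compares checksums and only writes (and only reports
    # 'changed') when the content actually differs. Second run: changed=0.
    - name: 'GOOD: create /etc/motd'
      copy:
        content: "{{ motd_text }}"
        dest: /etc/motd
        owner: root
        group: root
        mode: '0644'

    # If a command is unavoidable, tell Ansible how to recognise 'no change':
    # 'creates' skips the command once its output file exists ...
    - name: 'GOOD: guarded command'
      command: /usr/local/bin/generate-motd-extra /etc/motd.d/extra   # assumed helper
      args:
        creates: /etc/motd.d/extra

    # ... and a read-only check should never count as a change at all.
    - name: 'GOOD: verify the banner is present'
      command: grep -q 'Sessions are logged' /etc/motd
      register: banner_check
      changed_when: false
      failed_when: banner_check.rc not in [0, 1]
```

Run it twice and compare the PLAY RECAP lines: the copy task shows changed=1 the first time and changed=0 afterwards, which is exactly the signal testing and change review depend on.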
22. $ ansible-playbook motd.yml
PLAY [server]
******************************************************************************
TASK [motd : create /etc/motd]
******************************************************************************
changed: [server]
PLAY RECAP
******************************************************************************
server : ok=1 changed=1 unreachable=0 failed=0
Idempotency
23. $ ansible-playbook motd.yml
PLAY [server]
******************************************************************************
TASK [motd : create /etc/motd]
******************************************************************************
ok: [server]
PLAY RECAP
******************************************************************************
server : ok=1 changed=0 unreachable=0 failed=0
Idempotency
24. ansible.cfg          # parameters that affect running ansible
inventory/               # an inventory defines an environment
  hosts                  # defines the hosts in an inventory
  group_vars/            # here we assign variables to particular groups
    all                  # global variables for all groups
    dbservers/           # directory for dbservers group
      secrets            # -- encrypted variables for dbservers group
      vars               # -- plaintext variables for dbservers group
    group2               # plaintext variables for group2
  host_vars/             # here we assign variables to particular hosts
    hostname1            # if systems need specific variables, put them here
    hostname2            # ""
site.yml                 # master playbook
webservers.yml           # playbook for webserver tier
dbservers.yml            # playbook for database tier
galaxy_roles/            # roles imported from galaxy
roles/                   # in-house roles
  common/                # this hierarchy represents a "role"
    tasks/               # 'tasks' contains the actions that implement the role
      main.yml           # -- main.yml could include other files if warranted
    handlers/            # 'handlers' can be notified by tasks on change
      main.yml           # -- handlers file often defines service actions
    templates/           # files for use with the template module
      hosts              # templates edit better with own extension, or .j2
    files/               # 'files' is the start for relative paths
Directory layout
25. #!/usr/bin/env ansible-playbook
- name: 'install.yml'                      # quote names for syntax highlighting
  hosts: localhost                         # scope the play appropriately
  connection: local
  gather_facts: False                      # booleans: /^(y|yes|n|no|true|false|on|off)$/i
  tags:                                    # use tags for plays, and actions
    - preparation
  vars:                                    # use group_vars for environment specifics
    url: "https://galaxy.ansible.com"      # quote when value has ':'; vars is a mapping, not a list
  tasks:                                   # list tasks, but consider using a role
    - name: 'check network'                # format parameters for small terminal size
      uri:                                 # the best way is to use 'Native YML' format
        url: "{{ url }}"
        method: HEAD
        return_content: no
        status_code: 200
        timeout: 60
        follow_redirects: all
    - name: 're-import roles from Galaxy'
      command: ansible-galaxy install --force -r roles/requirements.yml
Playbook.yml
26. • Tags help organize execution of playbooks.
  roles:
    - { role: motd, tags: 'motd' }
• You can even run or skip parts of playbooks:
  --tags=only,run,these,tags
  --skip-tags=tags,to,skip
• Tags can help in testing/debugging
Tags
31. Jinja2 – An Introduction
• Python templating language
• Many filters available (to_nice_json, to_nice_yaml, sort)
• Conditional evaluation on task result (success, changed, failed, skipped)
Additional Information:
http://docs.ansible.com/playbooks_variables.html#using-variables-about-jinja2
http://jinja.pocoo.org/docs/templates/#builtin-filters
32. Jinja2 – More with Jinja2
• Simple file templating with loops
• Simple file templating with if/else
• Even use variables for file names!
• Iterate through items, globs, and hashes
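The two Jinja2 slides list features without showing them together. The play below is an added example (not from the deck) covering both slides: a loop over a hash, if/else, a filter chain, a file name built from a variable, a fileglob iteration, and a condition on a registered task result. The application name, its config paths and the upstreams data are assumptions.

```yaml
# app_config.yml
# Constructed example, not from the deck. The 'app' service, /etc/app paths,
# the upstreams hash and files/conf.d/ are assumptions.
- name: 'render per-host config with Jinja2 loops, conditionals and filters'
  hosts: webservers
  become: true
  vars:
    upstreams:                        # a hash to iterate over
      api: { host: api.example.com, port: 8443 }
      db:  { host: db.example.com, port: 5432 }
    feature_flags: [tls, hsts]
  tasks:
    # The same Jinja2 normally lives in templates/app.conf.j2 and is rendered
    # by the template module; it is inlined here so the template is visible.
    - name: 'write one config per host, file name taken from a variable'
      copy:
        dest: "/etc/app/{{ inventory_hostname }}.conf"
        owner: root
        group: root
        mode: '0640'
        content: |
          # generated by Ansible for {{ inventory_hostname }}
          {% for name, u in upstreams.items() | sort %}
          upstream {{ name }} {{ u.host }}:{{ u.port }}
          {% endfor %}
          {% if 'tls' in feature_flags %}
          listen 443 ssl
          {% else %}
          listen 80
          {% endif %}
          peers = {{ groups['webservers'] | difference([inventory_hostname]) | to_json }}
      register: config_result

    # Iterate over files matching a glob on the control host
    - name: 'copy every drop-in found next to the playbook'
      copy:
        src: "{{ item }}"
        dest: "/etc/app/conf.d/{{ item | basename }}"
        mode: '0640'
      with_fileglob:
        - files/conf.d/*.conf          # assumed directory beside the playbook

    # Conditional evaluation on a task result: reload only on a real change
    - name: 'reload the service only when the config actually changed'
      service:
        name: app
        state: reloaded
      when: config_result is changed

    - name: 'show the data structure as readable JSON for review'
      debug:
        msg: "{{ upstreams | to_nice_json }}"
```

Because the reload is tied to `config_result is changed`, a second run renders an identical file, reports ok instead of changed, and leaves the service alone, which is the idempotency the deck argues for.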