SlideShare a Scribd company logo

Ansible best practices

S
StephaneFlotat1

This document provides best practices for using Ansible effectively and efficiently. It discusses organizing Ansible code through roles and playbooks with proper structure and naming. It emphasizes using Ansible modules over shell/command modules whenever possible. Other tips include separating configuration from provisioning, optimizing templates, and using variables and groups to simplify automation. The overall message is to strive for readability, reusability and maintainability in Ansible workflows.

Internet
1 of 38
Download to read offline
Timothy Appnel Senior Product Manager, Ansible GitHub: tima Twitter: appnelgroup ANSIBLE BEST PRACTICES: THE ESSENTIALS
2 THE ANSIBLE WAY
3 COMPLEXITY KILLS PRODUCTIVITY That's not just a marketing slogan. We really mean it and believe that. We strive to reduce complexity in how we've designed Ansible tools and encourage you to do the same. Strive for simplification in what you automate.
4 OPTIMIZE FOR READABILITY If done properly, it can be the documentation of your workflow automation.
5 Principal 3 THINK DECLARATIVELY Ansible is a desired state engine by design. If you're trying to "write code" in your plays and roles, you're setting yourself up for failure. Our YAML-based playbooks were never meant to be for programming.
Treat your Ansible content like code ● Version control your Ansible content ● Start as simple as possible and iterate ○ Start with a basic playbook and static inventory ○ Refactor and modularize later WORKFLOW 6
Do It with Style ● Create a style guide for developers ● Consistency in: ○ Tagging ○ Whitespace ○ Naming of Tasks, Plays, Variables, and Roles ○ Directory Layouts ● Enforce the style WORKFLOW 7
basic-project ├── inventory │ ├── group_vars │ │ └── web.yml │ ├── host_vars │ │ └── db1.yml │ └── hosts └── site.yml PROJECT LAYOUTS: BASIC 8
myapp ├── roles │ ├── myapp │ │ ├── tasks │ │ │ └── main.yml │ │ └── ... │ ├── nginx │ │ └── ... │ └── proxy │ └── ... └── site.yml PROJECT LAYOUTS: ORGANIZATIONAL ROLES 9
myapp ├── config.yml ├── provision.yml ├── roles │ └── requirements.yml └── site.yml PROJECT LAYOUTS: SHARED ROLES 10
Give inventory nodes human-meaningful 10.1.2.75 10.1.5.45 10.1.4.5 10.1.0.40 w14301.example.com w17802.example.com w19203.example.com w19304.example.com INVENTORY 11 db1 ansible_host=10.1.2.75 db2 ansible_host=10.1.5.45 db3 ansible_host=10.1.4.5 db4 ansible_host=10.1.0.40 web1 ansible_host=w14301.example.com web2 ansible_host=w17802.example.com web3 ansible_host=w19203.example.com web4 ansible_host=w19203.example.com EXHIBIT A EXHIBIT B
Group hosts for easier inventory selection and less conditional tasks -- the more groups the better. WHAT [db] db[1:4] [web] web[1:4] db1 = db, east, dev INVENTORY 12 WHEN [dev] db1 web1 [test] db3 web3 [prod] db2 web2 db4 web4 WHERE [east] db1 web1 db3 web3 [west] db2 web2 db4 web4
Use a single source of truth if you have it -- even if you have multiple sources, Ansible can unify them. ● Stay in sync automatically ● Reduce human error INVENTORY 13 PUBLIC / PRIVATE CLOUD CMDB
Proper variable naming can make plays more readable and avoid variable name conflicts ● Use descriptive, unique human-meaningful variable names ● Prefix role variables with its “owner” such as a role name or package apache_max_keepalive: 25 apache_port: 80 tomcat_port: 8080 VARIABLES 14
Make the most of variables ● Find the appropriate place for your variables based on what, where and when they are set or modified ● Separate logic (tasks) from variables to reduce repetitive patterns and provided added flexibility. VARIABLES 15
- name: Clone student lesson app for a user host: nodes tasks: - name: Create ssh dir file: state: directory path: /home/{{ username }}/.ssh - name: Set Deployment Key copy: src: files/deploy_key dest: /home/{{ username }}/.ssh/id_rsa - name: Clone repo git: accept_hostkey: yes clone: yes dest: /home/{{ username }}/exampleapp key_file: /home/{{ username }}/.ssh/id_rsa repo: git@github.com:example/apprepo.git SEPARATE LOGIC FROM VARIABLES 16 EXHIBIT A ● Embedded parameter values and repetitive home directory value pattern in multiple places ● Works but could be more clearer and setup to be more flexible and maintainable
- name: Clone student lesson app for a user host: nodes vars: user_home_dir: /home/{{ username }} user_ssh_dir: "{{ user_home_dir }}/.ssh" deploy_key: "{{ user_ssh_dir }}/id_rsa" app_dir: "{{ user_home_dir }}/exampleapp" tasks: - name: Create ssh dir file: state: directory path: "{{ user_ssh_dir }}" - name: Set Deployment Key copy: src: files/deploy_key dest: "{{ deploy_key }}" - name: Clone repo git: dest: "{{ app_dir }}" key_file: "{{ deploy_key }}" repo: git@github.com:example/exampleapp.git accept_hostkey: yes clone: yes SEPARATE LOGIC FROM VARIABLES 17 EXHIBIT B ● Parameters values are set thru values away from the task and can be overridden. ● Human meaningful variables “document” what’s getting plugged into a task parameter ● More easily refactored into a role
Use native YAML syntax to maximize the readability of your plays ● Vertical reading is easier ● Supports complex parameter values ● Works better with editor syntax highlighting in editors PLAYS & TASKS 18
- name: install telegraf yum: name=telegraf-{{ telegraf_version }} state=present update_cache=yes disabl notify: restart telegraf - name: configure telegraf template: src=telegraf.conf.j2 dest=/etc/telegraf/telegraf.conf - name: start telegraf service: name=telegraf state=started enabled=yes NO! USE NATIVE YAML SYNTAX 19
- name: install telegraf yum: > name=telegraf-{{ telegraf_version }} state=present update_cache=yes disable_gpg_check=yes enablerepo=telegraf notify: restart telegraf - name: configure telegraf template: src=telegraf.conf.j2 dest=/etc/telegraf/telegraf.conf - name: start telegraf service: name=telegraf state=started enabled=yes Better, but no USE NATIVE YAML SYNTAX 20
Yes! - name: install telegraf yum: name: telegraf-{{ telegraf_version }} state: present update_cache: yes disable_gpg_check: yes enablerepo: telegraf notify: restart telegraf - name: configure telegraf template: src: telegraf.conf.j2 dest: /etc/telegraf/telegraf.conf notify: restart telegraf - name: start telegraf service: name: telegraf state: started enabled: yes USE NATIVE YAML SYNTAX 21
Names improve readability and user feedback ● Give all your playbooks, tasks and blocks brief, reasonably unique and human-meaningful names PLAYS & TASKS 22
- hosts: web tasks: - yum: name: httpd state: latest - service: name: httpd state: started enabled: yes PLAYS & TASKS 23 PLAY [web] ******************************** TASK [setup] ******************************** ok: [web1] TASK [yum] ******************************** ok: [web1] TASK [service] ******************************** ok: [web1] EXHIBIT A
- hosts: web name: install and start apache tasks: - name: install apache packages yum: name: httpd state: latest - name: start apache service service: name: httpd state: started enabled: yes PLAYS & TASKS 24 PLAY [install and start apache] ******************************** TASK [setup] ******************************** ok: [web1] TASK [install apache packages] ******************************** ok: [web1] TASK [start apache service] ******************************** ok: [web1] EXHIBIT B
Focus avoids complexity ● Keep plays and playbooks focused. Multiple simple ones are better than having a huge single playbook full of conditionals ● Follow Linux principle of do one thing, and one thing well PLAYS & TASKS 25
Clean up your debugging tasks ● Make them optional with the verbosity parameter so they’re only displayed when they are wanted. - debug: msg: "This always displays" - debug: msg: "This only displays with ansible-playbook -vv+" verbosity: 2 PLAYS & TASKS 26
Don’t just start services -- use smoke tests - name: check for proper response uri: url: http://localhost/myapp return_content: yes register: result until: '"Hello World" in result.content' retries: 10 delay: 1 PLAYS & TASKS 27
Use command modules sparingly ● Use the run command modules like shell and command as a last resort ● The command module is generally safer ● The shell module should only be used for I/O redirect PLAYS & TASKS 28
Always seek out a module first - name: add user command: useradd appuser - name: install apache command: yum install httpd - name: start apache shell: | service httpd start && chkconfig httpd on PLAYS & TASKS 29 - name: add user user: name: appuser state: present - name: install apache yum: name: httpd state: latest - name: start apache service: name: httpd state: started enabled: yes
Still using command modules a lot? - hosts: all vars: cert_store: /etc/mycerts cert_name: my cert tasks: - name: check cert shell: certify --list --name={{ cert_name }} --cert_store={{ cert_store }} | grep "{{ cert_name }}" register: output - name: create cert command: certify --create --user=chris --name={{ cert_name }} --cert_store={{ cert_store }} when: output.stdout.find(cert_name)" != -1 register: output - name: sign cert command: certify --sign --name={{ cert_name }} --cert_store={{ cert_store }} when: output.stdout.find("created")" != -1 PLAYS & TASKS 30
Develop your own module - hosts: all vars: cert_store: /etc/mycerts cert_name: my cert tasks: - name: create and sign cert certify: state: present sign: yes user: chris name: "{{ cert_name }}" cert_store: "{{ cert_store }}" PLAYS & TASKS 31 ● Understandable by non-technical people ● CRUD (Create, read, update and delete)
Separate provisioning from deployment and configuration tasks acme_corp/ ├── configure.yml ├── provision.yml └── site.yml $ cat site.yml --- - import_playbook: provision.yml - import_playbook: configure.yml PLAYS & TASKS 32
Jinja2 is powerful but you needn't use all of it ● Templates should be simple: ○ Variable substitution ○ Conditionals ○ Simple control structures/iterations ○ Design your templates for your use case, not the world's ● Things to avoid: ○ Anything that can be done directly in Ansible ○ Managing variables in a template ○ Extensive and intricate conditionals ○ Conditional logic based on embedded hostnames ○ Complex nested iterations TEMPLATES 33
Careful when mixing manual and automated configuration ● Label template output files as being generated by Ansible {{ ansible_managed | comment }} TEMPLATES 34
● Like playbooks -- keep roles purpose and function focused ● Use a roles/ subdirectory for roles developed for organizational clarity in a single project ● Follow the Ansible Galaxy pattern for roles that are to be shared beyond a single project ● Limit role dependencies ROLES 35
● Use ansible-galaxy init to start your roles... ● ...then remove unneeded directories and stub files ● Use ansible-galaxy to install your roles -- even private ones ● Use a roles files (i.e. requirements.yml) to manifest any external roles your project is using ● Always peg a role to a specific version such as a tag or commit ROLES 36
● Coordination across a distributed teams & organization… ● Controlling access to credentials... ● Track, audit and report automation and management activity... ● Provide self-service or delegation… ● Integrate automation with enterprise systems... SCALING YOUR ANSIBLE WORKFLOW 37 Command line tools have their limitations
38 Complexity Kills Productivity Optimize For Readability Think Declaratively Thank you

Recommended

Ansible 2.2
Ansible 2.2Ansible 2.2
Ansible 2.2
Scott van Kalken
 
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Keith Resar
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to Ansible
Dan Vaida
 
Introducing Ansible
Introducing AnsibleIntroducing Ansible
Introducing Ansible
Francesco Pantano
 
Ansible intro
Ansible introAnsible intro
Ansible intro
Hsi-Kai Wang
 
Ansible : what's ansible & use case by REX
Ansible : what's ansible & use case by REXAnsible : what's ansible & use case by REX
Ansible : what's ansible & use case by REX
Saewoong Lee
 
Ansible for beginners
Ansible for beginnersAnsible for beginners
Ansible for beginners
Kuo-Le Mei
 
Ansible container
Ansible containerAnsible container
Ansible container
Scott van Kalken
 

Recommended

Ansible 2.2
Ansible 2.2Ansible 2.2
Ansible 2.2
Scott van Kalken
 
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Keith Resar
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to Ansible
Dan Vaida
 
Introducing Ansible
Introducing AnsibleIntroducing Ansible
Introducing Ansible
Francesco Pantano
 
Ansible intro
Ansible introAnsible intro
Ansible intro
Hsi-Kai Wang
 
Ansible : what's ansible & use case by REX
Ansible : what's ansible & use case by REXAnsible : what's ansible & use case by REX
Ansible : what's ansible & use case by REX
Saewoong Lee
 
Ansible for beginners
Ansible for beginnersAnsible for beginners
Ansible for beginners
Kuo-Le Mei
 
Ansible container
Ansible containerAnsible container
Ansible container
Scott van Kalken
 
Ansible
AnsibleAnsible
Ansible
Raul Leite
 
Infrastructure = Code
Infrastructure = CodeInfrastructure = Code
Infrastructure = Code
Georg Sorst
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them All
Tim Fairweather
 
Ansible Crash Course
Ansible Crash CourseAnsible Crash Course
Ansible Crash Course
Peter Sankauskas
 
Vagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptopVagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptop
Lorin Hochstein
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
Bas Meijer
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
Ivan Serdyuk
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using docker
Larry Cai
 
Fun with containers: Use Ansible to build Docker images
Fun with containers: Use Ansible to build Docker imagesFun with containers: Use Ansible to build Docker images
Fun with containers: Use Ansible to build Docker images
abadger1999
 
Ansible intro
Ansible introAnsible intro
Ansible intro
Marcelo Quintiliano da Silva
 
DevOps for Humans - Ansible for Drupal Deployment Victory!
DevOps for Humans - Ansible for Drupal Deployment Victory!DevOps for Humans - Ansible for Drupal Deployment Victory!
DevOps for Humans - Ansible for Drupal Deployment Victory!
Jeff Geerling
 
Ansible testing
Ansible testingAnsible testing
Ansible testing
Scott van Kalken
 
Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點
William Yeh
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
Soshi Nemoto
 
Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)
Ivan Rossi
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
Ahmed AbouZaid
 
Automating the Network
Automating the NetworkAutomating the Network
Automating the Network
Puppet
 
Cialug August 2021
Cialug August 2021Cialug August 2021
Cialug August 2021
Andrew Denner
 
Ansible 101
Ansible 101Ansible 101
Ansible 101
Gena Mykhailiuta
 
Zero Downtime Deployment with Ansible
Zero Downtime Deployment with AnsibleZero Downtime Deployment with Ansible
Zero Downtime Deployment with Ansible
Stein Inge Morisbak
 
Getting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdfGetting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdf
ssuserd254491
 

More Related Content

What's hot

Ansible
AnsibleAnsible
Ansible
Raul Leite
 
Infrastructure = Code
Infrastructure = CodeInfrastructure = Code
Infrastructure = Code
Georg Sorst
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them All
Tim Fairweather
 
Ansible Crash Course
Ansible Crash CourseAnsible Crash Course
Ansible Crash Course
Peter Sankauskas
 
Vagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptopVagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptop
Lorin Hochstein
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
Bas Meijer
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
Ivan Serdyuk
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using docker
Larry Cai
 
Fun with containers: Use Ansible to build Docker images
Fun with containers: Use Ansible to build Docker imagesFun with containers: Use Ansible to build Docker images
Fun with containers: Use Ansible to build Docker images
abadger1999
 
Ansible intro
Ansible introAnsible intro
Ansible intro
Marcelo Quintiliano da Silva
 
DevOps for Humans - Ansible for Drupal Deployment Victory!
DevOps for Humans - Ansible for Drupal Deployment Victory!DevOps for Humans - Ansible for Drupal Deployment Victory!
DevOps for Humans - Ansible for Drupal Deployment Victory!
Jeff Geerling
 
Ansible testing
Ansible testingAnsible testing
Ansible testing
Scott van Kalken
 
Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點
William Yeh
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
Soshi Nemoto
 
Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)
Ivan Rossi
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
Ahmed AbouZaid
 
Automating the Network
Automating the NetworkAutomating the Network
Automating the Network
Puppet
 
Cialug August 2021
Cialug August 2021Cialug August 2021
Cialug August 2021
Andrew Denner
 
Ansible 101
Ansible 101Ansible 101
Ansible 101
Gena Mykhailiuta
 

What's hot (20)

Ansible
AnsibleAnsible
Ansible
 
Infrastructure = Code
Infrastructure = CodeInfrastructure = Code
Infrastructure = Code
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them All
 
Ansible Crash Course
Ansible Crash CourseAnsible Crash Course
Ansible Crash Course
 
Vagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptopVagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptop
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using docker
 
Fun with containers: Use Ansible to build Docker images
Fun with containers: Use Ansible to build Docker imagesFun with containers: Use Ansible to build Docker images
Fun with containers: Use Ansible to build Docker images
 
Ansible intro
Ansible introAnsible intro
Ansible intro
 
DevOps for Humans - Ansible for Drupal Deployment Victory!
DevOps for Humans - Ansible for Drupal Deployment Victory!DevOps for Humans - Ansible for Drupal Deployment Victory!
DevOps for Humans - Ansible for Drupal Deployment Victory!
 
Ansible testing
Ansible testingAnsible testing
Ansible testing
 
Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
 
Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
 
Automating the Network
Automating the NetworkAutomating the Network
Automating the Network
 
Cialug August 2021
Cialug August 2021Cialug August 2021
Cialug August 2021
 
Ansible 101
Ansible 101Ansible 101
Ansible 101
 

Similar to Ansible best practices

Zero Downtime Deployment with Ansible
Zero Downtime Deployment with AnsibleZero Downtime Deployment with Ansible
Zero Downtime Deployment with Ansible
Stein Inge Morisbak
 
Getting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdfGetting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdf
ssuserd254491
 
Infrastructure = code - 1 year later
Infrastructure = code - 1 year laterInfrastructure = code - 1 year later
Infrastructure = code - 1 year later
Christian Ortner
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of Ansible
DevOps Ltd.
 
Ansible with oci
Ansible with ociAnsible with oci
Ansible with oci
DonghuKIM2
 
May The Nodejs Be With You
May The Nodejs Be With YouMay The Nodejs Be With You
May The Nodejs Be With You
Dalibor Gogic
 
Introduction to WP-CLI: Manage WordPress from the command line
Introduction to WP-CLI: Manage WordPress from the command lineIntroduction to WP-CLI: Manage WordPress from the command line
Introduction to WP-CLI: Manage WordPress from the command line
Behzod Saidov
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in go
Andrii Soldatenko
 
Ansible for Beginners
Ansible for BeginnersAnsible for Beginners
Ansible for Beginners
Arie Bregman
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
Zero Downtime Deployment with Ansible
Zero Downtime Deployment with AnsibleZero Downtime Deployment with Ansible
Zero Downtime Deployment with Ansible
Stein Inge Morisbak
 
Introduction to Ansible - (dev ops for people who hate devops)
Introduction to Ansible - (dev ops for people who hate devops)Introduction to Ansible - (dev ops for people who hate devops)
Introduction to Ansible - (dev ops for people who hate devops)
Jude A. Goonawardena
 
Generators
GeneratorsGenerators
Generators
Allan Davis
 
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
Puppet
 
Challenges of container configuration
Challenges of container configurationChallenges of container configuration
Challenges of container configuration
lutter
 
linux_Commads
linux_Commadslinux_Commads
linux_Commads
tastedone
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
Jeroen van Dijk
 
Deploying Symfony | symfony.cat
Deploying Symfony | symfony.catDeploying Symfony | symfony.cat
Deploying Symfony | symfony.cat
Pablo Godel
 
Docker Introduction.pdf
Docker Introduction.pdfDocker Introduction.pdf
Docker Introduction.pdf
OKLABS
 

Similar to Ansible best practices (20)

Zero Downtime Deployment with Ansible
Zero Downtime Deployment with AnsibleZero Downtime Deployment with Ansible
Zero Downtime Deployment with Ansible
 
Getting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdfGetting Started with Ansible - Jake.pdf
Getting Started with Ansible - Jake.pdf
 
Infrastructure = code - 1 year later
Infrastructure = code - 1 year laterInfrastructure = code - 1 year later
Infrastructure = code - 1 year later
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of Ansible
 
Ansible with oci
Ansible with ociAnsible with oci
Ansible with oci
 
May The Nodejs Be With You
May The Nodejs Be With YouMay The Nodejs Be With You
May The Nodejs Be With You
 
Introduction to WP-CLI: Manage WordPress from the command line
Introduction to WP-CLI: Manage WordPress from the command lineIntroduction to WP-CLI: Manage WordPress from the command line
Introduction to WP-CLI: Manage WordPress from the command line
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in go
 
Ansible for Beginners
Ansible for BeginnersAnsible for Beginners
Ansible for Beginners
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Zero Downtime Deployment with Ansible
Zero Downtime Deployment with AnsibleZero Downtime Deployment with Ansible
Zero Downtime Deployment with Ansible
 
Introduction to Ansible - (dev ops for people who hate devops)
Introduction to Ansible - (dev ops for people who hate devops)Introduction to Ansible - (dev ops for people who hate devops)
Introduction to Ansible - (dev ops for people who hate devops)
 
Generators
GeneratorsGenerators
Generators
 
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
 
Challenges of container configuration
Challenges of container configurationChallenges of container configuration
Challenges of container configuration
 
linux_Commads
linux_Commadslinux_Commads
linux_Commads
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
 
Deploying Symfony | symfony.cat
Deploying Symfony | symfony.catDeploying Symfony | symfony.cat
Deploying Symfony | symfony.cat
 
Docker Introduction.pdf
Docker Introduction.pdfDocker Introduction.pdf
Docker Introduction.pdf
 

Recently uploaded

怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 

Recently uploaded (11)

怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 

Ansible best practices

  • 1. Timothy Appnel Senior Product Manager, Ansible GitHub: tima Twitter: appnelgroup ANSIBLE BEST PRACTICES: THE ESSENTIALS
  • 3. 3 COMPLEXITY KILLS PRODUCTIVITY That's not just a marketing slogan. We really mean it and believe that. We strive to reduce complexity in how we've designed Ansible tools and encourage you to do the same. Strive for simplification in what you automate.
  • 4. 4 OPTIMIZE FOR READABILITY If done properly, it can be the documentation of your workflow automation.
  • 5. 5 Principal 3 THINK DECLARATIVELY Ansible is a desired state engine by design. If you're trying to "write code" in your plays and roles, you're setting yourself up for failure. Our YAML-based playbooks were never meant to be for programming.
  • 6. Treat your Ansible content like code ● Version control your Ansible content ● Start as simple as possible and iterate ○ Start with a basic playbook and static inventory ○ Refactor and modularize later WORKFLOW 6
  • 7. Do It with Style ● Create a style guide for developers ● Consistency in: ○ Tagging ○ Whitespace ○ Naming of Tasks, Plays, Variables, and Roles ○ Directory Layouts ● Enforce the style WORKFLOW 7
  • 8. basic-project ├── inventory │ ├── group_vars │ │ └── web.yml │ ├── host_vars │ │ └── db1.yml │ └── hosts └── site.yml PROJECT LAYOUTS: BASIC 8
  • 9. myapp ├── roles │ ├── myapp │ │ ├── tasks │ │ │ └── main.yml │ │ └── ... │ ├── nginx │ │ └── ... │ └── proxy │ └── ... └── site.yml PROJECT LAYOUTS: ORGANIZATIONAL ROLES 9
  • 10. myapp ├── config.yml ├── provision.yml ├── roles │ └── requirements.yml └── site.yml PROJECT LAYOUTS: SHARED ROLES 10
  • 11. Give inventory nodes human-meaningful 10.1.2.75 10.1.5.45 10.1.4.5 10.1.0.40 w14301.example.com w17802.example.com w19203.example.com w19304.example.com INVENTORY 11 db1 ansible_host=10.1.2.75 db2 ansible_host=10.1.5.45 db3 ansible_host=10.1.4.5 db4 ansible_host=10.1.0.40 web1 ansible_host=w14301.example.com web2 ansible_host=w17802.example.com web3 ansible_host=w19203.example.com web4 ansible_host=w19203.example.com EXHIBIT A EXHIBIT B
  • 12. Group hosts for easier inventory selection and less conditional tasks -- the more groups the better. WHAT [db] db[1:4] [web] web[1:4] db1 = db, east, dev INVENTORY 12 WHEN [dev] db1 web1 [test] db3 web3 [prod] db2 web2 db4 web4 WHERE [east] db1 web1 db3 web3 [west] db2 web2 db4 web4
  • 13. Use a single source of truth if you have it -- even if you have multiple sources, Ansible can unify them. ● Stay in sync automatically ● Reduce human error INVENTORY 13 PUBLIC / PRIVATE CLOUD CMDB
  • 14. Proper variable naming can make plays more readable and avoid variable name conflicts ● Use descriptive, unique human-meaningful variable names ● Prefix role variables with its “owner” such as a role name or package apache_max_keepalive: 25 apache_port: 80 tomcat_port: 8080 VARIABLES 14
  • 15. Make the most of variables ● Find the appropriate place for your variables based on what, where and when they are set or modified ● Separate logic (tasks) from variables to reduce repetitive patterns and provided added flexibility. VARIABLES 15
  • 16. - name: Clone student lesson app for a user host: nodes tasks: - name: Create ssh dir file: state: directory path: /home/{{ username }}/.ssh - name: Set Deployment Key copy: src: files/deploy_key dest: /home/{{ username }}/.ssh/id_rsa - name: Clone repo git: accept_hostkey: yes clone: yes dest: /home/{{ username }}/exampleapp key_file: /home/{{ username }}/.ssh/id_rsa repo: git@github.com:example/apprepo.git SEPARATE LOGIC FROM VARIABLES 16 EXHIBIT A ● Embedded parameter values and repetitive home directory value pattern in multiple places ● Works but could be more clearer and setup to be more flexible and maintainable
  • 17. - name: Clone student lesson app for a user host: nodes vars: user_home_dir: /home/{{ username }} user_ssh_dir: "{{ user_home_dir }}/.ssh" deploy_key: "{{ user_ssh_dir }}/id_rsa" app_dir: "{{ user_home_dir }}/exampleapp" tasks: - name: Create ssh dir file: state: directory path: "{{ user_ssh_dir }}" - name: Set Deployment Key copy: src: files/deploy_key dest: "{{ deploy_key }}" - name: Clone repo git: dest: "{{ app_dir }}" key_file: "{{ deploy_key }}" repo: git@github.com:example/exampleapp.git accept_hostkey: yes clone: yes SEPARATE LOGIC FROM VARIABLES 17 EXHIBIT B ● Parameters values are set thru values away from the task and can be overridden. ● Human meaningful variables “document” what’s getting plugged into a task parameter ● More easily refactored into a role
  • 18. Use native YAML syntax to maximize the readability of your plays ● Vertical reading is easier ● Supports complex parameter values ● Works better with editor syntax highlighting in editors PLAYS & TASKS 18
  • 19. - name: install telegraf yum: name=telegraf-{{ telegraf_version }} state=present update_cache=yes disabl notify: restart telegraf - name: configure telegraf template: src=telegraf.conf.j2 dest=/etc/telegraf/telegraf.conf - name: start telegraf service: name=telegraf state=started enabled=yes NO! USE NATIVE YAML SYNTAX 19
  • 20. - name: install telegraf yum: > name=telegraf-{{ telegraf_version }} state=present update_cache=yes disable_gpg_check=yes enablerepo=telegraf notify: restart telegraf - name: configure telegraf template: src=telegraf.conf.j2 dest=/etc/telegraf/telegraf.conf - name: start telegraf service: name=telegraf state=started enabled=yes Better, but no USE NATIVE YAML SYNTAX 20
  • 21. Yes! - name: install telegraf yum: name: telegraf-{{ telegraf_version }} state: present update_cache: yes disable_gpg_check: yes enablerepo: telegraf notify: restart telegraf - name: configure telegraf template: src: telegraf.conf.j2 dest: /etc/telegraf/telegraf.conf notify: restart telegraf - name: start telegraf service: name: telegraf state: started enabled: yes USE NATIVE YAML SYNTAX 21
  • 22. Names improve readability and user feedback ● Give all your playbooks, tasks and blocks brief, reasonably unique and human-meaningful names PLAYS & TASKS 22
  • 23. - hosts: web tasks: - yum: name: httpd state: latest - service: name: httpd state: started enabled: yes PLAYS & TASKS 23 PLAY [web] ******************************** TASK [setup] ******************************** ok: [web1] TASK [yum] ******************************** ok: [web1] TASK [service] ******************************** ok: [web1] EXHIBIT A
  • 24. - hosts: web name: install and start apache tasks: - name: install apache packages yum: name: httpd state: latest - name: start apache service service: name: httpd state: started enabled: yes PLAYS & TASKS 24 PLAY [install and start apache] ******************************** TASK [setup] ******************************** ok: [web1] TASK [install apache packages] ******************************** ok: [web1] TASK [start apache service] ******************************** ok: [web1] EXHIBIT B
  • 25. Focus avoids complexity ● Keep plays and playbooks focused. Multiple simple ones are better than having a huge single playbook full of conditionals ● Follow Linux principle of do one thing, and one thing well PLAYS & TASKS 25
  • 26. Clean up your debugging tasks ● Make them optional with the verbosity parameter so they’re only displayed when they are wanted. - debug: msg: "This always displays" - debug: msg: "This only displays with ansible-playbook -vv+" verbosity: 2 PLAYS & TASKS 26
  • 27. Don’t just start services -- use smoke tests - name: check for proper response uri: url: http://localhost/myapp return_content: yes register: result until: '"Hello World" in result.content' retries: 10 delay: 1 PLAYS & TASKS 27
  • 28. Use command modules sparingly ● Use the run command modules like shell and command as a last resort ● The command module is generally safer ● The shell module should only be used for I/O redirect PLAYS & TASKS 28
  • 29. Always seek out a module first - name: add user command: useradd appuser - name: install apache command: yum install httpd - name: start apache shell: | service httpd start && chkconfig httpd on PLAYS & TASKS 29 - name: add user user: name: appuser state: present - name: install apache yum: name: httpd state: latest - name: start apache service: name: httpd state: started enabled: yes
  • 30. Still using command modules a lot? - hosts: all vars: cert_store: /etc/mycerts cert_name: my cert tasks: - name: check cert shell: certify --list --name={{ cert_name }} --cert_store={{ cert_store }} | grep "{{ cert_name }}" register: output - name: create cert command: certify --create --user=chris --name={{ cert_name }} --cert_store={{ cert_store }} when: output.stdout.find(cert_name)" != -1 register: output - name: sign cert command: certify --sign --name={{ cert_name }} --cert_store={{ cert_store }} when: output.stdout.find("created")" != -1 PLAYS & TASKS 30
  • 31. Develop your own module - hosts: all vars: cert_store: /etc/mycerts cert_name: my cert tasks: - name: create and sign cert certify: state: present sign: yes user: chris name: "{{ cert_name }}" cert_store: "{{ cert_store }}" PLAYS & TASKS 31 ● Understandable by non-technical people ● CRUD (Create, read, update and delete)
  • 32. Separate provisioning from deployment and configuration tasks acme_corp/ ├── configure.yml ├── provision.yml └── site.yml $ cat site.yml --- - import_playbook: provision.yml - import_playbook: configure.yml PLAYS & TASKS 32
  • 33. Jinja2 is powerful but you needn't use all of it ● Templates should be simple: ○ Variable substitution ○ Conditionals ○ Simple control structures/iterations ○ Design your templates for your use case, not the world's ● Things to avoid: ○ Anything that can be done directly in Ansible ○ Managing variables in a template ○ Extensive and intricate conditionals ○ Conditional logic based on embedded hostnames ○ Complex nested iterations TEMPLATES 33
  • 34. Careful when mixing manual and automated configuration ● Label template output files as being generated by Ansible {{ ansible_managed | comment }} TEMPLATES 34
  • 35. ● Like playbooks -- keep roles purpose and function focused ● Use a roles/ subdirectory for roles developed for organizational clarity in a single project ● Follow the Ansible Galaxy pattern for roles that are to be shared beyond a single project ● Limit role dependencies ROLES 35
  • 36. ● Use ansible-galaxy init to start your roles... ● ...then remove unneeded directories and stub files ● Use ansible-galaxy to install your roles -- even private ones ● Use a roles files (i.e. requirements.yml) to manifest any external roles your project is using ● Always peg a role to a specific version such as a tag or commit ROLES 36
  • 37. ● Coordination across a distributed teams & organization… ● Controlling access to credentials... ● Track, audit and report automation and management activity... ● Provide self-service or delegation… ● Integrate automation with enterprise systems... SCALING YOUR ANSIBLE WORKFLOW 37 Command line tools have their limitations
  • 38. 38 Complexity Kills Productivity Optimize For Readability Think Declaratively Thank you