SlideShare a Scribd company logo
1 of 26
Download to read offline
Tips & Tricks
Not your usual usage
Ansible Fest NYC 2015
#>whoami
● currently: ansible core team member (bcoca)
● helpdesk/application support
● programmer/analyst/software engineer
● QA, systems & network administrator
● release manager, DBA, information security,
● “Tech Janitor”
#>apropos ansible
● Configuration management
● Release management
● Automation framework
● Orchestration system
● Distributed batch executor
____________________
/ It runs a TASK * x 
 on a HOST * x /
--------------------
 ^__^
 (oo)_______
(__) )/
||----w |
|| ||
#LIVE>multiply_shell
● allows you to reuse your shell magic
● must be non interactive
● plays well with traditional unix tools
● just multiply by ### hosts
● requires some work for nicer outputs
● -t == json file database per host
#LIVE>ansible_shell
#>ansible webs -m shell -a "awk '{print $9}'
/var/log/nginx/access.log|sort |uniq -c |sort -k1,1nr
2>/dev/null|column -t"
web1 | success | rc=0 >>
204417 200
48108 304
8550 302
6541 301
1696 404
269 206
web2 | success | rc=0 >>
205807 200
43762 304
...
#LIVE>procmail
-- procmail
:0 #send back http code live report
* ^From.*@example.com
* ^Subject:.*500 report
|ansible-playbook ~/plays/report.yml
--- #report.yml
…
- shell: "awk '{print $9}' …
register: report
- mail: to={{lookup(‘env’,’FROM’)}} body={{report}} …
______________
< you got mail >
--------------
 , ,
 /( )`
  ___ / |
/- _ `-/ '
(//   /
/ / | ` 
O O ) / |
`-^--'`< '
(_.) _ ) /
`.___/` /
`-----' /
<----. __ / __ 
<----|====O)))==) ) /====
<----' `--' `.__,' 
| |
 /
______( (_ / ______
,' ,-----' | 
`--{__________) /
#UTIL>small_scripts
● tries not to be a programming language
● but … sometimes its very useful as such
● plays can wrap existing roles/task lists
● vars_prompt/pause allow for interactivity
● -e “var=val” for completely batch
● -e @file.json: you can use json data files
#UTIL>/sbin/departed
#!/usr/bin/ansible-playbook
---
- name: Ensure only valid users
hosts: all
gather_facts: False
sudo: True
vars_files:
#departed: [ alan, bcoca, isaac, mathew, willy ]
- /etc/departed_users.yml
tasks:
- name: Delete departed user and all it’s files
user: name={{item}} state=absent remove=yes
with_items: “{{departed}}”
#UTIL>/bin/release_apps
#!/usr/bin/ansible-playbook
- hosts: localhost
vars_prompt:
- name: app_name
prompt: “Which app do you want to deploy?”
- name: app_version
prompt: “Choose version/tag (default HEAD)”
default: ‘HEAD’
tasks:
- git: repo=git@myreposerver/{{app_version}} version={{app_version}} ...
...
- hosts: app_servers
serial: 1
tasks:
- pause: "are you sure you want to stop all services?"
- name: shush nagios
nagios: action=silence host={{inventory_hostname}}
delegate_to: {{monitor}}
- name: nginx graceful stop
service: name=nginx state=stopped
- name: stop uwsgi
service name=uwsgi state=stopped …
...
______________________
/ for reusability, use 
 includes and roles /
----------------------

 __
UooU.'@@@@@@`.
__/(@@@@@@@@@@)
(@@@@@@@@)
`YY~~~~YY'
|| ||
#QA>verify
● The same way I do things , I can check them
● Gentle learning curve for your test creator
● Checks don’t normally need root
● check_mode and diff_mode
● assert/fail, no need to read the output!
#QA>check_server
- hosts: app_server
tasks:
- users: name=appuser state=present
name: verify that app user is present
- file: path=/to/app/dir owner=appuser mode=0700
name: check that app dir has proper permissions
- service: name={{item}} state=started
name: check that services are running
with_items: [‘nginx’, ‘uwsgi’]
- postgres_user: name=dbapp1 password=secretrole_attr_flags=NOSUPERUSER
name: check app user is accessible via app server
____________________________________
/ or if your playbook is idempotent, 
 just run it again Sam! /
------------------------------------

 
 /
( )
.( o ).
#QA>check_app
- hosts: app_servers
tasks:
- stat: path=/var/run/tomcat/webapps/myapp.jar
register: jar
- assert:
that:
- jar.checksum == lookup(‘consul_kv’,‘myapp_csum’)
- stat: path=/var/run/app2.pid
- wait_for: port=8080
- uri: return_content=’app1 OK’
#AUDIT>verify --- qa?
● The same way I do, I can check
● Gentle learning curve for your auditor
● Checks don’t normally need root
● check_mode and diff_mode
#AUDIT>check_firewall
# verify firewall after manual config
- wait_for:
port: “{{item}}”
host: prod.example.com
delegate_to: outside.host.com
with_items: [‘80, ‘443’]
- wait_for: port={{item}} host=prod.example.com
delegate_to: outside.host.com
failed_when: not left_door_open|failed
register: left_door_open
when: item not in [‘80’, ‘443’]
with_sequence: start=1 end=1024
______________
< or call nmap >
--------------


___
{~._.~}
( Y )
()~*~()
(_)-(_)
#AUDIT>check_file_changes
# from vars today_file: checks/{{inventory_hostname}}/{{today}}.txt
- find: paths=/etc recurse=Y size=1 age=1d
registered: fchanged
- assert:
that:
- fchanged|length == 0
- assert:
that:
- item.checksum == lookup(‘pipe’, ‘grep ‘ + item + ‘ /checks/latest| cut -f2’)
with_items: “{{fchanged}}”
- local_action: template src=checksums.j2 dest={{today_file}}
- local_action: file src={{today_file}} path=/checks/latest state=link
______________________
/ Just until you setup 
 aide|osiris|tripwire /
----------------------


/_)o<
| 
| O . O|
_____/
#AUDIT>facts_drift
● set fact caching to use jsonfile
● make git repo or checkout in cache dir
● set incron to commit when file changes
● now git log shows facts change over time
● filter out time facts (or not)
● … so ... tower will do this for me?
#AUDIT>file_changes_xattr
● {{ansible_managed}} (changed or lack info)
● use xattr to keep metadata with the file
● requires user_xattr on mount
● great ETL, can keep correct file transforms
● does not affect copy/template ‘changed’
#HACK>expand_ansible
● roles: as shared libraries
● plugins: there are more than modules
● callbacks: send events
● notification modules: specific events
● dynamic modules: if you crave abstraction
#HACK>tidy
# tidy_expected: [‘conf1.cfg’, conf2.cfg’]
- find: paths={{tidy_path}} #/etc/myapp
register: existing
- file: path={{item.path}} state=absent
when: item.path|basename not in tidy_expected
with_items: “{{existing.files|default([ ])}}”
register: removed
- mail: body=“{{removed}}”
#HACK>ansible_events
syslog_json callback plugin
def __init__(self):
self.logger = logging.getLogger('ansible logger')
self.logger.setLevel(logging.DEBUG)
self.handler = logging.handlers.SysLogHandler(
address = (os.getenv('SYSLOG_SERVER','locahost'),
os.getenv('SYSLOG_PORT',514)),
facility=logging.handlers.SysLogHandler.LOG_USER
)
self.logger.addHandler(handler)
....
def runner_on_ok(self, host, res):
self.logger.info('RUNNER_ON_OK ' + host + ' ' 
+ json.dumps(res, sort_keys=True))
def runner_on_skipped(self, host, item=None):
self.logger.info('RUNNER_ON_SKIPPED ' + host)
#HACK>ansible_events
osx_say callback plugin
def say(msg, voice):
subprocess.call([SAY_CMD, msg, "--voice=%s" % (voice)])
def __init__(self):
# plugin disable itself if say is not present
if not os.path.exists(SAY_CMD):
self.disabled = True
print "%s does not exist, plugin %s disabled" % 
(SAY_CMD, os.path.basename(__file__))
…
def runner_on_failed(self, host, res, ignore_errors=False):
say("Failure on host %s" % host, FAILED_VOICE)
def runner_on_ok(self, host, res):
say("pew", LASER_VOICE)
________________________________________________
/ https://github.com/mpdehaan/ansible-and-juliet 
 /
------------------------------------------------


,;;;;;;;,
;;;;;;;;;;;,
;;;;;'_____;'
;;;(/))))|((
_;;((((((|))))
/ |_
.--~(  ~))))))))))))
/  `-(((((((((((
| | ` ) | /|)
| | `. _/ _____/ |
| , `~ /
|   /
| `. `| /
| ~- ` /
____~._/~ -_, (
|-----|  ';;
| | :;;;' 
| / | |
| | |
#HACK>executing tasks
- action:
module: <module name>
- action: <module name>
- <module name>:
● optionally ‘local_action’ instead of ‘action’
● module name as a variable {{mymodule}}
#HACK>abstract package
- include_vars: “{{ansible_os_distribution|default
(‘default’)}}.yml”
- name: install apache
action: “{{ansible_pkg_mgr}} name={{item}}
state=present”
with_items: “{{apache_pkgs}}”
- template:
src: “{{apache_config}}.j2”
dest: /etc/{{apache_config}}
owner: “{{apache_user}}”
group: “{{apache_group}}”
notify: “apache_restart”
#HACK>abstract package
Redhat.yml
---
apache_user: httpd
apache_group: httpd
apache_config: /etc/httpd/conf/httpd.conf
apache_pkgs:
- httpd
- mod_ssl
- php-fpm
apache_service: httpd
#HACK>abstract package
Debian.yml
---
apache_user: www-data
apache_group: www-data
apache_config: /etc/apache2/httpd.conf
apache_pkgs:
- apache2-mpm
- libapache2-mod-ssl
- php5-fpm
apache_service: apache2
__________________
/ can break 
 apachectl utils /
------------------


.--.
|o_o |
|:_/ |
//  
(| | )
/'_ _/`
___)=(___/
#THE END>wait 6 && exit
● Ansible was born to play well with Unix
● Roles allow for reuse and sharing
● Plugins are where you code
● Plugins are useful to non programmers.
● callbacks, lookups, filters, etc are also plugins
● Many ways to make Ansible work for you
__________
< goodbye! >
----------
 ^__^
 (oo)_______
(__) )/
||----w |
|| ||

More Related Content

What's hot

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
DevOps with Ansible
DevOps with AnsibleDevOps with Ansible
DevOps with AnsibleSwapnil Jain
 
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...Simplilearn
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
DevOps Meetup ansible
DevOps Meetup   ansibleDevOps Meetup   ansible
DevOps Meetup ansiblesriram_rajan
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansibleGeorge Shuklin
 
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...SlideTeam
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationKumar Y
 
Unix shell scripting basics
Unix shell scripting basicsUnix shell scripting basics
Unix shell scripting basicsManav Prasad
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentationnishantsri
 

What's hot (20)

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
DevOps with Ansible
DevOps with AnsibleDevOps with Ansible
DevOps with Ansible
 
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
What Is Ansible? | How Ansible Works? | Ansible Tutorial For Beginners | DevO...
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
 
DevOps Meetup ansible
DevOps Meetup   ansibleDevOps Meetup   ansible
DevOps Meetup ansible
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansible
 
Ansible
AnsibleAnsible
Ansible
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
 
Powershell Demo Presentation
Powershell Demo PresentationPowershell Demo Presentation
Powershell Demo Presentation
 
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...Hands On Introduction To Ansible Configuration Management With Ansible Comple...
Hands On Introduction To Ansible Configuration Management With Ansible Comple...
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Ansible intro
Ansible introAnsible intro
Ansible intro
 
Ansible
AnsibleAnsible
Ansible
 
Ansible
AnsibleAnsible
Ansible
 
Ansible
AnsibleAnsible
Ansible
 
Configuration Management in Ansible
Configuration Management in Ansible Configuration Management in Ansible
Configuration Management in Ansible
 
Ansible
AnsibleAnsible
Ansible
 
Unix shell scripting basics
Unix shell scripting basicsUnix shell scripting basics
Unix shell scripting basics
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentation
 
Jenkins CI
Jenkins CIJenkins CI
Jenkins CI
 

Viewers also liked

Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practicesBas Meijer
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with AnsibleBas Meijer
 
V2 and beyond
V2 and beyondV2 and beyond
V2 and beyondjimi-c
 
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice  In Node, Using Ansible - AnsibleF...AnsibleBuilding a Docker-ized Microservice  In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...Irakli Nadareishvili
 
Ansible roles done right
Ansible roles done rightAnsible roles done right
Ansible roles done rightDan Vaida
 
Compliance Automation Workshop
Compliance Automation WorkshopCompliance Automation Workshop
Compliance Automation WorkshopChef
 
Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...
Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...
Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...Chef Software, Inc.
 
STIG Compliance and Remediation with Ansible
STIG Compliance and Remediation with AnsibleSTIG Compliance and Remediation with Ansible
STIG Compliance and Remediation with AnsibleAnsible
 
Survey: Frozen Yogurt Market in India (2013)
Survey: Frozen Yogurt Market in India (2013)Survey: Frozen Yogurt Market in India (2013)
Survey: Frozen Yogurt Market in India (2013)Chef at Large
 
Chef Delivery
Chef DeliveryChef Delivery
Chef DeliveryChef
 
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...Edureka!
 
Puppet overview
Puppet overviewPuppet overview
Puppet overviewjoshbeard
 
Infrastructure Automation with Chef
Infrastructure Automation with Chef Infrastructure Automation with Chef
Infrastructure Automation with Chef REAN Cloud
 
Introduction to Chef
Introduction to ChefIntroduction to Chef
Introduction to ChefKnoldus Inc.
 
Ansible is the simplest way to automate. MoldCamp, 2015
Ansible is the simplest way to automate. MoldCamp, 2015Ansible is the simplest way to automate. MoldCamp, 2015
Ansible is the simplest way to automate. MoldCamp, 2015Alex S
 
Introduction to puppet
Introduction to puppetIntroduction to puppet
Introduction to puppetHabeeb Rahman
 

Viewers also liked (20)

Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
 
V2 and beyond
V2 and beyondV2 and beyond
V2 and beyond
 
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice  In Node, Using Ansible - AnsibleF...AnsibleBuilding a Docker-ized Microservice  In Node, Using Ansible - AnsibleF...
AnsibleBuilding a Docker-ized Microservice In Node, Using Ansible - AnsibleF...
 
Ansible roles done right
Ansible roles done rightAnsible roles done right
Ansible roles done right
 
Cyansible
CyansibleCyansible
Cyansible
 
Compliance Automation Workshop
Compliance Automation WorkshopCompliance Automation Workshop
Compliance Automation Workshop
 
Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...
Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...
Chef Fundamentals Training Series Module 6: Roles, Environments, Community Co...
 
STIG Compliance and Remediation with Ansible
STIG Compliance and Remediation with AnsibleSTIG Compliance and Remediation with Ansible
STIG Compliance and Remediation with Ansible
 
Survey: Frozen Yogurt Market in India (2013)
Survey: Frozen Yogurt Market in India (2013)Survey: Frozen Yogurt Market in India (2013)
Survey: Frozen Yogurt Market in India (2013)
 
Chef Delivery
Chef DeliveryChef Delivery
Chef Delivery
 
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...
 
Introduction to chef
Introduction to chefIntroduction to chef
Introduction to chef
 
Puppets
PuppetsPuppets
Puppets
 
Puppet overview
Puppet overviewPuppet overview
Puppet overview
 
Infrastructure Automation with Chef
Infrastructure Automation with Chef Infrastructure Automation with Chef
Infrastructure Automation with Chef
 
Introduction to Chef
Introduction to ChefIntroduction to Chef
Introduction to Chef
 
Ansible
AnsibleAnsible
Ansible
 
Ansible is the simplest way to automate. MoldCamp, 2015
Ansible is the simplest way to automate. MoldCamp, 2015Ansible is the simplest way to automate. MoldCamp, 2015
Ansible is the simplest way to automate. MoldCamp, 2015
 
Introduction to puppet
Introduction to puppetIntroduction to puppet
Introduction to puppet
 

Similar to Ansible tips & tricks

Hacking ansible
Hacking ansibleHacking ansible
Hacking ansiblebcoca
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestrationbcoca
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesLindsay Holmwood
 
Automation with Ansible and Containers
Automation with Ansible and ContainersAutomation with Ansible and Containers
Automation with Ansible and ContainersRodolfo Carvalho
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
Practical Chef and Capistrano for Your Rails App
Practical Chef and Capistrano for Your Rails AppPractical Chef and Capistrano for Your Rails App
Practical Chef and Capistrano for Your Rails AppSmartLogic
 
Puppet atbazaarvoice
Puppet atbazaarvoicePuppet atbazaarvoice
Puppet atbazaarvoiceDave Barcelo
 
A General Purpose Docker Image for PHP
A General Purpose Docker Image for PHPA General Purpose Docker Image for PHP
A General Purpose Docker Image for PHPRobert Lemke
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDSean Chittenden
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetOmar Reygaert
 
Javascript is your (Auto)mate
Javascript is your (Auto)mateJavascript is your (Auto)mate
Javascript is your (Auto)mateCodemotion
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for realCodemotion
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
More tips n tricks
More tips n tricksMore tips n tricks
More tips n tricksbcoca
 
Railsconf2011 deployment tips_for_slideshare
Railsconf2011 deployment tips_for_slideshareRailsconf2011 deployment tips_for_slideshare
Railsconf2011 deployment tips_for_slidesharetomcopeland
 

Similar to Ansible tips & tricks (20)

Hacking ansible
Hacking ansibleHacking ansible
Hacking ansible
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestration
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websites
 
Automation with Ansible and Containers
Automation with Ansible and ContainersAutomation with Ansible and Containers
Automation with Ansible and Containers
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php Presentation
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
 
Practical Chef and Capistrano for Your Rails App
Practical Chef and Capistrano for Your Rails AppPractical Chef and Capistrano for Your Rails App
Practical Chef and Capistrano for Your Rails App
 
Puppet atbazaarvoice
Puppet atbazaarvoicePuppet atbazaarvoice
Puppet atbazaarvoice
 
Mojolicious
MojoliciousMojolicious
Mojolicious
 
A General Purpose Docker Image for PHP
A General Purpose Docker Image for PHPA General Purpose Docker Image for PHP
A General Purpose Docker Image for PHP
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSD
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + Puppet
 
infra-as-code
infra-as-codeinfra-as-code
infra-as-code
 
Javascript is your (Auto)mate
Javascript is your (Auto)mateJavascript is your (Auto)mate
Javascript is your (Auto)mate
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
 
Ansible 2.0 spblug
Ansible 2.0 spblugAnsible 2.0 spblug
Ansible 2.0 spblug
 
More tips n tricks
More tips n tricksMore tips n tricks
More tips n tricks
 
Railsconf2011 deployment tips_for_slideshare
Railsconf2011 deployment tips_for_slideshareRailsconf2011 deployment tips_for_slideshare
Railsconf2011 deployment tips_for_slideshare
 
EC2
EC2EC2
EC2
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 

Recently uploaded (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 

Ansible tips & tricks

  • 1. Tips & Tricks Not your usual usage Ansible Fest NYC 2015
  • 2. #>whoami ● currently: ansible core team member (bcoca) ● helpdesk/application support ● programmer/analyst/software engineer ● QA, systems & network administrator ● release manager, DBA, information security, ● “Tech Janitor”
  • 3. #>apropos ansible ● Configuration management ● Release management ● Automation framework ● Orchestration system ● Distributed batch executor ____________________ / It runs a TASK * x on a HOST * x / -------------------- ^__^ (oo)_______ (__) )/ ||----w | || ||
  • 4. #LIVE>multiply_shell ● allows you to reuse your shell magic ● must be non interactive ● plays well with traditional unix tools ● just multiply by ### hosts ● requires some work for nicer outputs ● -t == json file database per host
  • 5. #LIVE>ansible_shell #>ansible webs -m shell -a "awk '{print $9}' /var/log/nginx/access.log|sort |uniq -c |sort -k1,1nr 2>/dev/null|column -t" web1 | success | rc=0 >> 204417 200 48108 304 8550 302 6541 301 1696 404 269 206 web2 | success | rc=0 >> 205807 200 43762 304 ...
  • 6. #LIVE>procmail -- procmail :0 #send back http code live report * ^From.*@example.com * ^Subject:.*500 report |ansible-playbook ~/plays/report.yml --- #report.yml … - shell: "awk '{print $9}' … register: report - mail: to={{lookup(‘env’,’FROM’)}} body={{report}} … ______________ < you got mail > -------------- , , /( )` ___ / | /- _ `-/ ' (// / / / | ` O O ) / | `-^--'`< ' (_.) _ ) / `.___/` / `-----' / <----. __ / __ <----|====O)))==) ) /==== <----' `--' `.__,' | | / ______( (_ / ______ ,' ,-----' | `--{__________) /
  • 7. #UTIL>small_scripts ● tries not to be a programming language ● but … sometimes its very useful as such ● plays can wrap existing roles/task lists ● vars_prompt/pause allow for interactivity ● -e “var=val” for completely batch ● -e @file.json: you can use json data files
  • 8. #UTIL>/sbin/departed #!/usr/bin/ansible-playbook --- - name: Ensure only valid users hosts: all gather_facts: False sudo: True vars_files: #departed: [ alan, bcoca, isaac, mathew, willy ] - /etc/departed_users.yml tasks: - name: Delete departed user and all it’s files user: name={{item}} state=absent remove=yes with_items: “{{departed}}”
  • 9. #UTIL>/bin/release_apps #!/usr/bin/ansible-playbook - hosts: localhost vars_prompt: - name: app_name prompt: “Which app do you want to deploy?” - name: app_version prompt: “Choose version/tag (default HEAD)” default: ‘HEAD’ tasks: - git: repo=git@myreposerver/{{app_version}} version={{app_version}} ... ... - hosts: app_servers serial: 1 tasks: - pause: "are you sure you want to stop all services?" - name: shush nagios nagios: action=silence host={{inventory_hostname}} delegate_to: {{monitor}} - name: nginx graceful stop service: name=nginx state=stopped - name: stop uwsgi service name=uwsgi state=stopped … ... ______________________ / for reusability, use includes and roles / ---------------------- __ UooU.'@@@@@@`. __/(@@@@@@@@@@) (@@@@@@@@) `YY~~~~YY' || ||
  • 10. #QA>verify ● The same way I do things , I can check them ● Gentle learning curve for your test creator ● Checks don’t normally need root ● check_mode and diff_mode ● assert/fail, no need to read the output!
  • 11. #QA>check_server - hosts: app_server tasks: - users: name=appuser state=present name: verify that app user is present - file: path=/to/app/dir owner=appuser mode=0700 name: check that app dir has proper permissions - service: name={{item}} state=started name: check that services are running with_items: [‘nginx’, ‘uwsgi’] - postgres_user: name=dbapp1 password=secretrole_attr_flags=NOSUPERUSER name: check app user is accessible via app server ____________________________________ / or if your playbook is idempotent, just run it again Sam! / ------------------------------------ / ( ) .( o ).
  • 12. #QA>check_app - hosts: app_servers tasks: - stat: path=/var/run/tomcat/webapps/myapp.jar register: jar - assert: that: - jar.checksum == lookup(‘consul_kv’,‘myapp_csum’) - stat: path=/var/run/app2.pid - wait_for: port=8080 - uri: return_content=’app1 OK’
  • 13. #AUDIT>verify --- qa? ● The same way I do, I can check ● Gentle learning curve for your auditor ● Checks don’t normally need root ● check_mode and diff_mode
  • 14. #AUDIT>check_firewall # verify firewall after manual config - wait_for: port: “{{item}}” host: prod.example.com delegate_to: outside.host.com with_items: [‘80, ‘443’] - wait_for: port={{item}} host=prod.example.com delegate_to: outside.host.com failed_when: not left_door_open|failed register: left_door_open when: item not in [‘80’, ‘443’] with_sequence: start=1 end=1024 ______________ < or call nmap > -------------- ___ {~._.~} ( Y ) ()~*~() (_)-(_)
  • 15. #AUDIT>check_file_changes # from vars today_file: checks/{{inventory_hostname}}/{{today}}.txt - find: paths=/etc recurse=Y size=1 age=1d registered: fchanged - assert: that: - fchanged|length == 0 - assert: that: - item.checksum == lookup(‘pipe’, ‘grep ‘ + item + ‘ /checks/latest| cut -f2’) with_items: “{{fchanged}}” - local_action: template src=checksums.j2 dest={{today_file}} - local_action: file src={{today_file}} path=/checks/latest state=link ______________________ / Just until you setup aide|osiris|tripwire / ---------------------- /_)o< | | O . O| _____/
  • 16. #AUDIT>facts_drift ● set fact caching to use jsonfile ● make git repo or checkout in cache dir ● set incron to commit when file changes ● now git log shows facts change over time ● filter out time facts (or not) ● … so ... tower will do this for me?
  • 17. #AUDIT>file_changes_xattr ● {{ansible_managed}} (changed or lack info) ● use xattr to keep metadata with the file ● requires user_xattr on mount ● great ETL, can keep correct file transforms ● does not affect copy/template ‘changed’
  • 18. #HACK>expand_ansible ● roles: as shared libraries ● plugins: there are more than modules ● callbacks: send events ● notification modules: specific events ● dynamic modules: if you crave abstraction
  • 19. #HACK>tidy # tidy_expected: [‘conf1.cfg’, conf2.cfg’] - find: paths={{tidy_path}} #/etc/myapp register: existing - file: path={{item.path}} state=absent when: item.path|basename not in tidy_expected with_items: “{{existing.files|default([ ])}}” register: removed - mail: body=“{{removed}}”
  • 20. #HACK>ansible_events syslog_json callback plugin def __init__(self): self.logger = logging.getLogger('ansible logger') self.logger.setLevel(logging.DEBUG) self.handler = logging.handlers.SysLogHandler( address = (os.getenv('SYSLOG_SERVER','locahost'), os.getenv('SYSLOG_PORT',514)), facility=logging.handlers.SysLogHandler.LOG_USER ) self.logger.addHandler(handler) .... def runner_on_ok(self, host, res): self.logger.info('RUNNER_ON_OK ' + host + ' ' + json.dumps(res, sort_keys=True)) def runner_on_skipped(self, host, item=None): self.logger.info('RUNNER_ON_SKIPPED ' + host)
  • 21. #HACK>ansible_events osx_say callback plugin def say(msg, voice): subprocess.call([SAY_CMD, msg, "--voice=%s" % (voice)]) def __init__(self): # plugin disable itself if say is not present if not os.path.exists(SAY_CMD): self.disabled = True print "%s does not exist, plugin %s disabled" % (SAY_CMD, os.path.basename(__file__)) … def runner_on_failed(self, host, res, ignore_errors=False): say("Failure on host %s" % host, FAILED_VOICE) def runner_on_ok(self, host, res): say("pew", LASER_VOICE) ________________________________________________ / https://github.com/mpdehaan/ansible-and-juliet / ------------------------------------------------ ,;;;;;;;, ;;;;;;;;;;;, ;;;;;'_____;' ;;;(/))))|(( _;;((((((|)))) / |_ .--~( ~)))))))))))) / `-((((((((((( | | ` ) | /|) | | `. _/ _____/ | | , `~ / | / | `. `| / | ~- ` / ____~._/~ -_, ( |-----| ';; | | :;;;' | / | | | | |
  • 22. #HACK>executing tasks - action: module: <module name> - action: <module name> - <module name>: ● optionally ‘local_action’ instead of ‘action’ ● module name as a variable {{mymodule}}
  • 23. #HACK>abstract package - include_vars: “{{ansible_os_distribution|default (‘default’)}}.yml” - name: install apache action: “{{ansible_pkg_mgr}} name={{item}} state=present” with_items: “{{apache_pkgs}}” - template: src: “{{apache_config}}.j2” dest: /etc/{{apache_config}} owner: “{{apache_user}}” group: “{{apache_group}}” notify: “apache_restart”
  • 24. #HACK>abstract package Redhat.yml --- apache_user: httpd apache_group: httpd apache_config: /etc/httpd/conf/httpd.conf apache_pkgs: - httpd - mod_ssl - php-fpm apache_service: httpd
  • 25. #HACK>abstract package Debian.yml --- apache_user: www-data apache_group: www-data apache_config: /etc/apache2/httpd.conf apache_pkgs: - apache2-mpm - libapache2-mod-ssl - php5-fpm apache_service: apache2 __________________ / can break apachectl utils / ------------------ .--. |o_o | |:_/ | // (| | ) /'_ _/` ___)=(___/
  • 26. #THE END>wait 6 && exit ● Ansible was born to play well with Unix ● Roles allow for reuse and sharing ● Plugins are where you code ● Plugins are useful to non programmers. ● callbacks, lookups, filters, etc are also plugins ● Many ways to make Ansible work for you __________ < goodbye! > ---------- ^__^ (oo)_______ (__) )/ ||----w | || ||