Automation day red hat ansible

Automação do físico ao NetSecDevOps
Introdução e visão
Rodrigo Missiaggia
rmissiaggia@redhat.com
Principal Solutions Architect
Red Hat Brasil

2
INTRODUÇÃO
Como a Red Hat vê o valor da
Automação?

4
SIMPLES PODEROSO AGENTLESS
Deployment de aplicações
Gerenciamento de
configurações
Network automation
Orquestração do ciclo de vida
Automação legível por humanos
Não são necessárias habilidades
especiais de programação
Tarefas executadas em ordem
Permite que toda equipe utilize e
contribua
Seja produtivo rapidamente
Arquitetura sem Agentes
Utiliza OpenSSH, WinRM, API
ou Netconf
Sem agentes para instalar,
gerenciar ou explorar
vulnerabilidades
Início imediato!!
Maior Eficiência & mais
segurança
POR QUE ANSIBLE?

5
CROSS PLATAFORMA
Suporte sem agente para todas as
principais variantes do sistema
operacional, dispositivos físicos,
virtuais, em nuvem e de rede.
HUMAN READABLE
Descreva e documenta
perfeitamente todos os aspectos do
seu ambiente de aplicativos.
DESCRIÇÃO PERFEITA DA
APLICAÇÃO
Cada mudança pode ser feita por
Playbooks, garantindo que todos
estejam na mesma página.
CONTROLE DE VERSÃO
Playbooks são texto simples.Trate-os
como código em seu controle de
versão existente.
INVENTÁRIOS DINÂMICOS
Capture,,descubra todos os
servidores 100% do tempo,
independentemente da
infraestrutura, localização, ...
ORQUESTRAÇÃO COM
OUTRAS PLATAFORMAS
Cada mudança pode ser feita por
Playbooks, garantindo que todos na
organização estejam na mesma
página.
THE ANSIBLE WAY

6
O QUE PODEMOS FAZER COM ANSIBLE?
Automatize a implante o gerenciamento de todo o seu TI.
Orquestração
Permite...
Firewalls
Gerenciamento
de configuração
Entrega de
aplicações
Provisionamento
Continuous
Delivery
Segurança e
compliance
Com...
Load Balancers Aplicações Containers Clouds
Servers Infraestrutura Storage E mais...Network Devices

7
CLOUD
AWS
Azure
CenturyLink
CloudScale
Digital Ocean
Docker
Google
Linode
OpenStack
Rackspace
E mais…
WINDOWS
ACLs
Files
Commands
Packages
IIS
Regedits
Shell
Shares
Services
DSC
Users
Domains
E mais…
VIRTUALIZAÇÂO
E CONTAINER
Docker
VMware
RHV
OpenStack
OpenShift
Atomic
CloudStack
E mais…
NETWORK
Arista
A10
Cumulus
Big Switch
Cisco
Cumulus
Dell
F5
Juniper
Palo Alto
OpenSwitch
E mais…
NOTIFICAÇÃO
HipChat
IRC
Jabber
Email
RocketChat
Sendgrid
Slack
Twilio
E mais…
ANSIBLE INCLUI MAIS DE 1650 MÓDULOS

8
ANSIBLE’S AUTOMATION ENGINE
CMDB
USERS
INVENTORY
HOSTS
NETWORK
DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATE
CLOUD
PUBLIC / PRIVATE
CLOUD
ANSIBLE
PLAYBOOK
CMDB
INVENTORY
HOSTS
NETWORK
DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATE
CLOUD
PUBLIC / PRIVATE
CLOUD
USERS
ANSIBLE
PLAYBOOK
PLAYBOOKS
• Written in YAML
• Tasks are executed sequentially
• Invokes Ansible modules
MODULES
• Tools in the toolkit
• Python, Powershell or
any language
• Extend Ansible simplicity
to entire stack
CMDB
INVENTORY
HOSTS
NETWORK
DEVICES
PLUGINS
API
PUBLIC / PRIVATE
CLOUD
PUBLIC / PRIVATE
CLOUD
USERS
ANSIBLE
PLAYBOOK
MODULES
COMO O ANSIBLE TRABALHA
CMDB
PUBLIC / PRIVATE
CLOUD
PLUGINS
• Gears in the engine
• Python that plugs into the
core engine
• Adaptability for various uses
& platforms
USERS
ANSIBLE
PLAYBOOK
HOSTS
NETWORK
DEVICES
API
MODULES
PUBLIC / PRIVATE
CLOUD
INVENTORY
PLUGINS
USERS
ANSIBLE
PLAYBOOK
[web]
webserver1.example.com
webserver2.example.com
[db]
dbserver1.example.com
CMDB
HOSTS
NETWORK
DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATE
CLOUD
PUBLIC / PRIVATE
CLOUD
INVENTORY
CLOUD
OpenStack, VMware, EC2,
Rackspace, GCE, Azure,
Spacewalk, Hanlon, Cobbler
CUSTOM CMDBUSERS
ANSIBLE
PLAYBOOK
HOSTS
NETWORK
DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATE
CLOUD
INVENTORY
CMDB
PUBLIC / PRIVATE
CLOUD

9
POR QUE AUTOMAÇÃO É IMPORTANTE?
Os aplicativos e sistemas são mais do que apenas software
e suas configurações. Eles também são resultado de
conhecimento, e procedimentos operacionais, muitas
vezes, bem documentados, outras nem tanto …
Que resultam em uma lista de atividades e processos
necessários para entregar a solução dentro dos
parâmetros desejados para atender as áreas de
compliance, segurança, operação, arquitetura e
performance...
Ansible pode fazer tudo:
• Provisionamento
• Implantação de aplicativos
• Gerenciamento de configurações
• Orquestração multicamada

10
Ansible é a primeira linguagem de automação que pode ser utilizada em todas as áreas de TI.
Ansible é a única automation engine que pode automatizar o ciclo completo de vida das aplicações e o pipeline de delivery
Do desenvolvimento... …para produção.
ANSIBLE PLAYBOOK
DEV/TEST Q/A OPERAÇÕES GERENCIAMENTO OUTSOURCERS
COMUNICAÇÃO É A CHAVE PARA DEVOPS

11
EXEMPLO DE PLAYBOOK: LINUX
---
- name: install and start apache
hosts: web
become: yes
vars:
http_port: 80
tasks:
- name: httpd package is present
yum:
name: httpd
state: latest
- name: latest index.html file is present
copy:
src: files/index.html
dest: /var/www/html/
- name: httpd is started
service:
name: httpd
state: started
---
hosts: web
become: yes
vars:
http_port: 80
tasks:
yum:
name: httpd
state: latest
copy:
service:
name: httpd
state: started
---
hosts: web
become: yes
vars:
http_port: 80
tasks:
yum:
name: httpd
state: latest
copy:
service:
name: httpd
state: started
---
hosts: web
become: yes
vars:
http_port: 80
tasks:
yum:
name: httpd
state: latest
copy:
service:
name: httpd
state: started
---
hosts: web
become: yes
vars:
http_port: 80
tasks:
yum:
name: httpd
state: latest
copy:
service:
name: httpd
state: started
---
hosts: web
become: yes
vars:
http_port: 80
tasks:
yum:
name: httpd
state: latest
copy:
service:
name: httpd
state: started

12
- hosts: new_servers
tasks:
- name: ensure common OS updates are current
win_updates:
register: update_result
- name: ensure domain membership
win_domain_membership:
dns_domain_name: contoso.corp
domain_admin_user: '{{ domain_admin_username }}'
domain_admin_password: '{{ domain_admin_password }}'
state: domain
register: domain_result
- name: reboot and wait for host if updates or domain change require it
win_reboot:
when: update_result.reboot_required or domain_result.reboot_required
- name: ensure local admin account exists
win_user:
name: localadmin
password: '{{ local_admin_password }}'
groups: Administrators
- name: ensure common tools are installed
win_chocolatey:
name: '{{ item }}'
with_items: ['sysinternals', 'googlechrome']
EXEMPLO DE PLAYBOOK: WINDOWS

ANSIBLE NETWORK AUTOMATION
ansible.com/networking
570+
Módulos de
rede
40
Plataformas
de rede

● A10
● Apstra AOS
● Arista EOS (cli, eAPI), CVP
● Aruba Networks
● AVI Networks
● Big Switch Networks
● Brocade Ironware
● Cisco ACI, AireOS, ASA, IOS,
IOS-XR, NSO, NX-OS
● Citrix Netscaler
● Cumulus Linux
● Dell OS6, OS9, OS10
● Exoscale
● F5 BIG-IP
● Fortinet FortIOS, FMGR
● Huawei
● Illumos
● Infoblox NIOS
● Juniper Junos
● Lenovo CNOS, ENOS
● Mellanox ONYX
● Ordnance
● NETCONF
● Netvisor
● Openswitch
● Open vSwitch (OVS)
● Palo Alto PAN-OS
● Nokia NetAct, SR OS
● VyOS
NETWORK MODULES: BUILT-IN DEVICE ENABLEMENT

15
---
- name: configure ios interface
hosts: ios01
tasks:
- name: collect device running-config
ios_command:
commands: show running-config interface GigabitEthernet0/2
provider: “{{ cli }}”
register: config
- name: administratively enable interface
ios_config:
lines: no shutdown
parents: interface GigabitEthernet0/2
when: ‘”shutdown” in config.stdout[0]‘
- name: verify operational status
ios_command:
commands:
- show interfaces GigabitEthernet0/2
- show cdp neighbors GigabitEthernet0/2 detail
waitfor:
- result[0] contains ‘line protocol is up’
- result[1] contains ‘iosxr03’
- result[1] contains ’10.0.0.42’
EXEMPLO DE PLAYBOOK: AUTOMAÇÃO DE REDES

---
- name: system node properties
hosts: all
tasks:
- name: configure eos system properties
eos_system:
domain_name: ansible.com
vrf: management
when: network_os == 'eos'
- name: configure nxos system properties
nxos_system:
vrf: management
when: network_os == 'nxos'
- name: configure ios system properties
ios_system:
lookup_enabled: yes
when: network_os == 'ios'
● Per Platform Implementation
● Declarative by design
● Abstracted over the connection
● Violates DRY principals
● Makes platforms happy
● … Not so much for operators
RESOURCE MODULES

- name: configure network interface
net_interface:
name: “{{ interface_name }}”
description: “{{ interface_description }}”
enabled: yes
mtu: 9000
state: up
- name: configure bgp neighbors
net_bgp_neighbor:
peers: “{{ item.peer }}”
remote_as: “{{ item.remote_as }}”
update_source: Loopback0
send_community: both
enabled: yes
state: present
- iosxr_interface:
...
- iosxr_bgp_neighbor:
...
- nxos_interface:
...
- nxos_bgp_neighbor:
...
- junos_interface:
...
- junos_bgp_neighbor:
...
- eos_interface:
...
- eos_bgp_neighbor:
...
- ios_interface:
...
- ios_bgp_neighbor:
...
MINIMUM VIABLE PLATFORM AGNOSTIC (MVPA)

- name: configure interface
net_interface:
aggregate:
name: GigabitEthernet0/2
description: public interface configuration
enabled: yes
state: present
status:
state: connected
tx_rate: ge(7Gbps)
rx_rate: ge(2Gbps)
delay: 30
neighbors:
- host: core-01
port: Ethernet5/2/6
Declaração da
Configuração
Estado
Desejado
DECLARATIVO...

- name: validate bgp neighbor
net_bgp_neighbor:
peer: 1.1.1.1
nbr_state: established
pfx_rx: 16593
pfx_tx: 132
DECLARATIVE INTENTCONFIGURAÇÃO
VALIDAÇÃO DO ESTADO
- name: configure bgp neighbor
net_bgp_neighbor:
peer: 1.1.1.1
remote_as: 65000
enabled: yes
Somente realiza a configuração
Ignora o estado do recurso no dispositivo
Somente realiza a validação do estado
Ignora a configuração do dispositivo
DECLARATIVO...

Apply the same configuration to
both members as the same time:
EXEMPLO: GERENCIAR ELEMENTOS EM ALTA DISPONIBILIDADE
port_data:
- { desc: ”Host_A", switch: ”tor1", interface: "Port-channel17", vpc: 17, port_list: ["Eth1/17"], port_profile: "ucs-fi" }
- { desc: ”Host_A", switch: ”tor1", interface: "Port-channel18", vpc: 18, port_list: ["Eth1/18"], port_profile: "ucs-fi" }
- { desc: ”Host_B", switch: ”tor2", interface: "Port-channel17", vpc: 17, port_list: ["Eth1/17"], port_profile: "ucs-fi" }
- { desc: ”Host_B", switch: ”tor2", interface: "Port-channel18", vpc: 18, port_list: ["Eth1/18"], port_profile: "ucs-fi" }
- name: Configure individual port-channel interfaces
nxos_interface:
provider: "{{ cli }}"
host: "{{ item.0.switch }}"
interface: "{{ item.1 }}"
state: present
description: "{{ item.0.desc | default(omit) }}"
mode: layer2
admin_state: up
with_subelements:
- "{{ port_data | default([]) }}"
- port_list
- skip_missing: yes
- name: Create port-channels on the ToR(s)
nxos_portchannel:
host: "{{ item.switch }}"
Playbook

GERENCIE [PORTS, VLANS, {{ RESOURCES }}]
$ ansible-playbook deploy-workload.yaml
PLAY [deploy application workload] *********************************
TASK [collect device running-config] *******************************
ok: [ios01]
ok: [ios02]
TASK [administratively enable interface] ***************************
ok: [ios01]
ok: [ios02]
TASK [deploy workloads ] *******************************************
ok: [app01]
ok: [app02]
PLAY RECAP *********************************************************
ios01 : ok=2 changed=0 unreachable=0 failed=0
ios02 : ok=2 changed=0 unreachable=0 failed=0
app01 : ok=1 changed=0 unreachable=0 failed=0
app02 : ok=1 changed=0 unreachable=0 failed=0
O MOMENTO “UH-OH @#$!@”

Problema:
• Gerenciar políticas através de
diferentes tipos de hardware e
software é uma atividade
complexa e sujeita a erros
• Implementar requerimentos de
segurança (STIG, PCI..;) na
infraestrutura é difícil de
implementar e manter
SEGURANÇA
Solução:
• Defina a política uma única vez.
Aplique-a em multiplas
infraestruturas (física, virtual, cloud,
network, sistema…)
• Aproveite políticas e diretrizes pré
definidas para implementar em toda
a infraestrutura

EXAMPLE: PERVASIVE SECURITY
Problema:
diferentes Dispositivos/Vendors requerem diferentes formatos de ACL (regras)
Solução:
Aplique a mesma regra abstraida para firewalls, routers, hosts …
EXEMPLO: SEGURAÇA PERVASIVA
fw_rules:
- { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 32400, proto: tcp, action: allow, comment: plex }
- { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 1900, proto: udp, action: allow, comment: plex }
- { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 3005, proto: tcp, action: allow, comment: plex }
- { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 5353, proto: udp, action: allow, comment: plex }
- name: Insert ASA ACL
asa_config:
lines:
- "access-list {{ item.rule }} extended {{ item.action }}{{ item.proto }}{{ item.src_ip | ipaddr('network') }}{{ item.src_ip |
ipaddr('network') }}{{ item.dst_ip | ipaddr('network') }}{{ item.dst_ip | ipaddr('network') }} eq {{ item.dst_port }}"
with_items: "{{ fw_rules }}"
- iptables:
chain: "{{ item.chain | default('INPUT') }}"
source: "{{ item.src_ip | default(omit) }}"
destination: "{{ item.src_ip }}"
destination_port: "{{ item.dst_port }}"
protocol: "{{ item.proto | default('tcp') }}"
jump: "{{ 'ACCEPT' if item.action == 'allow' else 'DENY' }}"
comment: "{{ item.comment | default(omit) }}"
with_items: "{{ fw_rules }}"

Problema:
• Clouds privadas, públicas e híbridas
aumenta o número de recursos
gerenciados
• Recursos de Clouds são diferentes de
recursos de on-premise e diferentes
nuvens aumentam ainda mais a
complexidade
Solução:
• Automatize tarefas através de
multiplos dispositivos e nuvens com
o mesmo workflow
• Defina a política uma única vez, e
aplique-a a multiplas infraestruturas
(física, virtual, cloud, network,
sistema…)
CLOUD PRIVADA, PÚBLICA OU HÍBRIDA

1. Crie os VPCs:
ansible-playbook build_aws_vpc.yml
ansible-playbook build_azure_vpc.yml
Builds “hosts” file
2. Construa um DMVPN Overlay:
ansible-playbook –i hosts build-dmvpn.yml
EXEMPLO: CLOUD ELÁSTICA
VPC
Host
Resource Group
build_aws_vpc.yml build_azure_vpc.yml
build_dmvpn.yml
Host

Problem:
• The network is not included
in most DevOps workflows
causing either a delay in
testing or less fidelity
DEVOPS
Solution:
• Include the network in the CI
workflow with Ansible. Develop
and test in the same way as the
other elements of the system.
• Increased testing provides greater
likelihood that problem will be
found/fix sooner

28
RED HAT ANSIBLE TOWER
RED HAT ANSIBLE ENGINE
Escala + operacionalização para sua automação
Suporte para suas automações em Ansilble
CONTROLE CONHECIMENTO DELEGAÇÃO
SIMPLES PODEROSO AGENTLESS
ALIMENTADO POR UMA COMUNIDADE OPEN SOURCE INOVADORA

29
USE
CASES
USERS
ANSIBLE
PYTHON CODEBASE
OPEN SOURCE MODULE LIBRARY
PLUGINS
CLOUD
AWS,
GOOGLE CLOUD,
AZURE …
INFRASTRUCTURE
LINUX,
WINDOWS,
UNIX …
NETWORKS
ARISTA,
CISCO,
JUNIPER …
CONTAINERS
DOCKER,
LXC …
SERVICES
DATABASES,
LOGGING,
SOURCE CONTROL
MANAGEMENT…
TRANSPORT
SSH, WINRM, ETC.
AUTOMATE
YOUR
ENTERPRISE
ADMINS
ANSIBLE CLI & CI SYSTEMS
ANSIBLE PLAYBOOKS
….
ANSIBLE
TOWER
SIMPLE USER INTERFACE TOWER API
ROLE-BASED
ACCESS CONTROL
KNOWLEDGE
& VISIBILITY
SCHEDULED &
CENTRALIZED JOBS
CONFIGURATION
MANAGEMENT
APP
DEPLOYMENT
CONTINUOUS
DELIVERY
SECURITY &
COMPLIANCE
ORCHESTRATIONPROVISIONING

30
Client accessing Ansible Tower
Postgre5QL
MANAGED HOSTS DOMAIN CONTROLLER
CMDB
ANSIBLE TOWER INTEGRATIONS

31
JOB STATUS UPDATE
ANSIBLE TOWER

32
ACTIVITY STREAM
ANSIBLE TOWER

33
MULTI-PLAYBOOK WORKFLOWS
ANSIBLE TOWER

34
SCALE-OUT CLUSTERING
ANSIBLE TOWER

35
MANAGE AND TRACK YOUR INVENTORY
ANSIBLE TOWER

36
SCHEDULE JOBS
ANSIBLE TOWER

37
INTEGRATED NOTIFICATIONS
ANSIBLE TOWER

38
SELF-SERVICE IT
ANSIBLE TOWER

39
REMOTE COMMAND EXECUTION
ANSIBLE TOWER

42
EXTERNAL LOGGING
ANSIBLE TOWER

43
1650+
Ansible modules
28,000+
Stars on GitHub
500,000+
Downloads por mês

44
PLAYBOOK EXAMPLES
LAMP + HAPROXY + NAGIOS
github.com/ansible/ansible-examples/tree/master/lamp_haproxy
WINDOWS
github.com/ansible/ansible-examples/tree/master/windows
SECURITY COMPLIANCE
github.com/ansible/ansible-lockdown
NETWORK
github.com/privateip/network-demo
MORE...
galaxy.ansible.com
github.com/ansible/ansible-examples

45
SELECTED ANSIBLE TOWER CUSTOMERS

47
AUTOMATION = ACCELERATION
“With Ansible Tower, we just click a button and deploy to production in 5 minutes. It
used to take us 5 hours with 6 people sitting in a room, making sure we didn’t do anything
wrong (and we usually still had errors). We now deploy to production every other day
instead of every 2 weeks, and nobody has to be up at 4am making sure it was done right.”
“Simplicity scales. If you do things in complex ways, they become very difficult to
maintain, and you end up paying a lot more for operations later.”
“Everyone in this room needs to retool around Ansible automation. All Starbucks
network changes will be scheduled using Ansible Tower by the end of 2017.”

48
10,000 ROLES AT YOUR DISPOSAL
Re-usable Roles and Container Apps that allow you to do more, faster
Built into the Ansible CLI and Tower
galaxy.ansible.com

Automation day red hat ansible

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to Automation day red hat ansible

Similar to Automation day red hat ansible (20)

More from Rodrigo Missiaggia

More from Rodrigo Missiaggia (9)

Recently uploaded

Recently uploaded (20)

Automation day red hat ansible