Ansible Automation to Rule Them All

A presentation delivered by Arctiq, onsite in Toronto, on Mar 1, 2017. The presentation discusses Ansible as an automation tool for Linux, Windows, and network devices. Reach out if you would like more information: www.arctiq.ca


  1. 1. Ansible: Automation to Rule them ALL! //live event Mar 1, 2017
  2. 2. //today’s expedition ● Introductions ● Ansible - What is it? ● Orchestration/Integration Demo ● Ansible Tower ● Tower and Lifecycle Demo ● Ansible + Windows ● Ansible for Networks ● What’s Next?
  3. 3. //arctiq’s wheelhouse
  4. 4. //arctiq’s focus - mvp and business value ● Trending, Visibility, and Feedback Loops ● Security Hardening and Access Management ● Automation and Orchestration ● Standardization, Hardened Imaging, Centralized Management, and Audit Reporting ● DEVELOPERS: Self-Service Managed Container Platform; Fail-Fast + Fix-Fast Mindset; Freedom to Focus on Development ● THE BUSINESS: Time-to-Market Advantages; Operational Efficiencies; Quality Software; Speed and Agility ● IT OPERATIONS: Standardized Frameworks; Automated Repeatable Tasks; Simplified Infrastructure; Improved Security
  5. 5. //ansible automation ● MODERNIZE: Automate existing processes; Manage legacy like DevOps ● DEVOPS: Model everything; Deploy continuously ● MIGRATE: Define applications once; Re-deploy anywhere
  6. 6. //ansible for everyone ● SIMPLE: Human readable automation; No special coding skills needed; Tasks executed in order; Get productive quickly ● POWERFUL: App deployment; Configuration management; Workflow orchestration; Orchestrate the app lifecycle ● AGENTLESS: Agentless architecture; Uses OpenSSH & WinRM; No agents to exploit or update; More efficient & more secure
  7. 7. //how ansible works [diagram: USERS, ANSIBLE PLAYBOOK, ANSIBLE’S AUTOMATION ENGINE, INVENTORY, API, MODULES, PLUGINS, PUBLIC / PRIVATE CLOUD, CMDB, HOSTS, NETWORKING]
  8. 8. //how ansible works [same diagram] PLAYBOOKS ARE WRITTEN IN YAML ● Tasks are executed sequentially ● Invokes Ansible modules
  9. 9. //how ansible works [same diagram] MODULES ARE “TOOLS IN THE TOOLKIT” ● Python, Powershell, or any language ● Extend Ansible simplicity to entire stack
  10. 10. //how ansible works [same diagram] INVENTORY

          [web]
          webserver1.example.com
          webserver2.example.com

          [db]
          dbserver1.example.com

  11. 11. //how ansible works [same diagram] CMDB ● CLOUD: OpenStack, VMware, EC2, Rackspace, GCE, Azure, Spacewalk, Hanlon, Cobbler ● CUSTOM CMDB
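  12. 12. //playbook example

          ---
          - name: install and start apache
            hosts: all
            vars:
              http_port: 80
              max_clients: 200
            remote_user: root
            tasks:
              # install httpd, or upgrade it to the latest available package
              - name: install httpd
                yum: pkg=httpd state=latest
              # render the Jinja2 template on the control host and push the result
              - name: write the apache config file
                template: src=/srv/httpd.j2 dest=/etc/httpd.conf
              # 'started' is the current name of the older 'running' state
              - name: start httpd
                service: name=httpd state=started
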
  18. 18. //demo
  19. 19. //automation for everyone … what’s new in Tower 3.1?
  20. 20. //ansible tower TOWER EXPANDS AUTOMATION TO YOUR ENTERPRISE. ● CONTROL: Scheduled and centralized jobs ● KNOWLEDGE: Visibility and compliance ● DELEGATION: Role-based access and self-service. AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE. ● SIMPLE: Everyone speaks the same language ● POWERFUL: Designed for Multi-tier deployments ● AGENTLESS: Predictable, reliable, and secure
  21. 21. //what is ansible tower? Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation, with a UI and RESTful API. • Role-based access control keeps environments secure, and teams efficient. • Non-privileged users can safely deploy entire applications with push-button deployment access. • All Ansible automations are centrally logged, ensuring complete auditability and compliance.
  22. 22. //control your ansible deployment SITUATIONAL AWARENESS IS THE KEY TO DEVOPS ● Dashboard and real-time automation updates ● Integrated RBAC with credential management ● Job scheduling ● Graphical inventory management ● Built-in notifications to keep teams informed ● Stabilized API to plumb into existing tooling and processes ● Model entire processes with new Workflows
  23. 23. //tower workflows MIX AND RE-USE AUTOMATIONS WITHOUT WRITING A PLAYBOOK ● Combine any number of Playbooks into a Workflow ● Delegate access just like any other Tower automation ● Launchable with customizable parameters ● Easily build in-app workflows Provision Configure Deploy Scale Build Test Promote Verify Deploy
  24. 24. //delegation EMPOWER YOUR TEAMS INSIDE AND OUTSIDE OF OPERATIONS ● Connect to your LDAP, AD, SAML and other directories ● Full role-based access control engine ● Store credentials for use without exposure ● Enable users to automate without previous Ansible knowledge ● Find relevant information more quickly with new Smart Search ● Simple surveys configure automation at run-time ● REST API allows integration into your existing processes and tools ● Add capacity with new Tower Clusters
  25. 25. //tower clusters ADD TOWER CAPACITY AND REDUNDANCY WITH EASE ● Add new Tower nodes to scale out Tower job capacity ● Tower node fails? No problem ● Individual Tower jobs will run on any node with available capacity ○ Jobs are not spanned across multiple Tower nodes ● Cluster stays in sync with in-Tower configuration
  26. 26. //enterprise log integration ANALYZE YOUR AUTOMATION RESULTS ● Log all Tower activity to central enterprise logging ● Cross-reference automation with events and application logs ● Use Tower’s API to perform remediation if needed ● Support for: ○ Elastic ○ Splunk ○ Sumologic ○ Loggly ○ Custom (Via WebHook/RESTful API)
  27. 27. //automate everything AUTOMATE YOUR ENTERPRISE [architecture diagram] ● USERS; ADMINS ● ANSIBLE CLI & CI SYSTEMS; ANSIBLE PLAYBOOKS ● ANSIBLE TOWER: SIMPLE USER INTERFACE; TOWER API; ROLE-BASED ACCESS CONTROL; KNOWLEDGE & VISIBILITY; SCHEDULED & CENTRALIZED JOBS ● ANSIBLE: PYTHON CODEBASE; OPEN SOURCE MODULE LIBRARY; PLUGINS ● TRANSPORT: SSH, WINRM, ETC. ● CLOUD: AWS, GOOGLE CLOUD, AZURE … ● INFRASTRUCTURE: LINUX, WINDOWS, UNIX … ● NETWORKS: ARISTA, CISCO, JUNIPER … ● CONTAINERS: DOCKER, LXC … ● SERVICES: DATABASES, LOGGING, SOURCE CONTROL MANAGEMENT ● USE CASES: CONFIGURATION MANAGEMENT; APP DEPLOYMENT; CONTINUOUS DELIVERY; SECURITY & COMPLIANCE; ORCHESTRATION; PROVISIONING
  28. 28. //demo
  29. 29. //ansible and windows
  30. 30. //how it works ● Linux ○ Ansible manages Linux/Unix machines using SSH ● Windows ○ Uses PowerShell remoting rather than SSH ○ Ansible still runs from a Linux control machine and uses the WinRM Python module to talk to the Windows host
  31. 31. //native windows support ● Gather facts on Windows hosts ● Install and uninstall MSIs ● Enable and disable Windows Features ● Start, stop, and manage Windows services ● Create and manage local users and groups ● Manage Windows packages via the Chocolatey package manager ● Manage and install Windows updates ● Fetch files from remote sites ● Push and execute PowerShell scripts
  32. 32. //win_shell module

          # Execute a command in the remote shell; stdout outputs to the specified file
          ---
          - name: Run win_shell
            hosts: all
            gather_facts: false
            tasks:
              - name: Run some script
                win_shell: C:\somescript.ps1 >> c:\somelog.txt

  33. 33. //ansible core modules for windows ● fetch ● raw ● script ● slurp ● template ● add_host ● assert ● pause ● set_fact ● debug ● fail ● group_by ● include_vars ● meta
  34. 34. //script module

          ---
          # This playbook tests the script module on Windows hosts
          - name: Run powershell script
            hosts: all
            gather_facts: false
            tasks:
              - name: Run powershell script
                script: files/helloworld.ps1

  35. 35. //authentication ● Active Directory ○ Kerberos is the preferred option when using AD ○ Requirement to install ‘python-kerberos’ module on the control host

          # yum -y install python-devel krb5-devel krb5-libs krb5-workstation

  36. 36. //authentication ● Configure Kerberos

          # vi /etc/krb5.conf

          [realms]
            MY.DOMAIN.COM = {
              kdc = domain-controller1.my.domain.com
              kdc = domain-controller2.my.domain.com
            }

          [domain_realm]
            .my.domain.com = MY.DOMAIN.COM

  37. 37. //coming soon ● runas ○ There is upcoming support to execute actions as the administrator with Windows ‘runas’ ○ Presently, connect and automate Windows using local or domain users
  38. 38. //demo
  39. 39. //ansible for network automation
  40. 40. //ansible for networks ● COMPLIANCE AND DRIFT: Improved Security; Troubleshooting Efficiencies; Visibility; Desired State Processes ● CONFIG AUTOMATION: Time-to-Market Advantages; Operational Efficiencies; Quality Configurations; MOPs? ● TEST AND VALIDATE: Speed and Agility; Automated Repeatable Tasks; Simplified Infrastructure. Ansible Tower for networks: ● Security: Store Network Credentials ● Delegation: Using Role-Based Access Control (RBAC) ● Power: Leverage the Ansible Tower API ● Control: Schedule Jobs for Automated Playbook Runs ● Flexibility: Launch Job Templates Using Surveys ● Integrations: Leverage Tower Integrations like Version Control ● Compliance: Run Jobs in Check Mode for Audits
  41. 41. //core network modules ● cloudflare_dns - manage Cloudflare DNS records ● dnsimple - Interface with dnsimple.com (a DNS hosting service). ● dnsmadeeasy - Interface with dnsmadeeasy.com (a DNS hosting service). ● haproxy - Enable, disable, and set weights for HAProxy backend servers using socket commands. ● ipify_facts - Retrieve the public IP of your internet gateway. ● ipinfoio_facts - Retrieve IP geolocation facts of a host’s IP address ● ldap_attr - Add or remove LDAP attribute values. ● ldap_entry - Add or remove LDAP entries. ● lldp - get details reported by lldp ● nmcli - Manage Networking ● nsupdate - Manage DNS records. ● omapi_host - Setup OMAPI hosts. ● snmp_facts - Retrieve facts for a device using SNMP. ● wakeonlan - Send a magic Wake-on-LAN (WoL) broadcast packet
  42. 42. //core vendors From MOPs to Playbooks!! 175 included network modules + community
  43. 43. //mops to playbooks Variables Templates + Declarative State - Network Infrastructure as Data
  44. 44. //playbook example

          ---
          - hosts: ios_devices
            gather_facts: no
            connection: local

            vars_prompt:
              - name: "mgmt_username"
                prompt: "Username"
                private: no
              - name: "mgmt_password"
                prompt: "Password"

            tasks:
              - name: SYS | Define provider
                set_fact:
                  provider:
                    host: "{{ inventory_hostname }}"
                    username: "{{ mgmt_username }}"
                    password: "{{ mgmt_password }}"

              - name: IOS | Show clock
                ios_command:
                  provider: "{{ provider }}"
                  commands:
                    - show clock
                register: clock

              - debug: msg="{{ clock.stdout }}"

  45. 45. //what’s next? POCs Upcoming Arctiq-run demos and Blogs Use-case workshops and consulting Training Workshops We are HIRING //take the first step - www.arctiq.ca
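
Slides 35 and 36 set up Kerberos on the control host but stop before the connection settings that make Ansible use it. The group variables below are an added example, not part of the original deck: the file name, the service account, the vault variable names and the CA bundle path are assumptions, while the `ansible_winrm_*` keys are Ansible's standard WinRM connection variables. A weak configuration is shown first for contrast.

```yaml
# Constructed example: group_vars for a Windows host group (hypothetical file
# group_vars/windows.yml). Two YAML documents are shown for comparison only;
# keep just the second one.

---
# WEAK: basic auth over plain HTTP. The password crosses the network
# base64-encoded, only local accounts work, and nothing authenticates the host.
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_scheme: http
ansible_winrm_transport: basic
ansible_user: Administrator
ansible_password: "{{ vault_local_admin_password }}"    # hypothetical vault variable

---
# HARDENED: Kerberos against the realm defined in /etc/krb5.conf (slide 36),
# over HTTPS with the listener certificate validated against the internal CA.
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_scheme: https
ansible_winrm_transport: kerberos
ansible_user: svc_ansible@MY.DOMAIN.COM     # hypothetical account; realm in upper case
ansible_password: "{{ vault_svc_ansible_password }}"    # hypothetical vault variable
ansible_winrm_kinit_mode: managed           # Ansible requests the ticket itself via kinit
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/pki/tls/certs/corp-ca.pem   # hypothetical CA bundle
```

Running the `win_ping` module against the group confirms that the ticket request and the TLS validation both succeed before any playbook is pointed at the hosts.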
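
Slide 40 lists "Run Jobs in Check Mode for Audits" under compliance and drift, and slide 44 shows only a read-only `show clock`. The playbook below is an added example, not from the original deck, that reuses the slide 44 structure to report drift from a baseline without changing any device. The baseline lines are constructed, and `provider` follows the deck's Ansible version (newer releases replace it with connection plugins such as `network_cli`).

```yaml
---
# Added example: audit-only run against the ios_devices group from slide 44.
- hosts: ios_devices
  gather_facts: no
  connection: local

  vars_prompt:
    - name: "mgmt_username"
      prompt: "Username"
      private: no
    - name: "mgmt_password"
      prompt: "Password"        # private defaults to yes, so input is not echoed

  vars:
    # Constructed baseline; replace with your own hardening standard.
    baseline_lines:
      - service password-encryption
      - no ip http server

  tasks:
    - name: SYS | Define provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ mgmt_username }}"
          password: "{{ mgmt_password }}"
      no_log: true              # keep the password out of job output and logs

    - name: IOS | Compare running config with baseline (nothing is pushed)
      ios_config:
        provider: "{{ provider }}"
        lines: "{{ baseline_lines }}"
      check_mode: yes           # force a dry run even without --check
      register: drift

    - name: AUDIT | Fail hosts that have drifted from the baseline
      assert:
        that: not drift.changed
        msg: "{{ inventory_hostname }} is missing one or more baseline lines"
```

Scheduled from Tower with stored network credentials in place of the prompts, a failed host in the job output is the drift report.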
