Ansible: A Puppet User's Perspective (DevOps Sydney, 2014)

ANSIBLE A Puppet User's Perspective

What Ansible is.

Ansible is an  open-source software platform for [remotely] conﬁguring and
managing computers. “

Basic Bits

Basic Bits • "Push" model;  Control Machine  talking to  Dumb
Clients  via SSH.

Basic Bits • "Push" model;  Control Machine  talking to  Dumb
Clients  via SSH. ➡ "Pull" model; Puppet Agents  talking back to  Puppet Master  via SSL.

Basic Bits • Tasks • Inventories • Variables • Handlers
• Playbooks • Roles

Basic Bits • Tasks • Inventories • Variables • Handlers
• Playbooks • Roles ➡ Tasks ➡ Nodes + Roles ➡ Variables (Hiera) ➡ notify => ... ➡ Manifests (ish) ➡ Classes + Proﬁles

Tasks -‐ apt: pkg: nginx
state: present package { "nginx":  ensure => present,  }

Tasks -‐ service: name: nginx
enabled: yes state: started service { "nginx":  ensure => started,  requires =>  Package["nginx"],  }

Tasks -‐ authorized_key: user: "bert" comment:
"laptop"  key: >  ssh-‐rsa AAA...== ssh_authorized_key{  "laptop":  type => "ssh-‐rsa",  key => "AAA...==",  user =>  User["bert"],  requires =>  User["bert"],  }

Inventories [nameservers]  ns01  ns02    [apps]  app01  app02    [staging:children] 
nameservers  apps

Inventories [nameservers]  ns01  ns02    [apps]  app01  app02    [staging:children] 
nameservers  apps • Node definition blocks • Node classifiers / Roles • Node definitions + Environments

Variables # group_vars/all  prompt_colour: "black"    # group_vars/staging  prompt_colour: "green" 
  # group_vars/prod  prompt_colour: "red"    # host_vars/ns01  prompt_colour: >  special snowflake

Variables # group_vars/all  prompt_colour: "black"    # group_vars/staging  prompt_colour: "green" 
  # group_vars/prod  prompt_colour: "red"    # host_vars/ns01  prompt_colour: >  special snowflake # hiera/data/global  prompt::colour: "black"    # hiera/data/env/staging  prompt::colour: "green"    # hiera/data/env/prod  prompt::colour: "red"    # hiera/data/hosts/ns01 prompt::colour: >  special snowflake

Handlers -‐ template: src: "hosts.j2"
dest: /etc/hosts" notify: >  restart dnsmasq ! # ... ! -‐ name: restart dnsmasq service: name: dnsmasq  state: restarted file { "/etc/hosts":  # ...  notify =>  Service['dnsmasq']  }

Playbooks -‐ apt: pkg: nginx
state: present    -‐ service: name: nginx enabled: yes state: started package { "nginx":  ensure => present,  }    service { "nginx":  ensure => started,  requires =>  Package["nginx"],  }

Playbooks -‐ apt: pkg: nginx
state: present    -‐ service: name: nginx enabled: yes state: started package { "nginx":  ensure => present,  }  -‐>  service { "nginx":  ensure => started,  }

Playbooks -‐ hosts: all roles: -‐
common    -‐ include: blah.yml    -‐ hosts: nameservers  roles:  -‐ nameserver node /^ns\d+/ {  include common  include  profiles::nameservers  }

Roles roles/  '-‐nameserver/  |-‐tasks/ 
| |-‐main.yml  | '-‐dnsmasq.yml  |-‐handlers/  |-‐templates  |-‐files  '-‐meta    -‐ hosts: ns01  roles:  -‐ nameserver # manifests/profiles/...  class profiles::nameserver {  include foo::dnsmasq    Blah { "etc": ... }  # ...  }    node ns01 {  include profiles::nameserver  }

Stick it Together # Vars  my_keys:  -‐ "ssh-‐rsa AA..."  -‐
"ssh-‐rsa BB..."    # Task  -‐ authorized_keys: user: "app"  key: "{{ item }}"  with_items: my_keys

Stick it Together # Vars  my_keys:  -‐ "ssh-‐rsa AA..."  -‐
"ssh-‐rsa BB..."    # Task  -‐ authorized_keys: user: "app"  key: "{{ item }}"  with_items: my_keys # Hiera Data  my_keys:  -‐ "ssh-‐rsa AA..."  -‐ "ssh-‐rsa BB..."    # Manifest  create_resources(  'ssh_authorized_key',  hiera('my_keys'),  { user => 'app' }  )

Back to Playbooks -‐ apt: pkg:
nginx state: present    -‐ service: name: nginx enabled: yes state: started package { "nginx":  ensure => present,  }    service { "nginx":  ensure => started,  requires =>  Package["nginx"],  }

Back to Playbooks -‐ apt: pkg:
nginx state: present    -‐ service: name: nginx enabled: yes state: started package { "nginx":  ensure => present,  }  -‐>  service { "nginx":  ensure => started,  }

Dependencies:  Implicit vs Explicit

Dependencies:  Implicit vs Explicit (Ansible) (Puppet)

Ordering:  Implicit vs Explicit

Ordering:  Implicit vs Explicit (Puppet) (Ansible)

What Ansible isn't.

Ansible is simple because it uses YAML. “

You may as well say:   C is simple  because
it uses  letters, numbers and  some symbols.

Ansible is  "Infrastructure as Data",  not  "Infrastructure as Code". “

It's code! It's code even if you're writing it in
a markup language; it's loops, variables, conditions, and functions. It's about as declarative as my mum's Shepherd's Pie recipe.

Ansible Oddities

Dumb Syntax Tricks -‐ copy: dest=/etc/motd content="Yeah nah"

Dumb Syntax Tricks -‐ copy: >  dest=/etc/motd 
content="Yeah nah"

content={{ motd_message }}  vars:  motd_message: "Yeah nah"   # KABOOM  # Interpolated as  # dest=/etc/motd content=Yeah nah

content="{{ motd_message }}"  vars:  motd_message: "Yeah nah"

content="{{ motd_message }}"  vars:  motd_message: 'Yeah, "nah".' ! # KABOOM  # Interpolated as  # dest=/etc/motd content="Yeah, "nah"."

Dumb Syntax Tricks -‐ copy:  dest: "/etc/motd" 
content: "{{ motd_message }}"  vars:  motd_message: "Yeah, nah"

Safety: with_items -‐ copy:  dest: "/home/{{ item
}}.ssh/ authorized_keys"  content: "{{ lookup('file', "keys" + item) }}"  with_items:  -‐ "bert"  -‐ "missing"

Other Things • Reusing code is tough and inﬂexible; everything
needs to be a role that you then stick together in the meta/main.yml

Other Things • Reusing code is tough and inﬂexible; everything
needs to be a role that you then stick together in the meta/main.yml • Third-party Roles via Ansible Galaxy is great, ... but a lot of it's new or naïve; unless you're lucky, you end up modifying a lot of it.

Puppet Problems

Looping # Vars  my_keys:  -‐ user: app  key:
"..."    # Task  -‐ authorized_keys: user: "{{ item.user }}"  key: "{{ item.key }}"  with_items: my_keys

"..."    # Task  -‐ authorized_keys: user: "{{ item.user }}"  key: "{{ item.key }}"  with_items: my_keys # Hiera Data  my_keys:  -‐ "ssh-‐rsa AA..."  -‐ "ssh-‐rsa BB..."    # Manifest  create_resources(  'ssh_authorized_key',  hiera('my_keys'),  { user => 'app' }  )

"..."    # Task  -‐ authorized_keys: user: "{{ item.user }}"  key: "{{ item.key }}"  with_items: my_keys # Hiera Data  my_keys:  -‐ "ssh-‐rsa AA..."  -‐ "ssh-‐rsa BB..."    # Manifest  create_resources(  'ssh_authorized_key',  hiera('my_keys'),  { user => 'app' }  ) Structure of Heira data needs to match closely to what's consuming it (eg. SshAuthorizedKeys). Ansible is much more ﬂexible (see above), and can avoid the massive single-resource-declaration problem lurking in the bottom-right. :-)

Single Declaration Package { "ntp": ensure => present,
}    # ...    SomeThing { "foo": # ...  requires => Package['ntp'],  }

Single Declaration Package { "ntp": ensure => present,
}    # ...    SomeThing { "foo": # ...  requires => Package['ntp'],  } Single-declaration-only for resources makes writing reusable third-party Puppet modules really hard. These (long) bug threads explain it well: • https://projects.puppetlabs.com/ issues/18490 • https://tickets.puppetlabs.com/ browse/PUP-1968

• Ansible not as "simple" as touted. • Ansible has
unsafe edge-cases to skirt around. • Ansible makes you remember the dependency ordering yourself, rather than encoding it. Summin' up.

• Puppet has big problems it's going to find difficult
to solve without breaking everything. (You can't silently merge two identical Service definitions if you have globals and could- change-on-each-call state hanging around.) • Puppet makes you write the dependency information, but then squanders it. • Using generic data is tough without custom mangling or the experimental syntax engine. Summin' up.

Fin.   Rob Howard  @damncabbage https://speakerdeck.com/damncabbage/

Ansible: A Puppet User's Perspective (DevOps Sy...

Ansible: A Puppet User's Perspective (DevOps Sydney, 2014)

More Decks by Rob Howard

Other Decks in Technology

Featured

Transcript