Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deploying PHP applications with Ansible, Ansible Vault and Ansistrano

Oliver Davies
April 23, 2021
Technology
0
4.8k

Deploying PHP applications with Ansible, Ansible Vault and Ansistrano

https://www.oliverdavies.uk/talks/ansible-ansistrano

Oliver Davies

April 23, 2021
Tweet

More Decks by Oliver Davies

See All by Oliver Davies
Taking Flight with Tailwind CSS
opdavies
0
3.2k
Things you should know about PHP
opdavies
1
500
An Introduction to Mob Programming
opdavies
0
28
Building Static Websites with Sculpin
opdavies
0
980
Upgrading to Drupal 9
opdavies
0
450
Soaring with utility-first CSS and Tailwind
opdavies
0
150
Working with Workspace
opdavies
0
430
Building and presenting slide decks with rst2pdf
opdavies
0
350
TDD - Test Driven Drupal
opdavies
0
1.8k

Other Decks in Technology

See All in Technology
QMファンネルとQAキャリア
gen519
PRO
1
130
sue445とOSSと社内ツール #subcul_dev
sue445
PRO
0
460
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher" エラーが発生する原因と対策
superbrothers
0
370
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
220
開幕LT
makamaka
0
360
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
250
ロケーターを学んでテスト自動化上級者を目指そう
nozomiito
0
660
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.4k
ローコード自動テストを1ヶ月半で導入した話
sumiren
0
110
ジョブキューシステムFireworqのアーキテクチャ設計と運用時のベストプラクティス
tarao
1
770
PHP で学ぶ Cache の距離の話 / study_cache_with_php
hanhan1978
1
270
軟體品質不只測試: LINE QA團隊分享
line_developers_tw
PRO
0
5k

Featured

See All Featured
Designing for humans not robots
tammielis
245
24k
Into the Great Unknown - MozCon
thekraken
4
380
Designing with Data
zakiwarfel
91
4.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
A Modern Web Designer's Workflow
chriscoyier
689
180k
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
BBQ
matthewcrist
75
8.2k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
Music & Morning Musume
bryan
37
4.7k
Building a Scalable Design System with Sketch
lauravandoore
451
31k

Transcript

  1. Deploying PHP with
    Ansible, Ansible Vault,
    and Ansistrano
    Oliver Davies, Inviqa

    View Slide

  2. @opdavies

    View Slide

  3. Things we'll be looking at
    • Ansible crash course
    • Keeping secrets with Ansible Vault
    • Deployments with Ansistrano
    @opdavies

    View Slide

  4. @opdavies

    View Slide

  5. @opdavies

    View Slide

  6. What is Ansible?
    Ansible is an open-source software provisioning, configuration
    management, and application-deployment tool.
    https://en.wikipedia.org/wiki/Ansible_(software)
    @opdavies

    View Slide

  7. What is Ansible?
    • CLI tool
    • Configured with YAML
    • Agentless, connects via SSH
    • Jinja2 for templating
    • Executes ad-hoc remote commands
    • Installs software packages
    • Performs deployment steps
    • Batteries included
    @opdavies

    View Slide

  8. Why Ansible?
    • Familiar syntax (Drupal 8, Symfony, Sculpin)
    • Easily readable
    • No server dependencies
    • Easy to add to an existing project
    • Includes relevant modules (Git, Composer)
    • Idempotency, resulting in cleaner scripts
    @opdavies

    View Slide

  9. Hosts / Inventories
    @opdavies

    View Slide

  10. hosts.ini
    [webservers]
    192.168.33.10
    [webservers:vars]
    ansible_ssh_port=22
    ansible_ssh_user=opdavies
    @opdavies

    View Slide

  11. hosts.yml
    ---
    all:
    children:
    webservers:
    hosts:
    192.168.33.10:
    vars:
    ansible_ssh_port: 22
    ansible_ssh_user: opdavies
    @opdavies

    View Slide

  12. Ad-hoc Commands
    @opdavies

    View Slide

  13. ansible all -i hosts.yml
    -m ping
    @opdavies

    View Slide

  14. webservers | SUCCESS => {
    "ansible_facts": {
    "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
    }
    @opdavies

    View Slide

  15. ansible all -i hosts.yml
    -m command
    -a "git pull --chdir=/app"
    @opdavies

    View Slide

  16. ansible all -i hosts.yml -m git
    -a "repo=https://github.com
    /opdavies/dransible
    --chdir=/app"
    @opdavies

    View Slide

  17. Playbooks
    @opdavies

    View Slide

  18. ---
    - hosts: webservers
    vars:
    git_repo: https://github.com/opdavies/dransible
    project_root_dir: /app
    tasks:
    - name: Update the code
    git:
    repo: '{{ git_repo }}'
    dest: '{{ project_root_dir }}'
    @opdavies

    View Slide

  19. ansible-playbook main.yml
    -i hosts.yml
    @opdavies

    View Slide

  20. Roles: configuring a LAMP stack
    @opdavies

    View Slide

  21. requirements.yml
    ---
    - src: geerlingguy.apache
    - src: geerlingguy.composer
    - src: geerlingguy.mysql
    - src: geerlingguy.php
    - src: geerlingguy.php-mysql
    @opdavies

    View Slide

  22. ansible-galaxy install
    -r requirements.yml
    @opdavies

    View Slide

  23. # playbook.yml
    ---
    - hosts: webservers
    roles:
    - geerlingguy.apache
    - geerlingguy.mysql
    - geerlingguy.php
    - geerlingguy.php-mysql
    - geerlingguy.composer
    @opdavies

    View Slide

  24. # playbook.yml
    ---
    vars:
    apache_vhosts:
    - servername: dransible
    documentroot: /app/web
    @opdavies

    View Slide

  25. # playbook.yml
    ---
    vars:
    php_version: 7.4
    php_packages_extra:
    - libapache2-mod-php{{ php_version }}
    - libpcre3-dev
    @opdavies

    View Slide

  26. # playbook.yml
    ---
    vars:
    mysql_databases:
    - name: main
    mysql_users:
    - name: user
    password: secret
    priv: main.*:ALL
    @opdavies

    View Slide

  27. ansible-playbook provision.yml
    -i hosts.yml
    @opdavies

    View Slide

  28. PLAY [Provision the webserver machines] ********************************************************************************
    TASK [Gathering Facts] *************************************************************************************************
    ok: [webservers]
    TASK [geerlingguy.apache : Include OS-specific variables.] *************************************************************
    ok: [webservers]
    TASK [geerlingguy.apache : Include variables for Amazon Linux.]
    skipping: [webservers]
    TASK [geerlingguy.apache : Define apache_packages.] ********************************************************************
    ok: [webservers]
    TASK [geerlingguy.apache : include_tasks] ******************************************************************************
    included: /Users/opdavies/.ansible/roles/geerlingguy.apache/tasks/setup-Debian.yml for webservers
    TASK [geerlingguy.apache : Update apt cache.] **************************************************************************
    changed: [webservers]
    @opdavies

    View Slide

  29. TASK [geerlingguy.composer : Ensure composer directory exists.] ********************************************************
    ok: [webservers]
    TASK [geerlingguy.composer : include_tasks] ****************************************************************************
    skipping: [webservers]
    TASK [geerlingguy.composer : include_tasks] ****************************************************************************
    skipping: [webservers]
    RUNNING HANDLER [geerlingguy.apache : restart apache] ******************************************************************
    changed: [webservers]
    RUNNING HANDLER [geerlingguy.mysql : restart mysql] ********************************************************************
    changed: [webservers]
    RUNNING HANDLER [geerlingguy.php : restart webserver] ******************************************************************
    changed: [webservers]
    RUNNING HANDLER [geerlingguy.php : restart php-fpm] ********************************************************************
    skipping: [webservers]
    PLAY RECAP *************************************************************************************************************
    webservers : ok=111 changed=32 unreachable=0 failed=0 skipped=78 rescued=0 ignored=0
    @opdavies

    View Slide

  30. @opdavies

    View Slide

  31. @opdavies

    View Slide

  32. Basic deployment
    @opdavies

    View Slide

  33. # deploy.yml
    ---
    tasks:
    - name: Creating project directory
    file:
    path: /app
    state: directory
    - name: Uploading application
    synchronize:
    src: '{{ playbook_dir }}/../'
    dest: /app
    @opdavies

    View Slide

  34. - name: Installing Composer dependencies
    composer:
    command: install
    working_dir: /app
    @opdavies

    View Slide

  35. ansible-playbook deploy.yml
    -i hosts.yml
    @opdavies

    View Slide

  36. @opdavies

    View Slide

  37. Disadvantages
    • Sensitive data stored in plain text
    • Single point of failure
    • No ability to roll back
    @opdavies

    View Slide

  38. Keeping secrets with Ansible
    Vault
    @opdavies

    View Slide

  39. ---
    vars:
    mysql_databases:
    - name: main
    mysql_users:
    - name: user
    password: secret
    priv: main.*:ALL
    @opdavies

    View Slide

  40. # provision_vault.yml
    ---
    vault_database_name: main
    vault_database_user: user
    vault_database_password: secret
    @opdavies

    View Slide

  41. ansible-vault encrypt
    provision_vault.yml
    @opdavies

    View Slide

  42. New Vault password:
    Confirm New Vault password:
    Encryption successful
    @opdavies

    View Slide

  43. $ANSIBLE_VAULT;1.1;AES256
    63656632326165643137646334343537396533656565313032363262623962393861666438393539
    6366336638316133373061306332303761383565343035330a373637373830356430353630356161
    32313831663039343733343539636365386333303862363635323138346137666166356639323338
    3264636538356634390a343766353661386666376362376439386630363664616166643364366335
    62373530393933373830306338386539626565313364643133666131613138383431353638636334
    39376437633462373934313236363662633832643138386433646230313465383337373031373137
    61353963623364393134386335373731356337366464633531656435383161656435313530363234
    37373865393839616534353165656463313961333532363537383263343364646534333032336337
    3235
    @opdavies

    View Slide

  44. # provision_vars.yml
    ---
    database_name: '{{ vault_database_name }}'
    database_user: '{{ vault_database_user }}'
    database_password: '{{ vault_database_password }}'
    @opdavies

    View Slide

  45. # provision.yml
    ---
    vars_files:
    - vars/provision_vault.yml
    - vars/provision_vars.yml
    vars:
    mysql_databases:
    - '{{ database_name }}'
    mysql_users:
    - name: '{{ database_user }}'
    password: '{{ database_password }}'
    priv: '{{ database_name }}.*:ALL'
    @opdavies

    View Slide

  46. ansible-playbook deploy.yml
    -i hosts.yml --ask-vault-pass
    @opdavies

    View Slide

  47. ansible-playbook deploy.yml
    -i hosts.yml --vault-password-f
    ile secret.txt
    @opdavies

    View Slide

  48. Better deployments with
    Ansistrano
    @opdavies

    View Slide

  49. @opdavies

    View Slide

  50. Features
    • Multiple release directories
    • Shared paths and files
    • Customisable
    • Multiple deployment strategies
    • Multi-stage environments
    • Prune old releases
    • Rollbacks
    @opdavies

    View Slide

  51. # requirements.yml
    ---
    - src: ansistrano.deploy
    - src: ansistrano.rollback
    @opdavies

    View Slide

  52. # deploy.yml
    ---
    - hosts: all
    roles:
    - ansistrano.deploy
    @opdavies

    View Slide

  53. # deploy.yml
    ---
    vars:
    project_deploy_dir: /app
    ansistrano_deploy_to: '{{ project_deploy_dir }}'
    ansistrano_deploy_via: git
    ansistrano_git_branch: master
    ansistrano_git_repo: '[email protected]:opdavies/dransible'
    @opdavies

    View Slide

  54. PLAY [webservers] ******************************************************************************************************
    TASK [Gathering Facts] *************************************************************************************************
    ok: [webservers]
    TASK [ansistrano.deploy : include_tasks] *******************************************************************************
    TASK [ansistrano.deploy : include_tasks] *******************************************************************************
    included: /Users/opdavies/.ansible/roles/ansistrano.deploy/tasks/setup.yml for webservers
    TASK [ansistrano.deploy : ANSISTRANO | Ensure deployment base path exists] *********************************************
    ok: [webservers]
    TASK [ansistrano.deploy : ANSISTRANO | Ensure releases folder exists] **************************************************
    ok: [webservers]
    TASK [ansistrano.deploy : ANSISTRANO | Ensure shared elements folder exists] *******************************************
    ok: [webservers]
    TASK [ansistrano.deploy : ANSISTRANO | Ensure shared paths exists] *****************************************************
    ok: [webservers] => (item=web/sites/default/files)
    @opdavies

    View Slide

  55. TASK [ansistrano.deploy : Update file permissions] *********************************************************************
    changed: [webservers]
    TASK [ansistrano.deploy : include_tasks] *******************************************************************************
    TASK [ansistrano.deploy : include_tasks] *******************************************************************************
    included: /Users/opdavies/.ansible/roles/ansistrano.deploy/tasks/cleanup.yml for webservers
    TASK [ansistrano.deploy : ANSISTRANO | Clean up releases] **************************************************************
    changed: [webservers]
    TASK [ansistrano.deploy : include_tasks] *******************************************************************************
    TASK [ansistrano.deploy : include_tasks] *******************************************************************************
    included: /Users/opdavies/.ansible/roles/ansistrano.deploy/tasks/anon-stats.yml for webservers
    TASK [ansistrano.deploy : ANSISTRANO | Send anonymous stats] ***********************************************************
    skipping: [webservers]
    PLAY RECAP *************************************************************************************************************
    webservers : ok=33 changed=14 unreachable=0 failed=0 skipped=7 rescued=0 ignored=0
    @opdavies

    View Slide

  56. [email protected]:/app$ ls -l
    total 8
    lrwxrwxrwx 1 26 Jul 19 00:15 current -> ./releases/20190719001241Z
    drwxr-xr-x 5 4096 Jul 22 20:30 releases
    drwxr-xr-x 4 4096 Jul 19 00:00 shared
    @opdavies

    View Slide

  57. [email protected]:/app/releases$ ls -l
    total 20
    drwxr-xr-x 5 4096 Jul 22 20:30 .
    drwxr-xr-x 4 4096 Jul 19 00:15 ..
    drwxr-xr-x 10 4096 Jul 19 00:02 20190719000013Z
    drwxr-xr-x 10 4096 Jul 19 00:14 20190719001241Z
    drwxr-xr-x 9 4096 Jul 22 20:30 20190722203038Z
    @opdavies

    View Slide

  58. # rollback.yml
    ---
    - hosts: all
    roles:
    - ansistrano.rollback
    vars:
    ansistrano_deploy_to: '{{ project_deploy_dir }}'
    @opdavies

    View Slide

  59. ansible-playbook rollback.yml
    -i hosts.yml
    @opdavies

    View Slide

  60. Customising Ansistrano: Build
    Hooks
    @opdavies

    View Slide

  61. @opdavies

    View Slide

  62. # deploy.yml
    ---
    vars:
    ansistrano_after_symlink_shared_tasks_file: >
    '{{ playbook_dir }}/deploy/after-symlink-shared.yml'
    ansistrano_after_symlink_tasks_file: >
    '{{ playbook_dir }}/deploy/after-symlink.yml'
    ansistrano_after_update_code_tasks_file: >
    '{{ playbook_dir }}/deploy/after-update-code.yml'
    release_web_path: '{{ ansistrano_release_path.stdout }}/web'
    release_drush_path: '{{ ansistrano_release_path.stdout }}/bin/drush'
    @opdavies

    View Slide

  63. # deploy/after-update-code.yml
    ---
    - name: Install Composer dependencies
    composer:
    command: install
    working_dir: '{{ ansistrano_release_path.stdout }}'
    @opdavies

    View Slide

  64. # deploy/after-symlink-shared.yml
    ---
    - name: Run database updates
    command: >
    {{ release_drush_path }}
    --root {{ release_web_path }}
    updatedb
    @opdavies

    View Slide

  65. # deploy/after-symlink.yml
    ---
    - name: Rebuild Drupal cache
    command: >
    {{ release_drush_path }}
    --root {{ release_web_path }}
    cache-rebuild
    @opdavies

    View Slide

  66. Demo
    @opdavies

    View Slide

  67. Generating settings files per
    deployment
    @opdavies

    View Slide

  68. # deploy_vars.yml
    ---
    drupal_settings:
    - drupal_root: /app/web
    sites:
    - name: default
    settings:
    databases:
    default:
    default:
    driver: mysql
    host: localhost
    database: '{{ database_name }}'
    username: '{{ database_user }}'
    password: '{{ database_password }}'
    hash_salt: '{{ hash_salt }}'
    config_directories:
    sync: ../config/sync
    @opdavies

    View Slide

  69. {# templates/settings.php.j2 #}
    {% for key, values in item.1.settings.databases.items() %}
    {% for target, values in values.items() %}
    $databases['{{ key }}']['{{ target }}'] = array(
    'driver' => '{{ values.driver|default('mysql') }}',
    'host' => '{{ values.host|default('localhost') }}',
    'database' => '{{ values.database }}',
    'username' => '{{ values.username }}',
    'password' => '{{ values.password }}',
    );
    {% endfor %}
    {% endfor %}
    {% if item.1.settings.base_url is defined %}
    $base_url = '{{ item.1.settings.base_url }}';
    {% endif %}
    @opdavies

    View Slide

  70. # tasks/main.yml
    ---
    - name: Ensure directory exists
    file:
    state: directory
    path: '{{ item.0.drupal_root }}/sites/{{ item.1.name|default("default") }}'
    with_subelements:
    - '{{ drupal_settings }}'
    - sites
    no_log: true
    - name: Create settings files
    template:
    src: settings.php.j2
    dest:
    '{{ item.0.drupal_root }}/sites/{{ item.1.name|default("default") }}/{{
    item.1.filename|default("settings.php") }}'
    @opdavies

    View Slide

  71. with_subelements:
    - '{{ drupal_settings }}'
    - sites
    no_log: true
    @opdavies

    View Slide

  72. Multiple environments
    development, test, production
    @opdavies

    View Slide

  73. # vars.yml
    ---
    vars:
    mysql_databases:
    - name: production
    - name: staging
    mysql_users:
    - name: production
    password: '{{ live_db_password }}'
    priv: '{{ live_db_name }}.*:ALL'
    - name: staging
    password: '{{ staging_db_password }}'
    priv: staging.*:ALL
    @opdavies

    View Slide

  74. # hosts.yml
    ---
    production:
    children:
    hosts:
    webservers:
    ansible_ssh_host: 192.168.33.10
    ansible_ssh_port: 22
    project_deploy_path: /app
    git_branch: production
    drupal_hash_salt: '{{ vault_drupal_hash_salt }}'
    drupal_install: false
    drupal_settings:
    # ...
    @opdavies

    View Slide

  75. # hosts.yml
    ---
    staging:
    children:
    hosts:
    webservers:
    ansible_ssh_host: 192.168.33.10
    ansible_ssh_port: 22
    project_deploy_path: /app-staging
    git_branch: staging
    drupal_hash_salt: '{{ vault_drupal_hash_salt }}'
    drupal_install: true
    drupal_settings:
    # ...
    @opdavies

    View Slide

  76. ansible-playbook deploy.yml
    -i hosts.yml --limit staging
    @opdavies

    View Slide

  77. ansible-playbook deploy.yml
    -i hosts.yml --limit production
    @opdavies

    View Slide

  78. Thanks!
    References:
    • https://oliverdavies.link/ansible-repos
    • https://docs.ansible.com
    • https://www.ansistrano.com
    • https://symfonycasts.com/screencast/ansistrano
    Me:
    • https://www.oliverdavies.uk
    @opdavies

    View Slide