Ansible: nuovi paradigmi per l'orchestration

Transcript

1. Ansible new paradigms for orchestration Paolo Tonin Sysadmin@Ideato [email protected]

2. A quick poll ! -Chef -Puppet -Idephix -Saltstack -Fabric -All

   handmade -Mess of shell scripts

3. What this is NOT A detailed guide to Ansible A

   training course on Ansible

4. What this IS Some reason why you might consider Ansible

   Use case that works for mine usecase, MAYBE for you

5. Why

6. Ideato scenario Focus on great software development and good practices

7. In the beginning, there were sysadmins

8. and DevOps?!?

9. Ops: "Do you need $component in production?" Dev: "..."

10. None

11. Modern infrastructure management

12. None

13. You use YAML Infrastructure is not code

14. YAML vs RubyDSL user{"$user": managehome=>true, ensure => present, } file{"/home/$user":

    ensure=>directory, mode=>700, require=>User["$user"], } file{"/home/$user/.ssh": ensure=>directory, require=>File["/home/$user"], }

15. YAML vs RubyDSL - name: setup user user: name=paolo shell=/bin/bash

    password={{ password }}

16. Ansible is… (1) Pro Configuration management Application deployment (could be)

    Cloud provisioning Ad-hoc task-execution

17. Go Agentless!

18. Ansible is… (2) Pro Needs only SSH, agentless! NO extra

    programming language Idempotent Low learning curve

19. Ansible is… Pro control machine - Inventory - Playbooks SSH

    Channels

20. Installation Pro On Mac OSX is a piece of cake

    Debian/Ubuntu $ brew update $ brew install ansible $ sudo apt-add-repository -y ppa:ansible/ansible $ sudo apt-get update $ sudo apt-get -y install ansible "Windows is not official supported as controller machine"

21. Installation •Servers should be accessible via SSH using keypair authentication

    •It's reccomended to have a user with sudo permission to run the tasks in the server How to configure SSH access for running Ansible bit.ly/ansible-ssh

22. Inventories Modules Ad-hoc commands Playbooks Ansible basics

23. Ansible basics Inventories

24. None

25. - Host list, logical groups - AWS, Openstack API, Azure

26. Inventory [webservers] 173.194.113.19 web1.mydomain.com [mongo_master] mongo_mm.local [mongo_slave] mongo1.local “/etc/ansible/hosts”

27. Inventory [webservers] 173.194.113.19 web1.mydomain.com [mongo_master] mongo_mm.local [mongo_slave] mongo1.local “/etc/ansible/hosts” Groups

28. Ansible basics Ad-hoc commands (conducting an orchestra)

29. Ad-hoc commands $ ansible web1 -a “free -m” $ ansible

    webservers -a “php -v” $ ansible all -a “sudo yum -y update”

30. Ad-hoc commands 173.194.113.19 | success >> { “changed”: false, “ping”:

    “pong” } web1.mydomain.com | success >> { “changed”: false, “ping”: “pong” } $ ansible -all -m ping mongo_mm.local | success >> { “changed”: false, “ping”: “pong” } mongo1.local | success >> { “changed”: false, “ping”: “pong” }

31. Ad-hoc commands 173.194.113.19 | success | rc=0 >> PHP 5.6.13

    (cli) (built: Sep 3 2015 14:08:58) Copyright (c) 1997-2015 The PHP Group Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies web1.mydomain.com | success | rc=0 >> PHP 5.6.13 (cli) (built: Sep 3 2015 14:08:58) Copyright (c) 1997-2015 The PHP Group Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies $ ansible webservers -a “php -v”

32. Ansible basics Modules

33. Modules All standard modules are part of core, no abandoned

    modules All core modules are written in Python You can write custom modules in any language (eg. helper code in Ruby)

34. Modules $ ansible all -s -m shell -a 'apt-get install

    nginx' $ ansible all -s -m shell -a 'service mysqld restart'

35. Modules Batteries Included !! 200+ Ansible Modules

36. Modules •Run arbitrary commands •Copy files to and from servers

    •Install packages •Manage daemons •Manage user and groups •Gather facts

37. Modules http://docs.ansible.com/ansible/ modules_by_category.html $ ansible-doc -l Main documentation

38. Ansible basics Tasks

39. Tasks is a declaration about the state of a system

    Tasks Ansible basics

40. Tasks - name: install memcached yum: name=memcached state present -

    name: create database user mysql_user: name=bob.priv password=yaiShie8 priv=*.*:app_db state=present - name: Update apt apt: update_cache=yes

41. Tasks - name: install memcached yum: name=memcached state present -

    name: create database user mysql_user: name=bob.priv password=My_Passwd priv=*.*:app_db state=present - name: Update apt apt: update_cache=yes

42. Interesting but...

43. Where is automation?

44. Ansible basics Playbooks

45. Playbooks Plays are ordered set of tasks Written in YAML,

    declarative, no coding required Executed in the order it is written

46. BEFORE

47. #!/bin/bash if ! rpm -qa | grep -qw ntp; then

    yum install ntp fi if ps aux | grep -v grep | grep “[n]ntpd” > /dev/null then echo “ntpd is running” > /dev/null else /sbin/service ntpd restart > /dev/null echo “Started ntpd” fi chkconfig ntpd on Ansible basics

48. LET’S CONVERT OLDER BASH INTO ANSIBLE PLAYBOOK !!!

49. A Simple Playbook --- - hosts: all sudo: yes tasks:

    - yum: name=ntp state=installed - service: name=ntpd state=started enabled=yes # playbook.yml Defines hosts or Groups
50. None

51. IDEMPOTENCY

52. A Simple Playbook --- - hosts: all sudo: yes tasks:

    - yum: name=ntp state=installed - service: name=ntpd state=started enabled=yes # playbook.yml

53. A Simple Playbook --- - hosts: all sudo: yes tasks:

    - yum: name=ntp state=installed - service: name=ntpd state=started enabled=yes # playbook.yml

54. Ansible basics Another playbook…

55. A Simple Playbook --- - hosts: all sudo: yes tasks:

    - name: Update apt-cache - apt: update_cache=yes - name: Install Nginx - apt: pkg=nginx state=latest # playbook.yml

56. Ansible basics Templates

57. Templates Autogenerating configurations Jinja2 Python template engine (similar to Twig

    for PHP) It can be anything (like config files, system settings etc..)

58. Templates <Virtualhost *:80> ServerName {{ domain }} ServerAlias www.{{ domain

    }} DocumentRoot {{ doc_root }} <Directory {{ doc_root }}> AllowOverride AuthConfig Require all granted </Directory> </Virtualhost> # templates/vhost.conf.j2

59. Templates Let's build a playbook !

60. -- - hosts: web1 sudo:yes vars: domain: readyfortraffic.com doc_root: /var/www/readyfortraffic.com/

    tasks: - name: Add a new virtualhost template: src=templates/vhost.conf.j2 dest=/etc/httpd/conf.d/{{ domain }}.conf notify: restart httpd - name: Add a welcome page template: src=templates/index.html dest={{ doc_root }}/index.html backup=yes handlers: - name: restart httpd service: name=httpd state=restarted

61. Ansible basics Conditions & Loops

62. Conditions & Loops - name: Install PHP packages apt: name={{

    item }} state=latest with_items: - php5-fpm - php5-cli - php5-mysql - php5-pdo - php5-mcrypt - php5-curl - php5-memcache when: ansible_distribution == 'Ubuntu'

63. Conditions & Loops - name: Install PHP packages apt: name={{

    item }} state=latest with_items: - php5-fpm - php5-cli - php5-mysql - php5-pdo - php5-mcrypt - php5-curl - php5-memcache when: ansible_distribution == 'Ubuntu'

64. Sample use cases Shellshock

65. - hosts: all gather_facts: yes remote_user: updater sudo: yes tasks:

    - name: Update Shellshock (Debian) apt: name=bash state=latest update_cache=yes when: ansible_os_family == "Debian" - name: Update Shellshock (RedHat) yum: name=bash state=latest update_cache=yes when: ansible_os_family == "RedHat"

66. Sample use cases Heartbleed

67. - hosts: all gather_facts: yes remote_user: updater sudo: yes tasks:

    - name: Update OpenSSL (Debian) apt: name={{ item }} state=latest update_cache=yes with_items: - openssl when: ansible_os_family == "Debian" - name: Update OpenSSL (RedHat) yum: name={{ item }} state=latest update_cache=yes with_items: - openssl when: ansible_os_family == "RedHat" post_tasks: - name: Reboot servers command: reboot

68. Sample use cases Let's reboot all servers ansible all -a

    "reboot"

69. Ansible basics Cloud Providers Support for most major Cloud providers;

    AWS, Rackspace, Azure, DigitalOcean etc.. Provision, configure networking, storage, manage security etc...

70. Ansible for AWS Install python module on execution host $

    yum install python-boto awscli Add localhost to inventory [local] localhost Pattern used in playbooks for provisioning - hosts: localhost connection: local gather_facts: false $ pip install python-boto

71. Ansible for AWS --- - hosts: locahost connection: local tasks:

    - name: create ec2 instance with volume that already exists action: module: ec2 zone: eu-central-1a image: ami-a1b2c3d4 instance_type: t2.medium state: present region: eu-central vpc_subnet_id: subnet-abcd1234 group: sg-ssss9999 volumes: - device_name: /dev/sda1 device_type: gp2 volume_size: 20 delete_on_termination: true

72. Ansible basics NOT ONLY for servers

73. Even for network devices!

74. Extra resources http:/ /galaxy.ansible.com

75. What we didn't talk... -Variables -Roles (many Playbooks) -Ansible-vault -Ansible

    Tower

76. Putting all together

77. Putting all together Build a environment with Vagrant for Dev

78. None

79. Putting all together

80. Links https://github.com/ideatosrl/vagrant-php-template https://github.com/ideatosrl/vagrun https://www.ideato.it/technical-articles/vagrant-configuration- automatizzare-si-puo http://docs.ansible.com/ansible/modules_by_category.html https://servercheck.in/blog/ansible-101-cluster-raspberry-pi-2s

81. None

82. Questions?!?