Slide 1

Slide 1 text

(Some) Ansible Best Practices
according to @svg
Ansible Meetup Berchem 12/12/2015

Slide 2

Slide 2 text

Hi! My name is Serge and I’m an Ansible User
Serge van Ginderachter
@svg
github.com/srvg
ops consultant @ ginsys.eu
github.com/ginsys
[email protected]

Slide 3

Slide 3 text

do one thing and do it well
roles are the of ansible
focus on small roles that do one specific thing

Slide 4

Slide 4 text

DON’T DO BIG SILO ROLES:
SPLIT IN SMALL ROLES:

Slide 5

Slide 5 text

provide small roles with extensive parameterization
your role variables are your API

Slide 6

Slide 6 text

assumptions are bad
deploying on some public cloud? or high secure private banking datacenter?
direct internet connection?
internet repository or local mirror?
proxy access?
Allow for flexible options when writing your role.

Slide 7

Slide 7 text

generic galaxy role
assume remote_user is root?
or assume sudo is needed?

Slide 8

Slide 8 text

privilege escalation in roles
explicit is better than implicit
- if task needs root, explicitly use become: true and become_user: root
- or become_user: myapp
- cumbersome for all tasks
- use blocks in v2

Slide 9

Slide 9 text

Use full YAML notation instead of key=value
http://blog.bandwidth.com/why-you-should-use-yaml-as-yaml-with-ansible/

Slide 10

Slide 10 text

action: or modulename: ?
- action:
    module: file
    dest: /blah/foo
…

Slide 11

Slide 11 text

mention all module parameters explicitly
if not, owner and group depend on remote_user OR become_user
mode depends on some default os/user setting
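
An added example, not from the original slides, that applies slides 8 to 11 together: full YAML notation, escalation stated explicitly (once per block for root tasks, per task for the application user), and owner, group and mode spelled out on every file. The role name, account name, template name and paths are hypothetical.

```yaml
# roles/myapp/tasks/main.yml: hypothetical role; every name and path is an assumption
# Root-only work is grouped in one block, with escalation stated once.
- name: Prepare account, configuration and state directory as root
  become: true
  become_user: root
  block:
    - name: Create the service account
      user:
        name: myapp
        system: true
        shell: /usr/sbin/nologin
        state: present

    - name: Install the configuration file
      template:
        src: myapp.conf.j2
        dest: /etc/myapp.conf
        owner: root
        group: myapp
        mode: "0640"

    - name: Create the state directory
      file:
        path: /var/lib/myapp
        state: directory
        owner: myapp
        group: myapp
        mode: "0750"

# Application data is handled as the application user, not as root.
- name: Create the data directory as myapp
  become: true
  become_user: myapp
  file:
    path: /var/lib/myapp/data
    state: directory
    owner: myapp
    group: myapp
    mode: "0700"
```

The mode values are quoted so they reach the module as octal strings rather than being interpreted as numbers by the YAML parser.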

Slide 12

Slide 12 text

beware of defaults!
defaults are bad!

Slide 13

Slide 13 text

defaults change over time
Java 8 is the new stable for now
don’t build an app depending on the ‘latest stable’ of that library
do not rely on group_vars/all
{{role}}/defaults/main.yml is for providing a sane default example, not for running values
explicit is better than implicit
what if a role changes a default?

Slide 14

Slide 14 text

all the things at once?

Slide 15

Slide 15 text

update the default?
group_vars/all ?
group_vars/development ?
group_vars/my_fancy_app ?
upgrade all your Java 8 based apps at once, when changing the default to 9?
… in all that application’s environments like dev, test and prod, at once?
when java 9 is the new 8

Slide 16

Slide 16 text

Code and Data separation
ideally:
code = ansible playbooks, plays, roles
data = ansible inventory

Slide 17

Slide 17 text

Constants, Variables, Parameters
role/vars are constants
play vars are constants too, but roles are better
role/defaults are nothing more than examples
group_vars and host_vars exist at both inventory level and playbook level
most logical would be to override playbook vars with inventory vars
keep things simple, don’t mix

    $ grep $ -r
    playbook/play.yml:- hosts: all
    playbook/play.yml:  tasks:
    playbook/play.yml:  - debug: var=myvar
    inventory/hosts:localhost
    inventory/group_vars/all:myvar: inventory
    playbook/group_vars/all:myvar: playbook
    $ ansible-playbook -i inventory/hosts playbook/play.yml

    PLAY ***************************************************************************

    TASK [setup] *******************************************************************
    ok: [localhost]

    TASK [debug var=myvar] *********************************************************
    ok: [localhost] => {
        "changed": false,
        "myvar": "playbook"
    }

    PLAY RECAP *********************************************************************
    localhost : ok=2 changed=0 unreachable=0 failed=0

    [2.1.0 (devel bd0f9a4afc)] serge@goldorak:~/Temp/ansible2$

Slide 18

Slide 18 text

Variables
inventory group_vars are powerful - also complex when lots of groups and children
keep it explicit
at runtime, ansible only cares about vars per host, no reason why dynamic inventory script could not return only host vars and do the merging for you
ansible.cfg: hash_behaviour=merge
sounds cool for fancy dictionary things
is not portable

Slide 19

Slide 19 text

-- tags
keep tags high level
playbook
role
perhaps 1 role ~ 1 tag
do not overuse tags
what do you want to achieve with tags?
many tags within a role? perhaps you need smaller roles
avoid. again, explicit is better than implicit
role dependencies

Slide 20

Slide 20 text

other resources
https://www.theodo.fr/blog/2015/10/best-practices-to-build-great-ansible-playbooks/
https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

Slide 21

Slide 21 text

Questions?