Slide 1

Slide 1 text

Ansible
Why and how I use it!
Ton Kersten
TechTrack Utrecht / The Netherlands / 2016

Slide 2

Slide 2 text

Agenda

1. Introduction
2. Why
3. How
4. Recap
5. Resources
6. Question Time!

ans-v1.8-2

Slide 3

Slide 3 text

$ who am i

- UNIX/Linux consultant and Trainer @ AT Computing
- UNIX Nerd (started in 1986 with SunOS 3)
- Linux Geek (started in 1992 with 0.96α)
- Scripting Nerd
- Configuration Management addict
- Free and Open Source Software enthusiast
- HAM Operator (pa1ton)
- Programming
- Plain text aficionado
- Big fan of things that just work
- · · ·

Slide 4

Slide 4 text

Long ago

- Shell scripts
- SSH loops
- Parallel SSH
- Cluster SSH
- Screen synchronized windows
- tmux synchronized panes
- · · ·

Things got out of control

Slide 5

Slide 5 text

Next

- CF Engine ⇒ The first Config Management tool
- Puppet ⇒ Widely used, master / slave
- Chef ⇒ Puppet lookalike, configured through Ruby
- Ansible ⇒ Easy to use, configured through yaml
- Salt Stack ⇒ master / slave
- Propellor ⇒ master / slave, configured through Haskell
- Juju ⇒ Ubuntu, designed for the cloud
- Capistrano ⇒ Scripting in Ruby
- Fabric ⇒ Python Library for CM (Only Python 2)
- Invoke ⇒ Python 3 successor of Fabric [1]
- Paver ⇒ Fabric alternative for Python 3
- · · ·

[1] Seems to be the successor, but still beta. Has the same author.

Slide 6

Slide 6 text

What I want

Simple command

    root@master1 # easy-command install_database
    PLAY [dbservers] ****************************************
    TASK: [install package dbase] ***************************
    TASK: [deploy dbase config] *****************************
    TASK: [ensure dbased is running] ************************
    NOTIFIED: [restart dbased] ******************************
    PLAY RECAP **********************************************
    db1 : ok=1 changed=4 unreachable=0 failed=0

Slide 7

Slide 7 text

Why Ansible

- No master server
- No more daemons on the master
- No more agents on the nodes
- No databases
- No separate PKI
- Uses standard SSH functionality
- Very, very powerful
- Configuration, deployment, ad-hoc, continuous delivery
- Simple configuration files (yaml)
- Idempotent ⇒ f(x) = f(f(x))
- No convergence

Slide 8

Slide 8 text

Easy

- From nothing to production in a jiffy
- Python 2.6 + Paramiko, PyYAML, Jinja2 on master
- Python 2.4 + simplejson on nodes
- Can run in Python virtualenv
- Can run from git checkout
- Uses SSH for transport and login
- No root needed, can use sudo, pbrun, pfexec, etc.

Slide 9

Slide 9 text

Simple components (Commands)

Ansible commands

- ansible ⇒ The main Ansible command
- ansible-playbook ⇒ Command to run playbooks
- ansible-pull ⇒ The main Ansible pull command
- ansible-doc ⇒ Ansible documentation program
- ansible-galaxy ⇒ Command to interact with Galaxy
- ansible-vault ⇒ The Ansible password vault

Slide 10

Slide 10 text

Simple components (Modules)

A lot of modules

- Ansible version 1 ⇒ 250+
- Ansible version 2 ⇒ 450+

Module categories (See: ansible-doc)

- Commands
- Files / templating
- Users
- Packages (yum, apt, zypper, …)
- Services
- Version control
- Databases
- · · ·

Or, write your own

Slide 11

Slide 11 text

Easy install

On all operating systems

- Create a Python virtualenv

    # pip install ansible

On CentOS / RHEL / Scientific Linux

- Enable the EPEL repository

    # yum install ansible

On Debian / Ubuntu

- Available in standard repository

    # apt-get install ansible

From github (Bleeding edge)

- Install and configure git

    $ git clone http://github.com/ansible/ansible.git
    $ cd ansible
    $ sudo make install

Slide 12

Slide 12 text

How it works

[Diagram: a management node with module(s), playbooks or roles, and hosts, connected to three nodes. No agents; communication over SSH.]

Slide 13

Slide 13 text

My example network

    Role             Host                  Address
    Management node  master1.example.net   192.168.56.101/24
    Web server       web1.example.net      192.168.56.102/24
    DB server        db1.example.net       192.168.56.103/24
    Web server       web2.example.net      192.168.56.104/24
    DNS server       dns1.example.net      192.168.56.105/24

Slide 14

Slide 14 text

Inventory file

    # cat /etc/ansible/hosts
    dns1 ansible_ssh_port=5555 ansible_ssh_user=ford
    web[1:9]

    [dnsservers]
    dns1

    [webservers]
    web[1:9] ansible_ssh_port=7856 ansible_ssh_user=zaphod

    [dbservers]
    db1 db_port=3501 default_db=vogon_poetry
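Added example (not part of the original slides): a small Python parser for the inventory format shown on this slide, useful for reviewing which SSH user and port each host will be contacted with before a play runs. It covers only what the slide uses (plain hosts, numeric ranges, [group] headers, key=value host variables); the TOP bucket name is an assumption of this example, and group sections such as :children or :vars are not handled.

```python
import re

# Constructed sample: the inventory shown on the slide above.
INVENTORY = """\
dns1 ansible_ssh_port=5555 ansible_ssh_user=ford
web[1:9]

[dnsservers]
dns1

[webservers]
web[1:9] ansible_ssh_port=7856 ansible_ssh_user=zaphod

[dbservers]
db1 db_port=3501 default_db=vogon_poetry
"""

RANGE = re.compile(r"\[(\d+):(\d+)\]")

def expand(pattern):
    """Expand one numeric range: web[1:9] -> web1 .. web9 (keeps zero padding)."""
    m = RANGE.search(pattern)
    if not m:
        return [pattern]
    first, last = m.group(1), m.group(2)
    width = len(first) if first.startswith("0") else 0
    return [pattern[:m.start()] + str(i).zfill(width) + pattern[m.end():]
            for i in range(int(first), int(last) + 1)]

def parse_inventory(text):
    """Return (groups, hostvars); TOP holds hosts listed before any [group]."""
    groups, hostvars, current = {"TOP": []}, {}, "TOP"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
            continue
        pattern, *pairs = line.split()
        variables = dict(pair.split("=", 1) for pair in pairs)
        for host in expand(pattern):
            if host not in groups[current]:
                groups[current].append(host)
            # In this parser, variables on a later line for the same host win.
            hostvars.setdefault(host, {}).update(variables)
    return groups, hostvars
```

Calling parse_inventory(INVENTORY) shows that every web host ends up with user zaphod on port 7856, while dns1 keeps ford on port 5555.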

Slide 15

Slide 15 text

Site playbook

    # cat /etc/ansible/site.yml
    - hosts: all
      user: ansible
      become: true
      become_user: root
      roles:
        - common
        - sudo

    - include: playbooks/dbase/main.yml

Slide 16

Slide 16 text

Running Ansible

General ansible command form: ansible <host-pattern> -m <module> -a <arguments>

    # ansible all -m ping -o
    web2 | success >> {"changed": false, "ping": "pong"}
    db1 | success >> {"changed": false, "ping": "pong"}
    web1 | success >> {"changed": false, "ping": "pong"}
    dns1 | success >> {"changed": false, "ping": "pong"}

Slide 17

Slide 17 text

Running a single command

The command module is default

    # ansible webservers -a 'ls -l /etc/passwd'
    web2 | success | rc=0 >>
    -rw-r--r-- 1 root root 2302 Nov 25 13:20 /etc/passwd

    web1 | success | rc=0 >>
    -rw-r--r-- 1 root root 1906 Oct 26 19:31 /etc/passwd

Slide 18

Slide 18 text

Installing a package

    # ansible dbservers -m yum -a name=dbase
    db1 | success >> {
        "changed": false,
        "msg": "",
        "rc": 0,
        "results": [
            "dbase-3.0.2-1.el6.rf.x86_64 providing dbase is already installed"
        ]
    }

Slide 19

Slide 19 text

Playbooks

- Written in YAML
- Recipes of desired state, for which hosts
- Can use variables
- Can contain handlers
- When a state changes, take configured action
- Can be re-used

Slide 20

Slide 20 text

Simple playbook

    # cat /etc/ansible/playbooks/dbase/main.yml
    - hosts: dbservers
      tasks:
        - name: install package dbase
          yum: pkg=dbase state=present
          tags:
            - package

        - name: deploy dbase config
          template: src=dbased.conf.j2 dest=/etc/dbased.conf owner=root group=root mode=0400
          notify:
            - restart dbased

        - name: ensure dbased is running
          service: name=dbased state=started enabled=yes

      handlers:
        - name: restart dbased
          service: name=dbased state=restarted

Slide 21

Slide 21 text

Playbook run

    # ansible-playbook playbooks/dbase/main.yml
    PLAY [dbservers] ****************************************
    TASK: [install package dbase] ***************************
    ok: [db1]
    TASK: [deploy dbase config] *****************************
    ok: [db1]
    TASK: [ensure dbased is running] ************************
    ok: [db1]
    NOTIFIED: [restart dbased] ******************************
    changed: [db1]
    PLAY RECAP **********************************************
    db1 : ok=1 changed=4 unreachable=0 failed=0

Slide 22

Slide 22 text

Gathering Facts

    # ansible web1 -m setup
    web1 | success >> {
        "ansible_facts": {
            "ansible_all_ipv4_addresses": [
                "192.168.56.102",
                "10.10.30.1"
            ],
            "ansible_all_ipv6_addresses": [
                "2001:123:1f19:480:20c:45ff:fe61:ac8d",
                "fe80::20c:45ff:fe61:ab8d"
            ],
            "ansible_architecture": "x86_64",
            "ansible_bios_date": "04/14/2014",
            "ansible_bios_version": "6.00",
            .
            .
        },
        "changed": false
    }

Slide 23

Slide 23 text

Templates

Ansible uses the Jinja2 templating engine

- Variable substitution
- Loops
- Comments
- Conditionals
- Filters

Available facts

- Ansible facts are available
- Puppet Facter facts are available (if installed)
- Chef's Ohai facts are available (if installed)

Slide 24

Slide 24 text

Templates

    # cat playbooks/dbase/dbase.conf.j2
    # Ansible information:
    #   Filename : {{ template_path|replace("/etc/ansible", "...") }}
    #   Filedate : {{ ansible_managed }}
    #   Hostname : {{ ansible_hostname }}
    dbase {
        passwd {{ secretpassword }};
        port 9910;        # Database port
        host localhost;   # Database host
    }
    # (c) 2012-{{ ansible_date_time.year }} by {{ name }}
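Added example (not part of the original slides): the template above renders {{ secretpassword }} into the config file, and the whole configuration lives in a git repo, so the variable's value should sit in an ansible-vault encrypted file rather than in plain YAML. This Python check flags secret-looking variables stored as literals; the file paths, values and the name pattern are constructed for illustration.

```python
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"   # first line of an ansible-vault encrypted file
SECRET_NAME = re.compile(r"passw|secret|token|private_key", re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(.+?)\s*$")

# Constructed sample: variable files as they might appear in the repo.
FILES = {
    "roles/dbase/vars/main.yml":
        "name: AT Computing\nsecretpassword: Sl4rtib4rtfast\n",
    "roles/dbase/vars/vault.yml":
        "$ANSIBLE_VAULT;1.1;AES256\n(constructed ciphertext placeholder)\n",
    "roles/nginx/vars/main.yml":
        'api_token: "{{ vault_api_token }}"  # reference, not a literal\n'
        "listen_port: 8080\n",
}

def plaintext_secrets(files):
    """Return sorted (path, variable) pairs that hold a literal secret."""
    hits = []
    for path, text in files.items():
        if text.lstrip().startswith(VAULT_HEADER):
            continue                       # whole file is vault-encrypted
        for line in text.splitlines():
            m = ASSIGN.match(line.split(" #", 1)[0])
            if not m or not SECRET_NAME.search(m.group(1)):
                continue
            value = m.group(2).strip("\"'")
            if value.startswith("{{") or value.startswith("!vault"):
                continue                   # Jinja2 reference or inline vault value
            hits.append((path, m.group(1)))
    return sorted(hits)
```

Run against the repo as a pre-commit or CI step; a hit means the value is readable by anyone with access to the repository history.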

Slide 25

Slide 25 text

Roles

- Playbooks grow large and become unreadable
- A standard way of organizing things
- Can easily be shared with others (Through Galaxy)

Ansible role directory structure

    thisrole ............... Top of the role
        files .............. Role files
        handlers ........... Role handlers
            main.yml ....... Role handlers start
        tasks .............. Role tasks
            main.yml ....... Role starting point
        templates .......... Role templates
        vars ............... Role variables
            main.yml ....... Role variables start

Slide 26

Slide 26 text

Roles in playbooks

Using roles in playbooks

    - hosts: all
      roles:
        - common
        - users
        - sudo

    - hosts: webservers
      roles:
        - nginx

    - hosts: dbservers
      roles:
        - dbase

Slide 27

Slide 27 text

Recap

- Entire Ansible configuration is in a git repo
- Use become for root commands
- Configure authorized_keys for connections
- Run ansible script every hour
- Log playbook runs to /var/log/ansible.log
- Use Ansible callbacks to give feedback
- Use roles as much as possible
- Make roles generic
- Define variables for site configuration
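Added example (not part of the original slides): with hourly runs logged to /var/log/ansible.log and idempotent playbooks, a host that reports changed > 0 on two consecutive runs either has a non-idempotent task or something keeps reverting its configuration. This Python sketch reviews PLAY RECAP lines for that, plus unreachable and failed hosts; the sample log is constructed in the console format shown on the playbook-run slide, and the assumption is that the log carries the same "host : ok=… changed=…" fields.

```python
import re

RECAP_LINE = re.compile(
    r"(?P<host>\S+)\s*:\s*ok=(?P<ok>\d+)\s+changed=(?P<changed>\d+)"
    r"\s+unreachable=(?P<unreachable>\d+)\s+failed=(?P<failed>\d+)")

# Constructed sample: two consecutive hourly runs.
SAMPLE = """\
PLAY RECAP **********************************************
db1 : ok=1 changed=4 unreachable=0 failed=0
web1 : ok=3 changed=2 unreachable=0 failed=0
PLAY RECAP **********************************************
db1 : ok=5 changed=0 unreachable=0 failed=0
web1 : ok=3 changed=2 unreachable=0 failed=0
web2 : ok=0 changed=0 unreachable=1 failed=0
"""

def review_recap(log_text):
    """Return {host: [flags]} for hosts that need attention after the last run."""
    history = {}                      # host -> counters, one entry per run
    for line in log_text.splitlines():
        m = RECAP_LINE.search(line)   # search() tolerates a log prefix
        if m:
            counters = {k: int(v) for k, v in m.groupdict().items()
                        if k != "host"}
            history.setdefault(m.group("host"), []).append(counters)
    findings = {}
    for host, runs in history.items():
        last = runs[-1]
        flags = [k for k in ("unreachable", "failed") if last[k]]
        # Changed again right after a run that already changed things:
        # the play did not settle, which idempotent tasks should.
        if last["changed"] and len(runs) > 1 and runs[-2]["changed"]:
            flags.append("changed-again")
        if flags:
            findings[host] = flags
    return findings
```

In the sample, db1 changes on the first run and is quiet on the second, which is the expected idempotent behaviour, while web1 and web2 are reported.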

Slide 28

Slide 28 text

Resources

- Website: http://www.ansible.com
- Documentation: http://docs.ansible.com
- IRC on Freenode: #ansible and #ansibleu
- Meetups: http://meetup.com/Ansible-Benelux
- Twitter: @ansible and @AnsibleBenelux
- Reddit: http://www.reddit.com/r/ansible
- Google Group: https://groups.google.com
- Weekly newsletter: https://valdhaus.com
- Check out and study the source from github
- · · ·

Slide 29

Slide 29 text

Please!!!!

- Contribute to Ansible code
- Contribute to Ansible documentation
- Use roles from Galaxy
- Share roles on Galaxy
- Visit Ansible Meetups
- Spread the Ansible word...

Slide 30

Slide 30 text

Question Time!

Questions??

Contact me

- [email protected]
- http://www.atcomputing.nl
- https://github.com/tonk
- https://speakerdeck.com/tonk
- @TonKersten on Twitter
- TKersten on IRC

Created with

- LaTeX Beamer
- Vim
- Poppler Tools
- LibreOffice
- ImageMagick
- Evince