A tour of Ansible

Transcript

1. Provisioning, Config, Execution, (more) Fun

2. Steve Pereira 18 years in IT Startups and Enterprise Love

   learning about, teaching and talking about: • DevOps • CI/CD • Automation • Scale WHO AM I?

3. ANSIBLE FEATURES • Automation for local and remote system provisioning

   • Automation for local and remote applications deployment • No agents to install on remote systems • Using existing SSHd on remote systems and native SSH on host • Parallel by default - scale to 6000 targets with single master • Language that approaches plain english

4. ANSIBLE CONVENTIONS Playbooks - contain required tasks to configure systems

   and deploy Tasks - individual actions to perform on remote or local machines Roles - modular, single-purpose configurations for systems Inventory - files containing address information of target machines Handlers - actions triggered by tasks Templates - customizable files destined for managed machines

5. MINIMUM VIABLE ANSIBLE $ ansible all -i 'localhost,' -c local

   -m ping localhost | success >> { "changed": false, "ping": "pong" }

6. WHAT ELSE? • ansible webservers -m setup • ansible lb

   -m copy -a "src=hosts dest=/tmp/hosts” • ansible webservers -m yum -a "name=curl state=installed” • ansible webservers -m service -a "name=nginx state=restarted” • ansible-doc -l

7. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

   remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

8. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

   remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

9. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

   remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

10. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

    remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

11. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

    remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

12. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

    remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

13. PLAYBOOKS --- - hosts: webservers vars: http_port: 80 max_clients: 200

    remote_user: root tasks: - name: ensure apache is at the latest version yum: pkg=httpd state=latest - name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf notify: - restart apache - name: ensure apache is running (and enable it at boot) service: name=httpd state=started enabled=yes handlers: - name: restart apache service: name=httpd state=restarted example_playbook.yml

14. ROLES my_role/ README.md (readme) defaults/ (default values) meta/ (role metadata)

    files/ (binaries) templates/ (file templates) handlers/ (operation handlers) tasks/ (playbook files) vars/ (custom variables) • Easily packaged and shared • Download community roles • Mix and match

15. INVENTORY • Define how ansible will interact with remote hosts

    • Define logical groups of managed nodes • One file for each environment • Default location : /etc/ansible/hosts • INI format, variable overrides sample_inventory.ini [loadbalancers] 10.20.30.41 10.20.30.42 [webservers] 10.20.30.51 hostname=artemis 10.20.30.52 hostname=apollo

16. TEMPLATES • Use Jinja2 templating and variables to customize •

    Defaults available when variables not provided (dev default with prod override) etc_logrotate.d.j2 {{ logfile }} { rotate {{ 7 | rotate_max }} {{ daily | frequency }} compress missingok notifempty }

17. IT CAN GET FANCY tasks: - name: install packages in

    a users virtualenv shell: su - c {{ item[0] }} '(. ./bin/activate && pip install {{ item[1] }})' with_nested: - [ 'jim', 'joe', 'jack' ] - [ package1==1.1, package2==1.2, package3==1.3 ] There are several types of loops: Hashes, Fileglobs, Sequence, Subelements, First match, Command results, Random and more but there’s a builtin pip module, anyways.

18. CONDITIONALS tasks: - command: /bin/false register: result ignore_errors: True -

    command: /bin/something when: result|failed - command: /bin/something_else when: result|success - command: /bin/still/something_else when: result|skipped The result of a play can depend on the value of a variable, fact (something learned about the remote system), or previous task result.

19. MORE CONDITIONALS! tasks: - shell: echo "I've got '{{ foo

    }}'" when: foo is defined - fail: msg="This play requires 'bar'" when: bar is not defined - command: echo {{ item }} with_items: [ 0, 2, 4, 6, 8, 10 ] when: item > 5 If a required variable has not been set, you can skip or fail using Jinja2’s defined test. For example:

20. SIMPLE, POWERFUL BUILTINS • 261 built-in modules • Many cloud

    providers, packages and tools are integrated • Easily add your own in any language examples: • ec2 - Create, terminate, start/stop an instance • docker - Manage docker containers • hipchat Send a message to hipchat • s3 - manage objects in S3 • twilio - Sends a text message to a phone • win_service - Manages Windows services • zfs - Manage zfs

21. SMOOTH OPERATION • Get and set variables easily • Simple

    variable precedence • Ordered, predictable execution • Tagged, resumable execution • ansible doc [foo]

22. SECURITY •Can be centralized and locked down via Ansible Tower

    •Can be run from a centralized bastion server •Vault encrypts sensitive data •Uses ordinary SSH, paramiko or custom transport plugins •No extra open ports, use your own user account, sudo! •No agents to update or risk vulnerabilities

23. ENTERPRISE GRADE •Tower integration with LDAP and AD for RBAC

    •Manage any number of servers across many Tower instances •Portal and dashboard views, pushbutton interaction •Job scheduling •Audit trail •High availability

24. ENTERPRISE USE

25. ADVANCED CAPABILITIES •Rolling updates/deployment/orchestration (1, 5, n at a time)

    •Canary testing (check for page content or response code) •Custom execution paths based on response/error/environment •Variable timeouts and parellelism •Ansible-pull to invert execution - nodes check in to a master

26. MORE INFORMATION https://docs.ansible.com http://www.ansible.com/tower https://docs.ansible.com/playbooks_best_practices.html https://galaxy.ansible.com https://github.com/ansible/ansible-examples

27. QUESTIONS? @steveElsewhere [email protected] http://linkedin.com/in/devopsto

28. THANK YOU! http://devopsdays.org/events/2015-toronto (shameless plug)