Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=47 Serge van Ginderachter
December 12, 2015
How-to & DIY
3
2.7k

Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=128

Serge van Ginderachter

December 12, 2015
Tweet

More Decks by Serge van Ginderachter

See All by Serge van Ginderachter
0023cde5ac7c71e5c0c0c1f5fae87b82?s=48 svg
3
820

Other Decks in How-to & DIY

See All in How-to & DIY
14b18f0c03076cae90a2b9f6b139cefd?s=48 aliceorru
2
520
9260cf8a1a6dd81ac381c56547f589d5?s=48 bigtree
1
510
Aff189c04cc9a6d88fb7ff26b3e34e6e?s=48 aoim
1
140
99302b39c43015983665d69397695734?s=48 gaines
3
180
1817c3d5995710d04506a17cc9b5c9ba?s=48 runrunsan
0
180
1817c3d5995710d04506a17cc9b5c9ba?s=48 runrunsan
0
160
24b82e535177c6be997ca4ec43d8df6b?s=48 tomoyanonymous
3
660
32fc21c821f829e470225311c7530832?s=48 n0bisuke2
0
200
Dae1d4cc4599a65a5da6e1a1f9d96f05?s=48 n0bisuke
1
380
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
2.3k
88f90f23360dccfffe5d4645b6d2da3d?s=48 keicafeblack
0
280
32fc21c821f829e470225311c7530832?s=48 n0bisuke2
0
110

Featured

See All Featured
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
20
4.7k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
442
29k
Ecdea9b9714877b86cee08458f085481?s=48 trallard
18
990
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
4
720
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
371
43k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
479
150k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
262
11k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
63
10k
78b475797a14c84799063c7cd073962f?s=48 holman
448
140k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
178
14k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
503
37k

Transcript

  1. (Some) Ansible Best Practices according to @svg Ansible Meetup Berchem

    12/12/2015

  2. Hi! My name is Serge and I’m an Ansible User

    Serge van Ginderachter @svg github.com/srvg ops consultant @ ginsys.eu github.com/ginsys serge@ginsys.eu

  3. do one thing and do it well roles are the

    <body> of ansible focus on small roles that do one specific thing

  4. DON’T DO BIG SILO ROLES: SPLIT IN SMALL ROLES:

  5. provide small roles with extensive parameterization your role variables are

    your API

  6. assumptions are bad deploying on some public cloud? or high

    secure private banking datacenter? direct internet connection? internet repository or local mirror? proxy access? Allow for flexible options when writing your role.

  7. generic galaxy role assume remote_user is root? or assume sudo

    is needed?

  8. privilege escalation in roles explicit is better than implicit -

    if task needs root, explicitly use become: true and become_user: root - or become_user: myapp - cumbersome for all tasks - use blocks in v2

  9. Use full YAML notation instead of key=value http://blog.bandwidth.com/why-you-should-use-yaml-as- yaml-with-ansible/

  10. action: or modulename: ? - action: module: file dest: /blah/foo

  11. mention all module parameters explicitly if not, owner and group

    depend on remote_user OR become_user mode depends on some default os/user setting

  12. beware of defaults! defaults are bad!

  13. defaults change over time Java 8 is the new stable

    for now don’t build an app depending on the ‘latest stable’ of that library do not rely on group_vars/all {{role}}/defaults/main.yml is for providing a sane default example, not for running values explicit is better than implicit what if a role changes a default?

  14. all the things at once?

  15. update the default? group_vars/all ? group_vars/development ? group_vars/my_fancy_app ? upgrade

    all your Java 8 based apps at once, when changing the default to 9? … in all that application’s environments like dev, test and prod, at once? when java 9 is the new 8

  16. Code and Data separation ideally: code = ansible playbooks, plays,

    roles data = ansible inventory

  17. Constants, Variables, Parameters role/vars are constants play vars are constants

    too, but roles are better role/defaults are nothing more than examples group_vars and host_vars exist at both inventory level and playbook level most logical would be to override playbook vars with inventory vars keep things simple, don’t mix $ grep $ -r playbook/play.yml:- hosts: all playbook/play.yml: tasks: playbook/play.yml: - debug: var=myvar inventory/hosts:localhost inventory/group_vars/all:myvar: inventory playbook/group_vars/all:myvar: playbook $ ansible-playbook -i inventory/hosts playbook/play.yml PLAY *************************************************************************** TASK [setup] ******************************************************************* ok: [localhost] TASK [debug var=myvar] ********************************************************* ok: [localhost] => { "changed": false, "myvar": "playbook" } PLAY RECAP ********************************************************************* localhost : ok=2 changed=0 unreachable=0 failed=0 [2.1.0 (devel bd0f9a4afc)] serge@goldorak:~/Temp/ansible2$

  18. Variables inventory group_vars are powerful - also complex when lots

    of groups and childs keep it explicit at runtime, ansible only cares about vars per host, no reason why dynamic inventory script could not return only host vars and do the merging for you ansible.cfg: hash_behaviour=merge sounds cool for fancy dictionary things is not portable

  19. -- tags keep tags high level playbook role perhaps 1

    role ~ 1 tag do not overuse tags what do you want to achieve with tags? many tags within a role? perhaps you need smaller roles avoid. again, explicit is better than implicit role dependencies

  20. other resources https://www.theodo.fr/blog/2015/10/best-practices-to-build-great-ansible-playbooks/ https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

  21. Questions?