Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=47 Serge van Ginderachter
December 12, 2015
How-to & DIY
3
2.6k

Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=128

Serge van Ginderachter

December 12, 2015
Tweet

More Decks by Serge van Ginderachter

See All by Serge van Ginderachter
0023cde5ac7c71e5c0c0c1f5fae87b82?s=48 svg
3
800

Other Decks in How-to & DIY

See All in How-to & DIY
Da8695fc9f71a17e3849ae4cb29df5a0?s=48 travelpayouts
0
270
417a646c94008aeee96460ba2fba147e?s=48 niccolli
0
170
51198d0c7643e9c6d8d491533eead6c9?s=48 myasu
1
760
08d84a320a8128f6e0b00b27c201530f?s=48 yasslab
3
5.8k
B70433f478ac343d413014e5b02d33e6?s=48 kazu23pole
0
120
929e57082aee3d8acca42323a9a5c26e?s=48 joshuamauldin
2
150
E6c980b93d086e757643971b318a40a9?s=48 maepu
1
140
20b50e2c6de6182f76de48a7cdeb051f?s=48 yukuro
0
110
Dae1d4cc4599a65a5da6e1a1f9d96f05?s=48 n0bisuke
1
260
9e8f60b6676fa46400e78406af8fb7e5?s=48 ichida
3
490
9998f03d0ff1d9da73a455f4fc58f4a5?s=48 tmitsuoka0423
0
160
Dbeb15bb993e45ba8f7a7f82cf2ef978?s=48 usashirou
0
1k

Featured

See All Featured
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
183
14k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
2
390
79acae287842acf29084005533a7fb3b?s=48 hursman
103
9k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
8
1.2k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
283
110k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
325
34k
11c84dff30266b907714802088852677?s=48 jasonvnalue
80
7.8k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
494
110k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
228
17k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
350k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
70
3.3k

Transcript

  1. (Some) Ansible Best Practices according to @svg Ansible Meetup Berchem

    12/12/2015

  2. Hi! My name is Serge and I’m an Ansible User

    Serge van Ginderachter @svg github.com/srvg ops consultant @ ginsys.eu github.com/ginsys serge@ginsys.eu

  3. do one thing and do it well roles are the

    <body> of ansible focus on small roles that do one specific thing

  4. DON’T DO BIG SILO ROLES: SPLIT IN SMALL ROLES:

  5. provide small roles with extensive parameterization your role variables are

    your API

  6. assumptions are bad deploying on some public cloud? or high

    secure private banking datacenter? direct internet connection? internet repository or local mirror? proxy access? Allow for flexible options when writing your role.

  7. generic galaxy role assume remote_user is root? or assume sudo

    is needed?

  8. privilege escalation in roles explicit is better than implicit -

    if task needs root, explicitly use become: true and become_user: root - or become_user: myapp - cumbersome for all tasks - use blocks in v2

  9. Use full YAML notation instead of key=value http://blog.bandwidth.com/why-you-should-use-yaml-as- yaml-with-ansible/

  10. action: or modulename: ? - action: module: file dest: /blah/foo

  11. mention all module parameters explicitly if not, owner and group

    depend on remote_user OR become_user mode depends on some default os/user setting

  12. beware of defaults! defaults are bad!

  13. defaults change over time Java 8 is the new stable

    for now don’t build an app depending on the ‘latest stable’ of that library do not rely on group_vars/all {{role}}/defaults/main.yml is for providing a sane default example, not for running values explicit is better than implicit what if a role changes a default?

  14. all the things at once?

  15. update the default? group_vars/all ? group_vars/development ? group_vars/my_fancy_app ? upgrade

    all your Java 8 based apps at once, when changing the default to 9? … in all that application’s environments like dev, test and prod, at once? when java 9 is the new 8

  16. Code and Data separation ideally: code = ansible playbooks, plays,

    roles data = ansible inventory

  17. Constants, Variables, Parameters role/vars are constants play vars are constants

    too, but roles are better role/defaults are nothing more than examples group_vars and host_vars exist at both inventory level and playbook level most logical would be to override playbook vars with inventory vars keep things simple, don’t mix $ grep $ -r playbook/play.yml:- hosts: all playbook/play.yml: tasks: playbook/play.yml: - debug: var=myvar inventory/hosts:localhost inventory/group_vars/all:myvar: inventory playbook/group_vars/all:myvar: playbook $ ansible-playbook -i inventory/hosts playbook/play.yml PLAY *************************************************************************** TASK [setup] ******************************************************************* ok: [localhost] TASK [debug var=myvar] ********************************************************* ok: [localhost] => { "changed": false, "myvar": "playbook" } PLAY RECAP ********************************************************************* localhost : ok=2 changed=0 unreachable=0 failed=0 [2.1.0 (devel bd0f9a4afc)] serge@goldorak:~/Temp/ansible2$

  18. Variables inventory group_vars are powerful - also complex when lots

    of groups and childs keep it explicit at runtime, ansible only cares about vars per host, no reason why dynamic inventory script could not return only host vars and do the merging for you ansible.cfg: hash_behaviour=merge sounds cool for fancy dictionary things is not portable

  19. -- tags keep tags high level playbook role perhaps 1

    role ~ 1 tag do not overuse tags what do you want to achieve with tags? many tags within a role? perhaps you need smaller roles avoid. again, explicit is better than implicit role dependencies

  20. other resources https://www.theodo.fr/blog/2015/10/best-practices-to-build-great-ansible-playbooks/ https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

  21. Questions?