Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=47 Serge van Ginderachter
December 12, 2015
How-to & DIY
3
2.7k

Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=128

Serge van Ginderachter

December 12, 2015
Tweet

More Decks by Serge van Ginderachter

See All by Serge van Ginderachter
0023cde5ac7c71e5c0c0c1f5fae87b82?s=48 svg
3
800

Other Decks in How-to & DIY

See All in How-to & DIY
F1314de460723806a84096945372f823?s=48 mapgive
0
120
99302b39c43015983665d69397695734?s=48 gaines
3
120
Dae1d4cc4599a65a5da6e1a1f9d96f05?s=48 n0bisuke
1
260
51198d0c7643e9c6d8d491533eead6c9?s=48 myasu
1
830
61e3dc6d612dcbef28f580e2488dd3f2?s=48 totuworld
1
360
7cd783377515bdf8207062840b7b2f4e?s=48 soracom
1
2.2k
A4279da93d5e574c797061134aa42dbb?s=48 wyamazak
0
240
6f36658ea42f570474a8558ba265b795?s=48 exilias
1
1.5k
Dae1d4cc4599a65a5da6e1a1f9d96f05?s=48 n0bisuke
0
260
73a5f95133889e0846ae38321686368b?s=48 matsuoshi
0
300
290d23a135ce1e2256fc191b0625ae00?s=48 arimuri
1
6.3k
Fea82780e38327ac1ca80e371f740537?s=48 tnk1987
2
450

Featured

See All Featured
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
770
190k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
71
3.5k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
86
3.8k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
446
36k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
144
6.5k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
336
16k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
53
1.8k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
325
15k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
775
240k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
90
13k

Transcript

  1. (Some) Ansible Best Practices according to @svg Ansible Meetup Berchem

    12/12/2015

  2. Hi! My name is Serge and I’m an Ansible User

    Serge van Ginderachter @svg github.com/srvg ops consultant @ ginsys.eu github.com/ginsys serge@ginsys.eu

  3. do one thing and do it well roles are the

    <body> of ansible focus on small roles that do one specific thing

  4. DON’T DO BIG SILO ROLES: SPLIT IN SMALL ROLES:

  5. provide small roles with extensive parameterization your role variables are

    your API

  6. assumptions are bad deploying on some public cloud? or high

    secure private banking datacenter? direct internet connection? internet repository or local mirror? proxy access? Allow for flexible options when writing your role.

  7. generic galaxy role assume remote_user is root? or assume sudo

    is needed?

  8. privilege escalation in roles explicit is better than implicit -

    if task needs root, explicitly use become: true and become_user: root - or become_user: myapp - cumbersome for all tasks - use blocks in v2

  9. Use full YAML notation instead of key=value http://blog.bandwidth.com/why-you-should-use-yaml-as- yaml-with-ansible/

  10. action: or modulename: ? - action: module: file dest: /blah/foo

  11. mention all module parameters explicitly if not, owner and group

    depend on remote_user OR become_user mode depends on some default os/user setting

  12. beware of defaults! defaults are bad!

  13. defaults change over time Java 8 is the new stable

    for now don’t build an app depending on the ‘latest stable’ of that library do not rely on group_vars/all {{role}}/defaults/main.yml is for providing a sane default example, not for running values explicit is better than implicit what if a role changes a default?

  14. all the things at once?

  15. update the default? group_vars/all ? group_vars/development ? group_vars/my_fancy_app ? upgrade

    all your Java 8 based apps at once, when changing the default to 9? … in all that application’s environments like dev, test and prod, at once? when java 9 is the new 8

  16. Code and Data separation ideally: code = ansible playbooks, plays,

    roles data = ansible inventory

  17. Constants, Variables, Parameters role/vars are constants play vars are constants

    too, but roles are better role/defaults are nothing more than examples group_vars and host_vars exist at both inventory level and playbook level most logical would be to override playbook vars with inventory vars keep things simple, don’t mix $ grep $ -r playbook/play.yml:- hosts: all playbook/play.yml: tasks: playbook/play.yml: - debug: var=myvar inventory/hosts:localhost inventory/group_vars/all:myvar: inventory playbook/group_vars/all:myvar: playbook $ ansible-playbook -i inventory/hosts playbook/play.yml PLAY *************************************************************************** TASK [setup] ******************************************************************* ok: [localhost] TASK [debug var=myvar] ********************************************************* ok: [localhost] => { "changed": false, "myvar": "playbook" } PLAY RECAP ********************************************************************* localhost : ok=2 changed=0 unreachable=0 failed=0 [2.1.0 (devel bd0f9a4afc)] serge@goldorak:~/Temp/ansible2$

  18. Variables inventory group_vars are powerful - also complex when lots

    of groups and childs keep it explicit at runtime, ansible only cares about vars per host, no reason why dynamic inventory script could not return only host vars and do the merging for you ansible.cfg: hash_behaviour=merge sounds cool for fancy dictionary things is not portable

  19. -- tags keep tags high level playbook role perhaps 1

    role ~ 1 tag do not overuse tags what do you want to achieve with tags? many tags within a role? perhaps you need smaller roles avoid. again, explicit is better than implicit role dependencies

  20. other resources https://www.theodo.fr/blog/2015/10/best-practices-to-build-great-ansible-playbooks/ https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

  21. Questions?