Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=47 Serge van Ginderachter
December 12, 2015
How-to & DIY
3
2.7k

Some Ansible Best Practices

0023cde5ac7c71e5c0c0c1f5fae87b82?s=128

Serge van Ginderachter

December 12, 2015
Tweet

More Decks by Serge van Ginderachter

See All by Serge van Ginderachter
0023cde5ac7c71e5c0c0c1f5fae87b82?s=48 svg
3
850

Other Decks in How-to & DIY

See All in How-to & DIY
13baeabe6f414defa311a640ea09c943?s=48 taokiuhuru
0
210
32fc21c821f829e470225311c7530832?s=48 n0bisuke2
0
290
11913527a0ccdb24732f130677ae3a54?s=48 kamioka
0
140
A5bff96f8a112bbf8ecf490c869cf9a8?s=48 lonbrew
0
140
A0eb9c004aa030128cb00df1a07157bc?s=48 ozk009
1
170
7874d8fdfea58f7012ae1287da37013a?s=48 a2k3ine
0
220
4615930de72ec08f99d3227761ace0d8?s=48 yenlung
0
490
00935070a65a3e99e11c80380023cead?s=48 mkawato2525
0
260
88f90f23360dccfffe5d4645b6d2da3d?s=48 keicafeblack
0
130
C995681c00e2d2f81fbff0a635e0b5e0?s=48 mamisada
1
570
2316acb7fcd420866b7889c6b7ad7219?s=48 tiemco
0
510
32fc21c821f829e470225311c7530832?s=48 n0bisuke2
0
290

Featured

See All Featured
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
207
38k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
15
1k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
5.6k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
97
15k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
122
16k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
10
730
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
118
11k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
404
20k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
61
6.7k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
56
9.6k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
273
32k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
190
14k

Transcript

  1. (Some) Ansible Best Practices according to @svg Ansible Meetup Berchem

    12/12/2015

  2. Hi! My name is Serge and I’m an Ansible User

    Serge van Ginderachter @svg github.com/srvg ops consultant @ ginsys.eu github.com/ginsys serge@ginsys.eu

  3. do one thing and do it well roles are the

    <body> of ansible focus on small roles that do one specific thing

  4. DON’T DO BIG SILO ROLES: SPLIT IN SMALL ROLES:

  5. provide small roles with extensive parameterization your role variables are

    your API

  6. assumptions are bad deploying on some public cloud? or high

    secure private banking datacenter? direct internet connection? internet repository or local mirror? proxy access? Allow for flexible options when writing your role.

  7. generic galaxy role assume remote_user is root? or assume sudo

    is needed?

  8. privilege escalation in roles explicit is better than implicit -

    if task needs root, explicitly use become: true and become_user: root - or become_user: myapp - cumbersome for all tasks - use blocks in v2

  9. Use full YAML notation instead of key=value http://blog.bandwidth.com/why-you-should-use-yaml-as- yaml-with-ansible/

  10. action: or modulename: ? - action: module: file dest: /blah/foo

  11. mention all module parameters explicitly if not, owner and group

    depend on remote_user OR become_user mode depends on some default os/user setting

  12. beware of defaults! defaults are bad!

  13. defaults change over time Java 8 is the new stable

    for now don’t build an app depending on the ‘latest stable’ of that library do not rely on group_vars/all {{role}}/defaults/main.yml is for providing a sane default example, not for running values explicit is better than implicit what if a role changes a default?

  14. all the things at once?

  15. update the default? group_vars/all ? group_vars/development ? group_vars/my_fancy_app ? upgrade

    all your Java 8 based apps at once, when changing the default to 9? … in all that application’s environments like dev, test and prod, at once? when java 9 is the new 8

  16. Code and Data separation ideally: code = ansible playbooks, plays,

    roles data = ansible inventory

  17. Constants, Variables, Parameters role/vars are constants play vars are constants

    too, but roles are better role/defaults are nothing more than examples group_vars and host_vars exist at both inventory level and playbook level most logical would be to override playbook vars with inventory vars keep things simple, don’t mix $ grep $ -r playbook/play.yml:- hosts: all playbook/play.yml: tasks: playbook/play.yml: - debug: var=myvar inventory/hosts:localhost inventory/group_vars/all:myvar: inventory playbook/group_vars/all:myvar: playbook $ ansible-playbook -i inventory/hosts playbook/play.yml PLAY *************************************************************************** TASK [setup] ******************************************************************* ok: [localhost] TASK [debug var=myvar] ********************************************************* ok: [localhost] => { "changed": false, "myvar": "playbook" } PLAY RECAP ********************************************************************* localhost : ok=2 changed=0 unreachable=0 failed=0 [2.1.0 (devel bd0f9a4afc)] serge@goldorak:~/Temp/ansible2$

  18. Variables inventory group_vars are powerful - also complex when lots

    of groups and childs keep it explicit at runtime, ansible only cares about vars per host, no reason why dynamic inventory script could not return only host vars and do the merging for you ansible.cfg: hash_behaviour=merge sounds cool for fancy dictionary things is not portable

  19. -- tags keep tags high level playbook role perhaps 1

    role ~ 1 tag do not overuse tags what do you want to achieve with tags? many tags within a role? perhaps you need smaller roles avoid. again, explicit is better than implicit role dependencies

  20. other resources https://www.theodo.fr/blog/2015/10/best-practices-to-build-great-ansible-playbooks/ https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

  21. Questions?