
Ansible Presentation @ iSense

Ton Kersten
September 15, 2016

Ansible Introduction presentation for iSense in Gouda


Transcript

  1. Ansible
    Why and how I use it!
    Ton Kersten
    Nijmegen / The Netherlands / 2016
  2. Agenda
    1 Introduction
    2 Why
    3 How
    4 Recap
    5 Resources
    6 Question Time!
    ans-v1.9-2
  3. $ who am i
    UNIX/Linux consultant and Trainer @ AT Computing
    UNIX Nerd (started in 1986 with SunOS 3)
    Linux Geek (started in 1992 with 0.96α)
    Scripting Nerd
    Configuration Management addict
    Free and Open Source Software enthusiast
    HAM Operator (pa1ton)
    Programming
    Plain text aficionado
    Big fan of things that just work
    Ansible user and contributor since 2012
    · · ·
  4. Long ago
    Shell scripts
    SSH loops
    Parallel SSH
    Cluster SSH
    Screen synchronized windows
    tmux synchronized panes
    · · ·
    Things got out of control
  5. Next
    CF Engine 1993 ⇒ The first Config Management tool
    Puppet 2005 ⇒ Widely used, master / slave
    Chef 2009 ⇒ Puppet lookalike, configured with Ruby
    Salt Stack 2011 ⇒ master / slave
    Ansible 2012 ⇒ Easy to use, configured through yaml
    Propellor 2014 ⇒ master / slave, configured with Haskell
    Capistrano 2006 ⇒ Scripting in Ruby
    Paver 2007 ⇒ Fabric alternative for Python 3
    Fabric 2008 ⇒ Python Library for CM (Only Python 2)
    Invoke 2012 ⇒ Python 3 successor of Fabric
    Juju 2011 ⇒ Ubuntu, designed for the cloud
    · · ·
    Invoke seems to be the successor of Fabric, but is still in beta. They do have the same author.
  6. What I want
    Simple command

        root@master1 # some-kind-of-simple-command install_database
        PLAY [dbservers] ****************************************
        TASK: [install package dbase] ***************************
        TASK: [deploy dbase config] *****************************
        TASK: [ensure dbased is running] ************************
        NOTIFIED: [restart dbased] ******************************
        PLAY RECAP **********************************************
        db1 : ok=1 changed=4 unreachable=0 failed=0
  7. Why Ansible
    No master server
    No more daemons on the master
    No more agents on the nodes
    No databases
    No separate PKI
    Uses standard SSH functionality
    Very, very powerful
    Configuration, deployment, ad-hoc, continuous delivery
    Simple configuration files (yaml)
    Idempotent ⇒ f(x) = f(f(x))
    No convergence
  8. Easy
    From nothing to production in a jiffy
    Python 2.6 + Paramiko, PyYAML, Jinja2 on master
    Python 2.4 + simplejson on nodes
    Can run in Python virtualenv
    Can run from git checkout
    Uses SSH for transport and login
    No root needed, can use sudo, pbrun, pfexec, etc.
  9. Simple components (Commands)
    Ansible commands
    ansible ⇒ The main Ansible command
    ansible-playbook ⇒ Command to run playbooks
    ansible-pull ⇒ The main Ansible pull command
    ansible-doc ⇒ Ansible documentation program
    ansible-galaxy ⇒ Command to interact with Galaxy
    ansible-vault ⇒ The Ansible password vault
    ansible-console ⇒ The Ansible interactive console
  10. Simple components (Modules)
    A lot of modules
    Ansible version 1 ⇒ 250+
    Ansible version 2 ⇒ 600+
    Commands
    Files / templating
    Users
    Packages (yum, apt, zypper, …)
    Services
    Version control
    Databases
    · · · (See: ansible-doc)
    Or, write your own
  11. Easy install
    On all operating systems
    Create a Python virtualenv

        # pip install ansible

    On CentOS / RHEL / Scientific Linux
    Enable the EPEL repository

        # yum install ansible

    On Debian / Ubuntu
    Available in standard repository

        # apt-get install ansible

    From github (Bleeding edge)
    Install and configure git

        $ git clone http://github.com/ansible/ansible.git
        $ cd ansible
        $ sudo make install
  12. How it works
    [Diagram: a management node with module(s), playbooks or roles, and hosts, connected to three nodes; no agents, communication over SSH or WinRM]
  13. My example network
    Management node: master1.example.net 192.168.56.101/24
    Web server: web1.example.net 192.168.56.102/24
    DB server: db1.example.net 192.168.56.103/24
    Windows server: win1.example.net 192.168.56.110/24
    DNS server: dns1.example.net 192.168.56.105/24
    Web server: web2.example.net 192.168.56.104/24
  14. Inventory file

        # cat /etc/ansible/hosts
        localhost ansible_connection=local

        [dnsservers]
        dns1 ansible_port=5504 ansible_user=ford
        dns2 ansible_port=5505 ansible_user=arthur

        [webservers]
        web[1:9] ansible_port=7856 ansible_user=zaphod

        [dbservers]
        db1 db_port=3501 default_db=vogon_poetry

        [windows]
        win1 ansible_host=192.168.100.110

    ansible_connection, ansible_user, ansible_host and ansible_port are predefined variables used as connection parameters which override the defaults as specified in ansible.cfg.
  15. Windows settings

        # cat /etc/group_vars/windows
        ansible_user: ansible@EXAMPLENET.LOCAL
        ansible_password: MySecretPassword
        ansible_become: False
        ansible_port: 5986
        ansible_module_lang: cp1252
        ansible_connection: winrm
        ansible_winrm_server_cert_validation: ignore

    As you can imagine, these settings should be placed in the Ansible Vault.

        # klist -l
        Principal name                 Cache name
        --------------                 ----------
        ansible@EXAMPLENET.LOCAL       KEYRING:persistent:0:0
  16. Running Ansible
    General ansible command form:

        ansible <hosts> -m <module> -a <params> <options>

        # ansible linux -m ping -o
        db1 | success >> {"changed": false, "ping": "pong"}
        web1 | success >> {"changed": false, "ping": "pong"}
        dns1 | success >> {"changed": false, "ping": "pong"}

        # ansible windows -m win_ping -o
        win1 | SUCCESS => {"changed": false, "ping": "pong"}
  17. Running a single command
    The command module is default

        # ansible webservers -a 'ls -l /etc/passwd'
        web1 | success | rc=0 >>
        -rw-r--r-- 1 root root 1906 Oct 26 19:31 /etc/passwd

        web2 | success | rc=0 >>
        -rw-r--r-- 1 root root 1810 Sep 11 8:46 /etc/passwd
  18. Running a single command on Windows

        # ansible windows -m raw -a 'CMD /C "dir /X C:\ "'
        win1 | SUCCESS | rc=0 >>
         Volume in drive C has no label.
         Volume Serial Number is E4E8-A132

         Directory of C:\

        20-07-2016  10:54    <DIR>               DFSRoots
        22-08-2013  18:07    <DIR>               inetpub
        22-08-2013  17:52    <DIR>               PerfLogs
        08-08-2016  13:26    <DIR>  PROGRA~1     Program Files
        15-09-2016  11:47    <DIR>  PROGRA~2     Program Files (x86)
        20-07-2016  10:54    <DIR>  SERVER~1     ServerFolders
        20-07-2016  14:18    <DIR>               Tools
        25-07-2016  09:36    <DIR>               Users
        15-09-2016  12:00    <DIR>               Windows
                       0 File(s)              0 bytes
                       9 Dir(s)  19.953.180.672 bytes free
  19. Installing a package

        # ansible dbservers -m yum -a name=dbase
        db1 | success >> {
            "changed": false,
            "msg": "",
            "rc": 0,
            "results": [
                "dbase-3.0.2-1.el6.rf.x86_64 providing dbase is already installed"
            ]
        }
  20. Gathering Facts

        # ansible web1 -m setup
        web1 | success >> {
            "ansible_facts": {
                "ansible_all_ipv4_addresses": [
                    "192.168.56.102",
                    "10.10.30.1"
                ],
                "ansible_all_ipv6_addresses": [
                    "2001:123:1f19:480:20c:45ff:fe61:ac8d",
                    "fe80::20c:45ff:fe61:ab8d"
                ],
                "ansible_architecture": "x86_64",
                "ansible_bios_date": "04/14/2014",
                "ansible_bios_version": "6.00",
                . . .
            },
            "changed": false
        }
  21. Playbooks
    Written in YAML
    Recipes of desired state, for which hosts
    Can use variables
    Can contain handlers
    When a state changes, take configured action
    Can be re-used
  22. Simple playbook

        # cat /etc/ansible/playbooks/dbase/main.yml
        - hosts: dbservers
          tasks:
            - name: install package dbase
              yum: pkg=dbase state=present
              tags:
                - package

            - name: deploy dbase config
              template: src=dbased.conf.j2 dest=/etc/dbased.conf owner=root group=root mode=0400
              notify:
                - restart dbased

            - name: ensure dbased is running
              service: name=dbased state=started enabled=yes

          handlers:
            - name: restart dbased
              service: name=dbased state=restarted
  23. Playbook run

        # ansible-playbook playbooks/dbase/main.yml
        PLAY [dbservers] ****************************************
        TASK: [install package dbase] ***************************
        ok: [db1]
        TASK: [deploy dbase config] *****************************
        ok: [db1]
        TASK: [ensure dbased is running] ************************
        ok: [db1]
        NOTIFIED: [restart dbased] ******************************
        changed: [db1]
        PLAY RECAP **********************************************
        db1 : ok=1 changed=4 unreachable=0 failed=0
  24. Site playbook

        # cat /etc/ansible/site.yml
        - hosts: linux
          user: ansible
          become: true
          become_user: root
          roles:
            - common
            - sudo

        - include: playbooks/dbase/main.yml

        # For the Windows hosts
        - include: playbooks/nsclient/main.yml
  25. Templates
    Ansible uses the Jinja2 templating engine
    Variable substitution
    Loops
    Comments
    Conditionals
    Filters
    Ansible facts are available
    Puppet Facter facts are available (if installed)
    Chef's Ohai facts are available (if installed)
  26. Template deployment

        # cat playbooks/dbase/main.yml
        ---
        - name: deploy dbase config
          template:
            src: dbase.conf.j2
            dest: /etc/dbase/dbase.conf
            owner: root
            group: root
            mode: 0400

    Convention: Use the “.j2” extension to identify templates
  27. Templates

        # cat playbooks/dbase/dbase.conf.j2
        # Ansible information:
        #   Filename : {{ template_path | replace("/etc/ansible", "...") }}
        #   Filedate : {{ template_mtime | regex_replace("\..*$", "") }}
        #   Hostname : {{ template_host }}
        #
        dbase {
            passwd {{ secretpassword }};
        {% if ansible_os_family == "RedHat" -%}
            port 9910;       # Database port
        {% else -%}
            port 29910;      # Database port
        {% endif -%}
            host localhost;  # Database host
        }
        # (c) 2012-{{ ansible_date_time.year }} by {{ name }}
  28. Roles
    Playbooks grow large and become unreadable
    A standard way of organizing things
    Can easily be shared with others (Through Galaxy)
    Ansible role directory structure

        thisrole            Top of the role
          files             Role files
          handlers          Role handlers
            main.yml        Role handlers start
          tasks             Role tasks
            main.yml        Role starting point
          templates         Role templates
          vars              Role variables
            main.yml        Role variables start
  29. Roles in playbooks
    Using roles in playbooks

        - hosts: all
          roles:
            - common
            - users
            - sudo

        - hosts: webservers
          roles:
            - python-django
            - { role: nginx, when: ansible_os_family == 'RedHat' }

        - hosts: dbservers
          roles:
            - dbase
  30. Recap
    Entire Ansible configuration is in a git repo
    Use become for root commands
    Configure authorized_keys for connections
    Run ansible script every hour
    Log playbook runs to /var/log/ansible.log
    Use Ansible callbacks to give feedback
    Use roles as much as possible
    Make roles generic
    Define variables for site configuration
  31. Resources
    Website: http://www.ansible.com
    Documentation: http://docs.ansible.com
    IRC on Freenode: #ansible and #ansibleu
    Meetups: http://meetup.com/Ansible-Benelux
    Twitter: @ansible and @AnsibleBenelux
    Reddit: http://www.reddit.com/r/ansible
    Google Group: https://groups.google.com
    Twice a month DevOps newsletter: https://valdhaus.co
    Checkout and study the source from Github
  32. Please!!!!
    Contribute to Ansible code
    Contribute to Ansible documentation
    Use roles from Galaxy
    Share roles on Galaxy
    Visit Ansible Meetups
    Spread the Ansible word. . .
  33. Question Time!
    Questions??
    Contact me
    Ton.Kersten@ATComputing.nl
    http://www.atcomputing.nl
    https://github.com/tonk
    https://speakerdeck.com/tonk
    @TonKersten on Twitter
    TKersten on IRC
    Created with
    LaTeX Beamer
    Vim
    Poppler Tools
    LibreOffice
    ImageMagick
    Evince
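
The group_vars file on slide 15 keeps the WinRM password in plain text and sets certificate validation to `ignore`, and the slide itself says these settings belong in the Ansible Vault. The check below is an added example, not part of the original deck: it flags both settings in flat `key: value` variable files. The sample inputs are constructed from the slide, and `vault_ansible_password` is a hypothetical variable name.

```python
import re

# Constructed samples: the group_vars/windows content from slide 15, and a
# variant that reads the password from a vaulted variable (hypothetical name).
SLIDE_15 = """\
ansible_user: ansible@EXAMPLENET.LOCAL
ansible_password: MySecretPassword
ansible_become: False
ansible_port: 5986
ansible_module_lang: cp1252
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""
HARDENED = """\
ansible_user: ansible@EXAMPLENET.LOCAL
ansible_password: "{{ vault_ansible_password }}"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: validate
"""

SECRET_KEY = re.compile(r"(password|passwd|secret|token)", re.I)

def parse_flat_vars(text):
    """Parse flat 'key: value' lines; enough for simple group_vars files."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip().strip("'\"")
    return out

def audit(text):
    """Return a sorted list of (key, finding) for risky connection settings."""
    findings = []
    if text.lstrip().startswith("$ANSIBLE_VAULT;"):
        return findings  # the whole file is vault-encrypted
    for key, value in parse_flat_vars(text).items():
        indirect = value.startswith("{{") or value.startswith("!vault")
        if SECRET_KEY.search(key) and value and not indirect:
            findings.append((key, "plaintext secret"))
        if key == "ansible_winrm_server_cert_validation" and value == "ignore":
            findings.append((key, "TLS certificate validation disabled"))
    return sorted(findings)
```

Running `audit()` over every file under `group_vars/` and `host_vars/` before a commit catches these settings before they reach the git repo mentioned in the recap.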