a tour of ansible

Provisioning, Config, Execution, (more) Fun

Upload: devops-ltd

Post on 16-Jul-2015


WHO AM I?

Steve Pereira

18 years in IT Startups and Enterprise

Love learning about, teaching and talking about:

• DevOps
• CI/CD
• Automation
• Scale

ANSIBLE FEATURES

• Automation for local and remote system provisioning

• Automation for local and remote applications deployment

• No agents to install on remote systems

• Using existing SSHd on remote systems and native SSH on host

• Parallel by default - scale to 6000 targets with single master

• Language that approaches plain English

ANSIBLE CONVENTIONS

Playbooks - contain required tasks to configure systems and deploy

Tasks - individual actions to perform on remote or local machines

Roles - modular, single-purpose configurations for systems

Inventory - files containing address information of target machines

Handlers - actions triggered by tasks

Templates - customizable files destined for managed machines

MINIMUM VIABLE ANSIBLE

    $ ansible all -i 'localhost,' -c local -m ping

    localhost | success >> {
        "changed": false,
        "ping": "pong"
    }

WHAT ELSE?

• ansible webservers -m setup

• ansible lb -m copy -a "src=hosts dest=/tmp/hosts"

• ansible webservers -m yum -a "name=curl state=installed"

• ansible webservers -m service -a "name=nginx state=restarted"

• ansible-doc -l

PLAYBOOKS

example_playbook.yml

    ---
    - hosts: webservers
      vars:
        http_port: 80
        max_clients: 200
      remote_user: root
      tasks:
      - name: ensure apache is at the latest version
        yum: pkg=httpd state=latest
      - name: write the apache config file
        template: src=/srv/httpd.j2 dest=/etc/httpd.conf
        notify:
        - restart apache
      - name: ensure apache is running (and enable it at boot)
        service: name=httpd state=started enabled=yes
      handlers:
        - name: restart apache
          service: name=httpd state=restarted


ROLES

    my_role/
        README.md (readme)
        defaults/ (default values)
        meta/ (role metadata)
        files/ (binaries)
        templates/ (file templates)
        handlers/ (operation handlers)
        tasks/ (playbook files)
        vars/ (custom variables)

• Easily packaged and shared

• Download community roles

• Mix and match

INVENTORY

• Define how ansible will interact with remote hosts

• Define logical groups of managed nodes

• One file for each environment

• Default location : /etc/ansible/hosts

• INI format, variable overrides

sample_inventory.ini

    [loadbalancers]
    10.20.30.41
    10.20.30.42

    [webservers]
    10.20.30.51 hostname=artemis
    10.20.30.52 hostname=apollo

TEMPLATES

• Use Jinja2 templating and variables to customize

• Defaults available when variables not provided (dev default with prod override)

etc_logrotate.d.j2

    {{ logfile }} {
        rotate {{ rotate_max | default(7) }}
        {{ frequency | default('daily') }}
        compress
        missingok
        notifempty
    }

IT CAN GET FANCY

    tasks:
    - name: install packages in a users virtualenv
      shell: su - {{ item[0] }} -c '(. ./bin/activate && pip install {{ item[1] }})'
      with_nested:
        - [ 'jim', 'joe', 'jack' ]
        - [ package1==1.1, package2==1.2, package3==1.3 ]

There are several types of loops: Hashes, Fileglobs, Sequence, Subelements, First match, Command results, Random and more

but there’s a builtin pip module, anyways.
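The nested loop above rewritten around the built-in pip module, as an added example that is not part of the original slides. The virtualenv path, the venv_users and pinned variable names, and the name/version split are assumptions; the second task shows the quote filter for cases where a shell line cannot be avoided.

```yaml
---
# Added example, not from the original slides. Assumed: each user's
# virtualenv lives at /home/<user>/venv; venv_users and pinned are
# illustrative variable names.
- hosts: webservers
  vars:
    venv_users: [ 'jim', 'joe', 'jack' ]
    pinned:
      - { name: package1, version: "1.1" }
      - { name: package2, version: "1.2" }
      - { name: package3, version: "1.3" }
  tasks:
    - name: install pinned packages in each user's virtualenv
      pip:
        name: "{{ item[1].name }}"
        version: "{{ item[1].version }}"
        virtualenv: "/home/{{ item[0] }}/venv"
      become: yes
      become_user: "{{ item[0] }}"    # replaces the su - <user> -c wrapper
      with_nested:
        - "{{ venv_users }}"
        - "{{ pinned }}"

    # Shell fallback: every templated value goes through the quote filter,
    # so a value with spaces or shell metacharacters stays one argument
    # instead of being interpreted by the shell.
    - name: report the installed version of each package
      shell: ". bin/activate && pip show {{ item[1].name | quote }}"
      args:
        chdir: "/home/{{ item[0] }}/venv"
      become: yes
      become_user: "{{ item[0] }}"
      changed_when: false             # read-only check, never reports a change
      with_nested:
        - "{{ venv_users }}"
        - "{{ pinned }}"
```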

CONDITIONALS

    tasks:
      - command: /bin/false
        register: result
        ignore_errors: True
      - command: /bin/something
        when: result|failed
      - command: /bin/something_else
        when: result|success
      - command: /bin/still/something_else
        when: result|skipped

The result of a play can depend on the value of a variable, fact (something learned about the remote system), or previous task result.

MORE CONDITIONALS!

If a required variable has not been set, you can skip or fail using Jinja2’s defined test. For example:

    tasks:
      - shell: echo "I've got '{{ foo }}'"
        when: foo is defined

      - fail: msg="This play requires 'bar'"
        when: bar is not defined

      - command: echo {{ item }}
        with_items: [ 0, 2, 4, 6, 8, 10 ]
        when: item > 5

SIMPLE, POWERFUL BUILTINS

• 261 built-in modules

• Many cloud providers, packages and tools are integrated

• Easily add your own in any language

examples:

• ec2 - Create, terminate, start/stop an instance
• docker - Manage docker containers
• hipchat - Send a message to hipchat
• s3 - manage objects in S3
• twilio - Sends a text message to a phone
• win_service - Manages Windows services
• zfs - Manage zfs

SMOOTH OPERATION

• Get and set variables easily

• Simple variable precedence

• Ordered, predictable execution

• Tagged, resumable execution

• ansible-doc [foo]

SECURITY

• Can be centralized and locked down via Ansible Tower

• Can be run from a centralized bastion server

• Vault encrypts sensitive data

• Uses ordinary SSH, paramiko or custom transport plugins

• No extra open ports, use your own user account, sudo!

• No agents to update or risk vulnerabilities
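The "use your own user account, sudo!" and Vault points applied to the earlier apache playbook, as an added example that is not part of the original slides. The deploy account, vars/vault.yml, the vault_htpasswd_line variable and the .htpasswd path are assumed names.

```yaml
---
# Added example, not from the original slides. Assumed names: the "deploy"
# account, vars/vault.yml, vault_htpasswd_line and the .htpasswd path.
#
# Encrypt the secrets file once:  ansible-vault encrypt vars/vault.yml
# Run with the vault password:    ansible-playbook -i sample_inventory.ini \
#                                   example_playbook.yml --ask-vault-pass
- hosts: webservers
  remote_user: deploy        # SSH in as an unprivileged account, not root
  become: yes                # tasks run through sudo on the target
  become_method: sudo
  vars_files:
    - vars/vault.yml         # stays encrypted at rest and in version control
  tasks:
    - name: ensure apache is installed
      yum: name=httpd state=present

    - name: write the apache config file
      template:
        src: /srv/httpd.j2
        dest: /etc/httpd.conf
        owner: root
        group: root
        mode: "0644"         # explicit ownership and mode, not inherited
      notify:
        - restart apache

    - name: write basic-auth credentials taken from the vault
      copy:
        content: "{{ vault_htpasswd_line }}\n"
        dest: /etc/httpd/.htpasswd
        owner: root
        group: apache
        mode: "0640"
      no_log: true           # keep the secret out of task output and logs

  handlers:
    - name: restart apache
      service: name=httpd state=restarted
```

Add --ask-become-pass when sudo on the targets requires a password.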

ADVANCED CAPABILITIES

• Rolling updates/deployment/orchestration (1, 5, n at a time)

• Canary testing (check for page content or response code)

• Variable timeouts and parallelism

• Ansible-pull to invert execution - nodes check in to a master

MORE INFORMATION

https://docs.ansible.com

https://docs.ansible.com/playbooks_best_practices.html

https://galaxy.ansible.com

https://github.com/ansible/ansible-examples

QUESTIONS?

@steveElsewhere

http://linkedin.com/in/devopsto

THANK YOU!

http://devopsdays.org/events/2015-toronto (shameless plug)