Download - Am I Idempotent?
Am I Idempotent? A silly game
Dennis Rowe @shr3kst3r
Some Definitions of Idempotent
๏ Math version: f(f(x)) = f(x) ‣ example: identity function applied to x equals x
๏ CS version: Applying an action multiple times has the same result as applying the same action once. ‣ example: mkdir -p /hi
๏ Ansible version: “The concept that change commands should only be applied when they need to be applied, and that it is better to describe the desired state of a system than the process of how to get to that state.” - http://docs.ansible.com/ansible/glossary.html
What are we looking for? Repeatability
Reliability Resiliency
* The 3R’s taken from the talk “The Twelve-Factor Container” by Casey West
Why is Idempotency Important? (the CS version)
๏ Consistency among servers ‣ This removes drift in the system ‣ This removes surprises ‣ This leads to
- Repeatability
- Reliability
- Resiliency
๏ A server that can be reasoned about ‣ Cannot reliably fix problems that you don’t understand.
Game Time
Am I idempotent?
main.yml - name: ensure /etc/hosts template: src=etc/hosts dest=/etc/hosts
hosts {% for name in hosts %} {{ hosts[name] }} {{ name }} {% endfor %}
No Dictionaries are not sorted
hosts file should have a “sort” {% for name in hosts|sort %} {{ hosts[name] }} {{ name }} {% endfor %}
Am I idempotent?
Input - name: make a directory command: mkdir -p /var/tmp/test
Output TASK [make a directory] ************************ changed: [localhost]
Yes But why?
Am I idempotent?
Input - name: make a directory command: mkdir -p /var/tmp/test changed_when: False
Output TASK [make a directory] ********************** ok: [localhost]
Yes But how is it different from the previous example?
Am I idempotent?
Input - name: make a file command: touch /tmp/test_file changed_when: False
Output TASK [make a file] ******************** ok: [localhost]
Not really What happens on reboot?
Am I idempotent?
Input - file: path=/tmp/a_dir state=directory
Output TASK [file] ************** ok: [localhost]
Not really But Ansible says it is green!?
Am I idempotent?
Input - file: path=/a_dir state=directory mode=0755 - file: path=/a_dir state=directory mode=0700
Output TASK [file] *********** changed: [localhost]
TASK [file] *********** changed: [localhost]
Yes But it will always show changed to Ansible
Am I idempotent?
Input - file: path=/a_dir state=directory - file: path=/a_dir state=directory mode=0700
Output TASK [file] ************** ok: [localhost]
TASK [file] ************** ok: [localhost]
Yes
Am I idempotent?
Input - user: name=johnd comment="John Doe" uid=1040 group=admin - user: name=johnd state=absent remove=yes
Output TASK [user] ************** changed: [localhost]
TASK [user] ************** changed: [localhost]
Yes But there are consequences
Thoughts
๏ There is only a casual correlation between idempotency and Ansible’s changed notifications
๏ We are more interested in the idempotency of the playbook(s) ๏ Factors like time and reboots can affect the perceived idempotency of a playbook ๏ Don’t let the green lead you in to a false sense of security ๏ You have to understand how the systems works ๏ Side affects are hard
The End
Dennis Rowe @shr3kst3r