Ansible Berlin Meetup, @danvaida Ansible Berlin meetup 01/17

A quick intro to Ansible

Page 1: A quick intro to Ansible

Page 2: A quick intro to Ansible

STOP! Highly opinionated content ahead!

Press any key to continue…

Page 3: A quick intro to Ansible

Some fresh GitHub stats

dated 28.01.17 @ 2PM

$ curl -s https://api.github.com/repos/ansible/ansible | grep created_at
"created_at": "2012-03-06T14:58:02Z",
$ curl -s https://api.github.com/repos/saltstack/salt | grep created_at
"created_at": "2011-02-20T20:16:56Z",
$ curl -s https://api.github.com/repos/puppetlabs/puppet | grep created_at
"created_at": "2010-09-14T19:26:44Z",
$ curl -s https://api.github.com/repos/chef/chef | grep created_at
"created_at": "2009-01-15T20:40:48Z",

Page 4: A quick intro to Ansible

How can Ansible help?

It can:

be used for provisioning almost any part of your IT infrastructure

do configuration management on just about anything

fit right into your CI workflows for continuous-everything

orchestrate complex application deployments (yes, even of s-e-r-v-e-r-l-e-s-s apps*)

etc.

* You can provision an AWS S3 bucket and upload a NodeJS app or a static website there.

Page 5: A quick intro to Ansible

Taken from michaeldehaan.net/post/19090587784/ansible-architecture-diagram-as-posted

4 years old!

Page 6: A quick intro to Ansible

Thank you Ansible

• For helping me to successfully & completely bridge the gap between Devs and SysAdmins in 4 companies, over the course of almost 4 years

• For not using XML

• For powerful ad-hoc, reusable one-liners

• For not having a DSL

• For having such a gentle learning curve and fast getting-started process

• For not using agents/daemons with SSL/TLS certificates on custom ports

• For offering idempotence (i.e. ƒ(ƒ(x)) ≡ ƒ(x)) and helpful dry-runs

• For continuously expanding & improving the support for cloud providers (esp. AWS)

Page 7: A quick intro to Ansible

Tip: Configuration convergence

Although it can be configured, Ansible doesn’t work in pull mode by default. That means your hosts’ configuration might drift away sometimes (i.e. human intervention)

Fight for reaching 100% idempotence and dry-run support (i.e. changed_when, check_mode)

Annotate configuration files with {{ ansible_managed | comment }} to raise awareness

The days of servers having uptime measured in years or even months are long gone

Build your golden images with Ansible and decommission those VMs as often as you can (check out the Packer project by HashiCorp)

Page 8: A quick intro to Ansible

Tip: What version should you use?

For most cases a stable version from some package should be fine (i.e. pip install ansible==2.2)

If you run Ansible out of a checkout, you might wonder what to pick from git tag --list or git branch -r:

in general, branches are more stable than tags, so checking out origin/stable-2.2 is fine

however, sometimes a tag is more stable than a branch. For example, I prefer checking out v2.2.1.0-1 for a fresh/stable balance

it’s fairly easy to understand the micro versions and RC tags, but check out the schedule for regular meetings on IRC: github.com/ansible/community/blob/master/MEETINGS.md

This is based on what I’ve gathered from some Ansible core developers many months ago, but it seems to still be their release flow. See release announcements: groups.google.com/d/forum/ansible-announce

Page 9: A quick intro to Ansible

Configuring Ansible

ANSIBLE_CONFIG (env var)

./ansible.cfg

~/.ansible.cfg

/etc/ansible/ansible.cfg

See complete list here:

https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg

https://raw.githubusercontent.com/ansible/ansible/devel/lib/ansible/constants.py
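The lookup order above means a stray ansible.cfg in the current directory overrides the user and system files. The following added example (not from the slides, and not Ansible's own code) models that first-match-wins order and flags a winning file that other local users could have written; the function names are hypothetical.

```python
import os
import stat
from pathlib import Path


def candidate_configs(env, cwd, home):
    """Return (source, path) pairs in the lookup order listed on the slide."""
    candidates = []
    if env.get("ANSIBLE_CONFIG"):
        candidates.append(("ANSIBLE_CONFIG", Path(env["ANSIBLE_CONFIG"])))
    candidates.append(("cwd", Path(cwd) / "ansible.cfg"))
    candidates.append(("home", Path(home) / ".ansible.cfg"))
    candidates.append(("system", Path("/etc/ansible/ansible.cfg")))
    return candidates


def world_writable(path):
    """True if the 'other' write bit is set on a file or directory."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def resolve_config(env, cwd, home):
    """Return (source, path, warnings) for the first config file that exists."""
    for source, path in candidate_configs(env, cwd, home):
        if not path.is_file():
            continue  # a missing candidate falls through to the next one
        warnings = []
        if world_writable(path):
            warnings.append(f"{path} is world-writable")
        if source == "cwd" and world_writable(path.parent):
            # The file is picked up purely because of where the command runs.
            warnings.append(f"{path.parent} is world-writable, so other "
                            "local users control which ansible.cfg is found")
        return source, path, warnings
    return None, None, []


if __name__ == "__main__":
    source, path, warnings = resolve_config(os.environ, os.getcwd(), Path.home())
    print(f"effective config: {path} (from {source})")
    for warning in warnings:
        print(f"WARNING: {warning}")
```

Running it from a project directory before ansible-playbook shows which file takes effect and why.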

Page 10: A quick intro to Ansible

General nomenclature

Task - calls a module or action plugin with specific parameters

Handler - a special type of task, normally triggered by a task

Block - logical grouping of tasks (very useful for treating task failures)

Play - list of tasks applied to a list of hosts

Playbook - collection of plays, executed sequentially

Role - a grouped set of related tasks

Module - actual code that makes Tasks happen

Inventory - list of hosts, groups and variables

Fact - information collected from targeted hosts

Plugin - can be a callback, action or other hooks

Page 11: A quick intro to Ansible

Inventory

Static - it’s a simple way to get things started and works great for simple architectures

Dynamic

comes in handy for more complex architectures

can write your own script in any language as long as it returns JSON

recursively descends in all sub-folders and uses all contained files

built-in scripts for AWS, DigitalOcean, GCE, Vagrant, Docker, SoftLayer, Spacewalk, Azure, Rackspace, OpenStack, etc.

A combination of both (i.e. static grouping of dynamic inventories)

See the add_host and group_by action plugins for creating an in-memory, ephemeral inventory
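A dynamic inventory script only has to answer --list and --host with JSON. The following added example (not from the slides) shows the shape Ansible expects, including the _meta.hostvars key that lets --list return all host variables in one call; the host data is constructed sample data and the function names are hypothetical.

```python
#!/usr/bin/env python
import argparse
import json
import sys

# Constructed sample data standing in for a real source (cloud API, CMDB, ...).
SAMPLE_HOSTS = [
    {"name": "web1.example.com", "role": "webservers", "ip": "192.0.2.10"},
    {"name": "web2.example.com", "role": "webservers", "ip": "192.0.2.11"},
    {"name": "db1.example.com", "role": "databases", "ip": "192.0.2.20"},
]


def build_inventory(hosts):
    """Group hosts by role and collect per-host variables under _meta."""
    inventory = {"_meta": {"hostvars": {}}}
    for host in hosts:
        group = inventory.setdefault(host["role"], {"hosts": [], "vars": {}})
        group["hosts"].append(host["name"])
        inventory["_meta"]["hostvars"][host["name"]] = {"ansible_host": host["ip"]}
    # A static-style parent group layered on top of the generated groups.
    inventory["production"] = {
        "children": sorted(name for name in inventory if name != "_meta")
    }
    return inventory


def host_vars(hosts, name):
    """Answer --host <name>; unknown hosts get an empty dict."""
    return build_inventory(hosts)["_meta"]["hostvars"].get(name, {})


def main(argv=None):
    parser = argparse.ArgumentParser(description="Example dynamic inventory")
    mode = parser.add_mutually_exclusive_group(required=True)
    mode.add_argument("--list", action="store_true")
    mode.add_argument("--host")
    args = parser.parse_args(argv)
    if args.list:
        result = build_inventory(SAMPLE_HOSTS)
    else:
        result = host_vars(SAMPLE_HOSTS, args.host)
    json.dump(result, sys.stdout, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Made executable and passed with -i, the script is run on the control machine with the invoking user's privileges, so it deserves the same review as a playbook.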

Page 12: A quick intro to Ansible

Modules

90 AWS

50 OpenStack

26 Rackspace

26 VMware

20 Azure

13 GCE

5 Digital Ocean

…

Total: ≈ 770*

*Includes deprecated modules, as reported by ansible-doc --list

Page 13: A quick intro to Ansible

Sensitive data, meet Ansible Vault!

Since Ansible 2.1, “the copy module can now transparently use a vaulted file as source”. That’s great for things such as certificate keys.

automation friendly: --vault-password-file or ANSIBLE_VAULT_PASSWORD_FILE (env var)

pip install cryptography for better performance

Page 14: A quick intro to Ansible

Facts

Grab information from the hosts

On by default

Can use ohai (Chef) / facter (Puppet) or other custom facts modules (i.e. to gather information from network devices, etc.)

Help write resources-specific templates (i.e. nginx worker_processes, elasticsearch ES_HEAP_SIZE)

Powerful complement to the inventory facts

Page 15: A quick intro to Ansible

Hosts targeting

You can apply AND, OR, NOT on top of simple or complex inventory scripts:

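ansible -m ping 'webservers:databases'    # OR: hosts in either group

ansible -m ping 'webservers:!databases'   # NOT: webservers that are not databases

ansible -m ping 'webservers:&databases'   # AND: hosts in both groups

ansible -m ping 'webservers:&databases:!loadbalancers'   # quoted so the shell leaves & and ! alone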
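How those patterns combine, as an added example that is not from the slides and not Ansible's own code: plain terms are unioned first, then & terms intersect, then ! terms subtract, regardless of the order they are written in. It assumes terms are group names or all (no globs or hostnames), and the group data is constructed.

```python
# Constructed sample groups; host names are placeholders.
SAMPLE_GROUPS = {
    "webservers": {"web1", "web2", "all-in-one", "shared1"},
    "databases": {"db1", "all-in-one", "shared1"},
    "loadbalancers": {"lb1", "all-in-one"},
}


def match_hosts(pattern, groups):
    """Resolve a colon-separated pattern to a sorted list of hosts."""
    everything = set().union(*groups.values())

    def members(name):
        if name == "all":
            return everything
        if name not in groups:
            raise KeyError(f"unknown group: {name}")
        return set(groups[name])

    regular, required, excluded = [], [], []
    for term in pattern.split(":"):
        if term.startswith("&"):
            required.append(term[1:])
        elif term.startswith("!"):
            excluded.append(term[1:])
        else:
            regular.append(term)

    selected = set()
    # A pattern with only & or ! terms starts from every host.
    for name in regular or ["all"]:
        selected |= members(name)   # OR
    for name in required:
        selected &= members(name)   # AND
    for name in excluded:
        selected -= members(name)   # NOT
    return sorted(selected)


if __name__ == "__main__":
    for pattern in ("webservers:databases", "webservers:!databases",
                    "webservers:&databases",
                    "webservers:&databases:!loadbalancers"):
        print(pattern, "->", match_hosts(pattern, SAMPLE_GROUPS))
```

Because exclusions are applied last, a ! term always wins, which makes it a useful guard when a broad pattern is pointed at production groups.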

Page 16: A quick intro to Ansible

Ansible Binaries

ansible-doc

ansible-vault

ansible-playbook

ansible

ansible-galaxy

ansible-pull

ansible-container (separate tool)

Page 17: A quick intro to Ansible

Tips/Gotchas

Don’t forget: every task creates a new SSH connection (new ENV, etc.)

Tag all the things

Set a default for every variable

You’re not cool if you use ansible-pull, vars_prompt or the prompt parameter of the pause module

By default, every task copies the script to execute to the destination machine and removes it after the script runs (or times out). Fire and forget. Can be changed with pipelining

Increase the # of forks if you target >= 5 hosts

Use SSH multiplexing (ControlPersist) for improved performance

Page 18: A quick intro to Ansible

Community & Resources

IRC (#ansible on Freenode)

Mailing lists on Google Groups

GitHub

Ansible Galaxy (the best Ansible content, shared and re-used)

Docs (nice examples of use cases)

Books

Free, live Webinars (everything from intro to complex scenarios)

Page 19: A quick intro to Ansible

Recommended reading material