Go Faster with Ansible (AWS meetup)


Go Faster with Ansible
AWS Bath Meetup

Richard Donkin
@rdonkin

$ whoami
• Richard Donkin
• DevOps engineer / contractor
• Ansible, Packer, Vagrant, Docker, Linux, AWS, databases, …
• Experience of sys admin, DevOps, backend dev, architecture, startups, …

@rdonkin linkedin.com/in/rdonkin www.tempohq.net

Goal: Faster Correct Setup

Servers
Apps
Developers

• Correct configuration
• No snowflake servers
• Dev, Test, Production

Infrastructure As Code

Software processes and tools for infrastructure configuration

What Ansible Does

Configuration Management
• Code that controls config

App Deployment

Orchestration
• Sequence operations on servers, APIs, etc.

Why Ansible?
• Agentless & serverless
• Simple
• Sequential
• Declarative tasks
  - “Ensure nginx installed”
  - Enables idempotence
• Easy to learn
• Scales to complex cloud orchestration

Quick Install

Mac:
brew install ansible

Debian/Ubuntu:
sudo apt-add-repository ppa:ansible/ansible
sudo apt-get install -y ansible

RHEL/CentOS: use EPEL, then:
sudo yum -y install ansible

Any Linux (latest Ansible, requires Python):
sudo easy_install pip
sudo pip install ansible

Hello PHPMailer
Playbooks
Tasks
Idempotence

Key Concepts

Playbook = series of tasks
• Targets one server or thousands
• Servers defined by Inventory

Task = "ensure X is done" action

Play = set of tasks in playbook

Running a Playbook (1)

Running a Playbook (2)

Tasks will "skip" if state already OK (Idempotence)

Writing a Playbook

Play – hosts to process, become == sudo
Tasks
- descriptive name
- invoke module (apt) with parameters

[Screenshot callouts: Play, Task]

The Secret Life of Tasks

Each task runs SSH commands that
• Upload a Module (e.g. apt)
• Run module with task's parameters
• Return JSON output

Inventory and Variables

Group your servers & assign parameters

[web]
10.0.1.51
10.0.1.52

[db]
10.0.1.61

[web:vars]
ansible_port=2222

$ ansible-playbook -i prod apache.yml --limit web

Ansible conditions based on groups and vars
(Typically) inventory file for dev, test, prod, ...

AWS Dynamic Inventory

Generated by ec2.py from AWS API
• EC2 instances, Route53, RDS, …
• Many params per instance, inc. one per tag
• Groups for regions, AZs, and Tags:

ansible tag_KEY_VALUE -m ping

Apache Playbook (1)

Vars = parameters for this playbook
Can be in separate include files
Or attach to hosts or host-groups in Inventory
- e.g. Listening IP address should be in inventory

Apache Playbook (2)

template task runs Jinja2 on local file and copies to server
notify sends event to Handler
- Each Handler runs just once, at end of whole playbook
- Restart a service, notify Slack, ...

Apache Playbook (3)

service task uses systemctl to enable start on boot
- {{ apache_service }} instantiates var with Jinja2
Handler restarts apache at end if any task does a notify
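The three Apache Playbook slides pulled together, as an added example (not the playbook shown in the talk): playbook vars, a template task that notifies a handler, and a service task using {{ apache_service }}. The package name, file paths, port value and template file are assumptions for a Debian/Ubuntu target.

```yaml
# apache.yml - constructed example; names, paths and values are assumptions
- hosts: web
  become: yes                       # become == sudo
  vars:
    apache_package: apache2         # Debian/Ubuntu naming (assumed target)
    apache_service: apache2
    apache_listen_port: 8080
    # apache_listen_address is deliberately NOT set here: it belongs in the
    # inventory (per host or group), so the play fails on an undefined
    # variable rather than silently listening on a default address.

  tasks:
    - name: Ensure Apache is installed
      apt:
        name: "{{ apache_package }}"
        state: present
        update_cache: yes

    # Hypothetical local file templates/ports.conf.j2 containing one line:
    #   Listen {{ apache_listen_address }}:{{ apache_listen_port }}
    - name: Ensure ports.conf is rendered from the local template
      template:
        src: templates/ports.conf.j2
        dest: /etc/apache2/ports.conf
        owner: root
        group: root
        mode: "0644"                # config readable, writable only by root
      notify: restart apache        # only fires if the file actually changed

    - name: Ensure Apache is running and enabled on boot
      service:
        name: "{{ apache_service }}"
        state: started
        enabled: yes

  handlers:
    # Runs once, after the tasks, no matter how many tasks notified it
    - name: restart apache
      service:
        name: "{{ apache_service }}"
        state: restarted
```

On a second run with nothing changed, the template task reports no change and the handler does not run, which is the idempotence the earlier slides describe.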

Apache Playbook
Playbooks
Variables
Handlers

Modules

Over 840 modules "in the box"
- Git, yum, apt, compose, pip, gem, …
- Files: copy, template, edit, …
- Permissions, ownership, SELinux
- MySQL, PostgreSQL, MongoDB, ...

Targets:
- Linux, Windows, Mac, Docker, VMs
- AWS, Azure, GCP, network devices

Anything with an API or CLI

AWS Security Groups

Define security groups as vars in YAML
• Format defined by your playbook
• Each has list of rules (ingress and egress)

AWS Security Groups

Playbook applies all groups in a list

Roles

"Modularised playbooks"
- Split playbook into folder per type of content
- defaults folder for "parameter vars"
- vars folder for "role vars" – hard to override
- meta folder for role dependencies

Vars

Tasks

Handlers

Apache + PHP playbook

Apache role

PHP role

Roles

Use Roles for everything!
Skinny playbooks + modular roles
Ideal playbook only calls roles, not tasks

Typical roles:
• create-vpc
• create-instances
• base, apache, php, redis
• deploy-app

"Wrapper roles" to invoke third party roles

Ansible Galaxy

Hub for 1000s of roles: galaxy.ansible.com

Discovery: Galaxy, GitHub, blogs, …

Assess quality carefully

Install the roles needed by project:
ansible-galaxy install -r requirements.yml

Pin the role to a version or Git commit
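What pinning looks like in requirements.yml, as an added example (not a file from the talk). The version numbers, the Git URL and the commit SHA are placeholders to be replaced with values you have reviewed.

```yaml
# requirements.yml - constructed example; versions, URL and SHA are placeholders

# Unpinned (avoid): every install pulls whatever the author published last,
# so two environments built a week apart can run different role code.
# - src: geerlingguy.apache

# Pinned to a released version on Galaxy
- src: geerlingguy.apache
  version: "X.Y.Z"                    # placeholder: the release you reviewed

# Pinned to an exact Git commit
- src: https://github.com/example-org/ansible-role-php.git   # hypothetical repository
  scm: git
  version: "<full-40-character-commit-sha>"                  # placeholder
  name: php                           # local role name used in playbooks
```

A Git tag can later be moved to different code, while a full commit SHA cannot, so the SHA form is the stricter pin for third-party roles.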

Testing Infra Code

Basic testing:
- Separate test playbook using Vagrant VM
- Travis CI popular for open source
- Smoke test at end of playbook:

Test frameworks:
- Test-Kitchen, ServerSpec, InSpec, testinfra
- Run whole series of tests - easier diagnosis

Drupal VM

Create a VM with one command: vagrant up
Ansible: 37 roles, 630 tasks, 7,200 lines of code

Resources

Book: Ansible for DevOps by Jeff Geerling – regular updates

Help: Stack Overflow, Ansible IRC + email lists

Roles:
• Geerlingguy roles – wide range – pragmatic & well maintained
• Ansistrano: Deploying PHP apps demo (atomic model)

Projects:
• Drupal-VM – http://drupalvm.com
• Trellis - https://roots.io/trellis/ - very complete WordPress setup
• Use example project – requires node, bower & gulp

Best practices: Ansible.com, blogs by Leucos and Nylas

Podcasts: Arrested DevOps – general DevOps and Infra as Code

Thank You

Richard Donkin

@rdonkin

linkedin.com/in/rdonkin

www.tempohq.net

Infrastructure as Code

Software processes for cloud resources and server configs:
• Code review
• Version control
• Automated tests
• Automated push to servers

Rapid Growth in Ansible Activity

• Google Trends
• 5 years to Jan 2017

One Liners

Ad hoc command on single host, or group from inventory

Trellis: Modern WordPress

Near Twelve Factor WordPress
• Dev to Prod
• PHP 7.1, A+ SSL, HTTP/2, WP-CLI, …
• Example: rightsinfo.org

Related roots.io projects:
• Bedrock (WP boilerplate)
• Sage (starter theme)
• Some commercial add-ons

Example project (blog post):
• Install node, gulp, bower, Vagrant plugins
• vagrant up
• Some fixes required for Ansible 2.2

Advanced: Write a Module

Much more common to write a role

Required for major new features:
• New API
• New package tool
• New container format

Most modules written in Python
Any language is fine:
• PHP, C, Go, Perl, PowerShell, ...
