Introducing Ansible Francesco Pantano [email protected] March 7, 2016


#Outline

1 A day in the life of a sysadmin

2 Automation

3 Introducing Ansible

4 Ansible Playbooks: beyond the Basics

5 Roles and Includes

6 Automating Your Automation


The timeline

“We have the misfortune to be living in the present. In the future, of course, computers will be smart enough to just figure out what we want, and do it. Until then, we have to spend a lot of time telling the computer things it should already know.”


Keeping the configuration synchronized


Repeating changes across many servers

The command to create a new user account is slightly different for Red Hat Linux from the equivalent command for Ubuntu, for example. Solaris is a little different again.

Each command is doing basically the same job, but has differences in syntax, arguments, and default values.


Self-updating documentation

A new sysadmin joins your organization, and he needs to know where all the servers are, and what they do. Even if you keep scrupulous documentation, it can't always be relied on.

The only accurate documentation, in fact, is the servers themselves. You can look at a server to see how it's configured, but that only applies while you still have the machine. If something goes wrong and you can't access the machine, or the data on it, your only option is to reconstruct the lost configuration from scratch.

Wouldn't it be nice if you had a configuration document which was guaranteed to be up to date?


Version control, history, continuous integration

2 Automation

Why Automation?

Fast deployment time

It’s cheap and flexible

Scalability and support

Standard environments

Automation as a standardized approach

IT automation is a standard approach that combines multi-node software deployment, ad-hoc task execution and configuration management.


The Automation environment


IT Automation: Terminology

Idempotence: the ability to run an operation which produces the same result whether run once or multiple times

Inventory: hosts file that defines:

- the description of the nodes that can be accessed
- the IP address or hostname of each node
- node groups to run a different set of tasks
- node parameters such as username, password or ssh keys

Playbooks: they express configurations, deployment and orchestration in Ansible. Each Playbook maps a group of hosts to a set of roles. Each role is represented by calls to Ansible tasks.

3 Introducing Ansible

Quick Start

- Linux: run natively, e.g. on Fedora/RHEL/CentOS:

    yum -y install ansible

- Debian or Ubuntu:

    sudo apt-add-repository -y ppa:ansible/ansible
    sudo apt-get update
    sudo apt-get install -y ansible

Verify your installation

    $ ansible --version
    ansible 2.0.1.0
      config file = /etc/ansible/ansible.cfg
      configured module search path = Default w/o overrides


The inventory file

Where it is located

    /etc/ansible/hosts

What is the format

    [mailservers]
    mail.example.com

    [webservers]
    foo.example.com ansible_ssh_user=user001
    bar.example.com ansible_ssh_private_key_file=~/.ssh/ansible_key001

    [dbservers]
    one.example.com
    two.example.com
    db-[a:f].example.com


The inventory file

I can define a group of machines

    # Group 'multi' with all servers
    [multi:children]
    vm01
    vm02

    # Variables that will be applied to all servers
    [multi:vars]
    ansible_ssh_user=user001
    ansible_ssh_private_key_file=~/.ssh/pkey

...available parameters

https://docs.ansible.com/ansible/intro_inventory.html
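To make the inventory format concrete, the following added example (a simplified Python model, not part of the original slides and not Ansible's own parser) reads an INI inventory, expands host ranges such as `db-[a:f]`, and applies `[group:vars]` as defaults that host-level variables override. The sample inventory and the names `expand` and `parse_inventory` are constructed for illustration; `[group:children]` sections are skipped.

```python
import re

# Constructed sample in the INI inventory format shown on the slides.
SAMPLE = """\
[webservers]
foo.example.com ansible_ssh_user=user001

[dbservers]
one.example.com ansible_ssh_user=dba
db-[a:c].example.com
[dbservers:vars]
ansible_ssh_user=user002
"""

RANGE = re.compile(r"\[(\d+|[a-z]):(\d+|[a-z])\]")

def expand(pattern):
    """Expand one range such as db-[a:f] (letters) or web[01:03] (numbers)."""
    m = RANGE.search(pattern)
    if not m:
        return [pattern]
    lo, hi = m.groups()
    if lo.isdigit():
        items = [str(i).zfill(len(lo)) for i in range(int(lo), int(hi) + 1)]
    else:
        items = [chr(c) for c in range(ord(lo), ord(hi) + 1)]
    return [pattern[:m.start()] + i + pattern[m.end():] for i in items]

def parse_inventory(text):
    """Return {group: {host: vars}}; [group:vars] entries act as defaults."""
    groups, defaults, section, kind = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            groups.setdefault(section, {})
        elif kind == "vars":
            key, _, value = line.partition("=")
            defaults.setdefault(section, {})[key.strip()] = value.strip()
        elif kind == "":  # plain [group] section: one host pattern per line
            name, *pairs = line.split()
            for host in expand(name):
                groups[section][host] = dict(p.split("=", 1) for p in pairs)
    for group, gvars in defaults.items():
        for host, hvars in groups[group].items():
            groups[group][host] = {**gvars, **hvars}  # host-level values win
    return groups
```

Seeing the expanded host list and the effective per-host variables is a quick way to review which accounts and key files an inventory will actually use before running anything against it.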


The Ansible command line

- ansible-playbook
  Execute a playbook

- ansible-galaxy
  Roles management

- ansible example -a "free -m" -u [username]
  Run the free command on the example domain

- ansible example -m ping -u [username]
  Run the ping command on the example domain

- ansible atlanta -m copy -a "src=/etc/hosts dest=/tmp/hosts"
  File copy using the copy module

- ansible all -m user -a "name=foo password='crypted password here'"
  User and group management


Your first Ansible playbook

Host section

It is related to a section of the inventory file described above

    ---
    - hosts: webservers            # group name from the inventory file
      vars:
        http_port: 80
        max_clients: 200
      remote_user: root
      tasks:
        - name: ensure apache is at the latest version
          yum: name=httpd state=latest
        - name: write the apache config file
          template: src=/srv/httpd.j2 dest=/etc/httpd.conf
          notify:
            - restart apache       # triggers the handler below on change
        - name: ensure apache is running (and enable it at boot)
          service: name=httpd state=started enabled=yes
      handlers:
        - name: restart apache
          service: name=httpd state=restarted

Vars Section

Variables used by the tasks in order to parametrize them


Your first Ansible playbook

Task section

Groups of tasks that are performed on a certain set of hosts to allow them to fulfill the function you want to assign to them.

Notify section

This is not an internal Ansible command, it is a reference to a handler, which can perform certain functions when it is called from within a task.

Handlers section

Handlers are just like tasks, but they only run when they have been told by a task that changes have occurred on the client system.

Run the playbook

ansible-playbook playbook.yml

4 Ansible Playbooks: beyond the Basics

Playing with variables

    ---
    - hosts: example
      vars:
        foo: bar
      tasks:
        # Prints "'foo' is set to bar".
        - debug: msg="'foo' is set to {{ foo }}"

Variables always begin with a letter ([A-Za-z]), and can include any number of underscores (_) or numbers ([0-9]).

Variables can be passed in via the command line, when calling ansible-playbook, with the --extra-vars option:

    ansible-playbook example.yml --extra-vars "foo=bar"


Registering/Accessing variables

Send a command and register the result...

    - name: Get the value of the environment variable we just added.
      shell: "source ~/.bash_profile && echo $ENV_VAR"
      register: foo

...and then use it as before

    - name: Print the value of the environment variable.
      debug: msg="The variable is {{ foo.stdout }}"


Per-play environment variables

    # Set to 'absent' to disable proxy:
    proxy_state: present

    # In the 'tasks' section of the playbook:
    - name: Configure the proxy.
      lineinfile:
        dest: /etc/environment
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: "{{ proxy_state }}"
      with_items:
        - { regexp: "^http_proxy=", line: "http_proxy=http://example-proxy:80/" }
        - { regexp: "^https_proxy=", line: "https_proxy=https://example-proxy:443/" }
        - { regexp: "^ftp_proxy=", line: "ftp_proxy=http://example-proxy:80/" }

Doing it this way allows me to configure whether the proxy is enabled per-server, and with one play, set the http, https, and ftp proxies. You can use a similar kind of play for any other types of environment variables you need to set system-wide.
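The idempotence defined in the terminology slide can be seen in this proxy play. The following added example (a simplified Python model of `lineinfile`'s regexp/line/state behaviour, not Ansible's module code and not from the original slides) applies the three items to a constructed `/etc/environment` and counts how many report a change on each run; the function names are hypothetical.

```python
import re

def lineinfile(lines, regexp, line, state="present"):
    """Simplified model of lineinfile: returns (new_lines, changed)."""
    pattern = re.compile(regexp)
    hits = [i for i, text in enumerate(lines) if pattern.search(text)]
    if state == "absent":
        new = [t for t in lines if not pattern.search(t)]
    elif hits:
        new = list(lines)
        new[hits[-1]] = line          # replace the last matching line
    elif line in lines:
        new = list(lines)             # exact line already there: no change
    else:
        new = lines + [line]          # no match: append at end of file
    return new, new != lines

PROXY_ITEMS = [  # the with_items list from the slide
    ("^http_proxy=", "http_proxy=http://example-proxy:80/"),
    ("^https_proxy=", "https_proxy=https://example-proxy:443/"),
    ("^ftp_proxy=", "ftp_proxy=http://example-proxy:80/"),
]

def run_play(lines, proxy_state):
    """Apply every item once; return the file and the number of changed items."""
    changed = 0
    for regexp, line in PROXY_ITEMS:
        lines, did_change = lineinfile(lines, regexp, line, proxy_state)
        changed += did_change
    return lines, changed

# Constructed /etc/environment content with a stale proxy entry.
ENVIRONMENT = [
    'PATH="/usr/local/bin:/usr/bin:/bin"',
    "http_proxy=http://old-proxy:3128/",
]
```

A second run with the same `proxy_state` reports zero changes, so any change reported on a repeat run indicates that the file was modified outside the play.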

5 Roles and Includes

Roles and Includes

Ansible is very flexible when it comes to organizing your tasks in more efficient ways so you can make your playbooks more maintainable, reusable, and powerful. We are talking about:

- Includes
- Roles

Includes examples

    handlers:
      - include: included-handlers.yml
    tasks:
      - include: tasks/common.yml
      - include: tasks/apache.yml
      - include: tasks/mysql.yml


More about roles

Including playbooks inside other playbooks makes your playbook organization a little more sane, but once you start wrapping up your entire infrastructure's configuration in playbooks, you might end up with something resembling Russian nesting dolls. The solution comes with the keyword: roles.

Roles provide a way to take bits of configuration and packages and make them flexible so we can use them throughout our infrastructure, and we can include them in this way:

    roles:
      - yum-repo-setup
      - firewall
      - nodejs
      - app-deploy


Role essentials

Instead of requiring you to explicitly include certain files and playbooks in a role, Ansible automatically includes any main.yml files inside specific directories that make up the role.

Roles structure

There are only two directories required to make a working role:

    role_name/
      meta/main.yml
      tasks/main.yml

Ansible will run all the tasks defined in tasks/main.yml; you just need to include the created role using the following syntax:

    ---
    - hosts: all
      roles:
        - role_name

Your roles can live in a couple of different places in the default global Ansible role path, configurable in /etc/ansible/ansible.cfg.


Enter Ansible Galaxy: Be social

Wouldn't it be better if people could share roles for commonly-installed applications and services?

Helpful Galaxy commands

Some other helpful ansible-galaxy commands you might use from time to time:

- ansible-galaxy list displays a list of installed roles, with version numbers
- ansible-galaxy remove [role] removes an installed role
- ansible-galaxy init can be used to create a role template suitable for submission to Ansible Galaxy

6 Automating Your Automation

Ansible tower

Continuous integration

It's always good practice to use a continuous integration model inside your infrastructure

Go Over the CLI

- The business needs detailed reporting of infrastructure deployments and failures, especially for audit purposes.
- Team-based infrastructure management requires varying levels of involvement in playbook management, inventory management, and key and password access.
- A thorough visual overview of the current and historical playbook runs and server health helps identify potential issues before they affect the bottom line.
- Playbook scheduling can help ensure infrastructure remains in a known state.


Ansible tower


Thank you! Questions?

More examples at https://github.com/ansible/
