Ansible: Automation to Rule them ALL!
//live event Mar 1, 2017
//today’s expedition
Introductions
Ansible - What is it?
Orchestration/Integration Demo
Ansible Tower
Tower and Lifecycle Demo
Ansible + Windows
Ansible for Networks
What’s Next?
//arctiq’s wheelhouse
//arctiq’s focus - mvp and business value
Trending, Visibility, and Feedback Loops
Security Hardening and Access Management
Automation and Orchestration
Standardization, Hardened Imaging, Centralized Management, and Audit Reporting
DEVELOPERS
Self-Service
Managed Container Platform
Fail-Fast + Fix-Fast Mindset
Freedom to Focus on Development
THE BUSINESS
Time-to-Market Advantages
Operational Efficiencies
Quality Software
Speed and Agility
IT OPERATIONS
Standardized Frameworks
Automated Repeatable Tasks
Simplified Infrastructure
Improved Security
//ansible automation
MODERNIZE: Automate existing processes; Manage legacy like DevOps
DEVOPS: Model everything; Deploy continuously
MIGRATE: Define applications once; Re-deploy anywhere
//ansible for everyone
SIMPLE: Human readable automation; No special coding skills needed; Tasks executed in order; Get productive quickly
POWERFUL: App deployment; Configuration management; Workflow orchestration; Orchestrate the app lifecycle
AGENTLESS: Agentless architecture; Uses OpenSSH & WinRM; No agents to exploit or update; More efficient & more secure
//how ansible works
[diagram: USERS write an ANSIBLE PLAYBOOK; ANSIBLE’S AUTOMATION ENGINE (INVENTORY, API, MODULES, PLUGINS) is fed by PUBLIC / PRIVATE CLOUD and CMDB and targets HOSTS and NETWORKING]
//how ansible works
PLAYBOOKS ARE WRITTEN IN YAML
Tasks are executed sequentially
Invokes Ansible modules
//how ansible works
MODULES ARE “TOOLS IN THE TOOLKIT”
Python, PowerShell, or any language
Extend Ansible simplicity to entire stack
//how ansible works
INVENTORY
[web]
webserver1.example.com
webserver2.example.com

[db]
dbserver1.example.com
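The inventory above is the INI format that a play's `hosts:` line is resolved against, and knowing exactly which machines `hosts: all` expands to is the first thing a reviewer checks before a run. As an added example (not code from the deck or from Ansible itself), the block below parses the slide's `[web]` and `[db]` groups, embedded as constructed sample input together with an extra ungrouped host and a `[group:children]` section, and resolves host patterns using Ansible's documented `:` (union), `:&` (intersection) and `:!` (exclusion) operators. Group variables and wildcards are not modelled.

```python
"""Parse an INI-style Ansible inventory and resolve 'hosts:' patterns.

Added example, not code from the deck or from Ansible itself. The [web] and
[db] groups from the slide are embedded below as constructed sample input,
with one extra host and one [group:children] section to exercise nesting.
Only the inventory syntax used here is handled: [group], [group:children]
and [group:vars] headers, comments, and the implicit 'all' and 'ungrouped'
groups. Pattern handling follows Ansible's documented ':' (union),
':&' (intersection) and ':!' (exclusion) operators; wildcards are not supported.
"""

# Constructed sample inventory (ungrouped hosts must precede the first header).
SAMPLE_INVENTORY = """
bastion.example.com

[web]
webserver1.example.com
webserver2.example.com

[db]
dbserver1.example.com   # inline comment

[datacenter:children]
web
db
"""


def parse_inventory(text):
    """Return {group: set(hosts)}, with children groups expanded into parents."""
    groups = {"all": set(), "ungrouped": set()}
    children = {}                      # parent group -> [child group names]
    current, mode = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.endswith(":children"):
                current, mode = name[: -len(":children")], "children"
                children.setdefault(current, [])
            elif name.endswith(":vars"):
                current, mode = name[: -len(":vars")], "vars"   # group vars are not modelled
            else:
                current, mode = name, "hosts"
            groups.setdefault(current, set())
        elif mode == "hosts":
            host = line.split()[0]     # drop any inline key=value host variables
            groups[current].add(host)
            groups["all"].add(host)
        elif mode == "children":
            children[current].append(line)
            groups.setdefault(line, set())

    def expand(group, seen=()):
        hosts = set(groups.get(group, set()))
        for child in children.get(group, []):
            if child not in seen:      # a cycle in a bad inventory must not recurse forever
                hosts |= expand(child, seen + (group,))
        return hosts

    return {g: expand(g) for g in groups}


def resolve_pattern(inventory, pattern):
    """Resolve a play's 'hosts:' pattern to a sorted host list.

    Ansible evaluates all plain parts as a union first, then applies '&' parts as
    an intersection and '!' parts as an exclusion, regardless of their order.
    """
    def members(name):
        if name in inventory:
            return set(inventory[name])
        return {name} if name in inventory["all"] else set()

    include, intersect, exclude = set(), None, set()
    for part in pattern.replace(",", ":").split(":"):
        part = part.strip()
        if not part:
            continue
        if part.startswith("!"):
            exclude |= members(part[1:])
        elif part.startswith("&"):
            found = members(part[1:])
            intersect = found if intersect is None else intersect & found
        else:
            include |= members(part)
    if intersect is not None:
        include &= intersect
    return sorted(include - exclude)


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for pattern in ("all", "web", "web:db", "datacenter:&db", "web:!webserver1.example.com"):
        print("%-32s -> %s" % (pattern, resolve_pattern(inv, pattern)))
```

Running the block prints the expansion of each pattern against the sample inventory; the same `resolve_pattern` call is what you would run over a real inventory file before approving a play that targets `all`.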
//how ansible works
CMDB
CLOUD: OpenStack, VMware, EC2, Rackspace, GCE, Azure, Spacewalk, Hanlon, Cobbler
CUSTOM CMDB
//playbook example
---
- name: install and start apache
  hosts: all
  vars:
    http_port: 80
    max_clients: 200
  remote_user: root
  tasks:
    - name: install httpd
      yum: pkg=httpd state=latest
    - name: write the apache config file
      template: src=/srv/httpd.j2 dest=/etc/httpd.conf
    - name: start httpd
      service: name=httpd state=started
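The play above uses Ansible's `key=value` shorthand for module arguments and connects as `root` to every host in the inventory. As an added example (not code from the deck or from the Ansible project), the block below shows how that shorthand is parsed into a dictionary and then runs a few review rules over the slide's play, which is transcribed into a plain Python structure so no YAML library is needed (the service task is written with `state=started`, the current spelling of the start action). The rules themselves are the author's own, modelled on what a playbook reviewer flags: logging in as root instead of using `become` per task, a play scoped to `all`, unpinned `state=latest`, and free-form command modules such as `shell`, `raw`, `script` and `win_shell`. They are not Ansible's built-in validation, and the module and keyword lists are deliberately short.

```python
"""Parse Ansible's key=value task shorthand and review a play for risky settings.

Added example, not code from the deck or from the Ansible project. The play from
the slide is transcribed below as a plain Python structure (constructed by hand,
so no YAML library is needed). The review rules are the author's own, modelled
on what a playbook reviewer flags; they are not Ansible's built-in validation.
"""
import shlex

# The slide's play, transcribed 1:1 into Python (constructed).
SLIDE_PLAY = {
    "name": "install and start apache",
    "hosts": "all",
    "vars": {"http_port": 80, "max_clients": 200},
    "remote_user": "root",
    "tasks": [
        {"name": "install httpd", "yum": "pkg=httpd state=latest"},
        {"name": "write the apache config file",
         "template": "src=/srv/httpd.j2 dest=/etc/httpd.conf"},
        {"name": "start httpd", "service": "name=httpd state=started"},
    ],
}

# Task keywords that are not module names (a subset sufficient for this example).
TASK_KEYWORDS = {"name", "when", "register", "become", "become_user", "notify",
                 "tags", "loop", "with_items", "vars", "ignore_errors", "delegate_to"}

# Modules that pass a free-form command string to a shell or interpreter on the target.
FREE_FORM_MODULES = {"shell", "command", "raw", "script", "win_shell", "win_command"}


def parse_key_values(argstring):
    """'pkg=httpd state=latest' -> {'pkg': 'httpd', 'state': 'latest'}.

    Tokens without '=' are joined under '_raw_params', the key Ansible uses to
    hand free-form text (e.g. a shell command line) to a module. POSIX quoting
    rules apply, so Windows paths containing backslashes should be quoted.
    """
    args, free = {}, []
    for token in shlex.split(argstring):
        key, sep, value = token.partition("=")
        if sep and key.isidentifier():
            args[key] = value
        else:
            free.append(token)
    if free:
        args["_raw_params"] = " ".join(free)
    return args


def task_module(task):
    """Return (module_name, args_dict) for one task, whether args are a string or a dict."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            args = parse_key_values(value) if isinstance(value, str) else dict(value or {})
            return key, args
    raise ValueError("task declares no module: %r" % (task,))


def lint_play(play):
    """Return a list of review findings (strings) for one play; an empty list means clean."""
    findings = []
    if play.get("remote_user") == "root":
        findings.append("play logs in as root; use an unprivileged remote_user and "
                        "'become' only on the tasks that need it")
    if play.get("hosts") == "all":
        findings.append("play targets 'all'; confirm the inventory scope before running")
    for task in play.get("tasks", []):
        module, args = task_module(task)
        label = task.get("name", module)
        if module in {"yum", "apt", "dnf", "package"} and args.get("state") == "latest":
            findings.append("%s: state=latest is not reproducible; pin a version "
                            "or use state=present" % label)
        if module in FREE_FORM_MODULES:
            findings.append("%s: %s runs a free-form command %r; prefer a purpose-built "
                            "module or review the command"
                            % (label, module, args.get("_raw_params", "")))
    return findings


if __name__ == "__main__":
    for finding in lint_play(SLIDE_PLAY):
        print("-", finding)
```

Against the slide's play this reports three findings (root login, `hosts: all`, and `state=latest`); a task written in the dict form (`yum: {name: httpd, state: present}`) on a narrower host group produces none.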
//demo
//automation for everyone … what’s new in Tower 3.1?
//ansible tower
TOWER EXPANDS AUTOMATION TO YOUR ENTERPRISE.
AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE: SIMPLE, POWERFUL, AGENTLESS.
CONTROL, KNOWLEDGE, DELEGATION
Scheduled and centralized jobs
Visibility and compliance
Role-based access and self-service
Everyone speaks the same language
Designed for multi-tier deployments
Predictable, reliable, and secure
//what is ansible tower?
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation – with a UI and RESTful API.
• Role-based access control keeps environments secure, and teams efficient.
• Non-privileged users can safely deploy entire applications with push-button deployment access.
• All Ansible automations are centrally logged, ensuring complete auditability and compliance.
//control your ansible deployment
SITUATIONAL AWARENESS IS THE KEY TO DEVOPS
● Dashboard and real-time automation updates
● Integrated RBAC with credential management
● Job scheduling
● Graphical inventory management
● Built-in notifications to keep teams informed
● Stabilized API to plumb into existing tooling and processes
● Model entire processes with new Workflows
//tower workflows
MIX AND RE-USE AUTOMATIONS WITHOUT WRITING A PLAYBOOK
● Combine any number of Playbooks into a Workflow
● Delegate access just like any other Tower automation
● Launchable with customizable parameters
● Easily build in-app workflows
Provision → Configure → Deploy → Scale
Build → Test → Promote → Verify → Deploy
//delegation
EMPOWER YOUR TEAMS INSIDE AND OUTSIDE OF OPERATIONS
● Connect to your LDAP, AD, SAML and other directories
● Full role-based access control engine
● Store credentials for use without exposure
● Enable users to automate without previous Ansible knowledge
● Find relevant information more quickly with new Smart Search
● Simple surveys configure automation at run-time
● REST API allows integration into your existing processes and tools
● Add capacity with new Tower Clusters
//tower clusters
ADD TOWER CAPACITY AND REDUNDANCY WITH EASE
● Add new Tower nodes to scale out Tower job capacity
● Tower node fails? No problem
● Individual Tower jobs will run on any node with available capacity
○ Jobs are not spanned across multiple Tower nodes
● Cluster stays in sync with in-Tower configuration
//enterprise log integration
ANALYZE YOUR AUTOMATION RESULTS
● Log all Tower activity to central enterprise logging
● Cross-reference automation with events and application logs
● Use Tower’s API to perform remediation if needed
● Support for:
○ Elastic
○ Splunk
○ Sumologic
○ Loggly
○ Custom (Via WebHook/RESTful API)
//automate everything
AUTOMATE YOUR ENTERPRISE
USERS and ADMINS: ANSIBLE CLI & CI SYSTEMS, ANSIBLE PLAYBOOKS, ANSIBLE TOWER (SIMPLE USER INTERFACE, TOWER API, ROLE-BASED ACCESS CONTROL, KNOWLEDGE & VISIBILITY, SCHEDULED & CENTRALIZED JOBS)
ANSIBLE PYTHON CODEBASE: OPEN SOURCE MODULE LIBRARY, PLUGINS
USE CASES: CONFIGURATION MANAGEMENT, APP DEPLOYMENT, CONTINUOUS DELIVERY, SECURITY & COMPLIANCE, ORCHESTRATION, PROVISIONING
CLOUD: AWS, GOOGLE CLOUD, AZURE …
INFRASTRUCTURE: LINUX, WINDOWS, UNIX …
NETWORKS: ARISTA, CISCO, JUNIPER …
CONTAINERS: DOCKER, LXC …
SERVICES: DATABASES, LOGGING, SOURCE CONTROL MANAGEMENT
TRANSPORT: SSH, WINRM, ETC.
//demo
//ansible and windows
//how it works
● Linux
○ Ansible manages Linux/Unix machines using SSH
● Windows
○ Uses PowerShell remoting rather than SSH
○ Ansible still runs from a Linux control machine and uses the WinRM python module to talk to the Windows host
//native windows support
● Gather facts on Windows hosts
● Install and uninstall MSIs
● Enable and disable Windows Features
● Start, stop, and manage Windows services
● Create and manage local users and groups
● Manage Windows packages via the Chocolatey package manager
● Manage and install Windows updates
● Fetch files from remote sites
● Push and execute PowerShell scripts
//win_shell module
# Execute a command in the remote shell; stdout outputs to the specified file
---
- name: Run win_shell
  hosts: all
  gather_facts: false
  tasks:
    - name: Run some script
      win_shell: C:\somescript.ps1 >> c:\somelog.txt
//ansible core modules for windows
● fetch
● raw
● script
● slurp
● template
● add_host
● assert
● pause
● set_fact
● debug
● fail
● group_by
● include_vars
● meta
//script module
---
# This playbook tests the script module on Windows hosts
- name: Run powershell script
  hosts: all
  gather_facts: false
  tasks:
    - name: Run powershell script
      script: files/helloworld.ps1
//authentication
● Active Directory
○ Kerberos is the preferred option when using AD
○ Requirement to install ‘python-kerberos’ module on the control host
# yum -y install python-devel krb5-devel krb5-libs krb5-workstation
//authentication
● Configure Kerberos
# vi /etc/krb5.conf
[realms]
  MY.DOMAIN.COM = {
    kdc = domain-controller1.my.domain.com
    kdc = domain-controller2.my.domain.com
  }

[domain_realm]
  .my.domain.com = MY.DOMAIN.COM
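A control host that authenticates to Windows over Kerberos depends on the `[realms]` and `[domain_realm]` sections above agreeing with each other: a domain mapped to a realm that has no KDC entry fails only at connection time, on every Windows host at once. As an added example (not code from the deck or from the MIT Kerberos tools), the block below parses a krb5.conf built from the slide's fragment, with a `[libdefaults]` section and one deliberately inconsistent mapping added as constructed input, and reports the mismatches. The parser covers only the syntax used here (section headers, one `key = value` per line, `REALM = { ... }` blocks); the consistency rules are the author's own review checks.

```python
"""Parse a krb5.conf and check that realm definitions and domain mappings agree.

Added example, not from the deck. The sample below is constructed from the
slide's [realms]/[domain_realm] fragment with a [libdefaults] section and one
deliberately inconsistent mapping added so the check has something to report.
The parser handles only the syntax used here: [section] headers, 'key = value'
lines (one directive per line), and 'REALM = { ... }' blocks. The consistency
rules are the author's own review checks, not part of the MIT Kerberos tooling.
"""

SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = MY.DOMAIN.COM
  dns_lookup_kdc = false

[realms]
  MY.DOMAIN.COM = {
    kdc = domain-controller1.my.domain.com
    kdc = domain-controller2.my.domain.com
  }

[domain_realm]
  .my.domain.com = MY.DOMAIN.COM
  .other.example.com = OTHER.EXAMPLE.COM   # constructed: this realm is never defined
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; repeated keys become lists, '{ }' blocks become dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):
            # 'MY.DOMAIN.COM = {' opens a block whose keys may repeat (several kdc lines)
            name = line[:-1].split("=", 1)[0].strip()
            block = conf.setdefault(section, {}).setdefault(name, {})
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            target = block if block is not None else conf.setdefault(section, {})
            if key in target:
                previous = target[key]
                target[key] = (previous if isinstance(previous, list) else [previous]) + [value]
            else:
                target[key] = value
    return conf


def as_list(value):
    """Normalise a scalar-or-list config value to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_realms(conf):
    """Return review findings: every referenced realm must exist and name at least one KDC."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % default_realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("domain %s maps to realm %s, which has no [realms] entry"
                            % (domain, realm))
        else:
            entry = realms[realm] if isinstance(realms[realm], dict) else {}
            if not as_list(entry.get("kdc")):
                findings.append("realm %s (used by %s) defines no kdc" % (realm, domain))
    return findings


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(parsed["realms"])
    for finding in check_realms(parsed):
        print("-", finding)
```

On the sample, the slide's own realm parses to two KDCs and passes; the one finding is the constructed `.other.example.com` mapping. Run the same two functions over `/etc/krb5.conf` on the control host before the first Windows play, since this is the file the `python-kerberos` module reads.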
//coming soon
● runas
○ There is upcoming support to execute actions as the administrator with Windows ‘runas’
○ Presently, connect and automate Windows using local or domain users
//demo
//ansible for network automation
//ansible for networks
COMPLIANCE AND DRIFT
Improved Security
Troubleshooting Efficiencies
Visibility
Desired State Processes
CONFIG AUTOMATION
Time-to-Market Advantages
Operational Efficiencies
Quality Configurations
MOPs?
TEST AND VALIDATE
Speed and Agility
Automated Repeatable Tasks
Simplified Infrastructure
Ansible Tower for networks:
Security: Store Network Credentials
Delegation: Using Role-Based Access Control (RBAC)
Power: Leverage the Ansible Tower API
Control: Schedule Jobs for Automated Playbook Runs
Flexibility: Launch Job Templates Using Surveys
Integrations: Leverage Tower Integrations like Version Control
Compliance: Run Jobs in Check Mode for Audits
//core network modules
cloudflare_dns - manage Cloudflare DNS records
dnsimple - Interface with dnsimple.com (a DNS hosting service).
dnsmadeeasy - Interface with dnsmadeeasy.com (a DNS hosting service).
haproxy - Enable, disable, and set weights for HAProxy backend servers using socket commands.
ipify_facts - Retrieve the public IP of your internet gateway.
ipinfoio_facts - Retrieve IP geolocation facts of a host’s IP address.
ldap_attr - Add or remove LDAP attribute values.
ldap_entry - Add or remove LDAP entries.
lldp - get details reported by lldp
nmcli - Manage Networking
nsupdate - Manage DNS records.
omapi_host - Setup OMAPI hosts.
snmp_facts - Retrieve facts for a device using SNMP.
wakeonlan - Send a magic Wake-on-LAN (WoL) broadcast packet
//core vendors
From MOPs to Playbooks!!
175 included network modules + community
//mops to playbooks
Variables + Templates
Declarative State - Network Infrastructure as Data
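"Compliance and drift" and "run jobs in check mode for audits" from the earlier network slides, and "Variables + Templates = Declarative State" here, describe one loop: the intended configuration is data, a template renders it, and a check-mode run reports where the device differs without changing anything. As an added example (not code from the deck, from Arctiq, or from Ansible), the block below models that loop in plain Python: `DESIRED` is the data, `render()` plays the template, `normalize()` flattens a captured running config, and `drift()` returns what is missing and what is present but undeclared. The IOS-like syntax, interface names and addresses are all constructed for the example.

```python
"""Declare network state as data, render it, and report drift against a running config.

Added example, not from the deck. It models the slide's 'Variables + Templates
-> Declarative State' idea with plain Python: the desired state is a small data
structure, render() plays the role of the template, and drift() compares the
result with a captured running config without changing anything, which is what
a check-mode audit run does. The IOS-like syntax, interface names and addresses
are all constructed for the example.
"""

# Desired state as data (constructed).
DESIRED = {
    "ntp_servers": ["10.0.0.10", "10.0.0.11"],
    "interfaces": {
        "GigabitEthernet0/1": {"description": "uplink", "shutdown": False},
        "GigabitEthernet0/2": {"description": "unused", "shutdown": True},
    },
}

# Running config as captured from the device (constructed): the second NTP server
# is missing, an undeclared NTP server is present, and Gi0/2 was never shut down.
RUNNING_CONFIG = """\
hostname edge-sw1
!
ntp server 10.0.0.10
ntp server 192.0.2.99
!
interface GigabitEthernet0/1
 description uplink
!
interface GigabitEthernet0/2
 description unused
!
"""

# Top-level config prefixes this desired state claims ownership of. Lines outside
# them (hostname, banners, ...) are never reported as drift.
MANAGED_PREFIXES = ("ntp server", "interface")


def normalize(config_text):
    """Flatten an indented config into 'parent / child' strings so stanzas compare as sets."""
    lines, parent = set(), None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            parent = None                # '!' ends a stanza in IOS-style output
        elif raw.startswith(" ") and parent is not None:
            lines.add("%s / %s" % (parent, stripped))
        else:
            parent = stripped
            lines.add(parent)
    return lines


def render(desired):
    """Render desired state into the same flattened form normalize() produces."""
    lines = {"ntp server %s" % server for server in desired["ntp_servers"]}
    for name, props in desired["interfaces"].items():
        stanza = "interface %s" % name
        lines.add(stanza)
        lines.add("%s / description %s" % (stanza, props["description"]))
        if props["shutdown"]:
            lines.add("%s / shutdown" % stanza)
    return lines


def drift(desired, running_text):
    """Return (missing, unexpected): desired lines absent from the device, and
    device lines under a managed prefix that the desired state does not declare."""
    want, have = render(desired), normalize(running_text)
    missing = sorted(want - have)
    unexpected = sorted(line for line in have - want if line.startswith(MANAGED_PREFIXES))
    return missing, unexpected


def is_compliant(desired, running_text):
    """Check-mode style verdict: True only when nothing is missing or unexpected."""
    missing, unexpected = drift(desired, running_text)
    return not missing and not unexpected


if __name__ == "__main__":
    missing, unexpected = drift(DESIRED, RUNNING_CONFIG)
    print("compliant:", is_compliant(DESIRED, RUNNING_CONFIG))
    for line in missing:
        print("missing   :", line)
    for line in unexpected:
        print("unexpected:", line)
```

With the constructed running config the audit reports two missing lines (the second NTP server and the `shutdown` on Gi0/2) and one undeclared NTP server, while the `hostname` line is ignored because it is outside the managed prefixes. In a Tower job the `register`ed output of a `show running-config` task would take the place of `RUNNING_CONFIG`.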
//playbook example
---
- hosts: ios_devices
  gather_facts: no
  connection: local
  vars_prompt:
    - name: "mgmt_username"
      prompt: "Username"
      private: no
    - name: "mgmt_password"
      prompt: "Password"

  tasks:
    - name: SYS | Define provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ mgmt_username }}"
          password: "{{ mgmt_password }}"

    - name: IOS | Show clock
      ios_command:
        provider: "{{ provider }}"
        commands:
          - show clock
      register: clock

    - debug: msg="{{ clock.stdout }}"
//what’s next?
POCs
Upcoming Arctiq-run demos and Blogs
Use-case workshops and consulting
Training Workshops
We are HIRING
//take the first step - www.arctiq.ca