ansible : Infrastructure automation,idempotent and more
Download as PPTX, PDF2 likes280 views
Ansible is an open source tool that uses SSH to automate and simplify configuration management across servers. It is agentless, uses Python for its language, and has a pull-based model. Ansible uses YAML files called playbooks to define automation jobs and roles. Playbooks contain tasks that are executed sequentially on managed nodes. Ansible supports variables, facts, conditionals, loops and templates to customize automation. It has features like idempotency, vault for secrets, and roles for reusability. Galaxy is a library of community roles.
![■ ~]$ ansible --version
ansible 2.3.1.0
config file = /etc/ansible/ansible.cfg
...output omitted...
Configuring Connections
■ Some of the information needed from configuration file .](https://image.slidesharecdn.com/fosscafe-ansible-180630070049/85/ansible-Infrastructure-automation-idempotent-and-more-11-320.jpg)
ansible : Infrastructure automation,idempotent and more
- 1. ANSIBLE : INFRASTRUCTURE AUTOMATION, IDEMPOTENT AND MORE By Sabarinath Gnanasekar
- 2. Ansible Overview ■ Open source model-driven configuration management tool that leverages SSH to improve security and simplify management of configuration across various O/S ,Application, Network ,Storage and Cloud platforms. ■ Designed by considering below Ease of use Low learning curve Comprehensive automation Efficiency Security 2
- 3. Bootstrap Instruction ■ https://geekcontainer.wordpress.com/2016/08/05/configuration- management-ansible-series-1/ ■ https://geekcontainer.wordpress.com/2016/08/06/configuration- management-ansible-series-2/ ■ https://geekcontainer.wordpress.com/2016/08/06/configuration- management-ansible-series-3/
- 5. Features Improved network security- it has a very low attack surface (openssh daemon or winrm and no agent) Enabling non-root level access (and sudo) Limiting transfer of potentially sensitive data Credential segregation Central server scalability Resource utilization Firewall friendly Zero bootstrapping Parallel by default Immutable infrastructure 5
- 6. Comparison with Puppet Entity Ansible Puppet Agent Excellent performance Agent less install and deploy Uses agent Components 1) OpenSSH 2) Python 1) Ruby 2) Facter 3) Puppet master 4) agent Language Based on ubiquitous Python. Ruby(written by programmers for programmers) Method Pull Push Directive language YAML with Jinja2 template Custom Bootstrap Child Need Not Needed Required Remote Execution Built-in and easy Mcollective and challenging Port 22 - Openssh 8140- Puppet Master 443 - Puppet Console 61613 - Mcollective 8142 - Orchestrator 6
- 7. Building an Ansible Inventory:Inventory File ■ defines a collection of hosts that Ansible will manage ■ Define logical groups of managed nodes ■ Default inventory file location: /etc/ansible/hosts ■ INI format Communication variables: ansible_connection : local,ssh or paramiko ansible_ssh_host : name of the host to connect ansible_ssh_user : ssh user name to use ansible_ssh_port : ssh password to use ansible_ssh_pass : ssh port number to use ansible_ssh_private_key_file : private key file used by ssh
- 8. Example for Inventory Defining Nested Groups Host Specifications with Ranges
- 9. Patterns all hosts in the inventory (all or *) a specific host name or group name (host1, webservers) wildcard configuration (192.168.1.*) OR configuration (host1:host2, webservers:dbservers) NOT configuration (webservers:dbservers:!production) AND configuration (webservers:dbservers:&staging) REGEX configuration (~(web|db).*.example.com) exclude hosts using limit flag (ansible-playbook site.yml --limit datacenter2)
- 10. Ansible Configuration Files & Precedence Low • /etc/ansible/ansible.cfg • Default a base configuration file located Medium • ~/.ansible.cfg • user's home directory High • ./ansible.cfg • If an ansible.cfg file exists in the directory in which the ansible command is executed, it is used instead of the global file or the user's personal file. Very High • $ANSIBLE_CONFIG Priority
- 11. ■ ~]$ ansible --version ansible 2.3.1.0 config file = /etc/ansible/ansible.cfg ...output omitted... Configuring Connections ■ Some of the information needed from configuration file .
- 12. Setting Description inventory The location of the Ansible inventory. remote_user The remote user account used to establish connections to managed hosts ask_pass Prompt for a password to use when connecting as the remote user. become Enable or disable privilege escalation for operations on managed hosts. become_method The privilege escalation method to use on managed hosts. become_user The user account to escalate privileges to on managed hosts. become_ask_pass Defines whether privilege escalation on managed hosts should prompt for a password.
- 13. Ad-Hoc commands ■ Would be something that you might type in to do something really quick, but don’t want to save for later
- 14. Playbooks ■ Series of ansible commands(tasks),that are targeted at a specific set of hosts/groups ■ Expressed in YAML format ■ Each playbooks is composed of one or more ‘plays’ in a list. ■ Playbook goal is to map a group of hosts to well defined plays or roles. Tasks: Are executed in order ,one at a time, against all machines matched by the host pattern, before moving on to the next task. Handlers: "sleeping" tasks that can be invoked by a task upon completion (e.g. when config file change, restart service)
- 16. Variables ■ Ansible supports variables that can be used to store values that can be reused throughout files in an entire Ansible project. ■ Variables provide a convenient way to manage dynamic values for a given environment in your Ansible project. Three basic scope levels: • Global scope: Variables set from the command line or Ansible configuration • Play scope: Variables set in the play and related structures • Host scope: Variables set on host groups and individual hosts by the inventory, fact gathering, or registered tasks
- 17. Facts ■ Ansible facts are variables that are automatically discovered by Ansible on a managed host. ■ Facts contain host-specific information that can be used just like regular variables in plays, conditionals, loops, or any other statement that depends on a value collected from a managed host. $ ansible demo1.example.com -m setup $ ansible demo1.example.com -m setup -a 'filter=ansible_eth0'
- 18. Task control ■ Loops ■ When statement ■ Handlers ■ Tags ■ Handling Errors ■ block, rescue, always (https://www.pandastrike.com/posts/20160308-ansible-blocks-examples/)
- 19. Jinja2 Template ■ Ansible uses the Jinja2 templating system to modify files before they are distributed to managed hosts. Generally speaking, it is preferable to avoid modifying configuration files through logic in templates. However, templates can be useful when systems need to have slightly modified versions of the same file.
- 20. roles ■ Necessary comes as we add more and more functionality to our playbook. ■ It allows to create very minimal playbook that then look to a directory structure to determine the actual configuration steps they need to perform. ■ Enforces modularity so that we can reuse commonly used tasks(roles) again.
- 21. Ansible-galaxy ■ a public library of Ansible roles written by a variety ■ of Ansible administrators and users. It is an archive that contains thousands of Ansible roles ■ and it has a searchable database that helps Ansible users identify roles that might help them ■ accomplish an administrative task. ansible-galaxy init --offline -p roles db
- 22. Vault ■ Allows keeping encrypted data in source control ■ Created encrypted files $ ansible-vault create foo.yml ■ Editing encrypted files $ ansible-vault edit foo.yml Encrypting unencrypted files $ ansible-vault encrypt foo.yml Decrypting encrypted files $ ansible-vault decrypt foo.yml Running ad-hoc or playbook with vault Ansible-playbook site.yml –vault-password-file ~/.vault_pass.txt
- 23. Idempotency An operation is idempotent if the result of performing it once is exactly the same as the result of performing it repeatedly without any intervening actions. Idempotency principle is not applied by default to the command module. In order to achieve idempotence, you could use the attribute creates. When present, Ansible will only run the command task if the file specified by the pattern does not exists.
- 24. Every time you run it, it will be detected as “changed” even though nothing actually changes. An important line there is the changed_when: false line. Typically ansible assumes that a command changes the state of the host, but changed_when lets you set a Jinja2 conditional to specify a different condition. This stops false alarms from runs that change nothing on the host, which is good for idempotency. - name: ensure postgresql hstore extension is created sudo: yes sudo_user: postgres shell: "psql my_database -c 'CREATE EXTENSION hstore;'" register: psql_result failed_when: > psql_result.rc != 0 and ("already exists" not in psql_result.stderr) changed_when: "psql_result.rc == 0"
- 25. 3-Tier Architecture and Deployment
- 26. 26 Source Build Test Deploy Ops Process tools Bitbucket