ansible 2.0 - how to use ansible to automate your applications in aws

Daniel Fienberg DevOps Engineer danielfi@cloudzone.io Ansible on AWS

Upload: idan-tohami

Post on 23-Jan-2017


TRANSCRIPT

Ansible on AWS

What is Ansible?

• Open source configuration management platform written in Python and backed by software giant Red Hat

• Salt, Chef, Puppet are other CM platforms

• Scripting at a high level

• Designed to be centralized, lightweight, scalable, fast, easy to install and use

• Used for any task that you need to do more than once

• Playbooks (Ansible scripts) written in YAML

• No agent required on target hosts

How Ansible is Different from Other CM Platforms

(Diagram) Ansible: Control Node → SSH (22) → Remote Hosts. Other CM platforms (Chef, Puppet, Salt): Control Node → CM Agent running on the Remote Hosts.

How does Ansible Work?

• Ansible performs tasks on hosts and calls modules to perform them

• Ansible runs through its tasks on a set of hosts in parallel

• Modules provide wrappers for tasks

• Tasks make changes only if necessary

• Core set of modules for common SysAdmin tasks (package maintenance, filesystem maintenance etc.)

• Modules for shell commands and scripts

AWS Cloud Modules

• Many cloud modules come built-in

• Can be run as a local action and perform the action from your laptop

• Covers most common cloud tasks:

  ec2 - create, terminate, start or stop an instance in ec2
  ec2_ami - create or destroy an image in ec2
  ec2_ami_search - retrieve AWS AMI information for a given operating system
  ec2_asg - create or delete AWS Autoscaling Groups
  ec2_eip - associate an EC2 elastic IP with an instance
  ec2_elb - de-registers or registers instances from EC2 ELBs
  ec2_facts - gathers facts about remote hosts within ec2 (aws)
  ec2_group - maintain an ec2 VPC security group
  ec2_key - maintain an ec2 key pair
  ec2_vol - create and attach a volume, return volume id and device map
  … and many more

How Cloud Modules Work

(Diagram) Regular module: Control Node → Python script sent over SSH → Remote Host, e.g. install Apache. AWS cloud module: Control Node → local action → Boto → Amazon API → provision AWS service for the Remote Host, e.g. add EBS.

Inventory File

• Ansible needs to know where to run commands

• This information is found in an inventory file

• It can be static and manually maintained, for example:

  localhost ansible_connection=local          <——> host
  [webservers]                                <——> group
  10.10.10.10 ansible_user=ec2-user ansible_ssh_private_key_file=~/.ssh/aws.pem
  10.10.10.20
  [dbservers]
  one.example.com

• You can include many extra details in the inventory file - tags, SSH keys, aliases, login user etc.

Dynamic Inventory

• Inventory file that is generated automatically at runtime by a script

• Ansible knows to run the inventory file as a script because of the executable permissions on the file

• Useful for cloud environments because hosts and their addresses change often

• Script makes API calls to the cloud provider and uses the information to generate the inventory file

• Scripts for AWS, OpenStack etc. on the Ansible GitHub repo

AWS Dynamic Inventory

• Defines each host as a JSON object

• Public or private IP used as host identifier (ec2.ini)

• Groups hosts according to many filters (instance type, tags, security groups, AZs)

• EC2 instance details can be referenced at runtime (e.g. tags, instance type, private key name etc.)
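To make the two dynamic-inventory slides concrete, here is a small inventory script in the style of ec2.py. It is an added example, not the Ansible project's ec2.py: the instance list is constructed in memory as a stand-in for what ec2.py fetches from the EC2 API through boto, so it runs offline. The group-naming convention (tag_Name_dev, type_t2_micro, security_group_…), the ec2_* hostvar names and the --list/--host calling convention follow ec2.py; treating the public-vs-private address choice from ec2.ini as a boolean flag is a simplification for this example.

```python
#!/usr/bin/env python
"""Dynamic inventory script in the style of ec2.py. Added example, not the
Ansible project's ec2.py: the instance data below is a constructed, in-memory
stand-in for what ec2.py fetches from the EC2 API through boto. Ansible runs
the script with --list for the whole inventory and --host <name> for one host."""
import json
import sys

# Constructed sample of what a describe-instances call would return (not real hosts).
SAMPLE_INSTANCES = [
    {"id": "i-0000000000000001", "private_ip": "10.10.10.10", "public_ip": "54.0.0.10",
     "type": "t2.micro", "az": "eu-west-1a", "key_name": "aws",
     "security_groups": ["sg-web"], "tags": {"Name": "dev", "Role": "webserver"}},
    {"id": "i-0000000000000002", "private_ip": "10.10.10.20", "public_ip": None,
     "type": "t2.small", "az": "eu-west-1b", "key_name": "aws",
     "security_groups": ["sg-db"], "tags": {"Name": "dev", "Role": "dbserver"}},
]


def to_safe(word):
    """Group names follow ec2.py's convention: anything not alphanumeric or '_' becomes '_'."""
    return "".join(c if c.isalnum() or c == "_" else "_" for c in word)


def host_address(inst, prefer_private=True):
    """Which IP identifies a host is an ec2.ini setting (destination_variable);
    modelled here as a flag, with a fallback when the preferred address is absent."""
    order = ("private_ip", "public_ip") if prefer_private else ("public_ip", "private_ip")
    return inst[order[0]] or inst[order[1]]


def build_inventory(instances, prefer_private=True):
    """Group each host by instance id, type, AZ, key name, security group and
    tag, and publish the instance details as hostvars under _meta so Ansible
    does not need a --host call per host."""
    inventory = {"_meta": {"hostvars": {}}}

    def add(group, host):
        inventory.setdefault(to_safe(group), {"hosts": []})["hosts"].append(host)

    for inst in instances:
        host = host_address(inst, prefer_private)
        add(inst["id"], host)
        add("type_" + inst["type"], host)
        add(inst["az"], host)
        add("key_" + inst["key_name"], host)
        for sg in inst["security_groups"]:
            add("security_group_" + sg, host)
        hostvars = {
            "ec2_id": inst["id"],
            "ec2_instance_type": inst["type"],
            "ec2_placement": inst["az"],
            "ec2_key_name": inst["key_name"],
            "ec2_private_ip_address": inst["private_ip"],
            "ec2_ip_address": inst["public_ip"],
        }
        for key, value in inst["tags"].items():
            add("tag_%s_%s" % (key, value), host)
            hostvars["ec2_tag_" + key] = value  # e.g. ec2_tag_Name, usable in a playbook
        inventory["_meta"]["hostvars"][host] = hostvars
    return inventory


def main(argv):
    inventory = build_inventory(SAMPLE_INSTANCES)
    if len(argv) > 2 and argv[1] == "--host":
        print(json.dumps(inventory["_meta"]["hostvars"].get(argv[2], {}), indent=2))
    else:
        print(json.dumps(inventory, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Make the file executable and pass it with -i, exactly as the slides do with ec2.py; `ansible tag_Name_dev -m ping -i ./this_script.py` then targets both constructed hosts. The ec2_key_name hostvar is what lets a playbook build the key path per host instead of hard-coding it.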

Get Facts

• Extremely powerful Ansible module (setup) that is optionally run at the beginning of a Playbook

• Gathers LOTS of information about the host that can be accessed by the Playbook at runtime

• Variables defined by facts can be referenced at run time by the Playbook

• Useful for provisioning systems based on conditions (OS, kernel, volumes, network interfaces etc.)

Ad-hoc Command

• Ansible can either be run as an ad-hoc command or as a script called a Playbook (YAML format)

• An ad-hoc command is for a one-time command on many servers

• Ad-hoc command usage:

  # ansible <host-pattern> -m <module> -a <arguments> -i inventory [options]

Ad-hoc Command Examples

• Ansible ping:

  # ansible all -m ping -i static

• Ansible facts:

  # ansible tag_Name_dev -m setup -i ec2.py --private-key=~/.ssh/private_key.pem -u ec2-user

• EC2 facts:

  # ansible tag_Name_dev -m ec2_facts -i ec2.py -u ec2-user --private-key="{{ ec2_key_name }}.pem"

• Install Apache:

  # ansible webservers -m yum -a "name=httpd state=present" -i static

Playbooks

• The real power of Ansible is Playbooks

• Easily readable set of tasks to perform

• Include files for easy grouping of tasks

• Only perform tasks based on instance-specific info (AWS instance tags, AWS instance type, OS type, etc.)

• Playbook command usage:

  # ansible-playbook playbook.yml -i inventory [options]

Getting Started

• Comprehensive documentation on the Ansible website

• Example playbooks on the Ansible GitHub repo

• Ansible Galaxy - community repo of Playbooks (galaxy.ansible.com)

• Ansible Tower - commercial visual dashboard

Ansible 2.0

• Released at the beginning of 2016

• Introduced code blocks

• Try-catch statements

• Extended support for Windows (winrm)

• Many more cloud modules

Provision LAMP Stack

1. Provision instances in the AWS environment

2. Apply AWS configurations (Security Groups etc.)

3. Install LAMP services

4. Copy custom configuration files, set services to on etc.

Tip 1: Be Lazy

• There isn't time to do things manually if you want to remain profitable

• Tasks that you thought were not easy to automate often are

• Ansible does not make mistakes - people do!

• Can prepare the environment for Ansible with a wrapper script

Tip 2: Be Secure

• All configuration done with SSH

• All key locations are passed as a dynamically generated path

• Boto credentials are set as environment variables with a wrapper script

• No sensitive data ever included in the playbook - customer-specific data stored at a separate location

Tip 3: Be Dynamic

• Write playbooks that can run on many OSs

• Automatically detect the login user name

• Use templates, dynamic inventory variables and Ansible facts

• Dynamically locate customer-specific variables
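Tips 2 and 3 describe a wrapper around ansible-playbook; the script below is an added example of that pattern, not the speaker's wrapper. It keeps the Boto credentials in environment variables rather than in the playbook or on the command line, builds the SSH key path from the customer's EC2 key name (the wrapper generates the path itself rather than passing a `{{ ec2_key_name }}` template to the CLI, which does not render it), picks the login user from the OS family, and locates the customer's variable file outside the playbook tree. The directory layout (`<vars_root>/<customer>/vars.json`), the vars.json keys and the default-user table are assumptions for this example.

```python
#!/usr/bin/env python
"""Wrapper that prepares an ansible-playbook run (added example, not code
from the talk). Credentials and customer data stay outside the playbook:
boto reads the AWS keys from the environment, the SSH key path is derived
from the customer's EC2 key name, and the customer-specific variables are
located dynamically. The directory layout and file names are assumptions."""
import json
import os
import shutil
import tempfile

# Usual default login users for common AMIs (assumption: adjust to your own images).
DEFAULT_USERS = {"amazon": "ec2-user", "rhel": "ec2-user",
                 "centos": "centos", "ubuntu": "ubuntu", "debian": "admin"}


def detect_login_user(os_family):
    """Tip 3: derive the SSH user from the OS family instead of hard-coding it."""
    return DEFAULT_USERS.get(os_family.lower(), "ec2-user")


def load_customer(vars_root, customer):
    """Tip 3: locate <vars_root>/<customer>/vars.json at run time. The file lives
    outside the playbook repository and holds only that customer's data."""
    path = os.path.join(vars_root, customer, "vars.json")
    if not os.path.isfile(path):
        raise IOError("no vars file for customer %r at %s" % (customer, path))
    with open(path) as fh:
        return json.load(fh)


def build_run(customer_vars, key_dir, credentials, base_env=None):
    """Tip 2: return (argv, env) for ansible-playbook. Secrets go only into env,
    where boto and the ec2 modules read them, never into argv, so they do not
    land in shell history or `ps` output; the key path is generated, not typed."""
    env = dict(base_env or {})
    env["AWS_ACCESS_KEY_ID"] = credentials["access_key"]
    env["AWS_SECRET_ACCESS_KEY"] = credentials["secret_key"]
    env["AWS_REGION"] = customer_vars["region"]
    key_path = os.path.join(key_dir, customer_vars["ec2_key_name"] + ".pem")
    argv = ["ansible-playbook", customer_vars["playbook"],
            "-i", "ec2.py",
            "--private-key", key_path,
            "-u", detect_login_user(customer_vars["os_family"]),
            "-e", "customer=" + customer_vars["name"]]
    return argv, env


def check_no_secrets(argv, credentials):
    """Guard before exec: refuse if any secret value appears on the command line."""
    joined = " ".join(argv)
    return all(value not in joined for value in credentials.values())


def demo():
    """Build a run against a constructed customer directory and return
    (argv, env) without executing ansible-playbook."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "acme"))
        with open(os.path.join(root, "acme", "vars.json"), "w") as fh:
            json.dump({"name": "acme", "region": "eu-west-1", "ec2_key_name": "aws",
                       "playbook": "lamp.yml", "os_family": "ubuntu"}, fh)
        customer = load_customer(root, "acme")
    finally:
        shutil.rmtree(root)
    # Constructed placeholder credentials; real ones come from a credentials
    # store, never from the playbook or the command line.
    creds = {"access_key": "AKIAPLACEHOLDER", "secret_key": "SECRETPLACEHOLDER"}
    argv, env = build_run(customer, "/keys", creds, {"PATH": os.environ.get("PATH", "")})
    if not check_no_secrets(argv, creds):
        raise RuntimeError("secret leaked onto the command line")
    return argv, env


if __name__ == "__main__":
    cmd, _ = demo()
    print(" ".join(cmd))
```

In a real wrapper the last step is `subprocess.call(argv, env=env)`; the playbook then needs no aws_access_key/aws_secret_key parameters at all, because the ec2 modules pick them up from the environment through Boto.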

Thank you!

By the way, we're hiring: cloud engineers and [email protected]