introduction to ansible (pycon7 2016)

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible: automazione IT vocata al Cloud

Ivan Rossi (BioDec.com)

Pycon sette, 2016-04-16

Ivan Rossi (BioDec.com) Ansible: automazione IT vocata al Cloud Pycon sette, 2016-04-16 1 / 40

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Main features

“Ansible is a radically simple IT automation platform that makes yourapplications and systems easier to deploy….”

Avoid writing scripts or custom code to deploy/update applicationsNo agents to install on remote systems (SSH + python)Ansible project dislikes complexity“perfect is the enemy of good”: the learning curve is really fast.Code is YAMLappropriate for managing small-medium setups

some enterprise environments with many thousands.

Acquired by RedHat in October 2015.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Why Ansible is suited to the Cloud

Major Configuration management tools

Tool Style Push/pull Agent?Cfengine Declarative Pull YesPuppet Declarative Pull YesChef Imperative Pull YesSalt Declarative* Both Yes*

Ansible Imperative Push No

Ansible is suited to the immutable/disposable infrastructure approach


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Quoting…

“People often ask me how does Ansible compete with other configurationmanagement tools? We don’t, we compete with Bash.”

-- Greg DeKoenigsberg,CfgMgmtCamp 2016, Gent (BE), 2016-02-02


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Setup overview

Setup overview


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Setup overview

Setup the control machine

Ansible uses python2.7 and SSH to communicate

On the managed systems.1 Have python2.7 installed2 SSH key-based authentication:

ssh-copy-id -i /root/.ssh/admin_id_rsa root@localhost


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Setup overview

On the control machine1 Install Python and required packages

apt-get install python-pipapt-get install python-dev

2 Install AnsiblePro tip: work in a virtualenv

pip install virtualenvvirtualenv myprojectcd myproject. bin/activatepip install ansible


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Simple parallel execution



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Your first commands

1 Create basic inventory fileecho "localhost" > ansible_hosts

2 Ping all hosts in your inventory fileansible all -m ping -i ansible_hosts

Congratulations. You’ve just contacted your nodes with Ansible.

localhost | success >> {"changed": false,"ping": "pong"

}


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Command-line example

ansible all -m ping -i ansible_hosts

all Ansible works against multiple systems in your infrastructureat the same time. It does this by selecting portions ofsystems listed in the inventory file. “all” is a special keywordto work with all the hosts at the same time.

-m accepts a correct module name (e.g., “ping”).-i The name of the inventory file.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


The inventory file

The format for ansible_hosts is an INI-like format and looks like this:

[webservers]localhostone.example.com

[dbservers]one.example.comtwo.example.comthree.example.com

In brackets are group names, used to group and classifying systems. It isOK to put systems in more than one group.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


ModulesAnsible ships with a large module library

Modules are idempotent, usually.Users can write their own modules (in Python)

Frequently used modulespackage Add/Remove packages file (many formats)

command Execute any shell commandservice Start/Stop/Enable servicescopy Copy a file from source to destination on host

template generate a file from a Jinja2 templateExample:ansible all -m apt -a "name=apache2 state=present"ansible all -m service -a "name=apache2 state=started"


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Ansible programming


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Playbooks

Playbooks are the configuration, deployment, and orchestrationlanguage.

They can describe a set of connected actions in a general IT process.

If modules are the tools, playbooks are your design plans.Playbooks are expressed in YAML format and have a minimal syntax

Tries not to be a programming language, but a model of aconfiguration or a process.

Each playbook is composed of one or more ‘plays’ in a list.While it is possible to write a playbook in one very large file, eventuallyyou’ll want to reuse components (roles, more later)


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Playbook example

Write an inventory fileecho localhost > ansible_hosts

a playbook (named playbook.yml)---- hosts: all

vars:http_port: 80

remote_user: roottasks:- name: ensure apache2 is installed

apt: name=apache2 state=present


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Run your playbook:ansible-playbook -i ansible_hosts playbook.yml

Playbook outputPLAY [test]*************************************************************TASK: [ensure apache2 is installed]*******************************************ok: [localhost] => {"changed": false}PLAY RECAP*************************************************************localhost : ok=2 changed=0 unreachable=0 failed=0


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Variables and Facts

VariablesVariables should always start with a letter.Variables can be defined in many places (pros & cons..)

in inventory, playbook, include, command linepriority rules are… involved.

FactsA type of variable that are discovered at a run time, not set by theuser. Very useful for dynamic configurationFacts are returned by the setup module, which is executed at thebeginning of a playbook by default and made available as variables.the hostname of the system: {{ ansible_hostname }}


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Roles and Include Actions

A playbook can includes a role:- hosts: webservers

vars:http_port: 80

remote_user: rootroles:- webservers

Roles allow the automatic loading the definitions of variables, tasks,templates, handlers, given a standard layout. Grouping content by rolesallows easy sharing of playbooks too.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Example role structure:ansible_hostswebservers.ymlroles/

webservers/files/templates/

index.html.j2tasks/

main.ymlhandlers/vars/

main.ymldefaults/meta/


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Role hierarchy:If roles/x/[tasks,handlers,vars,meta]/main.yml exists:

[tasks,handlers,vars,meta] listed therein will be added to the play

Any [copy, script, template, include] directive can reference files inrespective roles directory without having to path them

To create a standard-compliant roleansible-galaxy init --offline test-role


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

ansible-galaxy

“It is the Ansible’s official community hub for finding, downloading, rating,and sharing Ansible roles…”

ansible-galaxy install username.rolename

You can use ansible-galaxy to start a project of your own

ansible-galaxy init --offline test-role

Many many projectsMany many duplicatesQuality from excellent through broken to horribly dangerous


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Ansible 2.0 has arrived

Task BlocksError Reporting ImprovementsRun time evaluation of tasks: new strategy plugin200 new modules

new OpenStack modulesexpand Amazon Web Services supportimprove Docker modulesexpand Microsoft support


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

New 2.0 features

Task Blocks: Write lessConsecutive tasks can be grouped under a common name. Thisfeature allows to apply directives at the block level, like:

when conditionerror handling (new block/rescue/always directives)set user

Error Reporting Improvements: Maybe you mean…Clearer identification of errors by printing line and file responsible forplaybook failure with suggestions for fixes


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

New 2.0 features

Run time evaluation of tasks: Speed up executionA new strategy plugin has been added. The canonical way to run tasksadopted by Ansible is “linear”. Now a “free” workflow is available,which allows each host to process its list of tasks as quickly as possible(still in-order) without waiting for all other hosts.

- hosts: allstrategy: freetasks:

...


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible programming

Known Issues with Ansible 2.0

Dynamic Include ProblemsTags on tasks are not seen until the include is processed. Tags shouldbe specified only at “include” levelHandlers in includes will not be seen. Handlers should avoid usingincludesAnsible 2.0 does not currently raise an error if a non-existent tag isspecified via –tags or –skip-tags

Plugin API ChangesCallback, connection, cache and lookup plugin APIs have changed.Existing plugins might require modification to work with the newversions


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Ansible and the Cloud



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Ansible and Amazon Web Services (AWS)

Other CloudsOther Cloud providers are supported too, but AWS is king…

AWS ControlAnsible contains many modules for controlling AWS services. All of themodules require recent versions of boto. You need this Python moduleinstalled on your control machine.pip install boto

Boto is a Python interface to AWS API, and allows dynamic inventory.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Ansible and AWS securityTo access AWS services one needs a set of credentials:

ssh keyaccess_idsecret_key

Set your access_id and secret_key in a “vars” file, then source it:

export BOTO_CONFIG=/path/boto.confexport EC2_INI_PATH=/path/ec2.ini

export AWS_ACCESS_KEY_ID=EXAMPLEKEYexport AWS_SECRET_ACCESS_KEY=ThisIsAnExampleexport AWS_DEFAULT_REGION=region

PLEASE DO NOT SHARE KEYS ON GITHUBIvan Rossi (BioDec.com) Ansible: automazione IT vocata al Cloud Pycon sette, 2016-04-16 28 / 40

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


AWS Dynamic inventory

$ ./plugins/inventory/ec2.py --list

{"_meta": {

"hostvars": {"ec2_architecture": "x86_64",...}

}"ec2": [

"ec2-name.region.compute.amazonaws.com"...

]}


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Now you are Elastic

$ ansible all -i ./plugins/inventory/ec2.py -m ping --user=admin

ec2-name.region.compute.amazonaws.com | success >> {"changed": false,"ping": "pong"

}


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Manage your AWS nodes with ansible



...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Create and start nodes

- name: Creates aws-nodeshosts: allconnection: localremote_user: admin

tasks:- name: Create and launch instance

ec2:key_name: "{{ ssh-key }}"instance_type: "{{ instance }}"image: "{{ image_id }}"region: "{{ region }}"state: presentcount: 3wait: yes


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Stop nodes

- name: Stop aws serversconnection: localremote_user: rootvars:

- region: region_nametasks:

- name: Stop instancesec2:

region: "{{ region }}"state: stoppedinstance_ids: "{{ec2_id}}"

To see your instances being stopped.

$ ansible-playbook -i plugins/inventory/ec2.py demo-stop.yml


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Provision nodes

Provision your nodesInstall apache on remote AWS hosts

$ ansible all -m apt -i plugins/inventory/ec2.py -a"name=apache2 state=present" --user=admin --become=sudo

"changed": true,"stderr": "","stdout": "Reading package lists...

Building dependency tree...Reading state information......Setting up apache2"


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Delete nodes

$ ansible-playbook -i plugins/inventory/ec2.py demo-terminate.yml$ cat demo-terminate.yml

- name: Delete aws serversremote_user: rootvars:

- region: region_nametasks:

- name: Delete hostsec2:

instance_ids: "{{ ec2_id }}"region: "{{ region }}"state: absentwait: yes


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Cloudformation: one-shot AWS infrastructure

AWS Cloudformation is a service to easily and repeatably provisionan AWS infrastructure (instances, VPCs, security groups…).The infrastructure objects and relations are modeled in a JSON filecalled “template”.Using the template a “stack” is instantiated. A “stack” is “acollection of AWS resources you create and delete as a single unit.”

N.B.notice the “delete”: think “immutable infrastructure”…


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Launching stacks with Ansible

The Ansible “cloudformation” module launches a Cloudformation stack.Once the stack template is created, an Ansible task can provision it:

- cloudformation:aws_access_key: "{{ AwsAccessKey }}"aws_secret_key: "{{ AwsSecretKey }}"stack_name: "{{ CloudFormationStackName }}"state: presentregion: "{{ AwsRegion }}"disable_rollback: falsetemplate_url: "https://s3-{{ AwsRegion }}.amazonaws.com/omissis-{{ AwsRegion }}/{{ CloudFormationStackName }}"

register: stack

NOTE : the returning “stack” variable let us to retrieve information aboutthe resources instantiated in order to perform other actions on them.


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.


Pythonic template by TrophospereThe JSON template can grow to be really messy. A Python library calledTroposphere may make the cloudformation model description easier tomanage

>>> from troposphere import Ref, Template>>> import troposphere.ec2 as ec2>>> t = Template()>>> instance = ec2.Instance("myinstance")>>> instance.ImageId = "ami-951945d0">>> instance.InstanceType = "t1.micro">>> t.add_resource(instance)<troposphere.ec2.Instance object at 0x101bf3390>>>> print(t.to_json()){

"Resources": {"myinstance": {

"Properties": {"ImageId": "ami-951945d0","InstanceType": "t1.micro"

},"Type": "AWS::EC2::Instance"

}}

}


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Thank you

Thank you


...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

...

.

Thank you

Contacts

Ivan Rossi email: [email protected]: @rouge2507

BioDec www.biodec.com


introduction to ansible (pycon7 2016)

Software