Wednesday, November 6, 13
In Science Fiction...
An ansible is a fictional machine capable of instantaneous or superluminal communication.
http://en.wikipedia.org/wiki/Ansible
In Open Source...
https://en.wikipedia.org/wiki/File:Dublin_Philharmonic_Orchestra_performing_Tchaikovsky%27s_Symphony_No_4_in_Charlotte,_North_Carolina.jpg
IT orchestration engine created by Michael DeHaan
- Configuration Management
- Software Deployment
- Ad-Hoc Command Execution
KISS
- No client setup
  http://www.theregister.co.uk/2007/05/08/dell_box_multipack/
- SSH-based
  http://www.cs.umd.edu/faq/ssh.html
- sudo-aware
  http://xkcd.com/149/
Business Model
Installation
- Native Packages
- Source tarball
- pip install ansible
- git clone https://github.com/ansible/ansible.git
Hands-on Install
Host Setup
Host Inventory
# production
host01
host02:port
host[03:50]
...
[webservers]
host[03:20]
[database]
host02
Variables
# production
host01
host02:port
host[03:50]
...
[webservers]
host[03:20]
[webservers:vars]
database_server=host02
[database]
host02
Execute a command
$ ansible -vvvv -i production remotehost -m setup
Modules
- Idempotent
- ansible-doc
The Play
- A set of rules
- Declarative syntax
- YAML
- Idempotent
lineinfile
- name: disable reverse dns lookup in sshd
  action: lineinfile dest=/etc/ssh/sshd_config state=present regexp="^UseDNS " line="UseDNS no" insertafter=EOF
Register results
- name: disable reverse dns lookup in sshd
  action: lineinfile dest=/etc/ssh/sshd_config state=present regexp="^UseDNS " line="UseDNS no" insertafter=EOF
  register: sshd_config
Backrefs
- name: apt-sources deb
  lineinfile: dest=/etc/apt/sources.list backrefs=yes regexp='^(deb .* ${dist} main)$' line='\1 contrib non-free'
  register: apt_get_update
Shell
- name: apt-sources deb
  lineinfile: dest=/etc/apt/sources.list backrefs=yes regexp='^(deb .* ${dist} main)$' line='\1 contrib non-free'
  register: apt_get_update
- name: update apt-get cache
  shell: /usr/bin/apt-get update
  when: apt_get_update.changed
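A simplified Python model of the lineinfile behaviour used in the sshd and apt-sources tasks above (an added example, not Ansible's own code and not part of the original slides). It shows why each task reports changed only on its first run, which is what lets register plus when: ...changed gate the follow-up command. The sample file contents and the value wheezy for ${dist} are assumptions.

```python
import re

def lineinfile(lines, regexp, line, backrefs=False):
    """Model of lineinfile with state=present and insertafter=EOF.

    Returns (new_lines, changed). Covers only the options used above.
    """
    pattern = re.compile(regexp)
    idx, match = None, None
    for i, current in enumerate(lines):
        m = pattern.search(current)
        if m:
            idx, match = i, m            # the last matching line wins
    if match is None:
        if backrefs or line in lines:
            return list(lines), False    # backrefs never appends a line
        return list(lines) + [line], True
    new_line = match.expand(line) if backrefs else line
    if lines[idx] == new_line:
        return list(lines), False        # already in the desired state
    out = list(lines)
    out[idx] = new_line
    return out, True

def run_twice(lines, **task):
    """Apply the same task twice; return the file and both changed flags."""
    first, changed1 = lineinfile(lines, **task)
    _, changed2 = lineinfile(first, **task)
    return first, changed1, changed2

# Constructed sample files (not taken from a real host).
SSHD = ["Port 22", "#UseDNS yes", "PermitRootLogin no"]
APT = ["deb http://ftp.debian.org/debian wheezy main"]
APT_RE = r"^(deb .* wheezy main)$"       # assumes ${dist} expands to wheezy

if __name__ == "__main__":
    # The commented default "#UseDNS yes" does not match "^UseDNS ",
    # so the setting is appended at EOF and the comment is left alone.
    print(run_twice(SSHD, regexp=r"^UseDNS ", line="UseDNS no"))
    # After the first run the line no longer ends in "main", so the
    # backrefs task stops matching and the second run is a no-op.
    print(run_twice(APT, regexp=APT_RE, line=r"\1 contrib non-free",
                    backrefs=True))
```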
Iterate
- name: install essential packages
  action: apt name={{ item }} state=latest
  with_items:
    - etckeeper
    - sudo
    - iptables-persistent
    - fail2ban
Conditional execution
- name: disable reverse dns lookup in sshd
  action: lineinfile dest=/etc/ssh/sshd_config state=present regexp="^UseDNS " line="UseDNS no" insertafter=EOF
  register: sshd_config
- name: restart sshd
  when: sshd_config.changed
  action: service name=ssh state=restarted
Use templates
- name: install default iptables rules
  action: template src=$item dest=/etc/iptables/rules.v4
  first_available_file:
    - templates/host/${ansible_hostname}/iptables-rules-v4.j2
    - templates/iptables-rules-v4.j2
  register: new_iptables
Playbook Structure
- Vars
- Hosts
- Tasks
- Handlers
Playbook Tree
production                # inventory file for production servers
stage                     # inventory file for stage environment

group_vars/
   group1                 # here we assign variables to particular groups
   group2                 # ""
host_vars/
   hostname1              # if systems need specific variables, put them here
   hostname2              # ""

site.yml                  # master playbook
webservers.yml            # playbook for webserver tier
dbservers.yml             # playbook for dbserver tier

roles/
    common/               # this hierarchy represents a "role"
        tasks/            #
            main.yml      #  <-- tasks file can include smaller files if warranted
        handlers/         #
            main.yml      #  <-- handlers file
        templates/        #  <-- files for use with the template resource
            ntp.conf.j2   #  <------- templates end in .j2
        files/            #
            bar.txt       #  <-- files for use with the copy resource
            foo.sh        #  <-- script files for use with the script resource
        vars/             #
            main.yml      #  <-- variables associated with this role

    webtier/              # same kind of structure as "common" was above, done for the webtier role
    monitoring/           # ""
    fooapp/               # ""
http://www.ansibleworks.com/docs/playbooks_best_practices.html
Launch Playbook
$ ansible-playbook -vvvv -i production playbook.yml
Fireball Mode
---
- hosts: debian
  user: root
  # Uncomment next block to use fireball mode
  # gather_facts: false
  # connection: ssh
  # tasks:
  # - action: fireball
  # - hosts: debian
  # connection: fireball
  # End comment block for fireball mode
  vars:
  ...
DEPRECATED
Accelerated Mode
- Supersedes Fireball
- Uses single TCP port
- Does not depend on ZMQ
---
- hosts: all
  accelerate: true
  # default port is 5099
  accelerate_port: 10000
Local Mode
Non-free
Questions?
Thank you!
@codehead javier a.t. rodriguez.org.mx scribd.com/javierrgz