Advanced automation

techniques and best

practices with Ansible
Taking your Red Hat Ansible Automation
skills to the next level and managing
automation at scale

John Walter
Solutions Architect, Training + Certification

1
AGENDA
● Ansible Automation
○ Technical Overview
● Ansible Best Practices
○ Curriculum Overview
○ Demo
● Ways to Train and the Red Hat Learning Subscription
○ Advanced Automation: Ansible Best Practices course - DO447
● Q&A
 Ansible Technical Overview

3
 What is Ansible Automation?

Ansible Automation is the enterprise

framework for automating across IT
operations.
RED HAT ANSIBLE TOWER
Operationalize your automation
Ansible Engine runs Ansible
Playbooks, the automation language CONTROL DELEGATION SCALE

that can perfectly describe an IT

application infrastructure. RED HAT ANSIBLE ENGINE
Simple command line automation
Ansible Tower allows you scale IT
automation, manage complex SIMPLE POWERFUL AGENTLESS

deployments and speed productivity.

FUELED BY AN INNOVATIVE OPEN SOURCE COMMUNITY

4
 Why Ansible?

Simple Powerful Agentless

Human readable automation App deployment Agentless architecture

No special coding skills needed Configuration management Uses OpenSSH & WinRM

Tasks executed in order Workflow orchestration No agents to exploit or update

Usable by every team Network automation Get started immediately

Get productive quickly Orchestrate the app lifecycle More efficient & more secure

5
 What can I do using Ansible?
Automate the deployment and management of your entire IT footprint.

Do this...

Configuration Application Continuous Security and

Orchestration Provisioning
Management Deployment Delivery Compliance

On these...

Firewalls Load Balancers Applications Containers Clouds

Servers Infrastructure Storage Network Devices And more...

6
 Ansible automates technologies you use
Time to automate is measured in minutes

Cloud Virt & Container Windows Network Devops Monitoring

AWS Docker ACLs Arista Jira Dynatrace

Azure VMware Files A10 GitHub Airbrake
Digital Ocean RHV Packages Cumulus Vagrant BigPanda
Google OpenStack IIS Bigswitch Jenkins Datadog
OpenStack OpenShift Regedits Cisco Bamboo LogicMonitor
Rackspace +more Shares Cumulus Atlassian Nagios
+more Services Dell Subversion New Relic
Configs F5 Slack PagerDuty
Operating Storage Users Juniper Hipchat Sensu
Systems Netapp Domains Palo Alto +more StackDriver
Rhel And Linux Red Hat Storage +more OpenSwitch Zabbix
Unix Infinidat +more +more
Windows +more
+more
7
 PLAYBOOKS

8
 PUBLIC / PRIVATE
CLOUD PUBLIC / PRIVATE
CMDB CLOUD

ANSIBLE AUTOMATION ENGINE

USERS

HOSTS
INVENTORY CLI

MODULES PLUGINS
NETWORK
ANSIBLE DEVICES
PLAYBOOK

9
 Ansible Best Practices

10
 AUTOMATION IS CODE

Treat your Ansible content like code

● Version control your Ansible content

● Iterate
○ Start with a basic playbook and static inventory
○ Refactor and modularize later

11
 CODE NEEDS TO HAVE STYLE GUIDELINES

Do it with style

● Create a style guide for consistency:

○ Tagging
○ Whitespace
○ Naming of Tasks, Plays, Variables, and Roles
○ Directory Layouts
● Enforce the style
● Nice example: openshift-ansible Style Guide
example: https://goo.gl/JfWBcW

12
CODE MUST BE
ORGANIZED

USE GIT!
 Do it with style

site.yml # master playbook, calling others

webservers.yml # playbook for webserver tier
deployonce.yml # separate playbook for single-shot tasks
inventories/
production/ # different stages via inventory
hosts # inventory file for production servers
group_vars/
host_vars/
london/ # additional, alternative grouping if useful
roles/
requirements.yml # includes roles from some other place
common/ # base line, company wide configuration
webtier/

14
 GIT - ONE OR MANY?

Start with one Git repository - but when it grows,

use multiple!
At the beginning: put everything in one Git repository

In the long term:

● One Git repository per role
● Dedicated repositories for completely separated teams / tasks

New to git? Get your cheat sheet here: https://opensource.com/downloads/cheat-sheet-git

15
SO, WHAT DO
WE HAVE?
 USE READABLE INVENTORY NAMES

Give inventory nodes human-meaningful names rather

than IPs or DNS hostnames.

10.1.2.75 db1 ansible_host=10.1.2.75

10.1.5.45 db2 ansible_host=10.1.5.45
10.1.4.5 db3 ansible_host=10.1.4.5
10.1.0.40 db4 ansible_host=10.1.0.40

w14301.acme.com web1 ansible_host=w14301.acme.com

w17802.acme.com web2 ansible_host=w17802.acme.com
w19203.acme.com web3 ansible_host=w19203.acme.com
w19304.acme.com web4 ansible_host=w19203.acme.com

17
 TAKE ADVANTAGE OF GROUPING

Group hosts for easier inventory selection and less

conditional tasks -- the more the better.

[db] [east] [dev]

db[1:4] db1 db1
web1 web1
[web] db3
web[1:4] web3 [testing]
db3
[west] web3
db2
web2 [prod]
db4 db2
web4 web2
db4
web4
18
 COMBINE ALL INVENTORY SOURCES

Use dynamic sources where possible. Either as a single

source of truth - or let Ansible unify multiple sources.

● Stay in sync automatically

● Reduce human error
● No lag when changes occur
● Let others manage the inventory

19
 VARIABLES

JUST WORDS,
RIGHT?
 DESCRIBE VARIABLES WITH THEIR NAMES

Proper variable names can make plays more readable and

avoid variable name conflicts

a: 25 apache_max_keepalive: 25
data: ab apache_port: 80
data2: abc tomcat_port: 8080
id: 123

21
 PREFIX ROLE VARIABLES

Avoid collisions and confusion by adding the role name to

a variable as a prefix.

apache_max_keepalive: 25
apache_port: 80
tomcat_port: 8080

22
 PLACE VARIABLES APPROPRIATELY

Know where your variables are

● Find the appropriate place for your variables based on what, where and
when they are set or modified
● Separate logic (tasks) from variables and reduce repetitive patterns
● Do not use every possibility to store variables - settle to a defined
scheme and as few places as possible

23
MAKE YOUR PLAYBOOK
READABLE
 USE NATIVE YAML SYNTAX

NO!

- name: install telegraf

yum: name=telegraf-{{ telegraf_version }} state=present update_cache=
notify: restart telegraf

- name: start telegraf

service: name=telegraf state=started

25
 USE FOLDING ONLY IF REALLY REQUIRED

Better, but no

- name: install telegraf

yum: >
name=telegraf-{{ telegraf_version }}
state=present
update_cache=yes
enablerepo=telegraf
notify: restart telegraf

- name: start telegraf

service: name=telegraf state=started

26
 USE KEY:VALUE PAIRS

Yes!

- name: install telegraf

yum:
name: “telegraf-{{ telegraf_version }}”
state: present
update_cache: yes
enablerepo: telegraf
notify: restart telegraf

- name: start telegraf

service:
name: telegraf
state: started

27
 DO NOT OMIT THE TASK NAME

Exhibit A

- hosts: web PLAY [web]

tasks: ********************************
- yum:
name: httpd TASK [setup]
state: latest ********************************
ok: [web1]
- service:
name: httpd TASK [yum]
state: started ********************************
enabled: yes ok: [web1]

TASK [service]
********************************
ok: [web1]
28
 USE TASK NAMES

Exhibit B

- hosts: web PLAY [install and starts apache]

name: installs and starts apache ********************************

tasks: TASK [setup]

- name: install apache packages ********************************
yum: ok: [web1]
name: httpd
state: latest TASK [install apache packages]
********************************
- name: starts apache service ok: [web1]
service:
name: httpd TASK [starts apache service]
state: started ********************************
enabled: yes ok: [web1]
29
POWERFUL
BLOCKS
 USE BLOCK SYNTAX

Blocks can help in organizing code, but also enable

rollbacks or output data for critical changes.

- block:
copy:
src: critical.conf
dest: /etc/critical/crit.conf
service:
name: critical
state: restarted
rescue:
command: shutdown -h now

31
 EXECUTING THE ANSIBLE COMMANDS

How to execute

32
 PROPER
LAUNCHING
 TROUBLESHOOT ON EXECUTION

Ansible provides multiple switches for command line

interaction and troubleshooting.

-vvvv
--step
--check
--diff
--start-at-task

34
 ANALYZE WHAT YOUR ARE RUNNING

Ansible has switches to show you what will be done

Use the power of included options:

--list-tasks
--list-tags
--list-hosts
--syntax-check

35
 QUICKLY LAUNCH WITHOUT INVENTORY

If there is a need to launch something without an

inventory - just do it!

● For single tasks - note the comma:

ansible all -i neon.qxyz.de, -m service -a
"name=redhat state=present"
● For playbooks - again, note the comma:
ansible-playbook -i neon.qxyz.de, site.yml

36
THE RIGHT
TOOLS
 CHECK IMMEDIATELY WHAT WAS DONE

Don’t just start services -- use smoke tests

- name: check for proper response

uri:
url: http://localhost/myapp
return_content: yes
register: result
until: '"Hello World" in result.content'
retries: 10
delay: 1

38
 USE NATIVE MODULES WHERE POSSIBLE

Try to avoid the command module - always seek out a

module first
- name: add user - name: add user
command: useradd appuser user:
name: appuser
- name: install apache state: present
command: yum install httpd
- name: install apache
- name: start apache yum:
shell: | name: httpd
service httpd start && chkconfig state: latest
httpd on
- name: start apache
service:
name: httpd
state: started
39
enabled: yes
 MARK MANAGED FILES

If managed files are not marked, they might be

overwritten accidentally

● Label template output files as being generated by Ansible

● Use the ansible_managed** variable with the comment filter

{{ ansible_managed | comment }}

40
ROLES AND
GALAXIES
 USE ROLES WHERE POSSIBLE

Roles enable you to encapsulate your operations.

● Like playbooks -- keep roles purpose and function focused

● Store roles each in a dedicated Git repository
● Include roles via roles/requirements.yml file, import via
ansible-galaxy tool
● Limit role dependencies

42
 USE GALAXY - WITH CARE

Get roles from Galaxy, but be careful and adopt them to

your needs

● Galaxy provides thousands of roles

● Quality varies drastically
● Take them with a grain of salt
● Pick trusted or well known authors

43
ACCESS RIGHTS
 USE BECOME, DON’T BE A ROOT

Root access is harder to track than sudo - use sudo

wherever possible

● Ansible can be run as root only

● But login and security reasons often request non-root access
● Use become method - so Ansible scripts are executed via sudo
(sudo is easy to track)
● Best: create an Ansible only user
● Don’t try to limit sudo rights to certain commands - Ansible
does not work that way!

45
DEBUG YOUR
PROBLEM
 HAVE A LOOK AT THE NODE LEVEL

Check logging on target machine

ansible-node sshd[2395]: pam_unix(sshd:session): session

opened for user liquidat by (uid=0)
ansible-node ansible-yum[2399]: Invoked with
name=['httpd']
list=None install_repoquery=True conf_file=None
disable_gpg_check=False state=absent disablerepo=None
update_cache=False enablerepo=None exclude=None

47
 IN WORST CASE, DEBUG ACTUAL CODE

How to keep the code executed on the target machine

Look into the logging of your target machine

$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible target-node -m yum

-a "name=httpd state=absent"

Execute with:

$ /bin/sh -c 'sudo -u $SUDO_USER /bin/sh -c

"/usr/bin/python /home/liquidat/.ansible/tmp/..."

48
 USE THE DEBUG MODULE

Debugging tasks can clutter the output, apply some

housekeeping

- name: Output debug message

debug:
msg: "This always displays"

- name: Output debug message

debug:
msg: "This only displays with ansible-playbook -vv+"
verbosity: 2

49
 GET TOWER TO ADOPT ANSIBLE IN YOUR DATA CENTER

How to use in real life

50
 TOWER FUNCTIONS

Simple: Use Tower.

● Tower was developed with Ansible in mind

● Extends the limits of Ansible to meet
enterprise needs:
Scalability, API, RBAC, audits, etc.

51
 TOWER FUNCTIONS

Tower has inbuilt help

● Tower provides in-program help via

questionmark bubbles
● Can include examples or links to further docs

52
BRANCHES, ANYONE?
 TAKE ADVANTAGE OF GIT BRANCHES

Tower can import a repository multiple times with

different branches

● Use feature or staging branches in your Git

● Import them all separately, address them separately
● Useful for testing of new features but also to move changes
through stages

54
MANY, MANY ROLES
 TOWER & ROLES

Tower automatically imports Roles during Project update

● Do not copy roles into your playbook repository, just create a

roles/requirements.yml
● Tower will automatically import the roles during Project
installation
● Mix roles from various sources
● Fix version in roles/requirements.yml to have auditable
environment!

56
WHAT ARE WE
TALKING TO?
 TOWER FUNCTIONS

Use dynamic & smart inventories

● Combine multiple inventory types

● Let Tower take care of syncing and caching
● Use smart inventories to group nodes

QUICK TIP
Try right clicking on the icon and using
“Replace Image” to insert your own icons.

58
DOING GOOD JOBS
 USE THE POWER OF JOB TEMPLATES

Tower job templates provide multiple options - use them

wisely

● Keep jobs simple, focussed - as playbooks or roles

● Add labels to them to better filter
● For idempotent jobs, create “check” templates as well - and let
them run over night
● Combine with notifications - and get feedback when a “check”
failed

60
1+1+1 = 1
 USE WORKFLOWS FOR COMPLEX TASKS

Multiple playbooks can be combined into one workflow

● Simple jobs, complex workflows

● React to problems via workflow
● Combine playbooks of different teams, different repositories
● Re-sync inventories during the play

62
DO ASK PROPER QUESTIONS
 TOWER FUNCTIONS

Use surveys to get variable values

● Use good, meaningful variable names

● Provide a default choice
● Multiple choice > free text
● If answer not required - do you really need it at
all?

QUICK TIP
Try right clicking on the icon and using
“Replace Image” to insert your own icons.

64
A POWERFUL
TEAM
 USE TOWER TEAMS, SEPARATIONS

Tower provides tenants, teams, and users - use them for

separation

● Provide automation to others without exposing credentials

● Let others only see what they really need
● Use personal view instead of full Tower interface

66
ONE KEY TO RULE
THEM ALL ...
 USE TOWER SPECIFIC ACCESS CREDENTIALS

Tower credentials should only be used by Tower - not by

others

● Set up a separate user and password/key for Tower

● That way, automation can easily be identified on target
machines
● The key/password can be ridiculously complicated secure
● Store key/password in a safe for emergencies

68
NOTIFY YOURSELF!
 LET TOWER SEND NOTIFICATIONS TO YOU

Tower can send notifications if a job succeeds, fails or

always - as mail, IRC, web hook, and so on

● Let Tower notify you and your team if something breaks

● Send mails/web-hooks automatically to a ticket systems and
monitoring if there is a serious problem

70
LOGS, ANYONE?
 CONNECT TOWER TO CENTRAL LOGGING

Send all logs from Tower to central logging

● Splunk, Loggly, ELK, REST

● Send results from Ansible runs - but also from Tower changes

72
 ALWAYS KEEP
THE LIGHTS ON
 USE HA, DEPLOY ISOLATED NODES

Tower can be easily set up HA - and for restricted

networks, deploy isolated nodes

● Make Tower HA - it is easy!

● For distant or restricted networks, use isolated nodes

74
 Training at Red Hat

75
 WAYS TO TRAIN
Onsite Training
Private On-site training and
exams delivered at your location
or at one of our training centers
76
Classroom Training
Training and test in a professional
classroom environment led by
Red Hat Certified Instructors
Virtual Training
Live instructor-led online training
with the same high-quality,
hands-on labs you'd find in our
classrooms
Online Learning
90 days of access to course
content and up to 80 hours of
hands on labs – all available
online, at your pace, and your
schedule.
 RED HAT LEARNING SUBSCRIPTION
A prescriptive, reliable, learning solution for rapid skills transformation on Red Hat technologies

Simple, flexible, on-demand training

● 24x7 access globally, available offline

● Self-paced, unlimited access to Red Hat courses

● Access to content currently in development

● Updated content pushed as early releases

● Content spanning the entire Red Hat product portfolio

● Early access to completed chapters of courses

77
 RED HAT LEARNING SUBSCRIPTION TRIAL
Take advantage of 7-days of free access to Red Hat Training’s on-demand learning solution.

Start learning with access to:

- 50+ courses chapters
- Video classroom course chapters
- 1 hour cloud-based lab access
- Early Access to content in
development
- Including beta content for
upcoming product releases of
OpenShift Container Platform 4
- User consumption reports

TRY NOW AT: red.ht/learning-subscription

78
 ANSIBLE LEARNING PATH
Ansible Essentials: Simplicity in Automation Technical
DO007
Overview

Network Admins Linux Admins Windows Admins

Red Hat System Administration Microsoft Windows Automation
DO457 Ansible for Network Automation RH294 DO417
III: Linux Automation with Red Hat Ansible

EX294 Red Hat Certified Engineer

DO447 Advanced Automation: Ansible Best Practices

EX447 Red Hat Certified Specialist in Ansible Automation Exam

79

Required Suggested
Pre-req Overview Complementary
Course Exam
 Advanced Automation: Ansible Best Practices (DO447)
Take your Red Hat Ansible Automation skills to the next level and manage automation at scale
Advanced Automation: Ansible Best Practices (DO447) is for experienced Red Hat® Ansible® Automation
users who want to take their Ansible skills to the next level, enabling scalable design and operation of Ansible
Automation in the enterprise. You will explore better ways to automate tasks and use Red Hat Ansible Engine
effectively, as well as how to leverage advanced features of Ansible to perform more complex tasks. You will
also learn how to install and use Red Hat Ansible Tower to centrally coordinate your use of Ansible, control
access to hosts and systems, and manage Ansible workflows through the web interface and the Red Hat Ansible
Tower API.

Topics covered include managing playbooks/inventories with Git, controlling applications through their REST
API with Ansible Playbooks, and implementing a CI/CD pipeline with Git and Red Hat Ansible Tower.

Prerequisites: Be a Red Hat Certified Specialist in Ansible Automation or Red Hat Certified Engineer (RHCE®)
on Red Hat Enterprise Linux 8, or demonstrate equivalent Ansible experience

Certification: Red Hat Certified Specialist in Advanced Automation: Ansible Best Practices (EX447)

80
 Questions?

81
 CONFIDENTIAL Designator

Thank you linkedin.com/company/red-hat

youtube.com/user/RedHatVideos
Red Hat is the world’s leading provider of

enterprise open source software solutions.

facebook.com/redhatinc
Award-winning support, training, and consulting

services make
twitter.com/RedHat
Red Hat a trusted adviser to the Fortune 500.

82