View markdown source on GitHub

Ansible

Helena Rasche

Questions

• Why Ansible?

• How and when to use Ansible?

• How to write a role?

• How to leverage community build roles?

Objectives

• Learn Ansible basics.

• Write a simple role.

• Install a role from Ansible Galaxy.

last_modification Last modification: Apr 6, 2021

Configuration Management

Manages the configuration of machines.

Specifies what software is installed, how it is configured

Speaker Notes

• Configuration management manages the configuration of machines.
• It specifies what software should be installed, and how it should be configured

Why Configuration Management?

• Are you keeping track of config changes?
• What if your server dies?
• … or your VM is accidentally deleted?
• Can you recover? How quickly?

Speaker Notes

• So why do you want configuration management?
• What do you do when things go wrong?
• What if your server dies?
• Did you backup your configuration?
• Did you back up your webserver configuration?

Configuration Management goals

• Reproducibility

• Ensure 1000s of machines are correctly configured

• Easily recover from bad situations

Speaker Notes

• The goals of using CM are reproducibility, uniformity, and recovery.

Ansible

• Ansible is an open-source configuration management tool, sponsored by Red Hat

• Several alternatives are available (Chef, Puppet, Salt, etc)

• It uses an agentless model: SSH into machine and executes commands

• Very popular, especially among Galaxy admins!

• Many modules for common tasks like copying files or managing users or services.

Speaker Notes

• Ansible is a very popular CM tool, sponsored by RedHat.
• There are several alternatives, but Galaxy Project uses Ansible.
• It uses an agent-less model. You SSH into machines and execute commands on them.
• It has many popular pre-existing roles for common tasks.

Important Terms

Speaker Notes

• Some important terms you should know

Inventory File

Defines the systems (called “hosts”) against which Ansible will work.

[webservers]
192.168.0.1
192.168.0.2 ansible_user=ubuntu

[databases]
db_1.example.org ansible_user=root


Speaker Notes

• First is the Inventory File.
• This file lists all of your hosts.
• The group name is in square brackets.
• Group names are used to select a set of systems, on which Ansible should operate.
• It is possible to assign variables to hosts and groups.
• Here we override the ansible user variable on two hosts.
• This variable controls which user is used in login.

A module is a piece of code that Ansible can execute on a host, collecting return values.

A task is an invocation of single module with its configuration.

---
- copy:
src: foo.conf
dest: /etc/foo.conf
owner: foo
group: foo
mode: 0644

- package:
name: ntpdate
state: present


Speaker Notes

• Here is an example of invoking the copy module and the package module.
• Copy copies a file from source, on the local host to destination, on the remote host.
• Then it sets some attributes about the file like the owner and mode.
• Next we see an example of the package module. This is a generic OS package manager module.
• It ensures that for the package named ntpdate, its state is present, i.e. installed.

Role

.pull-left[ A collection of:

• files
• templates
• variables
• handlers

]

.pull-right[ with a predefined directory structure:

.
├── defaults
│   └── main.yml
├── files
│   └── cvmfs_wipecache.centos_7
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
│   ├── apache.yml
│   ├── main.yml
│   └── stratumN.yml
├── templates
│   └── stratum1_squid.conf.j2
├── tests
│   ├── inventory
│   └── test.yml
└── vars
└── main.yml



]

Speaker Notes

• A role is a collection of tasks, files, templates, variables, and handlers.
• Tasks are things to be executed, like a copy task to add files to a remote machine.
• Files have static, unchanging files that are used by the tasks.
• The templates are like files, but they contain variables which will be replaced, when ansible deploys the file.
• Variables contain definitions of variables for use in templates and tasks.
• Handlers manage services, restarting them when configuration changes.

Playbook

A YAML file listing a set of tasks and/or roles that should be applied to a group of hosts.

.pull-left[

• We define a playbook which has a name
• And applies to some group of hosts
• We specify some additional variables
• And then invoke some roles ]

.pull-right[

- name: CVMFS
hosts: all
vars:
cvmfs_role: client
galaxy_cvmfs_repos_enabled: true
roles:
- geerlingguy.repo-epel
- galaxyproject.cvmfs


]

Speaker Notes

• This is an example playbook.
• We give it a name, in this case CVMFS.
• Then we select some hosts, i.e. all hosts known to our inventory file.
• We specify some additional variables.
• And then we invoke two roles.

Vault

• Ansible playbooks should be kept under version control (typically with Git)
• Playbooks can be safely shared on public Git repositories (e.g. GitHub) by storing secrets like passwords in encrypted files called vaults
\$ANSIBLE_VAULT;1.1;AES256
63333238633033313664633437316231323932326531386266636637353037313335613563663934
6639666536653631363739383639633165633337393334630a353233393938646539306362633738
61613439366435336230636561663864323765303663666239613430323534333665636665643964
6537376666323333660a663233343565393166373665366138306661343764623561343634656463
31636265303430623731643766346434323565663436626466353765393465376533376366356463


Speaker Notes

• If you have secrets like API keys or passwords, you need to use Vault.
• This lets you collaborate on playbooks and infrastructure publicly with git.

Ansible Philosophies

• Some people write a single playbook that completely manages a machine (installing everything on a brand new machine)

• Other people write playbooks for a single task (e.g. upgrading software / installing nginx)

• Which one depends on your use case.

Speaker Notes

• There are multiple ways of designing playbooks, use one that fits your use case.
• Some prefer a playbook which does everything, so no step can be forgotten.
• Others prefer playbooks which do individual steps. These can be faster, and you can only run the ones that change.

Ansible Galaxy

• Public repository of roles

• Many for common software deployment (nginx, apache, postgresql)

• Different “Galaxy” than the bioinformatics tool server (but Ansible can be used to install that too!)

Speaker Notes

• Ansible has a repository for public roles.
• There are a huge number of available roles for common tasks.
• It is called Ansible Galaxy, but it is a different Galaxy.

Key Points

• Ansible lets you do system administration at scale