SlideShare a Scribd company logo

Ansible: How to Get More Sleep and Require Less Coffee

Download as PPTX, PDF
Sarah Z
Sarah Z

Why you need automation, configuration management and remote execution in your life. An intro to Ansible and how it can make your life in Ops infinitely easier.

Technology
1 of 64
How to Get More Sleep and Require Less Coffee Sarah Zelechoski @szelechoski Providence VMUG – 06/19/2014
State of Ops
Why We Sleep on the Couch We’re the ones they call when • “The website is down” • The customer is having an “weird” issue • A critical exploit just entered the wild • “I can’t login to the domain” • New deployment off hours • Offshore needs 6 new VMs for testing • “I’m doing a customer demo at 8AM”
Why We Own DNKN We’re seriously overloaded • Building VM templates • Configuring clusters • Storage management • Networking • Software deployment • User/Group Authentication/Authorization • Performance Testing • OS Upgrades • Software Upgrades • Security Patching • Troubleshooting • Customer Support • Development Labs • Alerting/Monitoring
Guys What R U Doin • Building VM templates • ISO install and configuration • Network setup • Set up users/group, security, authentication/authorization • Software install and configuration • Building out clusters • Cloning N number of VMs from X number of templates • Hostname/network configuration • Firewalling • Software deployments • Turn off monitoring/alerting • Pull nodes out of Load Balanced Group • Run DB migrations • Deploy application code • Restart web server • Put nodes back in/turn monitoring back on • Server maintenance • SSH in to every server and restart a service • Write complex scripts to log in to every server and update openssl
Guys STAHP • Ad hoc is bad hoc • Complex shell scripts to account for every eventuality • DRY (yeah I used to be a ruby dev) • Any manual task can introduce human error • They shouldn’t have to call you on your on vacation
Put an M on It • Configuration Management (CM) • authoritative centralization of configuration data and actions • history of updates, changes for auditing purposes • define the exact state a system should be in • Infrastructure CM • define the state that a system should be in with respect to it’s configuration and use tools that achieve that state • enforce consistency across an entire environment • automate to increase efficiency and repeatability • easier to affect change (cloud provider, OS, etc.) • remove the human factor • disaster recovery
Tool Time • Puppet • great with Windows (as long as they’re not XP) • amazing Enterprise support • cryptic DSL (imo) • Chef • easy to learn if you’re a ruby developer! • amazing wealth of cookbooks • Almost too verbose • SaltStack
Ansible • Agentless! • Uses SSH (with one python requirement) • Everything is a YAML file • Structure is flexible (ad-hoc, playbooks, roles, orchestration) • Easily extensible via modules • Encryption and security built in • Full power at the CLI (open source!) • Even more features available in enterprise (Tower) • No Windows • Idempotent
Idempo-what? “Operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.” – wikipedia
Idempodent: Example • You need all your application servers’ tomcat setenv.sh to look like: JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat • You could get the job done with a classic echo command echo JAVA_HOME=/usr/java/latest >> /usr/local/tomcat/bin/setenv.sh echo JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" >> /usr/local/tomcat/bin/setenv.sh echo CATALINA_HOME=/usr/local/tomcat >> /usr/local/tomcat/bin/setenv.sh • But… • what if these lines already exist? • what if the file doesn’t exist on a few of the servers? • what if you needed to run your script again to update/restore another setting? • If you don’t know the beginning state of the system, the end state is unpredictable
Idempotent: Example • You could write a more complex script for i in $tomcat_env_file do echo "Processing file $i" # i hate this trick, but since a non match is status code 1 and that # will kill this script do an unless here that forces a zero has_java_home=$(grep -cE "^JAVA_HOME=" $i || true) if [ $has_java_home -eq 0 ]; then sed –f setenv-without-java-home.sed -i $i elif [ $has_java_home -eq 1 ]; then sed -f setenv-with-java-home.sed -i $i else echo "Something went very wrong. Please review $i and make sure there is only a single line containing ’JAVA_HOME=' and run script again" fi done
Ain’t Nobody Got Time For That • Use an idempotent CM tool • Tell the tool what state you need the system to be in • Tool will get you from A->Z or B->Z or even C->Z • Won’t get mangled configs • Won’t get conflicting packages • Won’t get mismatched versions • Won’t get error messages you have to handle for each unique case
Ansible: Example • template the setenv.sh file we want # {{ ansible_managed }} JAVA_HOME={{java_home}}latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME={{tomcat_home}} • provide defaults (in yml!) --- java_home: /usr/java/ tomcat_home: /usr/local/tomcat tomcat_user: {name: ‘tomcat’, group: ‘tomcat’}
Ansible: Example • write ansible task - name: Apache Tomcat | Configure | Overlay configuration template: src='setenv.j2' dest='{{tomcat_home}}/bin/setenv.sh' owner={{tomcat_user.name}} group={{tomcat_user.group}} • profit! $ cat /usr/local/tomcat/bin/setenv.sh # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/tomcat- 7/templates/cloud/app/setenv.j2 modified on 2014-04-04 13:18:35 by vagrant on vagrant JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat
Structure • Inventory • Modules • Ad Hoc Commands • Playbooks • Tasks • Variables • Templates • Handlers • Roles
Inventory: Example [production:children] webservers dbservers proxies [webservers] foo.example.com http_port=80 bar.example.com http_port=8080 [dbservers] db[01:03].example.com [dbservers:vars] pgsql_bind_nic=eth1 [proxies] 192.168.1.1 $ ansible production –a “echo hello” –u joe –k $ ansible dbservers –a “service postgresl restart” –u joe –U root –k -K
Dynamic vSphere Inventory • Any script that can output JSON can be used to generate dynamic inventory • Use pysphere (python) or rbvmomi (ruby) to communicate with vSphere/vCenter • Organize your VMs by folder or resource pool to translate in to group
Dynamic vSphere Inventory • https://github.com/RaymiiOrg/ansible-vmware $ python2 query.py -–list { "no_group": { "hosts": [ "vm0031", "vm0032", [...] "vm0999" ] }, "local": [ "127.0.0.1" ] }
Dynamic vSphere Inventory • Preface each command with the script $ ANSIBLE_HOSTS="/src/vmware-ansible/query.py" ansible all -m ping • Export an environmental variable $ export ANSIBLE_HOSTS="/src/vmware-ansible/query.py” $ ansible no_group -m ping
Modules • can be written in any language as long as they output JSON • take parameters and conditions to define desired state • handles processing of system resources, services, packages, files, etc. in idempotent fashion • “seek to avoid changes to the system unless a change needs to be made” • ansible comes preloaded with a plethora of modules • tons of community pull requests
Ad Hoc Commands • run a single, one-off command • run on a full or partial inventory • run on a single host • no need to save for later $ ansible webservers –m command –a “dpkg-query –W openssl” –u joe –k SSH password: foo.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10 bar.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10
Playbooks • More powerful configuration management • Kept in source control, developed, validated • Declare configurations of more complex mutli-system enviornments • Arrange and run tasks synchronously or asynchronously
Playbooks: Example --- - hosts: all remote_user: vagrant sudo: true sudo_user: root vars_files: - roles/vars/webserver.encrypt vars: lifecycle: dev roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/sudoers - roles/iptables - roles/clamav - roles/java-jdk-7 - roles/postgres - roles/apache - roles/tomcat-7 - { role: roles/tc-native, when: native== 'true' } - roles/ansible - roles/git - roles/liquibase - roles/cleanup post_tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}} ’port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat - '80' #httpd
Playbooks: Example $ ansible-playbook –i production webserver.yml –k –K $ ansible-playbook –i production webserver.yml –f 10 –k –K $ ansible-playbook –i production webserver.yml --list-hosts -k –K $ ansible-playbook –i production webserver.yml –-check –k –K
Tasks: Example module parameter iterator variable - name: Apache Tomcat | Install | Grab latest tomcat tarball get_url: url='{{tomcat.base_url}}{{item.sub_url}}{{item.file}}' dest='/tmp/{{item.file}}' with_items: tomcat.files - name: Apache Tomcat | Install | Extract archive shell: tar -xvzf /tmp/{{item.file}} -C /usr/local creates=/usr/local/{{item.target}} with_items: tomcat.files - name: Apache Tomcat | Install | Give ownership of install to tomcat user file: path=/usr/local/{{item.target}} state=directory owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.files - name: Apache Tomcat | Install | Symlink install directory file: src='/usr/local/{{item.target}}' path='/usr/local/tomcat' state='link' with_items: tomcat.files - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}' owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.config_files
Variables: • Simple YAML format • Can create arrays and hashes • Can substitute vars into vars • Vars can be defined at many levels (default, role ,playbook) • Can test conditionals on vars and require them • Can be filtered and manipulated with jinja2 • Can be matched to regex!
Variables: Example #################################### ## TOMCAT ## tomcat_home: '/usr/local/tomcat' tomcat: config_files: - {file: 'tomcat.j2', target: '/etc/init.d/tomcat'} - {file: 'setenv.j2', target: '{{tomcat_home}}/bin/setenv.sh'} - {file: 'server.j2', target: '{{tomcat_home}}/conf/server.xml'} default_webapps: ['ROOT','docs','examples','host-manager','manager'] base_url: 'http://www.gtlib.gatech.edu/pub/apache/tomcat/tomcat-7/v7.0.54/bin/' files: - {file: 'apache-tomcat-7.0.54.tar.gz', target: 'apache-tomcat-7.0.54'} user: {name: 'tomcat', group: 'tomcat'}
Templates • Templates are interpreted by jinja2 • stub out files • fill variables in differently depending on conditions • Powerful conditionals • Loops and iterators • Replace a file completely every time? • Yes. We configure for an end state.
Templates: Example # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd is true %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad is defined %} {% for item in ad.sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
Templates: Example # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/sudoers/templates/sudoers- debian.j2 modified on 2014-06-09 10:08:44 by vagrant on vagrant Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL yoda ALL= NOPASSWD: ALL Defaults:yoda !requiretty luke ALL=(ALL) ALL anakin ALL=(ALL) ALL %jedi ALL=(ALL) ALL
Handlers • Written just like a regular task • Only run if triggered by the notify directive • Indicates a change in the system state • Any module can be used for the handler action Handler - name: Restart Tomcat service: name=tomcat state=restarted Task - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}’ with_items: tomcat.config_files notify: Restart Tomcat
Roles • Break up configuration into repeatable chunks • Reduce, reuse, recycle • Clean, understandable structure • Stack on top of each other • Ansible Galaxy
Roles • active directory • ansible • apache • app-dynamics • artifactory • centos • clamav • cleanup • debian • git • gradle • iptables • java-jdk-6 • java-jdk-7 • jenkins • keystore • liquibase • local-users • postgres • sudoers • swarm • packer • tomcat-6 • tomcat-7 • tomcat-native • vmware-tools • zeromq
Roles • Structure roles/ tomcat-7/ defaults/ main.yml files/ blah.txt handlers/ main.yml meta/ main.yml tasks/ main.yml templates/ setenv.j2 tomcat.j2 server.j2 limits.j2 vars/ main.yml
Roles • Dependencies • Always run before the roles that depend on them • If dependencies are duplicated amongst roles, they will only be run once by default • Can use allow_duplicates to require a role to be run more than once with different conditions --- dependencies: - { role: liquibase } - { role: apache, port: 80 } - { role: postgres, dbname: appdb, bind_nice: eth1 }
Orchestration • “Rolling Updates” • Performing very complex infrastructure or cluster operations • Run plays in serial instead of parallel • Wait for certain conditions to move forward • Abort if certain percentage of failure
Orchestration: Example • turn off monitoring and alerting • remove application server from load balanced group • stop services • wait for services to stop fully • checkout new code from git • deploy webapp • restart services • wait for services to start fully • return to load blanced group
Example: Simple Service Restart • Problem • 50ish production customer VMs • Older CentOS 5 mixed with CentOS 6 • May or may not have python installed • Domain authentication • Need to restart livevault service
Example: Simple Service Restart • Create inventory • Dump IP addresses of customer VM into simple ansible inventory [customer_vms:vars] [customer_vms] 192.168.32.117 192.168.32.39 192.168.34.176 192.168.34.28 192.168.33.100 192.168.32.197 192.168.34.181 192.168.34.158 ...
Example: Simple Service Restart • Use an ad hoc command to make sure VMs are bootstrapped for Ansible $ ansible cusomter_vms -i oldvms –u domainjoe -s -U root -m raw -a "sudo yum install -y python-simplejson" -k –K • Restart the live vault service $ ansible customer_vms –i oldvms –u domainjoe –s –U root -m service –a "name=livevault state=restarted" –k -K
Example: Heartbleed • openssl exploit • good news: patched for your OS • other packages updated along with openssl • 6 different environments (production, test, demo, etc.) • may require service restarts • need verification of final state version
Example: Heartbleed --- hosts: all sudo: yes sudo_user: root tasks: - name: OpenSSL | Get current version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get current version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}" - name: OpenSSL | Apt | Install debconf-utils apt: pkg='debconf-utils' state='latest'
Example: Heartbleed - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0:amd64' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Upgrade Openssl apt: pkg='{{item}}' state='latest' update_cache='yes' install_recommends='yes' force='yes' with_items: - 'openssl' - 'libssl1.0.0' - name: OpenSSL | Get new version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get new version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"
Example: Heartbleed $ ansible-playbook -i cloud-daily, openssl.yml -u joe -k -K SSH password: sudo password [defaults to SSH password]: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u9, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u9" }
Example: Heartbleed TASK: [OpenSSL | Apt | Install debconf-utils] ********************************* ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Upgrade Openssl] *************************************** changed: [cloud-daily] => (item=openssl,libssl1.0.0) TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u11, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u11" } PLAY RECAP ******************************************************************** cloud-daily : ok=11 changed=5 unreachable=0 failed=0
Example: Join Domain • every new VM needs to be added to a domain • packages needed (winbind/samba) • domain could depend on environment • samba/winbind configuration different per machine • sudoers will be different per machine • domain admin must authenticate • this happens a lot • reusable playbook and roles
Example: Join Domain • Roles • install active directory requirements (active-directory) • join the assigned domain (active-directory-join) • maniuplate sudoers (sudoers)
Example: Join Domain • active-directory active-directory/ tasks/ main.yml templates/ nsswitch.j2 • tasks (main.yml) --- - name: AD Authentication| Install | Install dependencies for AD authentication apt: pkg={{item}} state=installed force=yes with_items: - krb5-user - libpam-krb5 - winbind - samba - name: AD Authentication | Configure | Allow for authentication using winbind template: src='nsswitch.j2' dest='/etc/nsswitch.conf'
Example: Join Domain • active-directory-join active-directory-join/ tasks/ main.yml templates/ krb5.j2 pam/ common-account.j2 common-auth.j2 common-password.j2 common-session-interactive.j2 sudo.j2 smb.j2 vars/ example.com office.lan
Example: Join Domain • vars (office.lan) --- #################################### ## ACTIVE DIRECTORY ## ad_domain: office.lan ad_primary_dc: ad1.office.lan ad_secondary_dc: ad2.office.lan ad_workgroup: OFFICE ad_sudoers_groups: - 'domain admins' - 'qasudoers' - 'devsudoers'
Example: Join Domain • templates (smb.j2) # {{ ansible_managed }} # #======================= Global Settings ======================= [global] bind interfaces only = yes interfaces = lo eth0 wlan workgroup = {{ad_workgroup}} netbios name = {{ansible_hostname|truncate(15, True, end='')}} password server = {{ad_primary_dc}} {{ad_secondary_dc}} realm = {% filter upper %}{{ad_domain}}{% endfilter %} security = ads idmap uid = 16777216-33554431 idmap gid = 16777216-33554431
Example: Join Domain • tasks (main.yml) --- - name: AD Authentication | Configure | Place kerberos config for domain authentication template: src='krb5.j2' dest='/etc/krb5.conf' - name: AD Authentication | Configure | Place samba config for domain authentication template: src='smb.j2' dest='/etc/samba/smb.conf' - name: AD Authentication | Configure | Start services and enable on boot (Debian) service: name={{item}} state='restarted' enabled='yes' with_items: - winbind - name: AD Authentication | Configure | Start services and do not enable on boot (Debian) service: name={{item}} state='restarted' enabled='no' with_items: - samba - name: AD Authentication | Configure | kinit shell: echo "{{ad_domain_admin_password}}" | kinit {{ad_domain_admin_username}}@{% filter upper %}{{ad_domain}}{% endfilter %}
Example: Join Domain - name: AD Authentication | Configure | Join Active Directory shell: net ads join -U{{ad_domain_admin_username}}%'{{ad_domain_admin_password}}' - name: AD Authentication | Configure | Enable pam authentication via winbind (Debian) template: src='pam/{{item.name}}' dest='/etc/pam.d/{{item.target}}' with_items: - {name: 'common-session-interactive.j2', target: 'common-session-interactive'} - {name: 'common-password.j2', target: 'common-password'} - {name: 'common-account.j2', target: 'common-account'} - {name: 'common-auth.j2', target: 'common-auth'} - {name: 'sudo.j2', target: 'sudo'} - name: AD Authentication | Configure | Set domain controllers to be ntp servers lineinfile: regexp='^server {{item}}' insertafter='^#server ntp.your-provider.example' line='server {{item}}' state=present dest='/etc/ntp.conf' with_items: - "{{ad_primary_dc}}" - "{{ad_secondary_dc}}" - name: AD Authentication | Configure | Restart services service: name={{item}} state='restarted' with_items: - winbind - samba - ntpd
Example: Join Domain • sudoers sudoers/ tasks/ main.yml templates/ sudoers-debian.j2 • tasks (main.yml) --- - name: User | sudo Configure | Don't always set home and Preserve env home template: src='sudoers-debian.j2' dest='/tmp/sudoers' owner='root' group='root' mode='0600' validate='visudo -cf %s’ - name: User | sudo Configure | Place new config shell: 'cp -vf /tmp/sudoers /etc/sudoers’ - name: User | sudo Configure | Clean up temporary files file: path='/tmp/sudoers' state='absent’
Example: Join Domain • templates (sudoers-debian.j2) # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" root ALL=(ALL:ALL) ALL %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd == 'true' %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad_sudoers_groups is defined %} {% for item in ad_sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
Example: Join Domain • Put it all together in a playbook --- - hosts: all sudo: True sudo_user: root vars_prompt: - name: "ad_domain" prompt: "Domain to join (e.g. office.lan)" private: no - name: "ad_domain_admin_username" prompt: "Domain Admin username" private: no - name: "ad_domain_admin_password" prompt: "Domain Admin password" private: yes vars_files: - ../roles/active-directory-join/vars/{{ad_domain}}.encrypt roles: - ../roles/active-directory - ../roles/active-directory-join - ../roles/sudoers tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22' delay='5' timeout='300' sudo: no delegate_to: localhost
Example: Join Domain $ ansible-playbook -i new-vm-clone, ad-join.yml –u joe -k -K SSH password: sudo password [defaults to SSH password]: Domain to join (e.g. office.lan): office.lan Domain Admin username: admin Domain Admin password: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [new-vm-clone] TASK: [../roles/active-directory | AD Authentication| Install | Install dependencies for AD authentication] *** ok: [new-vm-clone] => (item=krb5-user,libpam-krb5,winbind,samba) TASK: [../roles/active-directory | AD Authentication | Configure | Allow for authentication using winbind] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place kerberos config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place samba config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and enable on boot] *** changed: [new-vm-clone] => (item=winbind)
Example: Join Domain TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and do not enable on boot] *** changed: [new-vm-clone] => (item=samba) TASK: [../roles/active-directory-join | AD Authentication | Configure | kinit] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Join Active Directory] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Enable pam authentication via winbind] *** changed: [new-vm-clone] => (item={'name': 'common-session-interactive.j2', 'target': 'common-session-interactive'}) changed: [new-vm-clone] => (item={'name': 'common-password.j2', 'target': 'common-password'}) changed: [new-vm-clone] => (item={'name': 'common-account.j2', 'target': 'common-account'}) changed: [new-vm-clone] => (item={'name': 'common-auth.j2', 'target': 'common-auth'}) changed: [new-vm-clone] => (item={'name': 'sudo.j2', 'target': 'sudo'}) TASK: [../roles/active-directory-join | AD Authentication | Configure | Set domain controllers to be ntp servers] *** ok: [new-vm-clone] => (item=ad1.office.lan) ok: [new-vm-clone] => (item=ad2.office.lan) TASK: [../roles/active-directory-join | AD Authentication | Configure | Restart services] *** changed: [new-vm-clone] => (item=winbind) changed: [new-vm-clone] => (item=samba)
Example: Join Domain TASK: [../roles/sudoers | User | sudo Configure | Don't always set home and Preserve env home] *** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Place new config] *********** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Clean up temporary files] *** changed: [new-vm-clone] TASK: [Reboot the Server] ***************************************************** changed: [new-vm-clone] TASK: [Wait for Server to come back] ****************************************** ok: [new-vm-clone] PLAY RECAP ******************************************************************** new-vm-clone : ok=18 changed=13 unreachable=0 failed=0
Example: Server provisioner • Build and configure webserver --- #packer provisioning only - hosts: all connection: local remote_user: vagrant sudo: True sudo_user: root vars_files: - roles/vars/cloud.encrypt vars: lifecycle: 'production' build_flavor: 'cloud' app_flavor: 'app' roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/active-directory - roles/cloud-baseline - roles/sudoers - roles/iptables - roles/java-jdk-7 - roles/tomcat-7 - { role: roles/tomcat-native, when: native == 'true' } - roles/ansible - roles/app-dynamics - roles/opsview - roles/cleanup - roles/git tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat
Where do I go from here? • Stop doing everything by hand! • If you find yourself logging in to more than one VM to do the same task... • If you have been meaning to get around to patching or updating a bunch of VMs... • If you know all of the prompts of the OS installer by heart... • If scp and vi are your favorite tools... • If you dread the next release of your application • If you wince every time your phone rings
Use Ansible • Get more sleep • Require less coffee
Recommended Reading • http://docs.ansible.com/ • https://github.com/ansible/ansible-examples • https://gist.github.com/marktheunissen/2979474 • http://jpmens.net/ • https://galaxy.ansible.com/ • http://docs.ansible.com/vsphere_guest_module.html

Recommended

Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Timothy Appnel
 
Ansible intro
Ansible introAnsible intro
Ansible introMarcelo Quintiliano da Silva
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible + WordPress
Ansible + WordPressAnsible + WordPress
Ansible + WordPressAlan Lok
 
Ansible - A 'crowd' introduction
Ansible - A 'crowd' introductionAnsible - A 'crowd' introduction
Ansible - A 'crowd' introductionManuel de la Peña Peña
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using dockerLarry Cai
 
Deploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleDeploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleOrestes Carracedo
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 

Recommended

Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Ansible v2 and Beyond (Ansible Hawai'i Meetup)
Ansible v2 and Beyond (Ansible Hawai'i Meetup)Timothy Appnel
 
Ansible intro
Ansible introAnsible intro
Ansible introMarcelo Quintiliano da Silva
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible + WordPress
Ansible + WordPressAnsible + WordPress
Ansible + WordPressAlan Lok
 
Ansible - A 'crowd' introduction
Ansible - A 'crowd' introductionAnsible - A 'crowd' introduction
Ansible - A 'crowd' introductionManuel de la Peña Peña
 
Learn basic ansible using docker
Learn basic ansible using dockerLearn basic ansible using docker
Learn basic ansible using dockerLarry Cai
 
Deploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleDeploying PHP Applications with Ansible
Deploying PHP Applications with AnsibleOrestes Carracedo
 
Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Ansible 2.0 - How to use Ansible to automate your applications in AWS.
Ansible 2.0 - How to use Ansible to automate your applications in AWS.Idan Tohami
 
How Ansible Makes Automation Easy
How Ansible Makes Automation EasyHow Ansible Makes Automation Easy
How Ansible Makes Automation EasyPeter Sankauskas
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102APNIC
 
Ansible
AnsibleAnsible
AnsibleVladimír Smitka
 
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleLocal Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleJeff Geerling
 
EC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerEC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerGeorge Miranda
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Richard Donkin
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to AnsibleDan Vaida
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with AnsibleAhmed AbouZaid
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them AllTim Fairweather
 
Jenkins and ansible reference
Jenkins and ansible referenceJenkins and ansible reference
Jenkins and ansible referencelaonap166
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef
 
Ansible Case Studies
Ansible Case StudiesAnsible Case Studies
Ansible Case StudiesGreg DeKoenigsberg
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleMichael Bahr
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practicesBas Meijer
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerTomas Doran
 
Ansible and AWS
Ansible and AWSAnsible and AWS
Ansible and AWSPeter Sankauskas
 
Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Pavel Chunyayev
 
Hosting Ruby Web Apps
Hosting Ruby Web AppsHosting Ruby Web Apps
Hosting Ruby Web AppsMichael Reinsch
 

More Related Content

What's hot

How Ansible Makes Automation Easy
How Ansible Makes Automation EasyHow Ansible Makes Automation Easy
How Ansible Makes Automation EasyPeter Sankauskas
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102APNIC
 
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleLocal Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleJeff Geerling
 
EC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerEC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerGeorge Miranda
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Richard Donkin
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to AnsibleDan Vaida
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with AnsibleAhmed AbouZaid
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them AllTim Fairweather
 
Jenkins and ansible reference
Jenkins and ansible referenceJenkins and ansible reference
Jenkins and ansible referencelaonap166
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleMichael Bahr
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practicesBas Meijer
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerTomas Doran
 

What's hot (20)

How Ansible Makes Automation Easy
How Ansible Makes Automation EasyHow Ansible Makes Automation Easy
How Ansible Makes Automation Easy
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102
 
Ansible
AnsibleAnsible
Ansible
 
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and AnsibleLocal Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
Local Dev on Virtual Machines - Vagrant, VirtualBox and Ansible
 
EC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and PackerEC2 AMI Factory with Chef, Berkshelf, and Packer
EC2 AMI Factory with Chef, Berkshelf, and Packer
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)
 
A quick intro to Ansible
A quick intro to AnsibleA quick intro to Ansible
A quick intro to Ansible
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
 
Ansible Automation to Rule Them All
Ansible Automation to Rule Them AllAnsible Automation to Rule Them All
Ansible Automation to Rule Them All
 
Jenkins and ansible reference
Jenkins and ansible referenceJenkins and ansible reference
Jenkins and ansible reference
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
 
Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015Chef Provisioning a Chef Server Cluster - ChefConf 2015
Chef Provisioning a Chef Server Cluster - ChefConf 2015
 
Ansible Case Studies
Ansible Case StudiesAnsible Case Studies
Ansible Case Studies
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for Docker
 
Ansible and AWS
Ansible and AWSAnsible and AWS
Ansible and AWS
 

Similar to Ansible: How to Get More Sleep and Require Less Coffee

Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Pavel Chunyayev
 
Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)DECK36
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of AnsibleDevOps Ltd.
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 
Managing Infrastructure as Code
Managing Infrastructure as CodeManaging Infrastructure as Code
Managing Infrastructure as CodeAllan Shone
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesMike Splain
 
Planning to Fail #phpne13
Planning to Fail #phpne13Planning to Fail #phpne13
Planning to Fail #phpne13Dave Gardner
 
Automating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps ApproachAutomating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps ApproachAkshaya Mahapatra
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnwgarrett honeycutt
 
Cloud patterns applied
Cloud patterns appliedCloud patterns applied
Cloud patterns appliedLars Fronius
 
Large-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 MinutesLarge-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 MinutesHiroshi SHIBATA
 
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014Miguel Zuniga
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at ScaleAntony Messerl
 
Planning to Fail #phpuk13
Planning to Fail #phpuk13Planning to Fail #phpuk13
Planning to Fail #phpuk13Dave Gardner
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 

Similar to Ansible: How to Get More Sleep and Require Less Coffee (20)

Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015Ansible benelux meetup - Amsterdam 27-5-2015
Ansible benelux meetup - Amsterdam 27-5-2015
 
Hosting Ruby Web Apps
Hosting Ruby Web AppsHosting Ruby Web Apps
Hosting Ruby Web Apps
 
Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)
 
A tour of Ansible
A tour of AnsibleA tour of Ansible
A tour of Ansible
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Managing Infrastructure as Code
Managing Infrastructure as CodeManaging Infrastructure as Code
Managing Infrastructure as Code
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of Kubernetes
 
Planning to Fail #phpne13
Planning to Fail #phpne13Planning to Fail #phpne13
Planning to Fail #phpne13
 
Automating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps ApproachAutomating Software Development Life Cycle - A DevOps Approach
Automating Software Development Life Cycle - A DevOps Approach
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw
 
Cloud patterns applied
Cloud patterns appliedCloud patterns applied
Cloud patterns applied
 
Large-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 MinutesLarge-scaled Deploy Over 100 Servers in 3 Minutes
Large-scaled Deploy Over 100 Servers in 3 Minutes
 
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014
 
Corley scalability
Corley scalabilityCorley scalability
Corley scalability
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at Scale
 
Planning to Fail #phpuk13
Planning to Fail #phpuk13Planning to Fail #phpuk13
Planning to Fail #phpuk13
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 

Ansible: How to Get More Sleep and Require Less Coffee

  • 1. How to Get More Sleep and Require Less Coffee Sarah Zelechoski @szelechoski Providence VMUG – 06/19/2014
  • 3. Why We Sleep on the Couch We’re the ones they call when • “The website is down” • The customer is having an “weird” issue • A critical exploit just entered the wild • “I can’t login to the domain” • New deployment off hours • Offshore needs 6 new VMs for testing • “I’m doing a customer demo at 8AM”
  • 4. Why We Own DNKN We’re seriously overloaded • Building VM templates • Configuring clusters • Storage management • Networking • Software deployment • User/Group Authentication/Authorization • Performance Testing • OS Upgrades • Software Upgrades • Security Patching • Troubleshooting • Customer Support • Development Labs • Alerting/Monitoring
  • 5. Guys What R U Doin • Building VM templates • ISO install and configuration • Network setup • Set up users/group, security, authentication/authorization • Software install and configuration • Building out clusters • Cloning N number of VMs from X number of templates • Hostname/network configuration • Firewalling • Software deployments • Turn off monitoring/alerting • Pull nodes out of Load Balanced Group • Run DB migrations • Deploy application code • Restart web server • Put nodes back in/turn monitoring back on • Server maintenance • SSH in to every server and restart a service • Write complex scripts to log in to every server and update openssl
  • 6. Guys STAHP • Ad hoc is bad hoc • Complex shell scripts to account for every eventuality • DRY (yeah I used to be a ruby dev) • Any manual task can introduce human error • They shouldn’t have to call you on your on vacation
  • 7. Put an M on It • Configuration Management (CM) • authoritative centralization of configuration data and actions • history of updates, changes for auditing purposes • define the exact state a system should be in • Infrastructure CM • define the state that a system should be in with respect to it’s configuration and use tools that achieve that state • enforce consistency across an entire environment • automate to increase efficiency and repeatability • easier to affect change (cloud provider, OS, etc.) • remove the human factor • disaster recovery
  • 8. Tool Time • Puppet • great with Windows (as long as they’re not XP) • amazing Enterprise support • cryptic DSL (imo) • Chef • easy to learn if you’re a ruby developer! • amazing wealth of cookbooks • Almost too verbose • SaltStack
  • 9. Ansible • Agentless! • Uses SSH (with one python requirement) • Everything is a YAML file • Structure is flexible (ad-hoc, playbooks, roles, orchestration) • Easily extensible via modules • Encryption and security built in • Full power at the CLI (open source!) • Even more features available in enterprise (Tower) • No Windows • Idempotent
  • 10. Idempo-what? “Operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.” – wikipedia
  • 11. Idempodent: Example • You need all your application servers’ tomcat setenv.sh to look like: JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat • You could get the job done with a classic echo command echo JAVA_HOME=/usr/java/latest >> /usr/local/tomcat/bin/setenv.sh echo JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" >> /usr/local/tomcat/bin/setenv.sh echo CATALINA_HOME=/usr/local/tomcat >> /usr/local/tomcat/bin/setenv.sh • But… • what if these lines already exist? • what if the file doesn’t exist on a few of the servers? • what if you needed to run your script again to update/restore another setting? • If you don’t know the beginning state of the system, the end state is unpredictable
  • 12. Idempotent: Example • You could write a more complex script for i in $tomcat_env_file do echo "Processing file $i" # i hate this trick, but since a non match is status code 1 and that # will kill this script do an unless here that forces a zero has_java_home=$(grep -cE "^JAVA_HOME=" $i || true) if [ $has_java_home -eq 0 ]; then sed –f setenv-without-java-home.sed -i $i elif [ $has_java_home -eq 1 ]; then sed -f setenv-with-java-home.sed -i $i else echo "Something went very wrong. Please review $i and make sure there is only a single line containing ’JAVA_HOME=' and run script again" fi done
  • 13. Ain’t Nobody Got Time For That • Use an idempotent CM tool • Tell the tool what state you need the system to be in • Tool will get you from A->Z or B->Z or even C->Z • Won’t get mangled configs • Won’t get conflicting packages • Won’t get mismatched versions • Won’t get error messages you have to handle for each unique case
  • 14. Ansible: Example • template the setenv.sh file we want # {{ ansible_managed }} JAVA_HOME={{java_home}}latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME={{tomcat_home}} • provide defaults (in yml!) --- java_home: /usr/java/ tomcat_home: /usr/local/tomcat tomcat_user: {name: ‘tomcat’, group: ‘tomcat’}
  • 15. Ansible: Example • write ansible task - name: Apache Tomcat | Configure | Overlay configuration template: src='setenv.j2' dest='{{tomcat_home}}/bin/setenv.sh' owner={{tomcat_user.name}} group={{tomcat_user.group}} • profit! $ cat /usr/local/tomcat/bin/setenv.sh # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/tomcat- 7/templates/cloud/app/setenv.j2 modified on 2014-04-04 13:18:35 by vagrant on vagrant JAVA_HOME=/usr/java/latest JAVA_OPTS="-Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m" CATALINA_HOME=/usr/local/tomcat
  • 16. Structure • Inventory • Modules • Ad Hoc Commands • Playbooks • Tasks • Variables • Templates • Handlers • Roles
  • 17. Inventory: Example [production:children] webservers dbservers proxies [webservers] foo.example.com http_port=80 bar.example.com http_port=8080 [dbservers] db[01:03].example.com [dbservers:vars] pgsql_bind_nic=eth1 [proxies] 192.168.1.1 $ ansible production –a “echo hello” –u joe –k $ ansible dbservers –a “service postgresl restart” –u joe –U root –k -K
  • 18. Dynamic vSphere Inventory • Any script that can output JSON can be used to generate dynamic inventory • Use pysphere (python) or rbvmomi (ruby) to communicate with vSphere/vCenter • Organize your VMs by folder or resource pool to translate in to group
  • 19. Dynamic vSphere Inventory • https://github.com/RaymiiOrg/ansible-vmware $ python2 query.py -–list { "no_group": { "hosts": [ "vm0031", "vm0032", [...] "vm0999" ] }, "local": [ "127.0.0.1" ] }
  • 20. Dynamic vSphere Inventory • Preface each command with the script $ ANSIBLE_HOSTS="/src/vmware-ansible/query.py" ansible all -m ping • Export an environmental variable $ export ANSIBLE_HOSTS="/src/vmware-ansible/query.py” $ ansible no_group -m ping
  • 21. Modules • can be written in any language as long as they output JSON • take parameters and conditions to define desired state • handles processing of system resources, services, packages, files, etc. in idempotent fashion • “seek to avoid changes to the system unless a change needs to be made” • ansible comes preloaded with a plethora of modules • tons of community pull requests
  • 22. Ad Hoc Commands • run a single, one-off command • run on a full or partial inventory • run on a single host • no need to save for later $ ansible webservers –m command –a “dpkg-query –W openssl” –u joe –k SSH password: foo.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10 bar.example.com | success | rc=0 >> openssl 1.0.1e-2+deb7u10
  • 23. Playbooks • More powerful configuration management • Kept in source control, developed, validated • Declare configurations of more complex mutli-system enviornments • Arrange and run tasks synchronously or asynchronously
  • 24. Playbooks: Example --- - hosts: all remote_user: vagrant sudo: true sudo_user: root vars_files: - roles/vars/webserver.encrypt vars: lifecycle: dev roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/sudoers - roles/iptables - roles/clamav - roles/java-jdk-7 - roles/postgres - roles/apache - roles/tomcat-7 - { role: roles/tc-native, when: native== 'true' } - roles/ansible - roles/git - roles/liquibase - roles/cleanup post_tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}} ’port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat - '80' #httpd
  • 25. Playbooks: Example $ ansible-playbook –i production webserver.yml –k –K $ ansible-playbook –i production webserver.yml –f 10 –k –K $ ansible-playbook –i production webserver.yml --list-hosts -k –K $ ansible-playbook –i production webserver.yml –-check –k –K
  • 26. Tasks: Example module parameter iterator variable - name: Apache Tomcat | Install | Grab latest tomcat tarball get_url: url='{{tomcat.base_url}}{{item.sub_url}}{{item.file}}' dest='/tmp/{{item.file}}' with_items: tomcat.files - name: Apache Tomcat | Install | Extract archive shell: tar -xvzf /tmp/{{item.file}} -C /usr/local creates=/usr/local/{{item.target}} with_items: tomcat.files - name: Apache Tomcat | Install | Give ownership of install to tomcat user file: path=/usr/local/{{item.target}} state=directory owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.files - name: Apache Tomcat | Install | Symlink install directory file: src='/usr/local/{{item.target}}' path='/usr/local/tomcat' state='link' with_items: tomcat.files - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}' owner={{tomcat.user.name}} group={{tomcat.user.group}} with_items: tomcat.config_files
  • 27. Variables: • Simple YAML format • Can create arrays and hashes • Can substitute vars into vars • Vars can be defined at many levels (default, role ,playbook) • Can test conditionals on vars and require them • Can be filtered and manipulated with jinja2 • Can be matched to regex!
  • 28. Variables: Example #################################### ## TOMCAT ## tomcat_home: '/usr/local/tomcat' tomcat: config_files: - {file: 'tomcat.j2', target: '/etc/init.d/tomcat'} - {file: 'setenv.j2', target: '{{tomcat_home}}/bin/setenv.sh'} - {file: 'server.j2', target: '{{tomcat_home}}/conf/server.xml'} default_webapps: ['ROOT','docs','examples','host-manager','manager'] base_url: 'http://www.gtlib.gatech.edu/pub/apache/tomcat/tomcat-7/v7.0.54/bin/' files: - {file: 'apache-tomcat-7.0.54.tar.gz', target: 'apache-tomcat-7.0.54'} user: {name: 'tomcat', group: 'tomcat'}
  • 29. Templates • Templates are interpreted by jinja2 • stub out files • fill variables in differently depending on conditions • Powerful conditionals • Loops and iterators • Replace a file completely every time? • Yes. We configure for an end state.
  • 30. Templates: Example # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd is true %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad is defined %} {% for item in ad.sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
  • 31. Templates: Example # Ansible managed: /tmp/packer-provisioner-ansible-local/roles/roles/sudoers/templates/sudoers- debian.j2 modified on 2014-06-09 10:08:44 by vagrant on vagrant Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin” # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL yoda ALL= NOPASSWD: ALL Defaults:yoda !requiretty luke ALL=(ALL) ALL anakin ALL=(ALL) ALL %jedi ALL=(ALL) ALL
  • 32. Handlers • Written just like a regular task • Only run if triggered by the notify directive • Indicates a change in the system state • Any module can be used for the handler action Handler - name: Restart Tomcat service: name=tomcat state=restarted Task - name: Apache Tomcat | Configure | Overlay configuration template: src=‘{{item.file}}' dest='{{item.target}}’ with_items: tomcat.config_files notify: Restart Tomcat
  • 33. Roles • Break up configuration into repeatable chunks • Reduce, reuse, recycle • Clean, understandable structure • Stack on top of each other • Ansible Galaxy
  • 34. Roles • active directory • ansible • apache • app-dynamics • artifactory • centos • clamav • cleanup • debian • git • gradle • iptables • java-jdk-6 • java-jdk-7 • jenkins • keystore • liquibase • local-users • postgres • sudoers • swarm • packer • tomcat-6 • tomcat-7 • tomcat-native • vmware-tools • zeromq
  • 36. Roles • Dependencies • Always run before the roles that depend on them • If dependencies are duplicated amongst roles, they will only be run once by default • Can use allow_duplicates to require a role to be run more than once with different conditions --- dependencies: - { role: liquibase } - { role: apache, port: 80 } - { role: postgres, dbname: appdb, bind_nice: eth1 }
  • 37. Orchestration • “Rolling Updates” • Performing very complex infrastructure or cluster operations • Run plays in serial instead of parallel • Wait for certain conditions to move forward • Abort if certain percentage of failure
  • 38. Orchestration: Example • turn off monitoring and alerting • remove application server from load balanced group • stop services • wait for services to stop fully • checkout new code from git • deploy webapp • restart services • wait for services to start fully • return to load blanced group
  • 39. Example: Simple Service Restart • Problem • 50ish production customer VMs • Older CentOS 5 mixed with CentOS 6 • May or may not have python installed • Domain authentication • Need to restart livevault service
  • 40. Example: Simple Service Restart • Create inventory • Dump IP addresses of customer VM into simple ansible inventory [customer_vms:vars] [customer_vms] 192.168.32.117 192.168.32.39 192.168.34.176 192.168.34.28 192.168.33.100 192.168.32.197 192.168.34.181 192.168.34.158 ...
  • 41. Example: Simple Service Restart • Use an ad hoc command to make sure VMs are bootstrapped for Ansible $ ansible cusomter_vms -i oldvms –u domainjoe -s -U root -m raw -a "sudo yum install -y python-simplejson" -k –K • Restart the live vault service $ ansible customer_vms –i oldvms –u domainjoe –s –U root -m service –a "name=livevault state=restarted" –k -K
  • 42. Example: Heartbleed • openssl exploit • good news: patched for your OS • other packages updated along with openssl • 6 different environments (production, test, demo, etc.) • may require service restarts • need verification of final state version
  • 43. Example: Heartbleed --- hosts: all sudo: yes sudo_user: root tasks: - name: OpenSSL | Get current version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get current version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}" - name: OpenSSL | Apt | Install debconf-utils apt: pkg='debconf-utils' state='latest'
  • 44. Example: Heartbleed - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Prevent restart services dialog debconf: name='libssl1.0.0:amd64' question='libssl1.0.0/restart-services' vtype='string' value='ntp’ - name: OpenSSL | Apt | Upgrade Openssl apt: pkg='{{item}}' state='latest' update_cache='yes' install_recommends='yes' force='yes' with_items: - 'openssl' - 'libssl1.0.0' - name: OpenSSL | Get new version shell: 'dpkg-query -W openssl' register: openssl_version - name: OpenSSL | Get new version shell: 'dpkg-query -W libssl1.0.0' register: libssl_version - name: OpenSSL | Confirm new version debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"
  • 45. Example: Heartbleed $ ansible-playbook -i cloud-daily, openssl.yml -u joe -k -K SSH password: sudo password [defaults to SSH password]: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Get current version] ***************************************** changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u9, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u9" }
  • 46. Example: Heartbleed TASK: [OpenSSL | Apt | Install debconf-utils] ********************************* ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Prevent restart services dialog] *********************** ok: [cloud-daily] TASK: [OpenSSL | Apt | Upgrade Openssl] *************************************** changed: [cloud-daily] => (item=openssl,libssl1.0.0) TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Get new version] ********************************************* changed: [cloud-daily] TASK: [OpenSSL | Confirm new version] ***************************************** ok: [cloud-daily] => { "msg": "OpenSSL version installed is opensslt1.0.1e-2+deb7u11, libssl version installed is libssl1.0.0:amd64t1.0.1e-2+deb7u11" } PLAY RECAP ******************************************************************** cloud-daily : ok=11 changed=5 unreachable=0 failed=0
  • 47. Example: Join Domain • every new VM needs to be added to a domain • packages needed (winbind/samba) • domain could depend on environment • samba/winbind configuration different per machine • sudoers will be different per machine • domain admin must authenticate • this happens a lot • reusable playbook and roles
  • 48. Example: Join Domain • Roles • install active directory requirements (active-directory) • join the assigned domain (active-directory-join) • maniuplate sudoers (sudoers)
  • 49. Example: Join Domain • active-directory active-directory/ tasks/ main.yml templates/ nsswitch.j2 • tasks (main.yml) --- - name: AD Authentication| Install | Install dependencies for AD authentication apt: pkg={{item}} state=installed force=yes with_items: - krb5-user - libpam-krb5 - winbind - samba - name: AD Authentication | Configure | Allow for authentication using winbind template: src='nsswitch.j2' dest='/etc/nsswitch.conf'
  • 50. Example: Join Domain • active-directory-join active-directory-join/ tasks/ main.yml templates/ krb5.j2 pam/ common-account.j2 common-auth.j2 common-password.j2 common-session-interactive.j2 sudo.j2 smb.j2 vars/ example.com office.lan
  • 51. Example: Join Domain • vars (office.lan) --- #################################### ## ACTIVE DIRECTORY ## ad_domain: office.lan ad_primary_dc: ad1.office.lan ad_secondary_dc: ad2.office.lan ad_workgroup: OFFICE ad_sudoers_groups: - 'domain admins' - 'qasudoers' - 'devsudoers'
  • 52. Example: Join Domain • templates (smb.j2) # {{ ansible_managed }} # #======================= Global Settings ======================= [global] bind interfaces only = yes interfaces = lo eth0 wlan workgroup = {{ad_workgroup}} netbios name = {{ansible_hostname|truncate(15, True, end='')}} password server = {{ad_primary_dc}} {{ad_secondary_dc}} realm = {% filter upper %}{{ad_domain}}{% endfilter %} security = ads idmap uid = 16777216-33554431 idmap gid = 16777216-33554431
  • 53. Example: Join Domain • tasks (main.yml) --- - name: AD Authentication | Configure | Place kerberos config for domain authentication template: src='krb5.j2' dest='/etc/krb5.conf' - name: AD Authentication | Configure | Place samba config for domain authentication template: src='smb.j2' dest='/etc/samba/smb.conf' - name: AD Authentication | Configure | Start services and enable on boot (Debian) service: name={{item}} state='restarted' enabled='yes' with_items: - winbind - name: AD Authentication | Configure | Start services and do not enable on boot (Debian) service: name={{item}} state='restarted' enabled='no' with_items: - samba - name: AD Authentication | Configure | kinit shell: echo "{{ad_domain_admin_password}}" | kinit {{ad_domain_admin_username}}@{% filter upper %}{{ad_domain}}{% endfilter %}
  • 54. Example: Join Domain - name: AD Authentication | Configure | Join Active Directory shell: net ads join -U{{ad_domain_admin_username}}%'{{ad_domain_admin_password}}' - name: AD Authentication | Configure | Enable pam authentication via winbind (Debian) template: src='pam/{{item.name}}' dest='/etc/pam.d/{{item.target}}' with_items: - {name: 'common-session-interactive.j2', target: 'common-session-interactive'} - {name: 'common-password.j2', target: 'common-password'} - {name: 'common-account.j2', target: 'common-account'} - {name: 'common-auth.j2', target: 'common-auth'} - {name: 'sudo.j2', target: 'sudo'} - name: AD Authentication | Configure | Set domain controllers to be ntp servers lineinfile: regexp='^server {{item}}' insertafter='^#server ntp.your-provider.example' line='server {{item}}' state=present dest='/etc/ntp.conf' with_items: - "{{ad_primary_dc}}" - "{{ad_secondary_dc}}" - name: AD Authentication | Configure | Restart services service: name={{item}} state='restarted' with_items: - winbind - samba - ntpd
  • 55. Example: Join Domain • sudoers sudoers/ tasks/ main.yml templates/ sudoers-debian.j2 • tasks (main.yml) --- - name: User | sudo Configure | Don't always set home and Preserve env home template: src='sudoers-debian.j2' dest='/tmp/sudoers' owner='root' group='root' mode='0600' validate='visudo -cf %s’ - name: User | sudo Configure | Place new config shell: 'cp -vf /tmp/sudoers /etc/sudoers’ - name: User | sudo Configure | Clean up temporary files file: path='/tmp/sudoers' state='absent’
  • 56. Example: Join Domain • templates (sudoers-debian.j2) # {{ ansible_managed }} Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" root ALL=(ALL:ALL) ALL %sudo ALL=(ALL:ALL) ALL {% for item in admins %} {% if item.nopasswd == 'true' %} {{item.name}} ALL= NOPASSWD: ALL Defaults:{{item.name}} !requiretty {% else %} {{item.name}} ALL=(ALL) ALL {% endif %} {% endfor %} {% if ad_sudoers_groups is defined %} {% for item in ad_sudoers_groups %} %{{item}} ALL=(ALL) ALL {% endfor %} {% endif %}
  • 57. Example: Join Domain • Put it all together in a playbook --- - hosts: all sudo: True sudo_user: root vars_prompt: - name: "ad_domain" prompt: "Domain to join (e.g. office.lan)" private: no - name: "ad_domain_admin_username" prompt: "Domain Admin username" private: no - name: "ad_domain_admin_password" prompt: "Domain Admin password" private: yes vars_files: - ../roles/active-directory-join/vars/{{ad_domain}}.encrypt roles: - ../roles/active-directory - ../roles/active-directory-join - ../roles/sudoers tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22' delay='5' timeout='300' sudo: no delegate_to: localhost
  • 58. Example: Join Domain $ ansible-playbook -i new-vm-clone, ad-join.yml –u joe -k -K SSH password: sudo password [defaults to SSH password]: Domain to join (e.g. office.lan): office.lan Domain Admin username: admin Domain Admin password: PLAY [all] ******************************************************************** GATHERING FACTS *************************************************************** ok: [new-vm-clone] TASK: [../roles/active-directory | AD Authentication| Install | Install dependencies for AD authentication] *** ok: [new-vm-clone] => (item=krb5-user,libpam-krb5,winbind,samba) TASK: [../roles/active-directory | AD Authentication | Configure | Allow for authentication using winbind] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place kerberos config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Place samba config for domain authentication] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and enable on boot] *** changed: [new-vm-clone] => (item=winbind)
  • 59. Example: Join Domain TASK: [../roles/active-directory-join | AD Authentication | Configure | Start services and do not enable on boot] *** changed: [new-vm-clone] => (item=samba) TASK: [../roles/active-directory-join | AD Authentication | Configure | kinit] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Join Active Directory] *** changed: [new-vm-clone] TASK: [../roles/active-directory-join | AD Authentication | Configure | Enable pam authentication via winbind] *** changed: [new-vm-clone] => (item={'name': 'common-session-interactive.j2', 'target': 'common-session-interactive'}) changed: [new-vm-clone] => (item={'name': 'common-password.j2', 'target': 'common-password'}) changed: [new-vm-clone] => (item={'name': 'common-account.j2', 'target': 'common-account'}) changed: [new-vm-clone] => (item={'name': 'common-auth.j2', 'target': 'common-auth'}) changed: [new-vm-clone] => (item={'name': 'sudo.j2', 'target': 'sudo'}) TASK: [../roles/active-directory-join | AD Authentication | Configure | Set domain controllers to be ntp servers] *** ok: [new-vm-clone] => (item=ad1.office.lan) ok: [new-vm-clone] => (item=ad2.office.lan) TASK: [../roles/active-directory-join | AD Authentication | Configure | Restart services] *** changed: [new-vm-clone] => (item=winbind) changed: [new-vm-clone] => (item=samba)
  • 60. Example: Join Domain TASK: [../roles/sudoers | User | sudo Configure | Don't always set home and Preserve env home] *** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Place new config] *********** changed: [new-vm-clone] TASK: [../roles/sudoers | User | sudo Configure | Clean up temporary files] *** changed: [new-vm-clone] TASK: [Reboot the Server] ***************************************************** changed: [new-vm-clone] TASK: [Wait for Server to come back] ****************************************** ok: [new-vm-clone] PLAY RECAP ******************************************************************** new-vm-clone : ok=18 changed=13 unreachable=0 failed=0
  • 61. Example: Server provisioner • Build and configure webserver --- #packer provisioning only - hosts: all connection: local remote_user: vagrant sudo: True sudo_user: root vars_files: - roles/vars/cloud.encrypt vars: lifecycle: 'production' build_flavor: 'cloud' app_flavor: 'app' roles: - roles/debian - roles/vmware-tools - roles/local-users - roles/active-directory - roles/cloud-baseline - roles/sudoers - roles/iptables - roles/java-jdk-7 - roles/tomcat-7 - { role: roles/tomcat-native, when: native == 'true' } - roles/ansible - roles/app-dynamics - roles/opsview - roles/cleanup - roles/git tasks: - name: Reboot the Server command: '/sbin/reboot' - name: Wait for Server to come back wait_for: host='{{inventory_hostname}}' port='22’ sudo: no delegate_to: localhost - name: Wait for Services to start fully wait_for: port='{{item}}' delay='5' timeout='600' with_items: - '8009' #ajp - '8080' #tomcat
  • 62. Where do I go from here? • Stop doing everything by hand! • If you find yourself logging in to more than one VM to do the same task... • If you have been meaning to get around to patching or updating a bunch of VMs... • If you know all of the prompts of the OS installer by heart... • If scp and vi are your favorite tools... • If you dread the next release of your application • If you wince every time your phone rings
  • 63. Use Ansible • Get more sleep • Require less coffee
  • 64. Recommended Reading • http://docs.ansible.com/ • https://github.com/ansible/ansible-examples • https://gist.github.com/marktheunissen/2979474 • http://jpmens.net/ • https://galaxy.ansible.com/ • http://docs.ansible.com/vsphere_guest_module.html

Editor's Notes

  1. Say we can put these fires out long enough to get ourselves into the next work day
  2. Cluster ssh Bash scripts Building templates by hand Yo dawg, I heard you like snapshots of your snapshots
  3. Don’t repeat yourself If you have to do a manual task more than two times, you need to rethink Consistency is key
  4. You’ve heard of SCM, change management, release management, patch management… Configuration management
  5. Describe the end state you want. Tool will get you to that state regardless of starting point.
  6. structure
  7. Restart livevault
  8. Heartbleed/openssl Playbook that turned in to a role
  9. Join machines to the domain
  10. Full server build with roles
  11. Phillip fry