automation for everyone senior cloud solutions architect … · 2018-06-22 · • take ansible...
TRANSCRIPT
F7212-091117
AUTOMATION FOR EVERYONEIT Automation & Management
PAUL ARMSTRONGSenior Solutions Architect
PATRICK TOALSenior Solutions Architect
CHRIS SAUNDERSSenior Cloud Solutions Architect
1
2
THE MOVE TO HYBRID INFRASTRUCTURESBRINGS ADDITIONAL MANAGEMENT CHALLENGES
APPLICATIONARCHITECTURE
INFRASTRUCTUREPLATFORM
OPERATIONALMODEL
OPERATIONALCHALLENGES
Traditional Applications
Virtualization
Operational
Automation
Orchestration
Automation
Private Cloud
Scalable
Applications
Public Cloud
SaaS and PaaS
Cloud NativeService
Brokering
Containers
Microservices
Self-service
Automated provisioning
Lifecycle management
Root cause analysis
Performance and
capacity management
Hybrid Management
Policy compliance
Quota enforcement
Chargeback
WHAT’S NEW IN RED HAT CLOUDFORMS 4.6?3
BUILD A TRUSTED & SECURE RED HAT ENVIRONMENT
Manage the Red Hat Lifecycle
Provision & Configure at Scale
Standardize Your Environment
DELIVER SERVICES ACROSS YOUR HYBRID CLOUD
Hybrid Cloud Management
Self-Service Provisioning
Policy-driven Compliance
CENTRALIZE AUTOMATIONGOVERNANCE
Centralized Control
Team & User Delegation
Audit Trail
PREVENT CRITICAL ISSUES BEFORE THEY OCCUR
Continuous Insights
Verified Knowledge
Proactive Resolution
AUTOMATE YOUR I.T. PROCESSES & DEPLOYMENTS
RED HAT MANAGEMENT AND AUTOMATION FOR IT OPERATIONS
4 CONFIDENTIAL
WHAT IS ANSIBLE AUTOMATION?
---- name: install and start apache hosts: all vars: http_port: 80 max_clients: 200 remote_user: root
tasks: - name: install httpd yum: pkg=httpd state=latest
- name: write the apache config file template: src=/srv/httpd.j2 dest=/etc/httpd.conf
- name: start httpd service: name=httpd state=started
[user@hostname: $] ansible-playbook -i inventory playbook.yml
PLAY [install and start apache] ***********************************
TASK [Gathering Facts] ********************************************
ok: [webserver.local]
TASK [install httpd] **********************************************
changed: [webserver.local]
TASK [write the apache config file] ********************************
changed: [webserver.local]
TASK [start httpd] *************************************************
changed: [webserver.local]
PLAY RECAP *********************************************************
webserver.local : ok=4 changed=3 unreachable=0 failed=0
The Ansible project is an open source community sponsored by Red Hat. It’s also a simple automation language that perfectly describes IT application environments in Ansible Playbooks.
Ansible Engine is a supported product built from the Ansible community project.
Ansible Tower is an enterprise framework for controlling, securing, managing and extending your Ansible automation (community or engine) with a UI and RESTful API.
5 CONFIDENTIAL
1450+ Ansible modules
28,000+ Stars on GitHub
500,000+ Downloads a month
6 CONFIDENTIAL
CROSS PLATFORM
Agentless support for all major OS variants, physical, virtual, cloud and network devices.
HUMAN READABLE
Perfectly describe and document every aspect of your application environment.
PERFECT DESCRIPTION OF APPLICATION
Every change can be made by Playbooks, ensuring everyone is on the same page.
VERSION CONTROLLED
Playbooks are plain-text. Treat them like code in your existing version control.
DYNAMIC INVENTORIES
Capture all the servers 100% of the time, regardless of infrastructure, location, etc.
ORCHESTRATION PLAYS WELL WITH OTHERS
Every change can be made by Playbooks, ensuring everyone is on the same page.
THE ANSIBLE WAY
7 CONFIDENTIAL
SIMPLE POWERFUL AGENTLESS
App deployment
Configuration management
Workflow orchestration
Network automation
Orchestrate the app lifecycle
Human readable automation
No special coding skills needed
Tasks executed in order
Usable by every team
Get productive quickly
Agentless architecture
Uses OpenSSH & WinRM
No agents to exploit or update
Get started immediately
More efficient & more secure
WHY ANSIBLE?
8 CONFIDENTIAL
WHAT CAN I DO WITH ANSIBLE?
Automate the deployment and management of your entire IT footprint.
Orchestration
Do this...
Firewalls
Configuration Management
Application Deployment Provisioning Continuous
DeliverySecurity and Compliance
On these...
Load Balancers Applications Containers Clouds
Servers Infrastructure Storage And more...Network Devices
9 CONFIDENTIAL
WHY IS AUTOMATION IMPORTANT?
Your applications and systems are more than just collections of configurations. They’re a finely tuned and ordered list of tasks and processes that result in your working application. Ansible can do it all: • Provisioning
• App Deployment
• Configuration Management
• Multi-tier Orchestration
10 CONFIDENTIAL
ANSIBLE’S AUTOMATION ENGINE
CMDB
USERS
INVENTORYHOSTS
NETWORK DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATECLOUD
PUBLIC / PRIVATECLOUD
ANSIBLE PLAYBOOK
ANSIBLE’S AUTOMATION ENGINE
CMDB
INVENTORYHOSTS
NETWORK DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATECLOUD
PUBLIC / PRIVATECLOUD
USERS
ANSIBLE PLAYBOOK
PLAYBOOKS
• Written in YAML
• Tasks are executed sequentially
• Invokes Ansible modules
MODULES
• Tools in the toolkit
• Python, Powershell or
any language
• Extend Ansible simplicity
to entire stack
ANSIBLE’S AUTOMATION ENGINE
CMDB
INVENTORYHOSTS
NETWORK DEVICES
PLUGINS
API
PUBLIC / PRIVATECLOUD
PUBLIC / PRIVATECLOUD
USERS
ANSIBLE PLAYBOOK
MODULES
HOW ANSIBLE WORKS
CMDB PUBLIC / PRIVATE
CLOUD
PLUGINS
• Gears in the engine
• Python that plugs into the
core engine
• Adaptability for various uses
& platforms
USERS
ANSIBLE PLAYBOOK
ANSIBLE’S AUTOMATION ENGINE
HOSTS
NETWORK DEVICES
API
MODULES
PUBLIC / PRIVATECLOUD
INVENTORY
PLUGINS
USERS
ANSIBLE PLAYBOOK
[web]webserver1.example.comwebserver2.example.com
[db]dbserver1.example.com
ANSIBLE’S AUTOMATION ENGINE
CMDB
HOSTS
NETWORK DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATECLOUD
PUBLIC / PRIVATECLOUD
INVENTORY
CLOUD
OpenStack, VMware, EC2,
Rackspace, GCE, Azure,
Spacewalk, Hanlon, Cobbler
CUSTOM CMDBUSERS
ANSIBLE PLAYBOOK
ANSIBLE’S AUTOMATION ENGINE
HOSTS
NETWORK DEVICES
PLUGINS
API
MODULES
PUBLIC / PRIVATECLOUD
INVENTORY
CMDB PUBLIC / PRIVATE
CLOUD
11 CONFIDENTIAL
CLOUD
AWS
Azure
CenturyLink
CloudScale
Digital Ocean
Docker
Linode
OpenStack
Rackspace
And more...
WINDOWS
ACLs
Files
Commands
Packages
IIS
Regedits
Shell
Shares
Services
DSC
Users
Domains
And more...
VIRT ANDCONTAINER
Docker
VMware
RHEV
OpenStack
OpenShift
Atomic
CloudStack
And more...
NETWORK
Arista
A10
Cumulus
Big Switch
Cisco
Cumulus
Dell
F5
Juniper
Palo Alto
OpenSwitch
And more...
NOTIFY
HipChat
IRC
Jabber
RocketChat
Sendgrid
Slack
Twilio
And more...
ANSIBLE SHIPS WITH OVER 1250 MODULES
12 CONFIDENTIAL
AUTOMATION FOR TEAMSAnsible Tower technical introduction and overview
13 CONFIDENTIAL
WHAT IS ANSIBLE TOWER?
• Role-based access control
• Deploy entire applications with push-button deployment access
• All automations are centrally logged
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation – with a UI and RESTful API.
14 CONFIDENTIAL
RED HAT ANSIBLE TOWER
RED HAT ANSIBLE ENGINE
Scale + operationalize your automation
Support for your Ansible automation
CONTROL KNOWLEDGE DELEGATION
SIMPLE POWERFUL AGENTLESS
FUELED BY AN INNOVATIVE OPEN SOURCE COMMUNITY
15 CONFIDENTIAL
USE CASES
USERS
ANSIBLEPYTHON CODEBASE
OPEN SOURCE MODULE LIBRARY
PLUGINS
CLOUDAWS,GOOGLE CLOUD,AZURE …
INFRASTRUCTURELINUX,WINDOWS,UNIX …
NETWORKSARISTA, CISCO, JUNIPER …
CONTAINERSDOCKER, LXC …
SERVICESDATABASES, LOGGING,SOURCE CONTROL MANAGEMENT…
TRANSPORT
SSH, WINRM, ETC.
AUTOMATEYOUR
ENTERPRISE
ADMINS
ANSIBLE CLI & CI SYSTEMS
ANSIBLE PLAYBOOKS
….
ANSIBLETOWER
SIMPLE USER INTERFACE TOWER API
ROLE-BASEDACCESS CONTROL
KNOWLEDGE& VISIBILITY
SCHEDULED &CENTRALIZED JOBS
CONFIGURATIONMANAGEMENT
APP DEPLOYMENT
CONTINUOUSDELIVERY
SECURITY &COMPLIANCE
ORCHESTRATIONPROVISIONING
16 CONFIDENTIAL
Client accessing Ansible Tower
Postgre5QL
MANAGED HOSTS DOMAIN CONTROLLER
CMDB
ANSIBLE TOWER INTEGRATIONS
F7212-091117
ANSIBLE & NETWORKINGIT Automation & Management
PATRICK TOALSenior Solutions Architect
17
18
INSTALL; CONFIGURE - REPEATAUTOMATE
MANAGING NETWORKSHASN’T CHANGED
IN 30 YEARS.
WHY HASN’T NETWORKING CHANGED?
PEOPLE PRODUCTS
Infrastructure-focused features
CLI-only methodologies
Siloed technologies
Monolithic, proprietary platforms
Domain specific skillsets
Vendor oriented experience
Siloed organizations
Legacy operational practices
SIMPLE POWERFUL AGENTLESS
What is missing?
● A10● Apstra AOS● Arista EOS (cli, eAPI), CVP● Aruba Networks● AVI Networks● Big Switch Networks● Brocade Ironware● Cisco ACI, AireOS, ASA, IOS,
IOS-XR, NSO, NX-OS● Citrix Netscaler● Cumulus Linux● Dell OS6, OS9, OS10● Exoscale● F5 BIG-IP● Fortinet FortIOS, FMGR
● Huawei● Illumos● Infoblox NIOS● Juniper Junos● Lenovo CNOS, ENOS● Mellanox ONYX● Ordnance● NETCONF● Netvisor● Openswitch● Open vSwitch (OVS)● Palo Alto PAN-OS● Nokia NetAct, SR OS● VyOS
NETWORK MODULES: BUILT-IN DEVICE ENABLEMENT
NETWORK OPERATIONS AUTOMATION
MAKES PEOPLE MORE PRODUCTIVE
Photo by Dave Michuda on Unsplash
WHY AUTOMATE YOUR NETWORK?
WHY AUTOMATE YOUR NETWORK?
“Start small, Think big!”
Infrastructure as YAML• Backups/restores can be automated• Manage “golden” versions of configurations
Configuration management• Changes can be incremental or wholesale• Make it part of the process: agile, waterfall, etc.
Ensure an on-going steady-state• Daily, weekly, monthly scheduled tasks• State checking and validation
It’s a strategy, it’s a journey
No need to abandon or redefine network operations• Build with Ansible for bridges between legacy and modern
networks
Foster and leverage tribal knowledge
AUTOMATION IS NOT JUST A TOOL
DEMO
Learn Ansible• Join existing Ansible network automation communities• Take Ansible training courses from Red Hat or others
– Ansible for Network Automation DO457)
Develop success criteria• Create specific goals that require planning, tailored to your organization• Create phases to ensure people and processes aren’t alienated
Start small!• Create Playbooks that read or check only• Create simple jobs that eliminate the most annoying tasks• Leverage existing knowledge internally
WHERE DO I BEGIN?
RESOURCESAnsible Networking Homepage:ansible.com/networking
Ansible Networking Github:github.com/network-automation
Join the CommunityUsers list: ansible-projectDevelopment list: ansible-develAnnouncement list: ansible-announce (read only)irc.freenode.net: #ansibleslack.networktocode.com: #ansible
Download the latest Ansible:releases.ansible.com/ansible/
Evaluate Ansible Tower:ansible.com/tower-trial/Email: [email protected]
Photo by Clark Tibbs on Unsplash
F7212-091117
ANSIBLE & WINDOWSIT Automation & Management
CHRIS SAUNDERSSenior Cloud Solutions Architect
30
F7212-091117
Windows and Ansible?
F7212-091117
● WinRM (Windows remote shell protocol)● Non-interactive logon● Different connection plugin● Microsoft + OpenSSH = ?
Not SSH
F7212-091117
● Every modern Windows Server (2012+) has Powershell 3 or above● Ansible works with Powershell 3+● win_dsc module provides access to Powershell DSC
Powershell
F7212-091117
● Chocolatey is our friend - win_chocolatey● win_package also works● win_msi is deprecated
Application Installs/Updates
F7212-091117
● Use win_reboot to reboot a system● Add wait_for_connection to playbook to pause while reboot
completes
Ok, but - Reboots?
F7212-091117
Ok, but - Reboots?
F7212-091117
● win_updates● Basic synchronous updates using configured source (Windows
Update, WSUS)● Auto reboot? Yes, please
Windows Updates
F7212-091117
Windows Updates
- win_updates: category_names: CriticalUpdates reboot: yes blacklist: - KB4056892
F7212-091117
Modules for:● managing websites● Webapps● AppPools● Virtual Directories
IIS Configuration
F7212-091117
IIS Configuration?
- win_iis_website: name: Default Web Site physical_path: C:\Inetpub\WWWRoot- win_iis_webapp: site: Default Web Site name: AnsibleRocks physical_path: C:\Inetpub\WWWRoot\ansibleblog
F7212-091117
● Manage individual keys + values with win_regedit● Bulk import registry entries with Ansible idempotency using
win_regmerge
Registry
F7212-091117
Registry
- win_regedit: path: HKLM\Software\Microsoft\Windows name: SomeValueName value: 0x12345- win_regmerge: path: WinServerMember.reg
F7212-091117
● Manage Windows services like Linux with win_service● Additional controls for Windows
Services
F7212-091117
Services# ensure IIS is running- win_service: name: W3Svc state: running# ensure firewall service is stopped/disabled- win_service: name: MpsSvc state: stopped start_mode: disabled
F7212-091117
● Create test domains● Promote/demote DCs● Join/leave domains● Manage domain objects
Managing Domains
F7212-091117
Managing Domains# create a domain- win_domain: dns_domain_name: mydomain.local safe_mode_password: AnsibleRocks# add a domain user- win_domain_user: name: somebody upn: [email protected] groups: - Domain Admins
F7212-091117
● More granular than Linux permissions● SDDL●
ACLs
F7212-091117
ACLs- win_owner: path: C:\Program Files\SomeApp user: Administrator recurse: true- win_acl: path: C:\Temp user: Users rights: ReadAndExecute,Write,Delete inherit: ContainerInherit,ObjectInherit
F7212-091117
Demo
F7212-091117
THANK YOU
red.ht/red-hat-shares
50
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews