go faster with ansible (aws meetup)
TRANSCRIPT
$ whoami• Richard Donkin• DevOps engineer / contractor• Ansible, Packer, Vagrant, Docker,
Linux, AWS, databases, …
• Experience of sys admin, DevOps, backend dev, architecture, startups, …
@rdonkin linkedin.com/in/rdonkin www.tempohq.net
Goal: Faster Correct Setup
ServersAppsDevelopers
• Correct configuration• No snowflake servers• Dev, Test, Production
InfrastructureAs Code
Software processes and tools for
infrastructure configuration
What Ansible DoesConfiguration Management• Code that controls config
App Deployment
Orchestration• Sequence operations on servers,
APIs, etc.
Why Ansible?• Agentless & serverless• Simple• Sequential• Declarative tasks• “Ensure nginx installed” • Enables idempotence
• Easy to learn• Scales to complex cloud
orchestration
Quick InstallMac: brew install ansible
Debian/Ubuntu:sudo apt-add-repository ppa:ansible/ansiblesudo apt-get install -y ansible
RHEL/CentOS: use EPEL, then: sudo yum –y install ansible
Any Linux (latest Ansible, requires Python):sudo easy_install pipsudo pip install ansible
Hello PHPMailerPlaybooks
TasksIdempotence
Key ConceptsPlaybook = series of tasks• Targets one server or thousands• Servers defined by Inventory
Task = "ensure X is done" action
Play = set of tasks in playbook
Running a Playbook (1)
Running a Playbook (2)
Tasks will "skip" if state already OK
(Idempotence)
Writing a PlaybookPlay – hosts to process, become == sudoTasks - descriptive name- invoke module (apt) with parameters Play
Task
The Secret Life of Tasks
Each task runs SSH commands that • Upload a Module (e.g. apt)• Run module with task's
parameters• Return JSON output
Inventory and Variables
Group your servers & assign parameters[web]10.0.1.5110.0.1.52
[db]10.0.1.61
[web:vars]ansible_port=2222
$ ansible-playbook -i prod apache.yml --limit web
Ansible conditions based on groups and vars(Typically) inventory file for dev, test, prod, ...
AWS Dynamic Inventory
Generated by ec2.py from AWS API• EC2 instances, Route53, RDS, …• Many params per instance, inc. one
per tag• Groups for regions, AZs, and Tags:
ansible tag_KEY_VALUE -m ping
Apache Playbook (1)
Vars = parameters for this playbookCan be in separate include filesOr attach to hosts or host-groups in Inventory - e.g. Listening IP address should be in inventory
Apache Playbook (2)
template task runs Jinja2 on local file and copies to servernotify sends event to Handler- Each Handler runs just once, at end of whole
playbook- Restart a service, notify Slack, ...
Apache Playbook (3)
service task uses systemctl to enable start on boot- {{ apache_service }} instantiates var with Jinja2Handler restarts apache at end if any task does a notify
Apache PlaybookPlaybooksVariablesHandlers
Modules Over 840 modules "in the box"- Git, yum, apt, compose, pip, gem, …- Files: copy, template, edit, …- Permissions, ownership, SELinux- MySQL, PostgreSQL, MongoDB, ...
Targets:- Linux, Windows, Mac, Docker, VMs- AWS, Azure, GCP, network devices Anything with an API or CLI
AWS Security GroupsDefine security groups as vars in YAML• Format defined by your playbook• Each has list of rules (ingress and
egress)
AWS Security GroupsPlaybook applies all groups in a list
Roles
"Modularised playbooks"- Split playbook into folder per type of
content- defaults folder for "parameter vars"- vars folder for "role vars" – hard to
override- meta folder for role dependencies
Vars
Tasks
Handlers
Apache + PHPplaybook
Apache role
PHP role
RolesUse Roles for everything!Skinny playbooks + modular roles Ideal playbook only calls roles, not tasks
Typical roles:• create-vpc• create-instances• base, apache, php, redis• deploy-app
"Wrapper roles" to invoke third party roles
Ansible GalaxyHub for 1000s of roles: galaxy.ansible.com
Discovery: Galaxy, GitHub, blogs, …
Assess quality carefully Install the roles needed by project: ansible-galaxy install –r requirements.yml
Pin the role to a version or Git commit
Testing Infra CodeBasic testing:- Separate test playbook using Vagrant VM
- Travis CI popular for open source- Smoke test at end of playbook:
Test frameworks:- Test-Kitchen, ServerSpec, InSpec, testinfra - Run whole series of tests - easier diagnosis
Drupal VM
Create a VM with one command: vagrant upAnsible: 37 roles, 630 tasks, 7,200 lines of code
ResourcesBook: Ansible for DevOps by Jeff Geerling – regular updates
Help: Stack Overflow, Ansible IRC + email lists
Roles:• Geerlingguy roles – wide range – pragmatic & well
maintained• Ansistrano: Deploying PHP apps demo (atomic model)
Projects:• Drupal-VM – http://drupalvm.com• Trellis - https://roots.io/trellis/ - very complete WordPress
setup• Use example project – requires node, bower & gulp
Best practices: Ansible.com, blogs by Leucos and Nylas
Podcasts: Arrested DevOps – general DevOps and Infra as Code
Thank YouRichard Donkin
@rdonkin
linkedin.com/in/rdonkin
www.tempohq.net
Infrastructure as Code
Software processes for cloud resources and server configs:• Code review• Version control• Automated tests• Automated push to servers
Rapid Growth in Ansible Activity
• Google Trends• 5 years to Jan 2017
One LinersAd hoc command on single host, or group from inventory
Trellis: Modern WordPress
Near Twelve Factor WordPress• Dev to Prod• PHP 7.1, A+ SSL, HTTP/2, WP-CLI, …• Example: rightsinfo.org
Related roots.io projects: • Bedrock (WP boilerplate)• Sage (starter theme)• Some commercial add-ons
Example project (blog post):• Install node, gulp, bower, Vagrant
plugins• vagrant up• Some fixes required for Ansible 2.2
Advanced: Write a Module
Much more common to write a roleRequired for major new features:• New API• New package tool• New container format
Most modules written in PythonAny language is fine: • PHP, C, Go, Perl, PowerShell, ...