2. #>whoami
● currently: ansible core team member (bcoca)
● helpdesk/application support
● programmer/analyst/software engineer
● QA, systems & network administrator
● release manager, DBA, information security,
● “Tech Janitor”
3. #>apropos ansible
● Configuration management
● Release management
● Automation framework
● Orchestration system
● Distributed batch executor
 ____________________
/ It runs a TASK * x \
\ on a HOST * x      /
 --------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
4. #LIVE>multiply_shell
● allows you to reuse your shell magic
● must be non-interactive
● plays well with traditional unix tools
● just multiply by ### hosts
● requires some work for nicer outputs
● -t DIR (--tree): one JSON result file per host in DIR, a poor man's per-host database
7. #UTIL>small_scripts
● tries not to be a programming language
● but … sometimes it's very useful as such
● plays can wrap existing roles/task lists
● vars_prompt/pause allow for interactivity
● -e "var=val" for completely batch
● -e @file.json: you can use json data files
8. #UTIL>/sbin/departed
#!/usr/bin/ansible-playbook
---
- name: Ensure only valid users
  hosts: all
  gather_facts: False
  become: True    # the slide wrote 'sudo: True'; spelled 'become' since Ansible 1.9
  vars_files:
    # /etc/departed_users.yml holds a list such as:
    #   departed: [ alan, bcoca, isaac, mathew, willy ]
    - /etc/departed_users.yml
  tasks:
    - name: Delete departed user and all its files
      # remove=yes also deletes the home directory and mail spool
      user: name={{item}} state=absent remove=yes
      with_items: "{{departed}}"
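A more defensive version of the same script, added here as an example and not from the talk. It reads the same /etc/departed_users.yml, but only acts on names that actually exist on the host (so a typo or an already-removed user is a no-op rather than a surprise), refuses to touch root, nobody or any uid below 1000 (the protected list and the uid floor are this example's assumptions, not the slide's), locks the account and kills its processes before deleting, and needs Ansible 2.7+:

```yaml
#!/usr/bin/ansible-playbook
---
# Added example, not from the talk: a more defensive /sbin/departed.
# Input is the slide's /etc/departed_users.yml ('departed' list); the
# 'protected' list and 'min_uid' are assumptions of this example.
- name: Ensure only valid users, without ever touching system accounts
  hosts: all
  gather_facts: false
  become: true
  vars_files:
    - /etc/departed_users.yml
  vars:
    protected: [root, nobody]
    min_uid: 1000
  tasks:
    - name: Look up the accounts that exist on this host
      getent:
        database: passwd

    - name: Only act on departed names that exist here
      set_fact:
        present: "{{ departed | intersect(getent_passwd.keys() | list) }}"

    - name: Refuse to run if the list reaches a protected or system account
      # getent_passwd[name] is [passwd, uid, gid, gecos, home, shell]
      assert:
        that:
          - item not in protected
          - getent_passwd[item][1] | int >= min_uid
        fail_msg: "refusing to remove {{ item }} (uid {{ getent_passwd[item][1] }})"
      loop: "{{ present }}"

    - name: Lock the account so nothing new can authenticate before removal
      user:
        name: "{{ item }}"
        password_lock: true
        shell: /usr/sbin/nologin
      loop: "{{ present }}"

    - name: Kill anything the user still has running (pkill rc 1 = nothing matched)
      command: pkill -KILL -u {{ item }}
      register: killed
      changed_when: killed.rc == 0
      failed_when: killed.rc not in [0, 1]
      loop: "{{ present }}"

    - name: Delete the user, home directory and mail spool
      user:
        name: "{{ item }}"
        state: absent
        remove: true
      loop: "{{ present }}"
```

The order matters: a user whose shell is still open when the account is deleted keeps running until the next reboot, and a list file that someone edits to contain a service account is caught by the assert before anything is changed.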
9. #UTIL>/bin/release_apps
#!/usr/bin/ansible-playbook
---
- hosts: localhost
  vars_prompt:
    - name: app_name
      prompt: "Which app do you want to deploy?"
      private: no    # vars_prompt hides input by default, which only makes sense for secrets
    - name: app_version
      prompt: "Choose version/tag (default HEAD)"
      default: 'HEAD'
      private: no
  tasks:
    - git: repo=git@myreposerver/{{app_name}} version={{app_version}} ...
  ...
- hosts: app_servers
  serial: 1
  tasks:
    - pause: prompt="are you sure you want to stop all services?"
    - name: shush nagios
      nagios: action=silence host={{inventory_hostname}}
      delegate_to: "{{monitor}}"    # a value starting with {{ must be quoted or YAML reads it as a mapping
    - name: nginx graceful stop
      service: name=nginx state=stopped
    - name: stop uwsgi
      service: name=uwsgi state=stopped ...
  ...
 ______________________
/ for reusability, use \
\ includes and roles   /
 ----------------------
  \
   \
       __
      UooU\.'@@@@@@`.
      \__/(@@@@@@@@@@)
           (@@@@@@@@)
           `YY~~~~YY'
            ||    ||
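Two things bite in a rolling restart like the app_servers play above: a failed host leaves monitoring silenced, and with serial: 1 Ansible moves on to the next host even when this one never came back. The play below, added here as an example and not from the talk, fixes both with a block/always pair and a health gate. Host names, the monitor variable and the /healthz URL are assumptions of this example; the release steps themselves are elided as on the slide. Needs Ansible 2.0+.

```yaml
#!/usr/bin/ansible-playbook
---
# Added example, not from the talk: the app_servers play from /bin/release_apps
# with monitoring guaranteed to come back and a per-host health gate.
- hosts: app_servers
  serial: 1
  any_errors_fatal: true    # a broken host stops the rollout instead of rolling on
  vars:
    monitor: monitor.example.com    # assumed inventory host running nagios
  tasks:
    - pause:
        prompt: "are you sure you want to stop all services on {{ inventory_hostname }}?"

    - block:
        - name: shush nagios
          nagios:
            action: silence
            host: "{{ inventory_hostname }}"
          delegate_to: "{{ monitor }}"

        - name: stop services (front end first so it stops taking requests)
          service:
            name: "{{ item }}"
            state: stopped
          loop: [nginx, uwsgi]

        # ... the actual release steps go here, as on the slide ...

        - name: start services (app first, then the front end)
          service:
            name: "{{ item }}"
            state: started
          loop: [uwsgi, nginx]

        - name: do not move to the next host until this one answers
          uri:
            url: "http://{{ inventory_hostname }}/healthz"
            status_code: 200
          register: health
          until: health.status == 200
          retries: 10
          delay: 3
          delegate_to: localhost

      always:
        - name: un-shush nagios even when the deploy failed
          nagios:
            action: unsilence
            host: "{{ inventory_hostname }}"
          delegate_to: "{{ monitor }}"
```

Without any_errors_fatal a serial play drops the failed host and continues with the next batch, which is exactly how one bad package ends up on every server.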
10. #QA>verify
● The same way I do things, I can check them
● Gentle learning curve for your test creator
● Checks don’t normally need root
● check_mode and diff_mode
● assert/fail, no need to read the output!
11. #QA>check_server
# only a *check* when run with --check (and --diff); without it
# these tasks enforce the state instead of reporting on it
- hosts: app_server
  tasks:
    - name: verify that app user is present
      user: name=appuser state=present
    - name: check that app dir has proper permissions
      file: path=/to/app/dir owner=appuser mode=0700
    - name: check that services are running
      service: name={{item}} state=started
      with_items: ['nginx', 'uwsgi']
    - name: check app user is accessible via app server
      postgresql_user: name=dbapp1 password=secret role_attr_flags=NOSUPERUSER
 ____________________________________
/ or if your playbook is idempotent, \
\ just run it again Sam!             /
 ------------------------------------
  \
   \   \
        \ /\
        ( )
      .( o ).
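The check_server tasks only check when someone remembers --check; run plainly they repair. The version below, added here as an example and not from the talk, pins check_mode: true on each task (Ansible 2.2+) so it can only ever report, and uses assert so a dry-run 'changed' becomes a non-zero exit instead of something to read. User, path and service names are the slide's; the rest is assumed.

```yaml
# Added example, not from the talk: check_server that can never fix what it checks.
- hosts: app_server
  gather_facts: false
  tasks:
    - name: verify that app user is present
      user:
        name: appuser
        state: present
      check_mode: true
      register: app_user

    - name: check that app dir has proper permissions (diff shows which bit is off)
      # a missing path makes the file module fail outright, which is the right signal
      file:
        path: /to/app/dir
        owner: appuser
        mode: '0700'
      check_mode: true
      diff: true
      register: app_dir

    - name: check that services are running
      service:
        name: "{{ item }}"
        state: started
      check_mode: true
      register: services
      loop: [nginx, uwsgi]

    - name: a 'changed' from a dry run means reality differs from policy
      assert:
        that:
          - not app_user.changed
          - not app_dir.changed
          - services.results | selectattr('changed') | list | length == 0
        fail_msg: "drift on {{ inventory_hostname }}: user={{ app_user.changed }} dir={{ app_dir.changed }} services={{ services.results | selectattr('changed') | map(attribute='item') | list }}"
```

None of these tasks need root, and the exit status is all a CI job or a cron mail needs.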
13. #AUDIT>verify --- qa?
● The same way I do, I can check
● Gentle learning curve for your auditor
● Checks don’t normally need root
● check_mode and diff_mode
14. #AUDIT>check_firewall
# verify firewall after manual config
- wait_for:
    port: "{{item}}"
    host: prod.example.com
    timeout: 10
  delegate_to: outside.host.com
  with_items: ['80', '443']
# every other privileged port must be closed, so invert wait_for's verdict.
# wait_for keeps retrying until timeout on a closed port: the default 300s
# would make this loop run for days, and even 3s is ~50 minutes.
- wait_for: port={{item}} host=prod.example.com timeout=3
  delegate_to: outside.host.com
  register: left_door_open
  failed_when: left_door_open is not failed    # the slide's 'not left_door_open|failed' filter form was removed in Ansible 2.9
  when: item not in ['80', '443']
  with_sequence: start=1 end=1024
 ______________
< or call nmap >
 --------------
  \
   \
       ___
      {~._.~}
       ( Y )
      ()~*~()
      (_)-(_)
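The nmap variant of check_firewall, added here as an example and not from the talk: one scan from outside the perimeter takes seconds where wait_for burns its whole timeout on every closed port, and the allow-list comparison is done with assert so the result is an exit status. Host names and the allowed port list are assumptions of this example; nmap must be installed on the scanning host. Needs Ansible 2.7+.

```yaml
# Added example, not from the talk: audit exposed ports with nmap and assert.
- hosts: outside.host.com
  gather_facts: false
  vars:
    target: prod.example.com
    allowed_ports: ['80', '443']
  tasks:
    - name: Scan the privileged range from outside (-Pn so a dropped ping does not hide the host)
      command: nmap -Pn -p 1-1024 --open -oG - {{ target }}
      register: scan
      changed_when: false

    - name: Pull open ports out of grepable output ("Ports: 22/open/tcp//ssh///, 80/open/tcp//http///")
      set_fact:
        open_ports: "{{ scan.stdout | regex_findall('(\\d+)/open/tcp') }}"

    - name: Anything open that is not on the list is a left door
      assert:
        that: open_ports | difference(allowed_ports) | length == 0
        fail_msg: "unexpected open ports on {{ target }}: {{ open_ports | difference(allowed_ports) | join(', ') }}"
        success_msg: "only {{ allowed_ports | join(', ') }} reachable from outside"
```

Run it from a host that is really outside the firewall; scanning from inside only proves the host firewall, not the perimeter.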
16. #AUDIT>facts_drift
● set fact caching to use jsonfile
● make git repo or checkout in cache dir
● set incron to commit when file changes
● now git log shows facts change over time
● filter out time facts (or not)
● … so ... tower will do this for me?
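The facts-into-git idea above, done from a play instead of incron, added here as an example and not from the talk. Every run writes each host's facts, minus the ones that change on every boot or every minute, into a git working tree on the control host and commits when anything differs, so git log -p becomes the drift history. The repo path and the volatile-fact list are assumptions of this example (the repo must already be initialised); needs Ansible 2.7+.

```yaml
#!/usr/bin/ansible-playbook
---
# Added example, not from the talk: snapshot facts into git for drift auditing.
- name: Snapshot facts for drift auditing
  hosts: all
  vars:
    facts_repo: /var/lib/ansible/facts_repo    # assumed, already 'git init'ed
    volatile:    # trim to taste; these differ on every run without meaning drift
      - date_time
      - uptime_seconds
      - memfree_mb
      - memory_mb
      - swapfree_mb
  tasks:
    - name: Write this host's facts (sorted keys, so git diffs stay readable)
      copy:
        content: "{{ ansible_facts | dict2items | rejectattr('key', 'in', volatile) | items2dict | to_nice_json }}\n"
        dest: "{{ facts_repo }}/{{ inventory_hostname }}.json"
      delegate_to: localhost

    - name: Commit whatever changed (runs once, after every host has written its file)
      shell: |
        git add -A
        if git diff --cached --quiet; then
          echo nochange
        else
          git commit -qm "facts snapshot $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        fi
      args:
        chdir: "{{ facts_repo }}"
      register: commit
      changed_when: "'nochange' not in commit.stdout"
      delegate_to: localhost
      run_once: true
```

The slide's variant keeps the same commit step but points it at the jsonfile fact cache (fact_caching = jsonfile and fact_caching_connection = DIR in the [defaults] section of ansible.cfg) and lets incron trigger it; the play version just removes the dependency on incron.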
17. #AUDIT>file_changes_xattr
● {{ansible_managed}}: a header comment only says "managed"; with a timestamp in it every run reports 'changed', without one it carries little information
● use xattr to keep metadata with the file instead
● requires user_xattr on the mount
● great for ETL-style pipelines: the transform a file went through travels with the file
● xattrs are not part of the content checksum, so they do not affect copy/template 'changed'
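Provenance kept in xattrs rather than in a header, added here as an example and not from the talk: the template is rendered as usual, where it came from and its checksum are written as user.* attributes, and an audit step compares the recorded checksum with the file as it is now, so a hand edit shows up without any comment line in the file. Template name, destination path and attribute names are assumptions of this example; the mount needs user_xattr and the hosts need setfattr/getfattr. Needs Ansible 2.7+ (the xattr module prefixes keys with the user namespace since 2.3).

```yaml
#!/usr/bin/ansible-playbook
---
# Added example, not from the talk: file provenance in xattrs plus an audit.
- hosts: all
  become: true
  gather_facts: false
  vars:
    src_template: sshd_config.j2    # assumed template in the playbook's templates/
    dest: /etc/ssh/sshd_config
  tasks:
    - name: Render the config; 'changed' still reflects only the content
      template:
        src: "{{ src_template }}"
        dest: "{{ dest }}"
        mode: '0600'
      register: rendered

    - name: Record where the file came from (written as user.ansible.* attributes)
      xattr:
        path: "{{ dest }}"
        key: "{{ item.attr }}"
        value: "{{ item.value }}"
      loop:
        - { attr: ansible.source, value: "{{ src_template }}" }
        - { attr: ansible.sha1, value: "{{ rendered.checksum }}" }
        - { attr: ansible.deployed_by, value: "{{ lookup('env', 'USER') }}" }
      when: rendered.changed
      changed_when: false    # metadata only; keep the template's own 'changed' meaningful

    - name: Audit, read back the checksum recorded at deploy time
      command: getfattr --only-values -n user.ansible.sha1 {{ dest }}
      register: recorded
      changed_when: false

    - name: Audit, checksum the file as it is now
      stat:
        path: "{{ dest }}"
        checksum_algorithm: sha1
      register: now

    - name: A hand edit since deploy shows up here, no header needed
      assert:
        that: recorded.stdout == now.stat.checksum
        fail_msg: "{{ dest }} modified since deploy ({{ recorded.stdout }} != {{ now.stat.checksum }})"
```

Because the attributes live outside the content, copy and template keep reporting 'changed' only when the bytes differ, which is the point of the slide.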
18. #HACK>expand_ansible
● roles: as shared libraries
● plugins: there are more than modules
● callbacks: send events
● notification modules: specific events
● dynamic modules: if you crave abstraction
26. #THE END>wait 6 && exit
● Ansible was born to play well with Unix
● Roles allow for reuse and sharing
● Plugins are where you code
● Plugins are useful to non programmers.
● callbacks, lookups, filters, etc are also plugins
● Many ways to make Ansible work for you
 __________
< goodbye! >
 ----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||