Ansible best current practices
-
Not SyncedThank you everyone for coming.
-
Not SyncedIf you were expecting the Postgres talk,
that was the one before, so -
Not Syncedyou might need to watch the video stream.
-
Not SyncedSo, Ansible best practices,
-
Not SyncedI thought about calling it "Ansible,
my best practices", -
Not Syncedso, just warning ahead, this is things
I stumbled on using Ansible -
Not Syncedfor the last 2-3 years and
-
Not Syncedthose are very specific things I found
that worked very well for me. -
Not SyncedAbout me, I do also freelance work,
do a lot of Ansible in there, -
Not SyncedI'm also the Debian maintainer for
Ansible with Harlan Lieberman-Berg -
Not SyncedIf there are any bugs in the package,
just report them. -
Not SyncedThe talk will be roughly divided into
4 parts. -
Not SyncedThe first part will be about why you
actually want to use config management -
Not Syncedand why you specifically want to use
Ansible. -
Not SyncedSo, if you're still SSHing into machines
and editing config files, -
Not Syncedyou're probably a good candidate
for using Ansible. -
Not SyncedThen, the second part will be about good
role and playbook patterns -
Not Syncedthat I have found that work really well
for me. -
Not SyncedThe third chapter will be about typical
antipatterns I've stumbled upon, -
Not Syncedeither in my work with other people
using Ansible, -
Not Syncedor the IRC support channel, for example.
-
Not SyncedThe fourth part will be like advanced
tips and tricks you can use -
Not Syncedlike fun things you can do with Ansible.
-
Not SyncedQuick elevator pitch, what makes config
management good? -
Not SyncedIt actually also serves as a documentation
of changes on your servers over time -
Not Syncedso if you just put the whole config
management in a git repo -
Not Syncedand just regularly commit,
-
Not Syncedyou will actually be able to say
-
Not Synced"Why doesn't this work? It used to work
a year ago" -
Not SyncedYou can actually check why.
-
Not SyncedAlso, most config management tools have
a lot better error reporting than -
Not Syncedyour self-written bash scripts that do
whatever. -
Not SyncedAnd usually, you have a very good
reproducibility with config management -
Not Syncedand also idempotency, meaning that if you
run, for example, a playbook several times -
Not Syncedyou will always get the same result.
-
Not SyncedAlso, it's great if you work in small team
or you admin ??? in the company -
Not Syncedand you have some people working
on a few things too. -
Not SyncedIt makes team work a lot easier and
you will save a lot of time actually -
Not Synceddebugging things when things break.
-
Not SyncedWhat makes Ansible good?
-
Not SyncedComparing it to Chef or Puppet for example
it's really easy to set up, -
Not Syncedyou start with two config files, you have
it installed and you're ready to go. -
Not SyncedIt's also agentless, so whatever machines
you actually want to control, -
Not Syncedthe only thing you they really need to have
is an SSH daemon and Python 2.6+ -
Not Syncedso that's virtually any Debian machine
you have installed and -
Not Syncedthat ???
-
Not SyncedAnsible also supports configuration
of many things like -
Not Syncednetworking equipment or even Windows
machines, -
Not Syncedthey don't need SSH but they use the
WinRM -
Not Syncedbut Ansible came a bit late to the game
so Ansible's still not as good -
Not Syncedin coverage like for example Puppet,
-
Not Syncedwhich literally, you can configure any
machine on the planet with that, -
Not Syncedas long as it has a CPU.
-
Not SyncedNext step, I will talk about good
role patterns. -
Not SyncedIf you've never worked with Ansible
before, -
Not Syncedthis is the point when you watch
the video stream, -
Not Syncedthat you pause it and start working
a few weeks with it -
Not Syncedand then unpause the actual video.
-
Not SyncedA good role should ideally have
the following layout. -
Not SyncedSo, in the "roles" directory, you have
the name of the role and task/main.yml -
Not SyncedYou have the following rough layout.
-
Not SyncedAt the beginning of the role, you check
for various conditions, -
Not Syncedfor example using the "assert" task to
for example check that -
Not Syncedcertain variables are defined, things
are set, -
Not Syncedthat it's maybe part of a group, things
like that you actually want to check. -
Not SyncedThen, usually, you install packages, you
can use apt on CentOS machines, -
Not Syncedyum, or you can do a git checkout or
whatever, -
Not Syncedthen usually you do some templating of
files where you have certain abstraction -
Not Syncedand the variables are actually put into
the template and -
Not Syncedmake the actual config file.
-
Not SyncedThere's also good to point out that
the template module actually has -
Not Synceda "validate" parameter,
-
Not Syncedthat means you can actually use a command
to check your config files for syntax errors -
Not Syncedand if that fails, your playbook will fail
before actually deploying that config file -
Not Syncedso you can for example use Apache with
the right parameters to actually do -
Not Synceda check on the syntax of the file.
-
Not SyncedThat way, you never end up with a state
where there's a broken config. -
Not SyncedIn the end, you usually…
-
Not SyncedWhen you change things, you trigger
handlers to restart any ??? -
Not SyncedIf you use variables, I recommend putting
sensible defaults in -
Not Synceddefaults/main.yml
-
Not Syncedand then you only have to override
those variables on specific cases. -
Not SyncedIdeally, you should have sensible defaults
you want to have to get whatever things -
Not Syncedyou want to have running.
-
Not SyncedWhen you start working with it and do that
a bit more, -
Not Syncedyou notice a few things and that is
-
Not Syncedyour role should ideally run in "check mode".
-
Not Synced"ansible-playbook" has --check that
basically is just a dry run of -
Not Syncedyour complete playbook
-
Not Syncedand with --diff, it will actually show you
for example file changes, -
Not Syncedor file mode changes, stuff like that
-
Not Syncedand won't actually change anything.
-
Not SyncedSo if you end up editing a lot of stuff,
you can use that as a check. -
Not SyncedI'll later get to some antipatterns that
actually break that thing. -
Not SyncedAnd, ideally, the way you change files
and configs and states, -
Not Syncedyou should make sure that when the actual
changes are deployed, -
Not Syncedand you run it a second time,
-
Not Syncedthat Ansible doesn't report any changes
-
Not Syncedbecause if you end up writing your roles
fairly sloppy, you end up having -
Not Synceda lot of changes and then,
-
Not Syncedin the end of the report, you have like
20 changes reported and -
Not Syncedyou kind of then know those 18,
they're always there -
Not Syncedand you kind of miss the 2 that are
important, that actually broke your system -
Not SyncedIf you want to do it really well, you make
sure that it doesn't report any changes -
Not Syncedwhen you run it twice in a row.
-
Not SyncedAlso, a thing to consider is you can define
variables in the "defaults" folder -
Not Syncedand also in the "vars" folder,
-
Not Syncedbut if you look up how variables get
inherited, you'll notice that -
Not Syncedthe "vars" folder is really hard to
actually override, -
Not Syncedso you want to avoid that as much as
possible.
- Title:
- Ansible best current practices
- Description:
-
more » « less
Talk given by Lee Garrett at Minidebconf Hamburg 2018
https://meetings-archive.debian.net/pub/debian-meetings/2018/miniconf-hamburg/2018-05-20/ansible_bcp.webm - Video Language:
- English
- Team:
Debconf
- Project:
- 2018_mini-debconf-hamburg
- Duration:
- 23:46
|
tvincent edited English subtitles for Ansible best current practices | |
|
|
tvincent edited English subtitles for Ansible best current practices | |
|
|
tvincent edited English subtitles for Ansible best current practices | |
|
|
tvincent edited English subtitles for Ansible best current practices | |
|
|
tvincent edited English subtitles for Ansible best current practices |