Ansible

Contributors

Authors:

Helena Rasche

Questions

Why Ansible?
How and when to use Ansible?
How to write a role?
How to leverage community build roles?

Objectives

Learn Ansible basics.
Write a simple role.
Install a role from Ansible Galaxy.

last_modification Last modification: Apr 6, 2021

Configuration Management

Manages the configuration of machines.

Specifies what software is installed, how it is configured

Speaker Notes

Configuration management manages the configuration of machines.
It specifies what software should be installed, and how it should be configured

Why Configuration Management?

Are you keeping track of config changes?
What if your server dies?
… or your VM is accidentally deleted?
Can you recover? How quickly?

Speaker Notes

So why do you want configuration management?
What do you do when things go wrong?
What if your server dies?
Did you backup your configuration?
Did you back up your webserver configuration?
Ansible provides an answer.

Configuration Management goals

Reproducibility
Ensure 1000s of machines are correctly configured
Easily recover from bad situations

Speaker Notes

The goals of using CM are reproducibility, uniformity, and recovery.

Ansible

Ansible is an open-source configuration management tool, sponsored by Red Hat
Several alternatives are available (Chef, Puppet, Salt, etc)
It uses an agentless model: SSH into machine and executes commands
Very popular, especially among Galaxy admins!
Many modules for common tasks like copying files or managing users or services.

Speaker Notes

Ansible is a very popular CM tool, sponsored by RedHat.
There are several alternatives, but Galaxy Project uses Ansible.
It uses an agent-less model. You SSH into machines and execute commands on them.
It has many popular pre-existing roles for common tasks.

Important Terms

Speaker Notes

Some important terms you should know

Inventory File

Defines the systems (called “hosts”) against which Ansible will work.

[webservers]
192.168.0.1
192.168.0.2 ansible_user=ubuntu

[databases]
db_1.example.org ansible_user=root

Speaker Notes

First is the Inventory File.
This file lists all of your hosts.
The group name is in square brackets.
Group names are used to select a set of systems, on which Ansible should operate.
It is possible to assign variables to hosts and groups.
Here we override the ansible user variable on two hosts.
This variable controls which user is used in login.

Ansible Module and Tasks

A module is a piece of code that Ansible can execute on a host, collecting return values.

A task is an invocation of single module with its configuration.

---
- copy:
    src: foo.conf
    dest: /etc/foo.conf
    owner: foo
    group: foo
    mode: 0644

- package:
    name: ntpdate
    state: present

Speaker Notes

Here is an example of invoking the copy module and the package module.
Copy copies a file from source, on the local host to destination, on the remote host.
Then it sets some attributes about the file like the owner and mode.
Next we see an example of the package module. This is a generic OS package manager module.
It ensures that for the package named ntpdate, its state is present, i.e. installed.

Role

.pull-left[ A collection of:

tasks
files
templates
variables
handlers

]

.pull-right[ with a predefined directory structure:

.
├── defaults
│   └── main.yml
├── files
│   └── cvmfs_wipecache.centos_7
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   ├── apache.yml
│   ├── main.yml
│   └── stratumN.yml
├── templates
│   └── stratum1_squid.conf.j2
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

]

Speaker Notes

A role is a collection of tasks, files, templates, variables, and handlers.
Tasks are things to be executed, like a copy task to add files to a remote machine.
Files have static, unchanging files that are used by the tasks.
The templates are like files, but they contain variables which will be replaced, when ansible deploys the file.
Variables contain definitions of variables for use in templates and tasks.
Handlers manage services, restarting them when configuration changes.

Playbook

A YAML file listing a set of tasks and/or roles that should be applied to a group of hosts.

.pull-left[

We define a playbook which has a name
And applies to some group of hosts
We specify some additional variables
And then invoke some roles ]

.pull-right[

- name: CVMFS
  hosts: all
  vars:
    cvmfs_role: client
    galaxy_cvmfs_repos_enabled: true
  roles:
    - geerlingguy.repo-epel
    - galaxyproject.cvmfs

]

Speaker Notes

This is an example playbook.
We give it a name, in this case CVMFS.
Then we select some hosts, i.e. all hosts known to our inventory file.
We specify some additional variables.
And then we invoke two roles.

Vault

Ansible playbooks should be kept under version control (typically with Git)
Playbooks can be safely shared on public Git repositories (e.g. GitHub) by storing secrets like passwords in encrypted files called vaults

$ANSIBLE_VAULT;1.1;AES256
63333238633033313664633437316231323932326531386266636637353037313335613563663934
6639666536653631363739383639633165633337393334630a353233393938646539306362633738
61613439366435336230636561663864323765303663666239613430323534333665636665643964
6537376666323333660a663233343565393166373665366138306661343764623561343634656463
31636265303430623731643766346434323565663436626466353765393465376533376366356463

Speaker Notes

If you have secrets like API keys or passwords, you need to use Vault.
Vault encrypts your secrets with a password, so you can include them in your playbooks.
This lets you collaborate on playbooks and infrastructure publicly with git.

Ansible Philosophies

Some people write a single playbook that completely manages a machine (installing everything on a brand new machine)
Other people write playbooks for a single task (e.g. upgrading software / installing nginx)
Which one depends on your use case.

Speaker Notes

There are multiple ways of designing playbooks, use one that fits your use case.
Some prefer a playbook which does everything, so no step can be forgotten.
Others prefer playbooks which do individual steps. These can be faster, and you can only run the ones that change.

Ansible Galaxy

Public repository of roles
Many for common software deployment (nginx, apache, postgresql)
Different “Galaxy” than the bioinformatics tool server (but Ansible can be used to install that too!)

Speaker Notes

Ansible has a repository for public roles.
There are a huge number of available roles for common tasks.
It is called Ansible Galaxy, but it is a different Galaxy.

Key Points

Ansible lets you do system administration at scale
Many system administration, software installation, and software management tasks are already available as Ansible tasks or roles

Thank you!

This material is the result of a collaborative work. Thanks to the Galaxy Training Network and all the contributors! page logo

This material is licensed under the Creative Commons Attribution 4.0 International License.