Go Faster with AnsibleRichard Donkin

@rdonkin

$ whoami• Richard Donkin• DevOps engineer / contractor• Ansible, Vagrant, Docker, Linux,

AWS, databases, …

• Experience of sys admin, DevOps, backend dev, architecture, startups, …

@rdonkin linkedin.com/in/rdonkin

Goal: Faster Correct Setup

ServersAppsDevelopers

• Correct configuration• No snowflake servers• Dev, Test, Production

Infrastructure As

Code

Infrastructure as Code

Software processes for server configs:• Code review• Version control• Automated tests• Automated push to servers

What is Configuration Management?

Code that Controls Config

What Ansible DoesConfiguration Management

App Deployment• Basic, "Atomic", zero downtime, ...

Orchestration• Sequence operations on servers,

APIs, etc.• Harder with Configuration

Management

Why Ansible?• Agentless & serverless• Simple• Sequential• Declarative tasks• “Ensure nginx installed” • Enables idempotence

• Easy to learn• Scales to complex cloud

orchestration

Quick InstallMac: brew install ansible

Debian/Ubuntu:sudo apt-add-repository ppa:ansible/ansiblesudo apt-get install -y ansible

RHEL/CentOS: use EPEL, then: sudo yum –y install ansible

Any Linux (latest Ansible, requires Python):sudo easy_install pipsudo pip install ansible

Hello PHPMailerPlaybooks

TasksIdempotence

Key ConceptsPlaybook = series of tasks• Targets one server or thousands• Servers defined by Inventory

Task = "ensure X is done" action

Play = set of tasks in playbook

Running a Playbook (1)

Running a Playbook (2)

Tasks will "skip" if state already OK

(Idempotence)

Writing a PlaybookPlay – hosts to process, become == sudoTasks - descriptive name- invoke module (apt) with parameters Play

Task

The Secret Life of Tasks

Each task runs SSH commands that • Upload a Module (e.g. apt)• Run module with task's

parameters• Return JSON output

Inventory and Variables

Group your servers and assign key parameters ("variables")

[web]10.0.1.5110.0.1.52

[db]10.0.1.61

[web:vars]ansible_port=2222

$ ansible-playbook -i prod apache.yml --limit web

Run different Ansible code per groupRecommended: • Inventory file per environment (or dynamic

inventory)• Put vars in group_vars/mygroup/vars.yml

Apache Playbook (1)

Vars = parameters for this playbookCan be in separate include filesOr attach to hosts or host-groups in Inventory - e.g. Listening IP address should be in inventory

Apache Playbook (2)

template task runs Jinja2 on local file and copies to servernotify sends event to Handler- Each Handler runs just once, at end of whole

playbook- Restart a service, notify Slack, ...

Apache Playbook (3)

service task uses systemctl to enable start on boot- {{ apache_service }} instantiates var with Jinja2Handler restarts apache at end if any task does a notify

Apache PlaybookPlaybooksVariablesHandlers

Modules (1)Over 840 modules "in the box"- Git, yum, apt, compose, pear, pip, …- Copy files, template files- Edit files- Permissions, ownership, SELinux- Services – systemd, sysvinit, ...- Crontabs- MySQL, PostgreSQL, MongoDB, ...

Modules (2)More modules (AWS alone has 87)- Firewalls, routers, switches, ...- AWS, Google, Digital Ocean, ...- Docker, VMware, …- Fallback to shell, upload script, …

Runs best on Linux/Unix including MacWindows as a target only

Roles

"Modularised playbooks"- Split playbook into folder per type of

content- defaults folder for "parameter vars"- vars folder for "role vars" – hard to

override- meta folder for role dependencies

Vars

Tasks

Handlers

Apache + PHPplaybook

Apache role

PHP role

RolesUse Roles for everything!Skinny playbooks + modular roles Ideal playbook only calls roles, not tasks

Typical roles:• mysql• apache• php, php-fpm• deploy-app

"Wrapper roles" to invoke third party roles

Ansible GalaxyHub for 1000s of roles: galaxy.ansible.com

Discovery: Galaxy, GitHub, blogs, …

Assess quality carefully Install the roles needed by project: ansible-galaxy install –r requirements.yml

Pin the role to a version or Git commit

Testing Infra CodeBasic testing:- Separate test playbook using Vagrant VM

- Travis CI popular for open source- Smoke test at end of playbook:

Test frameworks:- Test-Kitchen, ServerSpec, InSpec, testinfra - Run whole series of tests - easier diagnosis

One LinersAd hoc command on single host, or group from inventory

Drupal VM

Create a VM with one command: vagrant upAnsible: 37 roles, 630 tasks, 7,200 lines of code

Drupal VMMultiple Roles

Trellis: Modern WordPress

Near Twelve Factor WordPress• Dev to Prod• PHP 7.1, A+ SSL, HTTP/2, WP-CLI, …• Example: rightsinfo.org

Related roots.io projects: • Bedrock (WP boilerplate)• Sage (starter theme)• Some commercial add-ons

Example project (blog post):• Install node, gulp, bower, Vagrant

plugins• vagrant up• Some fixes required for Ansible 2.2

ResourcesBook: Ansible for DevOps by Jeff Geerling – regular updates

Help: Stack Overflow, Ansible IRC + email lists

Roles:• Geerlingguy roles – wide range – pragmatic & well

maintained• Ansistrano: Deploying PHP apps demo (atomic model)

Projects:• Drupal-VM – http://drupalvm.com• Trellis - https://roots.io/trellis/ - very complete WordPress

setup• Use example project – requires node, bower & gulp

Best practices: Ansible.com, blogs by Leucos and Nylas

Podcasts: Arrested DevOps – general DevOps and Infra as Code

Thank YouRichard Donkin

@rdonkin

linkedin.com/in/rdonkin

Traction – Google Trends, 5 years

Advanced: Write a Module

Much more common to write a roleRequired for major new features:• New API• New package tool• New container format

Most modules written in PythonAny language works: PHP, C, Go, Perl, …Writing a module using PHP