Is that an Ansible?
Stop holding it like a Puppet.
OSDC 2017, Berlin
Felix Frank, Systems Architect
The unbelievable Machine Company GmbH
What? Who now?
Felix (probably not literally a cat)
- old command line geezer
- open source vagabond
- config management nerd
- came here by bicycle
A text
Guess the author?
The story goes as follows.
Don't use blatantly wrong tools.
When all you have
is a hammer,
everything looks like a nail
No quack.
Now for some items in the
config management
tool chain
No manual tinkering. No wiki install guides.
Repeatable setup
Infrastructure as Code
Let's model a webserver
Ansible: Similar but different
| Puppet | Ansible |
|---|---|
| resource type | module |
| module | role |
| role | group (more or less) |
| resource | task |
Editing code and data
- Puppet manifests
- Hiera data stores
class nodejs::install {
$npmrc_auth = $::nodejs::npmrc_auth
if $caller_module_name != $module_name {
fail("Use of private class ${name} by ${caller_module_name}")
}
# npm is a Gentoo USE flag
if $::operatingsystem == 'Gentoo' {
package_use { $nodejs::nodejs_package_name:
ensure => present,
target => 'nodejs-flags',
use => $nodejs::use_flags,
before => Package[$nodejs::nodejs_package_name],
}
}
# nodejs
package { $nodejs::nodejs_package_name:
ensure => $nodejs::nodejs_package_ensure,
tag => 'nodesource_repo',
}
---
nodejs::npm_path: /opt/osdc/npm/bin/npm
nodejs::manage_package_repo: false
nodejs::repo_proxy: "10.17.81.121"
nodejs::repo_proxy_username: sys
nodejs::repo_proxy_password: o0psThisisS3cre3t
apache::default_vhost: stage_site
apache::user: fitz
Modules are available from the Puppet Forge
Custom code organized into Roles and Profiles
http://projects.theforeman.org/projects/foreman/wiki/Screenshots
Optionally use ENCs like the Foreman
http://maxpixel.freegreatpicture.com/Dream-Space-Sky-Galaxy-Magic-Unicorn-Fantasy-2035174
orchestration through MCollective
visualization with e.g. PuppetBoard
http://www.dailymail.co.uk/news/article-3152277/Dog-tor-Doolittle-Pet-pooch-friends-animals-loves-snuggling-hamster-bird-pals.html
Write code in Ansible's YAML language:
- structure things into roles
- orchestrate roles across your infrastructure in playbooks
---
# roles/varnish/tasks/main.yml
- name: Install the varnish package
apt: name=varnish state=installed
- name: Write varnish config files
template: src={{ item.template }} dest={{ item.dest }} mode=0644
with_items:
- dest: /etc/default/varnish
src: etc_default_varnish.j2
- dest: /etc/varnish/default.vcl
src: etc_varnish_default.vcl.j2
- name: Manage varnish service
service: name=varnish state={{ varnish_service_state }}
---
# playbooks/webtier.yml
- name: Provision webservers
hosts: web
roles:
- common
- apache
- name: Provision reverse proxies
hosts: proxies
roles:
- common
- varnish
Open Source Roles from Ansible Galaxy
--- | ---
# inventory/group_vars/all/vars.yml | # inventory/group_vars/web/vars.yml
ssh_enabled: true | ssh_root_login: true
ssh_root_login: false |
| password_hashes:
password_hashes: | root: ""
root: "$6$deadbeef" | felix: "{{ password_hashes.felix }}"
felix: "$6$acceff00" | gitlab_ssh_key: "{{ vault_gitlab_ssh_key }}"
run from anywhere using ssh
http://projects.theforeman.org/projects/foreman/wiki/Screenshots
Foreman supports Ansible as well
https://img.memecdn.com/youre-doing-it-wrong_o_195760.jpg
not very comfortable without Ansible Tower
We've seen the parallels
Now for the differences
Puppet models systems
- system state will (should) converge
- equilibrium often after single transaction
- each machine has a definitive catalog of state
Ansible models
distributed activity
- structured like a script, convergence is up to the user
- a play in a playbook is like a view or projection
- assigns tasks to hosts, rather than state
In Summary
Or let's use a metaphor
Imagine your infrastructure was a theatre stage
So don't try to push Ansible into a Puppet-shaped box.
https://img.memecdn.com/youre-doing-it-wrong_o_195760.jpg
Having a site.yml is nice, but it should not be
the primary use case.
Running the code for all machines will become
too slow sooner or later.
Tags aren't very flexible.
Better to rely on single-purpose playbooks.
Create ad-hoc playbooks whenever you need.
Don't shoot for DRY on playbook level.
But do make DRY roles.
Take advice on best practices
from the upstream Ansible documentation
with a grain of salt.
Let's look at site.yml
Use the tooling.
Orchestrate
- need to cover code deployments?
- primarily managing switches and similar gear?
- many use cases for "ad hoc" management?
- ubiquitous Python but no Ruby?
- managing only OS level system properties?
- very heterogeneous environment?
- you value power over simplicity?
- ubiquitous Ruby but no Python?
(or Python 3 only?)
Only if you know what you are doing.
There is value in limiting your tool chain.
Finally, what's the best way to lead discussions about config management codes?
Well...
http://www.mrwallpaper.com/wallpapers/man-tiger-hug-1024x1024.jpg
Thanks for listening!
We are filling many (not only tech) roles!
Check out our careers page
Questions?
| Style | Puppet | Ansible |
|---|---|---|
| Preview | --noop | --check |
| Unit | rspec-puppet | N/A |
| Static | catalog-diff | N/A |
| Acceptance | beaker | testinfra |
- The Git logo, available under Creative Commons 3.0.
- The Jenkins logo: https://jenkins.io/