Ansible Advanced - FrOSCon · ABOUT INTRODUCTION PLAYBOOKS IN DEEP WHAT’S NEW Amazon AWS Upcoming topics END Ansible Advanced Oleg Fiksel Security Consultant @ …

ABOUT INTRODUCTION PLAYBOOKS IN DEEP WHAT’S NEW Amazon AWS Upcoming topics END

Ansible Advanced

Oleg Fiksel

Security Consultant @ CSPI GmbH

[email protected] | [email protected]

FrOSCon 2016

mailto:[email protected]



AGENDA

ABOUT

INTRODUCTION

PLAYBOOKS IN DEEP

WHAT’S NEW

Amazon AWS

Upcoming topics

END

Q & A


ABOUT ME

I Security Consultant @ CSPI 1 (former MODCOMP 2)I Main topics

I AutomationI VirtualisationI Application Switching (load balancing)I Perl Coding

1About CSPi2Wikipedia: MODCOMP

http://www.cspi.com/de/uber-uns/

https://en.wikipedia.org/wiki/MODCOMP


GOALS OF THIS TALK

I This is not a comparison of configuration managementsystems.

I Provide overview of some (not all) advanced features ofansible.

I Using examplesI Provide links for possible deep dive on a particular subject

I Talk about new features in ansible 2.0 (and ansible 2.2)I Discuss new topics ansible is approaching


GOALS OF THIS TALK






GOALS OF THIS TALK






GOALS OF THIS TALK



I Using examples

I Provide links for possible deep dive on a particular subject



GOALS OF THIS TALK






GOALS OF THIS TALK




I Talk about new features in ansible 2.0 (and ansible 2.2)

I Discuss new topics ansible is approaching


GOALS OF THIS TALK






WHY ANSIBLE?

I Fresh

I Started February 2012I Core rewrite January 2016

I Simple syntaxI Bloody Enterprise compatible

I Works with no agents on the systemsI Works via jumphostsI Works on stripped down / hardened systems


WHY ANSIBLE?

I Fresh

I Started February 2012I Core rewrite January 2016




WHY ANSIBLE?

I FreshI Started February 2012

I Core rewrite January 2016




WHY ANSIBLE?

I FreshI Started February 2012I Core rewrite January 2016




WHY ANSIBLE?


I Simple syntax

I Bloody Enterprise compatible



WHY ANSIBLE?





WHY ANSIBLE?



I Works with no agents on the systems

I Works via jumphostsI Works on stripped down / hardened systems


WHY ANSIBLE?



I Works with no agents on the systemsI Works via jumphosts

I Works on stripped down / hardened systems


WHY ANSIBLE?





PLAYBOOK BEST PRACTICESSource: http://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout

1 s tage # i n v e n t o r y f i l e f o r s t a g e env i ronment2 production # i n v e n t o r y f i l e f o r p r o d u c t i o n env i ronment34 group_vars/5 group1 # a s s i g n v a r i a b l e s t o p a r t i c u l a r s e r v e r groups6 host_vars/7 hostname1 # s y s t e m s s p e c i f i c v a r i a b l e s89 s i t e . yml # m as t e r p l a y b o o k

10 webservers . yml # p l a y b o o k f o r w e b s e r v e r t i e r1112 r o l e s /13 common/ # t h i s h i e r a r c h y r e p r e s e n t s a " r o l e "14 t a s k s/ #15 main . yml # <−− t a s k s f i l e can i n c l u d e s m a l l e r f i l e s i f warrant ed16 handlers/ #17 main . yml # <−− h a n d l e r s f i l e18 templates/ # <−− f i l e s f o r use with t h e t e m p l a t e r e s o u r c e19 ntp . conf . j 2 # <−−−−−−− t e m p l a t e s end in . j 220 f i l e s / #21 foo . sh # <−− s c r i p t f i l e s f o r use with t h e s c r i p t r e s o u r c e22 vars/ #23 main . yml # <−− v a r i a b l e s a s s o c i a t e d with t h i s r o l e24 d e f a u l t s / #25 main . yml # <−− d e f a u l t l o w e r p r i o r i t y v a r i a b l e s f o r t h i s r o l e26 meta/ #27 main . yml # <−− r o l e d e p e n d e n c i e s2829 monitoring/ # same k ind o f s t r u c t u r e a s "common" r o l e

http://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout


MODULE INSIGHTS

Most work in ansible is handled by modules 1.

I connection modules

I connect to machines

I lookup modules

I give data

I filter modules

I transform data

I callback modules

I register events that happen when tasks are executed

I task modules

I self contained scriptI any programming language (core modules - python only)I do the heavy liftingI copied to the target machineI executed with (json) inputI (json) output is registered

1Ansible - Developing Plugins

http://docs.ansible.com/ansible/developing_plugins.html


MODULE INSIGHTSMost work in ansible is handled by modules 1.


I connect to machines

I lookup modules

I give data

I filter modules

I transform data

I callback modules


I task modules







I connect to machinesI lookup modules

I give data

I filter modules

I transform data

I callback modules


I task modules






I connection modulesI connect to machines

I lookup modules

I give data

I filter modules

I transform data

I callback modules


I task modules







I lookup modules

I give dataI filter modules

I transform data

I callback modules


I task modules







I lookup modulesI give data

I filter modules

I transform data

I callback modules


I task modules








I filter modules

I transform dataI callback modules


I task modules








I filter modulesI transform data

I callback modules


I task modules









I callback modules

I register events that happen when tasks are executedI task modules









I callback modulesI register events that happen when tasks are executed

I task modules










I task modules










I task modulesI self contained script

I any programming language (core modules - python only)I do the heavy liftingI copied to the target machineI executed with (json) inputI (json) output is registered









I task modulesI self contained scriptI any programming language (core modules - python only)

I do the heavy liftingI copied to the target machineI executed with (json) inputI (json) output is registered









I task modulesI self contained scriptI any programming language (core modules - python only)I do the heavy lifting

I copied to the target machineI executed with (json) inputI (json) output is registered









I task modulesI self contained scriptI any programming language (core modules - python only)I do the heavy liftingI copied to the target machine

I executed with (json) inputI (json) output is registered









I task modulesI self contained scriptI any programming language (core modules - python only)I do the heavy liftingI copied to the target machineI executed with (json) input

I (json) output is registered









I task modulesI self contained scriptI any programming language (core modules - python only)I do the heavy liftingI copied to the target machineI executed with (json) inputI (json) output is registered




PLAYBOOKS IN DEEP


TAGS

1 # main.yml2 ---3 − hosts : webservers4 g a t h e r _ f a c t s : f a l s e5 t a s k s :6 - package:7 name: "lighttpd"8 s t a t e : i n s t a l l e d9 tags :

10 - packages11 - template:12 s r c : "template/lighttpd.j2"13 dest : "/etc/lighttpd/lighttpd.conf"14 tags :15 - c o n f i g u r a t i o n

Run:ans ib le−playbook main . yml −−tags packages

ans ib le−playbook main . yml −−skip−tags c o n f i g u r a t i o n

1More details: Ansible - Playbook Tags

http://docs.ansible.com/ansible/playbooks_tags.html


TAGS1 # main.yml2 ---3 − hosts : webservers4 g a t h e r _ f a c t s : f a l s e5 t a s k s :6 - package:7 name: "lighttpd"8 s t a t e : i n s t a l l e d9 tags :







TAGS1 # main.yml2 ---3 − hosts : webservers4 g a t h e r _ f a c t s : f a l s e5 t a s k s :6 - package:7 name: "lighttpd"8 s t a t e : i n s t a l l e d9 tags :







CUSTOM ACTIONS

1 ---2 − inc lude_vars : "includes/{{ ansible_os_family }}.yml"3 − name: "remove the apache package"4 a c t i o n : "{{custom_package_mgr}} name={{apache}} state=absent"


CUSTOM ACTIONS

1 ---2 − inc lude_vars : "includes/{{ ansible_os_family }}.yml"3 − name: "remove the apache package"4 a c t i o n : "{{custom_package_mgr}} name={{apache}} state=absent"


INTERACTION


COMMANDLINE/FILE

ans ib le−playbook −e ’ apache_hostname=example . com ’ deploy . yml

ans ib le−playbook −−extra−vars " @vars . j son " deploy . yml

1 # v a r s . j s o n2 { " apache_hostname " : " example . com" }


COMMANDLINE/FILE

ans ib le−playbook −e ’ apache_hostname=example . com ’ deploy . yml

ans ib le−playbook −−extra−vars " @vars . j son " deploy . yml

1 # v a r s . j s o n2 { " apache_hostname " : " example . com" }


PROMPTS AND PAUSE

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 vars_prompt:5 - name: "name"6 prompt: "What is your name?"7 p r i v a t e : no8 - name: "location"9 prompt: "What is you location?"

10 p r i v a t e : no11 t a s k s :12 - debug:13 msg: "{{name}}, let me think for a moment..."14 - pause:15 seconds: 1016 - debug:17 msg: "Let me guess, you are now at {{location}}?"

1Ansible - Playbook Prompts2Ansible - Pause Module

http://docs.ansible.com/ansible/playbooks_prompts.html

http://docs.ansible.com/ansible/pause_module.html


PROMPTS AND PAUSE

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 vars_prompt:5 - name: "name"6 prompt: "What is your name?"7 p r i v a t e : no8 - name: "location"9 prompt: "What is you location?"

10 p r i v a t e : no11 t a s k s :12 - debug:13 msg: "{{name}}, let me think for a moment..."14 - pause:15 seconds: 1016 - debug:17 msg: "Let me guess, you are now at {{location}}?"

1Ansible - Playbook Prompts2Ansible - Pause Module

http://docs.ansible.com/ansible/playbooks_prompts.html

http://docs.ansible.com/ansible/pause_module.html


PLAYBOOK AS AN EXECUTABLE

Use Shebang to run ansible as an executable.

1 #!/usr/bin/ansible-playbook2 ---3 − hosts : a l l4 g a t h e r _ f a c t s : f a l s e5 # sudo: true6 v a r s _ f i l e s :7 - departed_users . yml8 t a s k s :9 - name: Delete departed users and a l l i t ’s files

10 user: name= { { item } } s t a t e =absent remove=yes11 with_items: "{{departed}}"

1 # departed_users.yml2 ---3 − departed: ["toor" , "admin" ]

./ dele te_depar ted_users . yml −i . . / inventory −l host1

1Example from: Ansible Webinar - Tips and Tricks by Brian Coca

https://www.ansible.com/webinars-training/ansible-tips-tricks

https://github.com/bcoca
































DELEGATION

1 ---2 − name: shush nagios before deployment3 nagios:4 a c t i o n : s i l e n c e5 host : "{{inventory_hostname}}"6 d el eg a t e _ t o : "{{nagios_host}}"7

8 . . . deployment9

10 − name: unshush nagios a f t e r deployment11 nagios:12 a c t i o n : uns i l ence13 host : "{{inventory_hostname}}"14 d el eg a t e _ t o : "{{nagios_host}}"


DELEGATION

1 ---2 − name: shush nagios before deployment3 nagios:4 a c t i o n : s i l e n c e5 host : "{{inventory_hostname}}"6 d el eg a t e _ t o : "{{nagios_host}}"7

8 . . . deployment9

10 − name: unshush nagios a f t e r deployment11 nagios:12 a c t i o n : uns i l ence13 host : "{{inventory_hostname}}"14 d el eg a t e _ t o : "{{nagios_host}}"


LOOKUPS


LOOKUPS 1/4

Lookups are executed on ansible controller.

Probably most well known lookup is:1 ---2 − name: add ssh key3 authorized_key:4 user: root5 key: "{{ lookup(’file’, ’~/.ssh/id_rsa.pub’) }}"


LOOKUPS 1/4

Lookups are executed on ansible controller.Probably most well known lookup is:

1 ---2 − name: add ssh key3 authorized_key:4 user: root5 key: "{{ lookup(’file’, ’~/.ssh/id_rsa.pub’) }}"


LOOKUPS 2/4

You can use lookups for other weird things too:

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 t a s k s :5 - name: random number ( using lookup )6 debug:7 msg: "Random number {{ lookup(’pipe’, ’perl -e "p r i n t i n t (

rand ( 1 0 0 ) )"’) }}"


LOOKUPS 2/4

You can use lookups for other weird things too:1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 t a s k s :5 - name: random number ( using lookup )6 debug:7 msg: "Random number {{ lookup(’pipe’, ’perl -e "p r i n t i n t (

rand ( 1 0 0 ) )"’) }}"


LOOKUPS 3/4

Or just use build-in function:

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 t a s k s :5 - name: a n s i b l e nat ive random number6 debug:7 msg: "{{100 | random}}"


LOOKUPS 3/4

Or just use build-in function:1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 t a s k s :5 - name: a n s i b l e nat ive random number6 debug:7 msg: "{{100 | random}}"


LOOKUPS 4/4

Lookups list (incomplete):I pipeI redis_kvI templateI etcdI dig (DNS)I csvfileI iniI . . .


FILTERS

Filters manipulate data and are executed on the ansiblecontroller.

More information:I http://docs.ansible.com/ansible/playbooks_filters.html

I http://jinja.pocoo.org/docs/dev/templates/#builtin-filters

http://docs.ansible.com/ansible/playbooks_filters.html

http://jinja.pocoo.org/docs/dev/templates/#builtin-filters


FILTERS

Filters manipulate data and are executed on the ansiblecontroller.

More information:I http://docs.ansible.com/ansible/playbooks_filters.html

I http://jinja.pocoo.org/docs/dev/templates/#builtin-filters

http://docs.ansible.com/ansible/playbooks_filters.html

http://jinja.pocoo.org/docs/dev/templates/#builtin-filters


EXAMPLE 1

Not all filters are dependency-free.IP address validation needs python-netaddr.

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : no4 t a s k s :5 - debug: msg= { { ip | ipv4 } }


EXAMPLE 2

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 t a s k s :5 - debug:6 msg: "{{ ’ansible’ | regex_replace(’^a.*i(.*)$’, ’a\\1’) }}"

Produces: “able”


VARIABLE VALIDATION

1 ---2 − hosts : a l l3 g a t h e r _ f a c t s : no4 t a s k s :5 - debug: msg= { { hostname | mandatory } }6 - debug: msg= { { ip | mandatory } }7 . . .


VARIABLE VALIDATION

1 ---2 − hosts : a l l3 g a t h e r _ f a c t s : no4 t a s k s :5 - debug: msg= { { hostname | mandatory } }6 - debug: msg= { { ip | mandatory } }7 . . .


INCLUDES AND ROLES


INCLUDES

1 ---2 − s e r v e r s : a l l3 t a s k s :4 - inc lude: set_mysql_password . yml mysql_user=root mysql_pass

= { { var_mysql_pass } }5 . . .


INCLUDES

1 ---2 − s e r v e r s : a l l3 t a s k s :4 - inc lude: set_mysql_password . yml mysql_user=root mysql_pass

= { { var_mysql_pass } }5 . . .


ROLES

1 # sample r o l e s t r u c t u r e2 r o l e s /3 common/4 f i l e s /5 templates/6 t a s k s /7 handlers/8 vars/9 d e f a u l t s /

10 meta/


ROLES

1 # sample r o l e s t r u c t u r e2 r o l e s /3 common/4 f i l e s /5 templates/6 t a s k s /7 handlers/8 vars/9 d e f a u l t s /

10 meta/


INCLUDES V.S. ROLES

When use includes and when roles?

I includes for small code pieces

I if you have files/templates/handlers - use roles


INCLUDES V.S. ROLES

When use includes and when roles?

I includes for small code pieces

I if you have files/templates/handlers - use roles


VERBOSITY AND ERROR HANDLING


IGNORE_ERRORS

Continue running the task disregarding an error.1 ---2 − name: mysql root password3 mysql_user: name=root password = { { db_root_password } }4 i g n o r e _ e r r o r s : t rue


ASSERT

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 vars_prompt:5 - name: "name"6 prompt: "What is your name?"7 # show input contents8 p r i v a t e : no9 t a s k s :

10 - name: Very secure user v a l i d a t i o n11 a s s e r t :12 t h a t : "name == ’Oleg’"


FAIL

1 ---2 − hosts : l o c a l h o s t3 g a t h e r _ f a c t s : f a l s e4 vars_prompt:5 - name: "name"6 prompt: "What is your name?"7 # show input contents8 p r i v a t e : no9 t a s k s :

10 - name: Very secure user v a l i d a t i o n11 f a i l :12 msg: "You are not allowed to run this playbook, {{name}}!"13 when: "name != ’Oleg’"


WHAT’S NEW IN ANSIBLE 2.0

I Task BlocksI Playbook parsing and Error Reporting improvements

I Syntax error shows the exact place in a playbook and givessugestions

I No more escaping of escapings needed (\\\\)

I Dynamic IncludesI Execution Strategy Plugins

1Details: Ansible 2.0 Release Notes

https://www.ansible.com/blog/ansible-2.0-launch



I Task Blocks

I Playbook parsing and Error Reporting improvements



































I Dynamic Includes

I Execution Strategy Plugins












TASK BLOCKS - BASIC EXAMPLE

1 t a s k s :2 - block:3 - debug: msg=’i execute normally’4 - command: /bin/ f a l s e5 - debug: msg=’i never execute, cause ERROR!’6 rescue:7 - debug: msg=’I caught an error’8 - command: /bin/ f a l s e9 - debug: msg=’I also never execute :-(’

10 always:11 - debug: msg="this always executes"


TASK BLOCKS - BASIC EXAMPLE

1 t a s k s :2 - block:3 - debug: msg=’i execute normally’4 - command: /bin/ f a l s e5 - debug: msg=’i never execute, cause ERROR!’6 rescue:7 - debug: msg=’I caught an error’8 - command: /bin/ f a l s e9 - debug: msg=’I also never execute :-(’

10 always:11 - debug: msg="this always executes"


TASK BLOCKS - ADVANCED EXAMPLE1 ---2 − hosts : a l l3 s e r i a l : 14 vars:5 - debug: f a l s e6 - packages: [ g i t , l i g h t t p d ]7 t a s k s :8 - block:9 - name: i n s t a l l packages

10 package: name="{{item}}" s t a t e = i n s t a l l e d11 with_items:12 - "{{packages}}"13 r e g i s t e r : packages_s ta te14 - debug: msg="{{packages_state}}"15 when: "debug == true"16 - name: copy l i g h t t p d conf ig f i l e17 template:18 s r c : "lighttpd.conf.j2"19 dest : "/etc/lighttpd/conf-enabled/00-test.conf"20 - name: r e s t a r t l i g h t t p d21 s e r v i c e : name="lighttpd" s t a t e = r e s t a r t e d22 rescue:23 - name: remove l i g h t t p conf ig f i l e24 f i l e :25 dest : "/etc/lighttpd/conf-enabled/00-test.conf"26 s t a t e : absent27 - name: remove i n s t a l l e d packages28 package: name="{{item}}" s t a t e =absent purge= t rue29 with_items:30 - "{{packages}}"31 when: "packages_state[’changed’] == true"32 - f a i l :


DYNAMIC INCLUDES

I Before ansible 2.0 includes were preprocessed (once atstart-time)

I From ansible 2.0 on includes are dynamically evaluated inruntime

I The fact that your plabook from ansible < 2.0 is parsedcorrectly in ansible 2.0 doesn’t mean it will behave thesame way

I Examples:

I − inc lude: "{{ ansible_os_family }}.yml"

I − inc lude_vars : "{{ ansible_os_family }}.yml"

1Porting guide to ansible 2.0

https://docs.ansible.com/ansible/porting_guide_2.0.html


DYNAMIC INCLUDES




I Examples:






DYNAMIC INCLUDES




I Examples:






DYNAMIC INCLUDES




I Examples:






DYNAMIC INCLUDES




I Examples:






DYNAMIC INCLUDES




I Examples:






DYNAMIC INCLUDES




I Examples:






EXECUTION STRATEGIES

Sice ansible 2.0 execution strategies are plugins.


EXECUTION STRATEGIES

Sice ansible 2.0 execution strategies are plugins.


EXECUTION STRATEGIES 1/3strategy: linear

(default)

host1host2

task1=1sec

task1=5sec

task2=5sec

task2=9sec



(default)strategy: free

host1host2 host1host2

task1=1sec

task1=5sec

task2=5sec

task2=9sec

t1=5sec

t1=5sec

task1=1sec

task2=9sec

task1=5sec

task2=5sec



(default)strategy: free strategy: linear

serial: 1

host1host2 host1host2 host1host2

task1=1sec

task1=5sec

task2=5sec

task2=9sec

t1=5sec

t1=5sec

task1=1sec

task2=9sec

task1=5sec

task2=5sec

task1=5sec

task2=5sec

task1=1sec

task2=9sec


EXECUTION STRATEGIES - PLAYBOOK 1/3

1 # F i l e s t r u c t u r e :2

3 ./ deploy_fac t s . yml4 ./ f i l e s5 ./ f i l e s /host1 . f a c t6 ./ f i l e s /host2 . f a c t7 ./ run . yml

1 # f i l e s / h o s t 1 . f a c t2 [ genera l ]3 t 1 =14 t 2 =9




1 # F i l e s t r u c t u r e :2

3 ./ deploy_fac t s . yml4 ./ f i l e s5 ./ f i l e s /host1 . f a c t6 ./ f i l e s /host2 . f a c t7 ./ run . yml





1 # deploy_facts.yml2 ---3 − hosts : a l l4 t a s k s :5 - debug:6 msg: "{{ ansible_local[’times’][’general’] }}"7 i g n o r e _ e r r o r s : True8 - f i l e :9 path: ’/etc/ansible/facts.d’

10 s t a t e : d i r e c t o r y11 - copy:12 s r c : "files/{{ inventory_hostname }}.fact"13 dest : "/etc/ansible/facts.d/times.fact"



1 # run.yml2 ---3 − hosts : a l l4 s t r a t e g y : f r e e5 # strategy: linear6 # serial: 17 t a s k s :8 - debug:9 msg: "{{ ansible_local[’times’][’general’] }}"

10 - s h e l l :11 cmd: "sleep {{ ansible_local[’times’][’general’][’t1’] }}"12 - s h e l l :13 cmd: "sleep {{ ansible_local[’times’][’general’][’t2’] }}"


GENERIC PACKAGE MODULE

1 ---2 − package: name= g i t s t a t e =present

We all have been waiting for it!

1Details: Ansible - Package Module

https://docs.ansible.com/ansible/package_module.html



1 ---2 − package: name= g i t s t a t e =present

We all have been waiting for it!

1Details: Ansible - Package Module

https://docs.ansible.com/ansible/package_module.html



But wait a minute...Does this ease the pain of creating playbook for different

distros?

I apache package nameI CentOS/RHEL: httpdI Debian: apache2

I apache config directoryI CentOS/RHEL: /etc/httpd/conf.dI Debian: /etc/apache2/conf-enabled

How to solve?




distros?



How to solve?




distros?



How to solve?


GENERIC PACKAGE MODULEWorking with distro-dependent variables.

1 # remove_apache.yml2 ---3 − hosts : a l l4 t a s k s :5 - inc lude_vars : "includes/{{ ansible_os_family }}.yml"6

7 - debug:8 msg: "going to remove package {{apache}}"9

10 # This uses a variable as this changes per distribution.11 - name: "remove the apache package"12 package: name= { { apache } } s t a t e =absent

1 # includes/Debian.yml2 ---3 apache: "apache2"

1 # includes/RedHat.yml2 ---3 apache: "httpd"


GENERIC PACKAGE MODULEWorking with distro-dependent variables.

1 # remove_apache.yml2 ---3 − hosts : a l l4 t a s k s :5 - inc lude_vars : "includes/{{ ansible_os_family }}.yml"6

7 - debug:8 msg: "going to remove package {{apache}}"9

10 # This uses a variable as this changes per distribution.11 - name: "remove the apache package"12 package: name= { { apache } } s t a t e =absent

1 # includes/Debian.yml2 ---3 apache: "apache2"

1 # includes/RedHat.yml2 ---3 apache: "httpd"


IPTABLES MODULE

1 ---2 # Block specific IP3 − i p t a b l e s :4 ip_vers ion : ipv45 chain: INPUT6 source: 8 . 8 . 8 . 87 jump: DROP8 # this must be runned as root (sudo)9 become: t rue


IPTABLES MODULE

1 ---2 # Block specific IP3 − i p t a b l e s :4 ip_vers ion : ipv45 chain: INPUT6 source: 8 . 8 . 8 . 87 jump: DROP8 # this must be runned as root (sudo)9 become: t rue


ANSIBLE 2.2 (CURRENT DEVELOPMENT)

Currently in development.

I Added support for binary modules."Yeah!" to all Golang programmers.

I letsencryptI cisco ASAI lxd moduleI aws_vpc_∗I telegramI wakeonlanI ...

1Changelog

https://github.com/ansible/ansible/blob/devel/CHANGELOG.md



Currently in development.

I Added support for binary modules."Yeah!" to all Golang programmers.


1Changelog




Currently in development.I Added support for binary modules.

"Yeah!" to all Golang programmers.


1Changelog





"Yeah!" to all Golang programmers.I letsencrypt

I cisco ASAI lxd moduleI aws_vpc_∗I telegramI wakeonlanI ...

1Changelog





"Yeah!" to all Golang programmers.I letsencryptI cisco ASA

I lxd moduleI aws_vpc_∗I telegramI wakeonlanI ...

1Changelog





"Yeah!" to all Golang programmers.I letsencryptI cisco ASAI lxd module

I aws_vpc_∗I telegramI wakeonlanI ...

1Changelog





"Yeah!" to all Golang programmers.I letsencryptI cisco ASAI lxd moduleI aws_vpc_∗

I telegramI wakeonlanI ...

1Changelog





"Yeah!" to all Golang programmers.I letsencryptI cisco ASAI lxd moduleI aws_vpc_∗I telegram

I wakeonlanI ...

1Changelog





"Yeah!" to all Golang programmers.I letsencryptI cisco ASAI lxd moduleI aws_vpc_∗I telegramI wakeonlan

I ...

1Changelog





"Yeah!" to all Golang programmers.I letsencryptI cisco ASAI lxd moduleI aws_vpc_∗I telegramI wakeonlanI ...

1Changelog



AMAZON AWS

I Current status

I ansible 2.0 ∼ 70 AWS modulesI For everthing else use awscli (until module will be

implemented)

I For better experience

I Use ansible = 2.0 + Boto3 (long-term Boto will go away)I ansible 2.2 (current development) has more aws modules,

see changelog 1 for details

1Changelog2List of cloud modules


http://docs.ansible.com/ansible/list_of_cloud_modules.html


AMAZON AWS

I Current status

I ansible 2.0 ∼ 70 AWS modulesI For everthing else use awscli (until module will be

implemented)








AMAZON AWS

I Current statusI ansible 2.0 ∼ 70 AWS modules

I For everthing else use awscli (until module will beimplemented)








AMAZON AWS

I Current statusI ansible 2.0 ∼ 70 AWS modulesI For everthing else use awscli (until module will be

implemented)








AMAZON AWS


implemented)








AMAZON AWS


implemented)

I For better experienceI Use ansible = 2.0 + Boto3 (long-term Boto will go away)

I ansible 2.2 (current development) has more aws modules,see changelog 1 for details





AMAZON AWS


implemented)

I For better experienceI Use ansible = 2.0 + Boto3 (long-term Boto will go away)I ansible 2.2 (current development) has more aws modules,






EXAMPLE

1 ---2 − name: seamless deployment3 hosts : nodes_behind_elb4 s e r i a l : 15 pre_tasks :6 - name: get ec2 f a c t s7 e c 2 _ f a c t s :8 - name: d i a c t i v a t e node in e lb9 ec2_e lb : s t a t e =absent # arguments

10 d el eg a te _ t o : l o c a l h o s t11

12 t a s k s :13 - name: deploy new software14 g i t : # arguments15

16 pos t_ tasks :17 - name: a c t i v a t e node in e lb18 ec2_e lb : s t a t e =present # arguments19 d el eg a te _ t o : l o c a l h o s t


UPCOMING TOPICS


COMPLIANCE

ansible-lockdown 1

I goal - implement STIG baselineI IMHO good ideaI current status: v0.1

1ansible-lockdown

https://github.com/ansible/ansible-lockdown


COMPLIANCE

ansible-lockdown 1


1ansible-lockdown



COMPLIANCE

ansible-lockdown 1

I goal - implement STIG baseline

I IMHO good ideaI current status: v0.1

1ansible-lockdown



COMPLIANCE

ansible-lockdown 1

I goal - implement STIG baselineI IMHO good idea

I current status: v0.1

1ansible-lockdown



COMPLIANCE

ansible-lockdown 1


1ansible-lockdown



NETWORK ORCHESTRATION

Support in ansible 2.0 1:I Arista EOS (cli, eapi)I Cisco NXOS (cli, nsapi)I Cisco IOS (cli)I Cisco IOSXR (cli, netconf)I Cumulus Linux (ssh)I Juniper JUNOS (cli, netconf)I OpenSwitch (ssh, cli, rest)

1Ansible - List of Network Modules

http://docs.ansible.com/ansible/list_of_network_modules.html


NETWORK ORCHESTRATION

Support in ansible 2.0 1:I Arista EOS (cli, eapi)I Cisco NXOS (cli, nsapi)I Cisco IOS (cli)I Cisco IOSXR (cli, netconf)I Cumulus Linux (ssh)I Juniper JUNOS (cli, netconf)I OpenSwitch (ssh, cli, rest)

1Ansible - List of Network Modules

http://docs.ansible.com/ansible/list_of_network_modules.html


EXAMPLE

1 ---2 − hosts : i o s 13 t a s k s :4 - ios_command:5 commands: show running−conf ig a l l6 provider: "{{cli}}"7 r e g i s t e r : deviceconf ig8

9 - i o s _ c o n f i g10 l i n e s :11 - d e s c r i p t i o n configured by a n s i b l e12 - ip address 1 0 . 0 . 0 . 1 2 5 5 . 2 5 5 . 2 5 5 . 013 - no shutdown14 parents : i n t e r f a c e Gigabi tEthernet0 /115 conf ig : "{{ deviceconfig.stdout[0] }}"16 provider: "{{cli}}"

1Ansible Webcast - Automating your network

https://www.ansible.com/webinars-training/automating-your-network


ANSIBLE-CONTAINER

I For all you Docker hipsters out there.I Aim is to use ansible playbooks for physical hosts, VMs as

well as containers.I Workflow: build, flatten the image, (run), push to

container registry.I Current status:

I Only Docker support now

I Support for other container providers will come (Rocket?)

I Until now no network function support for docker

1ansible-container readme

https://github.com/ansible/ansible-container/blob/develop/README.md


ANSIBLE-CONTAINER

I For all you Docker hipsters out there.

I Aim is to use ansible playbooks for physical hosts, VMs aswell as containers.

I Workflow: build, flatten the image, (run), push tocontainer registry.

I Current status:







ANSIBLE-CONTAINER


well as containers.

I Workflow: build, flatten the image, (run), push tocontainer registry.

I Current status:







ANSIBLE-CONTAINER



container registry.

I Current status:







ANSIBLE-CONTAINER










ANSIBLE-CONTAINER





I Support for other container providers will come (Rocket?)I Until now no network function support for docker




ANSIBLE-CONTAINER




I Only Docker support nowI Support for other container providers will come (Rocket?)





ANSIBLE-CONTAINER




I Only Docker support nowI Support for other container providers will come (Rocket?)





SUMMARY

I Ansible is expanding it’s work area and developingrapidly

I Play the slides after the talk and try things out

I Use the links in slides to dive deeper

I Most of standard recurring tasks can be automated usingansible

I Playbooks from the slides are available on Github 1

I ansible-doc is pretty handy for writing playbooks offline

1Playbooks from this talk

https://github.com/oleg-fiksel/ansible-advanced-demo


SUMMARY










SUMMARY










SUMMARY










SUMMARY










SUMMARY










SUMMARY










Q & A


Thanks!

Oleg [email protected] | [email protected]



Ansible Advanced - FrOSCon · ABOUT INTRODUCTION PLAYBOOKS IN DEEP WHAT’S NEW Amazon AWS Upcoming topics END Ansible Advanced Oleg Fiksel Security Consultant @ …

Documents