Ansible Basics - Oleg Fiksel, Security Consultant @ CSPI GmbH

SLIDE 1

ABOUT INTRODUCTION ANSIBLE END

Ansible Basics

Oleg Fiksel Security Consultant @ CSPI GmbH

oleg.fiksel@cspi.com | oleg@fiksel.info

FrOSCon 2015

SLIDE 2

AGENDA

◮ ABOUT
◮ INTRODUCTION
    ◮ Goals of this talk
    ◮ Configuration management
◮ ANSIBLE
    ◮ Key Points
    ◮ Ad hoc Approach
    ◮ Playbook
    ◮ Run Playbook
    ◮ Idempotence
    ◮ Facts
    ◮ Handlers
    ◮ Best practices
    ◮ Summary
◮ END
    ◮ Q & A
    ◮ Links

SLIDE 3

ABOUT ME

◮ Security Consultant at CSPI (former MODCOMP)
◮ Main topics
    ◮ Automation
    ◮ Virtualisation
    ◮ Application Switching (load balancing)
    ◮ Perl Coding

SLIDE 4

ABOUT MODCOMP

◮ Founded in 1976 as MODCOMP Inc. Since 1985 in Germany.
◮ Main scope: production of minicomputers for real-time environments. Example: NASA Space Shuttle Program.
◮ Development of real-time operating system Real/IX.
◮ 1990 - 1992 Cray and Bull equip their HPCs with Real/IX.
◮ 1995 New scope: Security Consulting.
◮ 1996 purchased by CSPI.
◮ Since 2015 re-branded as CSPI Germany.

SLIDE 5

ABOUT CSPI

◮ 3 locations world wide: US, DE, UK.
◮ CSPI Germany (Köln) ~90 employees.
◮ 9 solution centers covering every aspect of IT-Security.
◮ An opportunity to work on big infrastructures with cutting edge technology.

SLIDE 10

GOALS OF THIS TALK

◮ This is not a comparison of configuration management systems.
◮ Basic theoretical understanding of configuration management.
◮ Introduction to ansible.
◮ Practical examples using ansible.

SLIDE 11

WHAT IS A GOAL OF CONFIGURATION MANAGEMENT?

Provide easy, repeatable and scalable provisioning and configuration management.

SLIDE 18

WHAT DOES THIS MEAN?

◮ easy
    ◮ configuration is consolidated and versioned
◮ repeatable
    ◮ provisioning produces the same result every time
◮ scalable
    ◮ provisioning can be done to any number of machines

SLIDE 25

ANSIBLE KEY POINTS

◮ Fresh (started February 2012)
◮ Simple
    ◮ YAML Syntax
    ◮ straightforward running scenario
◮ Agentless
    ◮ dependencies for node: SSH + (Python >= 2.5 | Python < 2.5 + python-simplejson)

SLIDE 27

USING ANSIBLE AS PSSH

Ansible can be used as pssh.

    ansible -i 10.0.0.1,10.0.0.2, all -m command -a '/bin/date'

Run /bin/date on machines 10.0.0.1 and 10.0.0.2.

SLIDE 28

PLAYBOOK

Playbooks are YAML.

    ---
    # http://www.withoutthesarcasm.com/ubuntu-motd-landscape/
    - hosts: all
      remote_user: root
      tasks:
        - name: remove landscape-client
          apt: name=landscape-client state=absent purge=yes
        - name: remove landscape-common
          apt: name=landscape-common state=absent purge=yes

SLIDE 29

RUN PLAYBOOK

How to run a Playbook?

    ansible-playbook -i inventory_file playbook.yml
    ansible-playbook -i hostname1,hostname2,192.168.0.10, playbook.yml

SLIDE 32

IDEMPOTENCE

"Idempotence is the property of certain operations in mathematics and computer science, that can be applied multiple times without changing the result." [1]

Simple: The goal of an ansible playbook is to define the desired state, not to script your way to this state.

[1] Wikipedia quote

SLIDE 33

EXAMPLE 1

    # shell module: appends on every run, so repeated runs duplicate the entry
    ansible -i test-node, all -m shell \
        -a 'echo "192.168.0.1 test-node" >> /etc/hosts'

SLIDE 34

EXAMPLE 2

    # lineinfile module: adds the line only if it is missing
    ansible -i test-node, all -m lineinfile \
        -a 'dest=/etc/hosts line="192.168.0.1 test-node"'

SLIDE 35

EXAMPLE 3

    ---
    - hosts: all
      tasks:
        - name: clean up /etc/hosts
          lineinfile: dest=/etc/hosts regexp=192\.168\.0 state=absent
        - name: add new /etc/hosts entry
          lineinfile: dest=/etc/hosts line="192.168.0.1 test-node"
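
What Examples 1 to 3 leave behind after being run twice, emulated in plain shell on a scratch copy of a hosts file. This is an added example, not part of the original slides; the function names and the sample hosts entries are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: the three slide examples emulated on a scratch file.
# Function names and sample hosts entries are constructed, not from the talk.

ENTRY='192.168.0.1 test-node'

# Example 1 (shell module, >>): appends blindly on every run.
append_line() {
    printf '%s\n' "$ENTRY" >> "$1"
}

# Example 2 (lineinfile line=...): add the line only if it is missing.
ensure_line() {
    grep -qxF -- "$ENTRY" "$1" || printf '%s\n' "$ENTRY" >> "$1"
}

# Example 3 (lineinfile regexp=... state=absent, then line=...):
# drop every line matching the pattern, then make sure the entry exists.
replace_lines() {
    tmp=$(mktemp)
    grep -v -- '192\.168\.0' "$1" > "$tmp" || true
    cat "$tmp" > "$1"
    rm -f "$tmp"
    ensure_line "$1"
}

# Apply one strategy twice to a fresh scratch file and print two counts:
# lines mentioning test-node, and lines mentioning the unrelated db-node.
count_after_two_runs() {
    f=$(mktemp)
    # constructed sample: a stale test-node entry plus an unrelated host
    printf '%s\n' '127.0.0.1 localhost' '192.168.0.7 test-node' \
        '192.168.0.20 db-node' > "$f"
    "$1" "$f"
    "$1" "$f"
    n=$(grep -c 'test-node' "$f" || true)
    m=$(grep -c 'db-node' "$f" || true)
    rm -f "$f"
    printf '%s %s\n' "$n" "$m"
}

for strategy in append_line ensure_line replace_lines; do
    printf '%-14s test-node/db-node lines: %s\n' \
        "$strategy" "$(count_after_two_runs "$strategy")"
done
```

The second count shows that the unanchored regexp of Example 3 also removes the unrelated 192.168.0.20 entry. In Ansible, both tasks of Example 3 report `changed` on every run even though the file converges to the same content.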

SLIDE 37

FACTS

Facts are fetched from a host and exported as variables, which can be used in playbooks.

See all facts for a host:

    ansible hostname -m setup
    ansible -i hostname, all -m setup

SLIDE 38

EXAMPLE

    ---
    - hosts: all
      tasks:
        - name: "shutdown CentOS 6 and 7 systems"
          command: /sbin/shutdown -t now
          when: ansible_distribution == "CentOS" and
                (ansible_distribution_major_version == "6"
                 or
                 ansible_distribution_major_version == "7")

SLIDE 39

TURN OFF GATHERING FACTS IN A PLAYBOOK

    ---
    - hosts: all
      gather_facts: no
      tasks:
        - name: clean up /etc/hosts
          lineinfile: dest=/etc/hosts regexp=192\.168\.0 state=absent
        - name: add new /etc/hosts entry
          lineinfile: dest=/etc/hosts line="192.168.0.1 test-node"

SLIDE 40

HANDLERS

Handlers only run after all of the tasks are run, and they only run once, even if they are notified multiple times. They always run in the order that they appear in the playbook, not the notification order.

SLIDE 41

EXAMPLE

    ---
    - hosts: webservers
      handlers:
        - name: restart apache
          service: name=httpd state=restarted
      tasks:
        - name: ensure apache is at the latest version
          yum: name=httpd state=latest
        - name: write the apache config file
          template: src=/srv/httpd.j2 dest=/etc/httpd.conf
          notify:
            - restart apache
        - name: ensure apache is running (and enable it at boot)
          service: name=httpd state=started enabled=yes

SLIDE 42

BEST PRACTICES

    stage                     # inventory file for stage environment
    production                # inventory file for production environment

    group_vars/
        group1                # assign variables to particular server groups
    host_vars/
        hostname1             # systems specific variables

    site.yml                  # master playbook
    webservers.yml            # playbook for webserver tier

    roles/
        common/               # this hierarchy represents a "role"
            tasks/            #
                main.yml      # <-- tasks file can include smaller files if warranted
            handlers/         #
                main.yml      # <-- handlers file
            templates/        # <-- files for use with the template resource
                ntp.conf.j2   # <------- templates end in .j2
            files/            #
                foo.sh        # <-- script files for use with the script resource
            vars/             #
                main.yml      # <-- variables associated with this role
            defaults/         #
                main.yml      # <-- default lower priority variables for this role
            meta/             #
                main.yml      # <-- role dependencies

        monitoring/           # same kind of structure as "common" role

SLIDE 43

SUMMARY

◮ Try ansible (ad hoc approach)
◮ Read ansible documentation
◮ Read other Playbooks
◮ Think about Playbook idempotence
◮ Split big Playbooks into Roles

SLIDE 44

Q & A

SLIDE 45

Thanks!

Oleg Fiksel

oleg.fiksel@cspi.com | oleg@fiksel.info

SLIDE 46

LINKS

◮ MODCOMP/CSPI
    ◮ MODCOMP History
    ◮ MODCOMP on Wikipedia
◮ Ansible
    ◮ Ansible docs
    ◮ Ansible - managed node requirements
    ◮ Ansible: Up and Running (ISBN: 9781491915325)