Deploying Your Application with Ansible Or: Stop Worrying About Your Server Deployments

CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / prime-sign.com

Deploying your application with Ansible Or: Stop worrying about your server deployments

23.03.2018 © CRYPTAS it-Security GmbH / Franzosengraben 8 / 1030 Wien / Austria / T +43 (1) 35553 - 0 / F +43 (1) 35553 - 990 / E [email protected] CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / prime-sign.com

Who am I? [email protected]

Operations engineer for CRYPTAS it-Security GmbH / PrimeSign GmbH B.A.P. GmbH

Django core developer (security & operations) apollo13 on IRC & Github

© CRYPTAS it-Security GmbH / Franzosengraben 8 / 1030 Wien / Austria / T +43 (1) 35553 - 0 / F +43 (1) 35553 - 990 / E [email protected] CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / prime-sign.com

Disclaimer!

This is not a sales talk Opinions are just that

Ansible, say what? „fictional instantaneous hyperspace communication system“* FTL you say?

* as featured in Orson Scott Card's Ender's Game (1985)

Ansible, for real now!

Automation software (cloud) provisioning Configuration management Application deployment

History

First release 2012 AWX / Tower in 2013 Red Hat acquired Ansible Inc. In 2015 AWX becomes OSS Version 2.5.1 in April

The ingredients

SSH for *NIX / WinRM Windows No agent / master nodes CLI / Written in Python Python 3.5+ compatible YAML + Jinja

The basics / Ad-Hoc commands

All centos machines (except db) are alive?

$ ansible 'centos:!db' -m ping -a 'data=hello'

Host Selektor Module Argument(s)

The basics / Ad-Hoc commands

OpenSSL issues?

$ ansible '*' -o -m package -a 'name=openssl state=latest'

db1 | SUCCESS => {"changed": false,"msg": "","rc": 0,"results": ["All packages providing openssl are up to date",""]}

web3 | CHANGED => {"changed": true,"msg": "…."}

From Ad-Hoc to something usable

Inventory files (scripts) Playbooks host_vars / group_vars

Inventory files / .ini, .yml

[webserver] web1 ansible_user=root some_var=42 web2... [database] db1 ansible_host=db1.fqdn.net

Inventory scripts / Source of truth

abiquo.py consul_io.py jail.py nova.py rackhd.py stacki.py apache-libcloud.py digital_ocean.py landscape.py nsot.py rax.py vagrant.py apstra_aos.py docker.py libvirt_lxc.py openshift.py rhv.py vbox.py azure_rm.py ec2.py linode.py openstack.py rudder.py vmware_inventory.py brook.py fleet.py lxc_inventory.py openvz.py scaleway.py vmware.py cloudforms.py foreman.py lxd.py ovirt4.py serf.py zabbix.py cloudstack.py freeipa.py mdt_dynamic_inventory.py ovirt.py softlayer.py zone.py cobbler.py gce.py nagios_livestatus.py packet_net.py spacewalk.py collins.py infoblox.py nagios_ndo.py proxmox.py ssh_config.py

Playbooks

Written in YAML / Jinja Collection of Ad-Hoc commands Control structures (loops, when, notify) Describe processes instead of single actions Support roles to organize and share code

Playbooks cont.

- name: Create users user: name: "{{ item }}" groups: [wheel] loop: "{{ system_admins }}"

Example Run

export ANSIBLE_NOCOWS=1 or via ansible.cfg nocows=1

There are many cows (?!)

Example Run / sane version

Variables

{{ jinja_expression }} From fact gathering on the system Directly from the inventory/playbook separate group_vars/host_vars folders ini/yaml/json (pick your poison)

Demo time

What could possibly go wrong?

Control structures

- shell: cat /etc/motd register: motd_contents

- debug: msg: "{{ motd_contents.stdout }} when: "'apo' in motd_contents.stdout"

Loop

- name: Create users user: name: "{{ item }}" groups: [wheel] loop: - apollo13 - devil

Notify

- name: upload apache configuration template: src: http.conf.j2 dest: /etc/httpd/httpd.conf notify: - restart memcached - restart apache

Demo time

Assuming the first one went well!

Ansible modules / What can we do?

Create Vms/containers Copy/assemble files & templates Configure databases/user Manage git/hg/... repos Start & stop services Install packages and much more...

Packages and Services

- yum: name: "{{ item }}" state: present loop: "{{ packages }}"

- service: name: httpd enabled: yes state: started

Configuration files

- name: disable root login lineinfile: dest: /etc/ssh/sshd_config regexp: ^PermitRootLogin line: PermitRootLogin no validate: /usr/bin/sshd -tf %s

(Templated) Configuration files

- name: upload env file template: dest: /etc/myapp/settings.py src: django_settings.py.j2

SECRET_KEY = "{{ secret_key }}" DEBUG = {{ env == 'prod' }}

{% for k, v in extra_vars.items() %} {{ k }} = {{ v }} {% endfor %}

SCM & Django

- git: repo: 'https://github.com/apollo13...' dest: /srv/checkout version: "{{ env.version }}" - django_manage: command: migrate app_path: /srv/checkout virtualenv: /srv/venv

Notifications

- name: notify about deployment mattermost: url: http://my_mattermost.com api_key: "{{ mattermost_api_key }}" text: deployed {{ version }} to server channel: bot_fight

Project structure

inventory group_vars/ all.yml databases.yml playbook.yml ... roles/ apache/ tasks/main.yml files/* templates/* postgresql/ tasks/main.yml files/* templates/*

Secret management

Ansible vaults

AES256 encrypted Full files or single variables ansible-vault helper cli Vault Ids to use multiple passwords

Ansible vaults cont.

$ ansible-vault create \ --vault-id=dev@prompt some_file.yml

New vault password (dev): Confirm vew vault password (dev):

Crypto mess

$ cat some_file.yml $ANSIBLE_VAULT;1.2;AES256;dev 63646465336439323762613861323... 38306232323033633639626234316... 36643233353437386566643633616... 3065316439346432650a383732386... 66663164373966636161313535663

Ansible vaults cont.

Transparent decryption as needed Pluggable password loader (keychains?) Different passwords for different groups dev/admins No longer searchable :/

Demo time

Our first small project

Ansible plugins

Callbacks Connections Strategies Filters & Tests and more exotic plugin types

Ansible Tower

Management UI Audit Logging Workflows Django / Channels :D

Ansible Galaxy

Share and reuse roles from other

Questions? & Thank you!