CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / prime-sign.com
Deploying your application with Ansible Or: Stop worrying about your server deployments
23.03.2018 © CRYPTAS it-Security GmbH / Franzosengraben 8 / 1030 Wien / Austria / T +43 (1) 35553 - 0 / F +43 (1) 35553 - 990 / E [email protected] CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / prime-sign.com
Who am I? [email protected]
Operations engineer for CRYPTAS it-Security GmbH / PrimeSign GmbH / B.A.P. GmbH
Django core developer (security & operations) apollo13 on IRC & Github
Disclaimer!
This is not a sales talk
Opinions are just that
Ansible, say what? "fictional instantaneous hyperspace communication system"* FTL, you say?
* as featured in Orson Scott Card's Ender's Game (1985)
Ansible, for real now!
Automation software
(cloud) provisioning
Configuration management
Application deployment
History
First release 2012
AWX / Tower in 2013
Red Hat acquired Ansible Inc. in 2015
AWX becomes OSS
Version 2.5.1 in April
The ingredients
SSH for *NIX / WinRM for Windows
No agent / master nodes
CLI / Written in Python, Python 3.5+ compatible
YAML + Jinja
The basics / Ad-Hoc commands
All centos machines (except db) are alive?
$ ansible 'centos:!db' -m ping -a 'data=hello'
Host selector: 'centos:!db' / Module: ping / Argument(s): data=hello
The basics / Ad-Hoc commands
OpenSSL issues?
$ ansible '*' -o -m package -a 'name=openssl state=latest'
db1 | SUCCESS => {"changed": false,"msg": "","rc": 0,"results": ["All packages providing openssl are up to date",""]}
web3 | CHANGED => {"changed": true,"msg": "…."}
From Ad-Hoc to something usable
Inventory files (scripts)
Playbooks
host_vars / group_vars
Inventory files / .ini, .yml
[webserver]
web1 ansible_user=root some_var=42
web2
...

[database]
db1 ansible_host=db1.fqdn.net
Inventory scripts / Source of truth
abiquo.py apache-libcloud.py apstra_aos.py azure_rm.py brook.py cloudforms.py cloudstack.py
cobbler.py collins.py consul_io.py digital_ocean.py docker.py ec2.py fleet.py foreman.py
freeipa.py gce.py infoblox.py jail.py landscape.py libvirt_lxc.py linode.py lxc_inventory.py
lxd.py mdt_dynamic_inventory.py nagios_livestatus.py nagios_ndo.py nova.py nsot.py openshift.py
openstack.py openvz.py ovirt.py ovirt4.py packet_net.py proxmox.py rackhd.py rax.py rhv.py
rudder.py scaleway.py serf.py softlayer.py spacewalk.py ssh_config.py stacki.py vagrant.py
vbox.py vmware.py vmware_inventory.py zabbix.py zone.py
Playbooks
Written in YAML / Jinja
Collection of Ad-Hoc commands
Control structures (loops, when, notify)
Describe processes instead of single actions
Support roles to organize and share code
Playbooks cont.
- name: Create users
  user:
    name: "{{ item }}"
    groups: [wheel]
  loop: "{{ system_admins }}"
Example Run
export ANSIBLE_NOCOWS=1
or via ansible.cfg: nocows=1
There are many cows (?!)
Example Run / sane version
Variables
{{ jinja_expression }}
From fact gathering on the system
Directly from the inventory/playbook
Separate group_vars/host_vars folders
ini/yaml/json (pick your poison)
Demo time
What could possibly go wrong?
Control structures
register
when
loop
notify
Register/When
- shell: cat /etc/motd
  register: motd_contents

- debug:
    msg: "{{ motd_contents.stdout }}"
  when: "'apo' in motd_contents.stdout"
Loop
- name: Create users
  user:
    name: "{{ item }}"
    groups: [wheel]
  loop:
    - apollo13
    - devil
Notify
- name: upload apache configuration
  template:
    src: http.conf.j2
    dest: /etc/httpd/httpd.conf
  notify:
    - restart memcached
    - restart apache
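The four control structures from the preceding slides combined into one complete play, as an added example that is not from the slides. It assumes an inventory group `webserver`, an `httpd.conf.j2` template next to the playbook, and the `system_admins` list defined inline; it also fills in what the Notify slide leaves implicit, the handlers section that `notify` refers to.

```yaml
# playbook.yml (added example; not from the slides)
- name: Control structures in one play
  hosts: webserver
  become: true
  vars:
    system_admins:          # assumed list; the slides refer to it as "{{ system_admins }}"
      - apollo13
      - devil
  tasks:
    - name: Read the message of the day
      command: cat /etc/motd     # command, not shell: no shell features are needed
      register: motd_contents
      changed_when: false        # reading a file never changes the host

    - name: Show the motd only when it mentions 'apo'
      debug:
        msg: "{{ motd_contents.stdout }}"
      when: "'apo' in motd_contents.stdout"

    - name: Create admin users
      user:
        name: "{{ item }}"
        groups: [wheel]
        append: yes              # keep the user's existing supplementary groups
      loop: "{{ system_admins }}"

    - name: Upload apache configuration
      template:
        src: httpd.conf.j2
        dest: /etc/httpd/httpd.conf
        validate: /usr/sbin/httpd -t -f %s   # refuse to install a config httpd cannot parse
      notify:
        - restart apache

  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted
```

Handlers run once at the end of the play, no matter how many tasks notified them, and only when a notifying task reported `changed`; `changed_when: false` on the read-only command keeps the play idempotent, so a rerun reports no changes and restarts nothing.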
Demo time
Assuming the first one went well!
Ansible modules / What can we do?
Create VMs/containers
Copy/assemble files & templates
Configure databases/users
Manage git/hg/... repos
Start & stop services
Install packages
and much more...
Packages and Services
- yum:
    name: "{{ item }}"
    state: present
  loop: "{{ packages }}"

- service:
    name: httpd
    enabled: yes
    state: started
Configuration files
- name: disable root login
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: ^PermitRootLogin
    line: PermitRootLogin no
    validate: /usr/bin/sshd -tf %s
(Templated) Configuration files
- name: upload env file
  template:
    dest: /etc/myapp/settings.py
    src: django_settings.py.j2
django_settings.py.j2
SECRET_KEY = "{{ secret_key }}"
DEBUG = {{ env != 'prod' }}  {# renders False for prod and True elsewhere; DEBUG must never be on in production #}

{% for k, v in extra_vars.items() %}
{{ k }} = {{ v }}
{% endfor %}
SCM & Django
- git:
    repo: 'https://github.com/apollo13...'
    dest: /srv/checkout
    version: "{{ env.version }}"

- django_manage:
    command: migrate
    app_path: /srv/checkout
    virtualenv: /srv/venv
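A deployment play that strings the configuration-file, SCM and Django slides together, as an added example that is not from the slides. The repository URL, the `myapp` service group, the `gunicorn` service name and the `env.version` inventory variable are assumptions. It adds what a hardened version of these tasks needs: `validate` on the sshd change, a pinned `version` for the checkout, restrictive ownership and mode on the rendered settings file (it carries `SECRET_KEY`), and `no_log` on the task that handles the secret.

```yaml
# deploy.yml (added example; not from the slides)
- name: Deploy the Django application
  hosts: webserver
  become: true
  tasks:
    - name: Disable root login over SSH
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -tf %s   # sshd rejects a broken config before it is installed (CentOS/RHEL path)
      notify: restart sshd

    - name: Check out the pinned application version
      git:
        repo: https://github.com/example/myapp.git   # placeholder repository URL
        dest: /srv/checkout
        version: "{{ env.version }}"                  # a tag or commit from the inventory, not a moving branch
      notify: restart gunicorn

    - name: Render settings.py (contains SECRET_KEY)
      template:
        src: django_settings.py.j2
        dest: /etc/myapp/settings.py
        owner: root
        group: myapp            # assumed service group of the application
        mode: '0640'            # readable by the application, not by other users
      no_log: true              # keeps the rendered secret out of logs and --diff output
      notify: restart gunicorn

    - name: Run database migrations
      django_manage:
        command: migrate
        app_path: /srv/checkout
        virtualenv: /srv/venv

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted

    - name: restart gunicorn
      service:
        name: gunicorn          # assumed name of the application service
        state: restarted
```

One caveat on the sshd task: when `regexp` matches nothing, `lineinfile` appends the line at the end of the file, which on a host with a trailing `Match` block lands inside that block; `validate` only checks syntax, so the line would be accepted but apply to the wrong scope. Check the rendered file once on such hosts, or set `insertbefore` to the first `Match` line.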
Notifications
- name: notify about deployment
  mattermost:
    url: http://my_mattermost.com
    api_key: "{{ mattermost_api_key }}"
    text: deployed {{ version }} to server
    channel: bot_fight
Project structure
inventory
group_vars/
    all.yml
    databases.yml
playbook.yml
...
roles/
    apache/
        tasks/main.yml
        files/*
        templates/*
    postgresql/
        tasks/main.yml
        files/*
        templates/*
Secret management
Ansible vaults
AES256 encrypted
Full files or single variables
ansible-vault helper CLI
Vault IDs to use multiple passwords
Ansible vaults cont.
$ ansible-vault create \
    --vault-id=dev@prompt some_file.yml
New vault password (dev):
Confirm new vault password (dev):
Crypto mess
$ cat some_file.yml
$ANSIBLE_VAULT;1.2;AES256;dev
63646465336439323762613861323...
38306232323033633639626234316...
36643233353437386566643633616...
3065316439346432650a383732386...
66663164373966636161313535663
Ansible vaults cont.
Transparent decryption as needed
Pluggable password loader (keychains?)
Different passwords for different groups (dev/admins)
No longer searchable :/
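The single-variable vault from the previous slides put to use, as an added example that is not from the slides: two files are shown in one block, separated by `---`. The ciphertext under `!vault` is a placeholder, not real output; a real value comes from `ansible-vault encrypt_string --vault-id dev@prompt --name mattermost_api_key '<the key>'`. The Mattermost URL and the `webserver` group are assumptions; the task reuses the `mattermost` module from the Notifications slide.

```yaml
# group_vars/all.yml (added example; not from the slides)
# The ciphertext lines below are a PLACEHOLDER and will not decrypt.
env: prod
mattermost_api_key: !vault |
  $ANSIBLE_VAULT;1.2;AES256;dev
  PLACEHOLDER_CIPHERTEXT_LINE_1
  PLACEHOLDER_CIPHERTEXT_LINE_2
---
# playbook.yml (added example; not from the slides)
# Run with one --vault-id per password in use, e.g.:
#   ansible-playbook --vault-id dev@prompt --vault-id admins@~/.vault_pass_admins playbook.yml
- name: Notify about a deployment with a vaulted API key
  hosts: webserver
  gather_facts: false
  tasks:
    - name: Refuse to continue without a decrypted, non-empty key
      assert:
        that:
          - mattermost_api_key is defined
          - mattermost_api_key | length > 0
        fail_msg: "mattermost_api_key is missing; was the dev vault password supplied?"
      no_log: true              # the assertion text must not echo the value on failure

    - name: Post the deployment message
      mattermost:
        url: https://my_mattermost.example   # hypothetical; HTTPS so the key is not sent in clear
        api_key: "{{ mattermost_api_key }}"
        text: "deployed {{ version | default('unknown') }} to {{ inventory_hostname }}"
        channel: bot_fight
      no_log: true              # module arguments, including api_key, stay out of the log
      delegate_to: localhost    # send the message from the control node
      run_once: true            # one message per play, not one per host
```

Encrypting the value rather than the whole file is what keeps the "no longer searchable" complaint small: `grep mattermost_api_key group_vars/` still finds the key name, only the value is opaque. The `dev` label in the header tells Ansible which of the supplied `--vault-id` passwords to try first, which is how dev and admin secrets can live in the same repository under different passwords.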
Demo time
Our first small project
Ansible plugins
Callbacks
Connections
Strategies
Filters & Tests
and more exotic plugin types
Ansible Tower
Management UI
Audit logging
Workflows
Django / Channels :D
Ansible Galaxy
Share and reuse roles from others
Questions? & Thank you!