book

Ansible: Up and Running, 3rd Edition

by Bas Meijer, Lorin Hochstein, René Moser

July 2022

Intermediate to advanced

470 pages

10h 22m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsFrom LorinFrom RenéFrom Bas
A Note About VersionsAnsible: What Is It Good For?How Ansible WorksWhat’s So Great About Ansible?SimplePowerfulSecureIs Ansible Too Simple?What Do I Need to Know?What Isn’t CoveredMoving Forward
Installing AnsibleLoose DependenciesRunning Ansible in ContainersAnsible DevelopmentSetting Up a Server for TestingUsing Vagrant to Set Up a Test ServerTelling Ansible About Your ServersSimplifying with the ansible.cfg FileKill Your DarlingsConvenient Vagrant Configuration OptionsPort Forwarding and Private IP AddressesEnabling Agent ForwardingThe Docker ProvisionerThe Ansible Local ProvisionerWhen the Provisioner RunsVagrant Plug-insHostmanagerVBGuestVirtualBox CustomizationVagrantfile Is RubyProduction SetupConclusion
PreliminariesA Very Simple PlaybookSpecifying an NGINX Config FileCreating a Web PageCreating a GroupRunning the PlaybookPlaybooks Are YAMLStart of DocumentEnd of FileCommentsIndentation and WhitespaceStringsBooleansListsDictionariesMultiline StringsPure YAML Instead of String ArgumentsAnatomy of a PlaybookPlaysTasksModulesViewing Ansible Module DocumentationPutting It All TogetherDid Anything Change? Tracking Host StateGetting Fancier: TLS SupportGenerating a TLS CertificateVariablesQuoting in Ansible StringsGenerating the NGINX Configuration TemplateLoopHandlersA Few Things to Keep in Mind About HandlersTestingValidationThe PlaybookRunning the PlaybookConclusion
Inventory/Hosts FilesPreliminaries: Multiple Vagrant MachinesBehavioral Inventory ParametersChanging Behavioral Parameter DefaultsGroups and Groups and GroupsExample: Deploying a Django AppAliases and PortsGroups of GroupsNumbered Hosts (Pets Versus Cattle)Hosts and Group Variables: Inside the InventoryHost and Group Variables: In Their Own FilesDynamic InventoryInventory Plug-insAmazon EC2Azure Resource ManagerThe Interface for a Dynamic Inventory ScriptWriting a Dynamic Inventory ScriptBreaking the Inventory into Multiple FilesAdding Entries at Runtime with add_host and group_byadd_hostgroup_byConclusion
Defining Variables in PlaybooksDefining Variables in Separate FilesDirectory LayoutViewing the Values of VariablesVariable InterpolationRegistering VariablesFactsViewing All Facts Associated with a ServerViewing a Subset of FactsAny Module Can Return Facts or InfoLocal FactsUsing set_fact to Define a New VariableBuilt-In Variableshostvarsinventory_hostnamegroupsExtra Variables on the Command LinePrecedenceConclusion
Why Is Deploying to Production Complicated?Postgres: The DatabaseGunicorn: The Application ServerNGINX: The Web ServerSupervisor: The Process ManagerConclusion
Listing Tasks in a PlaybookOrganization of Deployed FilesVariables and Secret VariablesInstalling Multiple PackagesAdding the Become Clause to a TaskUpdating the apt CacheChecking Out the Project Using GitInstalling Mezzanine and Other Packages into a Virtual EnvironmentComplex Arguments in Tasks: A Brief DigressionConfiguring the DatabaseGenerating the local_settings.py File from a TemplateRunning django-manage CommandsRunning Custom Python Scripts in the Context of the ApplicationSetting Service Configuration FilesEnabling the NGINX ConfigurationInstalling TLS CertificatesInstalling Twitter Cron JobThe Full PlaybookRunning the Playbook Against a Vagrant MachineTroubleshootingCannot Check Out Git RepositoryCannot Reach 192.168.33.10.nip.ioBad Request (400)Conclusion
Humane Error MessagesDebugging SSH IssuesCommon SSH ChallengesPasswordAuthentication noSSH as a Different UserHost Key Verification FailedPrivate NetworksThe debug ModulePlaybook DebuggerThe assert ModuleChecking Your Playbook Before ExecutionSyntax CheckList HostsList TasksCheck ModeDiff (Show File Changes)TagsLimitsConclusion
Basic Structure of a RoleExample: Deploying Mezzanine with RolesUsing Roles in Your PlaybooksPre-Tasks and Post-TasksA database Role for Deploying the DatabaseA mezzanine Role for Deploying MezzanineCreating Role Files and Directories with ansible-galaxyDependent RolesAnsible GalaxyWeb InterfaceCommand-Line InterfaceRole Requirements in PracticeContributing Your Own RoleConclusion

Dealing with Badly Behaved CommandsFiltersThe default FilterFilters for Registered VariablesFilters That Apply to FilepathsWriting Your Own FilterLookupsfilepipeenvpasswordtemplatecsvfiledigredisWriting Your Own Lookup Plug-inMore Complicated LoopsWith Lookup Plug-inwith_lineswith_fileglobwith_dictLooping Constructs as Lookup Plug-insLoop ControlsSetting the Variable NameLabeling the OutputImports and IncludesDynamic IncludesRole IncludesRole Flow ControlBlocksError Handling with BlocksEncrypting Sensitive Data with ansible-vaultMultiple Vaults with Different PasswordsConclusion
Patterns for Specifying HostsLimiting Which Hosts RunRunning a Task on the Control MachineManually Gathering FactsRetrieving an IP Address from the HostRunning on One Host at a TimeRunning on a Batch of Hosts at a TimeRunning Only OnceLimiting Which Tasks Runstepstart-at-taskRunning TagsSkipping TagsRunning StrategiesLinearFreeAdvanced HandlersHandlers in Pre- and Post-TasksFlush HandlersMeta CommandsHandlers Notifying HandlersHandlers ListenThe SSL Case for the listen FeatureConclusion
Connection to WindowsPowerShellWindows ModulesOur Java Development MachineAdding a Local UserWindows FeaturesInstalling Software with ChocolateyConfiguration of JavaUpdating WindowsConclusion
KubernetesDocker Application Life CycleRegistriesAnsible and DockerConnecting to the Docker DaemonExample Application: GhostRunning a Docker Container on Our Local MachineBuilding an Image from a DockerfilePushing Our Image to the Docker RegistryOrchestrating Multiple Containers on Our Local MachineQuerying Local ImagesDeploying the Dockerized ApplicationProvisioning MySQLDeploying the Ghost DatabaseFrontendFrontend: GhostFrontend: NGINXCleaning Out ContainersConclusion
Installation and SetupConfiguring Molecule DriversCreating an Ansible RoleScenariosDesired StateConfiguring Scenarios in MoleculeManaging Virtual MachinesManaging ContainersMolecule CommandsLintingYAMLlintansible-lintansible-laterVerifiersAnsibleGossTestInfraConclusion
Installing CollectionsListing CollectionsUsing Collections in a PlaybookDeveloping a CollectionConclusion
Creating Images with PackerVagrant VirtualBox VMCombining Packer and VagrantCloud ImagesGoogle Cloud PlatformAzureAmazon EC2The PlaybookDocker Image: GCC 11Conclusion
TerminologyInstanceAmazon Machine ImageTagsSpecifying CredentialsEnvironment VariablesConfiguration FilesPrerequisite: Boto3 Python LibraryDynamic InventoryInventory CachingOther Configuration OptionsDefining Dynamic Groups with TagsApplying Tags to Existing ResourcesNicer Group NamesVirtual Private CloudsConfiguring ansible.cfg for Use with ec2Launching New InstancesEC2 Key PairsCreating a New KeyUploading Your Public KeySecurity GroupsPermitted IP AddressesSecurity Group PortsGetting the Latest AMICreate a New Instance and Add It to a GroupWaiting for the Server to Come UpPutting It All TogetherSpecifying a Virtual Private CloudDynamic Inventory and VPCConclusion
Stdout Plug-insARAdebugdefaultdensejsonminimalnullonelineNotification and Aggregate Plug-insPython Requirementsforemanjabberjunitlog_playslogentrieslogstashmailprofile_rolesprofile_taskssayslacksplunktimerConclusion
Example: Checking That You Can Reach a Remote ServerUsing the Script Module Instead of Writing Your Owncan_reach as a ModuleShould You Develop a Module?Where to Put Your Custom ModulesHow Ansible Invokes ModulesGenerate a Standalone Python Script with the Arguments (Python Only)Copy the Module to the HostCreate an Arguments File on the Host (Non-Python Only)Invoke the ModuleExpected OutputsOutput Variables That Ansible ExpectsImplementing Modules in PythonParsing ArgumentsAccessing ParametersImporting the AnsibleModule Helper ClassArgument OptionsAnsibleModule Initializer ParametersReturning Success or FailureInvoking External CommandsCheck Mode (Dry Run)Documenting Your ModuleDebugging Your ModuleImplementing the Module in BashSpecifying an Alternative Location for BashConclusion
SSH Multiplexing and ControlPersistManually Enabling SSH MultiplexingSSH Multiplexing Options in AnsibleMore SSH TuningAlgorithm RecommendationsPipeliningEnabling PipeliningConfiguring Hosts for PipeliningMitogen for AnsibleFact CachingJSON File Fact-Caching BackendRedis Fact-Caching BackendMemcached Fact-Caching BackendParallelismConcurrent Tasks with AsyncConclusion
Network ManagementSupported VendorsAnsible Connection for Network AutomationPrivileged ModeNetwork InventoryNetwork Automation Use CasesSecurityComply with Compliance?Secured, but Not SecureShadow ITSunshine ITZero TrustConclusion
Continuous IntegrationElements in a CI SystemJenkins and AnsibleRunning CI for Ansible RolesStagingAnsible Plug-inAnsible Tower Plug-inConclusion
Subscription ModelsAnsible Automation Platform TrialWhat Ansible Automation Platform SolvesAccess ControlProjectsInventory ManagementRun Jobs by Job TemplatesRESTful APIAWX.AWXInstallationCreate an OrganizationCreate an InventoryRunning a Playbook with a Job TemplateUsing Containers to Run AnsibleCreating Execution EnvironmentsConclusion
Simplicity, Modularity, and ComposabilityOrganize ContentDecouple Inventories from ProjectsDecouple Roles and CollectionsPlaybooksCode StyleTag and Test All the ThingsDesired StateDeliver ContinuouslySecurityDeploymentPerformance IndicatorsBenchmark EvidenceFinal Words

Content preview from Ansible: Up and Running, 3rd Edition

Chapter 20. Making Ansible Go Even Faster

Once you start using Ansible on a regular basis, you’ll often find yourself wishing that your playbooks could run more quickly. This chapter presents strategies for reducing the time it takes Ansible to execute playbooks.

SSH Multiplexing and ControlPersist

If you’ve made it this far in the book, you know that Ansible uses SSH as its primary transport mechanism for communicating with servers. In particular, it uses the system SSH program by default.

Because the SSH protocol runs on top of the TCP protocol, when you make a connection to a remote machine with SSH, you need to make a new TCP connection. The client and server must negotiate this connection before you can actually start doing useful work. The negotiation takes a small amount of time, but it adds up if you have to do it many times, so it becomes a “penalty.”

When Ansible runs a playbook it makes many SSH connections, to do things such as copy over files and run modules. Each time Ansible makes a new SSH connection to a host, it has to pay this negotiation penalty.

OpenSSH is the most common implementation of SSH; if you are on Linux or macOS, it is almost certainly the SSH client you have installed on your local machine. OpenSSH supports an optimization called SSH multiplexing, also referred to as ControlPersist, which allows multiple SSH sessions to the same host to share the same TCP connection. This means that the TCP connection negotiation happens only the first time, thus ...