Friday, May 31, 2019

Enterprise Infrastructure as Code with Ansible

Keeping up on enterprise network configuration with spreadsheets, CAB meetings, scripts, and a swiss army knife of configuration software isn't sustainable.  Normalizing network administration to a single tool brings focus and effective standardization.  Ansible is one of the many ways to do this. Ansible is lightweight and easily extensible to administer any equipment that allows SSH.  I perfromed the below on MacOS Mojave.  Here is the code on GitHub.  

Get Ansible on MacOS

To run Ansible on Mac install the following: Python 2 (version 2.7) or Python 3 (versions 3.5 and higher), Open SSL, and Ansible ( https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#control-node-requirements )  This will allow your Mac to be a "control node" and send commands out to many machines.  MacOS is limited to 15 open files so you may need to adjust this if you're controlling a lot of nodes.  (See https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#control-node-requirements)

It's a bit "sporty" to build and install OpenSSL on a Mac.  If you use Brew or MacPorts, do one of the following and skip to install Ansible:

If you're like me and not a user of brew or MacPorts, then see the following steps.

Update Python 

The Python that comes stock on MacOS is likely pretty old. Go to the terminal and check:
(If you happen to accidentally type "python -v" use ctrl-D to close the REPL.)
$ python -V 
Or 
$ python3 -V

The later option checks for a common name that the newer python is installed as.  You can also check /usr/local/bin and see if there are other versions of python already sitting there.  The stock version of python is at /usr/bin.

If you don't have python 3.5 or greater, install a newer version.  Here are some instructions:
https://www.macobserver.com/analysis/how-to-upgrade-your-mac-to-python-3-2017-update/

Build and Install Open SSL

Go here and follow the instructions (https://github.com/openssl/openssl/blob/master/INSTALL) to build, execute tests, and install OpenSSL.  

Install Ansible

Follow the instructions for MacOS here: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#latest-releases-on-macos

Test it with:
$ ansible --version

Notice what version of python it reports back. This is the version of python your control node is using. If it's not using the Python 3 that you intended, keep this into account before doing something important with ansible. If you notice some of the ansible commands not working, then you'd better attend to this.  (You can't simply change /user/bin/python as MacOS keeps this immutable for a number of good reasons.)

Your first configuration

Since we want to use network configuration as code, make a directory for storing configurations so they can be checked in.  In my case, I used Git for source control and VI for editing files:
$ mkdir ansible_repository
$ cd ansible_repository
$ git init
$ mkdir hosts
$ vi lancer_kind_com.ini

Here is background on creating inventory files.  For this example, it's simple.  https://docs.ansible.com/ansible/2.3/intro_inventory.html




Test it by invoking the ping module:
$ ansible macattack -i lancer_kind_com.ini -m ping

Managing Remote Objects

Great.  You can administer your workstation with Ansible.  Time for the next level: managing a single remote site.

Configure SSH, Passwords, and Security

Let's all agree that it doesn't make any sense to type in SSH passwords as that's not a scalable or very useful automation strategy.  If you're new to using ssh public/private keys, and want to set it up by hand, here is a good article.  Once you've done that, test your configuration:
$ ssh username@hostname ls

(When you generated a key with ssh-keygen, you set a pass phrase, you'll still need to type in the pass phrase whenever ssh needs to work with the key you created.  If you don't like that, set the pass phrase to empty--press return.  You can use "ssh-keygen -p -f " to change the pass phrase of an existing file.)

To configure SSH for all your thousands of nodes in a scalable fashion, read how to do key distribution.

Ansible

Add the remote host to the inventory file.  For more details on configuration file, see the Ansible docs: https://docs.ansible.com/ansible/2.3/intro_inventory.html.

[] is a grouping mechanism.  With [blogs] for example, many sites can be listed and managed as a group.  Execute the ping module on [blogs].  "-u " has been redacted.  It is the SSH user that ansible will use.

Where to put your Ansible user name?

You can put the username in the inventory file, or in the roles (I'll go over this in an article about Ansible Playbooks), or at the command line.  I chose the command line so that I could check in files and still keep my ansible user name secret from the internet.  Here is a StackOverflow thread about these three options.

Executing ad hoc CLI

A simple yet powerful feature is that now a command can be sent to many nodes in a SIMD manner.  Since there is no "-m" argument, ansible uses the default which is the "command" module.  Command module takes a "-a" argument which means what is after "-a" is executed by the endpoint.  So "hostname" will be executed it every machine in the "blogs" group, in parallel execution.  Using -f tells ansible to do them in sets of 20 rather than ALL the endpoints grouped under "blogs."

Conclusion

Ansible can be used to manage any system which can handle SSH (not only computers but routers, ...).  Keeping your private key secure and distributing keys is a bit more work.  What's left to learn is to organize your inventory files (or integrate an inventory service into Ansible) in a maintainable way.  The good news is that you can start small and grow your Ansible skills.

Here are two pathways for continued education:

  • Other Ansible utilities:
    • ansible  - the command used in this article
    • ansible-config - list configurations that ansible has access too
    • ansible-console - a REPL environment to practice your ansible commands
    • ansible-doc - list plugins and documents
    • ansible-galaxy - install modules from ansible galaxy
    • ansible-inventory - display or dump configuration information as ansible sees it
    • ansible-playbook - execute playbooks
    • ansible-pull - pulls a playbook from a VCS repo
    • ansible-vault - encrypt a structured data file used by Ansible.
  • Ansible for network administration

References

Nice getting started video: https://www.ansible.com/resources/videos/quick-start-video?extIdCarryOver=true&sc_cid=701f2000001OH7YAAW

Current suggested practices: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html

2 comments:

  1. Thank you for the great post.
    Prancer is a pre-deployment and post-deployment multi-cloud validation framework for your Infrastructure as Code (IaC) pipeline and continuous compliance in the cloud.

    ReplyDelete