Ansiblefest London 2017
I had a surprise conference thrown at me this week. A colleague of mine had suddenly fallen ill and she wasn't able to attend Ansiblefest London, so Codeplay sent me instead. 9 hours later I'm at my hotel getting ready for the conference the next day.
This year's Ansiblefest London was the biggest yet, with over 800 attendees, and the first London event to have multiple tracks. The lunchtime sessions were split into Ansible Essentials, Tech Deep Dive, Solutions and Networking. There was a separate area for the Ask The Experts sessions.
Talks I Attended
State of Union
Mark Phillips - Senior Principal Product Manager @ Ansible
Justin Nemmers - General Manager @ Ansible
Mark Phillips opened Ansiblefest welcoming all the attendees to the conference and asked all attendees to read the code of conduct.
Phillips invited Justin Nemmers to the stage to discuss Ansible's success. People love Ansible: Twitter is full of images of them wearing Ansible gear like socks and custom babygrows. Ansible has been a great hit in the open-source ecosphere. Currently ranked in 10th place in GitHub's open-source community survey, the project has had over 2700 unique contributors.
Ansible is part of the Red Hat Management Group and has worked hard to permeate into all the products in the group.
Automation for individuals and teams is great but automated organizations are where the magic happens.
Nemmers wants Ansible to be a single language shared across the business. He has identified 3 barriers which need to be broken to overcome siloed automation.
- People problems: Skill gaps and organizational structures
- Point tools: Vendor specific tooling and expensive certificate training
- Pace of innovation: Requires integration across business domains
The Automated Enterprise: Start small, think big, drive change
- Ansible, 2017
Product Highlights
Jason McKerr - Director of Engineering @ Ansible
Peter Sprygada - Senior Principal Engineer @ Ansible
Bill Nottingham - Senior Principal Product Manager @ Ansible
Jason McKerr discussed the focus for Ansible Core over the past year: Cloud, Content Delivery, Windows, Networking and Containers. With Ansible 2.4 they continue that focus with Python 3 support, Ansible Vault, continued Windows support, easier configuration and smarter inventory.
McKerr confirmed that Ansible were still committed to open sourcing Ansible Tower and that it would be coming "within a years time"[^2].
Peter Sprygada provided the networking support update. Ansible has made great strides and their goal is to become the number 1 networking automation tool.
In only the past year, Ansible has come a long way:
- 2.0 - Networking introduced
- 2.3 - Persistent connections (SSH) and Netconf (standardised API)
- 2.4 - Declarative module support and session tracing
Ansible now supports 29+ networking platforms and has formed close relationships with many platform vendors. This progress now allows network engineers to adopt the CI/CD workflows used by developers.
Bill Nottingham was next to provide an update on Ansible Tower.
Ansible Tower 3.1 was released in February 2017 and brought with it:
- Scale-out clustering
- Log integration
- Search and filtering
- French and Japanese support
- Multi-playbook jobs
Ansible Tower 3.2, which is coming later in 2017, will be expanding on those features with:
- Automated discovery
- Smart inventories
- Automatically generated remediation (provided by Red Hat Insights)
- Scaling
- Multiple environments
- Multiple clusters
- Isolated nodes - for remote offices
Applying Ansible at HSBC
Mark Phillips - Senior Principal Product Manager @ Ansible
Richard Henshall - Chief Architect for Cloud @ HSBC
Mark Phillips interviewed Richard Henshall, discussing how HSBC encouraged change and openness to bring about the world's biggest DevOps revolution, spanning over 30 data centres and thousands of engineers worldwide.
Phillips asked Henshall how he had managed to bring this change to HSBC, banks being notoriously difficult businesses to change. Henshall commented that change is hard but rarely technical, and praised HSBC's commitment to his work in helping bring improved services to their customers.
Henshall discussed bank regulators, how they are actually friends of the bank but are commonly used as a stick to beat businesses into following best practice. Banks handle this with lots of policy and procedures which harm innovation.
Soon teams were creating good work but not sharing it. They shoved their work into private git repos and questioned if they could even open source and share it.
Efficiency and Effectiveness Through DevOps
Lt Col Dorian Seabrook - Head of Operations, Information Application Service @ British Army
Aidan Beeson - Linux Technical Architect, Information Application Service @ British Army
The British Army is adopting DevOps. A hardware refresh brought attention to the state of their infrastructure, and this was the starting point of their journey to DevOps. First they moved from bare servers to VMware, which sped up server deployment from years/months to days. This then led to their adoption of Agile and to using CI/CD pipelines for projects. Soon after, teams went full DevOps.
The British Army's structure fits Agile and DevOps: they are experts in creating specialized, cross-skilled teams.
IAS run a typical business stack, but their HR deals with the ill and wounded and their fleet tracking includes tanks.
Beeson described their infrastructure as legacy systems, but using modern methodologies to improve their effectiveness.
Operations used to manage a rat's nest of documentation, scripts and configuration files to manage servers and services which needed to feed back to each other. The human factor, combined with so many interactions, made mishaps and errors a regular occurrence.
Beeson attended Ansiblefest London 2016 and moved the server configuration process to Ansible. Now everything is run in Ansible Tower, all within one year.
Keep Calm and Read the Manual
The military are used to following manuals. The manual now says run the correct job and if anything breaks get in touch with operations to fix it.
Beeson described that even though he was new to Python it was easy to write custom modules for Ansible for their password management system.
Automated Management of Shared Secrets
Doug Bridgens - DevOps Engineer @ Far Oeuf
A fellow Ansible user from Auld Reekie! Unfortunately Bridgens was a quiet speaker and the setup for the demos was hard to see with such a small font. That being the case, the talk was still informative.
Plain text passwords, Plain text passwords everywhere
Bridgens wants the DevOps community to address the gap between DevOps and Security. Security is part of a product, not a bolt-on.
Security Policy
| Tooling,
| Political,
| and understanding
| gap
v
DevOps reality
Ansible Vault makes storing passwords and API tokens more secure and easier.
We can do even better with Ansible and HashiCorp Vault. Vault is shared secret storage; servers access the vault through authentication tokens. The vault then tells the application that the server/service is authenticated. The secret is never accessed outside of the vault. This allows easy rotation of secrets, keeping the keys to the castle safe.
Using Ansible you can automate password generation and submission to the vault. This leads to easy and regular password rotation and certificate rotation.
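The rotation flow described above, as an added playbook that is not from the talk or from Bridgens' blog post. It uses only core Ansible modules: the `password` lookup generates a fresh secret once, the `uri` module writes it to HashiCorp Vault's HTTP API before it is applied anywhere, and `postgresql_user` rotates the database role. The Vault address, the KV v2 mount at `secret/`, the `appdb` host group and the `app` role name are all assumptions; the operator token comes from the `VAULT_TOKEN` environment variable rather than the repository.

```yaml
# Added example, not code from the talk: rotate a database password and
# store it in HashiCorp Vault so the plain-text value never lives on disk.
# Assumptions: KV v2 mounted at "secret/", placeholder Vault address, and
# an "appdb" group running PostgreSQL with psycopg2 available.
- name: Rotate the application database password and store it in Vault
  hosts: appdb
  vars:
    vault_addr: "https://vault.example.internal:8200"   # placeholder address
    vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"  # short-lived token, never committed
    secret_path: "secret/data/appdb/postgres"          # KV v2 data path under the assumed mount
  tasks:
    # set_fact evaluates the lookup once; a lookup placed directly in vars
    # would be re-evaluated on every reference and yield a different value.
    # /dev/null tells the password lookup not to persist the result.
    - name: Generate a fresh 32-character password once for this run
      set_fact:
        new_db_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
      run_once: true
      no_log: true

    # Store first, apply second: if the play dies between the two steps the
    # new password is recoverable from Vault rather than lost.
    - name: Write the new password to Vault before it is applied anywhere
      uri:
        url: "{{ vault_addr }}/v1/{{ secret_path }}"
        method: POST
        headers:
          X-Vault-Token: "{{ vault_token }}"
        body_format: json
        body:
          data:
            password: "{{ new_db_password }}"
        status_code: [200, 204]
        validate_certs: yes          # never switch this off for a secrets store
      no_log: true                   # keep the secret out of the job log
      delegate_to: localhost
      run_once: true

    - name: Apply the password to the database role
      postgresql_user:
        name: app                    # placeholder role name
        password: "{{ new_db_password }}"
      become: yes
      become_user: postgres
      no_log: true

    - name: Confirm the value stored in Vault matches what was applied
      uri:
        url: "{{ vault_addr }}/v1/{{ secret_path }}"
        method: GET
        headers:
          X-Vault-Token: "{{ vault_token }}"
        return_content: yes
        validate_certs: yes
      register: stored
      failed_when: stored.json.data.data.password != new_db_password
      no_log: true
      delegate_to: localhost
      run_once: true
```

Applications then read the current password from Vault at start-up using their own Vault token, so the playbook can be scheduled from Tower to rotate on a fixed interval without anyone ever seeing the value. The `no_log: true` on every task that touches the password is what keeps it out of Tower's job output, which is otherwise the most common place rotated secrets end up in plain text.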
You can read about how to do this in Bridgens' blog post.
Automating Your Infrastructure with Ansible
Fabio Alessandro Locati - Senior Consultant @ Red Hat
This talk was basically a verbalized version of Ansible's getting started page.
Ten Things I Hate About You: Managing Windows Like Linux with Ansible
Matt Davis - Senior Principal Software Engineer @ Ansible
Matt Davis was energetic and clearly a passionate developer of Ansible's Windows support.
1 - No SSH
Windows has no SSH but instead uses WinRM, an HTTP API based on SOAP, XML and
other goo. It is disabled by default and needs to be enabled so we can use it
with Ansible. WinRM provides a batch logon, which imposes lots of restrictions
on a session. Currently pywinrm is not a requirement for Ansible, so you'll
need to install it if you want to use WinRM.
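An added example, not from the talk, of what the WinRM connection settings look like in an Ansible YAML inventory. The hostname, Kerberos realm, service account and CA bundle path are placeholders, and the password is expected to be supplied from an ansible-vault encrypted variable. The tutorial-style settings that most people copy first are left in as comments beside the hardened ones.

```yaml
# Added example inventory (not from the talk). Placeholders: hostname,
# CORP.EXAMPLE realm, ansible-svc account, CA bundle path.
windows:
  hosts:
    win-app-01.corp.example:          # placeholder hostname
  vars:
    ansible_connection: winrm
    ansible_user: ansible-svc@CORP.EXAMPLE        # user@REALM form for Kerberos
    ansible_password: "{{ vault_winrm_password }}" # from an ansible-vault file, never plain text

    # Common quick-start shortcut: plain HTTP on 5985, basic auth, no certificate check.
    # Credentials and every module's output cross the network unprotected and any
    # host answering on 5985 is accepted. Keep this for throwaway labs only.
    # ansible_port: 5985
    # ansible_winrm_scheme: http
    # ansible_winrm_transport: basic
    # ansible_winrm_server_cert_validation: ignore

    # Hardened: HTTPS listener, server certificate checked against the corporate CA,
    # Kerberos so the password is only ever exchanged with the KDC.
    ansible_port: 5986
    ansible_winrm_scheme: https
    ansible_winrm_transport: kerberos
    ansible_winrm_server_cert_validation: validate
    ansible_winrm_ca_trust_path: /etc/pki/ca-trust/source/anchors/corp-ca.pem  # placeholder path
```

The `kerberos` transport needs the pywinrm Kerberos extras installed on the control machine alongside pywinrm itself, and the Windows side needs an HTTPS listener with a certificate issued by the CA named in `ansible_winrm_ca_trust_path`. A quick check that the hardened settings actually hold is to run `ansible windows -m win_ping` and confirm the connection fails when the listener presents a self-signed certificate.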
2 - Powershell
Ansible is an agentless automation tool. Ansible achieves this on Linux because all modern distributions run Python by default. Windows doesn't, so instead all Windows Ansible modules are implemented in PowerShell. PowerShell is Windows' equivalent of Python. It is "just there" and provides a powerful language with full access to the .NET framework.
3 - Package Installation/Maintenance
Almost all Linux distros have a package manager. Windows has not adopted package
management. There is however the Chocolatey project, which brings this experience
to Windows. Using win_chocolatey you can download packages for Windows. For
packages missing from Chocolatey there is win_package, but you need to know the
registry product ID.
4 - Reboots, oh the reboots
Whether it is installing updates or applications, Windows loves to
reboot. win_reboot handles this process easily in Ansible for us.
5 - Windows Update
win_updates makes updating easy with synchronous updates and it is designed
to use the configured source for updating (WSUS/Windows Update).

```yaml
- name: Install updates from the configured source (WSUS or Windows Update)
  win_updates:
  register: wuout
- name: Reboot only when the update run asks for it
  win_reboot:
  when: wuout.reboot_required
```
6 - IIS[^1]
Ansible can configure Windows IIS websites.
7 - Registry
There typically aren't configuration files in Windows; instead it uses the registry. Ansible has two methods for managing registry entries:
- win_regedit - Manage a key/value pair
- win_regmerge - Manage idempotent bulk imports
8 - Services
Windows services can sometimes be tricky to manage, but win_service is
designed to handle creating, deleting, changing state and managing dependent
services.
9 - Domains
Ansible creates throwaway domains for managing Enterprise level identities with
win_domain. Managing a Windows domain controller is apparently hellish 😈.
10 - ACLs
Windows does not have the same permission settings as Linux; they are more
granular, akin to SELinux settings. win_acl actually makes it easier than
writing SDDL.
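An added playbook, not from the talk, that exercises items 3, 7, 8 and 10 above in one baseline play written from a hardening angle: install tooling with win_chocolatey and win_package, remove a plain-text autologon password from the registry with win_regedit, disable a service with win_service, and lock down an application's configuration directory with win_acl. The `windows` host group, the installer path, the MSI product ID, the `C:\app\config` directory and the `CORP\app-svc` account are placeholders.

```yaml
# Added example (not code from the talk). Placeholders: "windows" group,
# C:\installers\agent.msi, the all-zero product ID, C:\app\config, CORP\app-svc.
- name: Baseline a Windows host with the modules from the talk
  hosts: windows
  tasks:
    # Item 3: package installation
    - name: Install a package from Chocolatey
      win_chocolatey:
        name: git
        state: present

    - name: Install an MSI that Chocolatey does not carry (product_id is a placeholder)
      win_package:
        path: C:\installers\agent.msi
        product_id: '{00000000-0000-0000-0000-000000000000}'
        state: present

    # Item 7: registry. Autologon keeps the account password as a plain-text
    # REG_SZ value, so remove the value and switch the feature off.
    - name: Remove any plain-text autologon password
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        name: DefaultPassword
        state: absent

    - name: Turn automatic logon off
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        name: AutoAdminLogon
        data: '0'
        type: string

    # Item 8: services. Remote Registry is rarely needed and widens the
    # remote attack surface, so stop it and keep it from starting again.
    - name: Stop and disable the Remote Registry service
      win_service:
        name: RemoteRegistry
        state: stopped
        start_mode: disabled

    # Item 10: ACLs. Break inheritance so the directory stops picking up the
    # broad grants from C:\, then allow only the service account to read it.
    - name: Stop the config directory inheriting permissive ACEs
      win_acl_inheritance:
        path: C:\app\config
        state: absent
        reorganize: yes

    - name: Allow the service account read access to the config directory
      win_acl:
        path: C:\app\config
        user: CORP\app-svc
        rights: ReadAndExecute
        type: allow
        state: present
        inherit: ContainerInherit, ObjectInherit
        propagation: None

    - name: Remove the read grant that every local user otherwise inherits
      win_acl:
        path: C:\app\config
        user: BUILTIN\Users
        rights: ReadAndExecute
        type: allow
        state: absent
```

Every task here is idempotent, so the play doubles as a drift check: run it with `--check --diff` from Tower on a schedule and a changed result on the Winlogon or ACL tasks tells you someone has re-enabled autologon or widened the directory permissions since the last run.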
A Poem
I hate that you're not SSH and the shell you call power.
I hate the way you install your apps. Windows updates make me glower.
I hate the way you must reboot and your web server ISS.
I hate your complex registry it always is a mess.
I hate your janky services and stupid domain auth.
And managing your ACLs is sure to make me wroth.
I hate you're not Linux, that I have to learn you at all.
But with Ansible in my tool belt I don't hate you. Not even close. Not even a little bit. Not even at all.
Check out this post by James Hogarth in Fedora magazine, it's for anyone interested in Ansible Windows support.
From Dockerfiles to Ansible Container
Tomáš Tomeček - Senior Software Engineer @ Red Hat
Tomáš Tomeček discussed the different pros and cons of using Docker and Ansible Container for development.
Pros
| Dockerfile/Compose | Ansible Container |
| --- | --- |
| Widely used | Full Ansible power |
| Docker Hub for images | Role ready, not an image but a deployable unit of code[^3] |
| | Support lifecycle of application |

Both projects make it easy to start a project and provide consistent environments.
Cons
| Dockerfile/Compose | Ansible Container |
| --- | --- |
| Compose is not powerful | New things to learn |
| Cannot run commands easily in the container | Ansible files are more complex than Dockerfile instructions |
| Can't have many defined environments in one file | Not mature - yet |
| Service readiness checks are clunky | |
| No support for variables | |
| Dockerfile/Compose are Docker only | |
| Missing docs for images | |
| No idea what is in a file | |
Prep for 1.0
- No conductor container rebuilding
- Provide prebuilt conductor images
- Target images based on Python 3
- Established ansible-container SIG
Fin
Thanks for reading this post! Check out some previous Ansiblefest videos.
Footnotes:
[^1]: Thanks to Jimbob0i0 for spotting that I wrote ISS not IIS. Although, that would be pretty cool marketing if Ansible was used to automate the ISS.
[^2]: I didn't record the audio during the keynote; I remember hearing that while committed, it was going to take a few years before it was ready. However, there seems to be a bit of confusion on what was said on stage. But good news! It should be out within a year. Thanks @dmsimard for setting the record straight.
[^3]: This originally said "deplorable unit of code", which is pretty funny. Thanks Chillysurfer for spotting the mistake.