Ansible Advanced: Security Consultant at Cspi GMBH

A BOUT I NTRODUCTION P LAYBOOKS IN DEEP W HAT ’ S NEW Amazon AWS Upcoming topics E ND
Ansible Advanced
Oleg Fiksel
Security Consultant @ CSPI GmbH
oleg.fiksel@cspi.com | oleg@fiksel.info
FrOSCon 2016
A GENDA
A BOUT
I NTRODUCTION
P LAYBOOKS IN DEEP
W HAT ’ S NEW
Amazon AWS
Upcoming topics
E ND
Q&A
A BOUT ME
I Security Consultant @ CSPI 1 (former MODCOMP 2 )

I Main topics
I Automation
I Virtualisation
I Application Switching (load balancing)
I Perl Coding
1
About CSPi
2
Wikipedia: MODCOMP
G OALS OF THIS TALK

G OALS OF THIS TALK
I This is not a comparison of configuration management

systems.
G OALS OF THIS TALK

systems.
I Provide overview of some (not all) advanced features of
ansible.
G OALS OF THIS TALK

systems.
ansible.
I Using examples
G OALS OF THIS TALK

systems.
ansible.
I Using examples
I Provide links for possible deep dive on a particular subject
G OALS OF THIS TALK

systems.
ansible.
I Using examples
I Talk about new features in ansible 2.0 (and ansible 2.2)
G OALS OF THIS TALK

systems.
ansible.
I Using examples
I Talk about new features in ansible 2.0 (and ansible 2.2)
I Discuss new topics ansible is approaching
W HY ANSIBLE ?
W HY ANSIBLE ?
I Fresh
W HY ANSIBLE ?
I Fresh
I Started February 2012
W HY ANSIBLE ?
I Fresh
I Core rewrite January 2016
W HY ANSIBLE ?
I Fresh
I Simple syntax
W HY ANSIBLE ?
I Fresh
I Simple syntax
I Bloody Enterprise compatible
W HY ANSIBLE ?
I Fresh
I Simple syntax
I Works with no agents on the systems
W HY ANSIBLE ?
I Fresh
I Simple syntax
I Works via jumphosts
W HY ANSIBLE ?
I Fresh
I Simple syntax
I Works via jumphosts
I Works on stripped down / hardened systems
P LAYBOOK BEST PRACTICES

Source: http://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout
1 stage # inventory f i l e f o r s t a g e environment

2 production # inventory f i l e f o r production environment
3
4 group_vars/
5 group1 # assign v a r i a b l e s to p a r t i c u l a r s e r v e r groups
6 host_vars/
7 hostname1 # systems s p e c i f i c v a r i a b l e s
8
9 s i t e . yml # master playbook
10 webservers . yml # playbook for webserver t i e r
11
12 roles/
13 common/ # this hierarchy represents a " role "
14 tasks/ #
15 main . yml # <−− t a s k s f i l e can i n c l u d e s m a l l e r f i l e s i f w a r r a n t e d
16 handlers/ #
17 main . yml # <−− h a n d l e r s f i l e
18 templates/ # <−− f i l e s f o r u s e w i t h t h e t e m p l a t e r e s o u r c e
19 ntp . conf . j 2 # <−−−−−−− t e m p l a t e s end i n . j 2
20 files/ #
21 foo . sh # <−− s c r i p t f i l e s f o r u s e w i t h t h e s c r i p t r e s o u r c e
22 v a r s/ #
23 main . yml # <−− v a r i a b l e s a s s o c i a t e d w i t h t h i s r o l e
24 defaults/ #
25 main . yml # <−− d e f a u l t l o w e r p r i o r i t y v a r i a b l e s f o r t h i s r o l e
26 meta/ #
27 main . yml # <−− r o l e d e p e n d e n c i e s
28
29 monitoring/ # same k i n d o f s t r u c t u r e a s "common" r o l e
M ODULE INSIGHTS
1
Ansible - Developing Plugins
M ODULE INSIGHTS
Most work in ansible is handled by modules 1 .
1
M ODULE INSIGHTS
I connection modules
1
M ODULE INSIGHTS
I connect to machines
1
M ODULE INSIGHTS
I lookup modules
1
M ODULE INSIGHTS
I lookup modules
I give data
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I register events that happen when tasks are executed
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
I self contained script
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
I any programming language (core modules - python only)
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
I do the heavy lifting
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
I copied to the target machine
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
I executed with (json) input
1
M ODULE INSIGHTS
I lookup modules
I give data
I filter modules
I transform data
I callback modules
I task modules
I executed with (json) input
I (json) output is registered
1
P LAYBOOKS IN DEEP
TAGS
TAGS
1 # main.yml
2 ---
3 − h o s t s : webservers
4 gather_facts: false
5 tasks:
6 - package:
7 name: "lighttpd"
8 state: installed
9 tags:
10 - packages
11 - template:
12 s r c : "template/lighttpd.j2"
13 d e s t : "/etc/lighttpd/lighttpd.conf"
14 tags:
15 - configuration
TAGS
1 # main.yml
2 ---
3 − h o s t s : webservers
5 tasks:
6 - package:
7 name: "lighttpd"
8 state: installed
9 tags:
10 - packages
11 - template:
12 s r c : "template/lighttpd.j2"
13 d e s t : "/etc/lighttpd/lighttpd.conf"
14 tags:
15 - configuration
Run:
a n s i b l e −playbook main . yml −−t a g s packages
a n s i b l e −playbook main . yml −−skip−t a g s c o n f i g u r a t i o n

1
More details: Ansible - Playbook Tags
C USTOM ACTIONS
C USTOM ACTIONS
1 ---
2 − i n c l u d e _ v a r s : "includes/{{ ansible_os_family }}.yml"
3 − name: "remove the apache package"
4 a c t i o n : "{{custom_package_mgr}} name={{apache}} state=absent"
I NTERACTION
COMMANDLINE / FILE
COMMANDLINE / FILE
a n s i b l e −playbook −e ’ apache_hostname=example . com ’ deploy . yml
a n s i b l e −playbook −−e x t r a −v a r s " @vars . j s o n " deploy . yml
1 # vars . json
2 { " apache_hostname " : " example . com" }
P ROMPTS AND PAUSE
1
Ansible - Playbook Prompts
2
Ansible - Pause Module
P ROMPTS AND PAUSE
1 ---
2 − hosts: localhost
4 vars_prompt:
5 - name: "name"
6 prompt: "What is your name?"
7 p r i v a t e : no
8 - name: "location"
9 prompt: "What is you location?"
11 tasks:
12 - debug:
13 msg: "{{name}}, let me think for a moment..."
14 - pause:
15 seconds: 10
16 - debug:
17 msg: "Let me guess, you are now at {{location}}?"
1
Ansible - Playbook Prompts
2
Ansible - Pause Module
P LAYBOOK AS AN EXECUTABLE
1
Example from: Ansible Webinar - Tips and Tricks by Brian Coca
Use Shebang to run ansible as an executable.
1 #!/usr/bin/ansible-playbook
2 ---
3 − hosts: a l l
5 # sudo: true
6 vars_files:
7 - d e p a r t e d _ u s e r s . yml
8 tasks:
9 - name: D e l e t e departed u s e r s and a l l i t ’s files
10 u s er: name = { { item } } s t a t e = a b s e n t remove=yes
11 with_items: "{{departed}}"
1
2 ---
3 − hosts: a l l
5 # sudo: true
6 vars_files:
8 tasks:
1 # departed_users.yml
2 ---
3 − departed: [ "toor" , "admin" ]
1
2 ---
3 − hosts: a l l
5 # sudo: true
6 vars_files:
8 tasks:
1 # departed_users.yml
2 ---
3 − departed: [ "toor" , "admin" ]
. / d e l e t e _ d e p a r t e d _ u s e r s . yml −i . . / i n v e n t o r y −l h o s t 1
1
D ELEGATION
D ELEGATION
1 ---
2 − name: shush n a g i o s b e f o r e deployment
3 n a gi o s:
4 action: silence
5 h o s t : "{{inventory_hostname}}"
6 d e l e g a t e _ t o : "{{nagios_host}}"
7
8 . . . deployment
9
10 − name: unshush n a g i o s a f t e r deployment
11 n a gi o s:
12 action: unsilence
13 h o s t : "{{inventory_hostname}}"
14 d e l e g a t e _ t o : "{{nagios_host}}"
L OOKUPS
L OOKUPS 1/4
Lookups are executed on ansible controller.

L OOKUPS 1/4
Lookups are executed on ansible controller.

Probably most well known lookup is:
1 ---
2 − name: add ssh key
3 authorized_key:
4 u s er: r o o t
5 key: "{{ lookup(’file’, ’~/.ssh/id_rsa.pub’) }}"
L OOKUPS 2/4
You can use lookups for other weird things too:

L OOKUPS 2/4
You can use lookups for other weird things too:

1 ---
4 tasks:
5 - name: random number ( using lookup )
6 debug:
7 msg: "Random number {{ lookup(’pipe’, ’perl -e " p r i n t i n t (
rand ( 1 0 0 ) ) "’) }}"
L OOKUPS 3/4
Or just use build-in function:

L OOKUPS 3/4
Or just use build-in function:

1 ---
4 tasks:
5 - name: a n s i b l e n a t i v e random number
6 debug:
7 msg: "{{100 | random}}"
L OOKUPS 4/4
Lookups list (incomplete):

I pipe
I redis_kv
I template
I etcd
I dig (DNS)
I csvfile
I ini
I ...
F ILTERS
F ILTERS
Filters manipulate data and are executed on the ansible

controller.
More information:
I http://docs.ansible.com/ansible/playbooks_filters.html
I http://jinja.pocoo.org/docs/dev/templates/#builtin-filters
E XAMPLE 1
Not all filters are dependency-free.

IP address validation needs python-netaddr.
1 ---
3 g a t h e r _ f a c t s : no
4 tasks:
5 - debug: msg = { { i p | ipv4 } }
E XAMPLE 2
1 ---
4 tasks:
5 - debug:
6 msg: "{{ ’ansible’ | regex_replace(’^a.*i(.*)$’, ’a\\1’) }}"
Produces: “able”
VARIABLE VALIDATION
VARIABLE VALIDATION
1 ---
2 − hosts: a l l
3 g a t h e r _ f a c t s : no
4 tasks:
5 - debug: msg = { { hostname | mandatory } }
6 - debug: msg = { { i p | mandatory } }
7 ...
I NCLUDES AND R OLES

I NCLUDES
I NCLUDES
1 ---
2 − servers: a l l
3 tasks:
4 - i n c l u d e : set_mysql_password . yml mysql_user= r o o t mysql_pass
= { { var_mysql_pass } }
5 ...
R OLES
R OLES
1 # sample r o l e s t r u c t u r e
2 roles/
3 common/
4 files/
5 templates/
6 tasks/
7 handlers/
8 vars/
9 defaults/
10 meta/
I NCLUDES V. S . R OLES
When use includes and when roles?

I NCLUDES V. S . R OLES
When use includes and when roles?
I includes for small code pieces
I if you have files/templates/handlers - use roles

V ERBOSITY AND ERROR HANDLING

IGNORE _ ERRORS
Continue running the task disregarding an error.

1 ---
2 − name: mysql r o o t password
3 mysql_user: name= r o o t password = { { db_root_password } }
4 ignore_errors: true
ASSERT
1 ---
4 vars_prompt:
5 - name: "name"
7 # show input contents
9 tasks:
10 - name: Very s e c u r e u s e r v a l i d a t i o n
11 assert:
12 t h a t : "name == ’Oleg’"
FAIL
1 ---
4 vars_prompt:
5 - name: "name"
7 # show input contents
9 tasks:
10 - name: Very s e c u r e u s e r v a l i d a t i o n
11 fail:
12 msg: "You are not allowed to run this playbook, {{name}}!"
13 when: "name != ’Oleg’"
W HAT ’ S NEW IN A NSIBLE 2.0
1
Details: Ansible 2.0 Release Notes
I Task Blocks
1
I Task Blocks
I Playbook parsing and Error Reporting improvements
1
I Task Blocks
I Syntax error shows the exact place in a playbook and gives
sugestions
1
I Task Blocks
sugestions
I No more escaping of escapings needed (\\\\)
1
I Task Blocks
sugestions
I Dynamic Includes
1
I Task Blocks
sugestions
I Dynamic Includes
I Execution Strategy Plugins
1
TASK B LOCKS - B ASIC E XAMPLE

TASK B LOCKS - B ASIC E XAMPLE
1 tasks:
2 - block:
3 - debug: msg=’i execute normally’
4 - command: /bin/ f a l s e
5 - debug: msg=’i never execute, cause ERROR!’
6 rescue:
7 - debug: msg=’I caught an error’
8 - command: /bin/ f a l s e
9 - debug: msg=’I also never execute :-(’
10 always:
11 - debug: msg="this always executes"
TASK B LOCKS - A DVANCED E XAMPLE

1 ---
2 − hosts: a l l
3 serial: 1
4 vars:
5 - debug: f a l s e
6 - packages: [ g i t , l i g h t t p d ]
7 tasks:
8 - block:
9 - name: i n s t a l l packages
10 package: name="{{item}}" s t a t e = i n s t a l l e d
11 with_items:
12 - "{{packages}}"
13 r e g i s t e r : packages_state
14 - debug: msg="{{packages_state}}"
15 when: "debug == true"
16 - name: copy l i g h t t p d c o n f i g f i l e
17 template:
18 s r c : "lighttpd.conf.j2"
19 d e s t : "/etc/lighttpd/conf-enabled/00-test.conf"
20 - name: r e s t a r t l i g h t t p d
21 s e r v i c e : name="lighttpd" s t a t e = r e s t a r t e d
22 rescue:
23 - name: remove l i g h t t p c o n f i g f i l e
24 file:
25 d e s t : "/etc/lighttpd/conf-enabled/00-test.conf"
26 s t a t e : absent
27 - name: remove i n s t a l l e d packages
28 package: name="{{item}}" s t a t e = a b s e n t purge= t r u e
29 with_items:
30 - "{{packages}}"
31 when: "packages_state[’changed’] == true"
32 - fail:
D YNAMIC INCLUDES
1
Porting guide to ansible 2.0
D YNAMIC INCLUDES
I Before ansible 2.0 includes were preprocessed (once at

start-time)
1
D YNAMIC INCLUDES

start-time)
I From ansible 2.0 on includes are dynamically evaluated in
runtime
1
D YNAMIC INCLUDES

start-time)
runtime
I The fact that your plabook from ansible < 2.0 is parsed
correctly in ansible 2.0 doesn’t mean it will behave the
same way
1
D YNAMIC INCLUDES

start-time)
runtime
same way
I Examples:
1
D YNAMIC INCLUDES

start-time)
runtime
same way
I Examples:
I − i n c l u d e : "{{ ansible_os_family }}.yml"
1
D YNAMIC INCLUDES

start-time)
runtime
same way
I Examples:
I − i n c l u d e : "{{ ansible_os_family }}.yml"
I − i n c l u d e _ v a r s : "{{ ansible_os_family }}.yml"
1
E XECUTION STRATEGIES
E XECUTION STRATEGIES
Sice ansible 2.0 execution strategies are plugins.

E XECUTION STRATEGIES 1/3

strategy: linear
(default)
host2 host1
task1=1sec
task1=5sec
task2=5sec
task2=9sec

strategy: linear strategy: free
(default)
host2 host1 host2 host1
task1=1sec task1=1sec
t1=5sec
task2=9sec
t1=5sec
task2=9sec

strategy: linear strategy: free strategy: linear
(default) serial: 1
host2 host1 host2 host1 host2 host1
t1=5sec task1=5sec
task2=9sec
t1=5sec task2=5sec
task2=9sec
task1=1sec
task2=9sec
E XECUTION STRATEGIES - P LAYBOOK 1/3
1 # File structure :
2
3 . / d e p l o y _ f a c t s . yml
4 ./ f i l e s
5 ./ f i l e s /host1 . f a c t
7 . / run . yml
1 # File structure :
2
3 . / d e p l o y _ f a c t s . yml
4 ./ f i l e s
7 . / run . yml
1 # f i l e s / host1 . f a c t
2 [ general ]
3 t 1 =1
4 t 2 =9
1 # f i l e s / host2 . f a c t
2 [ general ]
3 t 1 =5
4 t 2 =5
1 # deploy_facts.yml
2 ---
3 − hosts: a l l
4 tasks:
5 - debug:
6 msg: "{{ ansible_local[’times’][’general’] }}"
7 i g n o r e _ e r r o r s : True
8 - file:
9 path: ’/etc/ansible/facts.d’
10 state: directory
11 - copy:
12 s r c : "files/{{ inventory_hostname }}.fact"
13 d e s t : "/etc/ansible/facts.d/times.fact"
1 # run.yml
2 ---
3 − hosts: a l l
4 strategy: free
5 # strategy: linear
6 # serial: 1
7 tasks:
8 - debug:
9 msg: "{{ ansible_local[’times’][’general’] }}"
10 - shell:
11 cmd: "sleep {{ ansible_local[’times’][’general’][’t1’] }}"
12 - shell:
13 cmd: "sleep {{ ansible_local[’times’][’general’][’t2’] }}"
G ENERIC PACKAGE M ODULE
1
Details: Ansible - Package Module
1 ---
2 − package: name= g i t s t a t e = p r e s e n t
We all have been waiting for it!
1
Details: Ansible - Package Module
But wait a minute...

Does this ease the pain of creating playbook for different
distros?

distros?
I apache package name

I CentOS/RHEL: httpd
I Debian: apache2
I apache config directory
I CentOS/RHEL: /etc/httpd/conf.d
I Debian: /etc/apache2/conf-enabled

distros?
I apache package name

I CentOS/RHEL: httpd
I Debian: apache2
I apache config directory
I CentOS/RHEL: /etc/httpd/conf.d
I Debian: /etc/apache2/conf-enabled
How to solve?

Working with distro-dependent variables.

Working with distro-dependent variables.
1 # remove_apache.yml
2 ---
3 − hosts: a l l
4 tasks:
5 - i n c l u d e _ v a r s : "includes/{{ ansible_os_family }}.yml"
6
7 - debug:
8 msg: "going to remove package {{apache}}"
9
10 # This uses a variable as this changes per distribution.
11 - name: "remove the apache package"
12 package: name = { { apache } } s t a t e = a b s e n t
1 # includes/Debian.yml
2 ---
3 apache: "apache2"
1 # includes/RedHat.yml
2 ---
3 apache: "httpd"
IPTABLES MODULE
IPTABLES MODULE
1 ---
2 # Block specific IP
3 − iptables:
4 i p _ v e r s i o n : ipv4
5 ch a i n : INPUT
6 source: 8 . 8 . 8 . 8
7 jump: DROP
8 # this must be runned as root (sudo)
9 become: t r u e
ANSIBLE 2.2 ( CURRENT DEVELOPMENT )
1
Changelog
Currently in development.
1
Changelog
I Added support for binary modules.
"Yeah!" to all Golang programmers.
1
Changelog
I letsencrypt
1
Changelog
I letsencrypt
I cisco ASA
1
Changelog
I letsencrypt
I cisco ASA
I lxd module
1
Changelog
I letsencrypt
I cisco ASA
I lxd module
I aws_vpc_∗
1
Changelog
I letsencrypt
I cisco ASA
I lxd module
I aws_vpc_∗
I telegram
1
Changelog
I letsencrypt
I cisco ASA
I lxd module
I aws_vpc_∗
I telegram
I wakeonlan
1
Changelog
I letsencrypt
I cisco ASA
I lxd module
I aws_vpc_∗
I telegram
I wakeonlan
I ...
1
Changelog
A MAZON AWS
1
Changelog
2
List of cloud modules
A MAZON AWS
I Current status
1
Changelog
2
A MAZON AWS
I Current status
I ansible 2.0 ∼ 70 AWS modules
1
Changelog
2
A MAZON AWS
I Current status
I For everthing else use awscli (until module will be
implemented)
1
Changelog
2
A MAZON AWS
I Current status
implemented)
I For better experience
1
Changelog
2
A MAZON AWS
I Current status
implemented)
I Use ansible = 2.0 + Boto3 (long-term Boto will go away)
1
Changelog
2
A MAZON AWS
I Current status
implemented)
I Use ansible = 2.0 + Boto3 (long-term Boto will go away)
I ansible 2.2 (current development) has more aws modules,
see changelog 1 for details
1
Changelog
2
E XAMPLE
1 ---
2 − name: s ea m le ss deployment
3 h o s t s : nodes_behind_elb
4 serial: 1
5 pre_tasks:
6 - name: g e t ec2 f a c t s
7 ec2_facts:
8 - name: d i a c t i v a t e node i n e l b
9 e c 2 _ e l b : s t a t e = a b s e n t # arguments
10 delegate_to: localhost
11
12 tasks:
13 - name: deploy new s o f t w a r e
14 g i t : # arguments
15
16 post_tasks:
17 - name: a c t i v a t e node i n e l b
18 e c 2 _ e l b : s t a t e = p r e s e n t # arguments
19 delegate_to: localhost
U PCOMING TOPICS
C OMPLIANCE
1
ansible-lockdown
C OMPLIANCE
ansible-lockdown 1
1
ansible-lockdown
C OMPLIANCE
ansible-lockdown 1
I goal - implement STIG baseline
1
ansible-lockdown
C OMPLIANCE
ansible-lockdown 1
I IMHO good idea
1
ansible-lockdown
C OMPLIANCE
ansible-lockdown 1
I IMHO good idea
I current status: v0.1
1
ansible-lockdown
N ETWORK O RCHESTRATION
1
Ansible - List of Network Modules
N ETWORK O RCHESTRATION
Support in ansible 2.0 1 :

I Arista EOS (cli, eapi)
I Cisco NXOS (cli, nsapi)
I Cisco IOS (cli)
I Cisco IOSXR (cli, netconf)
I Cumulus Linux (ssh)
I Juniper JUNOS (cli, netconf)
I OpenSwitch (ssh, cli, rest)
1
Ansible - List of Network Modules
E XAMPLE
1 ---
2 − hosts: ios1
3 tasks:
4 - ios_command:
5 commands: show running−c o n f i g a l l
6 p r o v i d e r : "{{cli}}"
7 r e g i s t e r : deviceconfig
8
9 - ios_config
10 lines:
11 - d e s c r i p t i o n c o n f i g u r e d by a n s i b l e
12 - i p address 1 0 . 0 . 0 . 1 2 5 5 . 2 5 5 . 2 5 5 . 0
13 - no shutdown
14 p a r e n t s : i n t e r f a c e G i g a b i t E t h e r n e t 0 /1
15 c o n f i g : "{{ deviceconfig.stdout[0] }}"
16 p r o v i d e r : "{{cli}}"
1
Ansible Webcast - Automating your network
ANSIBLE - CONTAINER
1
ansible-container readme
ANSIBLE - CONTAINER
I For all you Docker hipsters out there.
1
ANSIBLE - CONTAINER

I Aim is to use ansible playbooks for physical hosts, VMs as
well as containers.
1
ANSIBLE - CONTAINER

well as containers.
I Workflow: build, flatten the image, (run), push to
container registry.
1
ANSIBLE - CONTAINER

well as containers.
container registry.
I Current status:
1
ANSIBLE - CONTAINER

well as containers.
container registry.
I Current status:
I Only Docker support now
1
ANSIBLE - CONTAINER

well as containers.
container registry.
I Current status:
I Support for other container providers will come (Rocket?)
1
ANSIBLE - CONTAINER

well as containers.
container registry.
I Current status:
I Support for other container providers will come (Rocket?)
I Until now no network function support for docker
1
S UMMARY
1
Playbooks from this talk
S UMMARY
I Ansible is expanding it’s work area and developing

rapidly
1
S UMMARY

rapidly
I Play the slides after the talk and try things out
1
S UMMARY

rapidly
I Use the links in slides to dive deeper
1
S UMMARY

rapidly
I Most of standard recurring tasks can be automated using

ansible
1
S UMMARY

rapidly

ansible
I Playbooks from the slides are available on Github 1
1
S UMMARY

rapidly

ansible
I Playbooks from the slides are available on Github 1
I ansible-doc is pretty handy for writing playbooks offline
1
Q&A
Thanks!
Oleg Fiksel
oleg.fiksel@cspi.com | oleg@fiksel.info

Ansible Advanced: Security Consultant at Cspi GMBH

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ansible Advanced: Security Consultant at Cspi GMBH

Uploaded by

Copyright:

Available Formats

A BOUT I NTRODUCTION P LAYBOOKS IN DEEP W HAT ’ S NEW Amazon AWS Upcoming topics E ND

Security Consultant @ CSPI GmbH

I Security Consultant @ CSPI 1 (former MODCOMP 2 )

G OALS OF THIS TALK

G OALS OF THIS TALK

I This is not a comparison of configuration management

G OALS OF THIS TALK

I This is not a comparison of configuration management

G OALS OF THIS TALK

I This is not a comparison of configuration management

G OALS OF THIS TALK

I This is not a comparison of configuration management

G OALS OF THIS TALK

I This is not a comparison of configuration management

G OALS OF THIS TALK

I This is not a comparison of configuration management

P LAYBOOK BEST PRACTICES

1 stage # inventory f i l e f o r s t a g e environment

a n s i b l e −playbook main . yml −−skip−t a g s c o n f i g u r a t i o n

a n s i b l e −playbook −e ’ apache_hostname=example . com ’ deploy . yml

a n s i b l e −playbook −−e x t r a −v a r s " @vars . j s o n " deploy . yml

P ROMPTS AND PAUSE

P ROMPTS AND PAUSE

Lookups are executed on ansible controller.

Lookups are executed on ansible controller.

You can use lookups for other weird things too:

You can use lookups for other weird things too:

Or just use build-in function:

Or just use build-in function:

Lookups list (incomplete):

Filters manipulate data and are executed on the ansible

Not all filters are dependency-free.

I NCLUDES AND R OLES

When use includes and when roles?

When use includes and when roles?

I includes for small code pieces

I if you have files/templates/handlers - use roles

V ERBOSITY AND ERROR HANDLING

Continue running the task disregarding an error.

W HAT ’ S NEW IN A NSIBLE 2.0

W HAT ’ S NEW IN A NSIBLE 2.0

W HAT ’ S NEW IN A NSIBLE 2.0

W HAT ’ S NEW IN A NSIBLE 2.0

W HAT ’ S NEW IN A NSIBLE 2.0

W HAT ’ S NEW IN A NSIBLE 2.0

W HAT ’ S NEW IN A NSIBLE 2.0

TASK B LOCKS - B ASIC E XAMPLE

TASK B LOCKS - B ASIC E XAMPLE

TASK B LOCKS - A DVANCED E XAMPLE

I Before ansible 2.0 includes were preprocessed (once at

I Before ansible 2.0 includes were preprocessed (once at

I Before ansible 2.0 includes were preprocessed (once at

I Before ansible 2.0 includes were preprocessed (once at

I Before ansible 2.0 includes were preprocessed (once at

I Before ansible 2.0 includes were preprocessed (once at

I − i n c l u d e _ v a r s : "{{ ansible_os_family }}.yml"

Sice ansible 2.0 execution strategies are plugins.

E XECUTION STRATEGIES 1/3

E XECUTION STRATEGIES 2/3

host2 host1 host2 host1

E XECUTION STRATEGIES 3/3

host2 host1 host2 host1 host2 host1