This is the "Build Your Own Ansible Lightsaber" talk. It's got two components. We're going to talk about Ansible, so it's gonna be really intro level there, and then a little bit about Lightsaber.

So first, what is Ansible? Ansible is a tool that lets you make SSH connections to a large number of remote machines and then push commands over the wire to them. There's three modes that you can use Ansible in. Ad hoc is kind of just running one command at a time on the remote machine. You can use it as an orchestration tool, which is really kind of doing the same thing, you know, running tasks on the remote machine, but it's more of a time when you are able to pre-plan and say, "Oh, well, you know, I have this set of five tasks that all kind of make one logical action, and I want to be able to run that on these remote machines." So if you have time to prepare that in advance, that's kind of where orchestration comes in. And configuration management is what people mostly associate with Ansible. Configuration management is also about running tasks on remote machines, but instead of thinking about it in terms of "I want to do this thing on a remote machine", you think more along the lines of "I want to make the remote machine match this certain state".

So here's some... That's... You guys want to step forward, we could do that. What is that, PDF? You could just read it, or all the slides like that. I... Unless there are switches behind the screen. Oh, is this all in text? No. I didn't have to read the madness. I mean... Yes. Okay.

You know, really quickly, it's just kind of doing one task at a time. ansible, the command I'm running here: the -i stands for inventory. Inventory is all the hosts that Ansible is going to know about. Here I'm just giving it two hosts on the command line, web server one and two. I'm telling it "all", which means all the hosts that you know about in inventory. So the story behind this could be something like, oh, you know, I get a call at 10 p.m. and someone says, "Oh, the web app is broken."
"You know, it's doing all these bad things. You got to go fix it right now." And, you know, you start, you look at the code, you stare at it, you do this and do that. You come up with a fix. It's midnight. You're like, now I got to get this out to all my web servers and go to sleep, so that in the morning, you know, I can do everything correctly, check it in to git, whatever else.

So Ansible here is allowing me to copy, using the copy module, the fixed file that I have on my server up to a different directory on the remote server. Because the remote server is going to require special permissions, it won't work as just my SSH user that I'm logging in as. I'm gonna use sudo, and it's gonna have to ask for a password in order to do that. And then after I copy that file up, I'm gonna run a second Ansible task here, calling the service module this time and telling it to go ahead and restart Apache on that machine so that it applies my changes.

And one thing about this second one: you can see the forks 1. That's telling Ansible that instead of spawning off a new process for every host here, I just want to have one process, and that way it'll kind of serialize it, and that way I won't end up, you know, bouncing all the web servers at once and everyone's seeing an outage. The parts of the web app that are still working... doing the forks 1 means that those users on this load-balanced system will see things continue to work the whole time.

So here's the output. The first task I run, it makes this copy of the file. It has to ask me for the password, the sudo password.
I type it in, it goes out. SSH: I've got, you know, public/private keys set up, so it doesn't have to ask me for a password for that. It then copies the file over to the remote system, and then it returns some JSON information here that tells me about what it did. Changed true means yes, it did in fact change the file. It wasn't the correct file to begin with, so I pushed the new one up. It gives me a checksum of the file. Destination's just telling me where it put it, and then it's got some other, you know, file system information about it. And you notice it gives me both web servers; it's telling me what happened on both. So if I had been experimenting live on one of the web servers and I already had the file there, it'd tell me changed is false for that web server, but the other one would be changed true.

And then the second task that I ran is returning less information, because the service module doesn't have as much information that it feels like it needs to give me. It's just telling me that changed is true, it was a success, and that httpd on that server is now running. So, pretty simple.

Here's an example of orchestration. Orchestration is similar to running ad hoc tasks. We're just telling Ansible that, you know, we want you to go and do this, that, the other thing on the remote server. But instead of being at the command line, having to type everything out, we've got the opportunity to pre-plan this. So in this orchestration task, what we're saying is we want to run a yum update on the remote system. Now, you know, sometimes with a yum update, a package will get in there and you say, oh, I really don't want to upgrade that package because it's kind of dangerous, I want to evaluate the changes first. So we're taking this logical action of updating my server to all the newest packages, and we're going to do it in four different tasks that allow us to stop right in the middle. So the first task is calling the yum module and it's going to do a list. This is a parameter. Oh, so playbooks.
This is the first time you've seen a playbook. Playbooks are YAML, and YAML is kind of a data structure format that's text-based, for people to read. The top level of a playbook is a list, so the hyphen introduces a list, and each list entry is called a play. Within a play you can have a name field that gives you a way to describe it. So we're calling this one "update hosts". Hosts, which just like on the command line specifies which hosts that Ansible knows about in inventory are going to get run. So once again, we're going to do them all, all of our machines. And then we have an entry called tasks. So each of these is a dictionary key and then value. The tasks dictionary key is going to reference another list, and we have four entries in that list, and those are the four tasks that we're gonna run. So like when we're in ad hoc mode, you know, we're just doing one task at a time. Each of these represents one of those types of tasks. We can name each of our tasks, and then the main part is right here.
We say yum; that is the module that we're going to go ahead and use. The yum module, we're giving it a parameter, list, and we're telling it we want to list all the updates. So it's going to copy that yum module out to the remote system, and it's going to tell it to list the updates that are available on that system and return that information to us. Then we use register in order to register the results into this updates variable so we can access it later and use it in the play wherever we want to. You notice this is indented underneath yum; that means that it's a parameter of the yum module, whereas register is out one level, and that means that's a parameter of this task. So there are certain parameters that you can apply to any task, like register, and then the modules themselves also take parameters, and the indentation level kind of determines where those fall.

Second task here is debug. debug just prints something to the screen. So in this case, we're telling it take the var updates, and inside of updates there's an attribute, results, and we're going to print that to the screen. For the yum module, that's going to print a list of packages, so that's kind of what we want.

Next one is the pause module, and what pause does is it just pauses execution and it lets you decide what you want to do. So we're going to give it a prompt that says, okay, user, we want you to take a look at this list of packages. You want to apply them, hit enter. If you decide, oh, there's something dangerous in there, I don't want to do it, hit Control-C, A, and then it'll abort.

And then finally we're going to run the next task with sudo, the yum module again, but this time we're telling it, okay, for every single package that's installed, we want the latest version of that package. That will actually run the update.

So here's the output. Hey, one of the output. It starts out asking for the sudo password again; we hit a dash K.
So you can do that. Gathering facts: gathering facts is an implicit task that all the Ansible playbooks always do. What it does is it gathers information about the remote systems that it's talking to. So you can decide, for instance, oh, these hosts are running Fedora. And so then, if you wanted to, in your playbook you could do something like write a conditional that says if this is a Fedora machine or a Red Hat machine then use the yum module, if this is an Ubuntu machine or a Debian machine then use the apt module. And so you can manage a heterogeneous environment that way.

Then we get to our first task, which is that yum list one, and it goes out to the remote machine and looks up that information and then it returns it. It doesn't show it to us; instead it puts it in the register variable. It passes it to the debug task that we specified, and then the debug task goes ahead and prints out the information. So Ansible is going through and it's applying these tasks to each host that we specify. So if you notice, in the inventory, I used an inventory on the command line again, Fedora 20 and 21. So it's saying, okay, I have two hosts that I know about, so when you say do this to all the hosts, I mean these two hosts, because that's all it knows about. And so for each host it runs and it finds the results. So on one host it decides what we need design and they've updated it; on the other one, systemd, you got Python freeze, is what needs to be updated. And so then you say, okay, those sound safe. I mean, what could go wrong if we update something to do with systemd? You know, it's not like you can break the world. So we're gonna press enter, and then it goes ahead and updates the packages.

And then it tells us a little bit of a summary here of what happened. It says, all right, all of our changes are good: ok five, changed one, unreachable zero. So ok is saying we had five tasks.
They all completed successfully. Failed zero means none of them failed. Changed: we changed things on one host. Unreachable zero: all of those were contactable, we didn't, you know, have any time...

Config management is basically the same as orchestration, but the difference is kind of in what your goal is. So this is a playbook. It looks a lot like the other one. But when you are doing orchestration, you're really saying, okay, I want to do this thing, like I want to deploy my web application, and that might be, okay, check out from git, push the files up to the remote system, restart Apache. So every time you run that it's going to do these tasks. It's going to restart Apache every single time, for instance. So you're going to see these changes happen every single time. If you do it more than once, you might see them happen again and again and again. So if you're doing something like notifying afterwards, you have to be careful with those kinds of tasks, because, oh, if I just run this in a loop then it's going to notify me, you know, 20 times and send out an email for each of them. So with orchestration tasks, you're kind of training yourself: I don't want to run these over and over.

Config management tasks, when you write these you're taking care to say, okay, I don't want this to do anything if no changes occur, right? So if I'm not pushing out new things, I don't want anything new to happen. I don't want new notifications to go out and these things. So by writing a playbook for config management you're kind of training yourself:
I'm not going to do these things that are going to happen every single time. So it's good to separate them in your mind.

So we have hosts webservers this time. What we're going to do is we're going to say, well, if we have a web server, what is a web server? A web server is going to have Apache and mod_ssl for us. It's going to have our special config file, and that's how we're going to define our web server. So our tasks this time are yum again, the yum module: install the httpd and the mod_ssl package. You notice we use present instead of latest, and what that does is it says, are these packages available? Are these packages installed on the remote system? That way if they're already installed it won't do anything. Even if there's a later version it won't do anything. It'll just say, okay, these are present, we're all good.

Then the second thing is to use copy, and we're going to copy our httpd local.conf file that we have written up to Apache's config directory, and the copy module is smart enough that it says, okay, if it's present on the remote system and here then I don't have to do anything.

And then finally we're going to go ahead and make sure that Apache has been started and it's enabled on boot. And once again, if it's already started and running, it's not going to reload that. That does mean that if the config file changes, we won't get anything to change here, and that's kind of a personal decision. We can decide to do that in different ways.
For instance, handlers are probably a more appropriate way to do that. That way, whenever this task actually has a change, then go ahead and run the handler to restart. And that way, if you just run this playbook and no changes occur all the way through here, Apache does not get restarted, but if this is the first time running it on a new host, Apache will be started.

Okay, so that's a config management task. In terms of how it looks, it basically looks the same as an orchestration playbook.

So what is Lightsaber? Lightsaber was created by Ralph Bean and several of the Fedora infrastructure. They decided that the, you know, they use Ansible inside of the Fedora infrastructure to configure all of their machines, a little bit of Puppet that they're slowly phasing out, lots of Ansible to do that, and they wanted to be able to do the same thing for their... So they created this collection of playbooks that they're using to, you know, work on their home machines, deploy things there that they need. Like, okay, I want the same shell configuration, the same tmux configuration, same vim configuration for all of my machines when I have a user account on them. I want to be able to bring up a personal vanity web server. I want to have an IRC bouncer. And so they've just written these roles and said, oh well, I'm gonna share them with everyone else and see, you know, maybe they'll have ideas, maybe they'll find them useful.

So as opposed to the Fedora infrastructure repository of Ansible playbooks, these are just really experimental. They're meant to maintain home systems, so they're not always as polished. But, you know, people are playing around, finding the best practices as they go along.

So what did we get out of using Lightsaber?
Ansible is very, very flexible. You know, you create these playbook files, but it doesn't specify, oh, the playbook must live exactly in this one location, or I can break up these tasks into multiple playbooks, or I can have them in one playbook. You know, what's the best way to do it? So, you know, the flexibility is great when you've got a task and understand what you're doing and you can do exactly what you want. But when you're first starting out, you're like, well, I got all these choices, what do I do? So Lightsaber's kind of a skeleton. You check it out, you see what someone else has done and it's working for them, and then you can say, okay, well, I'm gonna like copy this and do it sort of the same. When you do that: okay, well, that works. I'm running into this problem, so I'm gonna change it. And so then you modify it, and, you know, it gives you the skeleton, this framework that you can start off with, but as you go along you can go ahead and, you know, make it maybe different.

And then it's also a way to share roles that work with Fedora and EPEL. So Ansible has a website, galaxy.ansible.com, where people upload their roles and then they can share them with the wider community. But the problem is that roles, playbooks can be very specific, you know, because you're configuring an operating system. They can be very specific to the operating system that you are configuring for. So if you find a role, it might be that the person who wrote it wrote it for Ubuntu, and when you try and use it for Fedora, all of a sudden things don't work. They're using the apt module. They have a package name and it doesn't match what Fedora calls the package, and so on. So if you get the roles from Lightsaber, then you know that they've been used on Fedora and EPEL, and therefore they're gonna work for you with a much higher likelihood.

Okay, let's do something with Lightsaber. First thing you have to do is you have to fork the repo.
It's up on GitHub under Ralph's account. And then I like to create a place to do my work. So inside of Lightsaber there's a directory called playbooks. So inside of the playbooks directory is kind of where you make your own configuration. So I made a directory with my username and I put config and actions inside of there, because like I was telling you earlier, you know, there's orchestration actions that you're gonna do, and there's configuration, which you're like, oh, I can run these in cron jobs about every one, two minutes; it's not gonna cause harm or anything, not just spew out email to me all the time. So that's kind of how I...

Then you want to create your own Ansible config file at the top level of the Lightsaber repo. They have an example, and theirs is basically this but with some comments. I like to create my own because, for instance, the inventory file, where we're going to store all the hosts that Ansible knows about, the inventory file, I like to put that inside of my own private playbook repo as well. The Ansible config that they ship with Lightsaber actually references a top-level inventory file where everyone is storing their hosts. And you can do that. What they're doing is they're creating a separate group inside for each person.
So Ralph has his all, like, belonging to a 3D group, and for me the CosMaker has his in a decos group. So you can do it that way. I just think it's cleaner to have a separate file. So I redefined that host file to be separate, inside of this playbook spadger directory.

Roles: I'll talk about roles a little bit. They're the way that you take your playbook and you just separate out the part that's going to be generic and applicable to anyone who wants to do a similar thing. So that roles path is going back to the top level of the Lightsaber repository, roles. I'll show you in a little bit.

The vault password file: vault is a way to encrypt secrets like passwords and shared tokens, certificates, different things that you don't want to be shared with the whole world. And in this repo, in the Lightsaber repo, they've got a little script called all paths. What's this? Saving your passwords into a single file. They have a script that helps manage that. I'm not going to get into it, but you can talk to Ralph Bean or Luke Macken or someone if you want to, and they'll tell you how this script works and how it manages the password for them.

SSH connection: this is kind of just optimization here. You can turn on pipelining. What pipelining does is... the way Ansible works is you install it onto your machine, your local laptop, your, you know, central server node, whatever, and then Ansible itself takes care of shipping the module that you're saying you want to invoke to the remote machine over SSH and then running it with Python. So yeah, pipelining is true: it takes that module and it pushes it to Python's standard in, and then Python executes it.
So you only need one SSH connection in order to do that. But, you know, if you have pipelining set to true, then Python has to realize that you're sending it the data as a pipe, and sometimes you can configure sudo or SSH and it allocates a TTY for it, and then Python gets confused, and when you do that then the module doesn't work. It thinks that it's an interactive session, and so certain syntax doesn't work the same in the interactive session. So if you're in an environment like that, where you can't change your sudo setting, then unset pipelining and that'll work around the problem.

SSH args are kind of another optimization. We're using it here for forwarding the SSH agent to the remote machine, and that works around some problems. For instance, if you're using the synchronize module, that uses rsync under the hood. rsync uses SSH to talk to another machine. So if you're going to synchronize and you don't have agent forwarding on, you can end up in a situation where you try and synchronize between two remote machines, you get to the first one successfully, it runs rsync and it's, oops, we've got a big error because I don't know how to authenticate to the other machine. Turning forward SSH agent on alleviates that kind of problem.

Okay, and then in terms of organizing your playbooks: so we've got this little directory off on our own. We want to drop our playbooks from before... they were standalone playbooks, right?
So like the configure Apache one, it had the configure Apache playbook, the YAML file, and then it had that one config file that we're copying. So we can just drop that in the config directory and, you know, anytime we want to bring up a new web server we can just run that from there and it will just work. The update hosts one, where we did the yum update, that's kind of an action, so I drop it in the actions folder. And that's all there is really to it, if that's all you want to do with it is, you know, have a way to organize your own stuff. But really, I mean, you're gonna want to get more in-depth with Lightsaber, right? So...

Inventory: so now, we've been doing the inventory purely on the command line. You know, you can give that -i switch and specify all of our hosts. But instead you can create a file that shows all the hosts that you know about. You can use groups, you can use aliases. There's a lot of things that you can do in the inventory file. You can go ahead and talk to me and I can tell you about them, but this is just a very simple inventory file. It's kind of an INI format. I've got localhost at the top. VM, a virtual machine group, and I put Fedora 21 and 22 because those are two virtual machines on my laptop. Bare metal: Rome, that's my laptop. Fedora: I decided that instead of relying on facts I'd create my own group and all my Fedora machines would be there, so that I could know, okay, I want to do yum update on the Fedora... And then this is a test hosts group, and by saying children there I'm saying take the children of this group and put it in there. So all of my VMs are test hosts.
So if I wanted to do something to all the ones that I call test hosts, then I can use that group name.

Alright, so Lightsaber: the roles that are currently in Lightsaber make use of certain variables that they want to have defined, so that, you know, free being stuff is different from your stuff, is different from my stuff. Like username: just the username that you're using on your local system, so that like if we're going to create a new user on a fresh install box... It doesn't use an HP... If you're using the IRC bouncer role, then it uses these two, the IRC nick and Twitter nick. So you just put those in. This is also for creating a new user account. So this is a dictionary, all users. Okay, it's a dictionary; I think the key is all users. And then we're going to create a list of users, each user in the list, you know, using the hyphen in the list, and then each of those is a dict, user. This one is used by the SSH Lightsaber role, permit root login. So it's got a little, you know, conditional inside of the role that says, okay, root login is true, then in our configuration of SSH we're gonna set it to allow root logins, and if it's false then we'll turn that off. And then the common role is also used to create you, and you can specify a shell there.

There are better ways to define variables and I'll get into some of those. But this is the way that, like, Ralph set up his stuff, so I wanted to show it to you, so that when you read it you don't think, oh well, it should do this one thing, but I don't see that var anywhere. So you can look at this. I'll show you another way to do it.

So roles: I talked about roles, mentioned them. I haven't really explained them. Roles encapsulate a set of tasks just like playbooks, but they're a way to make it more generic.
So in the playbook we specify, you know, the hosts, and there's other things you can specify at the playbook level, like variables and so on and so forth. So those are all kind of tied to your local environment. So the roles instead allow you to parameterize the variables so that when you run this action, this logical set of tasks, you're able to give it certain information, but somebody else who runs it can give it different information. Or if you have something like, oh, I want to install Apache on five different types of machines, one's a proxy server and one serves static web pages and one does this and one does that, being able to parameterize the role means that you can feed it different information depending on, you know, what exactly you want to do.

Okay, so Lightsaber ships with several roles. And so like if I wanted to set up an IRC bouncer, there is an IRC role in that top-level Lightsaber roles directory. So this is what my playbook would need to look like in order to set up my Fedora 21 host to have an IRC bouncer. Instead of a tasks area, I just say roles, use the role IRC, and that's it. You remember in the variables that we defined earlier, we defined a few user information used by the IRC bouncer role, so it's possible to pick those up. Ansible hands those off to the role, and the roles can substitute them into the files, as long as there's no bugs in that role, but, you know... So it makes things really simple if you can find a predefined role that already does what you want.

So let's create our own role and see what that looks like. Now you go to the top-level Lightsaber checkout directory and then into roles, and then you want to create your own directory for the role. Let's create one for fedmsg. So Ansible, like I said, has a website, galaxy.ansible.com, where users can upload roles.
So the command line tool that works with roles is ansible-galaxy, but it just really works with roles, not with Galaxy itself. So ansible-galaxy init fedmsg will create this directory structure that is proper for a role. cd into the fedmsg directory that I've created and you can take a look. It has a bunch of directories inside of it. Each directory can have YAML information or regular files. I will explain a few of them, and a few of them we don't really need at all, so you can feel free to remove all the ones that you don't need. So this is going to be a very simple role. We won't need to deal with handlers or meta. We'll use templates instead of files, and we'll use defaults instead of vars. So I'm just gonna get rid of those directories. If you want to know more about making roles, you can go ahead and ask me afterwards and we can go over some of the other things you can do.

So the first thing is you define your tasks. So this is like the tasks section of a playbook file. We don't have the hosts and other stuff up at the top, but we do have the tasks themselves. So in the tasks directory, there's a main.yaml file. Go ahead and put your three tasks in here that are kind of how we're going to define fedmsg. So we're going to use the yum module again. This time there's two packages that we have to install. Then we're going to configure it by using the template module instead of the copy module. I'll get into what the template module can do. And then we'll take this endpoint.py.j2 file, and because this is a role, it'll look for it in the templates directory, and we'll go ahead and run the template module to template in our variable, and then it'll drop it off on the remote machine, etc. And then we'll use service again, in your policy service, in order to restart the service on the remote machine. So this is like the tasks from the role. It's pretty simple.
Once you know how to make a playbook, this is just, you know, an extension of that.

Here's the template, endpoint.py.j2. We put it in that templates directory, so that means Ansible knows where to find it when it's processing this role. And it's just a basic fedmsg config file. If you fresh install the package and look at it, it looks almost exactly like this, except for this line here. You can see the double curly braces, fedmsg underscore server. That's a variable that we're going to set in Ansible, and then it will go ahead and substitute the value of the variable into the template before it pushes it over. That way, you know, at your site you can set fedmsg server to one thing, but at someone else's site they can set it to something else.

In the defaults subdirectory, we here are going to set that variable to some default value. And there's two ways you can set variables: there's the defaults directory and the vars directory. The reason I'm using defaults is that it's easier to override. So there's like a precedence order of where you can get vars from. The inventory files can hold variables, the playbooks themselves can hold variables, you can get them from all these places. The role defaults is kind of the lowest on the totem pole. So that means that, okay, we're going to set fedmsg server to localhost here, but anyone who wants to override this is going to have an easy time of doing it. If I put it in vars, it's like a higher precedence, so there's certain places where it will not override from. And so you use that for, you know, things that you're more sure you want.

This is what the role directory tree looks like now that we've got every file in place. There's the defaults subdirectory with the main.yaml; that's where we put the vars that we just saw. There's a README where you can add in information about your role if you want to let other people know what's going on. Tasks: this is where we put the main.yaml
that has the tasks just like in the playbook. Templates has endpoint.py.j2, and Ansible will then look in templates for that file whenever it's referenced from the template module.

Okay, and then, you know, back in our private little area here, we're going to set up the config for a fedmsg server. And this is what it looks like. You know, it's pretty much like the IRC one, except that instead of relying on the variables in Ansible... you can see that we're passing in the parameter here as another entry to this dictionary. So roles is the list of roles. We only have one role in this list. The role name is fedmsg, and then there's a comma, then we're setting fedmsg server, and it goes to Fedora 22. That's in fact as much beautiful and not a beautiful sign. Okay, so anyways, that will override the localhost that we had earlier and have Fedora 22 being substituted into the template.

So that's the end. If anybody has questions or comments or anything else... Here are some links. Ansible is written by Michael DeHaan. You can find it on GitHub, ansible/ansible. It's in the Fedora repo. Its home page is ansible.com. Lightsaber is written by Ralph, and its home page is there. And if you like this presentation software, that's where you get that.

Okay, questions? No questions? Yeah, go ahead.

So I noticed when you did the first few examples, you used the sudo, so it prompted you for a password. Where was it... was it prompting you for the... Where was it acquiring root? On the local machine, and then SSHing as root to the remote machine? Or was it SSHing as you and then acquiring root there?
So it SSHes as you. And you can set that as a variable as well, per host if you want to. So you can say, okay, I've got a site one user, and that's what I want; all of my customer site ones are going to use that user. So you can set ansible_ssh_user. It uses that user to SSH over, and then once it's there, then it uses sudo to get permissions.

Okay. Can it just use SSH keys without needing sudo at all?

Yes. So like the first...

Because mounting my home directory over NFS to everything would be bad.

Right.

Now I've got four Kerberos tickets in...

It's further back. I thought it was bad. It was waiting for it. So this one, if you notice, I've got sudo true here. So if I don't specify dash dash sudo on the command line, I have to just do dash capital K. It'll prompt for my sudo password. But for these, it will not use sudo. It goes, SSHes in and runs these commands, because they don't need to have root permissions. But then when it gets down here, then it will SSH in and use sudo, because you do need root permission for that.

Because I generally have like an SSH key, SSH key with a really big password, that lets me get in as root to all, yeah.

Yeah, so if you have root, just take out the sudo from everywhere and use ansible_ssh_user equal...

Oh, okay. And then it'll all SSH in.

Yep. Any other questions? Okay, great. We're done. If you want to, you know, talk to me about examples or anything, problems that you're having, feel free.

Nope.