DevOps Tools - Ansible Automation
What is Ansible?
Ansible is a radically simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
Designed for multi-tier deployments since day one, Ansible models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.
It uses no agents and no additional custom security infrastructure, so it's easy to deploy - and most importantly, it uses a very simple language (YAML, in the form of Ansible Playbooks) that allows you to describe your automation jobs in a way that approaches plain English.
Ansible works by connecting to your nodes and pushing out small programs, called "Ansible modules", to them. These programs are written to be resource models of the desired state of the system. Ansible then executes these modules (over SSH by default), and removes them when finished.
Your library of modules can reside on any machine, and there are no servers, daemons, or databases required. Typically you'll work with your favorite terminal program, a text editor, and probably a version control system to keep track of changes to your content.
Ansible Use Cases
1. PROVISIONING
Automate, manage and connect all stages of an application lifecycle
From traditional bare metal through to serverless or function-as-a-service, automating the provisioning of any infrastructure is the first step in automating the operational life cycle of your applications. Ansible can provision the latest cloud platforms, virtualized hosts and hypervisors, network devices and bare-metal servers.
After bootstrapping, nodes can be connected to storage, added to a load balancer, security patched or any number of other operational tasks by separate teams. In essence Ansible becomes the connecting tool in any of your process pipelines – taking bare infrastructure right through to day to day management, automatically.
Provisioning with Ansible allows you to seamlessly transition into configuration management, orchestration and application deployment using the same simple, human readable, automation language.
Infrastructure Platforms
Baremetal
Underneath virtualization and cloud platforms there is always the physical server. When it's your own cloud or hypervisor system you still need to provision bare metal some of the time. Ansible integrates with many datacenter management tools to both invoke and enact the provisioning steps required.
Virtualized
Hypervisors, virtual storage and virtual networks – the transition from physical devices as the base platform has opened up increasingly diverse scenarios at previously unavailable scale. Tame the complexity with Ansible to simplify the experience of cross platform management. The large selection of available modules gives you the flexibility and choice to manage your diverse environment.
Networks
Ansible Network Automation allows users to configure, validate and ensure continuous compliance for physical network devices. Ansible is the only language that can easily provision across multi-vendor environments, often replacing the need for manual processes that exist across network environments.
Storage
Ansible can provision and manage the storage in your infrastructure. From software-defined storage, cloud based storage, or even hardware storage appliances, you can find a module to leverage Ansible’s common, powerful language.
Cloud
Public Cloud
Ansible is packaged with hundreds of modules supporting services on the largest public cloud platforms. Compute, storage and networking modules allow playbooks to directly provision these services. Ansible can even act as an orchestrator of other popular provisioning tools, giving you a high level, self documented, workflow.
Private Cloud
One of the easiest ways to deploy, configure and orchestrate OpenStack private cloud is using Ansible. Ansible can be used to provision the underlying infrastructure, install services, add compute hosts, and more. Once the underlying environment is provisioned, Ansible can also be used to provision resources, services, and applications inside of your cloud.
Self-Service with Ansible Tower
Red Hat Ansible Tower helps you scale IT automation, manage complex deployments and speed productivity. Centralize and control your IT infrastructure with a visual dashboard, role-based access control, job scheduling, integrated notifications and graphical inventory management. And Ansible Tower's REST API and CLI make it easy to embed Ansible Tower into existing tools and processes.
2. CONFIGURATION MANAGEMENT
Keep It Simple
It's likely you currently manage your systems with a collection of scripts and ad-hoc practices curated by a talented team of administrators. Or perhaps you're using an automation framework that requires a bit too much of your time to maintain. Virtualization and cloud technology have increased the complexity and the number of systems to manage is only growing.
You need a consistent, reliable and secure way to manage the environment - but many solutions have gone way too far the other direction, actually adding complexity to an already complicated problem. You need a system that builds on existing concepts you already understand and doesn’t require a large team of developers to maintain.
Ansible Makes IT Automation Accessible
Ansible is the simplest solution for configuration management available. It's designed to be minimal in nature, consistent, secure and highly reliable, with an extremely low learning curve for administrators, developers and IT managers.
Ansible configurations are simple data descriptions of your infrastructure (both human-readable and machine-parsable) - ensuring everyone on your team will be able to understand the meaning of each configuration task. New team members will be able to quickly dive in and make an impact. Existing team members can get work done faster - freeing up cycles to attend to more critical and strategic work instead of configuration management.
Ansible requires nothing more than a password or SSH key in order to start managing systems and can start managing them without installing any agent software, avoiding the problem of "managing the management" common in many automation systems. There's no more wondering why configuration management daemons are down, when to upgrade management agents, or when to patch security vulnerabilities in those agents.
Goal-Oriented, Not Scripted
Ansible features a state-driven resource model that describes the desired state of computer systems and services, not the paths to get them to this state. No matter what state a system is in, Ansible understands how to transform it to the desired state (and also supports a "dry run" mode to preview needed changes). This allows reliable and repeatable IT infrastructure configuration, avoiding the potential failures from scripting and script-based solutions that describe explicit and often irreversible actions rather than the end goal.
Secure & Agentless
Ansible relies on the most secure remote configuration management system available as its default transport layer: OpenSSH. OpenSSH is available for a wide variety of platforms, is very lightweight and when security issues in OpenSSH are discovered, they are patched quickly.
Further, Ansible does not require any remote agents. Ansible delivers all modules to remote systems and executes tasks, as needed, to enact the desired configuration. These modules run with user-supplied credentials, including support for sudo and even Kerberos, and clean up after themselves when complete. Ansible does not require root login privileges, specific SSH keys, or dedicated users, and respects the security model of the system under management.
As a result, Ansible has a very low attack surface area and is quite easy to deploy into new environments.
Batteries Included
Ansible features over 1,300+ modules in the core distribution, providing a great base to build automation upon. Ansible Galaxy also has over 4,000 community-provided roles that can be used immediately, tailored to your particular environment, or even used as templates for something new.
From services and databases to cloud providers, with Ansible you don't have to start from scratch.
3. APPLICATION DEPLOYMENT
Deploying Applications Shouldn't Be So Hard
Ansible is the simplest way to deploy your applications. It gives you the power to deploy multi-tier applications reliably and consistently, all from one common framework. You can configure needed services as well as push application artifacts from one common system.
Rather than writing custom code to automate your systems, your team writes simple task descriptions that even the newest team member can understand on first read - saving not only up-front costs, but making it easier to react to change over time.
Power Of The Playbooks
Repeatable & Reliable
Ansible allows you to write 'Playbooks' that are descriptions of the desired state of your systems, which are usually kept in source control. Ansible then does the hard work of getting your systems to that state no matter what state they are currently in. Playbooks make your installations, upgrades and day-to-day management repeatable and reliable.
Simple To Write & Maintain
Playbooks are simple to write and maintain. Most users become productive with Ansible after only a few hours. Ansible uses the same tools you likely already use on a daily basis and playbooks are written in a natural language so they are very easy to evolve and edit.
No Agent = More Secure, More Performance, Less Effort
Thanks to its agentless design, Ansible can be introduced into your environment without any bootstrapping of remote systems or opening up additional ports. Not only does this eliminate "managing the management," but system resource utilization is also dramatically improved.
Batteries Included
Leverage one giant toolbox. Shipping with over 1,300+ modules in the core distribution, Ansible provides a vast library of building blocks for managing all kinds of IT tasks and network software. With Ansible Galaxy, chances are there are community-contributed roles that can help get you started even faster.
Zero Downtime
As alluded to in the diagram above, Ansible can orchestrate zero downtime rolling updates trivially, ensuring you can update your applications in production without users noticing.
Super Flexible
Downloading artifacts from servers and configuring the OS are just the basics. Talk to REST APIs, update a team chat server with a heads up, or send an email - Ansible can drive all kinds of workflows.
Cloud Ready
Included modules manage not just the local computer system, but can interact with cloud services including Amazon AWS, Microsoft Azure, and more. And since all cloud APIs allow you to trivially inject SSH keys, you can start managing any cloud instance or network software without modifying the base image.
4. CONTINUOUS DELIVERY
Release Early & Often But Keep It Simple
We come from a long history of building software the "release early, release often" way. If release often is an ideal, continuous application delivery may be nirvana.
To do it right, automation is key - but so is simplicity. Your team needs the tools that enable quick turnaround, requiring human intervention only when necessary. That's what Ansible does with one of the easiest paths to continuous delivery in the industry.
Rolling Updates. Zero Downtime
Ansible provides true multi-tier, multi-step orchestration. Ansible's push-based architecture allows very fine-grained control over operations, able to orchestrate configuration of servers in batches, all while working with load balancers, monitoring systems, and cloud or web services. Slicing thousands of servers into manageable groups and updating them 100 at a time is incredibly simple, and can be done in a half page of automation content.
Call Your Play
Ansible lets you define "plays", which select a particular group of hosts and assign tasks to execute or roles for them to fulfill. The order in which these plays run, and the hosts on which they run, is tightly controlled by Ansible. For example, you might migrate a database schema and flush the caching servers prior to updating application servers by running one simple play. This is far better than just blasting out orders to servers.
Power Plus Simplicity, Across Your Environment
Stage & Test
Your Ansible inventory can be easily split to slice your environment up into different groups of machines. You can then easily test your plays with a staging machine and if tests pass, that can then be instantly run against production if you so choose.
Beyond Just Servers
We don’t stop at just servers. Ansible can work with networks, load balancers, monitoring systems, web services and other devices that might need touching during a rolling update. For example, you can add or remove servers from your load balancing pool and disable monitoring alerts for each machine that is being updated.
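The batched rolling update and load balancer handling described above, written out as a playbook. This is an added example, not taken from the original page or from the Ansible project; the group name, variables, package name and the lb-drain / lb-enable helper scripts are hypothetical.

```yaml
---
# Added example, not from the original page. The group name, variables,
# package name and the lb-drain / lb-enable helper scripts are hypothetical.
- name: Rolling update of the web tier
  hosts: webservers
  become: true                # escalate with sudo; no direct root login needed
  serial: 100                 # work through the group 100 hosts at a time
  max_fail_percentage: 10     # stop the whole run if >10% of a batch fails
  vars:
    app_version: "1.2.3"      # constructed value; pin versions, avoid "latest"
    lb_host: lb01.example.com # constructed load balancer management host

  pre_tasks:
    - name: Take this host out of the load balancer pool
      ansible.builtin.command:
        argv:
          - /usr/local/bin/lb-drain          # hypothetical helper script
          - "{{ inventory_hostname }}"
      delegate_to: "{{ lb_host }}"
      changed_when: true

  tasks:
    - name: Install the pinned application package
      ansible.builtin.dnf:
        name: "myapp-{{ app_version }}"
        state: present
      notify: Restart myapp

  handlers:
    - name: Restart myapp
      ansible.builtin.service:
        name: myapp
        state: restarted

  # Handlers notified above are flushed before post_tasks start. A host whose
  # update or health check fails never reaches lb-enable, so it stays drained.
  post_tasks:
    - name: Wait until the application port answers
      ansible.builtin.wait_for:
        port: 8080
        timeout: 60

    - name: Put this host back into the load balancer pool
      ansible.builtin.command:
        argv:
          - /usr/local/bin/lb-enable         # hypothetical helper script
          - "{{ inventory_hostname }}"
      delegate_to: "{{ lb_host }}"
      changed_when: true
```

Run it against a staging inventory with --check --diff first; command tasks are skipped in check mode, so the load balancer steps only execute in a real run.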
Simple Integration
Ansible fits into any existing development practice and can be integrated into any workflow by utilizing the Red Hat® Ansible® Tower API and the command-line interface. One common way to use Ansible is by calling it from a continuous integration (CI) system upon a successful application build:
- The CI asks Ansible to run a playbook that deploys a staging environment with the application.
- When the stage tests pass, it might then be asked to run a production deployment.
- Ansible can check out your artifacts from version control on each machine, or pull artifacts from the CI server, or from a package mirror.
5. SECURITY AUTOMATION
Orchestrate Enterprise Security Systems
Challenge
How can we integrate IT security teams and the security solutions they use in a fast paced environment?
Solution
The need to respond to security attacks manually is daunting. With Red Hat® Ansible® Automation Platform you can automate and integrate different security solutions that can investigate and respond to threats across the enterprise in a coordinated, unified way using a curated collection of modules, roles and playbooks.
Coordinate Enterprise Security Systems
Investigation Enrichment
Collect logs across firewalls, intrusion detection systems (IDS) and other security systems programmatically, enabling on-demand enrichment of triage activities performed through security information and event management systems (SIEMs).
Threat Hunting
Automatically tune the level of logging, create new intrusion detection system (IDS) rules and new firewall policies facilitating the detection of more threats in less time.
Incident Response
Remediate faster by automating actions like blacklisting attacking IP addresses or domains, whitelisting non-threatening traffic or isolating suspicious workloads for further investigation.
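A containment play for the IP blocking case above, with the input checks a responder would want before any firewall is changed. This is an added example, not from the original page; the group name, management CIDR and ticket id are constructed, and it assumes the ansible.utils collection (with the netaddr Python library) is installed on the control node.

```yaml
---
# Added example, not from the original page. Group name, CIDR and ticket id
# are constructed; requires the ansible.utils collection (and netaddr).
- name: Block or unblock a source address on edge hosts
  hosts: edge_hosts
  become: true
  vars:
    mgmt_cidr: 192.0.2.0/24        # constructed: network the control node uses
    block_state: present           # set to "absent" to lift the block
    ticket_id: IR-PLACEHOLDER      # placeholder incident reference

  tasks:
    # Reject CIDR ranges, typos and anything that would cut off management
    # access, so one bad parameter cannot lock responders out of the fleet.
    - name: Validate the request before touching any firewall
      ansible.builtin.assert:
        that:
          - blocked_ip is defined
          - blocked_ip is ansible.utils.ip_address
          - blocked_ip is not ansible.utils.in_network(mgmt_cidr)
          - block_state in ['present', 'absent']
        fail_msg: "Refusing: blocked_ip must be a single address outside {{ mgmt_cidr }}"

    # The module is idempotent: re-running the play does not stack duplicate
    # rules, and state=absent removes exactly the rule that was added.
    - name: Apply the DROP rule at the top of INPUT
      ansible.builtin.iptables:
        chain: INPUT
        action: insert
        source: "{{ blocked_ip }}"
        jump: DROP
        comment: "{{ ticket_id }}"
        state: "{{ block_state }}"
```

Pass the address at run time with -e blocked_ip=203.0.113.7 (a constructed documentation address). The rule lives only in the running iptables ruleset, so it has to be saved separately if it must survive a reboot.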
Ansible Automation is the common language between security tools
Security encompasses a broad variety of products and services designed to protect individuals and organizations from the loss or damage to their data, applications, IT systems, networks and devices from malicious or unintended activities.
Enterprise Firewalls
Firewalls control what traffic is allowed to traverse from one network to another, protecting line-of-business applications that are exposed to the internet or intranet. Ansible Automation can manipulate policies and log configuration, which speeds up investigation and remediation processes.
IDPS
Intrusion detection & prevention systems (IDPS) monitor network traffic for suspicious activity and issue alerts and block attacks when a known attack pattern is discovered. Ansible Automation can simplify rule and log management, making security operations more efficient.
SIEM
Security information and event management (SIEM) systems collect and analyze security events to help detect and respond to threats. Ansible Automation gives users programmatic access to a wide variety of data sources so security analysts can use as much data as possible to assess situations.
PAM
Privileged Access Management (PAM) tools monitor and manage privileged accounts and access, provide single sign-on (SSO) and supersede hardcoded passwords for services and applications. Ansible Automation streamlines the rotation and management of privileged credentials to automate the prevention and remediation of high-risk activities.
6. ORCHESTRATION
Complex orchestration? Simple solutions
Deploying a single service on a single machine can be fairly simple and you have lots of solutions to choose from. You can bake all your configuration into a virtual image, or you can run a configuration management tool (we recommend Ansible, of course). But no one deploys a single service on a single machine any more. Today’s IT brings complex deployments and complex challenges. You’ve got to deal with clustered applications, multiple datacenters, public, private and hybrid clouds and applications with complex dependencies. You need a tool that can orchestrate your complex tasks simply. You need Ansible.
Building order from chaos
Orchestration is about bringing together disparate things into a coherent whole. In the classical sense, you’ve got strings, brass, woodwinds and percussion, all with their own separate sheet music. It’s up to the conductor to ensure everyone is properly playing their part and organize them in order to produce harmony instead of cacophony.
Your application deployments are no different. You’ve got frontend and backend services, databases, monitoring, networks and storage. Each has its own role to play with its own configuration and deployment, and you can’t just turn them all on at once and expect that the right thing happens. What you need is an orchestration tool that can ensure all these tasks happen in the proper order - that the database is up before the backend server, that the frontend server is removed from the load balancer before it’s upgraded, that your networks have their proper VLANs configured. Ansible’s clear syntax and task-based nature make orchestrating these tasks easy.
Take this gig on the road
Once you’ve orchestrated and arranged your musical composition, it becomes available for anyone to use at any level - from the London Philharmonic to your local middle school concert band. Similarly, Ansible’s orchestration allows you to define your infrastructure once and use it wherever and however you need. Once you’ve got Ansible playbooks that describe your multi-node production infrastructure, you can then use the same orchestration to deploy it on your laptop for testing. Or in your private OpenStack cloud for testing. Using Ansible’s roles for reusability and Ansible’s extensive library of modules makes it easy to replicate your complex deployments wherever needed.
Your software stack, simplified
There are many different kinds of complex IT orchestrations. Let’s take OpenStack as an example. The OpenStack cloud platform is built on a variety of separate interlocking services - including separate services for storage, networking, identity and more. Each of these services has their own dependencies on other services and other components and each has their own separate configurations and sequences for deployment and upgrading. Attempting to deploy, operate and upgrade an OpenStack cloud can be a complex and daunting task.
That’s why, across the industry, Ansible is used to orchestrate OpenStack rollouts. Companies like Rackspace, CSC, HP, Cisco and IBM rely on Ansible to keep their OpenStack clouds available simply and securely.
Conducting the conductors
The need for orchestration in complex IT environments is not new and you’ll find that many ecosystems have their own orchestrators already. Tools like OpenStack’s Heat, Amazon’s CloudFormation, or Docker’s Swarm are all about orchestrating tasks in those environments. But what are the chances that you’re going to be able to constrain your orchestration to just one environment?
That’s where Ansible comes in. Ansible’s library of modules and easy extensibility make it simple to orchestrate different conductors in different environments, all using one simple language. Your admins don’t need to remember 12 different syntaxes - now they can concentrate on one.
You've freed yourself, now go and free the others
You’ve written your Ansible playbooks and orchestrated your deployments and rollouts. You can now kick back and relax… but how do you let everyone else do so as well? That’s where Red Hat® Ansible® Tower comes in. With Ansible Tower’s self-service surveys, you can delegate your complex orchestration to whomever in your organization needs it. Sales team needs to set up customer environments? Just enter a couple of parameters, click and go - everything is provisioned and set up for them. With Ansible and Ansible Tower, orchestrating the most complex tasks becomes merely the click of a button even for the non-technical people in your organization.