
ANSIBLE FROM CLI TO TOWER

Flávio Andrade

Platform Technical Account Manager

fandrade@redhat.com

Aug/2018

Ansible Super Powers


Why are companies adopting Ansible?

Ansible is the smoothest way to automate your IT!

SIMPLE

POWERFUL

AGENTLESS

Ansible Playbooks

    ---
    - hosts: webservers
      vars:
        http_port: 80
        max_clients: 200
      remote_user: root
      tasks:
        - name: ensure apache is at the latest version
          yum: name=httpd state=latest
        - name: write the apache config file
          template: src=/srv/httpd.j2 dest=/etc/httpd.conf
          notify:
            - restart apache
        - name: ensure apache is running (and enable it at boot)
          service: name=httpd state=started enabled=yes
      handlers:
        - name: restart apache
          service: name=httpd state=restarted

Simple and powerful automation tool!

TOWER EXPANDS AUTOMATION TO YOUR ENTERPRISE.

CONTROL: Scheduled and centralized jobs

KNOWLEDGE: Visibility and compliance

DELEGATION: Role-based access and self-service

AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE.

SIMPLE: Everyone speaks the same language

POWERFUL: Designed for multi-tier deployments

AGENTLESS: Predictable, reliable, and secure

WHAT IS ANSIBLE TOWER?


Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation – with a UI and RESTful API.

Role-based access control keeps environments secure, and teams efficient.

Non-privileged users can safely deploy entire applications with push-button deployment access.

All Ansible automations are centrally logged, ensuring complete auditability and compliance.


WHAT PROBLEMS DOES IT SOLVE?

Ansible solves the problem of automating and orchestrating

Does not address bigger picture security/compliance

• Only respects security in place at host user level

• No abstraction of remote host or cloud credentials from user

• No guarantee of execution parameters or integrity of Playbook as designed by the team

Tower spotlights security considerations and provides predictability

• Role-based access control and secure credential storage

• API integrations, accountability and execution history

• Abstracts security from the user

ANSIBLE TOWER FEATURES

DELEGATE ANSIBLE TO ANYONE

EMPOWER YOUR TEAMS INSIDE AND OUTSIDE OF OPERATIONS

Connect to your LDAP, AD, SAML and other directories

Full role-based access control engine

Store credentials for use without exposure

Enable users to automate without previous Ansible knowledge

Find relevant information more quickly

Simple surveys configure automation at run-time

Workflows chain together automations to orchestrate more of your infrastructure

REST API allows integration into your existing processes and tools

Add capacity by adding more Tower front-end instances to the cluster

KNOWLEDGE IS KEY

ENSURE ENVIRONMENT CONSISTENCY

All automation securely logged in Tower

Use Tower’s activity stream for auditing

Notifications automatically alert the channel of your choice

Enterprise Logging Support automatically pushes results to external aggregators

CLI and the Tower Equivalent - RBAC

A UI login account does not mean you execute in your own shell account (no matter which auth integrations are used)

The execution environment is built from everything configured, but the run is ultimately performed as the awx user at the command-line level.

Repeatability and Consistency are the Goal of Security Abstraction

The ability to use, but not expose, credentials, inventory, playbooks and secure vars is key to allocating a user’s role within the organization.

CLI and the Tower Equivalent - Credentials

From CLI to Tower - Credentials from both:

~/.ssh/id_rsa (SSH keys, or username/password etc.)

Windows usernames/passwords

Cloud credentials/API credentials (like ~/.boto )

Networking devices username/password

SCM (Usually also an SSH key, but possibly username/password)

CLI and the Tower Equivalent - Inventory

$ ls ~/inventory/cloud/
openstack.ini openstack.py group_vars hosts

CLI and Tower can both mix dynamic and static sources

Group_vars and host_vars can also be static or dynamic

Like CLI:

Variables and namespaces are collapsed at run time; similar scripts overwrite each other

INVENTORY CONSIDERATIONS

Groups are not hierarchies; they are Venn diagrams

• “Type” groups can overlap with “location” groups

• Bare groups (not groups of groups) should be as specific as possible

• Groups of groups should not have variables that overlap with those of bare groups

Group variables can overstep each other in unpredictable ways

Variable precedence is key to knowing where to put your variables
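A check for the overlap problem described above, as an added example (not part of the original slides): it reports every host that belongs to two groups defining the same variable with different values. The inventory layout, group names and values are constructed for illustration.

```python
from itertools import combinations

# Constructed sample inventory: group -> member hosts and group variables.
# "Type" groups (webservers, dbservers) overlap with "location" groups.
INVENTORY = {
    "webservers": {"hosts": {"web1", "web2"},
                   "vars": {"http_port": 80, "ntp": "ntp-a"}},
    "dbservers":  {"hosts": {"db1"},
                   "vars": {"ntp": "ntp-a"}},
    "london":     {"hosts": {"web1", "db1"},
                   "vars": {"ntp": "ntp-lon", "http_port": 80}},
    "paris":      {"hosts": {"web2"},
                   "vars": {"ntp": "ntp-a"}},
}


def find_collisions(inventory):
    """Return {(host, var): {group: value}} where overlapping groups disagree."""
    collisions = {}
    for g1, g2 in combinations(sorted(inventory), 2):
        shared_hosts = inventory[g1]["hosts"] & inventory[g2]["hosts"]
        if not shared_hosts:
            continue  # the two groups never meet on a host
        v1, v2 = inventory[g1]["vars"], inventory[g2]["vars"]
        for var in v1.keys() & v2.keys():
            if v1[var] == v2[var]:
                continue  # same value in both groups: harmless duplication
            for host in shared_hosts:
                entry = collisions.setdefault((host, var), {})
                entry.update({g1: v1[var], g2: v2[var]})
    return collisions


if __name__ == "__main__":
    for (host, var), values in sorted(find_collisions(INVENTORY).items()):
        print(f"{host}: '{var}' is set differently by {values}")
```

Each reported pair is a variable whose final value depends on merge order, so it is a candidate for moving to a single, more specific group or to host_vars.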

ORGANIZATION AND RBAC CONSIDERATIONS

Multiple Inventories may be needed

• Network automation may not need to have app/cache/db hosts in their inventory

• Multiple Cloud Dynamic Sources will overwrite each other

Things that “just work” for CLI may need consideration in Tower

• Execution isolation means config files at ~/.* need to be placed for AWX user in Tower

• Bubblewrap isolates Tower runs to project/Playbook directory (can’t write to /tmp locally, etc.)

SCM is to your advantage:

• Playbook projects for different teams/orgs can utilize forks, branch tags

• Roles don’t need one monolithic repository

CLI and the Tower Equivalent - Projects

$ ls lamp-playbooks/

playbook.yml

site.yml

roles/

uninstall.yaml

Projects are:

A directory containing your playbooks and roles

Local disk or remote SCM

Able to be assigned via RBAC

CLI and the Tower Equivalent - Job Templates

Job Templates are the UI representation of each option of the ansible-playbook command, including:

Connection information

Playbook to run

Inventory specifications (inventory and target groups)

Privilege escalation

General options under “man ansible-playbook”

$ ansible-playbook site.yml \
    -e "var=extra" --ask-vault-pass -i inventory -b \
    --private-key=~/.ssh/id_rsa -u user1 \
    -t tag1 --skip-tags=SKIP_TAGS
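The mapping described above, as an added example (not part of the original slides): it parses the command line from the slide and separates what belongs in a job template from what belongs in Tower credentials. The template keys follow the job template field names of the Tower/AWX API; the layout of the `credentials` dictionary and the placeholder text are this example's own.

```python
import argparse
import shlex

# Command from the slide above, written with plain ASCII quotes.
CLI = ('ansible-playbook site.yml -e "var=extra" --ask-vault-pass '
       '-i inventory -b --private-key=~/.ssh/id_rsa -u user1 '
       '-t tag1 --skip-tags=SKIP_TAGS')


def build_parser():
    """Parser for the subset of ansible-playbook options shown on the slide."""
    p = argparse.ArgumentParser(prog="ansible-playbook", add_help=False)
    p.add_argument("playbook")
    p.add_argument("-e", "--extra-vars", action="append", default=[])
    p.add_argument("-i", "--inventory")
    p.add_argument("-b", "--become", action="store_true")
    p.add_argument("-u", "--user")
    p.add_argument("-t", "--tags", action="append", default=[])
    p.add_argument("--skip-tags", action="append", default=[])
    p.add_argument("--private-key")
    p.add_argument("--ask-vault-pass", action="store_true")
    return p


def split_cli(command):
    """Split a CLI invocation into job-template settings and credentials."""
    args = build_parser().parse_args(shlex.split(command)[1:])
    template = {
        "playbook": args.playbook,
        "inventory": args.inventory,  # in Tower: a reference to an inventory
        "extra_vars": dict(kv.split("=", 1) for kv in args.extra_vars),
        "become_enabled": args.become,
        "job_tags": ",".join(args.tags),
        "skip_tags": ",".join(args.skip_tags),
    }
    # Secrets never go into the template; they become Tower credentials
    # that a user can be allowed to use without being able to read them.
    credentials = {}
    if args.user or args.private_key:
        credentials["machine"] = {"username": args.user,
                                  "ssh_key_file": args.private_key}
    if args.ask_vault_pass:
        credentials["vault"] = {"vault_password": "<stored in Tower>"}
    return template, credentials


if __name__ == "__main__":
    tmpl, creds = split_cli(CLI)
    print("job template:", tmpl)
    print("credentials :", creds)
```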

Red Hat Ansible Tower Integration

INTEGRATED INTO TOOLS YOU ALREADY USE

Ansible Tower can be integrated with:

Red Hat Satellite

Red Hat CloudForms

Red Hat OpenStack

Red Hat OpenShift

RED HAT Ansible Tower benefits

IMPROVE SECURITY, AUDITING, AND WORKFLOW CI/CD

Red Hat Ansible addresses key business concerns to help IT quickly and effectively address provisioning and orchestration with CI/CD and auditing

Avoid downtime: Correct issues, such as security vulnerabilities and configuration errors, faster than manual intervention, which could impact business operations

Boost security: Maintain control of configuration files and of the versions of tools installed on a system, with auditing of actions and comparative dashboards

Workflow Automation & CI/CD: Take advantage of the idempotence of playbooks with workflow automation, ensuring continuous integration and continuous delivery

RED HAT ANSIBLE TOWER

BENEFITS SUMMARY

With Red Hat Ansible Tower you can configure, orchestrate and automate all infrastructure from a single dashboard, and by integrating with other Red Hat tools Ansible Tower can be even more powerful

Ensure automation from a single dashboard

Increased efficiency

Faster provisioning, avoiding human intervention

RED HAT ANSIBLE TOWER

OFFERING CHOICE BASED ON CUSTOMER NEEDS

Single Dashboard

Real-time job status updates

Multi-playbook workflow

Who ran what job when

Scale capacity with Tower cluster

Integrating notifications

Schedule Ansible jobs

Manage and track your entire inventory

Simplified self-service

Remote command execution

Comprehensive REST API

Tower CLI tool

RED HAT ANSIBLE TOWER

DEMO SESSION

RED HAT ANSIBLE TOWER

ADDITIONAL REFERENCES

THANK YOU

plus.google.com/+RedHat

facebook.com/redhatinc

linkedin.com/company/red-hat

twitter.com/RedHatNews

youtube.com/user/RedHatVideos