🔆 How industries are solving challenges using Ansible

Aayushi Shah
12 min read · Dec 1, 2020

🔆 What is Ansible?

  1. Ansible is a software tool that provides simple but powerful automation for cross-platform computer support. It is primarily intended for IT professionals, who use it for application deployment, updates on workstations and servers, cloud provisioning, configuration management, intra-service orchestration, and nearly anything a systems administrator does on a weekly or daily basis.
  2. Ansible doesn’t depend on agent software and requires no additional security infrastructure, so it’s easy to deploy.
  3. Because Ansible is all about automation, it requires instructions to accomplish each job. With everything written down in simple script form, it’s easy to do version control.
  4. While Ansible may be at the forefront of automation, systems administration, and DevOps, it’s also useful to everyday users.
  5. Ansible allows you to configure not just one computer, but potentially a whole network of computers at once, and using it requires no programming skills.
  6. Instructions written for Ansible are human-readable. Whether you’re entirely new to computers or an expert, Ansible files are easy to understand.
  7. Designed for multi-tier deployments since day one, Ansible models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.
  8. It uses no agents and no additional custom security infrastructure, so it’s easy to deploy.
  9. Most importantly, it uses a very simple language, YAML, in the form of Ansible Playbooks, which let you describe your automation jobs in a way that approaches plain English.

Ansible Use Cases

Ansible is usually grouped with other configuration management tools like Puppet, Chef, SaltStack, etc., but it is not limited to configuration management. It can be used in many other ways, some of which are described below:

Provisioning: Your apps have to live somewhere. Provisioning covers PXE (Preboot eXecution Environment) booting and kickstarting bare-metal servers or virtual machines, and creating virtual or cloud instances from templates. For example, if I want to test the debug version of an application that is built with Visual C++, I have to meet some prerequisites, such as having the Visual C++ library DLLs (msvcr100d.dll). I will also need Visual Studio installed on my computer. This is where Ansible makes sure that the required packages are downloaded and installed in order to provision my application.

Configuration Management: It establishes and maintains consistency of the product performance by recording and updating detailed information which describes an enterprise’s hardware and software. Such information typically includes the versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices.

For example, if you want to install the new version of Tomcat on all of the machines in your enterprise, it is not feasible to go and update each machine manually. You can install Tomcat on all of your machines in one go with an Ansible playbook and inventory written in the simplest way. All you have to do is list the IP addresses of your nodes in the inventory and write a playbook to install Tomcat. Run the playbook from your control machine and it will be installed on all your nodes.
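The inventory and playbook described above could look like the following. This is an added example, not code from the original post; the IP addresses, the `deploy` login account, the `tomcat_nodes` group and the `tomcat9` package name (Debian/Ubuntu) are assumptions.

```yaml
# --- inventory.yml (constructed; 192.0.2.0/24 is a documentation address range) ---
all:
  children:
    tomcat_nodes:                     # hypothetical group name
      hosts:
        192.0.2.11:
        192.0.2.12:
        192.0.2.13:
      vars:
        ansible_user: deploy          # hypothetical unprivileged login account
---
# --- install_tomcat.yml ---
- name: Install Tomcat on every node listed in the inventory
  hosts: tomcat_nodes
  become: true                        # escalate per play instead of logging in as root
  serial: 1                           # one node at a time, so a bad change stops early
  vars:
    tomcat_package: tomcat9           # assumption: Debian/Ubuntu package and service name
  tasks:
    - name: Install the Tomcat package
      ansible.builtin.package:
        name: "{{ tomcat_package }}"
        state: present                # "latest" would move nodes to the newest packaged version

    - name: Ensure Tomcat is enabled and running
      ansible.builtin.service:
        name: "{{ tomcat_package }}"
        state: started
        enabled: true

    - name: Check that Tomcat answers on its default HTTP port
      ansible.builtin.uri:
        url: "http://localhost:8080/"
        status_code: [200, 404]       # any HTTP answer from Tomcat counts as "up"
      register: tomcat_probe
      retries: 5
      delay: 3
      until: tomcat_probe is succeeded
```

Saved as two files, this runs from the control machine with `ansible-playbook -i inventory.yml install_tomcat.yml`. Leaving SSH host key checking enabled means the control node refuses to push changes to a host whose key it does not recognise.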

Application Deployment: When you define your application with Ansible, and manage the deployment with Ansible Tower, teams are able to effectively manage the entire application life cycle from development to production.

For example, let’s say I want to deploy the Default Servlet Engine. There are a number of steps that need to be carried out to deploy the engine.

  • Move a .war application from dropins directory to apps directory
  • Add server.xml file
  • Navigate to the webpage to see your application.

There is no need to perform these steps one by one when we have a tool like Ansible. All you need to do is list these tasks in your Ansible playbook and Ansible will do them for you.

Security and Compliance: When you define your security policy in Ansible, scanning and remediation of site-wide security policy can be integrated into other automated processes, and it becomes integral to everything that is deployed. This means you configure your security details once on your control machine and they are embedded in all other nodes automatically.

Orchestration: Configurations alone don’t define your environment. You need to define how multiple configurations interact and ensure the disparate pieces can be managed as a whole. Out of complexity and chaos, Ansible brings order. Ansible provides Orchestration in the sense of aligning the business request with the applications, data, and infrastructure. It defines the policies and service levels through automated workflows, provisioning, and change management.

How Ansible works

In Ansible, there are two categories of computers: the control node and managed nodes. The control node is a computer that runs Ansible. There must be at least one control node, although a backup control node may also exist. A managed node is any device being managed by the control node.

Ansible works by connecting to nodes (clients, servers, or whatever you’re configuring) on a network, and then sending a small program called an Ansible module to that node. Ansible executes these modules over SSH and removes them when finished. The only requirement for this interaction is that your Ansible control node has login access to the managed nodes. SSH keys are the most common way to provide access, but other forms of authentication are also supported.

🔆 Ansible Architecture?

Ansible architecture is fairly straightforward. Refer to the diagram below to understand the Ansible architecture:

As you can see, in the diagram above, the Ansible automation engine has a direct interaction with the users who write playbooks to execute the Ansible Automation engine. It also interacts with cloud services and Configuration Management Database (CMDB).

The Ansible Automation engine consists of:

  • Inventories: Ansible inventories are lists of hosts (nodes) along with their IP addresses, servers, databases, etc. which need to be managed. Ansible then takes action via a transport: SSH for UNIX, Linux or networking devices and WinRM for Windows systems.
  • APIs: APIs in Ansible are used as transport for cloud services, public or private.
  • Modules: Modules are executed directly on remote hosts through playbooks. The modules can control system resources, like services, packages, or files (anything really), or execute system commands. Modules do this by acting on system files, installing packages or making API calls to the service network. There are over 450 Ansible-provided modules that automate nearly every part of your environment. For example:
      1. Cloud modules like cloudformation, which creates or deletes an AWS CloudFormation stack.
      2. Database modules like mssql_db, which removes MSSQL databases from remote hosts.
  • Plugins: Plugins allow Ansible tasks to be executed as a job build step. Plugins are pieces of code that augment Ansible’s core functionality. Ansible ships with a number of handy plugins, and you can easily write your own. For example:
      1. Action plugins are front ends to modules and can execute tasks on the controller before calling the modules themselves.
      2. Cache plugins are used to keep a cache of ‘facts’ to avoid costly fact-gathering operations.
      3. Callback plugins enable you to hook into Ansible events for display or logging purposes.

There are a few more components in Ansible Architecture which are explained below:

→Networking: Ansible can also be used to automate different networks. Ansible uses the same simple, powerful, agentless automation framework that IT operations and development are already using. It uses a data model (a playbook or role) that is separate from the Ansible automation engine and easily spans different network hardware.

→Hosts: The hosts in the Ansible architecture are just node systems which are getting automated by Ansible. It can be any kind of machine — Windows, Linux, RedHat etc.

→Playbooks: Playbooks are simple files written in YAML format that describe the tasks to be executed by Ansible. Playbooks can declare configurations, but they can also orchestrate the steps of any manual ordered process, even if it contains jump statements. They can launch tasks synchronously or asynchronously.

→CMDB: It is a repository that acts as a data warehouse for IT installations. It holds data relating to a collection of IT assets (commonly referred to as configuration items (CI)) and describes the relationships between such assets.

→Cloud: It is a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server. You can launch your resources and instances on cloud and connect to your servers.

So, now let us see a real-life example of how NASA and AWS have benefited through Ansible.

Ansible Case Study – A Real Life Usage by NASA

Let us consider the business challenge that was faced by NASA.

NASA needed to move 65 applications from a traditional hardware-based data center to a cloud-based environment for better agility and cost savings. The rapid timeline resulted in many applications being migrated ‘as is’ to a cloud environment. This created an environment which spanned multiple virtual private clouds (VPCs) and AWS accounts that could not be managed easily. Even simple things, like ensuring every system administrator had access to every server, or simple security patching, were extremely cumbersome.

The solution was to leverage Ansible Tower to manage and schedule the cloud environment.

Hence, to solve the problems that NASA had with lack of centralized management and a diverse environment, they evaluated multiple solutions and decided on an implementation of Ansible Tower. NASA is now leveraging Ansible Tower to manage their environment in a very organized and scheduled way.

How NASA is using Ansible:

Ansible Tower provided a dashboard showing the status summary of all hosts and jobs, which allowed NASA to group all contents and manage access permissions across different departments. It also helped to split up the organization by associating content and control permissions with groups.

Ansible Tower is a web-based interface for managing Ansible. One of the top items in Ansible users’ wishlists was an easy-to-use UI for managing quick deployments and monitoring one’s configurations. Ansible management came up with Ansible Tower in response.

Further, Ansible divided the tasks among teams by assigning various roles. It managed the clean up of old job history, activity streams, data marked for deletion and system tracking info. Refer to the diagram below to understand how Ansible has simplified the work of NASA.

As a result, NASA has achieved the following efficiencies:

• NASA web app servers are being patched routinely and automatically through Ansible Tower with a very simple 10-line Ansible playbook.

• Ansible is also being used to remediate security issues and was leveraged to remediate OpenSSL issues. This not only saved time but also allowed the team to quickly remediate a very daunting security issue.

• Every single week, both the full and mobile versions of www.nasa.gov are updated via Ansible, generally only taking about 5 minutes to do.

• OS level user accounts for mission critical staff are continually checked and created if missing. Now, everyone who needs access has access, even if that means adding or removing a user almost instantly from all servers.

• NASA has also integrated Ansible facts into their CMDB, CloudAware, for better management visibility of entire AWS inventory. As a result, it became possible to organize the inventory of AWS resources in a very granular way that was not possible before.

• Ansible is also used to ensure that the environment is compliant with necessary Federal security standards as outlined by FedRAMP and other regulatory requirements.
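The routine patching, OpenSSL remediation and account reconciliation listed above can be expressed in a single playbook. The following is an added sketch, not NASA's playbook and not code from the original post; it combines several of the bullets, and the `webservers` group, the `nginx` service name, the staff names and the `keys/<name>.pub` files on the control node are all assumptions.

```yaml
# patch_and_accounts.yml (added illustration; group, names and paths are assumptions)
- name: Patch web app servers and reconcile staff accounts
  hosts: webservers                   # hypothetical inventory group
  become: true
  vars:
    web_service: nginx                # hypothetical service linked against OpenSSL
    staff_present: [alice, carol]     # constructed sample names
    staff_absent: [bob]
  tasks:
    - name: Bring OpenSSL to the newest packaged version first
      ansible.builtin.package:
        name: openssl
        state: latest
      notify: Restart web service     # running processes keep the old library until restarted

    - name: Apply remaining pending updates on RHEL-family hosts
      ansible.builtin.dnf:
        name: "*"
        state: latest
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Apply remaining pending updates on Debian-family hosts
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      when: ansible_facts['os_family'] == 'Debian'

    - name: Create any staff account that is missing
      ansible.builtin.user:
        name: "{{ item }}"
        state: present
      loop: "{{ staff_present }}"

    - name: Install each user's public key and drop any other key
      ansible.posix.authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('ansible.builtin.file', 'keys/' + item + '.pub') }}"
        exclusive: true               # keys not listed here are removed from authorized_keys
      loop: "{{ staff_present }}"

    - name: Remove accounts of staff who no longer need access
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
      loop: "{{ staff_absent }}"

  handlers:
    - name: Restart web service
      ansible.builtin.service:
        name: "{{ web_service }}"
        state: restarted
```

Every task is idempotent, so scheduling the playbook repeatedly only changes hosts that have drifted. Running it with `--check --diff` first shows which accounts and packages would change without touching the servers.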

Results:

As a result of implementing Ansible, NASA is better equipped to manage its AWS environment. Ansible allowed NASA to provide better operations and security to its clients. It has also increased the team's efficiency.

If we see by the numbers:

  • Updating nasa.gov went from over 1 hour to under 5 minutes
  • Security Patching updates went from a multi-day process to 45 minutes
  • Achieving near real-time RAM and disk monitoring (accomplished without agents)
  • Provisioning OS Accounts across entire environment in under 10 minutes
  • Baselining standard AMIs (Amazon Machine Image) went from 1 hour of manual configuration to becoming an invisible and seamless background process
  • Application stacks set up time reduced from 1–2 hours to under 10 minutes per stack.

I hope you have enjoyed this blog and learned

The Power of AWS Meets Ansible Simplicity

Using Ansible to automate your applications in AWS greatly increases the chances that your cloud initiative will be a success. The breadth of AWS capability enables IT organizations to dynamically provision entire workloads like never before. To harness this power, IT organizations must effectively answer:

  • How can we control cloud deployments?
  • How does devops work in the cloud?
  • Will my deployments be secure?
  • How can we migrate existing apps to the cloud?

The answer? Automate with Ansible.

Manage Cloud Like Cloud with Ansible

When you deploy an application into AWS, you will soon realize that the cloud is much more than a collection of servers in someone else’s data center. You now have a fleet of services available to you to rapidly deploy and scale applications. However, if you continue to manage AWS like just a group of servers, you won’t see the full benefit of your migration to the cloud. Ansible automation can help you manage your AWS environment like a fleet of services instead of a collection of servers.

Ansible & AWS: Batteries included

From the beginning, Ansible has offered deep support for AWS. Ansible can be used to define, deploy, and manage a wide variety of AWS services. Even the most complicated of AWS environments can be easily described in Ansible playbooks. Once your AWS-based application environments are described with Ansible, you can deploy them again and again, easily scaling out to 100s or 1000s of instances across multiple regions, with the same results each and every time.

Out of the box, Ansible has nearly 100 modules supporting AWS capabilities, including:

AMI Management
Autoscaling Groups
CloudFormation
CloudTrail
CloudWatch
DynamoDB
ElastiCache
Elastic Block Store (EBS)
Elastic Cloud Compute (EC2)
Elastic IPs (EIP)
Elastic Load Balancers (ELB)
Identity Access Manager (IAM)
Kinesis
Lambda
Relational Database Service
Route53
Security Groups
Security Token Service
Simple Storage Service (S3)
Virtual Private Cloud (VPC)

Ansible also has over 1,300 additional modules to help you manage every aspect of your Linux, Windows, UNIX, network infrastructure, and applications, regardless of where they’re deployed. With Ansible, one common language can be used to describe everything deployed in your cloud (and your enterprise).

Control Cloud Sprawl with Dynamic Inventory

Now that you have deployed applications into the cloud, how do you keep track of what you have? Keeping accurate track of deployed infrastructure is a critical part of ensuring security policies are always followed and systems are properly managed through their lifecycles. You don’t want to be paying for services you don’t need.

With Red Hat® Ansible® Tower’s cloud inventory synchronization, you can know exactly what AWS instances you have no matter how they were launched. Simply enter your AWS credentials and your entire AWS infrastructure can be made available as resources to use in your Ansible automation jobs.

Safely Automating at the Speed of Business

When you only had one or two engineers working in AWS, everything seemed easy. Now that you’ve got ten or more, you need controls in place that restrict users’ ability to modify certain environments. Ansible Tower delivers with its extensive set of role-based access controls that ensures users will only have access to the AWS resources (networks, systems, security groups, etc.) that they require for their job. Plus, Ansible Tower encrypts credentials such as AWS and SSH keys so that you can delegate simple automation jobs to junior employees without giving out the keys.

Migrations Made Easy

Your CIO just mandated that you have to migrate dozens of workloads to AWS. With Ansible, you can use the same simple playbook language to manage your infrastructure and deploy your application. Use Ansible to define your application locally. Once you can repeatedly deploy that application locally, re-deploying it to a different infrastructure is as straightforward as defining your AWS environment, and then applying your application’s playbook. No more surprises.

We chose Ansible as our first orchestration solution for its simplicity combined with power.

Conclusion:

Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code. It runs on many Unix-like systems, and can configure both Unix-like systems and Microsoft Windows. Ansible solves many problems across industries.
