Ansible is an orchestration/automation tool, just like Chef or Puppet which are other alternatives to ansible, but ansible main advantage is that it can work through ssh, so target machines don't need ansible installed.
Big advantage is that it uses declarative playbooks (define what you want done) instead of imperative scripting (define what you want and how).
day-0;getallofyourinfrastructure;hardware/public-cloudetc.day-1;usesomethinglikeAnsibletosetuptheinfrastructurecomponents(EC2nodes,hardwareserversorGCEinstances)day-2;installk8sonthemtostartrunningcontainerizedworkloadsday-3;usek8snativemechanismstodeployandmanageandmonitorapplications (Day 2 and 3 is ideal, but i think we will just deploy the containers through our build system not k8s)
Ansible can help with availability, and we will use it to test, like if an ioc needs another ioc to run for testing, specifying which machine and what resources, ansible should handle that deployment.
Why Ansible
Reduces complexity and runs anywhere.
Lets you automate any task,
Manage and maintain system configuration
Agentless, the managed nodes only need to be accessible via ssh and sftp or scp, and python installed.
Quote from Developing modules — Ansible Community Documentation - 'If you need functionality that is not available in any of the thousands of Ansible modules found in collections, you can easily write your own custom module.' We can make our own as well which is important for like ioc deployment because thats a lot of manual steps
save the public key on this controller "/root/.ssh/id_ed25519.pub" to the target container at "~/.ssh/authrorized_keys"
2nd attempt
docker pull ubuntu
docker run -it -d -p 2200:22 --name ssh-access-server ubuntu:latest
docker exec -it ssh-access-server bash
apt update apt install openssh-server -y apt install vim -y vim /etc/ssh/sshd_config Search for PermitRootLogin and make it Yes service ssh start service ssh status passwd
TODO: 3rd attempt - try using any of the nodes in our ad-build-dev cluster as the managed nodes. (problem is they are inaccessible outside of the cluster), so may try vm's?
Ansible in Build System
TODO: need to figure out how we can roll out the ansible playbooks, for something like buildroot , like
Do we want it specified in the manifest (BOM) of the app
or do we want to have predefined playbooks for the control node and we just pass in arguments depending on the system
Ex use case: if a package needs updating, we just give an installer and some arguments like a filepath, and ansible will automatically handle that. A passive system if you will (it'll modify whenever changes are detected)
Then you would have to use ansible-navigator to actually run any playbooks against the execution environment. Think of it like this: one main controller/container that has ansible-navigator, which creates jobs that runs playbooks to other ansible runners (containers that run once and are killed once completed).
Potential solution: There is an open source automation controller Ansible AWX | Ansible Collaborative, which theoretically achieves the same goal as redhat automation controller, but its backed by the community rather than redhat
This provides web UI, REST API (for our backend to communicate/cli with), and task engine (to manage jobs/playbooks)
We may or may not need a fancy automation controller, if we did we'd use the open-source AWX.
What we will have is any change to configuration (Deployment database) through the CLI, would send a push event to the ansible controller, then that could start the playbooks.
And can have a slow loop that checks if the configuration actually matches whats deployed out there.
SLAC IT for example has an ansible configuration setup, they have all their playbooks in one repo, and a bunch of configuration files. Then they run it when they need to.
TODO: Practice some basic playbooks to get a feel, see above attempts, (Try docker one again?)