Ansiblefest London 2017

I had a surprise conference thrown at me this week. A colleague of mine had suddenly fallen ill and she wasn't able to attend Ansiblefest London, so Codeplay sent me instead. 9 hours later I'm at my hotel getting ready for the conference the next day.

This years Ansiblefest London was the biggest yet with over 800 attendees and the first London event to have multiple track. The lunch time sessions were split into Ansible Essentials, Tech Deep Dive, Solutions and Networking. There was a separate area for the Asking The Experts sessions.

Talks I Attended

State of Union

Mark Phillips - Senior Principle Product Manager @ Ansible

Justin Nemmers - General Manager @ Ansible

Mark Phillips opened Ansiblefest welcoming all the attendees to the conference and asked all attendees to read the code of conduct.

Phillips invited Justin Nemmers to the stage tod discuss Ansible's success. People love Ansible, twitter is full of images them wearing Ansible gear like socks and custom baby grows. Ansible has been a great hit in the Open Source ecosphere. Currently ranked in 10th place in GitHubs open-source community survey, the project has had over 2700 unique contributors

Ansible is part of the RedHat Management Group and has worked hard to permeate into all the products in the group:

Automation for individuals and teams is great but automated organizations are where the magic happens.

Nemmers wants Ansible to be a single language shared across the business. He has identified 3 barriers which need to be broken to over come silo'd automation.

  1. People problems: Skill gaps and organizational structures
  2. Point tools: Vendor specific tooling and expensive certificate training
  3. Pace of innovation: Requires integration across business domains

The Automated Enterprise: Start small, think big, drive change - Ansible, 2017

Product Highlights

Jason McKerr - Director of Engineering @ Ansible

Peter Sprygada - Senior Princple Engineer @ Ansible

Bill Nottingham - Senior Principle Product Manager @ Ansible

Jason McKerr discussed the focus for Ansible Core over the past year: Cloud, Content Delivery, Windows, Networking and Containers. With Ansible 2.4 they continue their continues that focus with Python 3 support, Ansible vault, continued Windows support, easier configuration and smarter Inventory.

McKerr confirmed that Ansible were still committed to open sourcing Ansible Tower and that it would be coming "within a years time"2.

Peter Sprygada provided the networking support update. Ansible has made great strides and their goal is to become the number 1 networking automation tool.

In only the past year, Ansible has come a long way:

Ansible now supports 29+ networking platforms and has formed close relationships with many platform vendors. This progress now allows network engineers to adopt the CI/CD workflows used by developers.

Bill Nottingham was next to provide an update on Ansible Tower.

Ansible 3.1 was released in February 2017 and brought with it:

Ansible Tower 3.2 which is coming later in 2017 year will be expanding on those features with:

Applying Ansible at HSBC

Mark Phillips - Senior Principle Product Manager @ Ansible

Richard Henshall - Chief Architect for Cloud @ HSBC

Mark Phillips interviewed Richard Henshall discussing how HSBC encouraged change and openness to bring about the worlds biggest DevOps revolution in over 30 data centres with thousands of engineers world wide.

Phillips asked Henshall how he has managed to bring this change to HSBC. Banks are known to be notoriously difficult businesses to change, commenting that change is hard but rarely technical. Henshall praised HSBC's commitment to his work helping bring improved services to their customers.

Henshall discussed bank regulators, how they are actually friends of the bank but are commonly used as a stick to beat businesses into following best practice. Banks handle this with lots of policy and procedures which harm innovation.

Soon teams were creating good work but not sharing it. They shoved their work into private git repos and questioned if they could even open source and share it.

Efficiency and Effectiveness Through DevOps

Lt Con Dorian Seabrook - Head of Operations, Information Application Service @ British Army

Aidan Beeson - Linux Technical Architect, Information Application Service @ British Army

The British Army is adopting DevOps. A hardware refresh brought attention to state of their infrastructure. This was the starting point to their journey to DevOps. First they moved to VMware from bare servers which sped up server deployment from years/months to days. This lead then started their adoption of Agile and to using CI/CD pipelines for projects. Soon after they went full DevOps for teams

The British Army's structure fits Agile and DevOps, they are experts in creating specialized cross skilled teams.

IAS run a typical business stack but HR deals with illness and wounded and their fleet tracking includes tanks.

Beeson Beeson described their infrastructure as legacy systems but using modern methodologies to improve their effectiveness.

Operations used to manage a rat's nest of documentation, scripts and configuration files to manage servers and services which needed to feed back to each other. The human factor, in addition to lots of interactions made mishaps and errors a regularity.

Beeson attend Ansiblefest London 2016 and moved the server configuration process to Ansible. Now everything is run in Ansible Tower, all within one year.

Keep Calm and Read the Manual

The military are used to following manuals. The manual now says run the correct job and if anything breaks get in touch with operations to fix it.

Beeson described that even though he was new to Python it was easy to write custom modules for Ansible for their password management system.

Automated Management of Shared Secrets

Doug Bridgens - DevOps Engineer @ Far Oeuf

A fellow Ansible from Auld Reekie! Unfortunately Bridgens was a quiet speaker and the setup for the demos was hard to see with such a small font. That being the case, the talk was still informative.

Plain text passwords, Plain text passwords everywhere

Bridgens wants the DevOps community to address the gap between DevOps and Security. Security is part of a product not a bolt on.

Security Policy
       |        Tooling,
       |        Political,
       |        and understanding
       |        gap
       v
 DevOps reality

Ansible vault makes storing passwords and API tokens more secure easier.

We can do even better with Ansible and Hashicrop Vault. Vault is shared secret storage servers access the vault through authentication tokens. The vault then tells the application that server/service is authenticated. The secret is never accessed outside of the vault. This allows easy rotation of secrets, keeping the keys to the castle safe.

Using Ansible you can automate password generation and submition to the vault. This leads to easy and regular password rotation and certificate rotation.

You can read about how to do this in Bridgens blog post.

Automating Your Infrastructure with Ansible

Fabio Alesscandro Locati - Senior Consultant @ RedHat

This talks was basically a verbalized version of Ansibles getting started page

Ten Thing I Hate About You: Managing Windows Like Linux with Ansible

Matt Davis - Senior Principle Software Engineer @ Ansible

Matt Davis was an energetic and clearly a passionate developer for Windows for Ansible.

1 - No SSH

Windows has no SSH but instead uses WinRM an HTTP API based on SOAP, XML and other goo. It is disabled by default and needs to be enabled so we can use it with Ansible. WinRM provides a batch logon which enables lots of restrictions for a session. Currently pywinrm is not a requirement for Ansible so you'll need to install it if you want to use WinRM.

2 - Powershell

Ansible is an agentless automation tool. Ansible achieves this on Linux because all modern distributions run Python by default. Windows doesn't, so instead all Window Ansible modules are implemented in Powershell. Powershell is Windows equivelant of Python. It is "just there" and provides powerful language with full access to the .NET framework.

3 - Package Installation/Maintenance

Almost all Linux distros have a package manager. Window has not adopted package management. There is however the Chocolatey project which bring this experience to windows. Using win_chocolatey you can download packages for Windows. For packages missing from Chocolatey there is win_package but you need to know the registry product ID.

4 - Reboots, oh the reboots

Whether it is installing updates or applications Windows loves to reboot. win_reboothandles this process easily in Ansible for us.

5 - Windows Update

win_updates makes updating easy with synchronous updates and it is designed to used the configured source for updating (WSUS/Windows Updates).

- win_updates
  register: wuout

- win_reboot
  when: wuout.reboot_required

6 - IIS1

Ansible can configure Windows ISS websites

7 - Registry

There typically aren't configuration files in Windows, instead it uses the registry. Ansible as two methods for managing registry entries:

8 - Services

Windows services can sometimes be tricky to manage but with win_services is designed to handle creating deleted, changing state and managing dependent services

9 - Domains

Ansible creates throwaway domains for managing Enterprise level identities with win_domain. Managing a Windows domain controller is apparently hellish 😈.

10 - ACLs

Windows does not have the same permission settings as Linux, they are more granular akin to SELinux setting. win_acl actually makes it easier than writing SDDL.

A Poem

I hate that your not SSH and the shell you call power.

I hate the way you install your apps. Windows updates make me glower.

I hate the way you must reboot and your web server ISS.

I hate your complex registry it always is a mess.

I hate your janky services and stupid domain auth.

And managing your ACLs is sure to make me wroth.

I hate your not Linux, that I have to learn you at all.

But with Ansible in my tool belt I don't hate you. Not even close. Not even a little bit. Not even at all.

Check out this post by James Hogarth in Fedora magazine, it's for anyone interested in Ansible Windows support.

From Dockerfiles to Ansible Container

Tomérš Tomeček - Senior Software Engineer @ RedHat

Tomérš Tomeček discussed the different pros and cons between using Docker and Ansible Containers for development.

Pros

Dockerfile/Compose Ansible Containers
Widely used Full Ansible Power
Docker Hub for images Role ready, not an image but a deployable unit of code3
Support lifecycle of application

Both projects make it easy to start a project. Provide consistent environments.

Cons

Dockerfile/Compose Ansible Containers
Compose is not powerful New things to learn
Cannot run commands easily in the container Ansible files are more complex than Dockerfile instructions
Can't have many defined environments in one file Not mature - yet
Service readiness checks are clunky
No support for variables
Dockerfile/compose are docker only
Missing docs for images
No idea what is in a file

Prep for 1.0

Fin

Thanks for reading this post! Checkout some previous Ansiblefest videos:

Footnotes:


  1. Thanks Jimbob0i0 for spotting that I wrote ISS not IIS. Although, that would be pretty cool marketing if Ansible was used to automate the ISS. 

  2. I didn't record the audio during the keynote, I remember hearing that while committed it was going to take a few years before it was ready. However, there seems to be a bit of confusion on what was said on stage. But good news! It should be out within a year. Thanks @dmsimard for setting the record straight 

  3. This originally said deplorable unit of code, which is pretty funny. Thanks Chillysurfer for spotting the mistake.