Configuration management is an essential competency when running production systems. It lets you define the intended state of your servers as code rather than through manual effort, which saves a great deal of time and makes every change repeatable and reviewable.
Throughout my career I have used Ruby-based configuration management tools such as Puppet and Chef; recently, however, I have started to use Ansible for client projects.
Ansible is accessible to newcomers because:
- no programming experience is required; playbooks are plain YAML;
- no centralized server or agent is required; Ansible pushes changes to managed hosts over SSH.
For these reasons, you may decide to try Ansible for managing your own infrastructure. This article provides some recommendations to help quickly get up and running.
Organize Your Ansible Files
The Ansible documentation provides a sample directory layout for organizing an Ansible repository. It keeps inventory variables in separate group_vars/ and host_vars/ directories and splits each role into tasks, handlers, templates, files, vars and defaults subdirectories, so a reader can quickly find where a given host's settings or a given role's logic lives.
Don’t Put Secrets in Variable Files
As your Ansible project matures, it is very likely that you will need to manage secrets. Resist the temptation to put credentials directly into variable files. Doing so is a serious security risk, and once a plaintext secret is committed to revision control it lives on in the history: the only real fix at that point is to rotate it.
Ansible provides the ansible-vault tool, which encrypts a variable file with a symmetric key derived from a shared password (the vault password). For example, here is how to create a vault file for a web role:
ansible-vault create group_vars/web/vault
Variables stored in a vault file cannot be read or grepped without decrypting the file first, so I recommend giving every encrypted variable a vault_ prefix and defining a reference to it in a corresponding plaintext var file. Playbooks and templates then use the plain name, and a search of the repository still shows where each secret is used:
svc_api_creds: "{{ vault_svc_api_creds }}"
Finally, when running ansible-playbook, pass --ask-vault-pass (interactive) or --vault-password-file (non-interactive) to supply the vault password. The password file must itself stay out of revision control and be readable only by the user or CI job that runs the playbook; otherwise encrypting the vault buys you nothing. Also set no_log: true on tasks that handle the decrypted values, or the secrets will show up in playbook output and CI logs.
Of course, Ansible can also fetch secrets at runtime through lookup plugins from your existing password manager or from an enterprise secrets store such as HashiCorp Vault, so that nothing secret, encrypted or not, lives in the repository at all. Ansible Vault is a good first step in the absence of these.
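As an added example (not code from the original article), here is a POSIX sh pre-commit hook that enforces the two conventions above: every file named vault* under group_vars/ or host_vars/ must carry the header that ansible-vault writes on encrypted files, and no plaintext variable file may define a top-level vault_ key, since with the indirection pattern such a key is a leaked secret. The sample repository fragment it builds is constructed for the demonstration; the file names and the vault_ prefix follow the article, and the script path check_vault.sh is an assumption.

```sh
#!/bin/sh
# Added example: pre-commit guard for Ansible vault hygiene (not from the article).
# ansible-vault writes a header of the form "$ANSIBLE_VAULT;1.1;AES256" (or
# ";1.2;AES256;<vault-id>") on the first line of every encrypted file, so a
# vault file without that header has been committed in plaintext.

# vault_is_encrypted FILE -> 0 if FILE starts with the ansible-vault header
vault_is_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# check_vault_files ROOT -> 0 if every group_vars/host_vars vault* file is encrypted
# (file names are assumed not to contain whitespace)
check_vault_files() {
    status=0
    for f in $(find "$1" \( -path '*/group_vars/*' -o -path '*/host_vars/*' \) \
                    -type f -name 'vault*'); do
        if ! vault_is_encrypted "$f"; then
            echo "ERROR: $f is not encrypted with ansible-vault" >&2
            status=1
        fi
    done
    return $status
}

# check_plaintext_vault_vars ROOT -> 0 if no *.yml/*.yaml file other than a vault
# file defines a top-level vault_* key; with the indirection convention
# (svc_api_creds: "{{ vault_svc_api_creds }}") such a key is a leaked secret
check_plaintext_vault_vars() {
    status=0
    for f in $(find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) ! -name 'vault*'); do
        if grep -qE '^vault_[A-Za-z0-9_]+:' "$f"; then
            echo "ERROR: $f defines a vault_ variable in plaintext" >&2
            status=1
        fi
    done
    return $status
}

# make_sample_tree -> path to a constructed repository fragment (demo data only):
# web has an encrypted vault, db has a vault that was never encrypted, and
# db/vars.yml leaks a vault_ key.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/group_vars/web" "$dir/group_vars/db"
    printf '$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n' > "$dir/group_vars/web/vault"
    printf 'svc_api_creds: "{{ vault_svc_api_creds }}"\n' > "$dir/group_vars/web/vars.yml"
    printf 'vault_db_password: hunter2\n' > "$dir/group_vars/db/vault"
    printf 'vault_db_password: hunter2\n' > "$dir/group_vars/db/vars.yml"
    echo "$dir"
}

# Hook entry point: `sh check_vault.sh .` from the repository root exits non-zero
# when either check finds a problem. Without arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
    rc=0
    check_vault_files "$1" || rc=1
    check_plaintext_vault_vars "$1" || rc=1
    exit $rc
fi
```

Wire it in as .git/hooks/pre-commit (or a pre-commit framework hook) and as the first step of the CI pipeline, so a plaintext vault never reaches the shared history in the first place.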
Ansible-Lint Is Your Friend
As with any software project, it is important to continually verify that your playbooks are syntactically correct and follow accepted style and best practices.
The tool ansible-lint exists for this purpose and, just like any other code linter, can be run from a pre-commit hook or from a CI pipeline triggered by a pull request:
ansible-lint --offline -p site.yml
Option --check Is Also Your Friend
The --check option to ansible-playbook lets you dry-run your playbooks before allowing them to change production. This serves as a useful smoke test to catch errors and to verify that the resources reported as changing are the ones you intend; adding --diff shows the exact file content that would change. Bear in mind that check mode only predicts what modules that support it would do: tasks that run arbitrary commands or that have check mode disabled are skipped, so a clean dry run is a strong signal, not proof.
I recommend adding a --check --diff run to your CI pipeline to provide feedback on pull requests. That job needs the inventory, SSH access to the hosts and the vault password, so treat it as a privileged job and keep it separate from untrusted contributions.
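To make the lint and dry-run recommendations concrete, here is an added example of a CI gate script (not code from the original article). It runs ansible-lint, then ansible-playbook in check mode, and parses Ansible's PLAY RECAP summary so the pipeline fails if any host failed or was unreachable and reports how many tasks would change. The site.yml and hosts names follow the article; the recap text used to exercise the parser is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the article): CI gate that lints the playbook, then
# runs it in check mode and parses Ansible's PLAY RECAP lines, e.g.
#   web1 : ok=5 changed=1 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
# Only the recap section of the output is inspected.

# sum_recap_field FIELD FILE -> FIELD (ok, changed, failed, ...) summed over hosts
sum_recap_field() {
    sed -n '/^PLAY RECAP/,$p' "$2" | grep -o "$1=[0-9]*" | cut -d= -f2 \
        | awk '{ s += $1 } END { print s + 0 }'
}

# recap_is_clean FILE -> 0 when no host failed or was unreachable in the dry run
recap_is_clean() {
    [ "$(sum_recap_field failed "$1")" -eq 0 ] &&
    [ "$(sum_recap_field unreachable "$1")" -eq 0 ]
}

# ci_gate PLAYBOOK INVENTORY -> non-zero exit fails the pipeline. The check run
# still decrypts vault files, so the job must supply --vault-password-file or
# an equivalent; here it is assumed to come from the environment (ANSIBLE_VAULT_PASSWORD_FILE).
ci_gate() {
    playbook=$1 inventory=$2 log=$(mktemp)
    ansible-lint --offline -p "$playbook" || return 1
    ansible-playbook -i "$inventory" --check --diff "$playbook" | tee "$log"
    recap_is_clean "$log" || { echo "dry run reported failed/unreachable hosts" >&2; return 1; }
    echo "tasks that would change (summed over hosts): $(sum_recap_field changed "$log")"
}

# sample_recap -> constructed recap (not real output) used to exercise the parser
sample_recap() {
    cat <<'EOF'
TASK [web : deploy nginx config] ***********************************************
changed: [web1]
changed: [web2]

PLAY RECAP *********************************************************************
web1                       : ok=5    changed=1    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
web2                       : ok=5    changed=2    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
db1                        : ok=3    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
EOF
}

# Usage in CI: `sh ci_gate.sh site.yml hosts`
if [ "$#" -eq 2 ]; then
    ci_gate "$1" "$2"
fi
```

Printing the summed changed count on every pull request gives reviewers a quick sanity check: a one-line template tweak that claims to change dozens of tasks deserves a second look before it is merged.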
Use ansible-mitogen to Speed Things Up
My final recommendation, especially if you manage a large number of servers, is to try using ansible-mitogen to reduce your playbook’s runtime:
pip install ansible mitogen
ansible-galaxy collection install serverscom.mitogen
ANSIBLE_STRATEGY=serverscom.mitogen.mitogen_linear ansible-playbook -i hosts site.yml
Mitogen's authors report speedups of up to 7x on large inventories. Because it replaces Ansible's connection and strategy layer, check the collection's compatibility notes for your Ansible version and trial it with --check against a non-production inventory before relying on it.
Conclusion
Ansible is a very popular configuration management tool for Linux systems. To ensure that your playbooks are applied reliably, securely and quickly, consider the above recommendations when adopting the tool.
I’ve used tools like Ansible for over a decade. Need help bringing order to the chaos in your infrastructure? Reach out and let’s discuss how I can help you!
(Image credit: Christina Morillo)