Thursday, February 28, 2013

All your servers are belong to Ansible.

So say you've got a few *NIX servers of various flavors, a dozen or two; it takes a day or so to add a new one to production: installing ntp, configuring your custom software repositories, configuring the various accounts it might need, installing ssh, adding it to the backup system, to the monitoring system, etc.  Say you're getting over it.  Say you need to change your software repositories or your admin ssh keys.  Familiar?  Enter server automation:


We'd heard about Chef, and tried Puppet, the uber configuration management system which is great, so they say, on the 3rd or 4th incarnation :)  We wanted something a bit simpler, something that avoided the monolithic client/server model, could be run anywhere (with git) and which used the SSH key auth we were already using.  It had to be able to manage groups of machines in a logical "idempotent" way.  Idempotent means you can apply a play which says "make it like thus" and if nothing needs to change, nothing is changed.  You can apply it again (and again) and not break anything.

So anyhow, we found all of that in a free open source software project called Ansible:

"Orchestrate From Above.
Most software does not run on a single machine.
Ansible parallelizes complex multi-tier rollouts across app servers, databases, monitoring servers, and load balancers.."

After following the doco I had it up and running, managing NTP on 25 servers, within a day.  A good percentage of that was spent sorting out root ssh access (although sudo is ok too) and finding out what NTP is actually packaged as on CentOS vs Ubuntu vs Debian etc.

We've now moved on to managing users and ssh keys with Ansible and I can see this making a very significant difference for us.
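
The idempotent plays described above, sketched as one playbook for the two jobs this post mentions: NTP across distro families and admin SSH keys. This is an added example, not the author's playbook; the `admin` account, the `files/admin_keys.pub` path and the package/service names (package `ntp` on both families, service `ntpd` on the Red Hat family, as on distributions of this post's era) are assumptions.

```yaml
# site.yml: added example; account, path and service names are assumptions,
# not taken from the original post.
- name: Baseline time sync and admin SSH access
  hosts: all
  become: true              # escalate with sudo on the target host
  vars:
    # Assumed NTP service name per OS family (the package is "ntp" on both).
    ntp_service:
      Debian: ntp           # Debian, Ubuntu
      RedHat: ntpd          # CentOS, RHEL
  tasks:
    - name: Install the NTP daemon
      ansible.builtin.package:
        name: ntp
        state: present      # desired state, not a command: no-op if installed

    - name: Keep the NTP service running and enabled at boot
      ansible.builtin.service:
        name: "{{ ntp_service[ansible_facts['os_family']] }}"
        state: started
        enabled: true

    - name: Make the admin account's authorized_keys match the approved list
      ansible.posix.authorized_key:
        user: admin         # hypothetical account name
        # Hypothetical path: one approved public key per line.
        key: "{{ lookup('file', 'files/admin_keys.pub') }}"
        state: present
        exclusive: true     # drop keys not in the file, so rotation also revokes
```

Preview with `ansible-playbook site.yml --check --diff`; after a real run, a second run should report `changed=0` on every host. With `exclusive: true` the key file is the whole truth for that account, so a wrong or empty file locks the account out: review it before applying.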