IT Automation with Ansible

Today’s IT infrastructure is more complex than ever. Our systems span on-premise hardware and software, cloud services, and colocation facilities. We support business applications built on thousands of microservices that need to scale across geographies and respond to changing business requirements rapidly. And, of course, we often have more traditional environments with more requirements for administration and management. 

The complexity has grown beyond the point where it can be managed effectively without powerful automation tools to keep all the various components up-to-date and configured correctly. More and more, the automation tools that IT administrators rely on to manage today’s infrastructure are built on Ansible.

What is Ansible?

Ansible is an automation tool used for IT configuration management, deployment, and orchestration. There are other popular tools in this category, such as Puppet and Chef, and debates rage about the relative merits of each.

The popularity of Ansible has exploded since it was acquired by Red Hat in 2015 and the company invested in providing quality support for corporate teams. Another reason for the popularity of Ansible is that it has the shortest learning curve. “Ansible is designed to be minimal in nature, consistent, secure, and highly reliable, with an extremely low learning curve for administrators, developers, and IT managers. Ansible” [1], according to Red Hat.

The Ansible ecosystem is also enormous, with thousands of vendors providing modules that enable their equipment and software to be managed via Ansible. Almost any conceivable component of your IT infrastructure can be integrated into an Ansible-based automation framework. A comprehensive solution is important, as you realize when you consider the administration challenges faced by companies like Equifax.

A Cautionary Tale

In 2017, Equifax suffered a massive security breach caused by an unpatched web application server vulnerability. There was a patch available for the vulnerable software component (Apache Struts CVE-2017-5638), but the company had not applied the patch. As a result, personal information belonging to 143 million customers was accessed by hackers including 209,000 consumer credit card numbers.

For those of us working in IT, how this could happen is, sadly, entirely understandable. The Equifax infrastructure is massive and complex. Keeping all of the thousands of components patched and configured correctly is an overwhelming task for even the best administrative team.

Even if your IT infrastructure is not nearly as complex as Equifax, you have these issues. In most organizations, our administrative processes have not kept up with the explosion in complexity. The only way to solve the problem is with reliable automation. Patching is a great example. With Ansible, a one-time task like a security patch to a vulnerable component in the software stack can be accomplished quickly, across the entire infrastructure, with a simple command.

How Ansible Manages Complex IT Infrastructure

To manage a complex system, you first need to be able to describe it accurately. Ansible is designed to be descriptive, rather than prescriptive. Instructions in an Ansible play describe the end state of a component, rather than how to get to that end state. This approach is known as a declarative model of task specification (rather than an imperative model). Declarative tasks are more effective and reliable for managing complex systems because they are simpler and easier to understand. You don’t need to write out, or even know, all the steps to accomplish a task. You simply need to specify the end state.

By analogy, in a declarative travel application, you would simply write, “Put me in California.” rather than detailed instructions for taking a car to the airport, boarding the correct flight, etc.

In addition to being declarative, Ansible provides a simple, easy to understand, language for specifying tasks. As a result, your entire organization can read Ansible and participate in the automation process. Broader participation improves reliability as teams work together to build the Ansible Playbooks that configure and manage the infrastructure.

Ansible Playbooks and YAML

Playbooks are the documents that describe Ansible automation tasks. They are written in the YAML (rhymes with “camel”) language. YAML is a simple data description language first released in 2001 and initially used for application configuration files in programming languages like Ruby on Rails. Today, YAML has been widely adopted as a language for specifying the configuration of almost anything from applications to virtual machines to networks.

Playbooks can be written to perform discrete tasks like applying a patch to a software component. For more complex operations, like multi-tier rollouts across your infrastructure, Playbooks can be sequenced together. Examples of Playbooks for common tasks are widely shared and easy to find. For example, the Ansible documentation contains these examples of how to create, terminate, start, or stop an instance in AWS EC2.

When faced with an automation task, you can usually find examples of Playbooks for similar tasks, and modify these to meet your needs. The wide availability of Playbook examples is another reason for the increasing popularity of Ansible.

Example of an Ansible Playbook for provisioning a EC2 instances

As you can see in this example, the Playbook specifies an EC2 instance, but it does not include instructions that interact with AWS to provision the instance. The code that provides these instructions is found in the Ansible AWS Cloud modules that you install on the host where you run your Playbook. Modules handle the execution of Playbooks.

Ansible Modules

Another reason for the increasing popularity of Ansible is the wide availability of modules to control almost any component of your IT infrastructure. The most popular open source automation tool on GitHub today, Ansible benefits from having thousands of individuals at hundreds of companies contributing and maintaining modules. As a result, Ansible is becoming a defacto standard for managing IT infrastructure.

Moreover, if you find something in your datacenter that doesn’t have an Ansible module, you can often easily create a module for it by collaborating with people in the Ansible GitHub community.

Even if you are in a situation where a module doesn’t exist, and the means or time are unavailable to develop a module, there are existing modules that allow us to run our legacy scripts and commands. As a result, we can continue to leverage existing investments in automation scripts while migrating to Ansible.

Ansible is succeeding as a framework and as a community. Much of this success goes back to design decisions made by Michael DeHaan, the founder of the original open source project.

Ansible is Well Designed

Ansible is fundamentally well designed, making it easier to adopt and get productive with quickly. Some of the aspects of it’s design that have powered adoption include:

• Human readable YAML code - Non-coders can understand an Ansible Playbook. This makes it easier for the community to grow.
• Agentless - You don’t need to install agent software on the target components being managed by Ansible. SSH (or WinRM) is used to push changes from a control source to remote resources.
• Declarative tasks - Administrators don’t need to know the current state of systems in order to define tasks. All they need to do is specify the end result that they want.
• Idempotent - Changes are made only once, which minimizes the danger of side-effects. For example, if a server is already running and the you attempt to provision it again with Ansible, nothing happens. Ansible doesn’t shut down and rebuild the server from scratch.
• Simple security model - Ansible respects the credentials supplied by the user running Ansible and does not require you to maintain separate administrative users or credentials.
• Extensible - A wide community of GitHub developers are encourage to extend Ansible by creating and maintaining a large ecosystem of modules.

These design decisions, along with the backing of Red Hat, have enabled Ansible to grow into a powerful tool capable of managing complex IT infrastructures, including physical devices.

Provisioning Infrastructure with Ansible

Ansible is not only for managing cloud resources and services. It also supports building out your infrastructure. That includes provisioning hardware like servers, network devices, and storage devices.

For example, Ansible integrates with tools like Stacki to provision bare metal servers. Stacki begins by installing the base operating system via PXE and then Ansible manages the build from there. Similar integrations with tools from companies like Cisco (networking) and NetApp (storage) provide Ansible with the capability to provision a full IT infrastructure from scratch. Once the physical devices are provisioned, Ansible can complete the build of your entire stack.

Virtual machines (VMs), including VMWare and KVM hypervisors like Red Hat Enterprise Virtualization (RHEV) can also be provisioned and managed. All major operating systems are covered as well, such as Linux (including RHEL, CentOS, Ubuntu, etc.), Windows and Windows Server, UNIX, and OS X.

So, Ansible can provision, manage, and maintain infrastructure from bare metal to VMs, all the way up your business application stack. To appreciate the complexity of tasks that can be managed, let’s look at a detailed orchestration example.

An Example of Complex Orchestration with Ansible

Modern IT infrastructure is complex to stand up and maintain. Without powerful orchestration tools, it take a lot of manual effort to glue together and supervise a myriad of administrative tasks.

But, by combining a myriad of different tasks into an Ansible Playbook, complex automations can be achieved and performed reliability with minimal supervision. Consider this example of a rolling update to a three-tier web application [1].

Three-Tier Web Application - Rolling Update

A traditional three-tier web application contains the following components:

• Application servers
• Database servers
• Content servers
• Load balancers
• A monitoring system to alert administrative staff when issues arise

Ansible can orchestrate these components to complete a rolling update comprised of the following steps.

1. Consulting a configuration management repository for details about all the servers.
2. Configuring a the base OS on all the machines to ensure the correct state.
3. Identifying the components in the web application servers that need to be updated.
4. Signaling the monitoring system of an outage window.
5. Signaling load balancers to take the applications servers out of the pool during maintenance.
6. Stopping the web application server.
7. Deploying the updated web application code, data, and content.
8. Running validation tests.
9. Signaling load balancers to put the updated application servers back in the pool.
10. Signaling the monitoring system to resume alerts.
11. Repeating this process for all the application servers in the rolling update process.
12. Repeating these rolling update processes for database servers and content servers.

All of the tasks required to complete these steps can be included in an Ansible Playbook that the team develops and reviews together. The Playbook brings together best practices from a number of administrators and codifies them into an automation plan that is simple to execute and transparent to maintain.

In this example, we’ve seen how Ansible supports the orchestration on on-premise resources. But Ansible support hybrid operations as well, and can even help with portability of workloads between cloud and on-premise environments.

Supporting the Hybrid Cloud

Ansible has modules for VMWare, Red Hat Virtualization (RHV), OpenStack, and most virtualization tools that you’ll find in a datacenter. All the public cloud providers are covered as well, including AWS, Azure, Google Cloud, and more. As a result, you can create Playbooks that span on-premise and cloud environments such as a trade processing system running in your datacenter that archives data to cloud-based infrastructure for analytics.

Not only can you provision and manage a hybrid cloud environment with Ansible, but you can create Playbooks to migrate workloads between on-premise and cloud computing environments. In fact, Red Hat even has a program that enables you to use your product subscriptions in the Cloud.

Red Hat Cloud Access

Red Hat Cloud Access is a program that allows their customers to run product subscriptions on certified public cloud providers. As a result, your subscriptions are portable, and you can more easily move virtual machine workloads between cloud and on-premise environments.

This kind of flexibility has made Ansible a popular choice for organizations needing the flexibility to pull computing resources back from cloud environments when faced with regulatory concerns, or better economics on-premise. Red Hat provides enterprise tools, as well, to help you scale your IT automation with Ansible. One of the most popular is Ansible Tower.

Ansible Tower

Ansible Tower helps you operationalize Ansible across your organization, scale up IT automation, and manage complex deployments. Particularly when you manage a large or complex environment, you need a centralized repository and control point to help you govern, manage, and scale. You need to be able to give non-administrative users ability to provision and manage resources using the Playbooks you’ve developed. Ansible Tower is designed to coordinate your automation activities with features such as:

• Role-based access control to edit and run playbooks.
• Push-button deployment of entire applications.
• Central logging for audit and compliance.

Ansible Tower also provides a dashboard view of everything that’s going on in your Ansible environment.

Ansible Tower Dashboard

When adopting any new technology, it can help to have an experienced guide to get you started and moving in the right direction. Ansible is no exception. IIS can be the trusted partner you need to ensure that your transition to Ansible is a success.

Ansible Solutions from IIS

International Integrated Solutions (IIS) is a managed service provider and system integrator focused on delivering solid, supportable infrastructure for the datacenter. As a Red Hat Premier Solution Provider, IIS provides deep expertise implementing IT automation with Ansible.

IIS can provide customers with complimentary Ansible Enablement Workshops both pre- and post-sales. These workshops were designed by Red Hat to introduce the concepts around how Ansible works and how to effectively interact with Ansible to achieve greater efficiencies by leveraging automation. IIS can deliver these Workshops in their original format, or craft additional content around potential use cases or desired outcomes that customers specify.

IIS also offers Ansible services from Red Hat’s pre-packaged Ansible Smart Start offerings, where we stand up a high availability instance of Ansible Tower and work with our customer to create Playbooks, operationalize use cases, and design an automation environment that meets their needs.

Save Time and Money with Ansible Automation

In this post, we’ve explained the power of Ansible, and how you can leverage the technology to achieve scalable IT automation. These are benefits that all IT administrators can appreciate.

But there are benefits for the executive suite as well. Ansible will save your organization money. According to a Forrester study commissioned by Red Hat [2], an organization providing managed cloud service operations saved $1.3 million over three years by using Ansible to automate the core activities of bringing servers online, provisioning them for customers, and maintaining them with reconfigurations an patches. Prior to Ansible, this was time-intensive and error-prone work often requiring assistance from expensive hourly contractors.

If it feels like you and your colleagues are often stuck in the same repetitive tasks day after day, doing chores that could be automated, it is probably time to check out Ansible. Chances are, you can automate the grunt work and free yourselves up to focus on problems that add more value - and save your company some money along the way.

Sources

[1] Ansible In Depth Whitepaper, Red Hat, Inc. 2017
[2] The Total Economic Impact Of Red Hat Ansible Tower, Forrester, June 2018