mirror of https://github.com/ansible/ansible.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
390 lines
13 KiB
ReStructuredText
390 lines
13 KiB
ReStructuredText
13 years ago
|
Best Practices
|
||
|
==============
|
||
|
|
||
11 years ago
|
Here are some tips for making the most of Ansible playbooks.
|
||
13 years ago
|
|
||
11 years ago
|
You can find some example playbooks illustrating these best practices in our `ansible-examples repository <https://github.com/ansible/ansible-examples>`_. (NOTE: These may not use all of the features in the latest release, but are still an excellent reference!).
|
||
12 years ago
|
|
||
11 years ago
|
.. _content_organization:
|
||
|
|
||
12 years ago
|
Content Organization
|
||
|
++++++++++++++++++++++
|
||
|
|
||
11 years ago
|
The following section shows one of many possible ways to organize playbook content. Your usage of Ansible should fit your needs, however, not ours, so feel free to modify this approach and organize as you see fit.
|
||
12 years ago
|
|
||
12 years ago
|
(One thing you will definitely want to do though, is use the "roles" organization feature, which is documented as part
|
||
11 years ago
|
of the main playbooks page. See :doc:`playbooks_roles`).
|
||
12 years ago
|
|
||
11 years ago
|
.. _directory_layout:
|
||
|
|
||
12 years ago
|
Directory Layout
|
||
|
````````````````
|
||
|
|
||
|
The top level of the directory would contain files and directories like so::
|
||
|
|
||
12 years ago
|
production # inventory file for production servers
|
||
|
stage # inventory file for stage environment
|
||
12 years ago
|
|
||
|
group_vars/
|
||
12 years ago
|
group1 # here we assign variables to particular groups
|
||
|
group2 # ""
|
||
12 years ago
|
host_vars/
|
||
12 years ago
|
hostname1 # if systems need specific variables, put them here
|
||
|
hostname2 # ""
|
||
|
|
||
|
site.yml # master playbook
|
||
|
webservers.yml # playbook for webserver tier
|
||
|
dbservers.yml # playbook for dbserver tier
|
||
|
|
||
|
roles/
|
||
|
common/ # this hierarchy represents a "role"
|
||
|
tasks/ #
|
||
|
main.yml # <-- tasks file can include smaller files if warranted
|
||
|
handlers/ #
|
||
|
main.yml # <-- handlers file
|
||
|
templates/ # <-- files for use with the template resource
|
||
|
ntp.conf.j2 # <------- templates end in .j2
|
||
|
files/ #
|
||
|
bar.txt # <-- files for use with the copy resource
|
||
12 years ago
|
foo.sh # <-- script files for use with the script resource
|
||
12 years ago
|
vars/ #
|
||
|
main.yml # <-- variables associated with this role
|
||
12 years ago
|
|
||
|
webtier/ # same kind of structure as "common" was above, done for the webtier role
|
||
|
monitoring/ # ""
|
||
|
fooapp/ # ""
|
||
12 years ago
|
|
||
11 years ago
|
.. _stage_vs_prod:
|
||
|
|
||
12 years ago
|
How to Arrange Inventory, Stage vs Production
|
||
|
`````````````````````````````````````````````
|
||
|
|
||
11 years ago
|
In the example below, the *production* file contains the inventory of all of your production hosts. Of course you can pull inventory from an external data source as well, but this is just a basic example.
|
||
|
|
||
|
It is suggested that you define groups based on purpose of the host (roles) and also geography or datacenter location (if applicable)::
|
||
12 years ago
|
|
||
|
# file: production
|
||
|
|
||
|
[atlanta-webservers]
|
||
|
www-atl-1.example.com
|
||
|
www-atl-2.example.com
|
||
|
|
||
|
[boston-webservers]
|
||
|
www-bos-1.example.com
|
||
|
www-bos-2.example.com
|
||
|
|
||
|
[atlanta-dbservers]
|
||
|
db-atl-1.example.com
|
||
|
db-atl-2.example.com
|
||
|
|
||
|
[boston-dbservers]
|
||
|
db-bos-1.example.com
|
||
|
|
||
|
# webservers in all geos
|
||
|
[webservers:children]
|
||
|
atlanta-webservers
|
||
|
boston-webservers
|
||
|
|
||
|
# dbservers in all geos
|
||
|
[dbservers:children]
|
||
|
atlanta-dbservers
|
||
|
boston-dbservers
|
||
|
|
||
|
# everything in the atlanta geo
|
||
|
[atlanta:children]
|
||
|
atlanta-webservers
|
||
|
atlanta-dbservers
|
||
|
|
||
|
# everything in the boston geo
|
||
|
[boston:children]
|
||
|
boston-webservers
|
||
|
boston-dbservers
|
||
|
|
||
11 years ago
|
|
||
11 years ago
|
.. _groups_and_hosts:
|
||
|
|
||
12 years ago
|
Group And Host Variables
|
||
|
````````````````````````
|
||
|
|
||
11 years ago
|
Now, groups are nice for organization, but that's not all groups are good for. You can also assign variables to them! For instance, atlanta has its own NTP servers, so when setting up ntp.conf, we should use them. Let's set those now::
|
||
12 years ago
|
|
||
|
---
|
||
|
# file: group_vars/atlanta
|
||
|
ntp: ntp-atlanta.example.com
|
||
|
backup: backup-atlanta.example.com
|
||
|
|
||
11 years ago
|
Variables aren't just for geographic information either! Maybe the webservers have some configuration that doesn't make sense for the database servers::
|
||
12 years ago
|
|
||
|
---
|
||
|
# file: group_vars/webservers
|
||
|
apacheMaxRequestsPerChild: 3000
|
||
|
apacheMaxClients: 900
|
||
|
|
||
|
If we had any default values, or values that were universally true, we would put them in a file called group_vars/all::
|
||
|
|
||
|
---
|
||
|
# file: group_vars/all
|
||
|
ntp: ntp-boston.example.com
|
||
|
backup: backup-boston.example.com
|
||
|
|
||
|
We can define specific hardware variance in systems in a host_vars file, but avoid doing this unless you need to::
|
||
|
|
||
|
---
|
||
|
# file: host_vars/db-bos-1.example.com
|
||
|
foo_agent_port: 86
|
||
|
bar_agent_port: 99
|
||
|
|
||
11 years ago
|
.. _split_by_role:
|
||
|
|
||
12 years ago
|
Top Level Playbooks Are Separated By Role
|
||
12 years ago
|
`````````````````````````````````````````
|
||
|
|
||
|
In site.yml, we include a playbook that defines our entire infrastructure. Note this is SUPER short, because it's just including
|
||
12 years ago
|
some other playbooks. Remember, playbooks are nothing more than lists of plays::
|
||
12 years ago
|
|
||
|
---
|
||
|
# file: site.yml
|
||
|
- include: webservers.yml
|
||
|
- include: dbservers.yml
|
||
|
|
||
|
In a file like webservers.yml (also at the top level), we simply map the configuration of the webservers group to the roles performed by the webservers group. Also notice this is incredibly short. For example::
|
||
|
|
||
|
---
|
||
|
# file: webservers.yml
|
||
|
- hosts: webservers
|
||
12 years ago
|
roles:
|
||
|
- common
|
||
|
- webtier
|
||
12 years ago
|
|
||
11 years ago
|
.. _role_organization:
|
||
|
|
||
12 years ago
|
Task And Handler Organization For A Role
|
||
|
````````````````````````````````````````
|
||
|
|
||
12 years ago
|
Below is an example tasks file that explains how a role works. Our common role here just sets up NTP, but it could do more if we wanted::
|
||
12 years ago
|
|
||
|
---
|
||
12 years ago
|
# file: roles/common/tasks/main.yml
|
||
12 years ago
|
|
||
|
- name: be sure ntp is installed
|
||
|
yum: pkg=ntp state=installed
|
||
|
tags: ntp
|
||
|
|
||
|
- name: be sure ntp is configured
|
||
12 years ago
|
template: src=ntp.conf.j2 dest=/etc/ntp.conf
|
||
12 years ago
|
notify:
|
||
|
- restart ntpd
|
||
|
tags: ntp
|
||
13 years ago
|
|
||
12 years ago
|
- name: be sure ntpd is running and enabled
|
||
|
service: name=ntpd state=running enabled=yes
|
||
12 years ago
|
tags: ntp
|
||
|
|
||
|
Here is an example handlers file. As a review, handlers are only fired when certain tasks report changes, and are run at the end
|
||
|
of each play::
|
||
|
|
||
|
---
|
||
12 years ago
|
# file: roles/common/handlers/main.yml
|
||
12 years ago
|
- name: restart ntpd
|
||
|
service: name=ntpd state=restarted
|
||
12 years ago
|
|
||
11 years ago
|
See :doc:`playbooks_roles` for more information.
|
||
|
|
||
|
|
||
11 years ago
|
.. _organization_examples:
|
||
|
|
||
12 years ago
|
What This Organization Enables (Examples)
|
||
|
`````````````````````````````````````````
|
||
|
|
||
11 years ago
|
Above we've shared our basic organizational structure.
|
||
12 years ago
|
|
||
|
Now what sort of use cases does this layout enable? Lots! If I want to reconfigure my whole infrastructure, it's just::
|
||
|
|
||
|
ansible-playbook -i production site.yml
|
||
|
|
||
|
What about just reconfiguring NTP on everything? Easy.::
|
||
|
|
||
|
ansible-playbook -i production site.yml --tags ntp
|
||
|
|
||
|
What about just reconfiguring my webservers?::
|
||
|
|
||
|
ansible-playbook -i production webservers.yml
|
||
|
|
||
|
What about just my webservers in Boston?::
|
||
|
|
||
|
ansible-playbook -i production webservers.yml --limit boston
|
||
|
|
||
|
What about just the first 10, and then the next 10?::
|
||
|
|
||
|
ansible-playbook -i production webservers.yml --limit boston[0-10]
|
||
|
ansible-playbook -i production webservers.yml --limit boston[10-20]
|
||
|
|
||
|
And of course just basic ad-hoc stuff is also possible.::
|
||
|
|
||
12 years ago
|
ansible -i production -m ping
|
||
|
ansible -i production -m command -a '/sbin/reboot' --limit boston
|
||
12 years ago
|
|
||
12 years ago
|
And there are some useful commands to know (at least in 1.1 and higher)::
|
||
12 years ago
|
|
||
|
# confirm what task names would be run if I ran this command and said "just ntp tasks"
|
||
|
ansible-playbook -i production webservers.yml --tags ntp --list-tasks
|
||
|
|
||
|
# confirm what hostnames might be communicated with if I said "limit to boston"
|
||
|
ansible-playbook -i production webservers.yml --limit boston --list-hosts
|
||
|
|
||
11 years ago
|
.. _dep_vs_config:
|
||
|
|
||
12 years ago
|
Deployment vs Configuration Organization
|
||
|
````````````````````````````````````````
|
||
|
|
||
11 years ago
|
The above setup models a typical configuration topology. When doing multi-tier deployments, there are going
|
||
12 years ago
|
to be some additional playbooks that hop between tiers to roll out an application. In this case, 'site.yml'
|
||
|
may be augmented by playbooks like 'deploy_exampledotcom.yml' but the general concepts can still apply.
|
||
|
|
||
11 years ago
|
Consider "playbooks" as a sports metaphor -- you don't have to just have one set of plays to use against your infrastructure
|
||
|
all the time -- you can have situational plays that you use at different times and for different purposes.
|
||
|
|
||
12 years ago
|
Ansible allows you to deploy and configure using the same tool, so you would likely reuse groups and just
|
||
12 years ago
|
keep the OS configuration in separate playbooks from the app deployment.
|
||
12 years ago
|
|
||
11 years ago
|
.. _stage_vs_production:
|
||
11 years ago
|
|
||
12 years ago
|
Stage vs Production
|
||
|
+++++++++++++++++++
|
||
|
|
||
12 years ago
|
As also mentioned above, a good way to keep your stage (or testing) and production environments separate is to use a separate inventory file for stage and production. This way you pick with -i what you are targeting. Keeping them all in one file can lead to surprises!
|
||
12 years ago
|
|
||
|
Testing things in a stage environment before trying in production is always a great idea. Your environments need not be the same
|
||
|
size and you can use group variables to control the differences between those environments.
|
||
|
|
||
11 years ago
|
.. _rolling_update:
|
||
|
|
||
12 years ago
|
Rolling Updates
|
||
|
+++++++++++++++
|
||
|
|
||
|
Understand the 'serial' keyword. If updating a webserver farm you really want to use it to control how many machines you are
|
||
|
updating at once in the batch.
|
||
|
|
||
11 years ago
|
See :doc:`playbooks_delegation`.
|
||
|
|
||
11 years ago
|
.. _mention_the_state:
|
||
|
|
||
12 years ago
|
Always Mention The State
|
||
|
++++++++++++++++++++++++
|
||
|
|
||
|
The 'state' parameter is optional to a lot of modules. Whether 'state=present' or 'state=absent', it's always best to leave that
|
||
|
parameter in your playbooks to make it clear, especially as some modules support additional states.
|
||
13 years ago
|
|
||
11 years ago
|
.. _group_by_roles:
|
||
|
|
||
13 years ago
|
Group By Roles
|
||
|
++++++++++++++
|
||
|
|
||
11 years ago
|
A system can be in multiple groups. See :doc:`intro_inventory` and :doc:`intro_patterns`. Having groups named after things like
|
||
13 years ago
|
*webservers* and *dbservers* is repeated in the examples because it's a very powerful concept.
|
||
13 years ago
|
|
||
|
This allows playbooks to target machines based on role, as well as to assign role specific variables
|
||
|
using the group variable system.
|
||
|
|
||
11 years ago
|
See :doc:`playbooks_roles`.
|
||
|
|
||
11 years ago
|
.. _os_variance:
|
||
|
|
||
12 years ago
|
Operating System and Distribution Variance
|
||
|
++++++++++++++++++++++++++++++++++++++++++
|
||
|
|
||
|
When dealing with a parameter that is different between two different operating systems, the best way to handle this is
|
||
|
by using the group_by module.
|
||
|
|
||
|
This makes a dynamic group of hosts matching certain criteria, even if that group is not defined in the inventory file::
|
||
|
|
||
|
---
|
||
|
|
||
|
# talk to all hosts just so we can learn about them
|
||
|
|
||
|
- hosts: all
|
||
|
tasks:
|
||
11 years ago
|
- group_by: key={{ ansible_distribution }}
|
||
12 years ago
|
|
||
|
# now just on the CentOS hosts...
|
||
13 years ago
|
|
||
12 years ago
|
- hosts: CentOS
|
||
|
gather_facts: False
|
||
|
tasks:
|
||
|
- # tasks that only happen on CentOS go here
|
||
|
|
||
12 years ago
|
If group-specific settings are needed, this can also be done. For example::
|
||
13 years ago
|
|
||
13 years ago
|
---
|
||
12 years ago
|
# file: group_vars/all
|
||
|
asdf: 10
|
||
13 years ago
|
|
||
12 years ago
|
---
|
||
|
# file: group_vars/CentOS
|
||
|
asdf: 42
|
||
13 years ago
|
|
||
12 years ago
|
In the above example, CentOS machines get the value of '42' for asdf, but other machines get '10'.
|
||
13 years ago
|
|
||
11 years ago
|
.. _ship_modules_with_playbooks:
|
||
13 years ago
|
|
||
13 years ago
|
Bundling Ansible Modules With Playbooks
|
||
|
+++++++++++++++++++++++++++++++++++++++
|
||
|
|
||
13 years ago
|
.. versionadded:: 0.5
|
||
|
|
||
12 years ago
|
If a playbook has a "./library" directory relative to its YAML file, this directory can be used to add ansible modules that will
|
||
12 years ago
|
automatically be in the ansible module path. This is a great way to keep modules that go with a playbook together.
|
||
|
|
||
11 years ago
|
.. _whitespace:
|
||
|
|
||
12 years ago
|
Whitespace and Comments
|
||
|
+++++++++++++++++++++++
|
||
13 years ago
|
|
||
12 years ago
|
Generous use of whitespace to break things up, and use of comments (which start with '#'), is encouraged.
|
||
|
|
||
11 years ago
|
.. _name_tasks:
|
||
|
|
||
12 years ago
|
Always Name Tasks
|
||
|
+++++++++++++++++
|
||
|
|
||
|
It is possible to leave off the 'name' for a given task, though it is recommended to provide a description
|
||
|
about why something is being done instead. This name is shown when the playbook is run.
|
||
|
|
||
11 years ago
|
.. _keep_it_simple:
|
||
|
|
||
12 years ago
|
Keep It Simple
|
||
|
++++++++++++++
|
||
13 years ago
|
|
||
13 years ago
|
When you can do something simply, do something simply. Do not reach
|
||
|
to use every feature of Ansible together, all at once. Use what works
|
||
12 years ago
|
for you. For example, you will probably not need 'vars',
|
||
13 years ago
|
'vars_files', 'vars_prompt' and '--extra-vars' all at once,
|
||
|
while also using an external inventory file.
|
||
|
|
||
11 years ago
|
.. _version_control:
|
||
|
|
||
12 years ago
|
Version Control
|
||
|
+++++++++++++++
|
||
13 years ago
|
|
||
|
Use version control. Keep your playbooks and inventory file in git
|
||
|
(or another version control system), and commit when you make changes
|
||
|
to them. This way you have an audit trail describing when and why you
|
||
12 years ago
|
changed the rules that are automating your infrastructure.
|
||
13 years ago
|
|
||
13 years ago
|
.. seealso::
|
||
|
|
||
|
:doc:`YAMLSyntax`
|
||
|
Learn about YAML syntax
|
||
|
:doc:`playbooks`
|
||
|
Review the basic playbook features
|
||
|
:doc:`modules`
|
||
|
Learn about available modules
|
||
11 years ago
|
:doc:`developing_modules`
|
||
13 years ago
|
Learn how to extend Ansible by writing your own modules
|
||
11 years ago
|
:doc:`intro_patterns`
|
||
13 years ago
|
Learn about how to select hosts
|
||
13 years ago
|
`Github examples directory <https://github.com/ansible/ansible/tree/devel/examples/playbooks>`_
|
||
13 years ago
|
Complete playbook files from the github project source
|
||
|
`Mailing List <http://groups.google.com/group/ansible-project>`_
|
||
|
Questions? Help? Ideas? Stop by the list on Google Groups
|