<h1>The Future Is Now<aclass="headerlink"href="#the-future-is-now" title="Permalink to this headline">¶</a></h1>
<h1>Introducing Ansible<aclass="headerlink"href="#introducing-ansible" title="Permalink to this headline">¶</a></h1>
<p>Ansible is a radically simple model-driven configuration management, deployment,
<p>Ansible is a radically simple model-driven configuration management, deployment,
and command execution framework. Other tools in this space have been too
and command execution framework. Other tools in this space have been too complicated for too long,
complicated for too long, require too much bootstrapping, and have too
require too much bootstrapping, and have too much learning curve. By comparison, Ansible is dead simple
much learning curve. Ansible is dead simple and painless to extend.
and painless to extend. Puppet and Chef have about 60k lines of code. Ansible’s core is a little over 2000 lines.</p>
For comparison, Puppet and Chef have about 60k lines of code.
<p>Ansible isn’t just for configuration management – it’s also great for ad-hoc tasks, quickly firing off commands against nodes, and it excels at complex multi-node deployment tasks, being designed for that purpose from day one.</p>
Ansible’s core is a little over 2000 lines..</p>
<p>Systems management doesn’t have to be complicated. We’ve learned well from the “Infrastructure is Code” movement.
<p>Ansible isn’t just for idempotent configuration – it’s also great for ad-hoc
Infrastructure should be easy and powerful to command, but it should not look like code, lest it acquire the disadvantages of a software project – bugs, complexity, and overhead. Infrastructure configurations should be simple, easy to develop, and easy to audit. This is Ansible’s philosophy and the main reason it’s different. Read on, though, and we’ll tell you more.</p>
tasks, quickly firing off commands against nodes. See <aclass="reference internal"href="examples.html"><em>Command Line</em></a>.</p>
<h1>Innovative Multi-node Control<aclass="headerlink"href="#innovative-multi-node-control"title="Permalink to this headline">¶</a></h1>
</colgroup>
<p>Where Ansible excels though, is expressing complex multi-node
<theadvalign="bottom">
deployment processes, executing ordered sequences on
<tr><thclass="head">Key Features</th>
different sets of nodes through <aclass="reference internal"href="playbooks.html"><em>Playbooks</em></a>. Playbooks contain one or
</tr>
more plays, each executed against a different batch of nodes. Think about
</thead>
webservers, database servers, and backend servers in a multi-node web environment. A play can address each set of machines in a cycle, ensuring the configurations of the machines were correct and also updating them to the specified
<tbodyvalign="top">
version of software if required.</p>
<tr><td>Dead simple setup</td>
<p>Multi-machine software deployment is poorly solved by most systems management tools – often due to architectural nature of being pull oriented and having complex ordering systems, they cover configuration but fail at deployment when updating tiers of machines in well defined steps. This results in using two (or more) logically distinct tools and having complex overlap between them.</p>
</tr>
<p>If you actually do need pull oriented mode, though, Ansible 0.4 and later can run playbooks in pull mode as well.
<tr><td>Super fast & parallel by default</td>
This is useful in extreme scaling scenarios or when automatic system remediation is desired. Since Ansible remains
</tr>
server and daemonless, scaling potential is unlimited, and no resources are wasted on running management daemons.</p>
<tr><td>No server or client daemons; use existing SSHd out of the box</td>
<h1>Deployment and Configuration, Unified<aclass="headerlink"href="#deployment-and-configuration-unified"title="Permalink to this headline">¶</a></h1>
</tr>
<p>Other deployment (compared to config) oriented frameworks similarly cover deployment well but lack a strongly defined resource model and devolve into glorified remote scripts. Ansible playbooks – having been designed with this problem in mind – are good at both deployment & idempotent configuration, meaning you don’t have to spread your infrastructure management out between different tools (Puppet+Capistrano, Chef+Fabric, etc). Performing ordered steps between different classes of machines is no problem, yet our modules affect system state only when required – while avoiding the problem of fragile scripting that assumes certain starting or ending states.</p>
<tr><td>No additional software required on client boxes</td>
<p>Ansible is also unique in other ways. Extending ansible does not require programming in any particular language – you can write <aclass="reference internal"href="modules.html"><em>Ansible Modules</em></a> as idempotent scripts or programs that return simple JSON. Ansible is also pragmatic, so when you need to, it’s also trivially easy to just execute useful shell commands.</p>
</tr>
<p>Why use Ansible versus other configuration management tools? (Puppet, Chef, etc?) Ansible will have far
<tr><td>Can be easily run from a checkout, no installation required</td>
less code, it will be (by extension) more correct, and it will be the
</tr>
easiest thing to hack on and use you’ll ever see – regardless of your
<tr><td>Modules are idempotent, but you can also easily use shell commands</td>
favorite language of choice. Versus other deployment tools? (Capistrano, Fabric?). Ansible playbooks are easier
</tr>
to use (not being code) and also allows intermixing of idempotent configuration management rules for a higher level
<tr><td>Modules can be written in ANY language</td>
of control. Further, it was designed for deploying multi-node applications from the beginning.</p>
</tr>
</div>
<tr><td>Awesome API for creating very powerful distributed scripts</td>
<divclass="section"id="simple-secure-by-default">
</tr>
<h1>Simple & Secure By Default<aclass="headerlink"href="#simple-secure-by-default"title="Permalink to this headline">¶</a></h1>
<tr><td>Does not have to run remote steps as root</td>
<p>Compared with most configuration managememnt tools, Ansible is also much more secure. While most configuration management tools use a daemon, running as root with full access to the system, with its own in-house developed PKI infrastructure, Ansible just uses SSH (and supports sudo as neccesssary). There is no additional attack surface and OpenSSH is one of the most peer reviewed security components out there.
</tr>
If a central server containing your playbooks are comprimised, your nodes are not – which is NOT the case
<tr><td>Pluggable transports (SSH is just the default)</td>
of these other tools, which can, more or less, turn into a botnet. Our security approach is to avoid writing custom
</tr>
crypto code altogether, and rely on the most secure part of the Linux/Unix subsystem that your machines are already using. There is no PKI subsystem to maintain, which can be a frequent source of problems, particularly when reinstalling or migrating
<tr><td>Source host info & variables from files or external software</td>
hosts.</p>
</tr>
<p>Systems management doesn’t have to be complicated. Ansible’s docs will remain short & simple, and the source will be blindingly obvious. We’ve learned well from “Infrastructure is Code”. Infrastructure should be easy and powerful to command, but it should not look like code, lest it acquire the disadvantages of a software project – bugs, complexity, and overhead. Infrastructure configurations should be simple, easy to develop, and easy to audit.</p>
<tr><td>The easiest config management system to use, ever.</td>
</tr>
</tbody>
</table>
</div>
</div>
<divclass="section"id="architecture">
<divclass="section"id="architecture">
<h1>Architecture<aclass="headerlink"href="#architecture"title="Permalink to this headline">¶</a></h1>
<h1>Architecture<aclass="headerlink"href="#architecture"title="Permalink to this headline">¶</a></h1>
<li>No additional software required on client boxes</li>
</thead>
<li>Can be easily run from a checkout, no installation required</li>
<tbodyvalign="top">
<li>Modules are idempotent, but you can also easily use shell commands</li>
<tr><td>Multi-node control & orchestration</td>
<li>Modules can be written in ANY language</li>
<td>Ansible is especially strong at expressing complex multi-node
<li>Awesome API for creating very powerful distributed scripts</li>
deployment processes, executing ordered sequences on
<li>Does not have to run remote steps as root</li>
different sets of nodes through <aclass="reference internal"href="playbooks.html"><em>Playbooks</em></a>. Performing
<li>Pluggable transports (SSH is just the default)</li>
steps on all your webservers, then some steps on your database
<li>Source host info & variables from files or external software</li>
servers, and then some steps on monitoring servers – all the
<li>The easiest config management system to use, ever.</li>
while sharing variables between them is trivial.</td>
</ul>
</tr>
</div>
<tr><td>Doesn’t choose sides</td>
<divclass="section"id="what-people-are-saying">
<td>Modules can be written in Bash, Perl, Python, Ruby, whatever.
<h1>What People Are Saying<aclass="headerlink"href="#what-people-are-saying"title="Permalink to this headline">¶</a></h1>
Playbooks are not a programming language, but a data format.</td>
<p>“I’ve been trying to grok Chef these last weeks, and really, I don’t get it. I discovered ansible yesterday at noon, successfully ran it at 1pm, made my first playbook by 2pm, and pushed two small [contributions to the project] before the office closed... Do that with any other config management software!”</p>
</tr>
<p>“Ansible is much more firewall-friendly. I have a number of hosts that are only accessible via reverse SSH tunnels, and let me tell you getting puppet or chef to play nice with that is a nightmare.”</p>
<tr><td>Infrastructure Is Not Code,
<p>“This software has really changed my life as an network admin, the simplicity ansible comes with is really childs-play and I really adore its design. No more hassle with SSL keys, DNS based ‘server entries’ (e.g. puppet and what not). Just plain (secure!) SSH keys and one is good to go.”</p>
Infrastructure Is Data</td>
<td>Playbooks are not a programming language, they are designed to be
super-easy to write, and easy to audit by non-developers. You
will be able to skim and very quickly understand your entire
configuration policy.</td>
</tr>
<tr><td>Three In One</td>
<td>Ansible handles multiple command and control
problems in one tool. You don’t need to use a config tool, a
deployment tool, and yet another ad-hoc parallel task execution
tool – Ansible will do all three.</td>
</tr>
<tr><td>Lower Attack Surface, No Agents</td>
<td>Ansible is very secure. Ansible uses SSH as a transport,
resulting in a much lower attack surface, and requires no agents
to be running on managed machines. If a central server
containing your playbooks are comprimised, your nodes are not –
which is NOT the case of most other tools, which can, more or
less, turn into a botnet. Our security approach is to avoid
writing custom crypto code altogether, and rely on the most
secure part of the Linux/Unix subsystem that your machines are
already using – openssh.</td>
</tr>
</tbody>
</table>
</div>
</div>
<divclass="section"id="resources">
<divclass="section"id="resources">
<h1>Resources<aclass="headerlink"href="#resources"title="Permalink to this headline">¶</a></h1>
<h1>Resources<aclass="headerlink"href="#resources"title="Permalink to this headline">¶</a></h1>
@ -266,179 +287,77 @@ you with questions about Ansible.</p>
<li>See the presentation on <aclass="reference external"href="http://speakerdeck.com/u/mpdehaan/p/ansible">Speakerdeck</a></li>
<li>See the presentation on <aclass="reference external"href="http://speakerdeck.com/u/mpdehaan/p/ansible">Speakerdeck</a></li>
<li>Visit the <aclass="reference external"href="http://groups.google.com/group/ansible-project">Google Group</a></li>
<li>Visit the <aclass="reference external"href="http://groups.google.com/group/ansible-project">Google Group</a></li>
<li>Chat on <aclass="reference external"href="http://webchat.freenode.net/?channels=ansible">FreeNode</a></li>
<li>Chat on <aclass="reference external"href="http://webchat.freenode.net/?channels=ansible">FreeNode</a></li>
<li>Join the <aclass="reference external"href="http://groups.google.com/group/ansible-project">Mailing List</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="patterns.html">Inventory & Patterns</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="gettingstarted.html#python-2-6-epel-instructions-for-rhel-and-centos-5">Python 2.6 EPEL instructions for RHEL and CentOS 5</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="gettingstarted.html#choosing-between-paramiko-and-native-ssh">Choosing Between Paramiko and Native SSH</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="gettingstarted.html#your-first-commands">Your first commands</a></li>
</ul>
</li>
<liclass="toctree-l1"><aclass="reference internal"href="patterns.html">Inventory & Patterns</a><ul>
<liclass="toctree-l2"><aclass="reference internal"href="patterns.html#hosts-and-groups">Hosts and Groups</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="patterns.html#groups-of-groups-and-group-variables">Groups of Groups, and Group Variables</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="patterns.html#splitting-out-host-and-group-specific-data">Splitting Out Host and Group Specific Data</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="playbooks2.html#accessing-information-about-other-hosts">Accessing Information About Other Hosts</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="playbooks2.html#prompting-for-sensitive-data">Prompting For Sensitive Data</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="playbooks2.html#passing-variables-on-the-command-line">Passing Variables On The Command Line</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="playbooks2.html#selecting-files-and-templates-based-on-variables">Selecting Files And Templates Based On Variables</a></li>
<liclass="toctree-l2"><aclass="reference internal"href="playbooks2.html#asynchronous-actions-and-polling">Asynchronous Actions and Polling</a></li>
<liclass="toctree-l3"><aclass="reference internal"href="faq.html#what-is-ansible-s-approach-to-security">What is Ansible’s approach to security?</a></li>
<liclass="toctree-l3"><aclass="reference internal"href="faq.html#how-does-ansible-scale">How does Ansible scale?</a></li>
<liclass="toctree-l3"><aclass="reference internal"href="faq.html#are-transports-other-than-ssh-supported">Are transports other than SSH supported?</a></li>
<liclass="toctree-l3"><aclass="reference internal"href="faq.html#what-are-some-ideal-uses-for-ansible">What are some ideal uses for Ansible?</a></li>
<h1>Presented By...<aclass="headerlink"href="#presented-by"title="Permalink to this headline">¶</a></h1>
<colwidth="100%"/>
<p>Ansible was created and is run by <aclass="reference external"href="http://michaeldehaan.net">Michael DeHaan</a> (<aclass="reference external"href="http://twitter.com/#!/laserllama">@laserllama</a>), a Raleigh, NC
</colgroup>
<theadvalign="bottom">
<tr><thclass="head">Presented By...</th>
</tr>
</thead>
<tbodyvalign="top">
<tr><td>Ansible was created and is run by <aclass="reference external"href="http://michaeldehaan.net">Michael DeHaan</a>
(<aclass="reference external"href="http://twitter.com/#!/laserllama">@laserllama</a>), a Raleigh, NC
based software developer and architect, who also created the popular
based software developer and architect, who also created the popular
DevOps install server <aclass="reference external"href="http://cobbler.github.com/">Cobbler</a>.
DevOps install server <aclass="reference external"href="http://cobbler.github.com/">Cobbler</a>.
Cobbler is used to deploy mission critical systems all over the
Cobbler is used to deploy mission critical systems all over the
planet, in industries ranging from massively multiplayer gaming, core
planet, in industries ranging from massively multiplayer gaming, core
internet infrastructure, finance, chip design, and more. Michael also
internet infrastructure, finance, chip design, and more. Michael also
helped co-author <aclass="reference external"href="http://fedorahosted.org/func/">Func</a>, a precursor to Ansible, which is used to
helped co-author <aclass="reference external"href="http://fedorahosted.org/func/">Func</a>, a precursor to Ansible, which is used
orchestrate systems in lots of diverse places. He’s worked on systems
to orchestrate systems in lots of diverse places. He’s worked on systems
software for IBM, Motorola, Red Hat’s Emerging Technologies Group,
software for IBM, Motorola, Red Hat’s Emerging Technologies Group,
Puppet Labs, and is now with <aclass="reference external"href="http://rpath.com">rPath</a>. Reach Michael by email <aclass="reference external"href="mailto:michael.dehaan%40gmail.com">here</a>.</p>
Puppet Labs, and is now with <aclass="reference external"href="http://rpath.com">rPath</a>. Reach Michael by email
Ansible is a radically simple model-driven configuration management, deployment,
Ansible is a radically simple model-driven configuration management, deployment,
and command execution framework. Other tools in this space have been too
and command execution framework. Other tools in this space have been too complicated for too long,
complicated for too long, require too much bootstrapping, and have too
require too much bootstrapping, and have too much learning curve. By comparison, Ansible is dead simple
much learning curve. Ansible is dead simple and painless to extend.
and painless to extend. Puppet and Chef have about 60k lines of code. Ansible's core is a little over 2000 lines.
For comparison, Puppet and Chef have about 60k lines of code.
Ansible's core is a little over 2000 lines..
Ansible isn't just for configuration management -- it's also great for ad-hoc tasks, quickly firing off commands against nodes, and it excels at complex multi-node deployment tasks, being designed for that purpose from day one.
Ansible isn't just for idempotent configuration -- it's also great for ad-hoc
Systems management doesn't have to be complicated. We've learned well from the "Infrastructure is Code" movement.
tasks, quickly firing off commands against nodes. See :doc:`examples`.
Infrastructure should be easy and powerful to command, but it should not look like code, lest it acquire the disadvantages of a software project -- bugs, complexity, and overhead. Infrastructure configurations should be simple, easy to develop, and easy to audit. This is Ansible's philosophy and the main reason it's different. Read on, though, and we'll tell you more.
webservers, database servers, and backend servers in a multi-node web environment. A play can address each set of machines in a cycle, ensuring the configurations of the machines were correct and also updating them to the specified
| No server or client daemons; use existing SSHd out of the box |
Multi-machine software deployment is poorly solved by most systems management tools -- often due to architectural nature of being pull oriented and having complex ordering systems, they cover configuration but fail at deployment when updating tiers of machines in well defined steps. This results in using two (or more) logically distinct tools and having complex overlap between them.
Other deployment (compared to config) oriented frameworks similarly cover deployment well but lack a strongly defined resource model and devolve into glorified remote scripts. Ansible playbooks -- having been designed with this problem in mind -- are good at both deployment & idempotent configuration, meaning you don't have to spread your infrastructure management out between different tools (Puppet+Capistrano, Chef+Fabric, etc). Performing ordered steps between different classes of machines is no problem, yet our modules affect system state only when required -- while avoiding the problem of fragile scripting that assumes certain starting or ending states.
| Awesome API for creating very powerful distributed scripts |
Ansible is also unique in other ways. Extending ansible does not require programming in any particular language -- you can write :doc:`modules` as idempotent scripts or programs that return simple JSON. Ansible is also pragmatic, so when you need to, it's also trivially easy to just execute useful shell commands.
Compared with most configuration managememnt tools, Ansible is also much more secure. While most configuration management tools use a daemon, running as root with full access to the system, with its own in-house developed PKI infrastructure, Ansible just uses SSH (and supports sudo as neccesssary). There is no additional attack surface and OpenSSH is one of the most peer reviewed security components out there.
If a central server containing your playbooks are comprimised, your nodes are not -- which is NOT the case
of these other tools, which can, more or less, turn into a botnet. Our security approach is to avoid writing custom
crypto code altogether, and rely on the most secure part of the Linux/Unix subsystem that your machines are already using. There is no PKI subsystem to maintain, which can be a frequent source of problems, particularly when reinstalling or migrating
hosts.
Systems management doesn't have to be complicated. Ansible's docs will remain short & simple, and the source will be blindingly obvious. We've learned well from "Infrastructure is Code". Infrastructure should be easy and powerful to command, but it should not look like code, lest it acquire the disadvantages of a software project -- bugs, complexity, and overhead. Infrastructure configurations should be simple, easy to develop, and easy to audit.
| Three In One | Ansible handles multiple command and control |
| | problems in one tool. You don't need to use a config tool, a |
"I've been trying to grok Chef these last weeks, and really, I don't get it. I discovered ansible yesterday at noon, successfully ran it at 1pm, made my first playbook by 2pm, and pushed two small [contributions to the project] before the office closed... Do that with any other config management software!"
| | deployment tool, and yet another ad-hoc parallel task execution |
| | tool -- Ansible will do all three. |
"Ansible is much more firewall-friendly. I have a number of hosts that are only accessible via reverse SSH tunnels, and let me tell you getting puppet or chef to play nice with that is a nightmare."
| Lower Attack Surface, No Agents | Ansible is very secure. Ansible uses SSH as a transport, |
"This software has really changed my life as an network admin, the simplicity ansible comes with is really childs-play and I really adore its design. No more hassle with SSL keys, DNS based 'server entries' (e.g. puppet and what not). Just plain (secure!) SSH keys and one is good to go."
| | resulting in a much lower attack surface, and requires no agents |
| | to be running on managed machines. If a central server |
| | containing your playbooks are comprimised, your nodes are not -- |
| | which is NOT the case of most other tools, which can, more or |
| | less, turn into a botnet. Our security approach is to avoid |
| | writing custom crypto code altogether, and rely on the most |
| | secure part of the Linux/Unix subsystem that your machines are |
Michael DeHaan
13 years ago