Friday, August 8, 2014

Time to look at Ansible

I find it is time I took a look at Ansible. From the ad-hoc perspective it seems to fit in nicely and probably works a little better than the "batchcmd" bash script I use to run commands across a list of hosts.

I am not sure I agree with Ansible's design concept. The marriage of configuration management and ad-hoc execution is prone to problems. Puppet Labs and R.I. Pienaar, creator of MCollective, take a pretty strong stance of trying to avoid execution of scripts or code because some crazy things can happen. It's not so bad when it's one or two systems, but when you do something on hundreds and they all run into the problem, that could be an issue.

The nice thing about automation is it enables you to do good things faster across many more systems.
The problem with automation is it enables you to do bad things faster across many more systems.

Both Puppet and Ansible are declarative in nature, so they do not require the item to change, only that the item "becomes" a finished state. However, given Ansible's "push" philosophy, it is also looking for "immediate consistency". This may work for small deployments, but in larger systems this becomes problematic, as I can break everything from the start. Puppet follows the "eventual consistency" model, which, when properly accounted for, leads to large-scale services that deploy, as opposed to small-scale ones that for whatever reason will not get to the state you want when you think you want it. It also gives me an idio-second to change something back because I broke the first 5 nodes that checked in and not all 100.

Ansible does have a "pull" option which does allow for "eventual consistency", but this begs the question of "why have another configuration management system?", which then just brings us back to: what does Ansible give me that Puppet does not? At this point it gives me the ability to run ad-hoc command execution across multiple systems. Puppet already gives me configuration management and MCollective gives me safer orchestration.

After trying Ansible out I may change my mind, and there is nothing that fundamentally says you cannot use both tools. Ansible being agent-less has its advantages. However, the Puppet agent has saved me from my stupidity when I broke SSH and OpenSSL. It was nice to have Puppet correct my screw-up after locking everyone out of SSH. I could see where it would be nice to have Ansible save me when I inevitably break Puppet doing something silly.

UPDATE: 2014-08-11T19:33-50
Ansible allows you to use --ask-sudo-pass to prompt for your sudo password on the systems. This means that as long as your user has sudo rights to run the command in question, you can do what you like. Not sure how --ask-sudo-pass stores your password, though?