From a7eee8628dff5c7566ba02018442d5e8a55717d7 Mon Sep 17 00:00:00 2001 From: Rob Cameron Date: Thu, 26 Mar 2015 16:35:26 -0700 Subject: [PATCH] completed ansible docs, moved old ansible directory --- README.md | 11 +- docs/usingansible.md | 169 +++++++++++++++++- {examples/ansible => old_ansible}/all.yml | 0 .../ansible => old_ansible}/lab_inventory | 0 .../roles/VPN_Headend/defaults/main.yml | 0 .../roles/VPN_Headend/meta/main.yml | 0 .../roles/VPN_Headend/tasks/main.yml | 0 .../roles/VPN_Headend/templates/main.yml | 0 .../VPN_Headend/templates/vpn_edge.conf.js | 0 {examples/ansible => old_ansible}/setpath.sh | 0 proctor/Vagrantfile | 64 +++++++ 11 files changed, 232 insertions(+), 12 deletions(-) rename {examples/ansible => old_ansible}/all.yml (100%) rename {examples/ansible => old_ansible}/lab_inventory (100%) rename {examples/ansible => old_ansible}/roles/VPN_Headend/defaults/main.yml (100%) rename {examples/ansible => old_ansible}/roles/VPN_Headend/meta/main.yml (100%) rename {examples/ansible => old_ansible}/roles/VPN_Headend/tasks/main.yml (100%) rename {examples/ansible => old_ansible}/roles/VPN_Headend/templates/main.yml (100%) rename {examples/ansible => old_ansible}/roles/VPN_Headend/templates/vpn_edge.conf.js (100%) rename {examples/ansible => old_ansible}/setpath.sh (100%) diff --git a/README.md b/README.md index f0e756c..a457a07 100644 --- a/README.md +++ b/README.md 
@@ -44,18 +44,17 @@ TODO **Docs** -1. Fw policies @robwc - needs docs +1. Fw and vpn fw policies @robwc - needs docs 2. app policies @robwc - needs docs 3. ips policies @robwc - needs docs -4. disaster strikes @robwc - via ansible +4. disaster strikes @robwc - via ansible TBD - completed last 5. dynamic routing @kwbales - needs docs -6. recovering the lab @robwc - via ansible +6. recovering the lab @robwc - via ansible TBD - completed last 7. installing software @routelastresort 8. software overview @routelastresort 9. vpn connection to headend @kwbales -10. using ansible @robwc - needs docs -11. using pyezlibrary @kwbales - NEED TO FINISH TABLES AND VIEWS -12. registering your host @robwc - needs docs and registry +10. using pyezlibrary @kwbales - NEED TO FINISH TABLES AND VIEWS +11. registering your host @robwc - needs docs and registry **Tools** diff --git a/docs/usingansible.md b/docs/usingansible.md index 651aa61..128d799 100644 --- a/docs/usingansible.md +++ b/docs/usingansible.md 
@@ -1,21 +1,178 @@ Getting Started with Ansible ============================ -Ansible is a command-line automation tool that simplifies the large scale management of devices. +Ansible is a command-line automation tool that simplifies the large scale management of devices. It is one of the simplest tools that you can use to automate a large scale topology. There are only a few basics that you need to learn to use Ansible. + +**Helpful Links** + +1. [Ansible Best Practices](https://docs.ansible.com/playbooks_best_practices.html) +2. [Ansible Inventories](https://docs.ansible.com/intro_inventory.html) +3. [Ansible Variables](http://docs.ansible.com/playbooks_variables.html) +4. [Built-in Modules](https://docs.ansible.com/modules_by_category.html) + +**Benefits** + +1. Tasks are run step-by-step easily identifying any issues during a deployment +2. Can manage not only Junos devices but configure servers as well +3. Extremely flexible ordering of tasks +4. Simple to create playbooks with only YAML templates +5. Easy to learn +6. Easy to extend with custom modules + - Python is first class language for this + - But any language can be used to run scrips (Bash, Ruby, PERL) + +**Drawbacks** + +1. Unable to manage Windows hosts +2. Managing a large scale of devices requires a strong structure + - SSH Keys at scale + - Large scale variables +3. Extremely flexible ordering of tasks +4. Difficult to master + +**Execution Diagram** + +``` ++----------------+ +----------------+ +----------------+ +----------------+ +| | | | | | | | +| Inventory | | Variables | | Playbook | | Tasks | +| | | | | | | | +| | | | | | | | +| | | | | | | | ++-------+--------+ +-------+--------+ +------+---------+ +------+---------+ + | | | | ++-------+--------------------+-------------------+-------------------+-----------------> + +``` + +Ansible Technologies +-------------------- + +Ansible at its core uses [YAML](http://en.wikipedia.org/wiki/YAML) as the syntax for building playbooks. 
YAML or yet another markup language is a simplified language structure that has become quite popular for use due to its simplicity. In fact it is in use today in the PyEZ libraries for doing tables and views. + +A playbook consists of a few required elements. + +1. Name + - The name of the running playbook +2. Hosts + - Hosts to apply the tasks to +3. Tasks + - Tasks to apply to the hosts +4. (Optionally) Variables + - Variables allow for the customization of a running task + +**Playbook Example** + +```yaml +--- +- name: Configure basic firewall policies #defines playbook + hosts: mysrx #defines hosts to apply + connection: local #defines execution environment, local is needed for Junos devices + gather_facts: no #gathers facts for the devices + vars: #variables to be used in the playbook + junos_user: "root" + junos_password: "Juniper" + build_dir: "/tmp/" + address_entries: [ {'name':'LocalNet','prefix':'172.16.0.0/24'},{'name':'PrivateNet','prefix':'192.168.10.0/24'},{'name':'PublicNet','prefix':'10.10.0.0/24'} ] + fw_policy_info: [ {'policy_name':'Allow_Policy','src_zone':'trust','dst_zone':'untrust','src_ips':['LocalNet'],'dst_ips':['PrivateNet'],'action':'permit','apps':['any']}] + + tasks: #set of tasks to run + - name: Build address book entries #Name of task + template: src=templates/fw_address_book_global.set.j2 dest={{build_dir}}/fw_address_book_global.set #module to run task + with_items: address_entries #Add in additional variables to itterate over + + - name: Apply address book entries + junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/fw_address_book_global.set overwrite=no logfile=logs/{{ inventory_hostname }}.log + + + - name: Build firewall policies config template + template: src=templates/fw_policy.set.j2 dest={{build_dir}}/fw_policy.set + with_items: fw_policy_info + + - name: Apply firewall policies + junos_install_config: host={{ inventory_hostname }} user={{ 
junos_user }} passwd={{ junos_password }} file={{ build_dir }}/fw_policy.set overwrite=no logfile=logs/{{ inventory_hostname }}.log + +``` Inventory --------- +The inventory defines which hosts you can run Ansible against. This can consist of a simple text file or also utilize an API to gather this information. The format of file is in the traditional INI style format. The listing consists of a single host per line. You can also have groups of hosts that may have a common role. An example is if you had multiple web servers or database servers and you want to apply the same tasks to that group. You can also include ranges of alphanumeric characters as well. + +[Ansible Inventories](https://docs.ansible.com/intro_inventory.html) + +```ini +mail.example.com #A single host +host[a:z].example.com #26 different hosts defined by a range +172.16.0.1 #A host defined by an IP +172.16.0.[1:254] #Hosts defined by an IP range + +[webservers] #A group of hosts +foo.example.com +bar.example.com + +[dbservers] #A second group of hosts +one.example.com +two.example.com +three.example.com +``` + +It is also possible to query the inventory from a script or API. There are existing tools that allow you to plug into things like AWS. With a simple API call to AWS it pulls in your entire inventory from the list of existing VMs. + Variables --------- +Variables are the special sauce that makes Ansible so tasty to use. This allows you to take a playbook and customize it for your specific set of hosts you want to run against. So imagine you have two data centers. Each data center has a set of DNS, NTP, and syslog servers that are specific to the data center. In this case you can use the same playbook for both data centers, but specify different DNS, NTP, and syslog servers for each datacenter. 
+ +**Variable Example** + +```yaml +--- +- name: Configure basic firewall policies + hosts: mysrx + connection: local + gather_facts: no + vars: #variables to be used in the playbook + junos_user: "root" #username for our Junos devices + junos_password: "Juniper" #password for our Junos devices + build_dir: "/tmp/" #directory for us build templates in + #a complex variable, this is just a python dictionary or dict + address_entries: [ {'name':'LocalNet','prefix':'172.16.0.0/24'},{'name':'PrivateNet','prefix':'192.168.10.0/24'},{'name':'PublicNet','prefix':'10.10.0.0/24'} ] + ``` -export ANSIBLE_LIBRARY=/etc/ansible/roles/Juniper.junos:/usr/local/share/ansible -Install Junos module -sudo ansible-galaxy install Juniper.junos +### Variable scope + +A variable can be applied to several locations within your Ansible environment. The most specific application of a variable becomes the value that is used when applied. Using the ordering capabilities of variables allows you to further customize how your tasks are run. + +**Variable Order** + +1. Host +2. Group +3. Role +4. Variable File +5. Playbook -using pyenv in ansible -In inventory file: 172.16.0.1 ansible_python_interpreter=python +Ansible Galaxy +-------------- +Ansible not only includes a host of included modules, but we also have a repository that users can contribute to for Ansible. This is called Ansible galaxy and it allows you to easily install 3rd party modules for use in your Ansible environment. 
+ +**Example of installing Junos Ansible modules** + +```bash +[root@ansible-cm]# ansible-galaxy install Juniper.junos +downloading role 'junos', owned by Juniper +no version specified, installing 1.0.0 +- downloading role from +https://github.com/Juniper/ansible-junos-stdlib/archive/1.0.0.tar.gz +- extracting Juniper.junos to /etc/ansible/roles/Juniper.junos +Juniper.junos was installed successfully ``` + +Ansible Tower +------------- + +While all of this may seem great to use, how do you scale these scripts to a larger environment. For this Ansile has the tool Ansible Tower. It gives you a GUI that is wrapped around the management of Ansible tasks. This has a free trial version but it is not free to use. This can assist you in the management of a large scale environment + +[Ansible Tower](http://www.ansible.com/tower) diff --git a/examples/ansible/all.yml b/old_ansible/all.yml similarity index 100% rename from examples/ansible/all.yml rename to old_ansible/all.yml diff --git a/examples/ansible/lab_inventory b/old_ansible/lab_inventory similarity index 100% rename from examples/ansible/lab_inventory rename to old_ansible/lab_inventory diff --git a/examples/ansible/roles/VPN_Headend/defaults/main.yml b/old_ansible/roles/VPN_Headend/defaults/main.yml similarity index 100% rename from examples/ansible/roles/VPN_Headend/defaults/main.yml rename to old_ansible/roles/VPN_Headend/defaults/main.yml diff --git a/examples/ansible/roles/VPN_Headend/meta/main.yml b/old_ansible/roles/VPN_Headend/meta/main.yml similarity index 100% rename from examples/ansible/roles/VPN_Headend/meta/main.yml rename to old_ansible/roles/VPN_Headend/meta/main.yml diff --git a/examples/ansible/roles/VPN_Headend/tasks/main.yml b/old_ansible/roles/VPN_Headend/tasks/main.yml similarity index 100% rename from examples/ansible/roles/VPN_Headend/tasks/main.yml rename to old_ansible/roles/VPN_Headend/tasks/main.yml 
diff --git a/examples/ansible/roles/VPN_Headend/templates/main.yml b/old_ansible/roles/VPN_Headend/templates/main.yml similarity index 100% rename from examples/ansible/roles/VPN_Headend/templates/main.yml rename to old_ansible/roles/VPN_Headend/templates/main.yml diff --git a/examples/ansible/roles/VPN_Headend/templates/vpn_edge.conf.js b/old_ansible/roles/VPN_Headend/templates/vpn_edge.conf.js similarity index 100% rename from examples/ansible/roles/VPN_Headend/templates/vpn_edge.conf.js rename to old_ansible/roles/VPN_Headend/templates/vpn_edge.conf.js diff --git a/examples/ansible/setpath.sh b/old_ansible/setpath.sh similarity index 100% rename from examples/ansible/setpath.sh rename to old_ansible/setpath.sh diff --git a/proctor/Vagrantfile b/proctor/Vagrantfile index e69de29..4430caf 100644 --- a/proctor/Vagrantfile +++ b/proctor/Vagrantfile 
@@ -0,0 +1,64 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+require "vagrant-host-shell"
+require "vagrant-junos"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ #disable filder sharing by default
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ndo", primary: true do |ndo|
+ ndo.vm.box = "juniper/netdevops-ubuntu1404"
+ ndo.vm.hostname = "NetDevOps-Proctor"
+ ndo.vm.network "private_network",
+ ip: "10.10.0.10",
+ virtualbox__intnet: "NetDevOps-StudentInternal"
+ config.vm.synced_folder "", "/vagrant", disabled: false
+
+ ndo.vm.provider "virtualbox" do |v|
+ # v.gui = true
+ # v.customize ["modifyvm", :id, "--nic1", "hostonly"]
+ end
+
+ ndo.ssh.shell = 'sh'
+
+ ndo.vm.provision "shell" do |s|
+ # TODO: DO THIS STUFF!!!!!
+ # add this to the shell
+ # export ANSIBLE_LIBRARY=/etc/ansible/roles/
+ # set routes for 10.10.0.0/24 and 192.168.10.0/24 to 172.16.0.1
+ s.path = "scripts/ifbounce.sh"
+ end
+ end
+
+ config.vm.define "srx" do |srx|
+ srx.vm.box = "juniper/ffp-12.1X47-D20.7"
+ srx.vm.hostname = "NetDevOps-SRX01"
+ srx.vm.provider "virtualbox" do |v|
+ #v.gui = true
+ end
+ srx.vm.network "private_network",
+ ip: "192.168.10.10",
+ virtualbox__intnet: "NetDevOps-Private",
+ nic_type: 'virtio'
+ srx.vm.network "private_network",
+ ip: "10.10.0.10"
+ virtualbox__intnet: "NetDevOps-Public",
+ nic_type: 'virtio'
+
+ srx.vm.synced_folder "", "/vagrant", disabled: true
+
+ srx.ssh.username = 'root'
+ srx.ssh.shell = 'sh'
+ srx.ssh.insert_key = false
+
+ srx.vm.provision "file", source: "scripts/srx-setup.sh", destination: "/tmp/srx-setup.sh"
+ srx.vm.provision :host_shell do |host_shell|
+ host_shell.inline = 'vagrant ssh srx -c "/usr/sbin/cli -f /tmp/srx-setup.sh"'
+ end
+ end
+end
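Review bot: The second `srx.vm.network "private_network"` call is missing the comma after `ip: "10.10.0.10"`, so that argument runs straight into `virtualbox__intnet: "NetDevOps-Public",` and Ruby rejects the whole Vagrantfile at load time; the line should read `ip: "10.10.0.10",`. Inside the `ndo` definition, `config.vm.synced_folder "", "/vagrant", disabled: false` is called on `config` rather than `ndo`, so it re-enables the folder for every machine (the top-level line had just disabled it) with an empty source path — the intent looks like `ndo.vm.synced_folder ".", "/vagrant"`, but confirm against how the proctor box is used. The `ndo` box and the SRX "NetDevOps-Public" interface both get `ip: "10.10.0.10"`; they sit on different VirtualBox internal networks, so it is not a hard conflict, but if the proctor is meant to reach the SRX over NetDevOps-Public one of them needs a distinct address. `srx.ssh.insert_key = false` together with `srx.ssh.username = 'root'` keeps Vagrant's well-known insecure key as the root login on the SRX, which is tolerable only because the box is reachable solely over internal networks; a comment saying so would keep a later reader from copying it into a host-only or bridged setup, e.g. `# insecure default key kept on purpose: lab-only box on VirtualBox internal networks`.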