Ansible playbooks are code: we check, test, and continuously integrate. Ivan Ponomarev

I suggest you read this transcript of the talk by Ivan Ponomarev, "Ansible playbooks are code: we check, test, and continuously integrate."


Code refactoring can be fun, especially when it is your infrastructure code. On top of that, Ansible roles for some reason tend to grow in complexity quickly, which adds a twist to the task. Ivan will explain how to tame the complexity of Ansible code through testing in Docker containers.
As the code base grows, Ansible brings familiar problems: code that is hard to maintain, errors, and fear of change. Familiar problems have a familiar solution: automated testing and CI. In the talk, Ivan shows how to use tools to address the "fragility" of Ansible code, perform static analysis, test Ansible scripts, and configure CI systems to publish roles to Ansible Galaxy.



. , . , , - .



. . . . — «», - , . , , — DigitalOcean. : Terraform + Ansible. Terraform, Ansible .



Ansible , best practices. - — , , , , . .



, . best practices, . , -, - .



, . :


  1. .
    • , .
    • . : , ? ?
  2. , , .
  3. . playbook, , .


CI. ? , unit-tests , Java Python. configuration is code. ?



, , , , .


— well-formedness: . , . YAMLLint, Ansible-lint Syntax check playbook. .



YAMLLint.


  • YAML. YAML , . , .
  • .
  • UNIX-style.
  • , YAML, , .

, Ansible, , . , Windows, Windows-style , . YAMLLint .



YAMLLint. : , - , -. YAMLLint YAML- , Ansible playbooks , - , .



Ansible-lint — , good practices.


:


  • command module, — shell module? . Ansible-lint .
  • command module, , Ansible. Ansible-lint , Ansible.
  • idempotence () command shell. idempotence - . , Ansible, best practices .
  • , , Python - , , .


. «». - , . , CI-. .



.



— Syntax check, Ansible. . «», , — CI, . Syntax check Syntax check, , . - , .



CI-. Jenkins, . pipeline. , . , Ansible-.



, , . -, , . ?



. Jeff Geerling — , Ansible-. , «Ansible for DevOps». , Travis , .



, docker-. .



Molecule. , - . . Ansible-.



OpenSource-, .



Python environment. ansible, molecule , Docker, — docker-py.



, . Ansible , . , . instances (, ), . , .


, playbook. Playbook — , , instances.


.



-, . molecule, . , readme-, , Ansible-. Molecule Default. , Default , .



molecule , . Default-. , . , Molecule, . .



, : molecule test. , Molecule . , . . , .



--debug, , docker-py. , docker-py . --debug : .



Test matrix. , Molecule . , . , syntax, converge, idempotence, instances, .



, , — , , Molecule , instances, ? — molecule.yml. Platforms instances, . , . Ansible converge , Ansible .


docker, image. , image . , systemd. - , systemd, , , docker , . , , systemd.



docker .


-, instances , , Ansible.


-, . .


Vagrant, .


Molecule, . docker — , .



: , . , .


requirements.yml, best practices Ansible. : . , dependency, .



, : YAMLLint, Ansible-lint, Syntax check.



converge instances playbook.yml. , . , - . converge playbook.yml. , - , .



- : converge , , , , — destroy=never ( « instances») docker, interactive- , .



converge. , , instances , . Molecule . , diff Ansible, Jeff Geerling : , . , , . , .



--diff. , , , , failed idempotence.



Molecule — . , , . , , . Molecule .


:


  • Testinfra (Python, default).
  • Serverspec (Ruby).
  • Goss (written in Go, tests in YAML).

, - , Serverspec, Molecule.


, Testinfra, Python, Molecule Ansible, .



Testinfra Molecule. .



, , ? , , - , ? shell, - , .


. , host, host «run» return code stdout stderr .



assert, , , rc=0. - , assert , : , .



molecule test, — Ansible- instances. instances, destroy=never molecule verify. instances.



, . 2000 JUnit, Unit-, : «keep the bar green to keep your code clean». everything is code, .



? , . curl — - , curl.



Testinfra . , . Host.process , host. - , - , , : , root , - .



. , .



. , - , , - , . -, exists , , contains , - , , OK.



- TDD, , , Ansible, Ansible.


Ansible- , Java Python, .


, , - — Testinfra, — Ansible assert. , — Ansible-. Jython — Python JVM. , jython version, , - .



. , , Molecule, Molecule , . ? Ansible-lint. Ansible-lint , Molecule .


assert Ansible.



, . , , , , , , .


. - production - , , Ansible playbooks .



, -. , , , Testinfra, . , Ansible- .



. . — Galaxy. GitHub, OpenSource, GitHub , , GitHub- CI . , Master, . - , - Master, .



? Molecule CI-. Jenkins, «». Jenkins Multibranch, checkout MyRole, , Ansible , : MyRole, . : symlink , .



Molecule .



, Jenkins. - - , , . , . , , , molecule test.



, , OpenSource, , — Travis. . services docker, , Ansible Molecule docker-py. , — , , , .


— molecule test, , , GitHub-.



, webhook, Ansible Galaxy , : build passing build failing.


Galaxy . , GitHub, Ansible Galaxy. , Travis webhook. CI , , , — . Travis.



, ? — - , - , copy-paste-modify .



. , , Galaxy, . , Molecule, , .


, , linting. — YAMLLint, Ansible-lint Syntax Check. , .



: - ? , Ansible Galaxy Molecule, , Molecule . , , , , . , , YAML well format, .



- ? ? , Molecule — . , , Molecule .


, , , , .



, , .


— Heisenbug. , .



- . , ?


  • . , , - , , , URL, URL.
  • , .
  • . , , , , Ansible .
  • . , , , instances - , , failsafe. , , instances?

: , framework, pytest. , , . , .



, ? , pytest, , — , , — . asserts : , . . : Python, values- , .



, , ? . , , , ‘port$’. «var_values», , -, Ansible playbooks, var_values , «port», , , , , .


var_values? Python . YAML-. , YAML Ansible, , .



, , , , , .


? . port_var_values, , , .



, : «keep the bar green to keep the configuration clean». , .


: , . , . , . , . , . , , .



— , «» . -, - , .


: «password», «pass», «pwd». -, , placeholder, -, - , Vault. , .



. pull request. . : k=’myskq_root_password’, v=’12345’. , password «12345», , GitHub . , pull request .


.



— Ansible.


  • -, : YAMLLint + Ansible-lint + Syntax check — . - Ansible-, - , , , , . , . Ansible-lint , , best practices .
  • Molecule.
  • . playbook failed fast. , , - , .
  • .


  • - — Molecule. : pip install molecule, molecule init, molecule test.
  • ? converge idempotence.
  • converge idempotence? .


, : , , . — ? , Git, , pipeline, quality gates, .



, , — GitHub + Travis + Galaxy. OpenSource. , OpenSource. Jenkins Multibranch .



, , , .




: ! . : , , , ? , Ansible? Ansible , Python, Testinfra, Molecule. , Python, , .


: ? , Java. pull request — : . , — - , . , - , , , . . playbooks . , . - , ? . , - , . - shell, shell - . , .


: Ansible Windows? Ansible playbook Windows. ? , ?


: , Ansible - Windows Testinfra. Windows, Ansible cygwin . Linux- , . , . .


: , . — . , ? . changed_when, ?


: , -, - , , ?


: , , , . , .


: , asserts, . . . command shell, , . , , . — , — , . , . Ansible . , , , . .


: . , Ansible gathering facts study, , …


: .


: , , JUnit , — , , gathering tasks, , , ?


: . , . -, -. -, ? , -. , , , , , - . - . , : , , ? .


: , , GitHub , . , version. , .


: . . Molecule , .


: . , ? , - , - , , , .


: . , service is running. , «»?


: , — , . , , …


: , , , -, - . , «200» , - . . selenium- . , Ansible : « ». , , «200» , , , pipeline.


: production Ansible Galaxy ? .


: , . , nginx, PostgreSQL. . Oracle Java Ansible Galaxy. . . , , . , Ansible build pipeline. Molecule, Travis . , , Jeff Geerling.


: playbook Ansible Galaxy?


: , , . . , , , . , 150000 , , 150 . 150000 , , , - production.


: Jinja. , Jinja , hosts. ?


: , Molecule , Molecule , . inventory. Molecule , , . - … Molecule? Molecule - , playbook.yml. playbook.yml, , , playbook. - Jinja, — . , . Molecule .

