Johanna Toikkanen // August 01 2017
Visiting AnsibleFest 2017 in London
A sunny Wednesday afternoon I arrived in London for Thursday’s AnsibleFest 2017. I was so excited to be attending the happening with over 800 attendees that it feelt more like a vacation than a business flight.
On Thursday, after the welcoming words and state update from Mark Phillips and Justin Nemmers, Jason McKerr gave us a sneak peak at Ansible Core 2.4. It will have more features to cloud, Windows, Networking, containers and using Python 3.
The customer presentations started with HSBC’s Richard Henshall telling us about how to find balance between control and flexibility. The regulations, be it for banking, or for other sensitive informational reasons, are there to make it easier for us to keep data secure. This does not mean you cannot share with the community. You just need to create Ansible Roles which are truly reusable and also shareble to the Ansible Galaxy community, not only because someone else can use them but also because you have not shared any secrets, only your expertise in creating good roles. In Mr. Henshall’s words: “Open up, go play, but play in a controlled format.” Don’t force people; instead give them a good selection of controlled tools that help everyone accomplish what they need to do.
Even though there wasn’t any need to stay in one track for the whole time, the Tech Deep Dive seemed the most interesting track for me. It wasn’t a boring start with Doug Bridgens from Far Oeuf, who gamified the audience to show why it is better to use access tokens with identities instead of knowing one password or key that opens the vault for all passwords and authentication keys. That was the introduction to HashiCorp’s Vault, which he kept separated from Ansible Vault by calling it HashiVault.
To create idempotent HashiVaults he uses two keys to unseal the vault and check the seal status, and consider the vault open according to its state. Add there also an automatically generated secret with a lifetime and even Mr. Henshall should be quite settled with HSBC’s regulators.
In the afternoon Gaurav Rastogi from Avi Networks explained how even when you use Ansible and have access to an API, a real, idempotent, Ansible module for the API is the way to go. Then you do not really need to know the API, only the resource, and the module takes care of the rest. The biggest benefit is the speed of integration, a few weeks instead of a few months, as you do not really need to know the internals of the API. Other benefits are good documentation, audit trail and dry-run possibility.
The curio of the day came from Ansible’s Matt Davis who elaborated on the ongoing work of managing Windows hosts with Ansible. Hopefully this part of Ansible will gain more interest and awareness. It used to sound like a long haul, but nowadays with Microsoft getting more and more into Open Source, it isn’t that far fetched. Everyone in operations that need to update both Linux and Windows servers most certainly would like to see everything usable from one place. Then it’s not a big deal even though that one place is a Linux server running Ansible, logging into Windows servers using WinRM (Windows Remote Management). Use win chocolatey to do package management on Windows and the action plugin win_reboot when you need to reboot a Windows server. If you’re interested in developing Ansible for Windows, just give Matt Davis a shout. I’m quite sure there aren’t too many Windows gurus exploring this avenue.