Red Hat is buying Ansible(venturebeat.com) |
Red Hat is buying Ansible(venturebeat.com) |
- Chef and Puppet are too expensive for most companies to acquire, and have too much operational cost for too little revenue
- Ansible got a strong following in the SMB space, Red Hat probably thinks they can move that upmarket some
- Ansible's agentless configuration management has potentially strong applicability in a container world (why do I need a chunky agent to configure resources on my docker image? What if, for some reason, I need to affect change on running docker images? - I realize this is a bit of an anti-pattern for docker, but it was something I heard a lot from big enterprises)
$100m still sounds very high, kudos to the ansible folks who have come a long way in the last few years.
EDIT: one more piece I didn't think of here - the openstack side of things is an area where Red Hat has made big long-term bets for the future of the company, and it probably helps to justify the price in terms of backstopping their openstack support.
- Long-running processes where they don't want to destroy and redeploy every single time a fix or change gets deployed
- One is where they try to reduce the configuration sprawl by making configuration changes at runtime using something like ansible
- One is straight-up bigco stupidity (we must have a way to change the running configuration of a system because the audit team says so)
- separation of responsibilities - we have one team that builds "approved" docker images, and then dev teams can make changes based on that - it might be easier to deploy changes at launch time
Again, I'm not saying all of these make sense, but back when I was workign on docker strategy and interviewing really big companies, these are the types of concerns they had about implementing docker at scale.
Maybe that's not standard with Docker specifically.
Not saying that one is better than the other, just than there's more Python out there in sysadminland.
http://www.infoworld.com/article/2687553/devops/puppet-serve...
Ansible is growing its OpenStack support, and they might see an opportunity for the RDO product.
If anyone is wondering what the 'RDO' acronym stands for, from the FAQ[1]:
"RDO has no expansion or longer name, officially. It is not an acronym or abbreviation for anything.
However, RDO does focus on building a distribution of OpenStack specific to Red Hat operating systems (and clones of Red Hat operating systems). So, in some sense you can think of RDO as being a project started by Red Hat to build a distribution of OpenStack.
The 3 letter meaningless acronym sort of comes from that line of thinking."
http://michaeldehaan.net/post/118717252307/immutable-infrast...
My idea was to develop the infrastructure with Ansible, e.g. no ssh to change some httpd settings at all. Everything via Ansible. It worked very well as long as the playbooks and number of servers was very small.
His github contributions rate and depth for ansible while still the CEO in y2014 has been a great inspiration for me.
In fact the puppet side of Satellite is built around Foreman (http://theforeman.org/) which is an open source project that isn;t Red Hat controlled so even if Red Hat wanted to move 100% to Ansible it would be very hard work for little gain. It would also be a really bad commercial idea Puppet is by far the market leader and most of their customers buy satellite precisely because it integrates with their existing puppet manifiests.
So I expect Puppet to stay as Red Hat's goto configuration management tool, and ansible to be used more for its ad-hoc remote execution capabilities where puppet is nowhere near as good. RH already uses ansible in the installer for Open Shift for example because it can set up multiple boxes without needing an agent pre-installed.
Satellite 6 and Puppet Enterprise are direct competitors, and there is not much further upstream development on Puppet 3.6, so I expect Red Hat to have to take on the necessary development work during the life time of the product.
So, in essence almost a fork already, and in the future much more so. You already have to choose, you have to port your old codebase and tooling to one or the other.
Ordinary sysadmins can write their own ansible modules with ease. It's possible that cfengine has that now but ask sendmail about repairing an old reputation.
I hope that Redhat will accelerate the growth of this very well engineered platform.
Congrats to the Ansible team!
One thing I wonder is how much the project's priorities would shift away from (if at all) anything non-RHEL-centric.
Apart from the fact that it's been a shambles, Red Hat have been solidly pushing customers down the puppet route. I expect there will be some grumpy meetings in the next few weeks.
Going by projects like NetworkManager it'll work okay, but you'll need to be a paying RedHat customer to get any useful documentation.
Basically you lose a lot of time searching the web for how to do things that you already know how to do in shell, but the benefits are not so clear.
Edit: added link to mhartl's tutorial: http://www.learnenough.com/tutorial-writing
Alessandro
https://sysadmincasts.com/episodes/43-19-minutes-with-ansibl...
https://sysadmincasts.com/episodes/45-learning-ansible-with-...
https://sysadmincasts.com/episodes/46-configuration-manageme...
https://sysadmincasts.com/episodes/47-zero-downtime-deployme...
Here is the financial disclosure from RedHat. NOTICE THE FIRST SENTENCE.
The acquisition is expected to have no material impact to Red Hat's revenue for the third and fourth quarters of its fiscal year ending Feb. 29, 2016 (“fiscal 2016”). Management expects that non-GAAP operating expenses for fiscal 2016 will increase by approximately $2.0 million, or ($0.01) per share, in the third quarter and approximately $4.0 million, or ($0.02) per share, in the fourth quarter as a result of the transaction. Red Hat calculates non-GAAP operating expense by subtracting from GAAP operating expense the estimated impact of non-cash share-based compensation expense, which for fiscal 2016 is expected to increase by approximately $1 million for each of the third and fourth quarters, and amortization of intangible assets, which for fiscal 2016 is expected to increase by approximately $1 million for each of the third and fourth quarters, in addition to transaction costs related to business combinations, which are expected to increase by approximately $1 million in the third quarter. Management expects GAAP operating expense to increase for fiscal 2016 by approximately $5 million, or ($0.02) per share, in the third quarter and approximately $6 million, or ($0.02) per share, in the fourth quarter as a result of the transaction. Excluding the operating expense impact as noted above to GAAP and non-GAAP operating margin and GAAP and non-GAAP earnings per share, Red Hat is otherwise re-affirming its fiscal 2016 third quarter and full year guidance provided in its Sept. 21, 2015, earnings press release.
Or not implying anything but hoping someone here has an answer or analysis?
I hate ansible, it's just better than any of the alternatives for different reasons. Luckily we're moving away from needing any of them. Scripting an image build is a lot easier than updating a machine using CI: you start from a blank slate every time, and an out of date script isn't the catastrophe it is with CI since you have the images saved.
Using jinja2 for markup compounded the issue in my opinion, as it has no loops and logic is less than obvious (compared to mako for example).
Still I find its agentless model, the idempotent model, being able to use it on machines where you don't have root access etc... gives it a place that nobody had fulfilled.
This comment makes pretty much no sense at all. Example of a loop in jinja2:
{% for item in ("one", "two", "three") %}
item is {{ item }}
{% endfor %}The logic is pure python minus perhaps setting variables ie:
{% set name = "dorfsmay" %}
{% if name == "dorfsmay" or name.startswith("dorfs") %}
You're spreading FUD about jinja2
{% endif %}isn't a loop?
A dumb declarative language is easier to understand and easier to maintain. It can be used to help maintain a strict separation of concerns.
The smarter you try to make the language, the worse it becomes. Ant & MSBuild AFAIK are basically full programming languages in their own right so there was really no point to them actually being their own language.
Maybe because it can't be easily approached by the iterative development style that is in fashion these days.
Syntactically the problem I run into is that it's got it's own DSL in task definitions, so it can be hard to keep in mind what's YAML and what's the DSL.
Semantically loops and conditions are essential features so I don't have a problem with that. The inheritance could use some clarification, I was hit last year by a regression that remains unresolved.
I don't think it's self-important, but I do think it's important to note that you can't send someone an email at 9 PM on a friday and expect a response. Noting that they did not _immediately_ respond is an important differentiation between not responding at all.
Alternatively, "Answer me now, before someone else beats me to publication, oh god please ... c'mmooon it's almost deadline, pickuppickuppickuppickup ah dammit, too late."
Sure you can blame them for a rush to publish if you want. I think mainly they are trying to indicate they reached out to a relevant party and didn't hear back. And by saying didn't hear back immediately they are making clear that it may well be the party wasn't immediately available (not that they were not willing to respond at all).
On some (maybe all, I don't know) sites, they then update the story if they get responses.
Also, I think Ansible's idempotent model actually works nicely with immutable infrastructure. Why? For development of your stack. While messing around with it, you probably don't want to rebuild the whole thing from scratch. Of course you can play funny games with caching of remote packages and so on, but that's getting into Ansible territory anyway.
So I think a good model for immutable infrastructure is to use a tool like Ansible to develop the stack, then in production you would use the same tool to spin up immutable instances.
I see Ansible as primarily an orchestration tool.
But what do you do when you want to change my MySQL config file? Create a new image and somehow transfer the data? Or are the datastores somehow externalized? Then how do you synchronize shutting down the old image, then starting the new updated one, preventing them from accessing the store at the same time?
The linked article kind of waves these issues away ('externalize state in Cassandra or RDS'). Then am I supposed to use two mechanisms/tools to run my infrastructure? Docker for stateless servers and something like Ansible for stateful servers?
I particularly like the definition that emerged:
'I see it as conceptually dividing your infrastructure into "data" and "everything else". Data is the stuff that's created and modified by the services you're providing. The elements of your infrastructure that aren't managed by the services can be treated as immutable: you build them, use them, but don't make changes to them. If you need to change an infrastructure element, you build a new one and replace the old one'
More in the actual full transcript and in the video
This can be mitigated somewhat by putting Ansible on the target machine, downloading all the necessary files to that machine, and then running Ansible locally... but that seems awfully fragile to me.
I am much more interested in Salt's ZeroMQ path these days. It seems to scale better, at least on paper and in my few small tests.
Finally, when using ControlPersist with pipelining mode in Ansible, it's as fast if not faster than zeromq or our own accelerated mode (which we will be deprecating at some future point when older SSH installs are not as common).
Disclaimer: I work in the Cloud Orchestration team at Rackspace.
[0]: https://github.com/openstack/heat-templates/tree/master/hot/...
That's why it has tags. So you can run just the settings states rather than running the whole 20 minute thing over and over again.
We eventually settled on having Ansible build an AMI for us that can then be spun up by as part of a Cloudformation template (also initiated by Ansible).
We've actually been moving further and further away from having Ansible handle the configuration management side of things, and deal with Orchestration primarily.
Completely wiping and reinstalling the main database servers (one after another of course) during the day while the system was in active use and completing the process with zero user intervention, that felt amazing.
Since then, whenever I had to reinstall a machine for one reason or another, I always appreciated the immense speed-up I gained by not having to ever manually re-do the configuration.
Better yet: All the years of growing the configuration, all the small insights learned over time, all the small fixes to the configuration: All are preserved and readily available. Even better: By using git, I can even go back in time and learn why I did what and when.
"Why am I using TCP for NFS? Oh right - that was back in december of 2012 when we were using UDP and we ran into that kernel deadlock" - that's next to impossible to do when you're configuring servers manually.
- script: /some/local/script.sh --some-arguments 1234
originally one of the selling points of ansible was that you could just include a shell script and run it.I've also often found much of my time wasted trying to get ansible to do something simple.
I did a fair bit of work based on the OpenStack tripleO project, which suffered from the OpenStack NIH syndrome. They could not agree on a CM tool, and wrote it in bash. Never, ever, ever again. Trying to cluster RabbitMQ / Percona across 3 different machines, via bash is an abomination, whereas in Ansible / Salt etc. it is pretty easy :)
However the config management stuff seems to come to light when you've got a mess on your hands and need to rationalise it and make it consistent.
I'm slightly leaning towards the "rebuild with known good baseline" state of affairs these days however even as a long time Ansible user. Rather than upgrade stuff, I build something new alongside and then do a switcheroo nearly every time.
One day, hopefully containers will allow us to have consistent state everywhere.
if [ ! -d /opt/foothing ]
then rm -f /opt/foothing && mkdir /opt/foothing
fi
cd /opt/foothing
tar xf /tmp/instpkg.tar.gz
sed -e s/QQQbarvalQQQ/$BAR_SETTING/ -i /opt/foothing/config
…
Normally, one just wants to install & configure foothing. Abstracting that away in shell is possible but a pain: it doesn't really have a rich language for composing paths and other variable values; quoting is a right royal pain; by the time one's written a fully-working shell script (note that the snippet above has no error-handling, breaks if /opt doesn't exist, breaks if $BAR_SETTING contains whitespace and doesn't enable one to override the foothing installation location), it's nearly impossible to read & understand.The Right Answer would involve a language which enabled one to create one's own syntactic abstractions in order to satisfy the general and specific needs of software installation. As an example, it'd be nice to have a WITH-INSTALLATION-DIRECTORY construct, which ensures that a directory exists, ensures that it's owned by the appropriate user, ensures that no other package already claims it (except that a previous version of the currently-being-installed package is okay), registers the directory and everything created in it during WITH-INSTALLATION-DIRECTORY as belonging to the currently-being-installed package, handles errors in a well-defined and useful manner for calling code, and so on and on and on.
And of course even that isn't high-level enough: If I'm installing bazit, which depends on foothing and quuxstuff, then I'll want to call something which ensures they exist. Or maybe there's an optional 'dependency,' and I want to do certain things if they exist and certain if not.
And maybe it's not low-level enough either. What if I want to override one particular sort of installation behaviour, but not the rest? What if I want to install a package in my own account, as myself? Wouldn't it be cool if I could set a few variables and the package manager Just Worked™?
As another user indicated, what all these tools really need is to be Lisp: versionable data which is code. As Shiver's work with scsh demonstrated, a Lisp-like language can be very pleasant to write POSIX applications in. Macros enable one to create useful syntactic constructs which make meaning, rather than details, clear. Dynamic variables (as in Common Lisp) easily enable customisation based on the call stack. CL's condition and restart systems are the gold standard for error signalling and recovery.
We originally tried the docker module in Ansible but found it had a few problems. There's been a lot of work on it since, and I expect it will be in a much better state when Ansible 2.0 is released.
If you aren't using Rails for your web-stack, I suspect you might not be using any Ruby at all on a server. It isn't even part of the CentOS minimal install. Python is. I'm not sure about how Ruby is used in Ubuntu, maybe it's more common there.
However, language choice alone makes Ansible more "compatible" with the rest of the RHEL stack.
There is no Ruby installed by default in Ubuntu - or Debian last time I looked. Also (like Redhat) a significant chunk of the userspace distro code is written in Python.
Currently Vagrant is the only Ruby tool I use in sysadmin/devops land, and it's a workstation only installation rather than a server one.
Not having to deploy a whole new language runtime for your devops tooling is why I preferred Ansible and Salt over Chef and Puppet.
I've been in IT since 1997, ops for a great portion of that and now "devops" since before that was a thing...
Never heard anyone say Ruby is anything... unless you were building or working for a Heroku based service or company I guess...
https://fedoraproject.org/wiki/Red_Hat_contributions
http://www.redhat.com/en/about/blog/red-hat-leads-open-source-contributions-to-kernel(E.g. http://www.slideshare.net/cfengine/15-nice-reports-with-cf-e...)
For example, I wrote a report to inventory which hosts are connected to Active Directory, and had a pretty pie chart for management in minutes (across 2K+ hosts).
Also I used to work with Puppet in an 8000 server environment and Ansible and Salt both are so much more fun and easy to use than Puppet. I hear the same thing over Chef too.
Last Ansible is the only one that doesn't require any agents installed and does everything via SSH. At first I didn't think I'd like that coming from Puppet but, I can do everything I need to without another daemon to worry about.
But development of the project has been fueled by skyrocketing participation. Myself and a friend of mine have both contributed small bits of code to the project without being professional developers, and looking at the github contributors they are in the thousands for a 3 year old project. Compare that to cfengine's 73 contributors.
It's definitely good to not be forced to use agents everywhere + a dedicated "mothership" instance, but sometimes I do wish I had Ansible agents on my instances, just so I could "git push" the whole thing and forget about it.
Looking forward to Red Hat following on their good old habits and open-sourcing Tower.
Why not? Configurations are collections of items, and among the things Lisp excels at is…lists of atoms.
Take a look at https://github.com/ansible/ansible-examples/tree/master/lamp... (a simple LAMP stack implemented in Ansible).
It uses a .ini-style file to manage lists of hosts, e.g.:
[webservers]
localhost
[dbservers]
bensible
sensible
Why not put that in a list? (hosts
(webservers localhost)
(dbservers bensible sensible))
The Ansible playbooks are YAML lists. There's no particular reason that: ---
# This playbook deploys the whole application stack in this site
- name: apply common configuration to all nodes
hosts: all
remote_user: root
roles:
- common
…
is more readable than: (playbook
"This playbook deploys the whole application stack in this site"
(play
"apply common configuration to all nodes"
(hosts all)
(remote-user root)
(roles common)
…)
or: (playbook '((all '(common) :user root :comment "apply common configuration to all nodes") …)
:comment "This playbook deploys the whole application stack in this site")
In fact, I'd argue that both Lispy representations are much more readable.Ansible is great stuff, but some of those decisions were quite weird.
For large datasets that can take hours / days.
There are many potential situations where not running a full inventory against a running machine results in a machine not being properly configured.
Then you'll probably be running the whole playbook again, including those settings changes you made before.
>Or of a machine was temporarily offline when a tag was run
Then it'll fail and give you a warning. Shrug your shoulders and run it again?
It's like make vs a shell script. If you use scripts to build your programs, you either have to write your own checks to test whether every step is necessary or not (cumbersome, error prone, and quite complex) or you just script it to build from scratch every time (inefficient).
But for systems management, rebuilding from scratch can be worse than just inefficient. Imagine if your script reinstalled MySQL from scratch every time you ran it...
If you run "apt-get -y install foo" that means that you want "foo" to be installed. If it's already installed, it just does nothing.
In Ansible, you'd use "apt: name=foo state=present" which does exactly the same thing as the apt-get command, but requires a web search to figure out how to write (assuming you know normal Linux system usage but haven't memorized Ansible).
The only differences seem to be that Ansible tells you whether the command made a change or not, and that you can parse the Ansible configuration with an external tool (assuming there are no loops/variable/etc.), but both of these things don't really seem that useful in practice.
not really. If you do that it means that you want to update foo to the latest version the system knows about.
And other commands fail if the thing they are supposed to to is already done. Like `adducer`. So you could still run it and assume a failure to mean "the user already exists" - but it could of course also mean: "the user didn't exist, but creating it failed".
Then you start to have a look at the exit code which may be different between the two cases.
But every command behaves differently, so you need to learn all of this.
With Ansible (or puppet), the syntax is always the same and the actually needed operations are abstracted away.
I still use Salt instead of shell scripts, but that's mostly to have the authenticated/encrypted channels and only have to push my code to one place to run it globally.
In a S-expression-based configuration language, one would either embed an S-expression-based programming language, or generate the S-expressions with a programming language which can manipulate S-expressions.
I don't think that it's that easy to get away from needing Turing-completeness in general. No reason you can't still support rollbacks, dependencies and diffs anyway.
Also there's this school of thought that attributes most security problems to people accidentally using Turing-complete languages where they meant to use something less powerful. Consider vulnerability to arbitrary code execution through user input injection, which could be interpreted by your program being a "parser" (so-called "shotgun parser" - it's implicitly distributed throughout your code base) for a Turing-complete superset of what was supposed to be a list of accepted inputs. There are pretty good talks about this line of thought and I personally find it pretty interesting.
But none of this affects the fact that in complicated enough programs, you need "configuration" to be more code than data, which leads people not knowing of Lisp to reinvent a subset of it in XML or JSON or something similar.
You missed more Ansible strengths, like detecting changes and restarting only affected services for example. Show me the idempotent shell script which does apt-get to install some dependency, updates some configuration file, and then starts or restarts a service depending on both the current state of the service (was it already running?) and whether the apt-get or config file change actuallly modified things.
Then scale that up. A lot.
There is even more. If you care to learn it before dismissing it.