DDevelopment & Design

Real-life Ansible – chapter one – how to run playbooks on production (more) safely

This is the first blog post in a series presenting some various real-life examples of Ansible in our projects. If you are interested in Ansible going production-ready – stay tuned!

Problem definition

We have a few inventories, like dev, stage and prod. For some of them, stability is not as important as for the others. On the other hand, our playbooks may contain several parameters, and we also want to pass some ansible-playbook parameters (e.g. tags), so a command to perform some action could be pretty long. It’s easy to overlook the crucial ones, especially for the production environment.

ansible-playbook -i inventories/dev app1.yml -e app_version=snapshot -t app --skip-tags maintenance -e serial=2

In such a situation there is a very high risk that we find a command in our shell history and run a playbook forgetting to change the inventory. While running the wrong command on dev is not so painful, we want to prevent accidental playbook running on production.

Confirmation on production

In the next few paragraphs I will show you our solution of making our playbooks production-aware.

Dedicated role

We decided to create a dedicated role named confirm, which is responsible for confirming our production actions. Why a dedicated role? Because we can include it in all playbooks that require confirmation. So to ensure confirmation is prompted, it’s enough to add a role to your playbook.

- hosts: app1 gather_facts: no roles: - confirm tags: - always

We can skip the fact-gathering stage, as we do not depend on any system parameter. Most importantly, by using the always tag, we run this role always, regardless of the tags given in the command line.

Role tasks

I will show you the tasks’ evolution leading to the final version. Firstly, there might be just two simple tasks:

- name: wait for confirmation if required pause: prompt: "You are running playbook for {{ env }}, type environment name to confirm" register: confirm_response - name: fail if wrong confirmation fail: msg: "Aborting due to incorrect input, given <<{{ confirm_response.user_input }}>>, expected <<{{ env }}>>" when: env != confirm_response.user_input

The snippet above shows a simple prompt asking a person to type the environment name to confirm their actions. This gives us the solution to our main goal – getting rid of playbooks that are running mindlessly. After prompt, you must type again the environment name (e.g. prod), so you must be aware that the playbook is run on production. If the confirmation response is wrong, the playbook is aborted.

Running multiple playbooks at once

Sometimes we need to run multiple playbooks at once, e.g.:

ansible-playbook -i inventories/dev app1.yml app2.yml app3.yml

In the solution above, we should confirm our actions in each playbook. To avoid this drawback, let’s introduce a slight modification:

- name: wait for confirmation if required pause: prompt: "You are running playbook for {{ env }}, type environment name to confirm" register: confirm_response when: confirm_response_user_input is not defined - set_fact: confirm_response_user_input: "{{ confirm_response.user_input }}" when: confirm_response_user_input is not defined - name: fail if wrong confirmation fail: msg: "Aborting due to incorrect input, given <<{{ confirm_response_user_input }}>>, expected <<{{ env }}>>" when: env != confirm_response_user_input

Now, we save the confirmation to the variable, so we can confirm only once. Why a dedicated variable? Why can’t we use confirm_response? Because if we skip the first task, confirm_response would contain info about the skipped first task instead of previous user input.

Securing only prod

Securing all playbooks would give us some inconvenience – it’s only important in a prod environment. To run security only on prod, we can wrap all tasks in a block, where we would test if this environment needs securing.

- block: - name: wait for confirmation if required pause: prompt: "You are running playbook for {{ env }}, type environment name to confirm" register: confirm_response when: confirm_response_user_input is not defined - set_fact: confirm_response_user_input: "{{ confirm_response.user_input }}" when: confirm_response_user_input is not defined - name: fail if wrong confirmation fail: msg: "Aborting due to incorrect input, given <<{{ confirm_response_user_input }}>>, expected <<{{ env }}>>" when: env != confirm_response_user_input when: confirm_actions is defined and confirm_actions delegate_to: localhost run_once: true

Now, only production has the variable defined as confirm_actions: true and only production needs manual confirmation before running. We must delegate the whole block to localhost, because we need to set fact – and we want to do it once and for all hosts.

Summary

Using the solution given above, we achieved the following goals:

  • Confirmation is required before running a playbook on production.
  • Even if we run a few playbooks at once, only single confirmation is required.
  • It’s easy to secure additional roles.

— Previous article

TouK Hackathon - April 2021

Next article —

TouK hackathon (TouKathon) - April 2022

You May Also Like
DDevelopment & Design

Drawing arrows in JavaFX

Some time in the past, I was wondering what's the easiest solution for drawing arrowconnections between shapes. The problem boils down to computing boundary point for given shape, which intersects with connecting line. The solution is not so difficult ...Some time in the past, I was wondering what's the easiest solution for drawing arrowconnections between shapes. The problem boils down to computing boundary point for given shape, which intersects with connecting line. The solution is not so difficult ...
DDevelopment & Design

How to automate tests with Groovy 2.0, Spock and Gradle

This is the launch of the 1st blog in my life, so cheers and have a nice reading!

y u no test?

Couple of years ago I wasn't a big fan of unit testing. It was obvious to me that well prepared unit tests are crucial though. I didn't known why exactly crucial yet then. I just felt they are important. My disliking to write automation tests was mostly related to the effort necessary to prepare them. Also a spaghetti code was easily spotted in test sources.

Some goodies at hand

Now I know! Test are crucial to get a better design and a confidence. Confidence to improve without a hesitation. Moreover, now I have the tool to make test automation easy as Sunday morning... I'm talking about the Spock Framework. If you got here probably already know what the Spock is, so I won't introduce it. Enough to say that Spock is an awesome unit testing tool which, thanks to Groovy AST Transformation, simplifies creation of tests greatly.

An obstacle

The point is, since a new major version of Groovy has been released (2.0), there is no matching version of Spock available yet.

What now?

Well, in a matter of fact there is such a version. It's still under development though. It can be obtained from this Maven repository. We can of course use the Maven to build a project and run tests. But why not to go even more "groovy" way? XML is not for humans, is it? Lets use Gradle.

The build file

Update: at the end of the post is updated version of the build file.
apply plugin: 'groovy'

apply plugin: 'idea'


def langLevel = 1.7


sourceCompatibility = langLevel

targetCompatibility = langLevel


group = 'com.tamashumi.example.testwithspock'

version = '0.1'


repositories {

    mavenLocal()

    mavenCentral()

    maven { url 'http://oss.sonatype.org/content/repositories/snapshots/' }

}


dependencies {

    groovy 'org.codehaus.groovy:groovy-all:2.0.1'

    testCompile 'org.spockframework:spock-core:0.7-groovy-2.0-SNAPSHOT'

}


idea {

    project {

        jdkName = langLevel

        languageLevel = langLevel

    }

}
As you can see the build.gradle file is almost self-explanatory. Groovy plugin is applied to compile groovy code. It needs groovy-all.jar - declared in version 2.0 at dependencies block just next to Spock in version 0.7. What's most important, mentioned Maven repository URL is added at repositories block.

Project structure and execution

Gradle's default project directory structure is similar to Maven's one. Unfortunately there is no 'create project' task and you have to create it by hand. It's not a big obstacle though. The structure you will create will more or less look as follows: 
<project root>


├── build.gradle

└── src

    ├── main

    │   ├── groovy

    └── test

        └── groovy
To build a project now you can type command gradle build or gradle test to only run tests.

How about Java?

You can test native Java code with Spock. Just add src/main/java directory and a following line to the build.gradle: 
apply plugin: 'java'
This way if you don't want or just can't deploy Groovy compiled stuff into your production JVM for any reason, still whole goodness of testing with Spock and Groovy is at your hand.

A silly-simple example

Just to show that it works, here you go with a basic example.

Java simple example class:

public class SimpleJavaClass {


    public int sumAll(int... args) {


        int sum = 0;


        for (int arg : args){

            sum += arg;

        }


        return sum;

    }

}

Groovy simple example class:

class SimpleGroovyClass {


    String concatenateAll(char separator, String... args) {


        args.join(separator as String)

    }

}

The test, uhm... I mean the Specification:

class JustASpecification extends Specification {


    @Unroll('Sums integers #integers into: #expectedResult')

    def "Can sum different amount of integers"() {


        given:

            def instance = new SimpleJavaClass()


        when:

            def result = instance.sumAll(* integers)


        then:

            result == expectedResult


        where:

            expectedResult | integers

            11             | [3, 3, 5]

            8              | [3, 5]

            254            | [2, 4, 8, 16, 32, 64, 128]

            22             | [7, 5, 6, 2, 2]

    }


    @Unroll('Concatenates strings #strings with separator "#separator" into: #expectedResult')

    def "Can concatenate different amount of integers with a specified separator"() {


        given:

            def instance = new SimpleGroovyClass()


        when:

            def result = instance.concatenateAll(separator, * strings)


        then:

            result == expectedResult


        where:

            expectedResult     | separator   | strings

            'Whasup dude?'     | ' ' as char | ['Whasup', 'dude?']

            '2012/09/15'       | '/' as char | ['2012', '09', '15']

            'nice-to-meet-you' | '-' as char | ['nice', 'to', 'meet', 'you']

    }

}
To run tests with Gradle simply execute command gradle test. Test reports can be found at <project root>/build/reports/tests/index.html and look kind a like this.


Please note that, thanks to @Unroll annotation, test is executed once per each parameters row in the 'table' at specification's where: block. This isn't a Java label, but a AST transformation magic.

IDE integration

Gradle's plugin for Iintellij Idea

I've added also Intellij Idea plugin for IDE project generation and some configuration for it (IDE's JDK name). To generate Idea's project files just run command: gradle idea There are available Eclipse and Netbeans plugins too, however I haven't tested them. Idea's one works well.

Intellij Idea's plugins for Gradle

Idea itself has a light Gradle support built-in on its own. To not get confused: Gradle has plugin for Idea and Idea has plugin for Gradle. To get even more 'pluginated', there is also JetGradle plugin within Idea. However I haven't found good reason for it's existence - well, maybe excluding one. It shows dependency tree. There is a bug though - JetGradle work's fine only for lang level 1.6. Strangely all the plugins together do not conflict each other. They even give complementary, quite useful tool set.

Running tests under IDE

Jest to add something sweet this is how Specification looks when run with jUnit  runner under Intellij Idea (right mouse button on JustASpecification class or whole folder of specification extending classes and select "Run ...". You'll see a nice view like this.

Building web application

If you need to build Java web application and bundle it as war archive just add plugin by typing the line 
apply plugin: 'war'
in the build.gradle file and create a directory src/main/webapp.

Want to know more?

If you haven't heard about Spock or Gradle before or just curious, check the following links:

What next?

The last thing left is to write the real production code you are about to test. No matter will it be Groovy or Java, I leave this to your need and invention. Of course, you are welcome to post a comments here. I'll answer or even write some more posts about the subject.

Important update

Spock version 0.7 has been released, so the above build file doesn't work anymore. It's easy to fix it though. Just remove last dash and a word SNAPSHOT from Spock dependency declaration. Other important thing is that now spock-core depends on groovy-all-2.0.5, so to avoid dependency conflict groovy dependency should be changed from version 2.0.1 to 2.0.5.
Besides oss.sonata.org snapshots maven repository can be removed. No obstacles any more and the build file now looks as follows: 
apply plugin: 'groovy'

apply plugin: 'idea'


def langLevel = 1.7


sourceCompatibility = langLevel

targetCompatibility = langLevel


group = 'com.tamashumi.example.testwithspock'

version = '0.1'


repositories {

    mavenLocal()

    mavenCentral()

}


dependencies {

    groovy 'org.codehaus.groovy:groovy-all:2.0.5'

    testCompile 'org.spockframework:spock-core:0.7-groovy-2.0'

}


idea {

    project {

        jdkName = langLevel

        languageLevel = langLevel

    }

}