martin f. krafft | 42c475d | 2013-06-26 18:39:06 +0200 | [diff] [blame^] | 1 | ============================================================= |
| 2 | reclass — recursive external node classification |
| 3 | ============================================================= |
| 4 | reclass is © 2007–2013 martin f. krafft <madduck@madduck.net> |
| 5 | and available under the terms of the Artistic Licence 2.0 |
| 6 | ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' |
| 7 | |
| 8 | Please make sure to read the generic information in the README file first, or |
| 9 | alongside this document. |
| 10 | |
| 11 | Quick start with Salt |
| 12 | ~~~~~~~~~~~~~~~~~~~~~ |
| 13 | The following steps should get you up and running quickly. You will need to |
| 14 | decide for yourself where to put your reclass inventory. This can be |
| 15 | /etc/reclass, or it could be /srv/salt, for instance if /srv/salt/states is |
| 16 | where your Salt file_roots live. The following shall assume the latter. |
| 17 | |
| 18 | Or you can also just look into ./examples/salt of your reclass checkout, |
| 19 | where the following steps have already been prepared. |
| 20 | |
| 21 | /…/reclass refers to the location of your reclass checkout. |
| 22 | |
| 23 | 1. Symlink /…/reclass/adapters/ansible to /etc/ansible/hosts (or |
| 24 | ./hacking/hosts) |
| 25 | |
| 26 | 2. Copy the two directories 'nodes' and 'classes' from the example |
| 27 | subdirectory in the reclass checkout to /etc/ansible |
| 28 | |
| 29 | If you prefer to put those directories elsewhere, you can create |
| 30 | /etc/ansible/reclass-config.yml with contents such as |
| 31 | |
| 32 | storage_type: yaml_fs |
| 33 | nodes_uri: /srv/reclass/nodes |
| 34 | classes_uri: /srv/reclass/classes |
| 35 | |
| 36 | Note that yaml_fs is currently the only supported storage_type, and it's |
| 37 | the default if you don't set it. |
| 38 | |
| 39 | 3. Check out your inventory by invoking |
| 40 | |
| 41 | ./hosts --list |
| 42 | |
| 43 | which should return 5 groups in JSON-format, and each group has exactly |
| 44 | one member 'localhost'. |
| 45 | |
| 46 | 4. See the node information for 'localhost': |
| 47 | |
| 48 | ./hosts --host localhost |
| 49 | |
| 50 | This should print a set of keys and values, including a greeting, |
| 51 | a colour, and a sub-class called 'RECLASS'. |
| 52 | |
| 53 | 5. Execute some ansible commands, e.g. |
| 54 | |
| 55 | ansible -i hosts \* --list-hosts |
| 56 | ansible -i hosts \* -m ping |
| 57 | ansible -i hosts \* -m debug -a 'msg="${greeting}"' |
| 58 | ansible -i hosts \* -m setup |
| 59 | ansible-playbook -i hosts test.yml |
| 60 | |
| 61 | 6. You can also invoke reclass directly, which gives a slightly different |
| 62 | view onto the same data, i.e. before it has been adapted for Ansible: |
| 63 | |
| 64 | /…/reclass.py --pretty-print --inventory |
| 65 | /…/reclass.py --pretty-print --nodeinfo localhost |
| 66 | |
| 67 | Integration with Salt |
| 68 | ~~~~~~~~~~~~~~~~~~~~~ |
| 69 | The integration between reclass and Ansible is performed through an adapter, |
| 70 | and needs not be of our concern too much. |
| 71 | |
| 72 | However, Ansible has no concept of "nodes", "applications", "parameters", and |
| 73 | "classes". Therefore it is necessary to explain how those correspond to |
| 74 | Ansible. Crudely, the following mapping exists: |
| 75 | |
| 76 | nodes hosts |
| 77 | classes groups |
| 78 | applications playbooks |
| 79 | parameters host_vars |
| 80 | |
| 81 | reclass does not provide any group_vars because of its node-centric |
| 82 | perspective. While class definitions include parameters, those are inherited |
| 83 | by the node definitions and hence become node_vars. |
| 84 | |
| 85 | reclass also does not provide playbooks, nor does it deal with any of the |
| 86 | related Ansible concepts, i.e. vars_files, vars, tasks, handlers, roles, etc.. |
| 87 | |
| 88 | Let it be said at this point that you'll probably want to stop using |
| 89 | host_vars, group_vars and vars_files altogether, and if only because you |
| 90 | should no longer need them, but also because the variable precedence rules |
| 91 | of Ansible are full of surprises, at least to me. |
| 92 | |
| 93 | reclass' Ansible adapter massage the reclass output into Ansible-usable data, |
| 94 | namely: |
| 95 | |
| 96 | - Every class in the ancestry of a node becomes a group to Ansible. This is |
| 97 | mainly useful to be able to target nodes during interactive use of |
| 98 | Ansible, e.g. |
| 99 | |
| 100 | ansible debiannode@wheezy -m command -a 'apt-get upgrade' |
| 101 | → upgrade all Debian nodes running wheezy |
| 102 | |
| 103 | ansible ssh.server -m command -a 'invoke-rc.d ssh restart' |
| 104 | → restart all SSH server processes |
| 105 | |
| 106 | ansible mailserver -m command -a 'tail -n1000 /var/log/mail.err' |
| 107 | → obtain the last 1,000 lines of all mailserver error log files |
| 108 | |
| 109 | The attentive reader might stumble over the use of singular words, whereas |
| 110 | it might make more sense to address all 'mailserver*s*' with this tool. |
| 111 | This is convention and up to you. I prefer to think of my node as |
| 112 | a (singular) mailserver when I add 'mailserver' to its parent classes. |
| 113 | |
| 114 | - Every entry in the list of a host's applications might well correspond to |
| 115 | an Ansible playbook. Therefore, reclass creates a (Ansible-)group for |
| 116 | every application, and adds '_hosts' to the name. This postfix can be |
| 117 | configured with a CLI option (--applications-postfix) or in the |
| 118 | configuration file (applications_postfix). |
| 119 | |
| 120 | For instance, the ssh.server class adds the ssh.server application to |
| 121 | a node's application list. Now the admin might create an Ansible playbook |
| 122 | like so: |
| 123 | |
| 124 | - name: SSH server management |
| 125 | hosts: ssh.server_hosts ← SEE HERE |
| 126 | tasks: |
| 127 | - name: install SSH package |
| 128 | action: … |
| 129 | … |
| 130 | |
| 131 | There's a bit of redundancy in this, but unfortunately Ansible playbooks |
| 132 | hardcode the nodes to which a playbook applies. |
| 133 | |
| 134 | It's now trivial to apply this playbook across your infrastructure: |
| 135 | |
| 136 | ansible-playbook ssh.server.yml |
| 137 | |
| 138 | My suggested way to use Ansible site-wide is then to create a 'site' |
| 139 | playbook that includes all the other playbooks (which shall hopefully be |
| 140 | based on Ansible roles), and then to invoke Ansible like this: |
| 141 | |
| 142 | ansible-playbook site.yml |
| 143 | |
| 144 | or, if you prefer only to reconfigure a subset of nodes, e.g. all |
| 145 | webservers: |
| 146 | |
| 147 | ansible-playbook site.yml --limit webserver |
| 148 | |
| 149 | Again, if the singular word 'webserver' puts you off, change the |
| 150 | convention as you wish. |
| 151 | |
| 152 | And if anyone comes up with a way to directly connect groups in the |
| 153 | inventory with roles, thereby making it unnecessary to write playbook |
| 154 | files (containing redundant information), please tell me! |
| 155 | |
| 156 | - Parameters corresponding to a node become host_vars for that host. |
| 157 | |
| 158 | It is possible to include Jinja2-style variables like you would in Ansible, |
| 159 | in parameter values. This is especially powerful in combination with the |
| 160 | recursive merging, e.g. |
| 161 | |
| 162 | parameters: |
| 163 | motd: |
| 164 | greeting: Welcome to {{ ansible_fqdn }}! |
| 165 | closing: This system is part of {{ realm }} |
| 166 | |
| 167 | Now you just need to specify realm somewhere. The reference can reside in |
| 168 | a parent class, while the variable is defined e.g. in the node. |