Middleware Services converts to Ansible
Middleware Services had been using a legacy version of Puppet.
Middleware Services switched to Ansible to build new systems and add capacity to existing services. In addition, the group uses Ansible to deploy and enforce system configuration. In other words, when Middleware Services uses Ansible to set up or make changes to software configuration files, Ansible checks those same files to make sure they have the same configuration and state each time it runs. For example, if someone makes a change to the file directly but not through the Ansible workflow, the next time Ansible runs, it will change the file to the version it has in its repository. The same is true for permissions on a file or directory.
This is important for two reasons, said Stephen Braswell, Senior Solutions Engineer with Middleware Services. First, all servers in a group for a service have their configuration kept in sync. Second is security. Files and applications are expected to have certain permissions as part of securing a server or application. Ansible restores both the configuration files and the permissions on those files so only the allowed accounts on the system can read or write to a file or directory. This is particularly important for the group’s services because many of them are exposed to the public internet.
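What this enforcement can look like in a playbook, as an added example that is not Middleware Services' own code; the host group, paths, account names and service name are hypothetical:

```yaml
# Added illustration; every name and path below is a hypothetical placeholder.
- name: Enforce configuration and permissions for a web service
  hosts: webservers                   # hypothetical inventory group
  become: true
  tasks:
    - name: Configuration directory is not world-accessible
      ansible.builtin.file:
        path: /etc/exampleapp
        state: directory
        owner: root
        group: exampleapp
        mode: "0750"

    - name: Configuration file matches the copy in the repository
      ansible.builtin.copy:
        src: files/exampleapp.conf    # version-controlled source of truth
        dest: /etc/exampleapp/exampleapp.conf
        owner: root
        group: exampleapp
        mode: "0640"                  # reset even if only the mode was changed by hand
        backup: true                  # keep the overwritten file for later review
      notify: Restart exampleapp

  handlers:
    # Runs only when a task above reported a change, i.e. when drift was corrected.
    - name: Restart exampleapp
      ansible.builtin.service:
        name: exampleapp
        state: restarted
```

Running such a playbook with `ansible-playbook --check --diff` reports files whose content or permissions have drifted without changing them.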
Middleware Services also uses Ansible to orchestrate system-level processes. Orchestration is the process of going through a workflow, often a set of tasks, to complete an action on a server. Examples include restarting an application, adding a new user account and deploying a new version of an application. Ansible can do some orchestration as part of its regular automation while it performs actions on a server, or a dedicated piece of Ansible code can perform a particular, ad hoc set of tasks.
ITS’ Ansible Tower installation provides an easy-to-use web interface on top of the Ansible software. It is used to manage controls for the 900-plus servers that ITS Global Systems UNIX manages and 80-plus templates that represent unique operations on those servers. Of those approximately 650 servers, about 330 are for services that Middleware Services runs, such as www.unc.edu, WordPress, Carolina CloudApps, Sakai, Single Sign-on, Splunk and SAS.
Ansible Tower also provides access control mechanisms that enable delegation of Ansible-managed processes. For all servers that host the group’s services, customers — even internal to ITS — are not allowed direct access to the servers. With this arrangement, Middleware Services must make any changes the customer requires to the server or applications.
Having Middleware Services staff be the single point for the changes doesn’t scale well for some services, Braswell said. Instead, Middleware Services uses Ansible and the web interface tool Ansible Tower to provide a mechanism for its customers to essentially click a button to make a change. An example is providing a button to deploy a new version of a developer’s code (say, WordPress) to ITS’ services. Ansible Tower enables ITS to restrict which actions are defined for a customer and which customers can access each action’s button. Middleware Services is thus able to delegate tasks to the customer that it would normally have had to perform manually. Meanwhile, Middleware Services maintains security because the pre-defined Ansible code automatically sets the appropriate file and directory permissions, whereas a customer may forget to do so.
While Ansible does not help customers — students, faculty and staff — directly, the tool enables Middleware Services to easily make configuration changes to software and quickly add server capacity as needed. For example, say Sakai isn’t able to keep up with an increase in traffic on the servers at the start of Fall semester. Middleware Services can quickly add a new server and Ansible will configure the software on the server to be identical to the other servers already hosting Sakai.
Middleware Services does the hard work in the beginning when developing the Ansible code and then just adds minor tweaks over time as customers request software changes, Braswell said. Over the long term, the internal rewards are the ease of adding servers or making changes across numerous existing servers.
Key Partner(s): ITS Systems