Improve Ansible Roles with Molecule

Luis Cacho

Security Systems Administrator

@Rackspace

luiscachog.io | @luiscachog | github.com/luiscachog

Agenda

Ansible Review
- YAML Review
Test Automation
- Testing options for Ansible
Molecule
Demo!!

Ansible (1/4)

Use Cases	Attributes
Configuration Management	Simple
Software Provisioning	Powerful
Security and Compliance	Agentless
Application Deployment	Cross Platform
Orchestration	Over 450 Modules
Continuous Delivery	Big Community

Ansible (2/4)

    <img alt="" srcset="
           /media/slides/molecule-ansible/AnsibleArch_hu9b05440d76c0d355a47a803f97985562_45828_592cfc82e42d74a81521ea425cc4dce0.png 400w,
           /media/slides/molecule-ansible/AnsibleArch_hu9b05440d76c0d355a47a803f97985562_45828_0eae370b54e357843c08ae3cda296a72.png 760w,
           /media/slides/molecule-ansible/AnsibleArch_hu9b05440d76c0d355a47a803f97985562_45828_1200x1200_fit_lanczos_2.png 1200w"
           src="/media/slides/molecule-ansible/AnsibleArch_hu9b05440d76c0d355a47a803f97985562_45828_592cfc82e42d74a81521ea425cc4dce0.png"
           width="90%"
           height="454"
           loading="lazy" /></div>

Ansible (3/4)

    <img alt="" srcset="
           /media/slides/molecule-ansible/Ansible_Playbook_hu71a4b655fa9e885678be627396d3dcbe_40547_3fc6103a86554edd0ddee57a162d237d.png 400w,
           /media/slides/molecule-ansible/Ansible_Playbook_hu71a4b655fa9e885678be627396d3dcbe_40547_f0a96e4354f6e997c941890b47498a45.png 760w,
           /media/slides/molecule-ansible/Ansible_Playbook_hu71a4b655fa9e885678be627396d3dcbe_40547_1200x1200_fit_lanczos_2.png 1200w"
           src="/media/slides/molecule-ansible/Ansible_Playbook_hu71a4b655fa9e885678be627396d3dcbe_40547_3fc6103a86554edd0ddee57a162d237d.png"
           width="70%"
           height="622"
           loading="lazy" /></div>

Ansible (4/4)

Playbooks contain/connect roles
Roles contain plays
Plays contain tasks
Tasks execute a module
Tasks run sequencially
Handlers are triggered by tasks, runs once at the end of the play

Test Automation (1/2)

Reliable Code
Quality (Fast feedback)
Time and cost saving
Faster Development Cycle (CI/CD)
Repeatability (Test same change accross multiple environments (OS, Providers); multiple data sets)

Test Automation (2/2)

Testing options for Ansible

Ansible tasks - Test Ansible w/ Ansible

Test Kitchen - Test Ansible w/ Ruby

ansible-test - Test Ansible w/ Unmaintained Python

Molecule - Test Ansible w/ Python

Press S key to view - Algunas herramientas que revise, despues de ver la conferencia de Elana Hashman en en Ansible Fest 2017 son:

Testing Ansible with Ansible Tasks -> Test ansible with Ansible tasks Benefits:

As flexible and powerful as you need it Issues:
High development cost
Ansible can’t detect ansible bugs
Need to write your own provisioner

Testing Ansible with ansible-test -> Benefits:

Written in Python
Solves the provisioning problem in “Test ansible with Ansible”
Simple tool with small codebase Issues:
Onlys support docker provisioner on debian-based images
Does not apear to be actively maintained

Testing Ansible with Test Kitchen -> Benefits:

Large community
Supports Ansible
Supportw windows testing for Ansible Issues:
Written in Ruby
Verifiers are Ruby or bash based
Installs Ansible on the target host and runs it locally

Molecule (1/5)

Testing Ansible with Molecule

Tool designed to aid in the development and testing of Ansible roles.
Provides support for testing with multiple instances, operating systems, providers, test frameworks and testing scenarios.
Encourages an approach that results in consistently developed roles that are well-written, easily understood and maintained.

github.com/ansible/molecule | molecule.readthedocs.io

Molecule (2/5)

Testing Ansible with Molecule

Pros	Cons
- Written in Python	- No Windows support
- Ansible-Native	- No Dinamyc Inventory support
- Established community
- Open Source

Molecule (3/5)

Testing Ansible with Molecule

Creates nodes for testing
Run the playbook on the nodes
Run the playbook again to test idempotence
Lints the Ansible code with ansible-lint
Lint the Python code with flake8
Runs the verifier tests on the nodes to ensure the desired state

Molecule (4/5)

Testing Ansible with Molecule

    <img alt="" srcset="
           /media/slides/molecule-ansible/MoleculeProcess_hu0d810c2dbb019e53116861ccfaf3b4fa_79590_5fbef7b8c262abfe2c72c48f6a84c72c.jpeg 400w,
           /media/slides/molecule-ansible/MoleculeProcess_hu0d810c2dbb019e53116861ccfaf3b4fa_79590_1a8ebdd4b04ffb61270bb258233ba8cf.jpeg 760w,
           /media/slides/molecule-ansible/MoleculeProcess_hu0d810c2dbb019e53116861ccfaf3b4fa_79590_1200x1200_fit_q90_lanczos.jpeg 1200w"
           src="/media/slides/molecule-ansible/MoleculeProcess_hu0d810c2dbb019e53116861ccfaf3b4fa_79590_5fbef7b8c262abfe2c72c48f6a84c72c.jpeg"
           width="50%"
           height="760"
           loading="lazy" /></div>

Molecule (5/5)

Testing Ansible with Molecule

What can I test?
- Files exists and permissions
- Service are running
- User exists and is member of the correct groups
- Package installed
- Basic Software interaction (Test web server basic authentication)

Molecule Demo (1/3)

Let’s try it!!
- Creates 2 nodes
- Converge both nodes
- Check for idempotence
- Lint the Ansible and Python code
- Verify the role against some tests
Github Repo: github.com/luiscachog/elastic_stack (Thanks to GaRaGeD for provide a playbook to test)

Molecule Demo (2/3)

Terminal time!!

Molecule Demo (3/3)

TO-DO

Ansible-Vault implementation
Integrating Molecule into Travis CI, Circle CI, Jenkins, etc

Conclusion

There are different testing solutions for Ansible, but Molecule is an Ansible-native and the robust option.
Molecule allows you to create, converge, check idempotence, lint and verify your Ansible code.
Molecule help you to create the best playbooks possible.

Questions?

Talk links, references and resources can be found at: luiscachog.io/talk/improve-ansible-roles-with-molecule

Thank you

You can find me on:

luiscachog [at] gmail.com | luiscachog.io | github.com/luiscachog | @luiscachog