Ansible F5 Workshop


What You Will Learn
- What is Ansible, its common use cases
- How Ansible works and terminology
- Running Ansible playbooks
- Network modules
- An introduction to roles
- An introduction to Ansible Galaxy

Managing networks hasn't changed in 30 years
- Networks are mission critical
- Every network is a unique snowflake
- Ad-hoc changes that proliferate
- Vendor specific implementations
- Testing is expensive/impossible

According to Gartner (chart)
Source: Gartner, Look Beyond Network Vendors for Network Innovation. January 2018. Gartner ID: G00349636. (n=64)

Automation considerations
- Compute is no longer the slowest link in the chain
- Businesses demand that networks deliver at the speed of cloud
- Automation of repeatable tasks
- Bridge silos

What is Ansible?
Red Hat Ansible network automation is enterprise software for automating and managing IT infrastructure.
As a vendor agnostic framework, Ansible can automate F5 (BIG-IP, BIG-IQ), Arista (EOS), Cisco (IOS, IOS XR, NX-OS), Juniper (JunOS), Open vSwitch and VyOS.
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation with a UI and RESTful API.

Simple, Powerful, Agentless

SIMPLE
- Human readable automation
- No special coding skills needed
- Tasks executed in order
- Get productive quickly

POWERFUL
- Gather information and audit
- Configuration management
- Workflow orchestration
- Manage ALL IT infrastructure

AGENTLESS
- Agentless architecture
- Uses OpenSSH and paramiko
- No agents to exploit or update
- More efficient & more secure

Ansible: The Universal Automation Framework (diagram)
Teams: Sys/Cloud Admin, Net Ops, Storage Admins. Targets: Servers, Networking, Storage.

Ansible Network Automation

Common use cases
- Backup and restore device configurations
- Upgrade network device OS
- Ensure configuration compliance
- Apply patches to address CVE
- Generate dynamic documentation
Basically anything an operator can do manually, Ansible can automate.

How Ansible Works
- Networking devices: module code is executed locally on the control node.
- Linux/Windows hosts: module code is copied to the managed node, executed, then removed.

Ansible Automation Engine (architecture diagram)
Components: Users, Ansible Playbook, Ansible Automation Engine (Core, Modules, Plugins), Hosts, Network Devices, Public/Private Cloud, CMDB.
- Playbooks are written in YAML. Tasks are executed sequentially. Invoke Ansible ...
- Modules are "tools in the toolkit". Python, PowerShell, or any language. Extend Ansible simplicity to the entire ...
- Plugins are "gears in the engine". Code that plugs into the core ... uses & ...

Understanding Inventory (diagram with hosts 192.168.1.2 and 192.168.1.3)

Understanding Inventory
There is always a group called "all" by default. Groups can be nested.

[lb]
f5 ansible_host=34.199.128.69

[DC:children]
lb
webservers

[control]
ansible ansible_host=...

[webservers]
host1 ansible_host=107.22.141.4
host2 ansible_host=54.146.162.192

Inventory - variables

[all:vars]
ansible_user=student2
ansible_ssh_pass=ansible
ansible_port=22

[lb]
f5 ansible_host=34.199.128.69 ansible_user=admin private_ip=172.16.26.136 ansible_ssh_pass=admin

[webservers]
host1 ansible_host=107.22.141.4 ansible_user=ec2-user private_ip=172.16.170.190
host2 ansible_host=54.146.162.192 ansible_user=ec2-user private_ip=172.16.160.13

Group variables ([all:vars]) apply for all devices in that group. Host variables apply to the host and override group vars.

A Sample Playbook

---
- name: BIG-IP SETUP
  hosts: lb
  connection: local
  gather_facts: false

  tasks:
    - name: CREATE NODES
      bigip_node:
        server: "f5.ansible.com"
        user: "admin"
        password: "admin"
        server_port: "8443"
        host: 192.168.0.1
        name: "webserver01"

A playbook is a list of plays. Each play is a list of tasks. Tasks invoke modules. A playbook can contain more than one play.

Lab Time: Exploring the Lab Environment
In this lab you will explore the lab environment and build familiarity with the lab inventory.
Approximate time: 10 mins

Playbook definition for network automation
- Target play execution using hosts
- Define the connection: local
- About gather_facts

Running a playbook

[student1@ansible ]$ ansible-playbook bigip-facts.yml

PLAY [GRAB F5 FACTS] *********

TASK [COLLECT BIG-IP FACTS] **
ok: [f5]

PLAY RECAP *******************
f5 : ok=1 changed=0 unreachable=0 failed=0

Displaying output
Use the optional verbose flag during playbook execution.

[student1@ansible ]$ ansible-playbook bigip-facts.yml -v

TASK [COLLECT BIG-IP FACTS] ***********************************
changed: [f5] => {"changed": true, "system_info": {"base_mac_address": "0a:54:53:51:86:fc", "chassis_serial": "685023ec-071e-3fa0-3849dcf70dff", "hardware_information": [{"model": "Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz", "name": "cpus", "type": "base-board", "versions": [{"name": "cpu stepping", "version": "2"}, ...

(output truncated for readability)

Limiting Playbook execution
Playbook execution can be limited to a subset of devices using the --limit flag.

ansible-playbook bigip-facts.yml --limit f5node1

Forget a flag / option?
- Just type ansible-playbook then press enter
- Use the --help flag

Quick Refresher on JSON
Structured data is easy to work with:

"system_info": {
    "base_mac_address": "0a:54:53:51:86:fc",
    "chassis_serial": "685023ec-071e-3fa0-3849dcf70dff",
    "product_version": "13.1.0.7",
}

bigip_facts['system_info']['base_mac_address'] yields 0a:54:53:51:86:fc

Registering the output
The register parameter is used to collect the output of a task execution. The output of the task is 'registered' in a variable which can then be used for subsequent tasks.

- name: COLLECT BIG-IP FACTS
  bigip_device_facts:
    gather_subset:
      - system-info
    server: "{{ private_ip }}"
    user: "{{ ansible_user }}"
    password: "{{ ansible_ssh_pass }}"
    server_port: 8443
  register: bigip_device_facts

Displaying output - The "debug" module
The debug module is used like a "print" statement in most programming languages.

- name: DISPLAY ONLY THE MAC ADDRESS
  debug:
    var: bigip_device_facts['system_info']['base_mac_address']

TASK [DISPLAY ONLY THE MAC ADDRESS] ***
ok: [f5] => {"bigip_device_facts['system_info']['base_mac_address']": "0a:54:53:51:86:fc"}

Limiting tasks within a play
Tags allow the user to selectively execute tasks within a play. Multiple tags can be associated with a given task. Tags can also be applied to entire plays or roles.

- name: DISPLAY THE VARIABLE OUTPUT
  debug:
    var: output_variable
  tags: debug

Tags are invoked using the --tags flag while running the playbook:

[user@ansible]$ ansible-playbook bigip-facts.yml --tags debug

Limiting tasks within a play - or skip them!
--skip-tags allows you to skip everything with the given tag:

[user@ansible]$ ansible-playbook bigip-facts.yml --skip-tags debug

A note about variables
Other than the user defined variables, Ansible supports many inbuilt variables. For example:

ansible_* : output of fact gathering
inventory_hostname : magic inbuilt variable that is the name of the host as defined in inventory
hostvars : magic inbuilt dictionary variable whose key is inventory_hostname, e.g. hostvars[webserver1].my_variable
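The facts, register, debug and tags slides above fit together into one audit playbook. The following is an added example, not code from the workshop; it assumes the workshop inventory (group "lb" with private_ip, ansible_user and ansible_ssh_pass), the hyphenated gather_subset value system-info, and a baseline version of 13.1.0 chosen only for illustration.

```yaml
---
# Added example (not workshop code): collect BIG-IP facts, register them,
# print a summary under a tag, and fail the play if the software version
# is below an assumed baseline (a compliance check, one of the use cases
# listed earlier in the deck).
- name: AUDIT F5 SOFTWARE VERSION
  hosts: lb
  connection: local
  gather_facts: false

  vars:
    required_version: "13.1.0"   # assumed baseline, not from the workshop

  tasks:
    - name: COLLECT BIG-IP FACTS
      bigip_device_facts:
        gather_subset:
          - system-info
        server: "{{ private_ip }}"
        user: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        server_port: 8443
        validate_certs: "no"   # lab convenience; keep validation on elsewhere
      register: bigip_device_facts

    # Runs only when the play is invoked with --tags debug (or no tag filter)
    - name: DISPLAY VERSION AND MAC ADDRESS
      debug:
        msg: >-
          {{ inventory_hostname }} runs
          {{ bigip_device_facts.system_info.product_version }}
          (MAC {{ bigip_device_facts.system_info.base_mac_address }})
      tags: debug

    # The version test compares dotted versions numerically, not as strings
    - name: FAIL IF BIG-IP IS BELOW THE REQUIRED VERSION
      assert:
        that:
          - bigip_device_facts.system_info.product_version is version(required_version, '>=')
        fail_msg: >-
          {{ inventory_hostname }} runs
          {{ bigip_device_facts.system_info.product_version }},
          below {{ required_version }}
        success_msg: "{{ inventory_hostname }} version check passed"
      tags: compliance
```

Running with -v prints the whole registered facts payload (serial numbers, MAC addresses) to the terminal and any log capture, so the assert task is the better place to get a plain pass/fail answer.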

Lab Time: Exercise 1.1 - Using Ansible to gather data from F5 BIG-IP
In this lab you will write your first playbook and run it to gather facts from a F5 BIG-IP load balancer.
Approximate time: 15 mins

Modules
Modules do the actual work in Ansible; they are what gets executed in each playbook task.
- Typically written in Python (but not limited to it)
- Modules are idempotent
- Modules take user input in the form of parameters

Network modules
Ansible modules for network automation typically reference the vendor OS followed by the module name.

Arista EOS : eos_*
Cisco IOS/IOS-XE : ios_*
Cisco NX-OS : nxos_*
Cisco IOS-XR : iosxr_*
F5 BIG-IP : bigip_*
F5 BIG-IQ : bigiq_*
Juniper Junos : junos_*
VyOS : vyos_*

Common suffixes: *_facts, *_command, *_config. More modules depending on platform.

Modules Documentation
https://docs.ansible.com/

Modules Documentation
Documentation right on the command line:

[user@ansible]$ ansible-doc bigip_device_facts
> BIGIP_DEVICE_FACTS    (network/f5/bigip_device_facts.py)

        Collect facts from F5 BIG-IP devices.

OPTIONS (= is mandatory):

- gather_subset
        When supplied, this argument will restrict the facts returned to a given subset.
        Can specify a list of values to include a larger subset.

Inventory - Revisiting Variables

[lb]
f5 ansible_host=34.199.128.69 ansible_user=admin private_ip=172.16.26.136 ansible_ssh_pass=admin

Variables set on host f5:
ansible_host = 34.199.128.69
ansible_user = admin
private_ip = 172.16.26.136
ansible_ssh_pass = admin

Using the F5 bigip_node module

- name: CREATE NODES
  bigip_node:
    server: "{{ private_ip }}"
    user: "{{ ansible_user }}"
    password: "{{ ansible_ssh_pass }}"
    server_port: "8443"
    validate_certs: "no"
    host: "{{ hostvars[item].ansible_host }}"
    name: "{{ hostvars[item].inventory_hostname }}"
  loop: "{{ groups['webservers'] }}"

- server, user, password, server_port, validate_certs: information for connecting to the F5 BIG-IP load balancer.
- host, name: the nodes being added. host refers to the web server IP address; name is a human identifiable trait, it can be the DNS name but does not depend on it.
- loop: loops over all the web servers in the group webservers.

Lab Time: Exercise 1.2 - Adding nodes to F5 BIG-IP
In this lab you will create a playbook that makes use of the BIG-IP node module to add two RHEL (Red Hat Enterprise Linux) web servers as nodes for the BIG-IP load balancer.
Approximate time: 15 mins

Using the F5 bigip_pool module

- name: CREATE POOL
  bigip_pool:
    # login info removed for brevity
    name: "http_pool"
    lb_method: "round-robin"
    monitors: "/Common/http"
    monitor_type: "and_list"

- name: a user defined name that we will add nodes to in a later exercise.
- lb_method: the load balancing method; a full list is provided in the module documentation.
- monitors: the protocol that the F5 BIG-IP load balancer will be listening on.
- monitor_type: technically the default. We can actually configure multiple monitors (protocols) simultaneously.

F5 Web GUI - Configuration (screenshot)
Click on the pool to get more information. Monitor 'http' assigned to the pool.

Lab Time: Exercise 1.3 - Adding a load balancing pool
Demonstrate use of the BIG-IP pool module to configure a load balancing pool in a BIG-IP device. A load balancing pool is a logical set of devices, such as web servers, that you group together to receive and process traffic.
Approximate time: 15 mins

Using the F5 bigip_pool_member module

- name: ADD POOL MEMBERS
  bigip_pool_member:
    # login info removed for brevity
    state: "present"
    name: "{{ hostvars[item].inventory_hostname }}"
    host: "{{ hostvars[item].ansible_host }}"
    port: "80"
    pool: "http_pool"
  loop: "{{ groups['webservers'] }}"

F5 BIG-IP Web GUI (screenshot)
The web servers are now configured and can be found under the Members tab of http_pool.
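The node, pool and pool member tasks from the last three slides are steps of one procedure, so here they are combined into a single play. This is an added example, not workshop code; it assumes the workshop inventory and passes the connection details through the F5 modules' provider parameter instead of repeating the top-level server/user/password arguments shown on the slides.

```yaml
---
# Added example (not workshop code): nodes, pool and pool members in one
# idempotent play. Re-running it reports changed=0 once the BIG-IP matches.
- name: BIG-IP SETUP
  hosts: lb
  connection: local
  gather_facts: false

  vars:
    # Connection details shared by every bigip_* task below.
    f5_provider:
      server: "{{ private_ip }}"
      user: "{{ ansible_user }}"
      password: "{{ ansible_ssh_pass }}"
      server_port: 8443
      validate_certs: "no"   # lab convenience; keep validation on elsewhere

  tasks:
    # One node per host in the webservers group; item is the inventory name
    - name: CREATE NODES
      bigip_node:
        provider: "{{ f5_provider }}"
        host: "{{ hostvars[item].ansible_host }}"
        name: "{{ hostvars[item].inventory_hostname }}"
      loop: "{{ groups['webservers'] }}"

    # The pool must exist before members can be attached to it
    - name: CREATE POOL
      bigip_pool:
        provider: "{{ f5_provider }}"
        name: "http_pool"
        lb_method: "round-robin"
        monitors: "/Common/http"
        monitor_type: "and_list"

    # Members reference the node name created above and the service port
    - name: ADD POOL MEMBERS
      bigip_pool_member:
        provider: "{{ f5_provider }}"
        state: "present"
        name: "{{ hostvars[item].inventory_hostname }}"
        host: "{{ hostvars[item].ansible_host }}"
        port: 80
        pool: "http_pool"
      loop: "{{ groups['webservers'] }}"
```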

Parsing the output
JSON Query filter: ...user_guide/playbooks_filters.html#json-query-filter

# Get output using bigip_device_facts and store in variable
- name: "View complete output"
  debug: "msg={{ bigip_device_facts }}"

- name: "Show members belonging to pool"
  debug: "msg={{ item }}"
  loop: "{{ bigip_device_facts.ltm_pools | json_query(query_string) }}"
  vars:
    query_string: "[?name=='http_pool'].members[*].name[]"
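The json_query loop above prints the pool members; the same query can verify that every web server actually made it into the pool. This is an added example, not workshop code; it assumes the workshop inventory, the gather_subset value ltm-pools, member names reported as "<node>:<port>", and that the jmespath Python library (required by json_query) is installed on the control node.

```yaml
---
# Added example (not workshop code): compare the members BIG-IP reports for
# http_pool against the webservers group and fail if any host is missing.
- name: VERIFY POOL MEMBERSHIP
  hosts: lb
  connection: local
  gather_facts: false

  vars:
    pool_name: "http_pool"
    member_port: 80
    # host1 -> "host1:80", matching the member name format BIG-IP reports
    expected_members: "{{ groups['webservers'] | map('regex_replace', '$', ':' ~ member_port) | list }}"

  tasks:
    - name: COLLECT POOL FACTS
      bigip_device_facts:
        gather_subset:
          - ltm-pools
        server: "{{ private_ip }}"
        user: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        server_port: 8443
        validate_certs: "no"   # lab convenience; keep validation on elsewhere
      register: bigip_device_facts

    # Same JMESPath expression as the slide, with the pool name templated in
    - name: EXTRACT MEMBER NAMES OF THE POOL
      set_fact:
        actual_members: "{{ bigip_device_facts.ltm_pools | json_query(query_string) }}"
      vars:
        query_string: "[?name=='{{ pool_name }}'].members[*].name[]"

    - name: SHOW MISSING AND UNEXPECTED MEMBERS
      debug:
        msg:
          missing: "{{ expected_members | difference(actual_members) }}"
          unexpected: "{{ actual_members | difference(expected_members) }}"

    # An empty difference means every web server is a member of the pool
    - name: FAIL IF ANY WEB SERVER IS NOT IN THE POOL
      assert:
        that:
          - expected_members | difference(actual_members) | length == 0
        fail_msg: "Not in {{ pool_name }}: {{ expected_members | difference(actual_members) }}"
```

The "unexpected" list is worth watching as well: a member nobody added through the playbook is a configuration drift signal.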

Lab Time: Exercise 1.4 - Adding members to a pool on F5
Demonstrate use of the BIG-IP pool member module to tie web server nodes into the load balancing pool http_pool created in the previous exercises.
Approximate time: ...
