AGENTLESS ARCHITECTURE

ansible.com +1 919.667.9958 WHITEPAPER

THE BENEFITS OF AGENTLESS ARCHITECTURE

YOU SHOULDN'T HAVE TO MANAGE YOUR MANAGEMENT SYSTEM

Ansible is an open source IT configuration management, deployment, and orchestration tool. It differs from other management tools in many respects, aiming to provide large productivity gains across a wide variety of automation challenges. While Ansible provides more productive drop-in replacements for many core capabilities in other automation solutions, it also seeks to solve other major unsolved IT challenges by unifying configuration, deployment, and complex IT process orchestration.

One of the most important challenges in this environment is to do all of the above while providing a robust, easy-to-manage architecture, a problem that is frequently not well solved in this application space. A management tool should not impose additional demands on one's environment; in fact, one should have to think about it as little as possible. It should be transparent and maximize productivity gains. You shouldn't have to manage your management system. Let's see how Ansible achieves these gains using a unique agentless architecture.

TECHNOLOGY OVERVIEW

The core Ansible project manages systems by connecting to them over transport mechanisms already in use for your machines. For Linux and Unix machines, this means SSH, either OpenSSH or, in constrained environments, paramiko (a Python SSH library). For Windows hosts, this means Windows Remote Management (WinRM) via PowerShell remoting. Modules, which are small Ansible programs with their arguments baked in, are transferred over these transports to a temporary directory on the remote machine, executed, and then removed, all in one action. The modules return JSON over standard output, and this return data is processed by the Ansible program on the controlling machine.
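To make that module contract concrete, here is an added example, written for this page rather than taken from Ansible's code base, of a small module in the JSON-arguments (WANT_JSON) style: it reads its arguments as JSON from the file whose path Ansible passes as argv[1], inspects the current state of a file before acting, writes only when the desired state differs, and prints a JSON result carrying a changed flag. The sshd_config line, the scratch-file demo, and the assumption that Ansible includes _ansible_check_mode in the JSON arguments it hands to a WANT_JSON module are the example's own; real Python modules normally use Ansible's AnsibleModule helper instead.

```python
#!/usr/bin/env python3
"""Minimal Ansible-style module: ensure a line is present in (or absent from) a file.

WANT_JSON
Ansible treats a module whose source contains the WANT_JSON marker as a
JSON-args module: it writes the task's arguments as JSON to a file, passes
that file's path as argv[1], runs the module from a temporary directory,
reads the JSON printed on stdout, and deletes the temporary copy.
"""
import json
import os
import sys
import tempfile


def reconcile(current_lines, line, state):
    """Pure decision logic: return (new_lines, changed).

    Converges toward 'line is present' or 'line is absent' and reports
    changed=True only when something would actually have to be written.
    """
    present = line in current_lines
    if state == "present" and not present:
        return current_lines + [line], True
    if state == "absent" and present:
        return [l for l in current_lines if l != line], True
    return list(current_lines), False


def ensure_line(path, line, state="present", check_mode=False):
    """Read current state, apply reconcile(), write only if needed.

    check_mode=True reports what would change without touching the file,
    which is what `ansible-playbook --check` expects from a module.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read().splitlines()
    except FileNotFoundError:
        current = []
    new_lines, changed = reconcile(current, line, state)
    if changed and not check_mode:
        # Write atomically: temp file beside the target, then rename over it,
        # so a crash mid-write never leaves a half-written config behind.
        tmp = path + ".ansible-tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write("".join(l + "\n" for l in new_lines))
        os.replace(tmp, path)
    return {"changed": changed, "path": path, "line": line, "state": state}


def demo():
    """Run the module logic against a scratch file to show idempotency.

    Returns (changed on first run, changed on an identical second run,
    changed reported in check mode, final file content).
    """
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "sshd_config")   # constructed target file
        first = ensure_line(path, "PermitRootLogin no")
        second = ensure_line(path, "PermitRootLogin no")
        preview = ensure_line(path, "PermitRootLogin no", state="absent", check_mode=True)
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
    return first["changed"], second["changed"], preview["changed"], content


def main():
    """Entry point Ansible would invoke: JSON args in, JSON result out."""
    with open(sys.argv[1], encoding="utf-8") as fh:
        args = json.load(fh)
    state = args.get("state", "present")
    if state not in ("present", "absent") or not args.get("path") or not args.get("line"):
        print(json.dumps({"failed": True, "msg": "need path, line and state in (present, absent)"}))
        sys.exit(1)
    # _ansible_check_mode in the args is an assumption of this example.
    result = ensure_line(args["path"], args["line"], state,
                         bool(args.get("_ansible_check_mode", False)))
    print(json.dumps(result))


if __name__ == "__main__":
    main()
```

The second identical run reports changed=False without writing anything, which is the idempotency the text describes: the decision is made on the target against its actual state, and only the JSON verdict travels back to the control node.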

The result is that a very large amount of remote activity can occur with a minimum of traffic interchange. Modules manage idempotent resources and are not simply commands or scripts. For instance, a module can decide that a package should be installed at a particular version, and knows not to execute any commands if the system is already in the proper working state.

"With SSH and Ansible I can send commands to 500 servers without having even used the servers before."
MARK MAAS, UNIX/LINUX SYSTEMS ADMINISTRATOR, BINCK BANK

IMPROVED NETWORK SECURITY

By not requiring any remote (or even, technically, central) server agents, Ansible has a very low attack surface. The only program you need to run on a managed node is the OpenSSH daemon or the WinRM service; both are among the most critically reviewed programs in the world and are the foundation of secure remote access on their platforms. Ansible recognizes that cryptography is extremely difficult to get right, so it does not ship its own daemon and certificate system, but instead relies on the most secure remote management system available for each managed platform. OpenSSH is available for an extremely wide variety of distributions and is very lightweight. When security issues in OpenSSH are discovered, they are patched extremely quickly. Similarly, Windows Remote Management is how Microsoft's own management stack manages Windows. While it is possible to build a secure custom transport on top of a library such as OpenSSL, there is a track record of remote exploits against custom agents and daemons in this application space, and Ansible avoids that class of problem by not having one. The trade-off to plan for is that the control node then holds the SSH keys and credentials for every managed host, so it is the machine whose access you must guard most carefully.

ENABLING NON-ROOT LEVEL ACCESS (AND SUDO)

Ansible playbooks can log in remotely as any user account. From this account, they can run modules as the user that initiated the connection, or they can use standard privilege escalation mechanisms (such as su or sudo) to become any other user, including root. Direct root login, if desired, is also supported. Sudo with a password and password-less sudo are supported equally. These approaches are ideal when managing parts of a system where root login is not allowed at all, or where root login is not allowed but users can sudo to root. For example, an unprivileged user can manage content in their home directory with Ansible even if they have no root or sudo privileges on the machine.

File transfer is not limited when using sudo. Ansible contains a sudo-compatible file transfer facility: content is transferred as normal with SFTP into the connecting user's temporary directory, and then Ansible moves the file into place using the escalated credentials. Ansible is also intelligent enough not to transfer files that do not need to be transferred: if the source and target checksums already match, the copy is skipped.

LIMITING TRANSFER OF POTENTIALLY SENSITIVE DATA

Ansible transfers a bare minimum of data to the machines it manages. Since the central server holds the decision-making logic, only the variables a remote node needs are sent to it. For instance, if there is a global variable called foo, it is never sent to a remote server unless it is explicitly used in a resource or template for that host (all templates are evaluated on the central management machine, so the remote node receives the rendered result, not the variables that produced it). As such, Ansible pushes out only what remote nodes need to see: the bare minimum.
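Seen from the control node, the transfer-execute-remove cycle described under TECHNOLOGY OVERVIEW, the point above that only the current task's arguments leave the controller, and the checksum short-circuit for file copies look like the following added example (written for this page, not Ansible's own code). A local directory and a subprocess stand in for the SSH/SFTP transport so it runs offline; the two throw-away modules, the file names and the constructed banner content are assumptions of the example.

```python
#!/usr/bin/env python3
"""Control-node side of one agentless task: transfer, execute, remove.

Added example (not Ansible's own code). The SSH/SFTP transport is replaced
by a local directory and a subprocess so the flow runs offline; the shape is
what Ansible does per task: copy the module and only this task's arguments
into a scratch directory on the target, run it once, remove the scratch
directory, and parse the JSON the module printed. Also shown: skipping a
file copy when the target already reports a matching checksum.
"""
import hashlib
import json
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed throw-away module for the demo; it follows the JSON-args
# contract (WANT_JSON) and reports whether a path exists on the target.
MODULE_OK = '''\
import json, os, sys  # WANT_JSON
args = json.load(open(sys.argv[1]))
print(json.dumps({"changed": False, "exists": os.path.exists(args["path"])}))
'''

# A module that crashes, to show the controller still cleans up after it.
MODULE_BROKEN = "import sys; sys.exit(3)\n"


def sha1_of(path):
    """SHA-1 of a file, the checksum Ansible's stat module reports."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def needs_transfer(local_path, remote_checksum):
    """Only push the file if the target's checksum is missing or differs."""
    return remote_checksum is None or sha1_of(local_path) != remote_checksum


def run_module(module_source, args, remote_root):
    """One transfer-execute-remove cycle against the stand-in target.

    Returns the module's parsed JSON, or a failed result if it crashed or
    printed something that is not JSON. The scratch directory is removed
    on every path out, so nothing the controller shipped stays behind.
    """
    scratch = tempfile.mkdtemp(prefix=".ansible-tmp-", dir=remote_root)
    try:
        module_path = os.path.join(scratch, "module.py")
        args_path = os.path.join(scratch, "args.json")
        with open(module_path, "w", encoding="utf-8") as fh:   # "transfer" the module
            fh.write(module_source)
        with open(args_path, "w", encoding="utf-8") as fh:     # ship only these args
            json.dump(args, fh)
        proc = subprocess.run([sys.executable, module_path, args_path],
                              capture_output=True, text=True, check=False)
        if proc.returncode != 0:
            return {"failed": True, "rc": proc.returncode, "stderr": proc.stderr}
        try:
            return json.loads(proc.stdout)
        except ValueError:
            return {"failed": True, "rc": 0, "msg": "module output was not JSON"}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo():
    """Exercise the cycle on a fake target; return what a test can check."""
    with tempfile.TemporaryDirectory() as target_root:
        banner = os.path.join(target_root, "issue.net")
        with open(banner, "w", encoding="utf-8") as fh:
            fh.write("Authorised use only\n")          # constructed target file

        ok = run_module(MODULE_OK, {"path": banner}, target_root)
        broken = run_module(MODULE_BROKEN, {"path": banner}, target_root)
        leftovers = [n for n in os.listdir(target_root) if n.startswith(".ansible-tmp-")]

        # Controller-side copy identical to what the target already has.
        local_copy = os.path.join(target_root, "issue.net.local")
        with open(local_copy, "w", encoding="utf-8") as fh:
            fh.write("Authorised use only\n")
        skip = not needs_transfer(local_copy, sha1_of(banner))
        push = needs_transfer(local_copy, "0" * 40)     # stale remote checksum

    return {"exists": ok["exists"], "broken_rc": broken["rc"],
            "leftovers": leftovers, "skip_identical": skip,
            "push_if_different": push}
```

The cleanup lives in a finally block on purpose: a module that crashes (MODULE_BROKEN) still leaves no copy of the shipped code or arguments on the target, which is the property that makes the "nothing persists on the managed node" argument hold in the failure case as well as the happy path.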

Similarly, Ansible contains no custom file server implementation. It moves files using SFTP, SCP, WinRM, and (serverless) rsync over SSH, and only the files the playbook actually needs to transfer. The result is that it is impossible for a managed host to request files or templates meant for another machine, or to access sensitive data not meant for it. There is no way for a remote host to browse what data may apply to other computer systems. This makes Ansible ideal for environments where data is extremely sensitive, including privacy-sensitive data, security workloads, healthcare, and government applications.

CREDENTIAL SEGREGATION

Ansible is useful in environments where different users have different levels of trust. It is possible to make a common definition of manageable hosts available, and then use each user's individual access credentials to grant them access to remote machines. This can allow, for instance, developers to have managed access to development machines, QA engineers to QA machines, and administrators to production machines, without the risk of a developer accidentally pushing content to production: the developer's key simply does not authenticate to production hosts.

NO MANAGING THE MANAGEMENT

One of the major problems of many configuration management solutions is managing the management. In order to start managing machines, software must be installed on the remote machines (see ZERO BOOTSTRAPPING below). When updating the management software, the various agents must often be updated first (and many cannot self-update). Sometimes compatibility problems arise between server and agent versions, or between agent and language runtime versions. Ansible avoids this problem by transferring modules over SSH and WinRM, services that are already part of the operating system and at the core of every major platform. Further, by not requiring any agents, any sort of agent crash scenario is avoided, so there is a low risk of severing your ability to manage the box.

CENTRAL SERVER SCALABILITY

Since Ansible pushes changes out to remote servers, it is immune to the thundering herd management problem. In some other solutions, management agents checking in periodically hammer the server, often overwhelming it and forcing the management control system to be scaled out horizontally and vertically. Further, the management server frequently has to do very expensive computations on behalf of the remote nodes. Ansible solves this problem by being push oriented: it only has to talk to a finite, but configurable, number of nodes at one time (the forks setting), and it offloads as much remote computation as possible to the remote nodes themselves, sharing the workload among systems. This makes centralizing your Ansible deployment platform, if desired, a much less resource-intensive task.

RESOURCE UTILIZATION

When Ansible is not managing remote nodes, it is not doing anything on those nodes. There is no daemon to consume memory or CPU. It has been reported that, with some solutions, application servers show visible performance degradation (per monitoring data) during wake-up configuration windows, or run agents that consume 400MB+ of memory each. In a virtualized environment, all of this resource consumption adds up quickly, requiring more hardware outlays. Ansible allows your performance-critical workloads to use all of your CPU, and you choose when to run your management intervals; there is no chance of a memory leak, and no agent that may crash and cut off your ability to manage the box.

FIREWALL FRIENDLY

Some message-bus based systems in production require keeping connections open to the managed services. This can play havoc with firewalls that do not tolerate long-lived connections. Sometimes, when connections drop, management connectivity to these applications cannot be re-established until the agents are restarted. Ansible's push-on-demand model does not need to hold persistent connections open between the management machine and the managed nodes, and therefore avoids this problem.

Running an agent-based management model also requires firewall configuration in constrained environments. You may need to create specific firewall rules solely so that your management agents can contact their central server, and you may also need custom firewall rules for your management system's custom protocol. By operating in an agentless manner over SSH and WinRM, Ansible avoids this problem: all connections use the standard remote-access services that you already have rules for.

ZERO BOOTSTRAPPING

Ansible can start managing remote machines immediately, without any agent software installed. In a brownfield deployment scenario, a site may have thousands of existing machines and need to deploy a software change to all of them. Ansible can start communicating with all of these machines right away, reaching out and managing them without a lengthy setup process.

The ability to manage systems without installing additional agents also makes Ansible a consultant's or vendor's best friend. A customer may be running any number of software systems and may not want to commit to adopting a particular new management system. Writing automation in Ansible ensures that when configuration is done, the customer will not have to maintain the deployment system unless they want to. Of course, if they want, they can keep using Ansible, and the simplicity should be appealing.

USE THE EXISTING FEATURES YOU'RE ALREADY USING

When used with the native OpenSSH transport, Ansible supports Kerberos authentication through the ssh client's GSSAPI support. For users with Kerberos environments, this provides excellent security features and very clean central administration. Also when using the native OpenSSH transport, Ansible can take advantage of user-configured SSH jump hosts (bastion hosts) and tunneling, as set up in the user's SSH configuration file. In cases where IT policies require logging in to one host to get at others, Ansible can make this experience as seamless as possible.

AGENTLESS MANAGEMENT SUCCESS

As described above, Ansible achieves its agentless support by leveraging SSH and Windows Remote Management, transferring compact auto-generated modules to remote machines that remove themselves after running, rather than executing raw Unix commands. These modules describe desired states as well as ordered processes, and return JSON data. Because of the way operations are executed, this is a very efficient approach that can reuse connections and uses a minimal amount of network traffic. It adds numerous security benefits and improves both client and central management server resource utilization, while eliminating the concerns of managing the management that come with classic agent-based systems. Additional options such as non-root access and a reduced attack surface further add to the appeal of the configuration.

ABOUT ANSIBLE

Ansible, an open source community project sponsored by Red Hat, is the simplest way to automate IT. Ansible is the only automation language that can be used across entire IT teams, from systems and network administrators to developers and managers. Ansible by Red Hat provides enterprise-ready solutions to automate your entire application lifecycle, from servers to clouds to containers and everything in between. Ansible Tower by Red Hat is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments.

READY TO AUTOMATE? info@ansible.com +1 919.667.9958 ansible.com

Copyright 2016 Red Hat, Inc. Red Hat, the Shadowman logo, and Ansible are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.