.yml
{{ var }} not $var
{{ var }} not {{var}}
EDXAPP_FOO
test.yml is included and run when a run_tests var is set to validate the role installation on a single instance.
deploy.yml with a list of tasks that start with service stop and end with a service start that is run to deploy an application update. Every task in deploy.yml should be tagged with deploy.
deploy.yml should affect the application state
deploy.yml should be able to run as a user with a limited sudo rule and not require root access.
my_role) not dashes (my-role).
my_path: /foo not my_path: /foo/. When concatenating paths, follow the same convention (e.g. {{ my_path }}/bar not {{ my_path }}bar)
when: for conditionals - To check if a variable is defined: when: my_var is defined or when: my_var is not defined
To verify return status (see conditionals)

    - command: /bin/false
      register: my_result
      ignore_errors: True
    - debug: msg="task failed"
      when: my_result|failed
Break long lines using yaml line continuation.
Reference: http://docs.ansible.com/playbooks_intro.html

    # Single long line
    - file: dest="{{ test }}" src="./foo.txt" mode=0077 state=present user="root" group="wheel"

    # Folded with the > line continuation marker
    - file: >
        dest="{{ test }}" src="./foo.txt" mode=0077
        state=present user="root" group="wheel"

    # YAML dictionary form
    - file:
        dest: "{{ test }}"
        src: "./foo.txt"
        mode: 0077
        state: present
        user: "root"
        group: "wheel"

Every role should have a standard set of role directories. Example that includes a Python and Ruby virtualenv:

    edxapp_data_dir: "{{ COMMON_DATA_DIR }}/edxapp"
    edxapp_app_dir: "{{ COMMON_APP_DIR }}/edxapp"
    edxapp_log_dir: "{{ COMMON_LOG_DIR }}/edxapp"
    edxapp_venvs_dir: "{{ edxapp_app_dir }}/venvs"
    edxapp_venv_dir: "{{ edxapp_venvs_dir }}/edxapp"
    edxapp_venv_bin: "{{ edxapp_venv_dir }}/bin"
    edxapp_rbenv_dir: "{{ edxapp_app_dir }}"
    edxapp_rbenv_root: "{{ edxapp_rbenv_dir }}/.rbenv"
    edxapp_rbenv_shims: "{{ edxapp_rbenv_root }}/shims"
    edxapp_rbenv_bin: "{{ edxapp_rbenv_root }}/bin"
    edxapp_gem_root: "{{ edxapp_rbenv_dir }}/.gem"
    edxapp_gem_bin: "{{ edxapp_gem_root }}/bin"

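A small lint pass for the variable and path conventions listed above, as an added example (not code from the original page or from the edX configuration repository). The regular expressions, the rule ids and the sample file are assumptions made for this illustration.

```python
import re

# Heuristic patterns written for this example; they are not part of Ansible
# or of any edX tool. Each rule: (id, pattern, message).
RULES = [
    ("dollar-var", re.compile(r"(?<![\w$])\$\{?[A-Za-z_]\w*"),
     "use {{ var }}, not $var"),
    ("jinja-spacing", re.compile(r"\{\{(?! )[^{}]*\}\}|\{\{[^{}]*(?<! )\}\}"),
     "use {{ var }}, not {{var}}"),
    ("path-trailing-slash",
     re.compile(r"^\s*\w+:\s*[\"']?(/|\{\{).*?/[\"']?\s*$"),
     "path values must not end with a slash"),
    ("path-concat", re.compile(r"\}\}\w"),
     "concatenate as {{ my_path }}/bar, not {{ my_path }}bar"),
]

# Constructed sample vars file (not taken from any real role).
SAMPLE = """\
# constructed sample
my_path: /foo/
app_dir: "{{ base_dir }}/app"
conf: "{{app_dir}}/conf"
log: $log_dir/app.log
bin: "{{ app_dir }}bin"
"""


def lint_text(text, filename="<input>"):
    """Return (filename, line_no, rule_id, message) for each violation."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        code = line.split(" #", 1)[0]  # drop trailing YAML comments
        if code.lstrip().startswith("#"):
            continue  # whole-line comment
        for rule_id, pattern, message in RULES:
            if pattern.search(code):
                findings.append((filename, line_no, rule_id, message))
    return findings


def lint_role_name(name):
    """Role names use underscores (my_role), not dashes (my-role)."""
    if "-" in name:
        return [(name, 0, "role-dash", "use underscores, not dashes")]
    return []


if __name__ == "__main__":
    for finding in lint_text(SAMPLE, "sample.yml") + lint_role_name("my-role"):
        print("%s:%d: [%s] %s" % finding)
```

The patterns are line-based heuristics, so shell variables inside command strings will also be reported by the dollar-var rule and need a manual look.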
As a general policy we want to protect the following data:
Directory structure for the secure repository:
ansible
├── files
├── keys
└── vars
The default secure_dir is set in group_vars/all and can be overridden by adding another file in group_vars that corresponds to a deploy group name.
For templates or files that are secure, use first_available_file. Example:

    - name: xserver | install read-only ssh key for the content repo that is required for grading
      copy: src={{ item }} dest=/etc/git-identity force=yes owner=ubuntu group=adm mode=60
      first_available_file:
        - "{{ secure_dir }}/files/git-identity"
        - "git-identity-example"