Hey All,

I posted some thoughts on deploying with Ansible, specifically some problems we tried to solve converting from Capistrano:

http://www.future500.nl/articles/2014/07/thoughts-on-deploying-with-ansible/

Michael de Haan pointed out that some of our “solutions” are deprecated for security reasons, so I post here to discuss other options, and deploying with Ansible in general.

Here is the role on ansible-galaxy: https://galaxy.ansible.com/list#/roles/732

I’d like to point to the “deploy” module specifically: https://github.com/f500/ansible-project_deploy/blob/master/library/deploy

• it creates a folder structure
• it generates a timestamp
• it generates facts (including the generated timestamp)
• it can remove n releases

Perhaps that does some work that makes life easier for deploys?

So several things I wanted to comment on.

(A) What Cap calls rollbacks aren’t - it would be a rollback if it magically understood how to undo every action. That being said, some sort of try/except facility is intended for 1.8. “Rollback” logic is up to you, but failing forward is a better approach. The guide on test strategy may also be instructive.

(B) The symlink pattern thing I’d like to make more idiomatic, though I don’t think it’s hard now. This might just be a docs example, but it might be a mini-module that has a couple of modes, one that makes a timestamp and another that moves the symlink or something. I don’t know. Example may be sufficient.

(C) Yes, adding key=value arguments to existing commands must now be intercepted for security reasons. In particular this part, which I don’t really understand what it’s doing in the playbook, can’t be a thing:

  action: "{{ item.module }} {{ item.parameters }}"

In all though, the topic I want to concentrate on the most is (B). If we were to make a module or two to make the “timestamp’d symlink thing” more idiomatic, what might the syntax look like, etc?

One of the major goals of Ansible is to not need another deployment tool on top, like Cap. In most cases, people are already able to drop Fabric/Cap - I’d say it’s significantly more common for people to adopt ansible for application deployment needs initially - and especially with regard to load balancing and such it was designed for the purpose.

So the question is, how do we make that even easier?

I’ll try to get some things out of the way before responding to your (B).

About the "rollback”:
The point wasn't really about wether Capistrano does rollbacks or not (I’ll accept that they’re not - I’m no expert on the subject), but more about how complex things can become if you’re trying to implement a central place for “rollback” in Ansible. In essence, avoiding the result of multiple tasks to influence flow of the role. Try/except would ease that pain a bit (but it wasn’t painful for us _not_ to have a central rollback at all).

About the “action:” syntax idea:
** never actually used **
It was an idea using (abusing) the old notation of Ansible to allow writing a more flexible role in Galaxy. The point is allowing certain moments where the consumer of the role can add their own actions, without having to copy the role.
— it is understood that this idea will not work.

** currently used in ansible-project_deploy role **
Having a configurable list, that is used “with_items” and the “command” module (could be shell module). The reason is the same, to allow consumers of the role to perform commands that are not part of the deploy role by default.

Answer to (B):
We worked hard to make an easy to re-use role. The only things we found worthy of adding to a module where:
- state=present: the automatic creation of the folder structure. The module will also create a new timestamp and return that in a fact, and delete any folders containing a “BUILD_UNFINISHED” file.
- state=clean: the automatic removal of old releases (which also makes assumptions on the folder structure).
- state=absent: removal of the entire deploy folder (just to be consistent, could be done with the file module already)

None of these are hard to implement - but I tried to show in the article that it does clean up the role a bit.

Moving the symlink *could* be part of the module. We didn’t really see a huge benefit, it’s just a single task.

All-in-all I think we went with your mantra when people start suggesting deploy modules: “It sounds like a role to me”
But the aim was to create a role in Galaxy that can cover most simple deploy scenarios.

. Try/except would ease that pain a bit (but it wasn’t painful for us
_not_ to have a central rollback at all).

Got it - yeah I want to have something for this in 1.8

About the “action:” syntax idea:
** never actually used **
It was an idea using (abusing) the old notation of Ansible to allow
writing a more flexible role in Galaxy. The point is allowing certain
moments where the consumer of the role can add their own actions, without
having to copy the role.
— it is understood that this idea will not work.

** currently used in ansible-project_deploy role **
Having a configurable list, that is used “with_items” and the “command”
module (could be shell module). The reason is the same, to allow consumers
of the role to perform commands that are not part of the deploy role by
default.

Answer to (B):
We worked hard to make an easy to re-use role. The only things we found
worthy of adding to a module where:
- state=present: the automatic creation of the folder structure. The
module will also create a new timestamp and return that in a fact, and
delete any folders containing a “BUILD_UNFINISHED” file.
- state=clean: the automatic removal of old releases (which also makes
assumptions on the folder structure).
- state=absent: removal of the entire deploy folder (just to be
consistent, could be done with the file module already)

Yep, I'm basically wanting to see this doable with a module, not a role, to
make it more adaptable by users that want different variations, and less
boilerplate to hop through when they do.

Having a module that has a couple of modes, one might be via action plugin
to register a consistent symlink timestamp, and another via standard module
to make one "the one", and to clean out older timestamps, seems to make a
lot of sense.

All-in-all I think we went with your mantra when people start suggesting
deploy modules: “It sounds like a role to me”

Yeah here I'm thinking there's enough of a pattern that we can get
something to smooth this out in core.

It also gives a good place to hang a common example.

Maybe down the right track:

# this would have to be a bypass host loop plugin or something to get a
consistent timestamp, but maybe we don't care
- deploy_prepare:
  register: deploy_timestamp

- deploy_helper: timestamp={{ deploy_timestamp.time }} base=/opt/base
  register: where_to

# git checkout to where_to.path

# symlink latest dir into live and remove other symlinks
- deploy_helper: timestamp={{ deploy_timestamp.time }} base=/opt/base
live=/opt/live clean=yes
  register

This is just me going through it really quick so I suspect we can come up
with cleaner argument names and workflow.

Having a module that has a couple of modes, one might be via action plugin to register a consistent symlink timestamp, and another via standard module to make one “the one”, and to clean out older timestamps, seems to make a lot of sense.

Maybe down the right track:

this would have to be a bypass host loop plugin or something to get a consistent timestamp, but maybe we don’t care

• deploy_prepare:
  register: deploy_timestamp

• deploy_helper: timestamp={{ deploy_timestamp.time }} base=/opt/base
  register: where_to

For the deploys we do with our galaxy role, a consistent timestamp is not an issue (small projects, single hosts). But for something in core, I would expect the ability to create a single timestamp for all hosts. I also really like the idea of a separate deploy_helper module that takes in this timestamp - but I remarked in my blogpost that a timestamp isn’t really required (I gave ‘commit hash’ as an example folder name).

Perhaps:

• deploy_helper: release_version={{ deploy_timestamp.time }} base=/opt/base
  register: where_to

Which allows for:

• deploy_helper: release_version={{ my_own_versioning_implementation }} base=/opt/base
  register: where_to

git checkout to where_to.path

I’m assuming “where_to.path” is the release-path-with-timestamp, and that this line is a placeholder for anything that goes on before the actual release is ready.

Question: does the deploy_helper assume a folder structure?
So in this case: would the where_to.path point to “/opt/base/releases/{{ timestamp }}” ?

Our role currently places a file called “BUILD_UNFINISHED” in the where_to.path, and uses that file to remove failed builds (any folder containing it will die in the startup of the next deploy). That helped us out also, not having to identify where the “current” symlink is pointing to. Does that sound logical?

Param: unfinished_file=BUILD_UNFINISHED (or yes/no, with a fixed value maybe)

symlink latest dir into live and remove other symlinks

• deploy_helper: timestamp={{ deploy_timestamp.time }} base=/opt/base live=/opt/live clean=yes

Again: does this assume a folder structure?
So in this case, the symlink would become: /opt/live → /opt/base/releases/{{ timestamp }} ?
And any old releases in /opt/base/releases would be removed?

(sorry for al the questions, I’m trying to map your example to my actual cases)

Just wanted to add; this is almost exactly how we deploy PHP-based apps (with a bunch of bash scripts currently :/) at my current workplace, and having a built-in way to tidy up the process would be awesome.

Having a module that has a couple of modes, one might be via action plugin

to register a consistent symlink timestamp, and another via standard module
to make one "the one", and to clean out older timestamps, seems to make a
lot of sense.

Maybe down the right track:

# this would have to be a bypass host loop plugin or something to get a
consistent timestamp, but maybe we don't care
- deploy_prepare:
  register: deploy_timestamp

- deploy_helper: timestamp={{ deploy_timestamp.time }} base=/opt/base
  register: where_to

For the deploys we do with our galaxy role, a consistent timestamp is not
an issue (small projects, single hosts). But for something in core, I would
expect the ability to create a single timestamp for all hosts. I also
really like the idea of a separate deploy_helper module that takes in this
timestamp - but I remarked in my blogpost that a timestamp isn't really
required (I gave 'commit hash' as an example folder name).

Yeah, good point, and may not be an issue anywhere really because of the
symlink, if there's good enough cleanup options.

Not requiring that seems like it would be a nice shortcut, provided that
the module could be called to register what the "latest" was if you didn't
pass too many arguments.

Perhaps:
- deploy_helper: *release_version*={{ deploy_timestamp.time }}
base=/opt/base
  register: where_to

Which allows for:
- deploy_helper: release_version={{ my_own_versioning_implementation }}
base=/opt/base
  register: where_to

# git checkout to where_to.path

I'm assuming "where_to.path" is the release-path-with-timestamp, and that
this line is a placeholder for anything that goes on before the actual
release is ready.

Question: does the deploy_helper assume a folder structure?
So in this case: would the where_to.path point to "/opt/base/releases/{{
timestamp }}" ?

I think it would only assume a timestamp dir in base, but it could default
to make a subdir called "releases", sure.

I think as long as we document what it does we could make up a convention,
because it's going to change the way you deploy your app a little bit, and
you would not have to use unless you wanted...

Our role currently places a file called "BUILD_UNFINISHED" in the
where_to.path, and uses that file to remove failed builds (any folder
containing it will die in the startup of the next deploy). That helped us
out also, not having to identify where the "current" symlink is pointing
to. Does that sound logical?

Param: unfinished_file=BUILD_UNFINISHED (or yes/no, with a fixed value
maybe)

This sounds pretty cool to me.

# symlink latest dir into live and remove other symlinks

- deploy_helper: timestamp={{ deploy_timestamp.time }} base=/opt/base
live=/opt/live clean=yes

Again: does this assume a folder structure?
So in this case, the symlink would become: /opt/live ->
/opt/base/releases/{{ timestamp }} ?
And any old releases in /opt/base/releases would be removed?

I think maybe you might need to pass a parameter to remove the other ones,
and it could be optional.

(sorry for al the questions, I'm trying to map your example to my actual
cases)

Yeah something like what you have, if not exactly, as a module seems really
really cool to me.

Hi all!

A little introduction for context: I'm a college/employee of Ramon de la Fuente, and we both maintain the f500.* roles in Galaxy. So when I refer to "our module", that's the same module as the one Ramon refers to.

I'd like to sum up my thoughts on the discussion so far:

- We choose to use the same directory layout as Capistrano does:

/opt/base/current -> /opt/base/releases/{timestamp}
/opt/base/releases/
/opt/base/shared/

"shared" is used for stuff that needs to survive a deploy (uploads, etc).

The main reason we chose this is because it will be familiar to people who have used Capistrano. Plus we didn't see anything wrong with this layout, it suits our needs perfectly.

We could make the exact file/directory names configurable though.

- I agree we need something to create a consistent timestamp (or whatever) to be used on all hosts.

And this probably doesn't have to be a timestamp. The reason we choose a timestamp is because it helps determine which releases should be cleaned up. We can simple order them and keep the latest X.

I suspect it should be possible to stat those directories for a creation-date, and use them for the cleanup. The directory name itself can then be whatever you like (unix timestamp, yyyymmddhhmmss style timestamp, commit hash, uuid, etc).

- Our current role also sets some facts, which are really convenient to have around:

base_path: <must be provided through a required option>
current_symlink: <base_path>/current
releases_path: <base_path>/releases
shared_path: <base_path>/shared
current_release: <the release-timestamp/whatever that current_symlink points to>
current_release_path: <base_path>/releases/<current_release>
new_release: <the given/generated release-timestamp/whatever>
new_release_path: <base_path>/releases/<new_release>
unfinished_file: BUILD_UNFINISHED

I'd like the core module to have these as well. Any thoughts on additions or changes are more than welkom!

- The cleanup process we use is 2-fold: First we remove any releases that still contain the BUILD_UNFINISHED file. Next we remove any releases that exceed a configurable amount (keep 5 releases for example).

This 2-fold process is very important to us, because we don't want to accidentally fail 5 releases in a row and have the cleanup process remove any older releases, therefor be left with only broken releases. The releases that are kept must be successful ones.

And, we don't have this yet, but I think the cleanup should never remove the active release (the one the symlink points to), even if it's considered old). So it has to safeguard that.

Hello,

Again, a very BIG thank you for your efforts on the deploy module.

I would like to share my suggestion, perhaps as an idea to generate a future pull request:
With capistrano, it is possible to run some of the tasks only on specific hosts. Any plans for such a feature?
Problem is that in the /shared folder, I have stuff that’s being shared between releases but ALSO some mounted nfs shares. I think I will create another directory in deployment root called /mounts for the NFS purposes, to avoid confusion and workarounds.
Regardless, I think the host filter feature would come in handy.

P.S. for us, it’s important to have a simple rollback functionality so you might see a fork/pr soon.

“With capistrano, it is possible to run some of the tasks only on specific hosts. Any plans for such a feature?”

This has been a feature in Ansible since day 1.

• hosts: hostnames
• hosts: otherhostnames

Etc

That’s right. But I was referring to another thing.

Basically, I’m trying to use their deployment role as a whole, to perform certain operations only on certain hosts, while leaving all the hosts/groups, listed in the the main ‘hosts’ directive.

In my other roles, I’ve been using host_vars or even defined the host vars in the ‘hosts’ file and used those vars as flags for acting or not on some particular tasks.

To nail it down, I am deploying on 10 nodes and each is having a custom connection string to its own Redis node. That would be handled via the /private folder, but I can’t see a built-in way for their deployment role to do this.

Perhaps I’m not looking at it from the right angle.

"
Basically, I’m trying to use their deployment role as a whole, to perform certain operations only on certain hosts, while leaving all the hosts/groups, listed in the the main ‘hosts’ directive."

This is there too

ansible-playbook foo.yml --limit groupname
ansible-playbook foo.yml --limit hostname

“To nail it down, I am deploying on 10 nodes and each is having a custom connection string to its own Redis node. That would be handled via the /private folder, but I can’t see a built-in way for their deployment role to do this.”

This doesn’t seem related.

I’d just do host_vars/ for this, and that’s a different concept, but does not interfere with --limit.

Hey All,

Sorry about the radio silence on this thread, I kind of dropped the ball on this one

I’m picking up where I left off, I’ll work out the options for the module to move this thing forward. I think my last ideas revolved around two options for the module, one where we have a (semi) fixed folder structure - and one where we’re only interested in the symlink and cleanup.

If anyone has had thoughts about it since august, feel free to add them - I’ll be working on this next week.

Kind regards,

Ramon

Nice, very much looking forward to this.

If you have a PR ready maybe reply to the list so you can make sure to get our attention on it.

Thanks!!!

Hey Michael (and anyone else interested),

I’ve been working on the deploy_helper module, but it’s not ready for a pull-request just yet.

From the perspective of a consumer, I think a common deploy role looks something like this (following along the lines of a deploy procedure that uses releases and a ‘current’ symlink):
The numbers are a guess at the number of tasks it would take to complete the task.

1. create the project root folder
2. create a timestamp
3. create a releases folder
4. create the shared folder

1. remove build in progress file
1. create a symlink
3. delete the old releases [find, filter, delete]

When we take a “deploy_helper" module into account, it could look like
this:

1. deploy state=present path=/path/to/root
    - creates project root folder
    - returns a timestamp
    - creates the releases folder
    - creates the shared folder (optional)
~~~ clone, build, prepare ~~~ (outside of the scope of the module)
1. deploy state=finalize
    - removes build in progress file
    - creates a symlink
    - optionally does cleanup
-----------------------------------------
This could be done in 2 tasks (+1 if we exclude the ‘shared' folder
creation from the module)

This looks really good to me.

I much prefer the idea of a mostly self-contained module as it makes the
amount of work everyone has to do to use the above much more condensed.

If 2000 people use it, we might have saved the world 20,000 minutes or
more, etc

Looking at the options required, the module might take on this signature:

deploy_helper parameters:
required:
    path= /path/to/project-root

not required:
    release= (default: timestamp)
    owner= (default: null)
    group= (default: null)
    mode= (default: null)
    keep_releases= (default: 5)
    create_shared_folder= (default: true)
    releases_path= (default: {{ path }}/releases)
    shared_path= (default: {{ path }}/shared)
    current_path= (default: {{ path }}/current)
    unfinished_filename= (default: DEPLOY_UNFINISHED)

I may be a little unclear on what the "shared path" is. Can you remind

me?

    state=[ present, absent, clean, finalize, query ] (default: present)

Besides your general opinion, I was pondering the following practical
questions:

1: What category of module would this module be under? File?

"web infrastructure" seems ideal for now. We may decide to reorganize

the categories in the near future.

2: Should the (optional) creation of a shared folder be part of a deploy
module?

see my question above as I'm not quite remembering what a shared folder

is right now

3: Should we even be duplicating code like creation of the symlink? The
file module already does that...

There should be common code for this in module_utils. If not, we can

move the file code there and make it use that,
to avoid duplication.

I do believe it's important to represent the "idea" (atomic deploys with
timestamps) versus the "how", and saving as many steps as possible.

Thanks for any feedback, kind regards,

Thanks a ton for building this!

Hey Michael,

Quick reply regarding the “shared folder”

With most projects there’s some form of state kept between releases. With web projects this usually means server-side session files, but possibly also user-generated content like uploaded files and such. All our projects have at least one shared folder.

root/releases/1/sessions → root/shared/sessions

root/releases/1/uploads → root/shared/uploads

root/releases/2/sessions → root/shared/sessions

root/releases/2/uploads → root/shared/uploads

Our deploy role takes care of creating and linking to the subfolders of /shared, but creation of the shared folder itself could be part of the role. Not really that big of a deal though, it saves just one task - and maybe adds some confusion as to what it is and what it should do.

Kind regards,

Ramon

I see yeah, the symlink for the shared folder could be part of the module, but could be outside it too.

I’m fine with it being there if that’s an example.

Ok, Michael, and everyone else of course,

I’ve proposed the new module in a pull-request.

The module can be found here:
https://github.com/ansible/ansible-modules-extras/pull/110

The documentation (I chose to make an additional guide in the manual):
https://github.com/ansible/ansible/pull/9566

And optionally, tests for the module:
https://github.com/ansible/ansible/pull/9567

I split the manual and the tests up into separate pull requests, because I’m not sure if you guys want them or not…

I hope you like it, let me know what you think.

Thanks for this!

My first thought is try to clean up the examples section so there’s no “…” … make something real world in there, and seperate it out by use case.

I would not like to see a seperate guide for this module as it sets a bit of a strange precedent, so it would be better to just show a basic set of playbooks in the examples.

We can take a look further at implementation/usage once those get fleshed out a bit, so we can tell how to run them.

Thanks!