Ansible 2.0 launched

14 Jan '16

As a frequent Ansible user and (less frequent) contributor, I’m very excited that Ansible 2.0 has been launched. It’s definitely a huge milestone, and must have been stressful with the recent acquisition, so congratulations to the team.

While blocks in playbooks aren’t exactly a game-changer in the automation world, they do simplify writing playbooks while keeping them clean as ever. One of the reasons1 I converted to Ansible is that other tools, especially the Ruby based ones, simply devolve into Ruby scripts with a few extras and un-debuggable logic.

Of course, there’s still some work to be done. Recently, I’ve needed to deploy secrets (e.g. SSH keys), which lead me to look into Ansible Vault. The glaring weakness is that you can’t upload an encrypted file easily. Basically, only variables from encrypted YAML files are really supported. This could be solved with a method à la lookups, but alas none of the pull requests made it for 2.0. Luckily, it’s still been worked on.

There’s also the matter of using symmetric encryption, which means a single, and ideally secret key needs to be shared. This is a huge problem in (Dev)Ops: Say one guy leaves and you’ll have to rotate all keys. PGP/GPG keys solve this a bit more elegantly, and to be honest I trust asymmetric encryption more than symmetric AES 2. So GPG support would be nice. Of course, there’s no magic bullet and bootstrapping secrets securely remains as hard as ever.

  1. The second being that the agent-less architecture is so good for containers. 

  2. Although I’m no crypto expert, so that’s pretty much superstition. There’s a hint of truth to this, as in practice symmetric encryption “encourages” short keys that can be remembered (i.e. a password and password-based thinking). It takes ages to unlearn this and to use proper keys which are treated with paranoia and respect. It also doesn’t help that GPG is almost unusably complicated. 


Newer Older