Tool to create AMIs with Ansible
Project description
bossimage
=========
|Build Status|
Bossimage is a command line utility to convert an `Ansible
role <http://docs.ansible.com/ansible/playbooks_roles.html>`__ into an
`Amazon EC2
AMI <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html>`__.
Bossimage requires just one configuration file to be added to the base
directory of an Ansible role. Once that is done, Bossimage may be used
to build an EC2 instance, run the Ansible role on it, then "bake" it
into an AMI. After the AMI is created, Bossimage can also build a test
instance from it and run a test playbook on the instance.
Bossimage is inspired by both `Packer <https://www.packer.io/>`__ and
`Test Kitchen <http://kitchen.ci/>`__, but much simpler than either. If
you use both Ansible and AWS, you may find it useful.
Bossimage has been tested on both Linux and Windows targets in EC2.
Installation
============
Install from `PyPI <https://pypi.python.org/pypi>`__
----------------------------------------------------
::
pip install bossimage
Install from source
-------------------
::
git clone https://github.com/cloudboss/bossimage.git
cd bossimage
pip install -r requirements.txt
pip install .
Quick Start
===========
All interaction with Bossimage is done through an executable command
called ``bi``, which must always be run from the base directory of an
Ansible role.
This introduction to Bossimage will explain how to do three things:
1. Make an EC2 instance and run Ansible on it (``bi make build``).
2. Make an AMI from the EC2 instance (``bi make image``).
3. Make a test instance from the AMI and run a test Ansible playbook on
it (``bi make test``).
Later it will be explained how to do a few other things as well.
First, a small amount of configuration is necessary.
Note: in this guide, all commands to be run from the shell are shown
preceded by ``>`` to indicate the shell prompt.
Configuration
~~~~~~~~~~~~~
Bossimage requires a configuration file called ``.boss.yml`` to be
placed in the root directory of the Ansible role. A minimal example of
such a file is as follows:
::
platforms:
- name: amz-2015092
instance_type: t2.micro
build:
source_ami: amzn-ami-hvm-2015.09.2.x86_64-gp2
The example contains the most minimal configuration possible, using
defaults for all settings except those which are required: the platform
name, the `instance type <https://aws.amazon.com/ec2/instance-types/>`__
and the source AMI used for the ``build`` phase.
Although Bossimage creates resources in AWS, it does not include any AWS
authentication code, instead preferring to pass all authentication
through to the underlying
`SDK <http://boto3.readthedocs.io/en/latest/guide/configuration.html#guide-configuration>`__
using `standard environment
variables <https://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs>`__.
Here is an example of gaining credentials by setting ``AWS_PROFILE`` and
``AWS_DEFAULT_REGION`` environment variables, assuming a credentials
file has already been created.
::
> export AWS_PROFILE=uhuru
> export AWS_DEFAULT_REGION=us-west-1
If Bossimage is being run from an EC2 instance, an `IAM instance
profile <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html>`__
may be used instead of environment variables, as described later.
Running
~~~~~~~
Most ``bi`` subcommands require an *instance* argument to be passed to
them. The *instance* is derived from a *platform* together with a
*profile*, i.e., ``<platform>-<profile>``. In the ``.boss.yml``
configuration shown above, a single platform is defined with name
``amz-2015092``. The profile is not explicitly defined, and is therefore
``default``. So the instance is ``amz-2015092-default``, and that will
be the argument passed to the commands in this introduction.
Platforms and profiles will be described in more detail later.
bi make build
^^^^^^^^^^^^^
This builds an EC2 instance and runs the Ansible role on it. A unique
ssh keypair is also created and assigned to the instance. This command,
as with other ``bi`` commands, is idempotent and may be run multiple
times without creating a new instance each time. Subsequent runs will
simply run the Ansible role again on the existing instance.
Consider ``bi make build`` the entrypoint of Bossimage: it must be run
before ``bi make image`` or ``bi make test``.
::
> bi make build amz-2015092-default
Created keypair bossimage-oZL4NxUbAM
Created instance i-00000001
Waiting for instance to be running ... ok
Waiting for connection to 54.xxx.xxx.xxx:22 to be available ... ok
PLAY ***************************************************************************
TASK [setup] *******************************************************************
ok: [54.xxx.xxx.xxx]
TASK [test-role : add package httpd] *******************************************
changed: [54.xxx.xxx.xxx]
PLAY RECAP *********************************************************************
54.xxx.xxx.xxx : ok=1 changed=1 unreachable=0 failed=0
bi make image
^^^^^^^^^^^^^
The primary goal of Bossimage is to create an AMI from an Ansible role,
and that is what this command does. It may be run when ``bi make build``
has completed.
::
> bi make image amz-2015092-default
Created image ami-00000001 with name test-role.default.amz-2015092.hvm.x86_64.v2
Waiting for image to be available ... ok
Image is available
bi make test
^^^^^^^^^^^^
It is useful to test that ``bi make image`` generated a correct AMI, and
this is where ``bi make test`` comes into play.
This command is very similar to ``bi make build``, in that it creates an
EC2 instance and runs Ansible on it. However, it depends on a successful
outcome of the ``bi make image`` command, as it uses the AMI created by
that command as the source AMI of the EC2 test instance.
It also does not run the Ansible role on the instance, rather it runs a
test playbook, which by default is ``tests/test.yml``, relative to the
root of the Ansible role directory. When creating an Ansible role with
the ``ansible-galaxy`` command, this test playbook is added by default.
For this default test playbook to work with Bossimage, only one small
change is needed: to changed the ``hosts`` in the playbook from
``localhost`` to ``test``.
::
> bi make test amz-2015092-default
Created instance i-00000002
Waiting for instance to be running ... ok
Waiting for connection to 52.xxx.xxx.xxx:22 to be available ... ok
PLAY [test] ********************************************************************
TASK [setup] *******************************************************************
ok: [52.xxx.xxx.xxx]
TASK [check that httpd is installed] *******************************************
ok: [52.xxx.xxx.xxx]
TASK [check that port 80 is listening] **********************************************
ok: [52.xxx.xxx.xxx]
PLAY RECAP *********************************************************************
52.xxx.xxx.xxx : ok=2 changed=0 unreachable=0 failed=0
Conclusion
~~~~~~~~~~
Having run these three commands, you will have seen the major
functionality of Bossimage. You will have created an AMI and then tested
it.
Continue reading to learn:
- How to build multiple "flavors" of AMIs for a given platform
- A shortcut for logging into build and test instances
- Clean up instances and keypairs used during the build and test phases
- Clean up AMIs that did not pass tests
Bossimage
=========
Instances, Platforms, and Profiles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Most of the ``bi`` subcommands, such as ``make build`` or ``make test``,
take an argument called the *instance*. An instance is defined by a
*platform* and a *profile*, such as ``rhel6-default``, where ``rhel6``
is the platform and ``default`` is the profile.
Platform
^^^^^^^^
The platform defines the source AMI and other settings related to
creating an EC2 instance, such as security groups and block device
mappings. It also defines connection settings for Ansible to reach the
instance, such as ssh or winrm ports and default username.
Profile
^^^^^^^
The profile defines variables that will be passed to Ansible through its
``--extra-vars`` argument. By defining multiple profiles, you can build
multiple flavors of AMIs for a given platform.
For example, here is a ``.boss.yml`` with one platform and two profiles.
::
platforms:
- name: ubuntu-16.04
build:
source_ami: ami-301f6f50
instance_type: t2.micro
inventory_args:
ansible_user: ubuntu
ansible_python_interpreter: /usr/bin/python3
security_groups: [bossimage]
profiles:
- name: apache
extra_vars:
packages:
- apache2
- name: nginx
extra_vars:
packages:
- nginx
Running ``bi list`` will produce the output:
::
ubuntu-16.04-apache Not created
ubuntu-16.04-nginx Not created
Each of these platform and profile combinations, or instances, can be
made into its own AMI.
If ``profiles`` is not defined, every platform has an implicit profile,
called ``default``. The ``default`` profile does not define any
variables. Note that if ``profiles`` is defined, there is no longer any
implicit ``default`` profile. In such cases you can define one that has
no ``extra_vars`` attribute, if desired.
.boss.yml
---------
The ``.boss.yml`` file is placed in the root directory of an Ansible
role. It is the only configuration necessary for using Bossimage.
To start, here is a full example for reference.
::
defaults:
instance_type: m3.large
platforms:
- name: centos-6
instance_type: t2.micro
connection_timeout: 600
inventory_args:
ansible_user: centos
build:
source_ami: 'CentOS Linux 6 x86_64 HVM EBS 1602-74e73035-3435-48d6-88e0-89cc02ad83ee-ami-21e6d54b.3'
test:
instance_type: m3.medium
tags:
Billing: xyz
Description: Centos 6 Build Instance
- name: amz-2015092
build:
source_ami: amzn-ami-hvm-2015.09.2.x86_64-gp2
image:
ami_name: '%(role)s-%(profile)s-%(version)s-%(platform)s'
block_device_mappings:
- device_name: /dev/sdf
ebs:
volume_size: 100
volume_type: gp2
delete_on_termination: true
tags:
Billing: xyz
Description: Amazon Linux 201509 Build Instance
- name: win-2016
build:
source_ami: ami-2d360152
become: false
inventory_args:
ansible_connection: winrm
ansible_port: 5985
ansible_user: Administrator
image:
ami_name: '%(role)s-%(profile)s-%(version)s-%(platform)s'
tags:
Billing: xyz
Description: Windows Server 2016 Build Instance
profiles:
- name: default
- name: nginx
extra_vars:
packages:
- nginx
- tcpdump
A ``.boss.yml`` file has three possible sections:
- ``defaults``: This section is optional, and contains default values
to be used within ``platforms`` when not provided there.
- ``platforms``: This section is required, and defines a list of
platforms to build instances from. There must be at least one
platform defined in a ``.boss.yml`` configuration. Each platform
defined in the ``platforms`` section contains its own subsections for
each of the three phases ``build``, ``image``, and ``test``.
- ``profiles``: This section is optional. In here, sets of variables
may be defined to modify each platform defined in the ``platforms``
section. If this section is not given, each platform will have a
profile called ``default``, with no additional variables set.
defaults
~~~~~~~~
The ``defaults`` section may contain the following variables.
- ``instance_type`` - type: *string*, default: ``t2.micro``
The EC2 instance type.
- ``username`` - type: *string*, default: ``ec2-user``
The user that Ansible will use to connect to the instance. If
``inventory_args`` is defined, this value will be ignored, and
``ansible_user`` should be put into ``inventory_args`` instead.
- ``connection`` - type: *string*, default: ``ssh``
The type of `connection that Ansible will
use <https://docs.ansible.com/ansible/2.6/plugins/connection.html>`__.
If ``inventory_args`` is defined, this value will be ignored, and
``ansible_connection`` should be put into ``inventory_args`` instead.
Note: Bossimage is known to work for ``ssh`` and ``winrm`` connections,
but other types may need additional testing and development.
- ``connection_timeout`` - type: *integer*, default: ``300``
The amount of time in seconds before Bossimage will give up trying to
make an Ansible connection.
- ``port`` - type: *integer*, default: 22
The port used to connect with Ansible. If ``inventory_args`` is defined,
this value will be ignored, and ``ansible_port`` should be put into
``inventory_args`` instead.
- ``associate_public_ip_address`` - type: *bool*, default: ``true``
Whether or not to associate a public IP address to the instance.
- ``subnet`` - type *string*
The subnet in which the instance will be located.
- ``security_groups`` - type *list* of *string*, default ``[]``
The security groups that are associated with the instance.
- ``iam_instance_profile`` - type *string*
The name of the IAM instance profile to assign to the instance.
- ``inventory_args`` - type *map* of *string* to *string*
A map of key/value pairs which will be used for building the Ansible
inventory. See `the official Ansible
documentation <https://docs.ansible.com/ansible/2.3/intro_inventory.html#list-of-behavioral-inventory-parameters>`__
for more details on available options. If this variable is defined, the
``connection``, ``username``, and ``port`` variables will be ignored if
used, and should be replaced with inventory arguments
``ansible_connection``, ``ansible_user``, and ``ansible_port``,
respectively.
Note: Bossimage normally sets ``ansible_password`` and
``ansible_ssh_private_key_file`` in the inventory based on runtime
generated values, so it is not advised to define them in
``inventory_args`` unless you have good reason.
- ``tags`` - type *map* of *string* to *string*, default ``{}``
A map of key/value pairs to be used for tagging the instance.
- ``user_data`` - type: *map* or *string*, default: ``''``
This is the `user
data <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`__
that will be passed into the EC2 instance. If it is given as a map, then
it must have the key ``file``, which is the path to a file containing
the user data.
If the type is a string, then it is passed verbatim as the user data for
the instance.
Examples:
::
defaults:
user_data:
file: ./user-data.txt
::
defaults:
user_data: |
#!/bin/sh
yum update -y
- ``block_device_mappings`` - type: *list* of *map*, default: ``[]``
Devices to be attached to the EC2 instance that will be part of a baked
image.
Each item in the list is a map as described in the
`BlockDeviceMappings <http://boto3.readthedocs.io/en/latest/reference/services/ec2.html#EC2.ServiceResource.create_instances>`__
property passed to the boto3 create\_instances operation. The only
difference is that in. boss.yml, "CamelCase" properties should be
converted to "snake\_case".
platforms
~~~~~~~~~
The ``platforms`` section contains a list of configurations, one for
each defined platform. Each platform configuration must have the keys:
- ``name`` - type *string*, required
- ``build`` - type *map*, required
See `build <#build>`__ below.
- ``image`` - type *map*, optional
See `image <#image>`__ below.
- ``test`` - type *map*, optional
See `test <#test>`__ below.
The platform configuration may also contain any of the variables from
``defaults``, and will override any of the definitions from there.
build
^^^^^
The ``build`` section of a platform is required and may include any of
the variables from ``defaults``. They will override any of the
definitions given there or in the parent platform.
The ``build`` section also has the following keys:
- ``source_ami`` - type: *string*, required
This is the source AMI to build the instance from. It may be given as an
AMI ID or name, from which the ID will be found.
- ``become`` - type: *boolean*, default: ``true``
This tells Ansible whether or not to "become" the superuser.
image
^^^^^
The ``image`` section of a platform may have the following key:
- ``ami_name`` - type: *string*, default:
``'%(role)s.%(profile)s.%(platform)s.%(vtype)s.%(arch)s.%(version)s'``
This is a `Python formatting
string <https://docs.python.org/2/library/stdtypes.html#string-formatting>`__
to use for generating the AMI name. The string may contain any of the
variables:
- ``role``: Name of Ansible role
- ``profile``: Name of profile used from ``.boss.yml``
- ``platform``: Name of platform used from ``.boss.yml``
- ``vtype``: Virtualization type, e.g. ``hvm``
- ``arch``: Architecture, e.g. ``x86_64``
- ``version``: Ansible role version, see `Role
Versions <#role-versions>`__.
- ``hv``: Hypervisor, e.g. ``xen``
Of course, ``ami_name`` may also be a string used verbatim without any
interpolated variables in it.
test
^^^^
The ``test`` section of a platform may include any of the variables from
``defaults``. They will override any of the definitions given there or
in the parent platforms.
In addition, the ``test`` section may have the following key:
- ``playbook`` - type: *string*, default: ``tests/test.yml``
This is the playbook to run during the test phase. The default value is
the same as the test playbook that is created by running
``ansible-galaxy init`` to create a new Ansible role.
Commands
--------
The ``bi`` command must always be run from the root directory of an
Ansible role, where the ``.boss.yml`` file is located.
bi list
^^^^^^^
List instances available to be built that are configured in .boss.yml.
The status of the instance is shown, which may be either ``Created`` or
``Not created``.
::
> bi list
amz-2015092-default Created
ubuntu-16.10-default Not created
bi make build
^^^^^^^^^^^^^
::
> bi make build <instance> [-v|--verbosity]
This builds an EC2 instance and runs the Ansible role on it. A unique
ssh keypair is also created and assigned to the instance. This command
is idempotent and may be run multiple times without creating a new
instance each time. Subsequent runs will simply run the Ansible role
again on the existing instance.
If your Ansible role has a ``requirements.yml`` file, then the
``ansible-galaxy`` command will be used to install the dependencies
listed there.
The ``-v``, or ``--verbosity`` option, gets passed through to Ansible.
It may be repeated up to four times to increase Ansible's verbosity.
bi make image
^^^^^^^^^^^^^
::
> bi make image <instance> [--no-wait]
This builds an AMI from the instance created by running
``bi make build``. This command will not run unless ``bi make build``
has run and written its state to ``.boss/<instance>-state.yml``.
By default this command will complete when the image is available. You
may pass the option ``--no-wait`` to this command so that it does not
wait for the image to be available.
bi make test
^^^^^^^^^^^^
::
> bi make test <instance> [-v|--verbosity]
This builds an EC2 instance from the AMI created by running
``bi make image``, then runs the test playbook on it. This command will
not run unless ``bi make image`` has run and written its state to
``.boss/<instance>-state.yml``.
As with ``bi make build``, ``ansible-galaxy`` will be used to install
any role dependencies used by the test playbook, but ``ansible-galaxy``
will look for them in ``tests/requirements.yml``.
The ``-v``, or ``--verbosity`` option, gets passed through to Ansible.
It may be repeated up to four times to increase Ansible's verbosity.
bi clean build
^^^^^^^^^^^^^^
::
> bi clean build <instance>
This deletes the instance created by ``bi make build``.
bi clean image
^^^^^^^^^^^^^^
::
> bi clean image <instance>
This deletes the AMI created by ``bi make image``.
bi clean test
^^^^^^^^^^^^^
::
> bi clean test <instance>
This deletes the instance created by ``bi make build``.
bi login
^^^^^^^^
::
> bi login <instance>
This command works only on instances where the platform is configured
for ssh connections, which is the default. By default this command logs
into the ``build`` phase instance, but this may be changed by passing
the ``-p|--phase`` argument, which may be either ``build`` or ``test``.
::
> bi login -p test <instance>
bi version
^^^^^^^^^^
The command outputs the version of Bossimage.
Role Versions
-------------
Ansible Galaxy does not provide a way to define a role's version in its
metadata, it relies on git tags for versioning. So Bossimage does not
have anything it can parse to discover the version of a role.
Instead, you can put a file in the root of the repository called
``.role-version`` which contains the version string. Bossimage also
supports defining the version in the environment variable
``BI_ROLE_VERSION``.
If neither the ``.role-version`` file or the ``BI_ROLE_VERSION``
environment variable are present, then a default version ``unset`` is
used.
Authenticating with AWS
-----------------------
``bossimage`` uses standard AWS SDK environment variables for
authentication, which are described in the `boto3
documentation <http://boto3.readthedocs.org/en/latest/guide/configuration.html#configuration>`__.
The simplest way to authenticate if you are not running ``bossimage`` on
an EC2 instance is to configure ``~/.aws/credentials`` with a
`profile <http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles>`__
and pass its name in the environment variable ``AWS_PROFILE``.
If you are running ``bossimage`` on an EC2 instance, you may assign the
instance an `IAM
role <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html>`__
upon creation, and then you do not need to pass any credentials. The IAM
role should have the policy shown below.
::
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateTags",
"ec2:DeleteKeyPair",
"ec2:DeregisterImage",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
Region
------
You must set the AWS region you are running in. To do this, set the
``AWS_DEFAULT_REGION`` environment variable.
Rationale
=========
All I want is to spin up an EC2 instance in AWS, run an
`Ansible <http://docs.ansible.com/ansible/index.html>`__ role on it,
bake it into an image, and run some tests to verify the correctness of
the image.
Comparison with Packer
~~~~~~~~~~~~~~~~~~~~~~
Packer is a tool for creating VM and Docker images for a multitude of
cloud providers and for local use.
Packer does more than I need; I only need to create EC2 AMIs. But still
it doesn't do quite enough: it doesn't provide a development phase for
rapid iterative development of an Ansible role. You always have to start
from the beginning with a new instance.
Bossimage creates EC2 images and provides a development phase before
creating an image, and a testing phase for when the image has been
created.
Comparison with Test Kitchen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Test Kitchen is a tool for testing Chef cookbooks, but can be used to
test Ansible and other configuration management tools using third party
plugins. It can create VM instances with Vagrant and various cloud
providers to use for developing.
Test Kitchen does more than I need; I only need to test Ansible in EC2.
But still it doesn't do quite enough: it doesn't provide an AMI creation
phase.
Bossimage creates EC2 instances and runs Ansible on them, and provides
image creation and image testing phases.
.. |Build Status| image:: https://travis-ci.org/cloudboss/bossimage.svg?branch=master
:target: https://travis-ci.org/cloudboss/bossimage
=========
|Build Status|
Bossimage is a command line utility to convert an `Ansible
role <http://docs.ansible.com/ansible/playbooks_roles.html>`__ into an
`Amazon EC2
AMI <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html>`__.
Bossimage requires just one configuration file to be added to the base
directory of an Ansible role. Once that is done, Bossimage may be used
to build an EC2 instance, run the Ansible role on it, then "bake" it
into an AMI. After the AMI is created, Bossimage can also build a test
instance from it and run a test playbook on the instance.
Bossimage is inspired by both `Packer <https://www.packer.io/>`__ and
`Test Kitchen <http://kitchen.ci/>`__, but much simpler than either. If
you use both Ansible and AWS, you may find it useful.
Bossimage has been tested on both Linux and Windows targets in EC2.
Installation
============
Install from `PyPI <https://pypi.python.org/pypi>`__
----------------------------------------------------
::
pip install bossimage
Install from source
-------------------
::
git clone https://github.com/cloudboss/bossimage.git
cd bossimage
pip install -r requirements.txt
pip install .
Quick Start
===========
All interaction with Bossimage is done through an executable command
called ``bi``, which must always be run from the base directory of an
Ansible role.
This introduction to Bossimage will explain how to do three things:
1. Make an EC2 instance and run Ansible on it (``bi make build``).
2. Make an AMI from the EC2 instance (``bi make image``).
3. Make a test instance from the AMI and run a test Ansible playbook on
it (``bi make test``).
Later it will be explained how to do a few other things as well.
First, a small amount of configuration is necessary.
Note: in this guide, all commands to be run from the shell are shown
preceded by ``>`` to indicate the shell prompt.
Configuration
~~~~~~~~~~~~~
Bossimage requires a configuration file called ``.boss.yml`` to be
placed in the root directory of the Ansible role. A minimal example of
such a file is as follows:
::
platforms:
- name: amz-2015092
instance_type: t2.micro
build:
source_ami: amzn-ami-hvm-2015.09.2.x86_64-gp2
The example contains the most minimal configuration possible, using
defaults for all settings except those which are required: the platform
name, the `instance type <https://aws.amazon.com/ec2/instance-types/>`__
and the source AMI used for the ``build`` phase.
Although Bossimage creates resources in AWS, it does not include any AWS
authentication code, instead preferring to pass all authentication
through to the underlying
`SDK <http://boto3.readthedocs.io/en/latest/guide/configuration.html#guide-configuration>`__
using `standard environment
variables <https://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs>`__.
Here is an example of gaining credentials by setting ``AWS_PROFILE`` and
``AWS_DEFAULT_REGION`` environment variables, assuming a credentials
file has already been created.
::
> export AWS_PROFILE=uhuru
> export AWS_DEFAULT_REGION=us-west-1
If Bossimage is being run from an EC2 instance, an `IAM instance
profile <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html>`__
may be used instead of environment variables, as described later.
Running
~~~~~~~
Most ``bi`` subcommands require an *instance* argument to be passed to
them. The *instance* is derived from a *platform* together with a
*profile*, i.e., ``<platform>-<profile>``. In the ``.boss.yml``
configuration shown above, a single platform is defined with name
``amz-2015092``. The profile is not explicitly defined, and is therefore
``default``. So the instance is ``amz-2015092-default``, and that will
be the argument passed to the commands in this introduction.
Platforms and profiles will be described in more detail later.
bi make build
^^^^^^^^^^^^^
This builds an EC2 instance and runs the Ansible role on it. A unique
ssh keypair is also created and assigned to the instance. This command,
as with other ``bi`` commands, is idempotent and may be run multiple
times without creating a new instance each time. Subsequent runs will
simply run the Ansible role again on the existing instance.
Consider ``bi make build`` the entrypoint of Bossimage: it must be run
before ``bi make image`` or ``bi make test``.
::
> bi make build amz-2015092-default
Created keypair bossimage-oZL4NxUbAM
Created instance i-00000001
Waiting for instance to be running ... ok
Waiting for connection to 54.xxx.xxx.xxx:22 to be available ... ok
PLAY ***************************************************************************
TASK [setup] *******************************************************************
ok: [54.xxx.xxx.xxx]
TASK [test-role : add package httpd] *******************************************
changed: [54.xxx.xxx.xxx]
PLAY RECAP *********************************************************************
54.xxx.xxx.xxx : ok=1 changed=1 unreachable=0 failed=0
bi make image
^^^^^^^^^^^^^
The primary goal of Bossimage is to create an AMI from an Ansible role,
and that is what this command does. It may be run when ``bi make build``
has completed.
::
> bi make image amz-2015092-default
Created image ami-00000001 with name test-role.default.amz-2015092.hvm.x86_64.v2
Waiting for image to be available ... ok
Image is available
bi make test
^^^^^^^^^^^^
It is useful to test that ``bi make image`` generated a correct AMI, and
this is where ``bi make test`` comes into play.
This command is very similar to ``bi make build``, in that it creates an
EC2 instance and runs Ansible on it. However, it depends on a successful
outcome of the ``bi make image`` command, as it uses the AMI created by
that command as the source AMI of the EC2 test instance.
It also does not run the Ansible role on the instance, rather it runs a
test playbook, which by default is ``tests/test.yml``, relative to the
root of the Ansible role directory. When creating an Ansible role with
the ``ansible-galaxy`` command, this test playbook is added by default.
For this default test playbook to work with Bossimage, only one small
change is needed: to changed the ``hosts`` in the playbook from
``localhost`` to ``test``.
::
> bi make test amz-2015092-default
Created instance i-00000002
Waiting for instance to be running ... ok
Waiting for connection to 52.xxx.xxx.xxx:22 to be available ... ok
PLAY [test] ********************************************************************
TASK [setup] *******************************************************************
ok: [52.xxx.xxx.xxx]
TASK [check that httpd is installed] *******************************************
ok: [52.xxx.xxx.xxx]
TASK [check that port 80 is listening] **********************************************
ok: [52.xxx.xxx.xxx]
PLAY RECAP *********************************************************************
52.xxx.xxx.xxx : ok=2 changed=0 unreachable=0 failed=0
Conclusion
~~~~~~~~~~
Having run these three commands, you will have seen the major
functionality of Bossimage. You will have created an AMI and then tested
it.
Continue reading to learn:
- How to build multiple "flavors" of AMIs for a given platform
- A shortcut for logging into build and test instances
- Clean up instances and keypairs used during the build and test phases
- Clean up AMIs that did not pass tests
Bossimage
=========
Instances, Platforms, and Profiles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Most of the ``bi`` subcommands, such as ``make build`` or ``make test``,
take an argument called the *instance*. An instance is defined by a
*platform* and a *profile*, such as ``rhel6-default``, where ``rhel6``
is the platform and ``default`` is the profile.
Platform
^^^^^^^^
The platform defines the source AMI and other settings related to
creating an EC2 instance, such as security groups and block device
mappings. It also defines connection settings for Ansible to reach the
instance, such as ssh or winrm ports and default username.
Profile
^^^^^^^
The profile defines variables that will be passed to Ansible through its
``--extra-vars`` argument. By defining multiple profiles, you can build
multiple flavors of AMIs for a given platform.
For example, here is a ``.boss.yml`` with one platform and two profiles.
::
platforms:
- name: ubuntu-16.04
build:
source_ami: ami-301f6f50
instance_type: t2.micro
inventory_args:
ansible_user: ubuntu
ansible_python_interpreter: /usr/bin/python3
security_groups: [bossimage]
profiles:
- name: apache
extra_vars:
packages:
- apache2
- name: nginx
extra_vars:
packages:
- nginx
Running ``bi list`` will produce the output:
::
ubuntu-16.04-apache Not created
ubuntu-16.04-nginx Not created
Each of these platform and profile combinations, or instances, can be
made into its own AMI.
If ``profiles`` is not defined, every platform has an implicit profile,
called ``default``. The ``default`` profile does not define any
variables. Note that if ``profiles`` is defined, there is no longer any
implicit ``default`` profile. In such cases you can define one that has
no ``extra_vars`` attribute, if desired.
.boss.yml
---------
The ``.boss.yml`` file is placed in the root directory of an Ansible
role. It is the only configuration necessary for using Bossimage.
To start, here is a full example for reference.
::
defaults:
instance_type: m3.large
platforms:
- name: centos-6
instance_type: t2.micro
connection_timeout: 600
inventory_args:
ansible_user: centos
build:
source_ami: 'CentOS Linux 6 x86_64 HVM EBS 1602-74e73035-3435-48d6-88e0-89cc02ad83ee-ami-21e6d54b.3'
test:
instance_type: m3.medium
tags:
Billing: xyz
Description: Centos 6 Build Instance
- name: amz-2015092
build:
source_ami: amzn-ami-hvm-2015.09.2.x86_64-gp2
image:
ami_name: '%(role)s-%(profile)s-%(version)s-%(platform)s'
block_device_mappings:
- device_name: /dev/sdf
ebs:
volume_size: 100
volume_type: gp2
delete_on_termination: true
tags:
Billing: xyz
Description: Amazon Linux 201509 Build Instance
- name: win-2016
build:
source_ami: ami-2d360152
become: false
inventory_args:
ansible_connection: winrm
ansible_port: 5985
ansible_user: Administrator
image:
ami_name: '%(role)s-%(profile)s-%(version)s-%(platform)s'
tags:
Billing: xyz
Description: Windows Server 2016 Build Instance
profiles:
- name: default
- name: nginx
extra_vars:
packages:
- nginx
- tcpdump
A ``.boss.yml`` file has three possible sections:
- ``defaults``: This section is optional, and contains default values
to be used within ``platforms`` when not provided there.
- ``platforms``: This section is required, and defines a list of
platforms to build instances from. There must be at least one
platform defined in a ``.boss.yml`` configuration. Each platform
defined in the ``platforms`` section contains its own subsections for
each of the three phases ``build``, ``image``, and ``test``.
- ``profiles``: This section is optional. In here, sets of variables
may be defined to modify each platform defined in the ``platforms``
section. If this section is not given, each platform will have a
profile called ``default``, with no additional variables set.
defaults
~~~~~~~~
The ``defaults`` section may contain the following variables.
- ``instance_type`` - type: *string*, default: ``t2.micro``
The EC2 instance type.
- ``username`` - type: *string*, default: ``ec2-user``
The user that Ansible will use to connect to the instance. If
``inventory_args`` is defined, this value will be ignored, and
``ansible_user`` should be put into ``inventory_args`` instead.
- ``connection`` - type: *string*, default: ``ssh``
The type of `connection that Ansible will
use <https://docs.ansible.com/ansible/2.6/plugins/connection.html>`__.
If ``inventory_args`` is defined, this value will be ignored, and
``ansible_connection`` should be put into ``inventory_args`` instead.
Note: Bossimage is known to work for ``ssh`` and ``winrm`` connections,
but other types may need additional testing and development.
- ``connection_timeout`` - type: *integer*, default: ``300``
The amount of time in seconds before Bossimage will give up trying to
make an Ansible connection.
- ``port`` - type: *integer*, default: 22
The port used to connect with Ansible. If ``inventory_args`` is defined,
this value will be ignored, and ``ansible_port`` should be put into
``inventory_args`` instead.
- ``associate_public_ip_address`` - type: *bool*, default: ``true``
Whether or not to associate a public IP address to the instance.
- ``subnet`` - type *string*
The subnet in which the instance will be located.
- ``security_groups`` - type *list* of *string*, default ``[]``
The security groups that are associated with the instance.
- ``iam_instance_profile`` - type *string*
The name of the IAM instance profile to assign to the instance.
- ``inventory_args`` - type *map* of *string* to *string*
A map of key/value pairs which will be used for building the Ansible
inventory. See `the official Ansible
documentation <https://docs.ansible.com/ansible/2.3/intro_inventory.html#list-of-behavioral-inventory-parameters>`__
for more details on available options. If this variable is defined, the
``connection``, ``username``, and ``port`` variables will be ignored if
used, and should be replaced with inventory arguments
``ansible_connection``, ``ansible_user``, and ``ansible_port``,
respectively.
Note: Bossimage normally sets ``ansible_password`` and
``ansible_ssh_private_key_file`` in the inventory based on runtime
generated values, so it is not advised to define them in
``inventory_args`` unless you have good reason.
- ``tags`` - type *map* of *string* to *string*, default ``{}``
A map of key/value pairs to be used for tagging the instance.
- ``user_data`` - type: *map* or *string*, default: ``''``
This is the `user
data <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`__
that will be passed into the EC2 instance. If it is given as a map, then
it must have the key ``file``, which is the path to a file containing
the user data.
If the type is a string, then it is passed verbatim as the user data for
the instance.
Examples:
::
defaults:
user_data:
file: ./user-data.txt
::
defaults:
user_data: |
#!/bin/sh
yum update -y
- ``block_device_mappings`` - type: *list* of *map*, default: ``[]``
Devices to be attached to the EC2 instance that will be part of a baked
image.
Each item in the list is a map as described in the
`BlockDeviceMappings <http://boto3.readthedocs.io/en/latest/reference/services/ec2.html#EC2.ServiceResource.create_instances>`__
property passed to the boto3 create\_instances operation. The only
difference is that in. boss.yml, "CamelCase" properties should be
converted to "snake\_case".
platforms
~~~~~~~~~
The ``platforms`` section contains a list of configurations, one for
each defined platform. Each platform configuration must have the keys:
- ``name`` - type *string*, required
- ``build`` - type *map*, required
See `build <#build>`__ below.
- ``image`` - type *map*, optional
See `image <#image>`__ below.
- ``test`` - type *map*, optional
See `test <#test>`__ below.
The platform configuration may also contain any of the variables from
``defaults``, and will override any of the definitions from there.
build
^^^^^
The ``build`` section of a platform is required and may include any of
the variables from ``defaults``. They will override any of the
definitions given there or in the parent platform.
The ``build`` section also has the following keys:
- ``source_ami`` - type: *string*, required
This is the source AMI to build the instance from. It may be given as an
AMI ID or name, from which the ID will be found.
- ``become`` - type: *boolean*, default: ``true``
This tells Ansible whether or not to "become" the superuser.
image
^^^^^
The ``image`` section of a platform may have the following key:
- ``ami_name`` - type: *string*, default:
``'%(role)s.%(profile)s.%(platform)s.%(vtype)s.%(arch)s.%(version)s'``
This is a `Python formatting
string <https://docs.python.org/2/library/stdtypes.html#string-formatting>`__
to use for generating the AMI name. The string may contain any of the
variables:
- ``role``: Name of Ansible role
- ``profile``: Name of profile used from ``.boss.yml``
- ``platform``: Name of platform used from ``.boss.yml``
- ``vtype``: Virtualization type, e.g. ``hvm``
- ``arch``: Architecture, e.g. ``x86_64``
- ``version``: Ansible role version, see `Role
Versions <#role-versions>`__.
- ``hv``: Hypervisor, e.g. ``xen``
Of course, ``ami_name`` may also be a string used verbatim without any
interpolated variables in it.
test
^^^^
The ``test`` section of a platform may include any of the variables from
``defaults``. They will override any of the definitions given there or
in the parent platforms.
In addition, the ``test`` section may have the following key:
- ``playbook`` - type: *string*, default: ``tests/test.yml``
This is the playbook to run during the test phase. The default value is
the same as the test playbook that is created by running
``ansible-galaxy init`` to create a new Ansible role.
Commands
--------
The ``bi`` command must always be run from the root directory of an
Ansible role, where the ``.boss.yml`` file is located.
bi list
^^^^^^^
List instances available to be built that are configured in .boss.yml.
The status of the instance is shown, which may be either ``Created`` or
``Not created``.
::
> bi list
amz-2015092-default Created
ubuntu-16.10-default Not created
bi make build
^^^^^^^^^^^^^
::
> bi make build <instance> [-v|--verbosity]
This builds an EC2 instance and runs the Ansible role on it. A unique
ssh keypair is also created and assigned to the instance. This command
is idempotent and may be run multiple times without creating a new
instance each time. Subsequent runs will simply run the Ansible role
again on the existing instance.
If your Ansible role has a ``requirements.yml`` file, then the
``ansible-galaxy`` command will be used to install the dependencies
listed there.
The ``-v``, or ``--verbosity`` option, gets passed through to Ansible.
It may be repeated up to four times to increase Ansible's verbosity.
bi make image
^^^^^^^^^^^^^
::
> bi make image <instance> [--no-wait]
This builds an AMI from the instance created by running
``bi make build``. This command will not run unless ``bi make build``
has run and written its state to ``.boss/<instance>-state.yml``.
By default this command will complete when the image is available. You
may pass the option ``--no-wait`` to this command so that it does not
wait for the image to be available.
bi make test
^^^^^^^^^^^^
::
> bi make test <instance> [-v|--verbosity]
This builds an EC2 instance from the AMI created by running
``bi make image``, then runs the test playbook on it. This command will
not run unless ``bi make image`` has run and written its state to
``.boss/<instance>-state.yml``.
As with ``bi make build``, ``ansible-galaxy`` will be used to install
any role dependencies used by the test playbook, but ``ansible-galaxy``
will look for them in ``tests/requirements.yml``.
The ``-v``, or ``--verbosity`` option, gets passed through to Ansible.
It may be repeated up to four times to increase Ansible's verbosity.
bi clean build
^^^^^^^^^^^^^^
::
> bi clean build <instance>
This deletes the instance created by ``bi make build``.
bi clean image
^^^^^^^^^^^^^^
::
> bi clean image <instance>
This deletes the AMI created by ``bi make image``.
bi clean test
^^^^^^^^^^^^^
::
> bi clean test <instance>
This deletes the instance created by ``bi make build``.
bi login
^^^^^^^^
::
> bi login <instance>
This command works only on instances where the platform is configured
for ssh connections, which is the default. By default this command logs
into the ``build`` phase instance, but this may be changed by passing
the ``-p|--phase`` argument, which may be either ``build`` or ``test``.
::
> bi login -p test <instance>
bi version
^^^^^^^^^^
The command outputs the version of Bossimage.
Role Versions
-------------
Ansible Galaxy does not provide a way to define a role's version in its
metadata, it relies on git tags for versioning. So Bossimage does not
have anything it can parse to discover the version of a role.
Instead, you can put a file in the root of the repository called
``.role-version`` which contains the version string. Bossimage also
supports defining the version in the environment variable
``BI_ROLE_VERSION``.
If neither the ``.role-version`` file or the ``BI_ROLE_VERSION``
environment variable are present, then a default version ``unset`` is
used.
Authenticating with AWS
-----------------------
``bossimage`` uses standard AWS SDK environment variables for
authentication, which are described in the `boto3
documentation <http://boto3.readthedocs.org/en/latest/guide/configuration.html#configuration>`__.
The simplest way to authenticate if you are not running ``bossimage`` on
an EC2 instance is to configure ``~/.aws/credentials`` with a
`profile <http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles>`__
and pass its name in the environment variable ``AWS_PROFILE``.
If you are running ``bossimage`` on an EC2 instance, you may assign the
instance an `IAM
role <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html>`__
upon creation, and then you do not need to pass any credentials. The IAM
role should have the policy shown below.
::
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateTags",
"ec2:DeleteKeyPair",
"ec2:DeregisterImage",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
Region
------
You must set the AWS region you are running in. To do this, set the
``AWS_DEFAULT_REGION`` environment variable.
Rationale
=========
All I want is to spin up an EC2 instance in AWS, run an
`Ansible <http://docs.ansible.com/ansible/index.html>`__ role on it,
bake it into an image, and run some tests to verify the correctness of
the image.
Comparison with Packer
~~~~~~~~~~~~~~~~~~~~~~
Packer is a tool for creating VM and Docker images for a multitude of
cloud providers and for local use.
Packer does more than I need; I only need to create EC2 AMIs. But still
it doesn't do quite enough: it doesn't provide a development phase for
rapid iterative development of an Ansible role. You always have to start
from the beginning with a new instance.
Bossimage creates EC2 images and provides a development phase before
creating an image, and a testing phase for when the image has been
created.
Comparison with Test Kitchen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Test Kitchen is a tool for testing Chef cookbooks, but can be used to
test Ansible and other configuration management tools using third party
plugins. It can create VM instances with Vagrant and various cloud
providers to use for developing.
Test Kitchen does more than I need; I only need to test Ansible in EC2.
But still it doesn't do quite enough: it doesn't provide an AMI creation
phase.
Bossimage creates EC2 instances and runs Ansible on them, and provides
image creation and image testing phases.
.. |Build Status| image:: https://travis-ci.org/cloudboss/bossimage.svg?branch=master
:target: https://travis-ci.org/cloudboss/bossimage
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
bossimage-0.6.3.tar.gz
(37.3 kB
view details)
Built Distribution
bossimage-0.6.3-py2-none-any.whl
(18.3 kB
view details)
File details
Details for the file bossimage-0.6.3.tar.gz
.
File metadata
- Download URL: bossimage-0.6.3.tar.gz
- Upload date:
- Size: 37.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/40.4.1 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/2.7.14
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | c6a1619b9695bd8b28866c1fb99db857e242eebbcd7fc52835adf142fb2ea78e |
|
MD5 | fe05b0ac2d9d2a57c340e49b80a443c4 |
|
BLAKE2b-256 | bf886c30ee7e955a297f01c86a8274f6f1b857ff11f04e338bf4f46ce2282348 |
File details
Details for the file bossimage-0.6.3-py2-none-any.whl
.
File metadata
- Download URL: bossimage-0.6.3-py2-none-any.whl
- Upload date:
- Size: 18.3 kB
- Tags: Python 2
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/40.4.1 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/2.7.14
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2f20ec0e4ac39fd9e6a757f4fbdee4858ff63717ed151b6744c0a470505a76c9 |
|
MD5 | 90987df6b0fa9a766a6768b6846fbd33 |
|
BLAKE2b-256 | a947db0fb343e65ef3c93434c500cc0387747c55b943a219d1e3abdaedb8957e |