
Red Hat releases Ansible 2.3 with network automation capabilities - rbanffy
http://sdtimes.com/red-hat-releases-ansible-2-3-network-automation-capabilities/?utm_content=buffer26d92&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
======
dkhenry
Now if only they could merge in modules that have been sitting in Pull
Requests for months at a time. I submitted a module that has been requested
since 2015 and it can't seem to find its way into the main project
([https://github.com/ansible/ansible/pull/22097](https://github.com/ansible/ansible/pull/22097))

Also there are currently over 1000 open PRs. RH needs to devote more bandwidth
to community integration than they have been.

~~~
jimi_c
(Ansible lead here) As I responded to a similar comment on Twitter the other
day, part of the issue is our volume. When I looked, we had merged 395 PRs in
the last month (via github pulse), which is ~33/day, assuming we work every
day (which some of us do). That also includes a large period of time in which
we were in a feature freeze for 2.3, meaning we weren't merging things in for
a bit of the time. That's still about 3 PRs per day per team member working on
the code on top of everything else we do. This does not take into account the
triaging of new issues, dealing with existing open issues, the mailing list,
IRC questions, running public meetings... We've grown the team quite a bit
(and are continuing to do so), but you can only do so much so fast.

We have recently enhanced ansibot to automerge PRs much more quickly without a
core team member needing to be in the loop (the community is responsible for
getting things automerged), so this will hopefully help even more so with
getting PRs merged.

As for your PR, I'm a little confused as it says it was submitted on Feb 28th?
Was that moved over from one of the modules repos? If so, I couldn't find any
references to `iam_managed_policy` in either the -core or -extras repos.

~~~
rmetzler
I also submitted a very simple module which might benefit from improvement by
other developers in a PR. It just integrates Facebook's osquery with the
Ansible facts.

I'm pretty sure it is nothing special. It was my first Ansible module and
later on I discovered the library pattern (putting modules in ./library makes
them accessible to ansible and ansible-playbook).

So I propose to have a more open ansible-library repository which users would
be able to git clone or symlink to ./library. This should increase eyeballs on
the new modules and maybe we could have a voting system in place to promote
modules from there into the main repository.

------
Ao7bei3s
Great!

But I wonder if/when Ansible Tower is going to get open sourced.

I remember some posts from Red Hat people saying it'd be open sourced "very
soon" ~1.5 years ago, but other than a landing page nothing has come of it...

~~~
Androider
I was always surprised that Ansible didn't ever think to offer Tower as SaaS.
I'd like to use it, but I'm really not interested in managing another box just
for it.

~~~
user5994461
This is really a thing that cannot be SaaS. You can't allow a remote software
in a random place in the world ssh to your servers as root and execute random
commands.

~~~
Androider
That just shows a lack of imagination, I can think of many ways to do it
securely. Also, in many cases there is no longer any "on-site" location to run
things from. If your servers are in AWS, your code in GitHub/BitBucket/AWS
CodeCommit, your CI pipeline is in Circle/Travis/Codeship/AWS CodePipeline...
running an Ansible playbook on a service professionally managed by Red Hat is
fine. It's likely to be better managed and more secure than your average
never-been-patched ad-hoc on-site Jenkins box or your devops guy running the
play from his MacBook.

~~~
user5994461
Just because it's possible doesn't mean it's a good idea.

RFC 1925:
[https://www.ietf.org/rfc/rfc1925.txt](https://www.ietf.org/rfc/rfc1925.txt)

    
    
    With sufficient thrust, pigs fly just fine. However, this is
    not necessarily a good idea. It is hard to be sure where they
    are going to land, and it could be dangerous sitting under them
    as they fly overhead.

~~~
Androider
Unless you are doing deploys from on-prem, to on-prem servers (a shrinking
market), I think it is a good idea for the average company to let a
professional company manage the infrastructure for them. I've never seen a
self-hosted git, CI, etc. be more reliable or secure than the SaaS equivalent
in any of the companies I've been, big or small.

~~~
frik
> I've never seen a self-hosted git, CI, etc. be more reliable or secure

E.g. a self-hosted subversion repo sitting on a network share is 100%
reliable. What's so special about such things? It's a solved problem.

------
ytjohn
Here is a more detailed article from Ansible:
[https://www.ansible.com/blog/network-device-authentication-w...](https://www.ansible.com/blog/network-device-authentication-with-ansible-2-3)

I wonder why they didn't just work on improving integration with napalm.

[https://github.com/napalm-automation/napalm-ansible](https://github.com/napalm-automation/napalm-ansible)

~~~
ytjohn
[https://napalm.readthedocs.io/en/latest/index.html](https://napalm.readthedocs.io/en/latest/index.html)

------
jlgaddis
Official press release from Red Hat is at [0].

[0]: [https://www.ansible.com/press/advanced-network-automation-wi...](https://www.ansible.com/press/advanced-network-automation-with-2-3)

------
xienze
> This includes enhanced network capabilities such as persistent connections
> framework, which allows for one SSH connection to stay active across
> multiple Ansible tasks. This reduces the total time for completion, and
> according to Cramer, it improves performance as well.

Can confirm, this helps tremendously.

~~~
Florin_Andrei
How is this different from pipelining?

~~~
jctanner_awx
Pipelining is a method to stream the module code over the SSH connection
straight into the interpreter without first writing it to disk.

Connection persistence is identical to OpenSSH's ControlPersist mechanisms to
reduce the amount of setup/teardown on connections. The networking modules in
Ansible make use of paramiko for SSH, which could not take advantage of
ControlPersist. In Ansible 2.3 we wrote a tool to emulate ControlPersist for
paramiko.
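
(Added example, not part of the comment above and not taken from the Ansible project: an `ansible.cfg` fragment showing that pipelining and OpenSSH connection persistence are two independent settings of the OpenSSH connection plugin. The timeout and socket path values are constructed for illustration.)

```ini
# ansible.cfg -- constructed example; values are illustrative assumptions
[ssh_connection]

# Pipelining: the module code is streamed over the already-open SSH session
# straight into the remote interpreter, so no temporary module file is
# written to the managed host. When sudo is used on the managed host,
# "requiretty" must be disabled in sudoers for this to work.
pipelining = True

# Connection persistence: OpenSSH keeps one authenticated master connection
# open and later tasks reuse it through a local control socket, which avoids
# a new TCP and SSH handshake per task.
ssh_args = -o ControlMaster=auto -o ControlPersist=60s

# Location of the control socket. Any local process that can open this
# socket can start sessions on the managed host as the already-authenticated
# user without authenticating again, so the directory should be readable
# only by the account that runs Ansible.
control_path = %(directory)s/%%h-%%r

# These options apply to the OpenSSH connection plugin only. As the comment
# above explains, the paramiko-based networking modules cannot use
# ControlPersist, which is why Ansible 2.3 emulates it for them separately.
```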

------
jensenbox
I tried to browse to the article using the link on the headline and was
presented with an odd message:

Bad Request

Your browser sent a request that this server could not understand.

Request header field is missing ':' separator. Mozilla/5.0 (Windows NT 10.0;
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chro Apache/2.4.7 (Ubuntu)
Server at sdtimes.com Port 80

A better link is: [http://sdtimes.com/red-hat-releases-ansible-2-3-network-auto...](http://sdtimes.com/red-hat-releases-ansible-2-3-network-automation-capabilities/)

Looks like the poster is trying some special tracking that is breaking on
Chrome on Mint.

