Hello All.

I did not follow the recent Ansible developments, but at the time when I researched it looked like a fancy SSH playbook library (a "better" fabric) rather than "configuration management" system. This is not always bad depending on what we want.

1. The strongest benefit of the Ansible is that it is easy to start using it for anybody knowing Python, same way as fabric it is essentially SSH client with imperative Python code that sequentially execute the actions. They claim the concept of idempotence, but it is not desired state system like Puppet, so instead of declaring a desired state and letting the computer do the magic, you just list the steps to execute it imperatively and if done right several runs won't break anything due to idempotence.

2. Also it is push approach and uses SSH so unless we want to execute it from personal laptops as with fabric we will have to have a central server with root SSH access to all our Ansible-managed servers where we can execute it. There were orchestration tools such as Tower, but they were not open source and looks like are not open source yet. Maybe there is something other I am not aware about, please let me know.

Given those two items I really not sure we can use Puppet and Ansible systems together as  configuration management tools. The only ways to use them together that I see are: 

1. Use Ansible as a fabric replacement - to run things ad hoc (e.g. running yum upgrade openssl) This does not work for mailman3 as it will be "unpuppetized" in our terms.
2. Use Ansible only on part of the hosts. This works for mailman3, but for us those host will leave as "unpuppetized" again plus we have to come up with infra to support those hosts deployment due to luck of foreman support. In addition we have to develop a way to transfer our users (puppet classes + hiera now) to those servers that complicates deployment even more.

However it is not all or nothing problem, so the short term solution I would propose and  agree with:

It is ok to use Ansible for a limited set of hosts because it is easier for people to learn and use it and hence - contribute deployment instructions to us. But I would treat those hosts as "unpuppetized" on our side. The motivation for that is that well, we do have a bunch of unpuppetized hosts and obviously puppetizing everything is not a one day effort deal. Myabe it should not block PHX migration. If somebody wants to use Ansible instead of manually configuring hosts over SSH it is great. The host is still unpuppetzied, but same way we have deployment instructions as a playbook in SCM. And to get our users on the host we can use foreman + puppet infra classes the same way we do for manually installed servers. So the requirement for PHX migration than will be relaxed: deployment should be reproducible + the host should support our infra tools such as foreman and user classes.

Anton.


--
Anton Marchukov
Senior Software Engineer - RHEV CI - Red Hat