[Note] Building Docker images for OpenStack services with Ansible

Requirements: infrastructure-as-code, fully automated, secure, immutable.
The source code of each OpenStack service is fetched from GitHub or git.openstack.org and checked out at a specific branch/commit id --> this makes the source code more deterministic than apt-get install.

Option 1: build via the command/shell module
playbook1.yml

- hosts: thishost
  tasks:
  # shells out to the docker CLI on the host where the playbook runs
  - name: build Docker image
    shell: docker build -t built-by-ansible:ex2 "$(pwd)"

# ansible-playbook -c local playbook1.yml

If used together with docker-machine, Ansible can run locally and talk to the Docker host over HTTPS:
with Ansible preinstalled, e.g.: https://hub.docker.com/r/scottmiller171/ansible-docker-images/
Run a container from this image.
^ Not very nice.

Option 2A: run the playbook inside the container
Based on a Docker image that already has Ansible installed, e.g.: https://hub.docker.com/r/scottmiller171/ansible-docker-images/
The Dockerfile ADDs a workdir that already contains the playbook, the secret vault file and
the vault password file (the last RUN in the Dockerfile deletes the vault password file).
^ Not secure, because everything is stored in the code repo!

Option 2B:
Based on a Docker image that already has Ansible installed, e.g.: https://hub.docker.com/r/scottmiller171/ansible-docker-images/
Run a container from this image,
but additionally mount a volume containing the playbook and the secret vault file.
Run Ansible inside this container to deploy the code and config.
When it is done, run "docker commit" from the Docker host, then push to the registry.
--> Not automated at all, but somewhat more secure.

Option 3: use Ansible's docker module
(not yet researched)
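As an added example (not from the original note), this is what Option 3 could look like with the community.docker collection: the service source is pinned to a commit with the git module, a Dockerfile is written next to it, and the image is built and pushed by community.docker.docker_image instead of shelling out. The repository URL, the commit id, the image name, the registry and the Dockerfile contents are assumed placeholders; pushing also assumes the build host is already logged in to the registry (e.g. via community.docker.docker_login). No secrets are passed as build args or ENV, because those end up in the image history.

```yaml
# Added example, not from the original note. Assumes the community.docker
# collection is installed (ansible-galaxy collection install community.docker)
# and that the host running the play can reach a Docker daemon.
- hosts: localhost
  connection: local
  vars:
    service_repo: https://git.openstack.org/openstack/keystone      # assumed
    service_commit: "PLACEHOLDER_COMMIT_ID"                          # pin to a commit, not a branch
    image_name: registry.example.internal/openstack/keystone         # assumed registry
    image_tag: "{{ service_commit[:12] }}"
    build_dir: "{{ playbook_dir }}/build/keystone"
  tasks:
    - name: Fetch the service source at a fixed commit
      ansible.builtin.git:
        repo: "{{ service_repo }}"
        dest: "{{ build_dir }}/src"
        version: "{{ service_commit }}"

    - name: Write a minimal Dockerfile next to the source (no secrets baked in)
      ansible.builtin.copy:
        dest: "{{ build_dir }}/Dockerfile"
        content: |
          FROM python:3.10-slim
          COPY src /opt/keystone
          RUN pip install --no-cache-dir /opt/keystone
          USER 65534

    - name: Build and push the image with the docker module instead of the shell module
      community.docker.docker_image:
        name: "{{ image_name }}"
        tag: "{{ image_tag }}"
        source: build
        build:
          path: "{{ build_dir }}"
          pull: true
        force_source: true
        push: true
```

Tagging the image with the commit id it was built from keeps the "deterministic source" property from the requirements visible in the registry, and the playbook itself contains nothing sensitive, so it can live in the code repo.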

Option 4: configure the running container
The image only contains the service's packages and source code.
Once it is launched as a container, ansible-pull is used inside the container to configure the service (but what about the service's passwords?)

Option 5: combine with HashiCorp Vault + Consul Template

Ref:
https://www.hashicorp.com/blog/introducing-consul-template.html
https://www.hashicorp.com/blog/using-vault-with-consul-template.html
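As an added example (not from the original note), this local.yml answers the password question from Option 4 with the Vault part of Option 5: ansible-pull runs it inside the container, and the database password is read from Vault at configure time instead of being stored in the image or the playbook repo. It assumes the community.hashi_vault collection and the hvac Python library are installed in the image, that a short-lived Vault token and address are injected at container start as the VAULT_TOKEN and VAULT_ADDR environment variables, and that the secret path, the config file path and the database host are placeholders. Consul Template would instead keep the file rendered in the background; that part is not shown.

```yaml
# local.yml -- added example, not from the original note.
# Run inside the container, for instance by:
#   ansible-pull -U https://git.example.internal/openstack/keystone-config.git local.yml   (assumed repo)
- hosts: localhost
  connection: local
  vars:
    vault_addr: "{{ lookup('ansible.builtin.env', 'VAULT_ADDR') }}"
    vault_token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"   # short-lived, injected at start
    # kv v2 secret at secret/openstack/keystone (assumed path); the lookup returns
    # a dict whose 'secret' key holds the stored key/value pairs
    keystone_secret: >-
      {{ lookup('community.hashi_vault.vault_kv2_get', 'openstack/keystone',
                engine_mount_point='secret', url=vault_addr, token=vault_token) }}
  tasks:
    - name: Make sure the config directory is only readable by the service user
      ansible.builtin.file:
        path: /etc/keystone
        state: directory
        owner: keystone
        group: keystone
        mode: "0750"

    - name: Render the database connection string with the password from Vault
      community.general.ini_file:
        path: /etc/keystone/keystone.conf
        section: database
        option: connection
        value: "mysql+pymysql://keystone:{{ keystone_secret.secret.db_password }}@db.example.internal/keystone"
        owner: keystone
        group: keystone
        mode: "0600"
      no_log: true   # keeps the password out of Ansible's output and logs
```

Because the password only ever exists in the running container's filesystem, a "docker commit" of a configured container (Option 2B) would still capture it; this pattern only helps when the image is built clean and configured at launch.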


My feeling:

  • Ansible is not secure enough because the "minion" can be controlled from anywhere.
  • Ansible is not automated/reactive enough because of its inventory (dynamic inventory is still not "dynamic" enough) and because of its push model.
  • Ansible-pull mode is not very helpful.