I previously wrote a blog post on automation in IT and how it can help both organizations and IT professionals. In this post we will look at some of the features, pros and cons of Ansible Automation Platform (Ansible Tower), Ansible AWX, SaltStack and Rundeck. All these automation tools have a lot in common but are at the same time distinct in their own space. If you are as excited as I am, then let’s dive in now.
The first automation tool we will look at is Ansible Automation Platform:
Ansible Automation Platform, AKA Ansible Tower, is the easy-to-use UI, dashboard and REST API for Ansible. Centralize your Ansible infrastructure from a modern UI, featuring role-based access control, job scheduling, and graphical inventory management. Tower’s REST API and CLI make it easy to embed Tower into existing tools and processes. Tower now includes real-time output of playbook runs, an all-new dashboard and expanded out-of-the-box cloud support.
Some of the important features of Ansible Tower are listed below.
• Role-based access control: you can set up teams and users in various roles. These can integrate with your existing LDAP or AD environment.
• Job scheduling: schedule your jobs and set repetition options. This makes it easy to schedule all the daily tasks or maintenance that systems need.
• Portal mode or Easy to Use: this is a simplified view of automation jobs for newbies and less experienced Ansible users. This is an excellent feature as it truly lowers the entry barriers to starting to use Ansible.
• Fully documented REST API: this is one of the features that I like the most, as it allows you to integrate Ansible into your existing toolset and environment. Think of Jenkins, Terraform and many more.
• Tower Dashboard: use this to quickly view a summary of your entire environment. It simplifies things for sysadmins while they sip their coffee.
• Cloud integration: Tower is compatible with the major cloud environments: Amazon EC2, Rackspace, Azure.
• Multi-playbook workflow – This is also a cool feature where you can create a playbook workflow, or a pipeline if you want, and have a layer of approval. Just like any CI pipeline, a playbook can run after a successful run of another play.
• Notifications – Ansible Tower allows you to set up notifications to individuals or even teams on the status of a job run. This is handy, as you are notified upon successful completion of a job or if a job run failed and requires your attention. It integrates with platforms like Slack, email and many more. See snip below.
• Authentication – Ansible Tower allows you to integrate with your existing authentication mechanism, and you can have SSO functionality. See below for examples of the authentications.
• Execution Environments – With the introduction of Automation Platform, which is now replacing Tower, Ansible introduced execution environments, where you can have separate environments for different uses and teams. Say a development team wants to have Python 2.7 for a legacy application: you can set that up with its own execution environment and not mess with the default environment that has Python 3.8. That’s a cool feature.
• Organizations – Together with execution environments comes the Organization feature, where you can have an entire organization set up as needed with its own teams, users, plays and everything else an organization needs.
In short, Ansible Tower is a remarkably useful add-on to Ansible, able to do much of what can be done on the CLI. It will complement, not replace, the main application by automating and presenting some of the main tasks graphically – especially the monitoring-dashboard types of tasks. As a major bonus, it also greatly helps to reduce the intimidation factor for those new to Ansible by presenting a much easier to understand visual tool. But for playbook creation, Ansible’s CLI is still your best option.
The control plane for Ansible Automation Platform is the automation controller (replacing Ansible Tower). It includes a user interface (UI), role-based access control (RBAC), workflows, and continuous integration and continuous delivery (CI/CD) for helping your team scale with more efficiency and flexibility.
Automation controller helps standardize how automation is deployed, initiated, delegated, and audited, allowing enterprises to automate with confidence while reducing sprawl and variance. Manage inventory, launch and schedule workflows, track changes, and integrate into reporting, all from a centralized user interface and RESTful API.
With all these great features come a number of drawbacks. Let’s look at some of the drawbacks of Ansible Tower:
• Price of licensing – This has been the biggest drawback of Ansible Tower. The current license for Tower is very expensive, and it is a per-node licensing model.
• You may need more than 10 nodes for a dev/POC environment – The free trial only allows for 10 nodes, and sometimes you might need more than that, thereby forcing you to get a license.
• It may sometimes be overkill for what you are trying to do: you might just need a dev environment and not all the features that Tower comes with.
The second automation tool we will look at is Rundeck:
Rundeck, similar to Ansible Tower, is an open-source job scheduler and runbook automation system for automating routine processes across development and production environments. It combines task scheduling, multi-node command execution and workflow orchestration, and logs everything that happens.
Some of the important features of Rundeck are listed below:
• Web API
• distributed command execution
• pluggable execution system (SSH by default)
• multi-step workflows
• job execution with on demand or scheduled runs
• graphical web console for command and job execution
• role-based access control policy
• history and auditing logs
• command line interface tools
Let’s explain some in detail.
- Role-based Access Control Policies: A Rundeck access control policy grants users and user groups certain privileges to perform actions against Rundeck resources like projects, jobs, nodes, commands and the API. Workflows can be delegated to other users to provide self-service or reduce request load from operations teams. Rundeck provides fine-grained role-based access control policy to safely grant or deny access to job workflows, nodes or activity logs.
- Rundeck Graphical Console: The Rundeck page header contains global navigation control to move between tabbed pages: Jobs, Nodes, Commands and Activity. It also has links to Configure the project, logout, view your user profile and a link to online help.
- Notifications: The start, success or failure of a job workflow can be forwarded to interested parties via Notifications. Email, webhooks or a variety of plugins can be configured to be sent by each Job.
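As an added illustration of the access control policies described above (not taken from the original post or from Rundeck's own examples), this is what a least-privilege policy looks like in Rundeck's YAML `aclpolicy` format. The project name `webapp`, the job group `deploy`, the node tag `web` and the user group `deploy-operators` are assumptions made up for the example.

```yaml
# Constructed example: all project, job group, tag and group names are placeholders.
# Project-scoped rules: members of "deploy-operators" may view and run jobs in the
# "deploy" job group of project "webapp", and only on nodes tagged "web".
description: Self-service run access to deploy jobs (constructed example)
context:
  project: 'webapp'
for:
  job:
    - match:
        group: 'deploy(/.*)?'     # regex on the job's group path
      allow: [read, run]
  node:
    - contains:
        tags: 'web'
      allow: [read, run]
  adhoc:
    - deny: [run]                 # predefined jobs only, no ad-hoc commands
  resource:
    - equals:
        kind: event
      allow: [read]               # activity/history is visible, nothing more
by:
  group: [deploy-operators]

---
# Application-scoped rule: the group also needs read access to the project
# itself, otherwise the project is not visible to its members.
description: Project visibility for deploy-operators (constructed example)
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: 'webapp'
      allow: [read]
by:
  group: [deploy-operators]
```

Anything not explicitly allowed is denied, and a matching `deny` takes precedence over an `allow` in any other policy, so the ad-hoc restriction holds even if a broader policy is added for the same group later.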
So as usual there are drawbacks as well when it comes to Rundeck.
- The API is not a RESTful API: the API mechanism is not RESTful as you may expect. That is of course because you can implement many, many “steps” in one job, which may take quite some time. You do not want to wait 30 or 40 minutes before your API can actually display a final result.
- You cannot “version” a job, so an API call just runs the latest available job; you cannot run a previous job.
- Unfriendly RBAC: the OSS version is not so user-friendly when it comes to setting these ACLs.
- It is not highly available. That option should be available in the enterprise version, but you can also use a SaaS solution from PagerDuty. That way they are responsible for all the HA, updates, etc.
Let us now dive into SaltStack:
The Salt system is a Python-based, open-source remote execution framework for configuration management, automation, provisioning, and orchestration.
Some important features of SaltStack include:
- Remote Execution: – Running commands on remote systems is the core function of Salt. Salt can execute commands across thousands of systems in seconds.
- Configuration Management: – Salt contains a robust and flexible configuration management framework that allows effortless, simultaneous configuration of tens of thousands of systems.
  • It is simple – easy to administer.
  • Extensible – easy to add custom modules or extend existing states.
  • It is deterministic, which means it executes in the same way every time.
  • It is also layerable, hmmm, is that even a word? This means it provides layers of data abstraction (such as states calling execution modules).
- Event-driven Infrastructure: – Salt is built around an event infrastructure that can drive reactive provisioning, configuration, and management across all systems in your infrastructure.
- Automation and Orchestration: – Executing remote management and configuration on a system is perfect when you want to ensure that it is configured and running the way you want. Sometimes, however, you want to configure a set of systems at once. For example, if you want to set up a load balancer in front of a cluster of web servers, you can ensure the load balancer is set up first. You can then apply the same matching configuration consistently across the whole cluster, which is known as orchestration.
- High-speed Communication Bus: – One of the greatest strengths of Salt is the speed of execution. The event system’s communication bus is more efficient than running a higher-level web service (such as HTTP). The remote execution system is the component that all components are built upon, allowing for decentralized remote execution to spread load across resources.
SaltStack comes with SaltStack Config, just as Ansible has Ansible Tower. So, what is SaltStack Config?
SaltStack Config provides an intuitive user interface to perform complex functions like configuration management and orchestration. Jobs in SaltStack Config can be built, stored, and scheduled so you spend less time and fewer resources executing routine functions. It also allows distributing the work to other skill-level employees and teams while securing your system and guarding the environment from the misuse of powerful tools.
SaltStack Config features include:
• A web-based user interface
• Role-based access control
• Multi-master support
• Central job and event cache
• LDAP, SAML, OIDC, & Active Directory integration
• Security policies with industry-standard compliance profiles, such as CIS and DISA STIGs
• Reporting
• An enterprise API (eAPI)
Now, what are some of the drawbacks of SaltStack?
• The installation process can be complicated for new users.
• It is difficult to manage and check the documentation.
• The web interface offers limited functions and opportunities.
• It is not a good solution for other operating systems than Linux.
• The platform is new and not mature compared to other platforms out there.
Finally, Ansible AWX:
AWX is built to run on top of the Ansible project, enhancing the already powerful automation engine. AWX adds a web-based user interface, job scheduling, inventory management, reporting, workflow automation, credential sharing, and tooling to enable delegation.
Below are some of the features that AWX has to offer.
- Access Reporting
Now that you have users, you’ll need tools for tracking playbook runs and troubleshooting problems. AWX adds a custom callback plugin to Ansible playbook runs that captures event and output data in real time. A high-level summary of the stored output is presented on a dashboard, providing an overview of job executions, failures, and successes, as well as a breakdown of inventory successes and failures. You’ll immediately know what playbooks have run and any trouble spots needing attention, and you can immediately click into the details.
At the playbook level, you’ll be able to access the results and output down to an individual task on a specific host. So, if the new environment the development team attempted to create didn’t provision exactly as expected, you can quickly troubleshoot, and correct the problem.
- Schedule Workflow
You’ll bring together credentials, playbooks and inventory by creating a job template. The template represents the command line execution of ‘ansible-playbook’, except you no longer need to touch the command line. Instead, you can run the job template on demand and watch real-time playbook output in your web browser, or schedule it to run later, or even on a recurring basis, and get full access to the output whenever you need it.
In addition to running a single playbook, you can create a job template with the workflow editor that chains together multiple playbook runs. Add a step that reads the latest set of hosts from your public cloud inventory, add another that automatically pulls the latest copy of the playbooks from your source repository, and add a final step to send notifications when everything is done. And just as before, run it on demand, or schedule it in the future.
- Automate Through an API
At the heart of AWX is a powerful RESTful API. In fact, the user interface communicates with the backend entirely through the API, demonstrating its power and completeness. Anything you can do through the web browser you can also do through API calls.
With full access to the API, and help from the Tower CLI, it’s possible to integrate AWX with other applications like ticketing tools, source code management, continuous integration systems, and shell scripts. It gives you the ability to easily automate deployment, maintenance, and mitigation tasks that previously would have been difficult, if not impossible, with just an Ansible Playbook.
Some of the disadvantages are:
• Not supported, and that will mean it has high security flaws
• Multiple releases in a single day are possible
• Not yet in lock-step with Ansible Tower releases
• Not a good choice for production environments
This is what I think: when looking at Ansible Tower vs Ansible AWX for automation, it comes down to stability and support and where your needs may be. While you can use Ansible AWX for production, you will be running without the support and stability that come with a well-tested software release. Ansible Tower is the fully tested GUI platform for providing centralized management, RBAC, and API access for production environments.
So, in a nutshell, when it comes to choosing the right automation tool for a task, it all boils down to the need and whether the chosen tool can deliver to expectations.
Who Am I to Compare?
I am Abdul Razak, and I am a seasoned DevOps Engineer / SRE who enjoys taking the complications and pain out of every IT situation and making it robust, scalable and simple. I love to automate processes so businesses can have the peace of mind they need. You can reach out to me if you have a complex IT issue and need it automated and simplified.