ISP Blog

26 Sep 2018

VMware Provisioning and Automation with Ansible

By: Matt Shepherd

All, in just a week I am going to be at AnsibleFest in Austin, TX to give a talk and see what others are doing. As part of Fest this year, Ansible wants people to share their automation stories. I wanted to give a quick look at mine as a way of introducing the VMware Provisioning and Automation with Ansible talk I will be co-presenting with Abhijeet Kasurde.

About 6 years ago I was working on a project for the Federal government in which we were providing security for the largest cloud migration at the time. The team had to migrate an entire datacenter (more than 100 applications) to AWS in the span of about 13 weeks. Ansible was still pretty early in its development at the time, but was mature enough that some of the application developers on the team started using it to automate and orchestrate the work being done to build environments in AWS, deploy services, and migrate data.

As the lead for the security team, I was learning what AWS was, and figuring out how to apply traditional government security requirements to cloud systems and services. I was getting a crash course in what “cloud native” meant, and was getting familiar with new toolsets as well. The value of Ansible was apparent almost from the moment I was introduced to it. From a security perspective it meant being able to enforce configuration management and avoid wild west style system administration. From an operational perspective, it meant being able to do things faster and more reliably.

Fast forward to my next role, which was leading the transformation of a government Tier 2 Security Operations Center (SOC). The environment was drastically different. There was nothing deployed to the cloud, nor would there be in the near future. But the ability to deploy and manage tools reliably and quickly, to make tools already in operation more reliable and resilient, and to enable users who are on the front lines in a constant battle with Advanced Persistent Threats (APTs) made bringing that same automation power to bear just as relevant, if not more so.

So, with the backdrop of several years of getting to know and being a casual user of Ansible in a cloud-only environment, now I had to be the one leading the implementation in an environment where:

  • We were 100% deployed on-prem;
  • We used VMware as our virtualization platform; and
  • We were building new tooling completely from scratch.

We had a lot of great success in doing this, and Ansible was the catalyst that allowed us to overhaul several enterprise security systems in a short time, to demonstrate measurable improvements in both performance and reliability, and to bring transparency to what we built and how we built it. There are a couple things from this effort that have led to the talk I’ll be co-presenting.

  1. Using and managing a VMware farm/environment can get expensive. We obviously had some base licensing we needed just to get our farm going, but there are a lot of add-ons like Operations Manager and vRealize Automation that many folks consider “must-haves.” If you are constrained by budget or just want to get the most out of your investment in Ansible, how much is possible?
  2. With any environment, cloud or on-prem virtualization farm, you will have machine templates. Guess what? Now you have to take care of them. The most common thing I have seen is that there are a lot of VM templates in vSphere (one for RHEL6 base, one for RHEL7 base, one for RHEL7 w/ MySQL, and so on). Being a responsible admin, or just one who gets audited regularly, you are going to have to dedicate a bunch of time to maintaining those templates. Once a month, you have to boot up a VM from each one, patch it, and then regenerate a new template. This can quickly become many hours of work every month. How can we use Ansible to optimize this process?
  3. In a cloud environment we never had to care about basic stuff like storage size, the amount of RAM, cores of CPU, etc. when we provisioned new machines. We just picked the right sized AMI off a menu, and at any time we could expand disks magically. In a VMware environment this can be somewhere between that cloud magic and having physical hardware that needs significant downtime to reconfigure. How can you make your platform more closely resemble the cloud by building Ansible playbooks that give you the hooks you need?
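Added example (not from the post or MindPoint Group) of the monthly template refresh in item 2 as one playbook: clone the template, patch and reboot the clone, shut it down, and mark it as the new template. It assumes the vmware_guest, add_host, yum and reboot modules (reboot needs Ansible 2.7 or later), vCenter connection details in vcenter_* variables, a RHEL 7 template named rhel7-base whose root account accepts the controller's SSH key, and a refresh_tag variable passed with -e.

```yaml
- name: Clone the base template into a working VM
  hosts: localhost
  vars: &common
    vc: &vc                          # assumed vCenter connection settings, reused in the last play
      hostname: "{{ vcenter_hostname }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"
      datacenter: "{{ vcenter_datacenter }}"
    template_name: rhel7-base         # assumed existing template
    new_template: "{{ template_name }}-{{ refresh_tag }}"   # dated name, e.g. -e refresh_tag=2018-09
  tasks:
    - name: Clone the template and power the clone on
      vmware_guest:
        <<: *vc
        folder: /vm/template-refresh   # assumed folder for refresh work
        name: "{{ new_template }}"
        template: "{{ template_name }}"
        state: poweredon
        wait_for_ip_address: yes
      register: clone
    - name: Hand the clone's address to the patching play
      add_host:
        name: "{{ clone.instance.ipv4 }}"
        groups: refresh_targets

- name: Patch the working VM (the manual "boot it and patch it" step)
  hosts: refresh_targets
  tasks:
    - name: Apply every available update
      yum:
        name: '*'
        state: latest
    - name: Reboot so a new kernel is actually in use before templating
      reboot:

- name: Turn the patched VM into the new template
  hosts: localhost
  vars: *common
  tasks:
    - name: Shut the guest down cleanly
      vmware_guest:
        <<: *vc
        name: "{{ new_template }}"
        state: shutdownguest
    - name: Mark it as a template
      vmware_guest:
        <<: *vc
        name: "{{ new_template }}"
        state: present
        is_template: yes
```

validate_certs is left at its default of on; if vCenter uses a self-signed certificate, add its CA to the controller's trust store rather than setting validate_certs to no. Once the dated template has been tested, the previous one can be retired with vmware_guest and state: absent.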

In any case, on that project I learned a lot about using Ansible with VMware. Throughout that time I felt like most of the “cool technology” glory goes to those working in the cloud. However, having spent most of my career working for the Federal government, I know that there are still a lot of VMware-centric shops out there, and based on my experience transforming an enterprise SOC, I hope to be able to share that there are still major benefits to bringing new tooling and concepts to these “legacy” virtualization environments.

Innovation is still possible, even in our “traditional ways” of doing things.

I hope to see plenty of people out there. If any of you are Ansible-ers who work in a VMware environment I hope to see you at my talk.


Matt Shepherd

Vice President at MindPoint Group
Matt Shepherd is one of the founding partners of MindPoint Group where he leads the development of security solutions for clients. He has been a contributing author or technical editor for several security books, is a member of the CFCP Exam Advisory Board, and is always learning.