Template/File path for dependencies
Paul Oyston
# file: /etc/ansible/roles/example.app/meta/main.yml
---
dependencies:
- role: example.nginx
server_template: server.conf.j2# file: /etc/ansible/roles/example.app/meta/main.yml
---
dependencies:
- role: example.nginx
server_template: /etc/ansible/roles/example.app/templates/server.conf.j2
Michael DeHaan
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f4f5ca9c-fc82-4d55-a471-2f3cdee70f03%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Petros Moisiadis
> Really, role deps shouldn't be looked at like inheritance though -
> they are simply NOT inheritance. They are things to do *first*.
>
> It might be better to pass a parameter into the role instead (like you
> have) with what filename to use, I'm unclear as to why you think it
> needs an absolute path though.
injections. Judging by discussions in several related topics, it seems
that this would be a feature that people would want to have, so I do not
understand why you are against some little level of inheritance for the
templates. In fact, I can see great potential if we make role
dependencies smart enough to allow template inheritance between
dependent roles. Jinja already has this power built-in. Why don't we
take advantage of it? Imagine an 'apache' role that provides a vhost
template with a "{% block extra %}{% endblock %}" jinja block and a
'wsgi_app' role which depends on 'apache' role and provides content for
that 'extra' block. That would allow for a really modular design of
roles, instead of having to maintain huge, monolithic roles that do
everything with a lot of conditional includes and passing "strange" role
parameters. Role parameters are exactly what you want for things such as
'http_port' or 'bind_address', but using them for practically choosing a
"more specific role for the role" is far from elegant design.
Michael DeHaan
injections"
dependent roles. "
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5384D232.9000106%40yahoo.gr.
Petros Moisiadis
"But we could make role dependencies allow for template overrides /
injections"
I find this kind of language hard to understand.
", I can see great potential if we make roledependencies smart enough to allow template inheritance between
dependent roles. "
I don't even know what this means.
Ansible isn't a programing language, I would find this easier if we did not try to use the phrase "inheritance" where it didn't make sense.
Did you mean including a template in another template?
"Template inheritance allows you to build a base “skeleton” template that contains all the common elements of your site and defines blocks that child templates can override."
So, what I am suggesting is adding a new possibility on top of role dependencies, which would allow to write a template in a dependent role that extends a template of a role it depends to. In other words, a role would be allowed to have child templates that provide content for blocks defined in a 'skeleton' template of a role it depends to. That means when a role is being deployed because of a role dependency, its template tasks could use blocks possibly provided by any role that depends on it and is included in the active dependency chain. I have already given an example of a 'wsgi_app' role that depends on an 'apache_role'. The 'apache_role' would provide a template with all common things as well as an "extra" block, which could be overridden by the "wsgi_app" role in order to provide wsgi-specific functionality to the apache configuration.
All this allows for a really modular design of roles. An 'apache' role with a good skeleton template would allow to have a great variety of dependent roles such as 'fastcgi_app', 'wsgi_app', 'django_app', 'ruby_on_rails_app', etc., without having to repeat common functionality on each role and avoiding the creation of a huge 'apache' role that would try to do everything driven by a great amount of parameters for choosing the appropriate templates and a spaghetti of conditional includes.
Ansible is not a programming language, but it already contains a powerful template language. Why not take full advantage of it for the benefit of a better role design?
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgwKB6HCf%2Bj_6P4X2h8ZYcgc6dyT45fj8%3DYvfH90bOM2kw%40mail.gmail.com.
Michael DeHaan
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/53859C4F.8070205%40yahoo.gr.
James Cammarata
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgxo04S-s8qdo_aOBeBmQJT8h4oTT-sBue-c7ecAi14N0g%40mail.gmail.com.
Petros Moisiadis
"That means when a role is being deployed because of a role dependency, its template tasks could use blocks possibly provided by any role that depends on it and is included in the active dependency chain."
The problem is 95% of our users including myself have trouble with this wording :)
We avoid things we can't explain, and that would confuse everyone when they read it.
It's worked pretty well as a guideline in making every language decision in this project so far :)
I would still maintain that there are some (usually mostly coming from Chef) that try to solve too many problems with role dependencies. They were added to end a certain class of repeated question, but in general, they are overused and mostly *not* needed.
Role dependences are not an inheritance mechanism, they are a "run these roles before these roles" mechanism.
Please, think of this workflow:
- You define an empty block called 'extra' in a template file named "mytemplate.j2" belonging to role A.
- You write a role B that depends on role A. In the dependency statement you state that:
a) Role B depends on role A
b) Templates of role A can be overridden by templates provided by role B.
- You define a block named "extra" in a template file also named "mytemplate.j2", but belonging to role B. Obviously, you put in that block content that is specific for role B.
- When role B is applied, it first calls role A.
- Role A, when it is called by role B, renders "mytemplate.j2" with the "extra" block overridden with content provided by role B's "mytemplate.j2".
Do you really think that the above is something that normal users could not understand?
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgxo04S-s8qdo_aOBeBmQJT8h4oTT-sBue-c7ecAi14N0g%40mail.gmail.com.
Petros Moisiadis
Absolutely. Role dependencies are more like package dependencies - if package A depends on package B, it means you need to install package B first.
In no circumstances should package B include files that package A is going to overwrite. It would make things extremely confusing and impossible to implement, especially when you start talking about multiple levels of dependencies, and what should happen if there are multiple dependencies (package B and C require package A, but both override a file in A, who wins?).
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAMFyvFhOo_vsgRpbfg%3DuBJ_hhbeQ_Tnw0H9RZ%3Dp_OZvw_F%3DsPA%40mail.gmail.com.
Michael DeHaan
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5385E149.8010804%40yahoo.gr.
Adam Morris
Then the wsgi role just needs to drop a fragment or a complete file.
Template encapsulation seems like it could get complicated fast. Particularly if you have dependency chains... how far back should it go?
So is there another use case that we can discuss.
I'm thinking that they wish they'd called them prerequisites not dependencies now. :-)
Adam
Petros Moisiadis
Ok so it's still not "inheritance" (this is an uneducated misuse of the term by Jinja, it's encapsulation, quite a different concept), ansible roles themselves are definitely not inheritance.
(I've also written a lot in Django)
Ultimately the problem is we have an irresolveable communication gap about how you are describing your technical idea.
It seems to me you are saying when a template includes another template it should also look in the "template/" directories that belong to the dependent roles, so it can find things there, but this should only apply when a template includes another template.
Ultimately, I don't think this applies well to Ansible.
Ansible looks at role dependencies just like package managers look at package dependencies. They are things that need to be applied first, but there is no concept of search paths or inheritance/encapsulation applied.
Also, since I propose for an explicit directive in the dependency statement, current Ansible projects are not going to be affected and, without that directive being explicitly set, Ansible would still look at role dependencies the way it does now.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzGpgMENkBgxG96C1CLR34AsMyZR%3D6J93EibXao-8gjtQ%40mail.gmail.com.
Petros Moisiadis
> For the specific example given: apache role and wsgi role there may be a simple, elegant, solution. Apache can include other configuration files, I don't know if it can include directories. If so include a directory. If not use the assemble module to create your included file.
>
> Then the wsgi role just needs to drop a fragment or a complete file.
>
> Template encapsulation seems like it could get complicated fast. Particularly if you have dependency chains... how far back should it go?
help, but it become less helpful as you add more levels in ther hierarchy
For example, consider a tree like this:
'apache' role
|
+-------------------------+-------------------------+
| |
|
'wsgi_app' role 'php_app' role
'passenger_app'
| |
+-----------------------+
+------------------------+
| | |
|
'django_app' role 'flask_app' role 'redmine_app'
role 'gitlab_app' role
Deploying all or a subset of the above roles on the same server could be
most easily done if my proposal for template encapsulation was available.
> So is there another use case that we can discuss.
luster nodes I also add lines for all nodes in the cluster. Now I am
using a really ugly loop around lineinfile for this that took me some
time before I made it place the content properly. Try to use lineinfile
with a relatively complex data structure and you will remember my words.
Instead, it would be far more easy to write an "extra_hosts" block and
do things in pure jinja.
Petros Moisiadis
Maciej Delmanowski
Sorry, replying from phone.
28 maj 2014 16:59 "'Petros Moisiadis' via Ansible Project" <ansible...@googlegroups.com> napisał(a):
>
> On 05/28/14 16:50, Adam Morris wrote:
> > For the specific example given: apache role and wsgi role there may be a simple, elegant, solution. Apache can include other configuration files, I don't know if it can include directories. If so include a directory. If not use the assemble module to create your included file.
> >
> > Then the wsgi role just needs to drop a fragment or a complete file.
> >
> > Template encapsulation seems like it could get complicated fast. Particularly if you have dependency chains... how far back should it go?
>
> It is true that software that has support for include directories can
> help, but it become less helpful as you add more levels in ther hierarchy
>
> For example, consider a tree like this:
>
> 'apache' role
> |
> +-------------------------+-------------------------+
> | |
> |
> 'wsgi_app' role 'php_app' role
> 'passenger_app'
> | |
> +-----------------------+
> +------------------------+
> | | |
> |
> 'django_app' role 'flask_app' role 'redmine_app'
> role 'gitlab_app' role
>
>
> Deploying all or a subset of the above roles on the same server could be
> most easily done if my proposal for template encapsulation was available.
Maybe most easily, but definitely not impossible. Currently I can deploy gitlab, gitlab-ci, phpmyadmin, phpipam, etherpad, owncloud, all on the same server behind nginx. I don't see how including templates in nginx role from other roles to make that possible could help me.
>
> > So is there another use case that we can discuss.
>
> I have a 'common' role that deploys /etc/hosts. In 'cluster node' role
> luster nodes I also add lines for all nodes in the cluster. Now I am
> using a really ugly loop around lineinfile for this that took me some
> time before I made it place the content properly. Try to use lineinfile
> with a relatively complex data structure and you will remember my words.
> Instead, it would be far more easy to write an "extra_hosts" block and
> do things in pure jinja.
Why not deploy for example dnsmasq? I mean, using /etc/hosts for DNS in a multiple host environment is so 1960...
>
> > I'm thinking that they wish they'd called them prerequisites not dependencies now. :-)
Seconded. :)
Maciej
> >
> > Adam
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5385F9DB.9030903%40yahoo.gr.
Petros Moisiadis
Sorry, replying from phone.
28 maj 2014 16:59 "'Petros Moisiadis' via Ansible Project" <ansible...@googlegroups.com> napisał(a):
>
> On 05/28/14 16:50, Adam Morris wrote:
> > For the specific example given: apache role and wsgi role there may be a simple, elegant, solution. Apache can include other configuration files, I don't know if it can include directories. If so include a directory. If not use the assemble module to create your included file.
> >
> > Then the wsgi role just needs to drop a fragment or a complete file.
> >
> > Template encapsulation seems like it could get complicated fast. Particularly if you have dependency chains... how far back should it go?
>
> It is true that software that has support for include directories can
> help, but it become less helpful as you add more levels in ther hierarchy
>
> For example, consider a tree like this:
>
> 'apache' role
> |
> +-------------------------+-------------------------+
> | |
> |
> 'wsgi_app' role 'php_app' role
> 'passenger_app'
> | |
> +-----------------------+
> +------------------------+
> | | |
> |
> 'django_app' role 'flask_app' role 'redmine_app'
> role 'gitlab_app' role
>
>
> Deploying all or a subset of the above roles on the same server could be
> most easily done if my proposal for template encapsulation was available.Maybe most easily, but definitely not impossible. Currently I can deploy gitlab, gitlab-ci, phpmyadmin, phpipam, etherpad, owncloud, all on the same server behind nginx. I don't see how including templates in nginx role from other roles to make that possible could help me.
>
> > So is there another use case that we can discuss.
>
> I have a 'common' role that deploys /etc/hosts. In 'cluster node' role
> luster nodes I also add lines for all nodes in the cluster. Now I am
> using a really ugly loop around lineinfile for this that took me some
> time before I made it place the content properly. Try to use lineinfile
> with a relatively complex data structure and you will remember my words.
> Instead, it would be far more easy to write an "extra_hosts" block and
> do things in pure jinja.Why not deploy for example dnsmasq? I mean, using /etc/hosts for DNS in a multiple host environment is so 1960...
>
> > I'm thinking that they wish they'd called them prerequisites not dependencies now. :-)Seconded. :)
Maciej
> >
--
> > Adam
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5385F9DB.9030903%40yahoo.gr.
> For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEnKK1y7B3ecBT3KC%2B1pUQxKNv94krF2sQ1Ziboix3Rm5BnosA%40mail.gmail.com.
Maciej Delmanowski
I am sure that you can deploy all these and that you are happy with the result. However, I took a look at your nginx role and it seems you are doing exactly what I believe people could (and should) avoid with template encapsulation. It seems you are creating a "super-role" merging together what could be at least 3 separate roles connected through dependencies: nginx, fastcgi_app, php_app. If you prefer that monolithic way of doing things, it's fine. You will be one of those who will not be excited by a feature like the one I propose and probably never use it.On 05/28/14 18:17, Maciej Delmanowski wrote:
> It is true that software that has support for include directories can
> help, but it become less helpful as you add more levels in ther hierarchy
>
> For example, consider a tree like this:
>
> 'apache' role
> |
> +-------------------------+-------------------------+
> | |
> |
> 'wsgi_app' role 'php_app' role
> 'passenger_app'
> | |
> +-----------------------+
> +------------------------+
> | | |
> |
> 'django_app' role 'flask_app' role 'redmine_app'
> role 'gitlab_app' role
>
>
> Deploying all or a subset of the above roles on the same server could be
> most easily done if my proposal for template encapsulation was available.Maybe most easily, but definitely not impossible. Currently I can deploy gitlab, gitlab-ci, phpmyadmin, phpipam, etherpad, owncloud, all on the same server behind nginx. I don't see how including templates in nginx role from other roles to make that possible could help me.
Because it would be overkill for a 2 or 3 - node cluster. But you are missing the point. dnsmasq would still have a common configuration on most hosts, as well as an extra configuration needed for cluster nodes.> I have a 'common' role that deploys /etc/hosts. In 'cluster node' role
> luster nodes I also add lines for all nodes in the cluster. Now I am
> using a really ugly loop around lineinfile for this that took me some
> time before I made it place the content properly. Try to use lineinfile
> with a relatively complex data structure and you will remember my words.
> Instead, it would be far more easy to write an "extra_hosts" block and
> do things in pure jinja.Why not deploy for example dnsmasq? I mean, using /etc/hosts for DNS in a multiple host environment is so 1960...
Petros Moisiadis
2014-05-28 17:55 GMT+02:00 'Petros Moisiadis' via Ansible Project <ansible...@googlegroups.com>:
I am sure that you can deploy all these and that you are happy with the result. However, I took a look at your nginx role and it seems you are doing exactly what I believe people could (and should) avoid with template encapsulation. It seems you are creating a "super-role" merging together what could be at least 3 separate roles connected through dependencies: nginx, fastcgi_app, php_app. If you prefer that monolithic way of doing things, it's fine. You will be one of those who will not be excited by a feature like the one I propose and probably never use it.On 05/28/14 18:17, Maciej Delmanowski wrote:
> It is true that software that has support for include directories can
> help, but it become less helpful as you add more levels in ther hierarchy
>
> For example, consider a tree like this:
>
> 'apache' role
> |
> +-------------------------+-------------------------+
> | |
> |
> 'wsgi_app' role 'php_app' role
> 'passenger_app'
> | |
> +-----------------------+
> +------------------------+
> | | |
> |
> 'django_app' role 'flask_app' role 'redmine_app'
> role 'gitlab_app' role
>
>
> Deploying all or a subset of the above roles on the same server could be
> most easily done if my proposal for template encapsulation was available.Maybe most easily, but definitely not impossible. Currently I can deploy gitlab, gitlab-ci, phpmyadmin, phpipam, etherpad, owncloud, all on the same server behind nginx. I don't see how including templates in nginx role from other roles to make that possible could help me.
Actually my playbook does exactly what you suggest - 'fastcgi_app' role (say, gitlab), uses 'nginx' role as dependency and passes its configuration via hash variable. Similarly, PHP5-based role (like ownCloud), uses 'php5' role as a dependency to create custom php5-fpm pool for itself, and 'nginx' role as another dependency similarly with its own custom configuration passed via hash variable.
Inside 'nginx' role, a server template generates server configuration for each "parent" role, puts it in its own file in /etc/nginx/sites-available/ and enables it by symlinking it to /etc/nginx/sites-available/.
The idea behind this was to abstract nginx configuration and management away from gitlab and owncloud roles, so that you could define for example your own SSL certificates or other server-wide configuration in one place. I treat Ansible roles which support dependencies like these like blackboxes (from the perspective of a role that uses them as dependency) with common interface - how nginx configures itself shouldn't matter for gitlab. That way I could replace nginx with apache2 (with similar interface prepared beforehand) and gitlab role should be none the wiser.
In fact, I stumbled on a similar problem you describe just recently, while planning WordPress integration - you can see here http://codex.wordpress.org/Nginx that proper installation requires a lot more configuration in nginx that should be necessary to include in base nginx role. Because of that I'm thinking about creating a directory inside /etc/nginx/ where other roles could place their own nginx configuration (either via copy or template) and include it in their nginx server configuration - but not on Ansible level, but using nginx "include" option.
As you can hopefully see, I don't want to create a super-role for nginx, but instead I want to include just enough logic and room in that role so that other roles could use it comfortably. It might not be optimal or simple, as Michael would suggest, but it's a tradeoff between simplicity and customization which I feel will be beneficial for me in the long run - instead of creating specific nginx roles for many servers, I'm trying to create one general and reusable one.
Because it would be overkill for a 2 or 3 - node cluster. But you are missing the point. dnsmasq would still have a common configuration on most hosts, as well as an extra configuration needed for cluster nodes.> I have a 'common' role that deploys /etc/hosts. In 'cluster node' role
> luster nodes I also add lines for all nodes in the cluster. Now I am
> using a really ugly loop around lineinfile for this that took me some
> time before I made it place the content properly. Try to use lineinfile
> with a relatively complex data structure and you will remember my words.
> Instead, it would be far more easy to write an "extra_hosts" block and
> do things in pure jinja.Why not deploy for example dnsmasq? I mean, using /etc/hosts for DNS in a multiple host environment is so 1960...
Fair enough - I don't know what are your needs. I'm using dnsmasq on a laptop for 3-4 virtual machines in my development environment and I don't feel it's a waste of resources, but a convenience. :) I can define a CNAME or A in one place (in my inventory, in fact) and all hosts immediately know about it.
As for dnsmasq configuration on hosts other than the server (I hope you didn't plan to install it on all your servers), it's just one line in /etc/resolv.conf which is managed by operating system anyway, via DHCP. So, no extra configuration for me.
Maciej
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEnKK1xpOWkaxH-3sMWUhUaNdQLf-aDSJMWHikFL3ZT0XCCzNg%40mail.gmail.com.
Maciej Delmanowski
But it seems you do have some specialized functionality embedded in your nginx role. For example you do fastcgi stuff. By fastcgi stuff I mean things such as configuration sections, structures and directives (e.g fastcgi_index, fastcgi_pass, etc.). I do not mean configuration data (such as {{ document_root }} or {{ fastcgi_script_name }}). If I could, I would abstract it further and put fastcgi stuff in a separate role that depends on nginx role. You would ask why to do that? Shouldn't the nginx know how to deploy fastcgi applications? Well, as you saw while planning for WordPress integration, sooner or later you will come across with a fastcgi (or php, or whatever) application A that needs different fastcgi configuration than the fastcgi configuration needed by a fastcgi application B. So you would need to abstract your fastcgi logic further. But this will also happen with your wsgi logic (which could also have its own universe with one app being deployed with modwsgi, another one with uwsgi, etc.), your php logic, your phusion passenger logic, etc. If you keep all this stuff in a single role, you will end up with a difficult to read and maintain project. So, I think splitting your deployment in multiple roles would make your life much easier. That said, I really appreciate the way you are thinking, as you do recognize the need for abstracting your basic roles, and I see that you have done what the current tools allow you to do for that purpose. It is just that Ansible does not (yet) give you a mechanism to modularize your roles in a cleaner way.
ra...@future500.nl
Adam Morris
On Wednesday, May 28, 2014 12:42:52 PM UTC-7, Ernest0x wrote:
dependency. I am not sure if that can be done (easily and cleanly) with an ngix type of "include" mechanism. Also, keep in mind that there are systems that they do NOT provide such an "include" mechanism at all.
Paul Oyston
Adam Morris
On Thursday, May 29, 2014 1:52:16 AM UTC-7, Paul Oyston wrote:
Just to confirm, I wasn't suggesting any form of inheritance in any way,...