Niels K.


Ranting about Ansible…just some venting

So recently I had long discussions about Saltstack and Ansible. I like Salt, have used it for years, but realize the shortcomings when it comes to local development of states and formulas, especially when using gitfs.

But some people try to convince me that Ansible is so much better because you can locally develop, its error messages are better and it is easier to write.

Since I wanted to have an informed opinion, I started trying to use it. For my personal dotfiles it should be more usable than setting up salt-ssh, and for my couple of servers it should be easy to use with some roles from the net.

But to be honest I am not convinced. Yes, developing locally and pushing only when something is finished is nice, but I had so many problems.

I needed only a couple of hours to get into my first hard-to-understand error messages (yes, experience will make that easier). I also tried multiple roles and currently I ended up using two. One from someone who seems to be doing a decent job and one I had to fork because it wasn’t so flexible. The others, well. I saw dependencies on roles from other people, deprecation warnings, missing flexibility and bad/incomplete documentation.

Speed was another issue, it is soooo slow. I have a copy-state with 92 files and a couple of directories which I run locally, since it copies over a base of Neovim configuration files, and it is soooo slow. And apparently it doesn’t even know what changes; for that I apparently need with_filetree. But that made it unusably slow. Finding out about async helped a bit: it is still slow, but other stuff can run. Using “strategy: free” for my servers helped as well in terms of speed, but that meant that the output became more or less useless because everything is mixed up. I already use ControlMaster with ssh, so I only had to add pipelining to improve it a bit further. But still, I don’t see myself rolling out playbooks over a couple of dozen servers, even with more forks.

I also seem to need a plethora of playbooks, or have to work heavily with tags, which I have to document (somewhere?), since they are hard to discover because they are in files in a convoluted file structure of roles when I do not always want to run all tasks, since that slows things down because Ansible seems to be slow. With Saltstack I just run a single state against a freely chosen set of targets. I know that a decent top.sls and just a highstate would be better, but in my experience it can be very useful to run just a single state. Especially when testing. With Ansible I have to set up multiple groups or inventories with lots of copy-and-pasting, and then I can run it additionally against a subset of servers in a group. Targeting and running a single play/role against one or some servers seems to be a mess, or I am doing something fundamentally wrong.

Writing roles, even ones with some dynamics, was ok-ish. I did figure out how to use optional vars, though only by adding a lot of “{% if somevar is defined %}”. And in the role I forked I have to dig deeper into how I could use it correctly, because I couldn’t yet figure out how the templating of the final file is done with asserts.

But in Saltstack I do not necessarily need formulas, since I can use Jinja in state files and in templates, which makes life pretty easy.

And I always have to use a password…so annoying, either a become password or a vault password. On my salt masters I just have sudo with a timeout and/or use publisher ACLs.

I am also not convinced that agentless is better in terms of bootstrapping. Yes, with Salt I have to bootstrap a minion. But with Ansible I need to have access to a server. And I know the case where people set something up or got sick, forgot to document access to the server, and then nobody had access or needed to do some magic with single-user boot, usually trying out some defaults and searching the documentation in case there is something somewhere. And then I would have needed to reach out. With Salt I just roll out my user as long as the minion is connected (yes, and running). But using SSH certificates makes life easier…when people set it up, which might not have happened in the case mentioned above because it was just a “fire and forget” thing and then it somehow got important enough that breakage was noticeable.

So yes, Saltstack has some problems. I’d like to see the usually more readable error messages from Ansible and I’d like to have a bit better development workflow. But the slow speed of Ansible makes up for a lot of the slow speed of “salt-run fileserver.update”. In the end Ansible isn’t really better, and besides my use for dotfiles, I don’t see myself running it in production, or maybe I am doing something fundamentally wrong. Who knows. My experience was less than stellar though.

Update: Using synchronize instead of copy helps a lot with my Neovim role.
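As an added illustration (not a playbook from the original post), here are the two ways of shipping a tree of Neovim config files discussed above side by side: the per-file copy with with_filetree, and the single synchronize run from the update. The files/nvim/ path, the nvim_dest variable and the workstations group are assumptions.

```yaml
# Added example, not the post's own role. Assumed: the tree lives in
# files/nvim/ next to the playbook, and the hosts are in group workstations.
- hosts: workstations
  strategy: free          # hosts proceed independently; output interleaves
  vars:
    nvim_dest: "{{ ansible_env.HOME }}/.config/nvim"
  tasks:
    # Slow variant: one task iteration per directory and per file, so the
    # loop itself stays per-item even with pipelining enabled in ansible.cfg.
    - name: Create target directories (filetree walk)
      file:
        path: "{{ nvim_dest }}/{{ item.path }}"
        state: directory
        mode: "0755"
      with_filetree: files/nvim/
      when: item.state == 'directory'
      tags: [nvim, nvim_copy]

    - name: Copy files one by one (filetree walk)
      copy:
        src: "{{ item.src }}"
        dest: "{{ nvim_dest }}/{{ item.path }}"
        mode: "{{ item.mode }}"   # keep the mode the file has on the control node
      with_filetree: files/nvim/
      when: item.state == 'file'
      tags: [nvim, nvim_copy]

    # Fast variant: a single rsync run; only changed files cross the wire.
    # Requires rsync on both ends. delete is left at its default (no), so
    # files that exist only on the target are not removed.
    - name: Sync the whole tree in one go
      ansible.posix.synchronize:
        src: files/nvim/
        dest: "{{ nvim_dest }}/"
        archive: true
        rsync_opts:
          - "--exclude=.git"
      tags: [nvim, nvim_sync]
```

Running the play with `--tags nvim_sync` skips the per-file copy tasks, which is the tag-based selection the post complains about having to document.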