Am I Idempotent? A silly game

Dennis Rowe @shr3kst3r

Some Definitions of Idempotent

๏ Math version: f(f(x)) = f(x) ‣ example: identity function applied to x equals x

๏ CS version: Applying an action multiple times has the same result as applying the same action once. ‣ example: mkdir -p /hi

๏ Ansible version: “The concept that change commands should only be applied when they need to be applied, and that it is better to describe the desired state of a system than the process of how to get to that state.” - http://docs.ansible.com/ansible/glossary.html

What are we looking for? Repeatability

Reliability Resiliency

* The 3R’s taken from the talk “The Twelve-Factor Container” by Casey West

Why is Idempotency Important? (the CS version)

๏ Consistency among servers ‣ This removes drift in the system ‣ This removes surprises ‣ This leads to

- Repeatability

- Reliability

- Resiliency

๏ A server that can be reasoned about ‣ Cannot reliably fix problems that you don’t understand.

Game Time

Am I idempotent?

main.yml - name: ensure /etc/hosts template: src=etc/hosts dest=/etc/hosts

hosts {% for name in hosts %} {{ hosts[name] }} {{ name }} {% endfor %}

No Dictionaries are not sorted

hosts file should have a “sort” {% for name in hosts|sort %} {{ hosts[name] }} {{ name }} {% endfor %}

Am I idempotent?

Input - name: make a directory command: mkdir -p /var/tmp/test

Output TASK [make a directory] ************************ changed: [localhost]

Yes But why?

Am I idempotent?

Input - name: make a directory command: mkdir -p /var/tmp/test changed_when: False

Output TASK [make a directory] ********************** ok: [localhost]

Yes But how is it different from the previous example?

Am I idempotent?

Input - name: make a file command: touch /tmp/test_file changed_when: False

Output TASK [make a file] ******************** ok: [localhost]

Not really What happens on reboot?

Am I idempotent?

Input - file: path=/tmp/a_dir state=directory

Output TASK [file] ************** ok: [localhost]

Not really But Ansible says it is green!?

Am I idempotent?

Input - file: path=/a_dir state=directory mode=0755 - file: path=/a_dir state=directory mode=0700

Output TASK [file] *********** changed: [localhost]

TASK [file] *********** changed: [localhost]

Yes But it will always show changed to Ansible

Am I idempotent?

Input - file: path=/a_dir state=directory - file: path=/a_dir state=directory mode=0700

Output TASK [file] ************** ok: [localhost]

TASK [file] ************** ok: [localhost]

Yes

Am I idempotent?

Input - user: name=johnd comment="John Doe" uid=1040 group=admin - user: name=johnd state=absent remove=yes

Output TASK [user] ************** changed: [localhost]

TASK [user] ************** changed: [localhost]

Yes But there are consequences

Thoughts

๏ There is only a casual correlation between idempotency and Ansible’s changed notifications

๏ We are more interested in the idempotency of the playbook(s) ๏ Factors like time and reboots can affect the perceived idempotency of a playbook ๏ Don’t let the green lead you in to a false sense of security ๏ You have to understand how the systems works ๏ Side affects are hard

The End

Dennis Rowe @shr3kst3r