LinchPin: A simplified cloud orchestration tool using Ansible

Launched in late 2016, LinchPin now has a Python API and a growing community.
370 readers like this.
9 Lessons from 25 Years of Linux Kernel development

Internet Archive Book Images. Modified by CC BY-SA 4.0

Late last year, my team announced LinchPin, a hybrid cloud orchestration tool using Ansible. Provisioning cloud resources has never been easier or faster. With the power of Ansible behind LinchPin, and a focus on simplicity, many cloud resources are available at users' fingertips. In this article, I'll introduce LinchPin and look at how the project has matured in the past 10 months.

Back when LinchPin was introduced, using the ansible-playbook command to run LinchPin was complex. Although that can still be accomplished, LinchPin now has a new front-end command-line user interface (CLI), which is written in Click and makes LinchPin even simpler than it was before.

Not to be outdone by the CLI, LinchPin now also has a Python API, which can be used to manage resources, such as Amazon EC2 and OpenStack instances, networks, storage, security groups, and more. The API documentation can be helpful when you're trying out LinchPin's Python API.

Playbooks as a library

Because the core bits of LinchPin are Ansible playbooks, the roles, modules, filters, and anything else to do with calling Ansible modules has been moved into the LinchPin library. This means that although one can still call the playbooks directly, it's not the preferred mechanism for managing resources. The linchpin executable has become the de facto front end for the command-line.

Command-line in depth

Let's have a look at the linchpin command in depth:

$ linchpin
Usage: linchpin [OPTIONS] COMMAND [ARGS]...

  linchpin: hybrid cloud orchestration

  -c, --config PATH       Path to config file
  -w, --workspace PATH    Use the specified workspace if the familiar Jenkins
                          $WORKSPACE environment variable is not set
  -v, --verbose           Enable verbose output
  --version               Prints the version and exits
  --creds-path PATH       Use the specified credentials path if WORKSPACE
                          environment variable is not set
  -h, --help              Show this message and exit.

  init     Initializes a linchpin project.
  up       Provisions nodes from the given target(s) in...
  destroy  Destroys nodes from the given target(s) in...

What can be seen immediately is a simple description, along with options and arguments that can be passed to the command. The three commands found near the bottom of this help are where the focus will be for this document.


In the past, there was linchpin_config.yml. This file is no longer, and has been replaced with an ini-style configuration file, called linchpin.conf. Although this file can be modified or placed elsewhere, its placement in the library path allows easy lookup of configurations. In most cases, the linchpin.conf file should not need to be modified.


The workspace is a defined filesystem path, which allows grouping of resources in a logical way. A workspace can be considered a single point for a particular environment, set of services, or other logical grouping. It can also be one big storage bin of all managed resources.

The workspace can be specified on the command-line with the --workspace (-w) option, followed by the workspace path. It can also be specified with an environment variable (e.g., $WORKSPACE in bash). The default workspace is the current directory.

Initialization (init)

Running linchpin init will generate the directory structure needed, along with an example PinFile, topology, and layout files:

$ export WORKSPACE=/tmp/workspace
$ linchpin init
PinFile and file structure created at /tmp/workspace
$ cd /tmp/workspace/
$ tree
├── credentials
├── hooks
├── inventories
├── layouts
│   └── example-layout.yml
├── PinFile
├── resources
└── topologies
    └── example-topology.yml

At this point, one could execute linchpin up and provision a single libvirt virtual machine, with a network named linchpin-centos71. An inventory would be generated and placed in inventories/libvirt.inventory. This can be known by reading the topologies/example-topology.yml and gleaning out the topology_name value.

Provisioning (linchpin up)

Once a PinFile, topology, and optionally a layout are in place, provisioning can happen.

We use the dummy tooling because it is much simpler to configure; it doesn't require anything extra (authentication, network, etc.). The dummy provider creates a temporary file, which represents provisioned hosts. If the temporary file does not have any data, hosts have not been provisioned, or they have been recently destroyed.

The tree for the dummy provider is simple:

$ tree
├── hooks
├── inventories
├── layouts
│   └── dummy-layout.yml
├── PinFile
├── resources
└── topologies
    └── dummy-cluster.yml

The PinFile is also simple; it specifies which topology, and optional layout to use for the dummy1 target:

  topology: dummy-cluster.yml
  layout: dummy-layout.yml

The dummy-cluster.yml topology file is a reference to provision three (3) resources of type dummy_node:

topology_name: "dummy_cluster" # topology name
    resource_group_name: "dummy"
    resource_group_type: "dummy"
        name: "web"
        type: "dummy_node"
        count: 3

Performing the command linchpin up should generate resources and inventory files based upon the topology_name (in this case, dummy_cluster):

$ linchpin up
target: dummy1, action: up

$ ls {resources,inventories}/dummy*
inventories/dummy_cluster.inventory  resources/dummy_cluster.output

To verify resources with the dummy cluster, check /tmp/dummy.hosts:

$ cat /tmp/dummy.hosts

The Dummy module provides a basic tooling for pretend (or dummy) provisioning. Check out the details for OpenStack, AWS EC2, Google Cloud, and more in the LinchPin examples.

Inventory Generation

As part of the PinFile mentioned above, a layout can be specified. If this file is specified and exists in the correct location, an Ansible static inventory file will be generated automatically for the resources provisioned:

    hostname: __IP__
      count: 3
        - example

When the linchpin up execution is complete, the resources file provides useful details. Specifically, the IP address(es) or host name(s) are interpolated into the static inventory:



Teardown (linchpin destroy)

LinchPin also can perform a teardown of resources. A teardown action generally expects that resources have been provisioned; however, because Ansible is idempotent, linchpin destroy will only check to make sure the resources are up. Only if the resources are already up will the teardown happen.

The command linchpin destroy will either use resources and/or topology files to determine the proper teardown procedure.

The dummy Ansible role does not use the resources, only the topology during teardown:

$ linchpin destroy
target: dummy1, action: destroy

$ cat /tmp/dummy.hosts

The teardown functionality is slightly more limited around ephemeral resources, like networking, storage, etc. It is possible that a network resource could be used with multiple cloud instances. In this way, performing a linchpin destroy does not teardown certain resources. This is dependent on each provider's implementation. See specific implementations for each of the providers.

The LinchPin Python API

Much of what is implemented in the linchpin command-line tool has been written using the Python API. The API, although not complete, has become a vital component of the LinchPin tooling.

The API consists of three packages:

  • linchpin
  • linchpin.cli
  • linchpin.api

The command-line tool is managed at the base linchpin package; it imports the linchpin.cli modules and classes, which is a subclassing of linchpin.api. The purpose for this is to allow for other possible implementations of LinchPin using the linchpin.api, like a planned RESTful API.

For more information, see the Python API library documentation on Read the Docs.


One of the big improvements in LinchPin 1.0 going forward is hooks. The goal with hooks is to allow additional configuration using external resources in certain specific states during linchpin execution. The states currently are as follows:

  • preup: Executed before provisioning the topology resources
  • postup: Executed after provisioning the topology resources, and generating the optional inventory
  • predestroy: Executed before teardown of the topology resources
  • postdestroy: Executed after teardown of the topology resources

In each case, these hooks allow external scripts to run. Several types of hooks exist, including custom ones called Action Managers. Here's a list of built-in Action Managers:

  • shell: Allows either inline shell commands, or an executable shell script
  • python: Executes a Python script
  • ansible: Executes an Ansible playbook, allowing passing of a vars_file and extra_vars represented as a Python dict
  • nodejs: Executes a Node.js script
  • ruby: Executes a Ruby script

A hook is bound to a specific target and must be restated for each target used. In the future, hooks will be able to be global, and then named in the hooks section for each target more simply.

Using hooks

Describing hooks is simple enough, understanding their power might not be so simple. This feature exists to provide flexible power to the user for things that the LinchPin developers might not consider. This concept could lead to a simple way to ping a set of systems, for instance, before running another hook.

Looking into the workspace more closely, one might have noticed the hooks directory. Let's have a look inside this directory to see the structure:

$ tree hooks/
├── ansible
│   ├── ping
│   │   └── dummy_ping.yaml
└── shell
    └── database

In every case, hooks can be used in the PinFile, shown here:

  topology: dummy-cluster.yml
  layout: dummy-layout.yml
      - name: ping
        type: ansible
          - dummy_ping.yaml
      - name: database
        type: shell

The basic concept is that there are three postup actions to complete. Hooks are executed in top-down order. Thus, the Ansible ping task would run first, followed by the two shell tasks,, followed by Assuming the hooks execute successfully, a ping of the systems would occur, then a database would be set up and initialized.

Authentication Driver

In the initial design of LinchPin, developers decided to have authentication be managed within the Ansible playbooks; however, moving to a more API and command-line driven tool meant that authentication should be outside of the library where the playbooks now reside, and still pass authentication values along as needed.


Letting users use the authentication method provided by the driver used accomplished this task. For instance, if the topology called for OpenStack, the standard method is to use either a yaml file, or similar OS_ prefixed environment variables. A clouds.yaml file consists of a profile, with an auth section:

      project_name: factory2
      username: factory-user
      password: password-is-not-a-good-password

More detail is in the OpenStack documentation.

This clouds.yaml—or any other authentication file—is located in the default_credentials_path (e.g., ~/.config/linchpin) and referenced in the topology:

topology_name: openstack-test
    resource_group_name: linchpin
    resource_group_type: openstack
      - name: resource
        type: os_server
        flavor: m1.small
        image: rhel-7.2-server-x86_64-released
        count: 1
        keypair: test-key
          - test-net2
      filename: clouds.yaml
      profile: default

The default_credentials_path can be changed by modifying the linchpin.conf.

The topology includes a new credentials section at the bottom. With openstack, ec2, and gcloud modules, the credentials can be specified similarly. The Authentication driver will then look in the given filename clouds.yaml, and search for the profile named default.

Assuming authentication is found and loaded, provisioning will continue as normal.


Although LinchPin can be complex around topologies, inventory layouts, hooks, and authentication management, the ultimate goal is simplicity. By simplifying with a command-line interface, along with goals to improve the developer experience coming post-1.0, LinchPin continues to show that complex configurations can be managed with simplicity.

Community Growth

Over the past year, LinchPin's community has grown to the point that we now have a mailing list, an IRC channel (#linchpin on, and even manage our sprints in the open with GitHub.

The community membership has grown immensely—from 2 core developers to about 10 contributors over the past year. More people continue to work with the project. If you've got an interest in LinchPin, drop us a line, file an issue on GitHub, join up on IRC, or send us an email.

This article is based on Clint Savage's OpenWest talk, Introducing LinchPin: Hybrid cloud provisioning using Ansible. OpenWest will be held July 12-15, 2017 in Salt Lake City, Utah.

User profile image.
Clint Savage works for Red Hat as a Senior Software Engineer for Project Atomic. His job entails automating Atomic server builds for Fedora, CentOS, and Red Hat Enterprise Linux (RHEL).

Comments are closed.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.