21 Nov
2021
21 Nov
'21
9:09 a.m.
I always meant to get my head around Ansible (or Chef, or Puppet) for my
VPS based on recommendations on this very list. Sadly I have not yet got
round to it, and I suddenly find I have a need for something of this ilk
at work.
My use case is a single Linux instance, on-prem. (No fleet, no cloud, no
VMs or containers planned.) It's to provide internal services for an
office network: DHCP, DDNS, maybe NAS, maybe print accounting, maybe
firewall/router/IDS, maybe apt cache or other proxies.
I think what I want is infrastructure-as-code:
* Config files (/etc) under revision control with convenient automated
backup
* All superuser actions are fully logged and replayable (fire drill:
complete reimage from scratch)
* Nobody gets direct sudo access, but I can give out admin access via
the config management tool.
I've had root shells for about 25 years now but I'm new to thinking
deeply about IaC. I would be grateful for feedback:
- is what I think I want reasonable and achievable? (what are the gotchas?)
- am I on the right track by looking at Ansible/Chef/Puppet and do any
of them particularly suit my use case? Are the paid-for versions worth
paying for?
- is there a useful noobs guide?
Thanks
Ross
21 Nov
21 Nov
11:02 a.m.
I know you said you weren’t considering containers, but it might be worth another look for
a few reasons:
- each service is ‘encapsulated’ and logically separated from everything else running on
the machine
- depending on your exact needs, you could more than likely use existing images from
Docker Hub and not have to build your own
- you can easily externalise the config backup files to known locations on the host disk,
making it easy to back up the configurations
- upgrades are easy; just pull the latest version of the container, and roll back to the
previous one if stuff breaks
- with tools like docker-compose you could bring up all your services, in the correct
order, with a single command
- it would be very easy to move the services and config across to another machine in the
event of a hardware failure
I’ve used Puppet in the past (but ~10 years ago now so it may have moved on quite a bit)…
there’s going to be a significant amount of effort in setting up the Puppet/Ansible
infrastructure, config, etc., and for one machine you will probably feel like it’s easier
to just do it manually/script it with bash or similar.
Kind regards,
Paul
Sent from my iPad. Please excuse brevity, spelling, and punctuation.
On 21 Nov 2021, at 09:18, Ross Younger via users <users(a)lists.bitfolk.com> wrote:
I always meant to get my head around Ansible (or Chef, or Puppet) for my VPS based on
recommendations on this very list. Sadly I have not yet got round to it, and I suddenly
find I have a need for something of this ilk at work.
My use case is a single Linux instance, on-prem. (No fleet, no cloud, no VMs or containers
planned.) It's to provide internal services for an office network: DHCP, DDNS, maybe
NAS, maybe print accounting, maybe firewall/router/IDS, maybe apt cache or other
proxies.
I think what I want is infrastructure-as-code:
* Config files (/etc) under revision control with convenient automated backup
* All superuser actions are fully logged and replayable (fire drill: complete reimage from
scratch)
* Nobody gets direct sudo access, but I can give out admin access via the config
management tool.
I've had root shells for about 25 years now but I'm new to thinking deeply about
IaC. I would be grateful for feedback:
- is what I think I want reasonable and achievable? (what are the gotchas?)
- am I on the right track by looking at Ansible/Chef/Puppet and do any of them
particularly suit my use case? Are the paid-for versions worth paying for?
- is there a useful noobs guide?
Thanks
Ross
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
11:33 a.m.
Hello Ross,
On 2021-11-21 22:09+1300, Ross Younger via users wrote:
I always meant to get my head around Ansible (or Chef,
or Puppet) for
my VPS based on recommendations on this very list. Sadly I have not
yet got round to it, and I suddenly find I have a need for something
of this ilk at work.
The short version is, they're like glorified Makefiles, only proceeding
with other bits if the first bit succeeds.
My use case is a single Linux instance, on-prem. (No
fleet, no cloud,
no VMs or containers planned.) It's to provide internal services for
an office network: DHCP, DDNS, maybe NAS, maybe print accounting,
maybe firewall/router/IDS, maybe apt cache or other proxies.
For a single instance, you can use Ansible against the localhost. I do
something like this for that:
$ ansible -i localhost, -b playbook_file.yaml
I think what I want is infrastructure-as-code:
* Config files (/etc) under revision control with convenient automated
backup
Well, git is what most people use, but use what you're happy with. I
tend to put these in a tree in say, /home/ed/git/config/etc, then push
that to the remote places with Ansible, one way or another rather than
put /etc under version control itself.
* All superuser actions are fully logged and
replayable (fire drill:
complete reimage from scratch)
* Nobody gets direct sudo access, but I can give out admin access via the
config management tool.
Promotional warning, 'please' exists too, thoughts welcomed :)
<https://gitlab.com/edneville/please>
I've had root shells for about 25 years now but
I'm new to thinking
deeply about IaC. I would be grateful for feedback:
- is what I think I want reasonable and achievable? (what are the gotchas?)
I prefer the design of Ansible, things start of in an area of high
privilege and trickle down into areas of doubt and lower security. In
the puppet model, lower privilege and lower trust areas connect into the
areas of higher trust, the area that keeps all the secrets. I don't like
that much and there have been issues due to this design. It is more
popular though I will always fight the corner of Ansible as I prefer the
way that high trust area initiates communication with the lower trust.
- am I on the right track by looking at
Ansible/Chef/Puppet and do any of
them particularly suit my use case? Are the paid-for versions worth paying
for?
Ansible can work in a stand alone environment without /much/ work.
- is there a useful noobs guide?
I think I have an idea of what you're trying to do, maybe this helps, in
my search bubble there were usage examples from others, which might
match what you're trying to do:
<https://www.google.com/search?q=ansible-playbook+localhost>
Ed
24 Nov
24 Nov
1:25 p.m.
On Sun, Nov 21, 2021 at 10:09:32PM +1300, Ross Younger via users wrote:
I always meant to get my head around Ansible (or Chef,
or Puppet) for my VPS
based on recommendations on this very list. Sadly I have not yet got round
to it, and I suddenly find I have a need for something of this ilk at work.
Ansible user here, SSH+Python is all that is required for it work.
My use case is a single Linux instance, on-prem. (No
fleet, no cloud, no VMs
or containers planned.) It's to provide internal services for an office
network: DHCP, DDNS, maybe NAS, maybe print accounting, maybe
firewall/router/IDS, maybe apt cache or other proxies.
I think what I want is infrastructure-as-code:
You are thinking absolutely right. I used to do old-school hand editing config
files directly on boxes myself. That all changed 10 years ago when I finally got
a chance to use an internally developed tool very similar to ansible. All
configuration changes was committed to a repo before being pushed out.
* Config files (/etc) under revision control with convenient automated
backup
* All superuser actions are fully logged and replayable (fire drill:
complete reimage from scratch)
* Nobody gets direct sudo access, but I can give out admin access via the
config management tool.
I've had root shells for about 25 years now but I'm new to thinking deeply
about IaC. I would be grateful for feedback:
- is what I think I want reasonable and achievable? (what are the gotchas?)
- am I on the right track by looking at Ansible/Chef/Puppet and do any of
them particularly suit my use case? Are the paid-for versions worth paying
for?
- is there a useful noobs guide?
You should be fine using one of Ansible/Chef/Puppet, no need to blow up money
for commercial tools.
Even though you are managing just a single machine, believe me using a config
management tool will save you a lot of hassles. I have had to do your "fire
drill" quiet a few times and config management saved me all those times. I use
subversion (SVN) since I am the only one managing the stuff. I would use Git if
I was part of a team.
HTH.
Kind regards,
Didar
Thanks
Ross
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
--
All constants are variables.
26 Nov
26 Nov
9:23 a.m.
Firstly, a ringing endorsement for Ansible here. I've used Puppet before,
and while that's useful for large fleets of machines which need to be
policed on their configuration, it's not so great for ad-hoc machines.
My worry is the second part of your email where you mix several items into
one block:
* Config files (managed with Ansible) under revision control (um, perhaps
manage the Config files with Ansible, and your ansible scripts with Git)
and convenient auto backup (Or, use etckeeper, and have a cronjob which
does a git push to a central repo store?)
* All superuser actions fully logged (um, auditd is your friend here, so
you'd then need a central syslogd to push those logs to it) and replayable
(yehr, that's not going to happen... - the way to enforce this is to
completely prevent all logins to the box, and manage it entirely with some
automation tooling - like Ansible - but your ops teams [*] will HATE this)
* Nobody gets direct sudo access, but I can give out admin access (yep,
ansible can change user groups and /etc/sudoers files)
Regarding that second item, my employer used
https://www.ssh.com/academy/iam/pam in the past which basically you put in
front of your managed device, and it's the only box with SSH keys to access
it, but it's got a service that records all the TTY while you're logged
into the box. That said, it's a commercial service, and means you've got
another device to manage too.
Regarding learning Ansible, it's pretty straightforward. I've done a few
podcasts about it (shameless plug for the podcast I'm a regular co-host on
- https://www.adminadminpodcast.co.uk/ep63/ and one where I just joined
them to talk about Ansible -
https://lhspodcast.info/2019/10/lhs-episode-307-ansible-deep-dive/) but
you'll also find lots of videos on Youtube, Udemy and A Cloud Guru about
Ansible.
If this really is a one-off event, then disable password login from your
host, and have it calling out every 30 minutes (to a github repo for
playbook changes using ansible-pull) to enable it again. Your build process
should be:
1. Install OS (any Linux distro will do, but I'd suggest one of the
commercially supportable ones, like RHEL, Ubuntu, etc)
2. Set a LONG password for the root user. Sign in as root.
3. Remove your user account.
4. Install git and python3-pip then `pip install ansible`.
5. git clone
https://some.git.service/yourOrgAccount/OfficeHubMachinePlaybook to
somewhere sensible (changing URL, natch)
6. ansible-playbook /opt/OfficeHubMachinePlaybook/setup.yml
To create your OfficeHubMachinePlaybook, I'd suggest using Vagrant to
rapidly provision and destroy a VM with the configuration on it. That way,
if you want to see what the current state of your deployed host is, you can
just issue `vagrant up` and then it'll be operating like your deployed node.
If you don't mind having a little bit of SSH access into the host - you
could setup and run Ansible Tower (a commercial product from RedHat and
requires a RHEL device to run Tower on) or AWX (the open source upstream
project), as this will record your Ansible activities, including all the
logs from your playbook. It will also schedule regular deployment
activities (e.g. every day, run the security-updates playbook, or every
week, run the full-upgrade playbook, or every time the git repo is updated,
run the provision playbook)... but again, this is another machine you have
to feed and water and manage and maintain. This gives you a friendly web
interface, and as your ops [*] get more capable, they can be trusted to run
more activities on this node, and it keeps all your "secrets".
[*] Obviously, if you don't have an ops team, then ... ignore this part :)
--
Jon "The Nice Guy" Spriggs
@jontheniceguy everywhere...
https://jon.sprig.gs
On Sun, 21 Nov 2021 at 09:18, Ross Younger via users <
users(a)lists.bitfolk.com> wrote:
I always meant to get my head around Ansible (or Chef,
or Puppet) for my
VPS based on recommendations on this very list. Sadly I have not yet got
round to it, and I suddenly find I have a need for something of this ilk
at work.
My use case is a single Linux instance, on-prem. (No fleet, no cloud, no
VMs or containers planned.) It's to provide internal services for an
office network: DHCP, DDNS, maybe NAS, maybe print accounting, maybe
firewall/router/IDS, maybe apt cache or other proxies.
I think what I want is infrastructure-as-code:
* Config files (/etc) under revision control with convenient automated
backup
* All superuser actions are fully logged and replayable (fire drill:
complete reimage from scratch)
* Nobody gets direct sudo access, but I can give out admin access via
the config management tool.
I've had root shells for about 25 years now but I'm new to thinking
deeply about IaC. I would be grateful for feedback:
- is what I think I want reasonable and achievable? (what are the gotchas?)
- am I on the right track by looking at Ansible/Chef/Puppet and do any
of them particularly suit my use case? Are the paid-for versions worth
paying for?
- is there a useful noobs guide?
Thanks
Ross
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
1121
days inactive
1126
days old
4 comments
5 participants
participants (5)
-
didar -
Ed Neville -
Jon Spriggs -
Paul Lewis -
Ross Younger