[clug] old-school remote sys configuration/management options
Chris Smart
clug at csmart.io
Thu May 7 04:22:48 UTC 2020
On Thu, 7 May 2020, at 13:01, Bob Edwards via linux wrote:
> Back in the day, one would do all their remote system configuration
> management using SSH, bash and package management. Throw in some
> rsyslogd for remote logging and life was quite simple.
>
It can be again!
> These days, the preference for config management seems to be one of
> the various Ansible, Chef, Puppet, SaltStack etc. and then add in
> tools like munin, nagios, graylog etc (and/or their successors) and
> there is a whole raft of client side software to be installed,
> maintained, monitored and managed (in terms of load on the system),
> plus all the server side as well.
>
> With the recent SaltStack vulnerabilities [1], I have been reassessing
> the landscape. (we started using SaltStack some years ago, mainly due
> to it's integration with Git, at the time).
>
> At the risk of starting a preferred configuration management system war,
> I am now seriously considering just chucking all that and going back to
> bash scripts running over SSH - simple and well understood. Only need
> to have one port open (maybe two), instead of many ports for all the
> various monitoring and config. management etc.
>
Ansible goes over SSH and you can run scripts if you want to (https://docs.ansible.com/ansible/latest/modules/shell_module.html), although using built-in modules is better as it's then idempotent, more reliable and easy to collaborate on. You can store your playbook in Git and run it from a clone, pipeline or Ansible Tower or whatever.
> Wondering if anyone else has considered this and if anyone can suggest/
> recommend any existing frameworks or similar? I am looking for something
> that can do some/all of:
> - installation/upgrades
Ansible package module (https://docs.ansible.com/ansible/latest/modules/package_module.html), e.g.:
- name: install ntpdate
package:
name: ntpdate
state: present
Install latest version of ntpdate:
- name: install ntpdate
package:
name: ntpdate
state: latest
Or use apt module (https://docs.ansible.com/ansible/latest/modules/apt_module.html) if they are all Debian boxes.
> - configuration
You can use templates (https://docs.ansible.com/ansible/latest/modules/template_module.html) with Jinja expressions in them to automatically and dynamically generate the config based on vars or discovered details about a host from the inventory, e.g.:
- name: Template a file to /etc/files.conf
template:
src: /mytemplates/foo.j2
dest: /etc/file.conf
owner: bin
group: wheel
mode: '0644'
Or you can do line (https://docs.ansible.com/ansible/latest/modules/lineinfile_module.html) or block in files for setting specific things, etc, e.g.:
- name: Ensure the default Apache port is 8080
lineinfile:
path: /etc/httpd/conf/httpd.conf
regexp: '^Listen '
insertafter: '^#Listen '
line: Listen 8080
> - asset details (eg. serial no.s, RAM, CPU etc.)
The Ansible inventory will have most of these details, you can pull out whatever you want. Or you can write a task to run a specific dmidecode or whatever.
> - monitoring (S.M.A.R.T., du, load etc.)
I use Prometheus for most of my monitoring and alerting and graph things with grafana, e.g.
:
https://blog.christophersmart.com/2019/09/08/setting-up-a-monitoring-host-with-prometheus-influxdb-and-grafana/
> - vulnerability checks
Most of my things are Red Hat, so they either take care of themselves or use Satellite for vulnerability reporting. I guess you could do whatever you used to do when life was simple?
> - some sort of reporting (I don't need fancy colour graphs - I don't
> have an MBA)
Maybe Grafana.
> - backups
>
I generally don't bother with backups except for files shares and databases. Everything else is in Git.
If a VM dies I just chuck it away, spin up a new one and re-run the Ansible and it's back online before you can sneeze.
> I already have scripts left over from years ago that can do much of
> this, but would be interested in using a framework if such exists
> (my Googling just turns up how to configure SSH etc.). Mainly targeting
> Debian and Ubuntu, with some CentOS and occasionally others thrown in.
>
Re-writing any tasks you need to do as Ansible tasks gets my vote, and throw your scripts away.
I converted Korora into a set of Ansible scripts for Fedora, if it helps:
https://github.com/csmart/korora-ansible
-c
More information about the linux
mailing list