[clug] old-school remote sys configuration/management options

Chris Smart clug at csmart.io
Thu May 7 07:01:23 UTC 2020


On Thu, 7 May 2020, at 16:29, jm via linux wrote:
> Ansible is good when you have client machines which you know the address
> for. Running servers this is generally true. In some other situations
> such as where the machines being managed may pop up on random IP address
> anywhere on the Internet or are behind NAT you need an agent to call
> home. For a data centre I much prefer the Ansible model though I've not
> used Ansible for more than an afternoon myself. The only thing I'd
> recommend is starting a second copy of sshd so that if the config gets
> misconfigured (it's happened on machines I work with several times) you
> have a fall back option. Then again you may just have to walk down the
> corridor rather than worry about a truck roll in this situation.
> 

For such situations, Ansible modules have backup and validate functions.

So for example, if you're managing your sshd config with a template task you could do something like below (if the validation fails, then the config will not be replaced and your sshd will not be broken):

- name: Update sshd configuration safely, avoid locking yourself out
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
    validate: /usr/sbin/sshd -t -f %s
    backup: yes


Similar for sudo:

- name: Copy a new sudoers file into place, after passing validation with visudo
  template:
    src: /mine/sudoers
    dest: /etc/sudoers
    validate: /usr/sbin/visudo -cf %s


And a similar thing with the lineinfile module:

- name: Validate the sudoers file before saving
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%ADMIN ALL='
    line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
    validate: /usr/sbin/visudo -cf %s

-c
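The validate/backup behaviour used in the tasks above, written out as a plain POSIX shell function so the mechanism is visible. This is an added example and not code from the post or from Ansible itself: it stages the candidate file next to the destination, runs the validator with %s replaced by the staged path, and only on success keeps a timestamped backup and swaps the new file in. The validator command, the paths and the grep-based stand-in validator used in the usage note are all assumptions for the example; nothing here requires sshd or visudo to be installed.

```shell
#!/bin/sh
# Added example (not from the original post or from Ansible): a minimal
# re-implementation of the validate-then-replace pattern that Ansible's
# `validate:` and `backup:` options provide.
#
# Usage: safe_replace DEST SRC 'VALIDATOR %s'
#   DEST      - the live config file (e.g. /etc/ssh/sshd_config)
#   SRC       - the rendered candidate you want to put in place
#   VALIDATOR - a command line in which %s stands for the path to check,
#               e.g. '/usr/sbin/sshd -t -f %s' or '/usr/sbin/visudo -cf %s'
# Returns 0 on success, 2 if validation rejected SRC (DEST untouched),
# 1 on any other error.
safe_replace() {
    dest="$1"
    src="$2"
    validator="$3"

    # Stage the candidate in the same directory as DEST so the final mv is
    # an atomic rename on the same filesystem. mktemp creates it mode 0600.
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }

    # Substitute the staged path for every %s, then run the validator.
    cmd="$(printf '%s' "$validator" | sed "s|%s|$tmp|g")"
    if ! sh -c "$cmd"; then
        # Validation failed: discard the candidate and leave DEST as it was,
        # which is exactly what keeps a bad sshd_config from locking you out.
        rm -f "$tmp"
        return 2
    fi

    # Validation passed: keep a timestamped copy of the previous version
    # (the equivalent of `backup: yes`), then swap the new file into place.
    if [ -f "$dest" ]; then
        cp -p "$dest" "${dest}.$(date +%Y%m%d%H%M%S).bak" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dest"
}
```

A quick way to exercise it without touching a real service is to point it at a scratch directory and use a stand-in validator such as `"grep -q '^Port ' %s"`: a candidate that fails the grep leaves the original file and no backup behind, while a passing one replaces it and writes a single `.bak` copy of the old contents.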


