| 1 |
Am 11.01.2015 um 13:25 schrieb Rich Freeman: |
| 2 |
> On Sun, Jan 11, 2015 at 3:22 AM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 3 |
>> The reason I'm recommending to keep all of /etc in it's own repo is that |
| 4 |
>> it's the simplest way to do it. /etc/ is a large mixture of |
| 5 |
>> ansible-controlled files, sysadmin-controlled files, and other arbitrary |
| 6 |
>> files installed by the package manager. It's also not very big, around |
| 7 |
>> 10M or so typically. So you *could* manually add to a repo every file |
| 8 |
>> you change manually, but that is error-prone and easy to forget. Simpler |
| 9 |
>> to just commit everything in /etc which gives you an independant record |
| 10 |
>> of all changes over time. Have you ever dealt with a compliance auditor? |
| 11 |
>> An independant change record that is separate from the CM itself is a |
| 12 |
>> feature that those fellows really like a lot. |
| 13 |
> |
| 14 |
> If you're taking care of individual long-lived hosts this probably |
| 15 |
> isn't a bad idea. |
| 16 |
> |
| 17 |
> If you just build a new host anytime you do updates and destroy the |
| 18 |
> old one then obviously a git repo in /etc won't get you far. |
| 19 |
|
| 20 |
I have long-lived hosts out there and with rather individual setups and |
| 21 |
a wide range of age (= deployed over many years). |
| 22 |
|
| 23 |
So my first goal is kind of getting an overview: |
| 24 |
|
| 25 |
* what boxes am I responsible for? |
| 26 |
|
| 27 |
* getting some kind of meta-info into my local systems -> /etc, @world, |
| 28 |
and maybe something like the facts provided by "facter" module (a nice |
| 29 |
kind of profile ... with stuff like MAC addresses and other essential |
| 30 |
info) ... [1] |
| 31 |
|
| 32 |
and then, as I learn my steps, I can roll out some homogenization: |
| 33 |
|
| 34 |
* my ssh-keys really *everywhere* |
| 35 |
* standardize things for each customers site (network setup, proxies) |
| 36 |
|
| 37 |
etc etc |
| 38 |
|
| 39 |
I am just cautious: rolling out standardized configs over dozens of |
| 40 |
maybe different servers is a bit of a risk. But I think this will come |
| 41 |
step by step ... new servers get the roles applied from the start, and |
| 42 |
existing ones are maybe adapted to this when I do other update work. |
| 43 |
|
| 44 |
And at keeping /etc in git: |
| 45 |
|
| 46 |
So far I made it a habit to do that on customer servers. Keeping track |
| 47 |
of changes is a good thing and helpful. I still wonder how to centralize |
| 48 |
this as I would like to have these, let's call them "profiles" in my own |
| 49 |
LAN as well. People tend to forget their backups etc ... I feel better |
| 50 |
with a copy locally. |
| 51 |
|
| 52 |
This leads to finding a structure of managing this. |
| 53 |
|
| 54 |
The /etc-git-repos so far are local to the customer servers. |
| 55 |
Sure, I can add remote repos and use ansible to push the content up there. |
| 56 |
|
| 57 |
One remote-repo per server-machine? I want to run these remote-repos on |
| 58 |
one of my inhouse-servers ... |
| 59 |
|
| 60 |
For now I wrote a small playbook that allows me to rsync /etc and |
| 61 |
world-file from all the Gentoo-boxes out there (and only /etc from |
| 62 |
firewalls and other non-gentoo-machines). |
| 63 |
|
| 64 |
As mentioned I don't have FQDNs for all hosts and this leads to the |
| 65 |
problem that there are several lines like "ipfire" in several groups. |
| 66 |
|
| 67 |
Rsyncing stuff into a path containing the hostname leads to conflicts: |
| 68 |
|
| 69 |
- name: "sync /etc from remote host to inventory host" |
| 70 |
synchronize: | |
| 71 |
mode=pull |
| 72 |
src=/etc |
| 73 |
dest={{ local_storage_path }}/"{{ inventory_hostname |
| 74 |
}}"/etc |
| 75 |
delete=yes |
| 76 |
recursive=yes |
| 77 |
|
| 78 |
|
| 79 |
So I assume I should just setup some kind of talking names like: |
| 80 |
|
| 81 |
[smith] |
| 82 |
ipfire_smith .... |
| 83 |
|
| 84 |
[brown] |
| 85 |
ipfire_brown .... |
| 86 |
|
| 87 |
... and use these just as "labels" ? |
| 88 |
|
| 89 |
Another idea is to generate some kind of UUID for each host and use that? |
| 90 |
|
| 91 |
---- |
| 92 |
|
| 93 |
I really like the ansible-approach so far. |
| 94 |
|
| 95 |
Even when I might not yet run the full standardized approach as I have |
| 96 |
to slowly get the existing hosts into this growing setup. |
| 97 |
|
| 98 |
Stefan |
| 99 |
|
| 100 |
|
| 101 |
[1] I haven't yet managed to store the output of the setup-module to |
| 102 |
the inventory host. I could run "ansible -i hosts.yml -m setup all" but |
| 103 |
I want a named txt-file per host in a separate subdir ... |
Archives