1 |
Am 11.01.2015 um 13:25 schrieb Rich Freeman: |
2 |
> On Sun, Jan 11, 2015 at 3:22 AM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
3 |
>> The reason I'm recommending to keep all of /etc in it's own repo is that |
4 |
>> it's the simplest way to do it. /etc/ is a large mixture of |
5 |
>> ansible-controlled files, sysadmin-controlled files, and other arbitrary |
6 |
>> files installed by the package manager. It's also not very big, around |
7 |
>> 10M or so typically. So you *could* manually add to a repo every file |
8 |
>> you change manually, but that is error-prone and easy to forget. Simpler |
9 |
>> to just commit everything in /etc which gives you an independant record |
10 |
>> of all changes over time. Have you ever dealt with a compliance auditor? |
11 |
>> An independant change record that is separate from the CM itself is a |
12 |
>> feature that those fellows really like a lot. |
13 |
> |
14 |
> If you're taking care of individual long-lived hosts this probably |
15 |
> isn't a bad idea. |
16 |
> |
17 |
> If you just build a new host anytime you do updates and destroy the |
18 |
> old one then obviously a git repo in /etc won't get you far. |
19 |
|
20 |
I have long-lived hosts out there and with rather individual setups and |
21 |
a wide range of age (= deployed over many years). |
22 |
|
23 |
So my first goal is kind of getting an overview: |
24 |
|
25 |
* what boxes am I responsible for? |
26 |
|
27 |
* getting some kind of meta-info into my local systems -> /etc, @world, |
28 |
and maybe something like the facts provided by "facter" module (a nice |
29 |
kind of profile ... with stuff like MAC addresses and other essential |
30 |
info) ... [1] |
31 |
|
32 |
and then, as I learn my steps, I can roll out some homogenization: |
33 |
|
34 |
* my ssh-keys really *everywhere* |
35 |
* standardize things for each customers site (network setup, proxies) |
36 |
|
37 |
etc etc |
38 |
|
39 |
I am just cautious: rolling out standardized configs over dozens of |
40 |
maybe different servers is a bit of a risk. But I think this will come |
41 |
step by step ... new servers get the roles applied from the start, and |
42 |
existing ones are maybe adapted to this when I do other update work. |
43 |
|
44 |
And at keeping /etc in git: |
45 |
|
46 |
So far I made it a habit to do that on customer servers. Keeping track |
47 |
of changes is a good thing and helpful. I still wonder how to centralize |
48 |
this as I would like to have these, let's call them "profiles" in my own |
49 |
LAN as well. People tend to forget their backups etc ... I feel better |
50 |
with a copy locally. |
51 |
|
52 |
This leads to finding a structure of managing this. |
53 |
|
54 |
The /etc-git-repos so far are local to the customer servers. |
55 |
Sure, I can add remote repos and use ansible to push the content up there. |
56 |
|
57 |
One remote-repo per server-machine? I want to run these remote-repos on |
58 |
one of my inhouse-servers ... |
59 |
|
60 |
For now I wrote a small playbook that allows me to rsync /etc and |
61 |
world-file from all the Gentoo-boxes out there (and only /etc from |
62 |
firewalls and other non-gentoo-machines). |
63 |
|
64 |
As mentioned I don't have FQDNs for all hosts and this leads to the |
65 |
problem that there are several lines like "ipfire" in several groups. |
66 |
|
67 |
Rsyncing stuff into a path containing the hostname leads to conflicts: |
68 |
|
69 |
- name: "sync /etc from remote host to inventory host" |
70 |
synchronize: | |
71 |
mode=pull |
72 |
src=/etc |
73 |
dest={{ local_storage_path }}/"{{ inventory_hostname |
74 |
}}"/etc |
75 |
delete=yes |
76 |
recursive=yes |
77 |
|
78 |
|
79 |
So I assume I should just setup some kind of talking names like: |
80 |
|
81 |
[smith] |
82 |
ipfire_smith .... |
83 |
|
84 |
[brown] |
85 |
ipfire_brown .... |
86 |
|
87 |
... and use these just as "labels" ? |
88 |
|
89 |
Another idea is to generate some kind of UUID for each host and use that? |
90 |
|
91 |
---- |
92 |
|
93 |
I really like the ansible-approach so far. |
94 |
|
95 |
Even when I might not yet run the full standardized approach as I have |
96 |
to slowly get the existing hosts into this growing setup. |
97 |
|
98 |
Stefan |
99 |
|
100 |
|
101 |
[1] I haven't yet managed to store the output of the setup-module to |
102 |
the inventory host. I could run "ansible -i hosts.yml -m setup all" but |
103 |
I want a named txt-file per host in a separate subdir ... |