1 |
On 2015-01-09 10:25, Stefan G. Weichinger wrote: |
2 |
> Am 08.01.2015 um 19:29 schrieb Alan McKinnon: |
3 |
> |
4 |
>> The directory layout in the best practice page is indeed way more than |
5 |
>> you need, it lists most of the directories in common use across a wide |
6 |
>> array of deployments. In reality you create just the directories you |
7 |
>> need. |
8 |
>> |
9 |
>> Global stuff goes in the top level (like inventory). |
10 |
>> Variables for groups and individual hosts go into suitably named files |
11 |
>> inside group_vars and host_vars. |
12 |
>> Roles have a definite structure, in practice you'll use tasks/ and |
13 |
>> templates/ a lot, everything else only when you need them. |
14 |
>> |
15 |
>> This is a good design I feel. If a file describes variables, you don't |
16 |
>> have to tag it as such or explicitly include it anywhere. Instead, |
17 |
>> files |
18 |
>> inside a *vars/ directory contain variables, the system knows when to |
19 |
>> use them based on the name of the file. It's really stunningly obvious |
20 |
>> once you train your brain to stop thinking in terms of complexity :-) |
21 |
> |
22 |
> Thanks a lot ... I spent some time with it already and learn to like it |
23 |
> ;) |
24 |
> |
25 |
> I am nearly done with setting up an inventory file for all the customer |
26 |
> boxes I am responsible for. Just using the ad-hoc-commands is very |
27 |
> useful already! |
28 |
> |
29 |
> For example I could store the output of the "setup" module for local |
30 |
> reference ... this gives me loads of basic information. |
31 |
> |
32 |
> I know it is not a backup program but I think I could also use it to |
33 |
> rsync all the /etc directories to my ansible host? Or trigger a "git |
34 |
> push" on the remote machines to let them push their configs up to some |
35 |
> central git-repo I provide here (having /etc and the @world-file is |
36 |
> quite a good start here and then ... ). |
37 |
> |
38 |
> It is also great to be able to check for let's say |
39 |
> shellshock-vulnerability by adding a playbook and running it to |
40 |
> all/some |
41 |
> of the servers out there ... I am really starting to come up with lots |
42 |
> of ideas! |
43 |
> |
44 |
> My current use case will be more of an inventory to track all the boxes |
45 |
> ... deploying stuff out to them seems not so easy in my slightly |
46 |
> heterogeneous "zoo". But this can lead to a more standardized setup, |
47 |
> sure. |
48 |
> |
49 |
> One question: |
50 |
> |
51 |
> As far as I see the hostname in the inventory does not have to be |
52 |
> unique? I have some firewalls out there without a proper FQDN, so there |
53 |
> are several "pfsense" lines in various groups (I have now groups in |
54 |
> there with the name of the [customer] and some of them have child |
55 |
> groups |
56 |
> like [customer-sambas] ...). |
57 |
> |
58 |
> I would like to be able to also access all the ipfires or sambas in |
59 |
> another group ... so I would have to list them again in that group |
60 |
> [ipfires] ? |
61 |
> |
62 |
> Thanks for the great hint to ansible, looking great so far! |
63 |
> Stefan |
64 |
|
65 |
Ansible is a not a backup solution. You don't need to download your /etc |
66 |
from the machines because you deploy your /etc to machines via ansible. |
67 |
|
68 |
I was also thinking about putting /etc in git and then deploying it but: |
69 |
- on updates, will you update all configurations in all /etc repos? |
70 |
- do you really want to keep all the information in git, is it |
71 |
necessary? |
72 |
|
73 |
Opposite to this, you can define roles like apache, mysql, |
74 |
common-gentoo, firewall etc. where you describe how to install that |
75 |
software and do some basic configuration that is to be shared among the |
76 |
most of your machines. You can also define "default" values (like the |
77 |
bind address, the listen port) and then override it in your machine |
78 |
group role (if it's used with multiple servers). |
79 |
|
80 |
If you have all the software pieces written down in roles and you use |
81 |
the defaults of that role, you simply get to that a server configuration |
82 |
is just a compound of that roles (plus some configuration copy). Like |
83 |
this an apache+php application server with firewall and centralized |
84 |
logging is just like around 20-30 lines. |
85 |
|
86 |
You don't need to use roles, you can put all this information in task |
87 |
files and then you include this files, however then you don't have |
88 |
encapsulation and the default values. |
89 |
|
90 |
It really doesn't matter how your servers diverge, if you keep the |
91 |
details split up in roles, you just cherry-pick the roles, overriding |
92 |
their defaults and copying configuration. However it is true that |
93 |
ansible tries to keep your configuration identical among server (for |
94 |
example to not install apache absolutely differently on two machines, |
95 |
but to use as much common pieces as possible). |
96 |
|
97 |
Check out ansible galaxy and search for some roles (like apache, cron, |
98 |
redis etc.). Regarding configuration, you can template or just copy the |
99 |
configuration to a server (like when installing postfix for example) but |
100 |
you need to keep the template up to date with the shipped configuration |
101 |
(or ship your own configuration and diverge from mainstream). An |
102 |
alternative is to just make some changes to the default configuration |
103 |
(replace line, add some line). Then you don't need to update your |
104 |
templates, on updates you can copy over the new configuration from |
105 |
._cfgXXX and make the same changes as before, most probably it will |
106 |
work. A good trick is to use include directories where possible (don't |
107 |
edit /etc/sudoers but copy your stuff to /etc/sudoers.d). |