| 1 |
On 2015-01-09 10:25, Stefan G. Weichinger wrote: |
| 2 |
> Am 08.01.2015 um 19:29 schrieb Alan McKinnon: |
| 3 |
> |
| 4 |
>> The directory layout in the best practice page is indeed way more than |
| 5 |
>> you need, it lists most of the directories in common use across a wide |
| 6 |
>> array of deployments. In reality you create just the directories you |
| 7 |
>> need. |
| 8 |
>> |
| 9 |
>> Global stuff goes in the top level (like inventory). |
| 10 |
>> Variables for groups and individual hosts go into suitably named files |
| 11 |
>> inside group_vars and host_vars. |
| 12 |
>> Roles have a definite structure, in practice you'll use tasks/ and |
| 13 |
>> templates/ a lot, everything else only when you need them. |
| 14 |
>> |
| 15 |
>> This is a good design I feel. If a file describes variables, you don't |
| 16 |
>> have to tag it as such or explicitly include it anywhere. Instead, |
| 17 |
>> files |
| 18 |
>> inside a *vars/ directory contain variables, the system knows when to |
| 19 |
>> use them based on the name of the file. It's really stunningly obvious |
| 20 |
>> once you train your brain to stop thinking in terms of complexity :-) |
| 21 |
> |
| 22 |
> Thanks a lot ... I spent some time with it already and learn to like it |
| 23 |
> ;) |
| 24 |
> |
| 25 |
> I am nearly done with setting up an inventory file for all the customer |
| 26 |
> boxes I am responsible for. Just using the ad-hoc-commands is very |
| 27 |
> useful already! |
| 28 |
> |
| 29 |
> For example I could store the output of the "setup" module for local |
| 30 |
> reference ... this gives me loads of basic information. |
| 31 |
> |
| 32 |
> I know it is not a backup program but I think I could also use it to |
| 33 |
> rsync all the /etc directories to my ansible host? Or trigger a "git |
| 34 |
> push" on the remote machines to let them push their configs up to some |
| 35 |
> central git-repo I provide here (having /etc and the @world-file is |
| 36 |
> quite a good start here and then ... ). |
| 37 |
> |
| 38 |
> It is also great to be able to check for let's say |
| 39 |
> shellshock-vulnerability by adding a playbook and running it to |
| 40 |
> all/some |
| 41 |
> of the servers out there ... I am really starting to come up with lots |
| 42 |
> of ideas! |
| 43 |
> |
| 44 |
> My current use case will be more of an inventory to track all the boxes |
| 45 |
> ... deploying stuff out to them seems not so easy in my slightly |
| 46 |
> heterogeneous "zoo". But this can lead to a more standardized setup, |
| 47 |
> sure. |
| 48 |
> |
| 49 |
> One question: |
| 50 |
> |
| 51 |
> As far as I see the hostname in the inventory does not have to be |
| 52 |
> unique? I have some firewalls out there without a proper FQDN, so there |
| 53 |
> are several "pfsense" lines in various groups (I have now groups in |
| 54 |
> there with the name of the [customer] and some of them have child |
| 55 |
> groups |
| 56 |
> like [customer-sambas] ...). |
| 57 |
> |
| 58 |
> I would like to be able to also access all the ipfires or sambas in |
| 59 |
> another group ... so I would have to list them again in that group |
| 60 |
> [ipfires] ? |
| 61 |
> |
| 62 |
> Thanks for the great hint to ansible, looking great so far! |
| 63 |
> Stefan |
| 64 |
|
| 65 |
Ansible is a not a backup solution. You don't need to download your /etc |
| 66 |
from the machines because you deploy your /etc to machines via ansible. |
| 67 |
|
| 68 |
I was also thinking about putting /etc in git and then deploying it but: |
| 69 |
- on updates, will you update all configurations in all /etc repos? |
| 70 |
- do you really want to keep all the information in git, is it |
| 71 |
necessary? |
| 72 |
|
| 73 |
Opposite to this, you can define roles like apache, mysql, |
| 74 |
common-gentoo, firewall etc. where you describe how to install that |
| 75 |
software and do some basic configuration that is to be shared among the |
| 76 |
most of your machines. You can also define "default" values (like the |
| 77 |
bind address, the listen port) and then override it in your machine |
| 78 |
group role (if it's used with multiple servers). |
| 79 |
|
| 80 |
If you have all the software pieces written down in roles and you use |
| 81 |
the defaults of that role, you simply get to that a server configuration |
| 82 |
is just a compound of that roles (plus some configuration copy). Like |
| 83 |
this an apache+php application server with firewall and centralized |
| 84 |
logging is just like around 20-30 lines. |
| 85 |
|
| 86 |
You don't need to use roles, you can put all this information in task |
| 87 |
files and then you include this files, however then you don't have |
| 88 |
encapsulation and the default values. |
| 89 |
|
| 90 |
It really doesn't matter how your servers diverge, if you keep the |
| 91 |
details split up in roles, you just cherry-pick the roles, overriding |
| 92 |
their defaults and copying configuration. However it is true that |
| 93 |
ansible tries to keep your configuration identical among server (for |
| 94 |
example to not install apache absolutely differently on two machines, |
| 95 |
but to use as much common pieces as possible). |
| 96 |
|
| 97 |
Check out ansible galaxy and search for some roles (like apache, cron, |
| 98 |
redis etc.). Regarding configuration, you can template or just copy the |
| 99 |
configuration to a server (like when installing postfix for example) but |
| 100 |
you need to keep the template up to date with the shipped configuration |
| 101 |
(or ship your own configuration and diverge from mainstream). An |
| 102 |
alternative is to just make some changes to the default configuration |
| 103 |
(replace line, add some line). Then you don't need to update your |
| 104 |
templates, on updates you can copy over the new configuration from |
| 105 |
._cfgXXX and make the same changes as before, most probably it will |
| 106 |
work. A good trick is to use include directories where possible (don't |
| 107 |
edit /etc/sudoers but copy your stuff to /etc/sudoers.d). |
Archives