From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-questions@freebsd.org
Date: Mon, 7 Oct 2019 11:22:35 +0700
Subject: Re: Ansible for FreeBSD - use cases?
Message-ID: <20191007042235.GA98441@admin.sibptus.ru>
In-Reply-To: <8f645b64-059d-dab2-d08c-d608b645451b@osfux.nl>
References: <20191005141507.GA1223@admin.sibptus.ru> <20191006072125.GA83898@admin.sibptus.ru> <8f645b64-059d-dab2-d08c-d608b645451b@osfux.nl>
X-PGP-Key: http://admin.sibptus.ru/~vas/
X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634
User-Agent: Mutt/1.12.2 (2019-09-21)
Ruben wrote:
> >> - freebsd-update (crossing . releases, so using the "upgrade" switch)
> >
> > Do you administer freebsd-update within one release with Ansible too?
> >
>
> Yes, that works nicely (since it doesn't require interaction).

Maybe you have been lucky, but for me freebsd-update sometimes drops into
interactive mode to resolve conflicts in /etc.

> >>
> >> Ansible integrates quite nicely with Jinja2, which allows us to
> >> configure/administrate all applications we run on FreeBSD servers.
> >
> > Please tell if Jinja2 (which port is that?) has to be installed on the
> > Ansible controller only, or on every managed host?
>
> You would only need it on the ansible host. I think it's even a
> requirement for running ansible, but I'm not sure. The package I have
> currently installed on a FreeBSD ansible controller: py27-Jinja2-2.10.1.

You are right, in my test setup py36-Jinja2-2.10.1 is already a
requirement for sysutils/ansible.

[dd]

> > Thanks for the positive review! One more question: have you ever had
> > problems and disasters caused by Ansible modules? After all, they are
> > pieces of software written probably by a Linux-minded person modifying
> > your FreeBSD system's vitals. Does it not sound a bit scary?
>
> I totally agree: it is scary. Especially the packetfilter/firewall and
> user management stuff. As you are probably well aware AWS for instance
> doesn't provide console access to its ec2 instances. If a playbook/role
> screws up, customers miss an often very vital part of their infrastructure.
>
> If you test playbooks/roles on non-production deployments prior to
> running them on live stuff it's suddenly a lot less scary and I have
> never come across disaster scenarios.

I see.

> The user management modules - in my experience - are rock-solid. The
> "lineinfile, blockinfile, raw, shell, command" modules as well.
> What other modules were you contemplating using / what is your use case?

A good question. Let me remember the most tedious tasks.

1. I already distribute some configuration files (like squid white- and
blacklists, hosts.allow, sysutils/vm-bhyve templates etc) with
net/rdist6. I may replace rdist by ansible if it's more flexible (rdist
cannot edit files, only replaces if newer). The "copy", "lineinfile" and
"blockinfile" modules are for that, right?

2. Installation of packages (from the single repo I keep) and keeping
them up-to-date. In jails too.

3. User and group management certainly. In jails too.

4. Creation/destruction/configuration of a) jails and b) VMs in vm-bhyve.

5. The management of Let's Encrypt certs (I use acme.sh currently). Do I
even need ansible for that?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
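The tedious tasks listed above, as an added example that is not part of the thread and not Victor's or Ruben's own playbooks: one Ansible playbook covering items 1 to 3 (whole-file distribution with copy, in-place edits with lineinfile and blockinfile, packages from a single private repo on the host and inside a jail, user management) plus Ruben's in-release freebsd-update run. The inventory group, file paths, repository URL, jail name and user names are assumed placeholders, and the fully qualified module names assume a collection-aware Ansible (2.10 or later); with the 2019-era sysutils/ansible the same modules go by their short names (copy, lineinfile, blockinfile, pkgng, user).

```yaml
# Added example, not from the thread: one playbook for use cases 1-3 from the
# mail plus an in-release freebsd-update. Host group, paths, repo URL, jail
# and user names are assumed placeholders.
# Dry run first:  ansible-playbook -i inventory freebsd-base.yml --check --diff
---
- name: Baseline for FreeBSD hosts
  hosts: freebsd                      # assumed inventory group
  become: true
  vars:
    ansible_python_interpreter: /usr/local/bin/python3.6   # py36 from ports
    local_repo_url: "pkg+http://pkg.example.internal/${ABI}/latest"  # assumed
    jail_name: web1                   # assumed
    admin_users: [alice, bob]         # assumed

  tasks:
    # 1. Whole-file distribution (what rdist did), now with backup and validate.
    - name: Install hosts.allow
      ansible.builtin.copy:
        src: files/hosts.allow
        dest: /etc/hosts.allow
        owner: root
        group: wheel
        mode: "0644"
        backup: true

    - name: Install pf.conf only if pfctl accepts it
      ansible.builtin.copy:
        src: files/pf.conf
        dest: /etc/pf.conf
        mode: "0600"
        backup: true
        validate: /sbin/pfctl -nf %s    # %s = temp file; non-zero exit aborts
      notify: reload pf

    # In-place edits, which rdist cannot do.
    - name: Disable password logins in sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication\s'
        line: PasswordAuthentication no
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    - name: Managed block in rc.conf (markers make re-runs idempotent)
      ansible.builtin.blockinfile:
        path: /etc/rc.conf
        marker: "# {mark} ANSIBLE MANAGED"
        block: |
          pf_enable="YES"
          sshd_enable="YES"

    # 2. Packages from the single private repo, on the host and in a jail.
    - name: Use only the local pkg repository
      ansible.builtin.copy:
        dest: /usr/local/etc/pkg/repos/local.conf
        mode: "0644"
        content: |
          FreeBSD: { enabled: no }
          local: { url: "{{ local_repo_url }}", enabled: yes }

    - name: Install/update packages on the host
      community.general.pkgng:
        name: [sudo, squid]
        state: latest

    - name: Install/update packages inside the jail
      community.general.pkgng:
        name: [sudo]
        state: latest
        jail: "{{ jail_name }}"

    # 3. Users and groups (the user module drives pw(8) on FreeBSD).
    - name: Admin users in wheel, no password set (key-based login only)
      ansible.builtin.user:
        name: "{{ item }}"
        groups: wheel
        append: true
        shell: /bin/sh
        create_home: true
      loop: "{{ admin_users }}"

    # In-release patching. PAGER=cat and --not-running-from-cron keep fetch
    # off the terminal; merge conflicts in /etc still need a human.
    - name: Fetch security updates within the release
      ansible.builtin.command: freebsd-update --not-running-from-cron fetch
      environment:
        PAGER: cat
      register: fbsd_fetch
      changed_when: "'No updates needed' not in fbsd_fetch.stdout"

    - name: Install the fetched updates
      ansible.builtin.command: freebsd-update install
      when: fbsd_fetch is changed

  handlers:
    - name: reload pf
      ansible.builtin.command: /sbin/pfctl -f /etc/pf.conf
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it with --check --diff against a non-production host first, as Ruben suggests. The validate arguments on the pf.conf and sshd_config tasks are what makes the "scary" firewall and login changes tolerable on a machine without console access: pfctl -nf and sshd -t parse the candidate file and a non-zero exit leaves the live file untouched, while backup keeps the previous copy next to it. Items 4 and 5 (jail and vm-bhyve lifecycle, acme.sh) are not covered here.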