From: Ruben
To: Victor Sudakov, freebsd-questions@freebsd.org
Subject: Re: Ansible for FreeBSD - use cases?
Date: Sun, 6 Oct 2019 10:25:14 +0200

Hi Victor,

On 10/6/19 9:21 AM, Victor Sudakov wrote:
> Ruben wrote:
>> Stuff snipped.
>
> Did you consider compiling centrally in poudriere and then installing
> the binary packages with pkgng on the managed hosts?

I haven't considered it seriously. Mainly because I have no experience with using poudriere whatsoever, partly because it only covers fringe-cases in our usage.

>
>> - freebsd-update (crossing . releases, so using the "upgrade" switch)
>
> Do you administer freebsd-update within one release with Ansible too?
>

Yes, that works nicely (since it doesn't require interaction).

>>
>> Ansible integrates quite nicely with Jinja2, which allows us to
>> configure/administrate all applications we run on FreeBSD servers.
>
> Please tell if Jinja2 (which port is that?) has to be installed on the
> Ansible controller only, or on every managed host?

You would only need it on the ansible host. I think it's even a requirement for running ansible, but I'm not sure. The package I have currently installed on a FreeBSD ansible controller: py27-Jinja2-2.10.1 .

>
>> I think using a framework to administer stuff that is used by many other
>> sysadmins makes more sense than writing one's own framework. I don't
>> know of any other orchestration framework out there that is OS and only
>> needs ssh/python in order to function, that's why I use Ansible.
>
> Thanks for the positive review! One more question: have you ever had
> problems and disasters caused by Ansible modules? After all, they are
> pieces of software written probably by a Linux-minded person modifying
> your FreeBSD system's vitals. Does it not sound a bit scary?

I totally agree: it is scary. Especially the packetfilter/firewall and user management stuff. As you are probably well aware, AWS for instance doesn't provide console access to its ec2 instances. If a playbook/role screws up, customers miss an often very vital part of their infrastructure.

If you test playbooks/roles on non-production deployments prior to running them on live stuff, it's suddenly a lot less scary and I have never come across disaster scenarios.

The user management modules - in my experience - are rock-solid. The "lineinfile,blockinfile,raw,shell,command" modules as well. What other modules were you contemplating on using / what is your use case?

Regards,

Ruben