From: Ruben <mail@osfux.nl>
To: Victor Sudakov, freebsd-questions@freebsd.org
Subject: Re: Ansible for FreeBSD - use cases?
Date: Mon, 7 Oct 2019 09:18:55 +0200
In-Reply-To: <20191007042235.GA98441@admin.sibptus.ru>
stuff snipped

On 10/7/19 6:22 AM, Victor Sudakov wrote:
> Ruben wrote:
>>>> - freebsd-update (crossing . releases, so using the "upgrade" switch)
>>>
>>> Do you administer freebsd-update within one release with Ansible too?
>>>
>>
>> Yes, that works nicely (since it doesn't require interaction).
>
> Maybe you have been lucky, but for me freebsd-update sometimes drops
> into interactive mode to resolve conflicts in /etc
>

freebsd-update within the same point release works nicely. So 11.2.*. The
moment I use the upgrade switch to change to 11.3 for instance, the pain
starts. It's a real shame it's this difficult. I've tried all sorts of
pre-seeding, freebsd-update.conf options, caching servers, adjusting
freebsd-update, etc. I spent hours on trying to smooth this.

A co-worker came up with a better solution I think: just unpack the new
distribution on top of everything that is in place (keep a list of config
files that were overwritten, script, etc.). Of course, this has its
drawbacks as well, but should we decide to spend any more time on this
(prior to the pkgng-of-base solution) that will be our next attempt.

The situation at the moment is terrible if I compare it to other OSes I
manage with Ansible. Normally we just delete a VM and redeploy it with the
new OS, but since we use FreeBSD a lot for fileservers, this is not always
possible.

I'm curious how others solve this (freebsd-update with orchestration
tools).

>> What other modules were you contemplating on using / what is your usecase?
>
> A good question. Let me remember the most tedious tasks.
>
> 1. I already distribute some configuration files (like
> squid white- and blacklists, hosts.allow, sysutils/vm-bhyve templates
> etc) with net/rdist6. I may replace rdist by ansible if it's more
> flexible (rdist cannot edit files, only replaces if newer).
> The "copy", "lineinfile" and "blockinfile" modules are for that, right?
>

Yes.

You could also try using the "template" module. If you use the template
module, you can generate the config files (or feed "blockinfile" for
instance) based on Jinja2 templates you keep.

> 2. Installation of packages (from the single repo I keep) and keeping
> them up-to-date. In jails too.
>
> 3. User and group management certainly. In jails too.
>
> 4. Creation/destruction/configuration of a) jails and b) VMs in vm-bhyve.
>

I have very limited experience with running jails, let alone managing them
with Ansible. I do manage a couple of bhyve machines, but without the
vm-bhyve framework. I just use Ansible to execute shell scripts on the
hypervisors, no fancy stuff there.

> 5. The management of Let's Encrypt certs (I use acme.sh currently). Do I
> even need ansible for that?
>

I don't think you "need" Ansible, cron might be better suited?

Regards,

Ruben
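The playbook below is an added example for the points raised in this exchange (Jinja2-driven "blockinfile" for hosts.allow, the "template" module for a whole file, package and user management, and a non-interactive freebsd-update within one point release). It is not Ruben's or Victor's code. It assumes an inventory group named "freebsd", a hypothetical template file templates/squid-blacklist.j2 on the control node, and the constructed sample values in "vars"; the hosts.allow ordering caveat in the comments is the security-relevant part.

```yaml
# Added example playbook (not from the thread). Assumptions: inventory group
# "freebsd", python on the managed hosts, and the hypothetical template
# templates/squid-blacklist.j2 present on the control node.
- name: Routine FreeBSD maintenance with Ansible
  hosts: freebsd
  become: true
  vars:
    # Constructed sample data: networks allowed to reach sshd via tcp_wrappers.
    sshd_allowed_hosts:
      - 192.168.9.0/255.255.255.0
      - 10.0.0.5
    base_packages:
      - sudo
      - rsync
  tasks:
    - name: Render a managed sshd allow list into /etc/hosts.allow
      # Jinja2 in "block" is rendered before the module runs, so the list
      # above becomes one rule per host. insertbefore: BOF is deliberate:
      # the stock FreeBSD hosts.allow begins with "ALL : ALL : allow" and
      # the first matching rule wins, so a deny appended at the end of the
      # file would never be consulted.
      blockinfile:
        path: /etc/hosts.allow
        insertbefore: BOF
        marker: "# {mark} ANSIBLE MANAGED: sshd allow list"
        backup: true
        block: |
          {% for h in sshd_allowed_hosts %}
          sshd : {{ h }} : allow
          {% endfor %}
          sshd : ALL : deny

    - name: Generate a whole config file from a Jinja2 template
      # templates/squid-blacklist.j2 is hypothetical; it would loop over a
      # "squid_blacklist" variable, one domain per line.
      template:
        src: templates/squid-blacklist.j2
        dest: /usr/local/etc/squid/blacklist
        owner: root
        group: wheel
        mode: "0644"
      notify: reload squid

    - name: Install packages and keep them current from the configured repo
      pkgng:
        name: "{{ base_packages }}"
        state: latest

    - name: Ensure the admin group and a member account exist
      group:
        name: admins
        state: present
    - name: Create the ops user (pw(8) is driven by the user module on FreeBSD)
      user:
        name: ops
        groups: admins,wheel
        append: true
        shell: /bin/sh

    - name: Apply binary updates within the current point release
      # No tty under Ansible: --not-running-from-cron lets freebsd-update
      # proceed without one, and PAGER=cat stops it waiting in $PAGER for a
      # keypress. Release upgrades (the "upgrade" command) are not attempted
      # here because they prompt for merges in /etc, as discussed above.
      command: freebsd-update --not-running-from-cron fetch install
      environment:
        PAGER: cat
      register: fbsd_update
      changed_when: "'No updates needed' not in fbsd_update.stdout"
      # "install" reports nothing to do when "fetch" found no updates;
      # treat that as success rather than a failed host.
      failed_when: >
        fbsd_update.rc != 0 and
        'No updates' not in fbsd_update.stdout

  handlers:
    - name: reload squid
      service:
        name: squid
        state: reloaded
```

Run it with `ansible-playbook -i inventory freebsd-maint.yml --check --diff` first: the "diff" output shows exactly what the rendered hosts.allow block will look like before it is written, which is the check worth doing whenever a tcp_wrappers or firewall rule is generated from a variable.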