[ale] Linux configuration management (validation)?

JD jdp at algoloma.com
Tue Oct 14 09:07:58 EDT 2014


On 10/14/2014 06:56 AM, Raj Wurttemberg wrote:
> Our Linux server environment has grown from 10 RHEL servers to over 150 RHEL
> systems in a few short months. I need an easy way to confirm that they all have
> the same settings (sshd, time zone, routes, selinux, etc…) for security
> purposes. At the moment I have a simple bash script (lots of sed and awk!)
> that prepares a server for use but I would like something that would be easier
> to manage and to be able to turn over to someone else to manage eventually.


I'm with Emily.

Ansible.  10x easier than puppet. You can be managing all those systems in less
than 1 hr. Nothing needs to be installed on the client machines besides the
default python (they already have) and ssh-server.  If you have ssh-keys there,
it is easier, but you can use ansible to push those too.

A 20 min video will introduce it - "ansible quickstart video" will find it. It
is basically all about a nice organization for your playbooks, tasks, variables,
notifications, templates, files, etc... and how you want to manage the network
systems .... Some of my playbooks are for "all web servers" and others are for
"exactly 1 server" ... lots-o-reuse. And consistency - you will have
consistency. The video will explain better than I can.

Before I bring up a new system, I create a build-playbook for that system. It is
basically a list of tasks to be performed so it fits into the network here. Uses
the time server, the package cache-server, has my preferred settings, ssh-keys,
consistent sshd_config, static IP, disabled ipv6, nominal firewall, tcp-wrapper
settings, etc...
http://blog.jdpfu.com/2014/02/28/1st-five-minutes-on-a-server explains more.

I've looked at chef, saltstack, puppet, Rexify, cfengine and a few others.
Ansible is much easier and just as capable. It was created by a former
Puppet-Labs engineer who thought Puppet was overly complex for the job.  The
same guy created cobbler.

Ansible is python - but that isn't important at all - no need to deal with
python at all. Actually, it isn't even helpful to know python from what I can
tell. I'm a perl and ruby guy - but still prefer ansible over the options.

OTOH, Puppet is the IBM of 1989 and Microsoft of 2002 - nobody gets fired for
picking it. If you want to be a DevOps expert and get paid as such, puppet is
the poison to take.

A quick test.
* Load ansible onto 1 workstation. No place else.
* create a "hosts-inventory" file that lists all the system names (DNS, IP, or
whatever your /etc/hosts has) - following their example format. Feel free to use
patterns - db[01:10]-node.example.com
* Run - ansible -i hosts -a "uname -a" all

Be happy.
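[Editor's note: the playbook below is an added illustration of the "quick test" and the build-playbook idea in the message above; it is not code from the original post or from the Ansible project. The host names, the ntp server, and the sshd settings chosen are assumptions for the example. The inventory file it expects is shown in the leading comment.]

```yaml
---
# Added example, not from the original post. Assumes an inventory file named
# "hosts" next to this playbook, using the range pattern mentioned above:
#
#   [web]
#   web[01:20].example.com
#   [db]
#   db[01:10]-node.example.com
#
# Apply the baseline:        ansible-playbook -i hosts baseline.yml
# Only report drift, no changes: ansible-playbook -i hosts baseline.yml --check --diff
- hosts: all
  become: yes
  vars:
    # Hypothetical values chosen for the example.
    ntp_server: ntp.example.com
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      X11Forwarding: "no"

  tasks:
    - name: enforce one sshd_config across every host
      lineinfile:
        dest: /etc/ssh/sshd_config
        # Match the directive whether it is set or only present as a comment.
        regexp: '^#?\s*{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        # sshd -t checks the candidate file before it replaces the live one,
        # so a typo cannot lock you out of 150 machines at once.
        validate: '/usr/sbin/sshd -t -f %s'
      with_dict: "{{ sshd_settings }}"
      notify: restart sshd

    - name: point chrony/ntpd at the local time server
      lineinfile:
        dest: /etc/ntp.conf
        regexp: '^server\s'
        line: 'server {{ ntp_server }} iburst'

    - name: same time zone everywhere
      file:
        src: /usr/share/zoneinfo/UTC
        dest: /etc/localtime
        state: link
        force: yes

    - name: keep SELinux enforcing across reboots
      lineinfile:
        dest: /etc/selinux/config
        regexp: '^SELINUX='
        line: 'SELINUX=enforcing'

    - name: read the running SELinux mode (read-only, runs even under --check)
      command: getenforce
      register: selinux_mode
      changed_when: false
      check_mode: no   # keyword available from Ansible 2.2 onward

    - name: flag any host that is not actually enforcing right now
      fail:
        msg: "SELinux is {{ selinux_mode.stdout }} on {{ inventory_hostname }}"
      when: selinux_mode.stdout != "Enforcing"

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

Running this with `--check --diff` answers the original question directly: Ansible prints, per host, exactly which lines would change, without touching anything, so a fleet-wide drift report is one command. The `validate:` line matters for anyone pushing sshd_config to many hosts at once; without it a bad directive is written to disk and only discovered when sshd is restarted.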


