JP Vossen on 25 Jun 2016 11:39:58 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Ansible for updating in the field

I have 500+ CentOS-5 and 6 servers to manage in the field and I need to find the best Ansible way to maintain and update about 120 custom scripts and configs, but also a few binary library files.

I have SSH connectivity as a non-root user who does have `sudo` access.

By my design, all my 120+ files can be arbitrarily overwritten, any special snowflakes are handled via *.local files that are per-device and only ever touched manually. (The nodes are mostly cattle, not pets, but there are some "special" ones.)

I already have a `` that can install missing RPMs, create symlinks, fix permissions/owner, etc. It is idempotent and designed to be run any time just for the hell of it to make sure stuff is correct. There were Good Reasons to start that way instead of Ansible from scratch, but now I'm torn. The tier1/tier2 folks working on these devices will not have Ansible access, nor do they have strong Linux skills, so having a local "just make it right" script is very handy. OTOH, it duplicates the hell out of Ansible's domain.

All the code is in a tree in Subversion (don't ask) and the way we've deployed up to now is rsync from a sandbox or a tarball from an export, depending on some connectivity details, plus `` either way. Again, there are Good reasons for that, but it's not sustainable or scalable for in-life management; Ansible is.

I can think of two basic ways to handle on-going updates via Ansible:

1) Use Ansible rsync to upload the tree, with a handler of the existing `` script. This is simple, but blunt force. It's also probably fast to get working since it's just Ansiblizing what we do now.

2) List every single file, where it goes, owner, perms, etc. This is tedious, but surgical and would certainly involve double-entry with the `` script, until/unless I can do away with that.

It feels like #2 is more "correct" but #1 is faster to develop and a better fit with current practice, though I control practice and can slowly change or evolve it as needed.

Am I missing any better ways?  Am I over-thinking this?

Thoughts and clues?

--  -------------------------------------------------------------------
JP Vossen, CISSP | |
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --