wetting my feet with CM software



  • just for the curious, I'm trying to configure a couple of VMs with Ansible and Salt just to compare them.
    here is my diary with the gists.

    notes:

    • this is a work in progress
    • this is really n00b stuff: I'm a coder not a sys admin
    • I'm not the kind of man that reads the full docs and then starts coding in an orderly way <- I'd rather create a lot of chaos and then reorder and formalize after reading the docs
    • the document is a sort of diary, updated live in these days whenever I have time.

    bye bye



  • ok, I've pushed the configuration scripts for Salt on github. In the meantime, here is my conclusion after I've experimented a bit with both systems. Again: this is the newbie approach, so take it with a grain of... Salt(stack) :)

    My conclusion here is that Ansible is more deeply rooted and mature, but Salt is more powerful/easier to deal with once up and running. The issue is how to get it up and running:

    • The first thing to consider as of now is that Salt is less available than Ansible in distros’ packages. Moreover, with Ansible being backed by Red Hat, it is possible that they will purge Salt as they did with Xen. This implies a bit of trouble, as the recommended ways of installing Salt either require you to stick with a vulnerable version or expose you to the fast pace of updates which - for security reasons - have already broken backward compatibility twice. Considering this, I’ve ended up with the salt-ssh approach, which resembles the Ansible one and involves just the control machine, avoiding risky version upgrades.
    • Neither system runs on python3, with Ansible having an experimental mode enabled. This implies that even today you have to instrument Ubuntu distros (and in the near future Debian too) with a python-minimal package which is able to deal with Salt/Ansible.
    • Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu-like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.
    • Considering this, instrumentation is a bit more trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force Salt to install those items from a salt-ssh command line. It can’t create a state file for instrumentation like Ansible’s “instrumentation” playbooks.
    • This implies that rebuilding an infrastructure is not one line away with Salt as it is with Ansible: first you need to instrument with salt-ssh, then run environments (a cascade of playbooks in Ansible terms). As a side note, Ansible requires libselinux-python as an additional dependency on CentOS 7, while Salt doesn’t.
    • Basically this means that Salt instrumentation is more cumbersome: while Ansible requires you to export your keys and set up the hosts file (Roster in Salt), here you also have to create the user and then manually issue a salt-ssh command system-wide, without any target filtering, as you cannot know whether you are sending an apt-get command for instrumentation even to CentOS machines. Really a bad hack, maybe due to my noobness.
    • The relevant thing here is: how can one massively create this user on a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an ISO, but a small company like mine is best served by Ansible-like solutions, especially in disaster recovery scenarios, where you have to think fast about a lot of things.
    • Another thing to keep in mind is that issuing raw shell commands is neither well suited for error catching nor for input security, but, at the end of the day, it can save your day, as it fits well the role of fallback. While this is not possible before instrumentation with Salt, both systems can do this once up and running, allowing you to fill possible feature holes in the functions (something like systemd modules not already in place).
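    The locked-down NOPASSWD account described above, as an added shell example that is not from the thread or from the Salt project: it creates a dedicated automation user (assumed name saltbot, constructed for the example), installs a visudo-checked sudoers drop-in for it, and audits the drop-in directory so that no ordinary login user ends up with NOPASSWD. The drop-in directory is passed in by the caller (/etc/sudoers.d in production).

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated automation account for
# salt-ssh, so passwordless sudo never lands on the normal login user.
# Assumptions (constructed): account name "saltbot", drop-in directory and
# SSH public key path supplied by the caller.
set -eu

# Render the sudoers drop-in. Only this one account gets NOPASSWD; the
# !requiretty default lets salt-ssh run sudo without a pseudo-terminal.
render_sudoers() {
    user="$1"
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user"
}

# Write the drop-in with the mode sudo expects (0440) and refuse to install
# it when visudo rejects the syntax: a broken sudoers file locks everyone out.
install_sudoers() {
    user="$1"; sudoers_dir="$2"
    target="$sudoers_dir/90-$user"
    tmp="$(mktemp)"
    render_sudoers "$user" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target"
    printf '%s\n' "$target"
}

# Audit: every principal (user or %group) granted NOPASSWD anywhere in the
# drop-in directory, one per line, comments ignored.
nopasswd_users() {
    grep -hs 'NOPASSWD' "$1"/* | grep -v '^[[:space:]]*#' | awk '{print $1}' | sort -u
}

# Succeeds only when the automation user is the sole NOPASSWD principal;
# a second name showing up here is the "security suicide" case from the post.
only_nopasswd_user() {
    [ "$(nopasswd_users "$1")" = "$2" ]
}

# Create the account itself (root only): locked password, key-only SSH login.
create_automation_user() {
    user="$1"; pubkey="$2"
    useradd -m -s /bin/bash "$user"
    passwd -l "$user"                        # no usable password, ever
    home="$(getent passwd "$user" | cut -d: -f6)"
    install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
    install -m 0600 -o "$user" -g "$user" "$pubkey" "$home/.ssh/authorized_keys"
}
```

    As root, `create_automation_user saltbot /path/to/key.pub` followed by `install_sudoers saltbot /etc/sudoers.d` sets the host up for salt-ssh; `only_nopasswd_user /etc/sudoers.d saltbot` is the check worth running from a playbook or state afterwards.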


  • Once up and running, Salt is really the winner to me, for a number of reasons:

    • it can leverage full Jinja2 templating straight inside state files (playbooks), letting you avoid splitting playbooks or adding all of those ‘when’ directives all around;
    • its file.managed state is a proper diff-patch automatic routine able to check for file state without requiring you to create patches or the like as you have to with Ansible: it is just auto-magic;
    • while distro specificities are always there, Salt tends to abstract away as much as possible the underlying OS you are configuring, leading to a certain reduction in the number of lines/verbosity. It is just a bit more “dense”. While not incredibly more dense, it is still more compact;
    • I’ve not dug into this in depth, but Salt allows you to keep your config files in a git repo in the cloud (say github or bitbucket) and deploy them from there. I’m talking about config templates or so, like a crontab file etc... Again, I’ve not tested this so I cannot comment on it, but it is a really nice idea. Ansible can leverage git in one way or another, but has no builtin modules for file redistribution straight from git.


  • +1 to everything, very good effort and explanation and helpful experiment.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    • The first thing to consider as of now is that Salt is less available than Ansible in distros’ packages. Moreover, with Ansible being backed by Red Hat, it is possible that they will purge Salt as they did with Xen.

    What do you mean purge? Xen is still supported by Red Hat and XenServer is still built on it.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    • Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.

    This isn't a standard user, though, so that this is considered bad for standard users isn't applicable here. So that's not a negative.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    • Considering this, instrumentation is a bit more trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force Salt to install those items from a salt-ssh command line. It can’t create a state file for instrumentation like Ansible’s “instrumentation” playbooks.
    • This implies that rebuilding an infrastructure is not one line away with Salt as it is with Ansible: first you need to instrument with salt-ssh, then run environments (a cascade of playbooks in Ansible terms). As a side note, Ansible requires libselinux-python as an additional dependency on CentOS 7, while Salt doesn’t.

    What do you mean? You'd have Salt built into your base image. So none of this would apply in normal circumstances. Salt would already be installed along with all dependencies before you even start.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    • Basically this means that Salt instrumentation is more cumbersome: while Ansible requires you to export your keys and set up the hosts file (Roster in Salt), here you also have to create the user and then manually issue a salt-ssh command system-wide, without any target filtering, as you cannot know whether you are sending an apt-get command for instrumentation even to CentOS machines. Really a bad hack, maybe due to my noobness.

    None of this has happened when I've used Salt. I'm not sure why you are having these issues. It "just works" when we've used it. No need for dependencies to be met, no user creation, no SSH in from the outside... nothing like that.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    • The relevant thing here is: how can one massively create this user on a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an ISO, but a small company like mine is best served by Ansible-like solutions, especially in disaster recovery scenarios, where you have to think fast about a lot of things.

    Why would you not have your VM customized? Size doesn't make any difference. Even if you are a one man shop with one server, you would customize your installation distro. We do this just for our lab alone, for example. And we do it on Vultr or Linode. Makes everything much easier and standardized, even if you are not using a tool like Ansible or Salt. In fact, the smaller you are, the more important that efficient processes be used. Big companies can afford to be more lax, and often are.


  • Service Provider

    You left out instant commands. Salt can run commands or changes against the environment "instantly", faster than SSH. If something is wrong and you need to push a change or you need to be really tight on the timing of a change, Salt makes this incredibly easy.



  • @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • The first thing to consider as of now is that Salt is less available than Ansible in distros’ packages. Moreover, with Ansible being backed by Red Hat, it is possible that they will purge Salt as they did with Xen.

    What do you mean purge? Xen is still supported by Red Hat and XenServer is still built on it.

    I mean that new Red Hat products have KVM by default and Xen, in my humble opinion, is a second class citizen - at least since Red Hat 7. Of course they support their previous releases, and of course XenServer is built on it, but it is based on the CentOS distro and is supported by the XenServer project (Linux Foundation?), not by direct Red Hat support.



  • @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.

    This isn't a standard user, though, so that this is considered bad for standard users isn't applicable here. So that's not a negative.

    It is negative in that I have to make adjustments to "plain" installed distros by hand, or at least with other configuration tools. Then having a dedicated locked-down user is perfectly OK.



  • @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • Considering this, instrumentation is a bit more trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force Salt to install those items from a salt-ssh command line. It can’t create a state file for instrumentation like Ansible’s “instrumentation” playbooks.
    • This implies that rebuilding an infrastructure is not one line away with Salt as it is with Ansible: first you need to instrument with salt-ssh, then run environments (a cascade of playbooks in Ansible terms). As a side note, Ansible requires libselinux-python as an additional dependency on CentOS 7, while Salt doesn’t.

    What do you mean? You'd have Salt built into your base image. So none of this would apply in normal circumstances. Salt would already be installed along with all dependencies before you even start.

    that's the point: if you run a standard ISO from Canonical or Red Hat/CentOS, you don't have it installed by any default install: you have to add it and/or preseed the installer (never done this, so I'd have to experiment with it).



  • @scottalanmiller said in wetting my feet with CM software:

    It "just works" when we've used it. No need for dependencies to be met, no user creation, no SSH in from the outside... nothing like that

    if you install the minions everything is resolved by the installer, either the bootstrap script or the repository you have chosen. What is nice about Ansible is that you just need to apt-get/yum install it on a control machine, then "minions" are there: just add the dependency installation as the very first step in your playbook and Ansible "autoinstalls" the requirements.

    You can do this even with Salt, but you need salt-ssh -r on the command line and then you can execute any state deployment with Salt (either salt-ssh or salt master/minion).

    Everything boils down to whether or not you have an image ready to go with your CM tools. With Ansible you do not need it, you can do it on the fly. With Salt you have an intermediate step. To me it is better to run salt-ssh to instrument your target machines, rather than preseed an image. This is massive and does not require you to poke around with ISOs and so on...

    It is just an additional step to remember even when you are in a hurry. just this.

    Or, of course, I've missed something. Do not forget I've just started this as a learning project, so exchange here is really appreciated.



  • @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • The relevant thing here is: how can one massively create this user on a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an ISO, but a small company like mine is best served by Ansible-like solutions, especially in disaster recovery scenarios, where you have to think fast about a lot of things.

    Why would you not have your VM customized? Size doesn't make any difference. Even if you are a one man shop with one server, you would customize your installation distro. We do this just for our lab alone, for example. And we do it on Vultr or Linode. Makes everything much easier and standardized, even if you are not using a tool like Ansible or Salt. In fact, the smaller you are, the more important that efficient processes be used. Big companies can afford to be more lax, and often are.

    mmm... link please :)
    (OK, after lunch I will search for it anyway)


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • The first thing to consider as of now is that Salt is less available than Ansible in distros’ packages. Moreover, with Ansible being backed by Red Hat, it is possible that they will purge Salt as they did with Xen.

    What do you mean purge? Xen is still supported by Red Hat and XenServer is still built on it.

    I mean that new Red Hat products have KVM by default and Xen, in my humble opinion, is a second class citizen - at least since Red Hat 7. Of course they support their previous releases, and of course XenServer is built on it, but it is based on the CentOS distro and is supported by the XenServer project (Linux Foundation?), not by direct Red Hat support.

    True, but you really don't bring in Salt from Red Hat sources, at least we don't. We use Salt's own tools.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.

    This isn't a standard user, though, so that this is considered bad for standard users isn't applicable here. So that's not a negative.

    It is negative in that I have to make adjustments to "plain" installed distros by hand, or at least with other configuration tools. Then having a dedicated locked-down user is perfectly OK.

    That's considered a basic in any environment, though, whether you are using Ansible or Salt. Just getting your keys in place requires an adjustment to the base install, so Ansible doesn't work without a modified base either.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • Considering this, instrumentation is a bit more trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force Salt to install those items from a salt-ssh command line. It can’t create a state file for instrumentation like Ansible’s “instrumentation” playbooks.
    • This implies that rebuilding an infrastructure is not one line away with Salt as it is with Ansible: first you need to instrument with salt-ssh, then run environments (a cascade of playbooks in Ansible terms). As a side note, Ansible requires libselinux-python as an additional dependency on CentOS 7, while Salt doesn’t.

    What do you mean? You'd have Salt built into your base image. So none of this would apply in normal circumstances. Salt would already be installed along with all dependencies before you even start.

    that's the point: if you run a standard ISO from Canonical or Red Hat/CentOS, you don't have it installed by any default install: you have to add it and/or preseed the installer (never done this, so I'd have to experiment with it).

    Same with Ansible, there is no agent there by default, nor keys for accessing the OS. Neither "just works". Nothing does. And just doing installs from ISO is a lot of effort that isn't needed. That's way more time consuming and complex than doing one install, installing keys for Ansible or the agent for Salt, running updates for security then making an image. Making a new install is seconds after that, instead of a long time. It's worth it, even for a single additional install.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    To me it is better to run salt-ssh to instrument your target machines, rather than preseed an image. This is massive and does not require you to poke around with ISOs and so on...

    This is where we differ. As someone who never uses the ISOs and always preseeds, I'm unclear what benefit there is from using the ISOs, ever (other than the very first time, obviously.) I want to avoid the ISOs as much as possible, I see them as purely a negative from all aspects. They are slow, risky (because we don't ensure standard security) and cumbersome. Even without CM tools we never used the ISOs. We pre-seeded keys, standard packages, latest updates, etc.

    So what's the reason you choose ISOs? What benefit are you seeing from all that extra work?


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    • The relevant thing here is: how can one massively create this user on a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an ISO, but a small company like mine is best served by Ansible-like solutions, especially in disaster recovery scenarios, where you have to think fast about a lot of things.

    Why would you not have your VM customized? Size doesn't make any difference. Even if you are a one man shop with one server, you would customize your installation distro. We do this just for our lab alone, for example. And we do it on Vultr or Linode. Makes everything much easier and standardized, even if you are not using a tool like Ansible or Salt. In fact, the smaller you are, the more important that efficient processes be used. Big companies can afford to be more lax, and often are.

    mmm... link please :)
    (OK, after lunch I will search for it anyway)

    Just back from the grocery now. Link to what exactly? To how we do it on Vultr, for example?



  • @scottalanmiller said in wetting my feet with CM software:

    Same with Ansible, there is no agent there by default, nor keys for accessing the OS. Neither "just works". Nothing does. And just doing installs from ISO is a lot of effort that isn't needed. That's way more time consuming and complex than doing one install, installing keys for Ansible or the agent for Salt, running updates for security then making an image. Making a new install is seconds after that, instead of a long time. It's worth it, even for a single additional install.

    mmm... I got it! I prefer to clone plain vanilla rather than rebuild my images (I mean VM images), so that's where my considerations come from. In this specific case it would mean adding a standard user, locked down without a password. Therefore it could be rather straightforward to have the user in place and "clone" it, as you do not have to add different users/passwords.

    Still, from a more detailed POV: do you still think that having the agent in the image is better than using the ssh approach? I always end up considering that ssh is always good as a fallback. I'm comparing Salt master/minion vs Salt-ssh here, to make that clear.



  • @scottalanmiller link to direct commands in Salt.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    Same with Ansible, there is no agent there by default, nor keys for accessing the OS. Neither "just works". Nothing does. And just doing installs from ISO is a lot of effort that isn't needed. That's way more time consuming and complex than doing one install, installing keys for Ansible or the agent for Salt, running updates for security then making an image. Making a new install is seconds after that, instead of a long time. It's worth it, even for a single additional install.

    mmm... I got it! I prefer to clone plain vanilla rather than rebuild my images (I mean VM images)

    I figured that out... but why? Why leave out the standardization stuff that is where all the power is?


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    Still, from a more detailed POV: do you still think that having the agent in the image is better than using the ssh approach? I always end up considering that ssh is always good as a fallback. I'm comparing Salt master/minion vs Salt-ssh here, to make that clear.

    Yes, not having SSH at all I consider the biggest "slam dunk" for Salt. I see needing to SSH into a machine ever as a bit of a failure now. I don't want SSH to even run, let alone be needed.


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller link to direct commands in Salt.

    Still not clear, which commands are you looking for?



  • @scottalanmiller said in wetting my feet with CM software:

    Still not clear, which commands are you looking for?

    @scottalanmiller said in wetting my feet with CM software:

    You left out instant commands.

    Those commands and the link to them in the docs.



  • @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    Still, from a more detailed POV: do you still think that having the agent in the image is better than using the ssh approach? I always end up considering that ssh is always good as a fallback. I'm comparing Salt master/minion vs Salt-ssh here, to make that clear.

    Yes, not having SSH at all I consider the biggest "slam dunk" for Salt. I see needing to SSH into a machine ever as a bit of a failure now. I don't want SSH to even run, let alone be needed.

    wow, that would be a good article on best practices and "why you need access (and which) to your machine".
    My mind set is always:
    1- be sure to have local access. (in VM this is the virtual console provided by the hypervisor)
    2- be sure to have remote access.
    3- implement any other mechanism of communication with the machine (like Salt in this case)

    but I never close any of the others later. Just keep them as fallback.

    btw, remaining on the Ansible/Salt comparison, I would like to have an opinion also from @stacksofplates, as he is an avid Ansible user.



  • @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    mmm... I got it! I prefer to clone plain vanilla rather than rebuild my images (I mean VM images)

    I figured that out... but why? Why leave out the standardization stuff that is where all the power is?

    Because my approach is: what is upstream is default, what is mine is not. As I do not provide services to others, I do not need to be an upstream for someone else, therefore I always restart from scratch. And having a CM tool to do this for me is a real added value.
    I mean that, just as setting up a cronjob in a reproducible manner is important for a certain class of service (say a backup), it is also important to me to set up everything from scratch in a reproducible manner.

    ex.:

    • I've changed my keys? just re-deploy them
    • Salt/Ansible run with python3? just avoid using the available image with python-minimal on it. just drop it from the playbook/state

  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    Still not clear, which commands are you looking for?

    @scottalanmiller said in wetting my feet with CM software:

    You left out instant commands.

    Those commands and the link to them in the docs.

    OH!

    First example here, the cmd.run option...

    https://mangolassi.it/topic/11821/executing-basic-commands-with-salt


  • Service Provider

    @matteo-nunziati said in wetting my feet with CM software:

    @scottalanmiller said in wetting my feet with CM software:

    @matteo-nunziati said in wetting my feet with CM software:

    Still, from a more detailed POV: do you still think that having the agent in the image is better than using the ssh approach? I always end up considering that ssh is always good as a fallback. I'm comparing Salt master/minion vs Salt-ssh here, to make that clear.

    Yes, not having SSH at all I consider the biggest "slam dunk" for Salt. I see needing to SSH into a machine ever as a bit of a failure now. I don't want SSH to even run, let alone be needed.

    wow, that would be a good article on best practices and "why you need access (and which) to your machine".
    My mind set is always:
    1- be sure to have local access. (in VM this is the virtual console provided by the hypervisor)
    2- be sure to have remote access.
    3- implement any other mechanism of communication with the machine (like Salt in this case)

    but I never close any of the others later. Just keep them as fallback.

    btw, remaining on the Ansible/Salt comparison, I would like to have an opinion also from @stacksofplates, as he is an avid Ansible user.

    Salt retains remote access, it just gives you a more secure one than SSH. You don't give up remote access, you simply improve it.

