Bootstrapping question - modules, role, or something else?

Hi -

I worked with Ansible many months ago (pre 1.0?) and now I'm back, catching up on the new features, including roles.

My question is about the best practice structure for the core setup of a server. What I want to do is get on a clean Ubuntu install (such as from Digital Ocean) and perform a low level "setup". This includes changing SSH to port 2222, setting up some common accounts, installing a firewall, etc. I only need to do this once for each machine coming on line. And once finished I'll have locked down root password access, SSH will be on a new port, etc. A lot of non-idempotent things.

What I am wondering is how I should encapsulate this. Should this be a module which when run a second time can check that a machine has been "setup" (probably by checking for the existence of an empty file) or should this be a role, or something else?

The solution I worked out when I first started using Ansible was to have a group in my inventory file called "setup" and I'd put new machines in that group, run playbooks and then remove those machines from [setup]. That approach works, but it doesn't scale and requires a manual editing step.

Thank you -- Randy

I have a 'bootstrap' group that I add new machines into and remove from once I run my 'bootstrap.yml' (which has hosts: bootstrap).

Brian,

Thank you for confirming this is an approach that is used in the community. That’s essentially what I worked out before and I’ll head in this direction again.

Cheers – Randy

Brian Coca wrote:

I don’t know about ‘the community’ but this is what I do myself, there are probably 10 ways people deal with this, this one just made sense for me (and you it seems).

Moving the machine between groups seems a little heavy, but yes, there are probably many approaches.

It may be easier to just have “ansible_ssh_port” in your setup playbook override what is in inventory, or do the bootstrap with “-e ansible_ssh_port=22” to override inventory.

Alternatively your kickstart/preseed could possibly use ansible-pull at the end of a run and set it up for later management.

I would generally like to see the system running on its final SSH port at the end of preseed so you never have the interval when it’s running elsewhere, but some people also have things like provisioning networks/vlans, etc, so it’s all very up to you.
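A sketch of the override-plus-marker approach discussed in this thread, added here as an example and not code posted by any of the participants. The bootstrap group, port 2222 and the ansible_ssh_port override come from the thread; the marker file path, the PermitRootLogin setting and the ufw steps are assumptions.

```yaml
# bootstrap.yml (added example). Inventory lists the final port:
#   web1 ansible_ssh_port=2222
# First run only, reaching the stock port:  ansible-playbook bootstrap.yml -e ansible_ssh_port=22
# Later runs use the inventory port and the one-shot tasks are skipped via the marker file.
- hosts: bootstrap
  vars:
    new_ssh_port: 2222
    marker: /etc/ansible-bootstrapped   # assumed path, not from the thread
  tasks:
    - name: Check whether this host was already bootstrapped
      stat: path={{ marker }}
      register: bootstrapped

    - name: Move sshd to the new port
      lineinfile: dest=/etc/ssh/sshd_config regexp='^Port ' line='Port {{ new_ssh_port }}'
      when: not bootstrapped.stat.exists
      notify: restart ssh

    - name: Disable root password login over SSH (keys still allowed)
      lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin ' line='PermitRootLogin without-password'
      when: not bootstrapped.stat.exists
      notify: restart ssh

    # Open the new port BEFORE enabling the firewall, otherwise the
    # restarted sshd is unreachable and the host is locked out.
    - name: Allow the new SSH port
      ufw: rule=allow port={{ new_ssh_port }} proto=tcp
      when: not bootstrapped.stat.exists

    - name: Enable the firewall with a default deny policy
      ufw: state=enabled policy=deny
      when: not bootstrapped.stat.exists

    - name: Leave a marker so a second run skips the one-shot steps
      file: path={{ marker }} state=touch
      when: not bootstrapped.stat.exists

  handlers:
    - name: restart ssh
      service: name=ssh state=restarted
```

Because the final port lives in inventory and the stock port is only injected with -e on the first run, the host can stay in the bootstrap group permanently instead of being edited in and out of it.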