I’m a complete git noob, never used it before this morning when I ran “git clone” and this afternoon when I poked around at github enough to submit a couple of issues. I’d love to write some code and submit it to y’all for consideration but could use a pointer for how to play nice with git. Of the zillions of “getting started with git” articles on the web, can you point me at one that you recommend and add anything particular that I should know for this project in particular?
In return, I will write a module that will assure that a particular kind of line is in a config file (without disturbing the rest of the file).
I’m a complete git noob, never used it before this morning when I ran “git clone” and this afternoon when I poked around at github enough to submit a couple of issues. I’d love to write some code and submit it to y’all for consideration but could use a pointer for how to play nice with git. Of the zillions of “getting started with git” articles on the web, can you point me at one that you recommend and add anything particular that I should know for this project in particular?
The official git tutorials are pretty good.
In return, I will write a module that will assure that a particular kind of line is in a config file (without disturbing the rest of the file).
I actually don’t think I want this module, though you are free to develop it and share it with everyone. I think it’s a hazardous way to manage systems IMHO. It’s kind of cfenginey vs declarative modelling and doesn’t really assure central management.
I don’t follow you. We use this to ensure PCI compliance on servers. For instance, by default Ubuntu+Plesk have some weak ciphers enabled for the IMAP daemon. We disable those in the config file without disturbing anything else that the system administrator might want to tweak in there.
Having admins edit on the box (having unique snowflake config files) is something the whole idea of configuration management was designed to eradicate.
It is much better to edit templates in Ansible and push them out, otherwise your systems will drift.
There are various horrible attempts to solve this problem (augeas, sed, etc) but they don’t lead to any sort of central auditable definition of what your systems are actually doing.
You can’t assume compliance by saying a line is present or not present, you would want to validate that the config file was as you expected it to be, exactly.
Maybe your use cases are a bit different as you say “the system administrator”, implying it’s not the admin who is using Ansible.
That being said, there is nothing stopping you from making this module – it’s just a bad use case for central management of IT resources.
Having admins edit on the box (having unique snowflake config files) is something the whole idea of configuration management was designed to eradicate.
It is much better to edit templates in Ansible and push them out, otherwise your systems will drift.
There are various horrible attempts to solve this problem (augeas, sed, etc) but they don’t lead to any sort of central auditable definition of what your systems are actually doing.
Michael,
It sounds like we have a slightly different use case than you imagined. We provide web hosting servers to small businesses. As such, we need to control some of the server while leaving some of it open to the end-user to manage. For instance, we push out a set of Apache config files (which the end-user can ignore) and we keep these locked in sync with our master. We push out a MySQL config file but do not lock this one; the end-user can edit it. We force one line in the IMAP daemon config file to be as we need it to be, disabling the weak ciphers, but allow the end-user to set things like number of daemon children.
I agree with you completely. Right now we have a horrible kludge of editing the config file with perl. I want to simply declare that /etc/courier-imap/imapd-ssl must contain this line:
You can’t assume compliance by saying a line is present or not present, you would want to validate that the config file was as you expected it to be, exactly.
Yup. We check the config file nightly and the PCI external vulnerability scans have the work of truly validating compliance.
That being said, there is nothing stopping you from making this module – it’s just a bad use case for central management of IT resources.
I am very open to other ideas on how to manage this use case. Do you have a better way to do it?
Joint admin is definitely an interesting use case. Thanks for explaining.
Not really one I plan for.
In your case, this may be unavoidable, hence saying I can’t forbid anyone from doing this, I just don’t want it to be a normal way of doing things.
I generally find this kind of thing where a user/program is editing my files in ways I don’t know about kind of sketchy, but I understand where you are coming from.
It sort of sounds like your playbook could be for initial provisioning only and then just not run it again, but you also said compliance.
I would very much like to teach all modules a no-op mode for compliance purposes but this is simply not something we have now.
Anyhow, you can write that module, and I would share it with the list, it’s just not something I think should be in core, since it is apt to break people depending on how they edit files.
(It makes sense for a contrib repo, which I temporarily killed because there weren’t enough community modules for it yet. A good way to do this is probably to start one and use git submodules to link to modules people own and maintain on github, basically like a series of hyperlinks. Anyway, once we have more than a handful of non-core modules I am more than willing to reinstate the contrib repo – I didn’t want to have it there though with nothing in it, as that was a bit confusing.)
Thank you for your feedback. I will hold onto my "contains" module until you have the contrib repo open. Though ansible is very very new, I like the architecture and your philosophy very much. I think it will fit our business needs beautifully.
I will see if I can tame git enough to let me write bits of code for you, like setting the exit status.
If I were dealing with your issue, I might consider a module that would check that a certain line appears or does not appear in certain files, but not actually do anything. Instead it would generate a report and fire off an email warning to the actual sysadmin. Just an alternate idea.
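The "contains" module discussed in this thread (force one line in a config file, leave everything else alone) and the report-only variant proposed just above can be sketched in a few dozen lines. What follows is an added example written for this page; it is not the poster's module, nor Ansible's own lineinfile code. The sample file is constructed in the style of a Courier imapd-ssl config, and the TLS_CIPHER_LIST directive and cipher value are assumptions for illustration, since the thread never shows the actual line. Two caveats a practitioner would want are built in: the wanted line must itself match the regexp (otherwise every run would append it again), and duplicate matches are collapsed so a stale copy of the directive left behind by a control-panel upgrade cannot win over the enforced one.

```python
import os
import re
import tempfile

# Constructed sample in the style of a Courier imapd-ssl file. The directive
# name and cipher value are assumptions for illustration, not the poster's
# actual line, which the thread does not show.
SAMPLE_CONFIG = """\
##NAME: TLS_CIPHER_LIST:0
#
# Ciphers accepted by the SSL/TLS listener (constructed sample).
MAXDAEMONS=40
TLS_CIPHER_LIST=ALL:!LOW
# end of file
"""
WANTED = "TLS_CIPHER_LIST=HIGH:!aNULL"   # assumed value to enforce
REGEXP = r"^TLS_CIPHER_LIST="            # which line counts as "that line"


def ensure_line_in_text(text, line, regexp=None):
    """Return (new_text, changed).

    With a regexp, the first matching line is replaced by `line` and any
    later matches are dropped, so a duplicate left behind by a control-panel
    upgrade cannot silently re-enable the old value. If nothing matches (or,
    with no regexp, `line` is absent verbatim) `line` is appended. Every
    other line, including comments and blank lines, passes through unchanged.
    """
    pattern = re.compile(regexp) if regexp else None
    if pattern and not pattern.search(line):
        # Otherwise the wanted line would never be recognised on the next
        # run and would be appended again every time the module ran.
        raise ValueError("the wanted line must itself match regexp")
    out, found, changed = [], False, False
    for raw in text.splitlines(True):          # True keeps the line endings
        body = raw.rstrip("\r\n")
        eol = raw[len(body):] or "\n"
        if pattern is not None and pattern.search(body):
            if not found:
                found = True
                changed = changed or body != line
                out.append(line + eol)
            else:
                changed = True                   # drop a duplicate match
            continue
        if pattern is None and body == line:
            found = True
        out.append(raw)
    if not found:
        if out and not out[-1].endswith("\n"):  # file lacked a final newline
            out[-1] += "\n"
        out.append(line + "\n")
        changed = True
    return "".join(out), changed


def ensure_line_in_file(path, line, regexp=None, check_mode=False):
    """Apply ensure_line_in_text to a file; return {"changed": bool, ...}.

    check_mode reports whether the file would change without writing it,
    which is the report-only use suggested in the thread. Real writes go to
    a temp file in the same directory, keep the original permissions and are
    renamed over the target so a crash cannot leave a truncated config behind.
    """
    with open(path) as fh:
        original = fh.read()
    new_text, changed = ensure_line_in_text(original, line, regexp)
    if changed and not check_mode:
        mode = os.stat(path).st_mode & 0o7777
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        try:
            with os.fdopen(fd, "w") as fh:
                fh.write(new_text)
            os.chmod(tmp, mode)
            os.rename(tmp, path)
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
    return {"changed": changed, "path": path}


def demo(directory=None):
    """Write the sample to a temp file, then run check, apply and re-apply.

    Returns (check_changed, file_untouched_after_check, apply_changed,
    reapply_changed); a correct implementation gives (True, True, True, False).
    """
    path = os.path.join(directory or tempfile.mkdtemp(), "imapd-ssl")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    check = ensure_line_in_file(path, WANTED, REGEXP, check_mode=True)["changed"]
    with open(path) as fh:
        untouched = fh.read() == SAMPLE_CONFIG
    applied = ensure_line_in_file(path, WANTED, REGEXP)["changed"]
    again = ensure_line_in_file(path, WANTED, REGEXP)["changed"]
    return check, untouched, applied, again


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

Running it nightly with check_mode=True gives the compliance report without touching the box; running it without check_mode is the enforcing version. Note what this does not do: it cannot tell you that the rest of the file is sane, which is the point Michael makes about pushing whole templates, so it complements rather than replaces the external PCI scan the poster already relies on.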
In this case, I’d definitely consider pushing down the whole config file from a central server, and keep that template in git so you have an audit trail of when/why you change it.
It’s more difficult if you were doing something like configuring files in someone’s shared hosting directory because they could always undo your change and you didn’t know what they had done.
In this case, I'd definitely consider pushing down the whole config file from a central server, and keep that template in git so you have an audit trail of when/why you change it.
Michael,
Believe me, I would much rather do it this way but I cannot. We cannot lock down the rest of the file. It may get changed by the end-user. It may get changed by Parallels (makers of Plesk control panel). It may get changed by the upstream provider for the courier IMAP daemon. When any of those things happen, our code has to assure that the weak ciphers were not re-enabled.
PCI is a PITA. Welcome to my world.
It's more difficult if you were doing something like configuring files in someone's shared hosting directory because they could always undo your change and you didn't know what they had done.
Thankfully, we don't have to do anything even approaching this. It is only shared sysadmin responsibility. And that's hard enough, thank you very much!
Git is frustrating. I have followed the instructions on http://help.github.com/fork-a-repo/ to fork the ansible repo. I added a README.az and tried to push it back to github and I get this message:
Clearly git is trying to push the file to MD’s repo, not mine. I don’t get it. Can’t even figure out why. I’m drowning in documentation and not finding an answer to the simple question: How do I push my own file to my own repo???
Basically you would want to fork my repo using the github tools and then if you do that and clone from that repo, it will automatically do the right thing.
I suspect you cloned my repo and not yours, so the origin is me, not you.