I’m working on a configuration management proposal for a client at the moment - and I’m planning on using Ansible (I have ‘prior’). Part of their requirements is patching - and having done something similar in the past with Puppet, I was planning on looking at doing patch management with Ansible too. Again, I’m fine with working that out.
They’d also like to be able to review their estate for compliance - initially it’ll be package versions, I guess (they’re an RPM shop). I’m pondering if I could also do this bit with Ansible - but off hand I can’t imagine how I’d approach that.
Does anybody have any thoughts and/or experience? Is it a daft thing to even contemplate? Am I thinking of pushing a square peg into a round hole?
You could create a fact module that gathers facts about what packages are installed (essentially an rpm -qa stuffed into a dictionary).
This information can be used in fail tasks to fail if the appropriate packages are not installed.
This would be different from the normal operation of Ansible, which would be to just state that you wish certain packages to be installed, and Ansible would tell you if they already are, or install them if they aren't.
Thanks Jesse, nice idea. I’d have to test the performance of it - my first thought is it will cane every run unless most roles have gather_facts set to false.
But, that is a nice start. Thank you for the suggestion.
In any case the standard facts module does not support this, you can create your own facts module you run as a task or a script in /etc/facts.d/ that would be run by the standard facts module.
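An added example (not code from the thread or from the Ansible project) of the approach Jesse and the previous reply describe: a local fact script that turns `rpm -qa` output into a dictionary, plus the comparison logic a fail task would need. Ansible's setup module runs executable scripts dropped into the local facts directory (the default is /etc/ansible/facts.d/, and the file must carry a `.fact` suffix, e.g. `packages.fact`) and exposes their JSON output under `ansible_local.<scriptname>`, so after gathering facts a play can do `fail: msg="openssl missing"` with `when: ansible_local.packages.installed.openssl is not defined`. The sample rpm output and the baseline dictionary are constructed for illustration; the version comparison is a simplified rpmvercmp (numeric/alpha segments, no tilde or caret handling), not RPM's own, and `BASELINE` and `check_compliance` are assumed names.

```python
#!/usr/bin/env python3
"""Local fact script for /etc/ansible/facts.d/packages.fact (added example).

Run by the setup module it prints JSON, which Ansible exposes as
ansible_local.packages.  check_compliance() shows the comparison a
fail task (or a report) would make against a minimum-version baseline.
"""
import functools
import json
import re
import subprocess

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output.
SAMPLE_RPM_OUTPUT = """\
openssl 1.0.1e 57.el6
bash 4.1.2 48.el6
kernel 2.6.32 573.el6
kernel 2.6.32 504.el6
"""

# Constructed baseline: package -> minimum acceptable version-release.
BASELINE = {
    "openssl": "1.0.1e-57.el6",
    "bash": "4.1.2-48.el6",
    "kernel": "2.6.32-573.el6",
    "sudo": "1.8.6p3-20.el6",
}


def parse_rpm_qa(text):
    """Turn rpm -qa lines into {name: ["version-release", ...]}.

    A list is kept per name because some packages (kernel, for one)
    legitimately have several versions installed at the same time.
    """
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than abort the run
        name, version, release = parts
        installed.setdefault(name, []).append(f"{version}-{release}")
    return installed


def gather_installed():
    """Query the local rpm database (only used when run as a fact script)."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_rpm_qa(out)


_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1.

    Strings are split into numeric and alphabetic segments; numeric pairs
    compare numerically, alphabetic pairs lexically, a numeric segment ranks
    above an alphabetic one, and the longer string wins a tie.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_evr(a, b):
    """Compare 'version-release' strings the way rpm does: version first,
    then release, so 1.0.1e-9 is newer than 1.0.1-10."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def check_compliance(installed, baseline):
    """Return a list of findings; an empty list means the host is compliant."""
    findings = []
    for name, minimum in baseline.items():
        versions = installed.get(name)
        if not versions:
            findings.append(f"{name}: not installed (want >= {minimum})")
            continue
        newest = max(versions, key=functools.cmp_to_key(compare_evr))
        if compare_evr(newest, minimum) < 0:
            findings.append(f"{name}: {newest} is older than {minimum}")
    return findings


if __name__ == "__main__":
    # As a .fact script: emit JSON for ansible_local.packages.installed
    print(json.dumps({"installed": gather_installed()}))
```

Keeping the raw installed list in the fact and doing the comparison in the play (or in a report built from cached facts) is what makes the drift reporting possible later: the same fact can be checked against different baselines without rerunning rpm on every host.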
I would recommend that you use Ansible to do the patching and updating but use serverspec (serverspec.org) to do the compliance checking. They work well together and this uses each for its intended purpose.
I disagree, as it’s not a compliance testing framework, it’s intended to do a particular variety of basic tests.
Compliance is more about checking for drift between unlike systems, and being able to do very good reports on them and then select systems based on certain criteria.
We’ll be doing some things here in the near future. Part of the steps to get here are to either have a fact caching system or use a callback to record facts; another step is to supplement our existing setup module with some modules that calculate a bit more inventory.
And that’s precisely what the client, in this particular case, wants, Michael. So yes, please do hurry along and get it in the product.
Reporting is the key thing, especially for management types. Just being able to see the state of their systems is a good start, because then it can easily be confirmed if a process is being adhered to (or not).
TASK: [git | Create symlinks to the git tools] ********************************
fatal: [ansible-os1] => One or more undefined variables: ‘dict object’ has no attribute ‘meld’
The following works for me. I changed a few things to be more YAML-like, but I think the heart of your issue was the way you were referencing the nested data: