wetting my feet with CM software

matteo nunziati

just for the curious, I'm trying to configure a couple of VM with ansible and salt just to compare them.
here is my diary with the gists.

notes:

• this is a work in progress
• this is really n00b stuff: I'm a coder not a sys admin
• I'm not the kind of man than reads the full doc and then start code with order <- I rather create a lot of chaos and then I reorder and formalize after docs
• the document is a sort of diary updated live in these days whenever I've time.

bye bye

matteo nunziati

ok, I've pushed the configuration scripts for Salt on github. In the while here is my conclusion, after I've experimented a bit with both systems. Again: this is the newbie approach so keep it with a grain of... Salt(stack)

My conclusion here is that Ansible is more radicated and mature, but Salt is more powerful/easier to deal with when up and running. The issue is how to make it up and running:

• The first thing to consider as now is that Salt is less available than Ansible in distros’ packages. Moreover, being Ansible backed by Red Hat is possible that they will purge Salt as they done with Xen. This implies a bit of troubles as the recommended install ways of Salt either require you to stick with a vulnerable version or expose you to the fast pace of updates which - for security reasons - already have broken backward compatibility twice. Considering this, I’ve ended up with the salt-ssh approach, which resembles the Ansible one and involves just the control machine, avoiding risky version upgrades.
• Both systems don’t run on python3, with Ansible having an experimental mode enabled. This implies that even today you have to instrument Ubuntu distros (as in a near future Debian too) with a python-minimal package which is able to deal with Salt/Ansible.
• Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.
• Considering this, instrumentation is a bit more of a trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force salt to install those items from a salt-ssh cmd line. It can’t create a state file for instrumentation in the likes of ansible “instrumentation” playbooks.
• This implies that rebuilding an infrastructure is not a one line away with Salt as it is with Ansible, first you need to instrument with salt-ssh, then run environments (cascade of playbooks in Ansible terms). As a side note ansible requires libselinux-python as additional dependency in CentOS 7, while Salt doesn’t.
• Basically this means that Salt instrumentation is more cumbersome: while ansible requires you to export your keys and set up the hosts file (Roster in Salt), here you also have to create the user and then manually issue a salt-ssh command system wide, without any target filtering, as you cannot know if you send an apt-get command for instrumentation even to CentOS machines. Really a bad hack, maybe due to my noobness.
• The relevant thing here is: how can massively create this user from a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an iso, but a small company like mine is best server by Ansible like solutions, especially in disaster recovery scenarios, where you have to think fast at a lot of things.
• Another thing to mind of is that issuing raw shell commands is neither well suited for error catching nor for input security, but, in the end of the day it can save your day, as it fits well the role of fallback. While this is not possible before instrumentation with Salt, both systems can do this once up and running, allowing you to fill possible features holes in the functions (somethin glike systemd modules not already in place).

matteo nunziati

Once up and running, Salt is really the winner to me, for a number of reasons:

• it can leverage full Jinjia2 templating straight inside state files (playbooks) letting you avoiding to split playbooks or add all of those ‘when’ directives all around;
• its file.managed state is a proper diff-patch automatic routine able to check for file state without you to be required to create patches or so like you have to with Ansible: it is just auto-magic;
• while distro specificities are always there Salt tends to abstract away as most as possible the underlying OS you are configuring, leading to certain reductions in number of lines/verbosity. It is just a bit more “dense”. While not incredibly more dense, it is still more compact;
• I’ve not dig this in depth, but Salt allows you to keep your config files in a git repo in the cloud (say github or bitbucket) and deploy them from here. I’m talking about config templates or so, like a crontab file etc... Again I’ve not tested this so I can not comment on it, but it is a really nice idea. Ansible can leverage git in a way or another, but has not builtin modules for file redistribution straight from git.

Emad R

+1 to everything, very good effort and explanation and helpful experiment.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

• The first thing to consider as now is that Salt is less available than Ansible in distros’ packages. Moreover, being Ansible backed by Red Hat is possible that they will purge Salt as they done with Xen.

What do you mean purge? Xen is still supported by Red Hat and XenServer is still built on it.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

• Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.

This isn't a standard user, though, so that this is considered bad for standard users isn't applicable here. So that's not a negative.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

• Considering this, instrumentation is a bit more of a trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force salt to install those items from a salt-ssh cmd line. It can’t create a state file for instrumentation in the likes of ansible “instrumentation” playbooks.
• This implies that rebuilding an infrastructure is not a one line away with Salt as it is with Ansible, first you need to instrument with salt-ssh, then run environments (cascade of playbooks in Ansible terms). As a side note ansible requires libselinux-python as additional dependency in CentOS 7, while Salt doesn’t.

What do you mean? You'd have Salt built into your base image. So none of this would apply in normal circumstances. Salt would already be installed along with all dependencies before you even start.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

• Basically this means that Salt instrumentation is more cumbersome: while ansible requires you to export your keys and set up the hosts file (Roster in Salt), here you also have to create the user and then manually issue a salt-ssh command system wide, without any target filtering, as you cannot know if you send an apt-get command for instrumentation even to CentOS machines. Really a bad hack, maybe due to my noobness.

None of this has happened when I've used Salt. I'm not sure why you are having these issues. It "just works" when we've used it. No need for dependencies to be met, no user creation, no SSH in from the outside... nothing like that.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

• The relevant thing here is: how can massively create this user from a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an iso, but a small company like mine is best server by Ansible like solutions, especially in disaster recovery scenarios, where you have to think fast at a lot of things.

Why would you not have your VM customized? Size doesn't make any difference. Even if you are a one man shop with one server, you would customize your installation distro. We do this just for our lab alone, for example. And we do it on Vultr or Linode. Makes everything much easier and standardized, even if you are not using a tool like Ansible or Salt. In fact, the smaller you are, the more important that efficient processes be used. Big companies can afford to be more lax, and often are.

scottalanmiller

You left out instant commands. Salt can run commands or changes against the environment "instantly", faster than SSH. If something is wrong and you need to push a change or you need to be really tight on the timing of a change, Salt makes this incredibly easy.

matteo nunziati

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• The first thing to consider as now is that Salt is less available than Ansible in distros’ packages. Moreover, being Ansible backed by Red Hat is possible that they will purge Salt as they done with Xen.

What do you mean purge? Xen is still supported by Red Hat and XenServer is still built on it.

I mean that new Rad Hat products have KVM per default and Xen, to my humble opinion, is a second class citizen - at least since Red Hat 7. Of course they support their previous releases, and of course XenServer is built on it, but it is based on the CentOS distro and is supported by the XenServer project (Linux Foundation?) not by direct Red Hat support.

matteo nunziati

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.

This isn't a standard user, though, so that this is considered bad for standard users isn't applicable here. So that's not a negative.

It is negative in that I've to make adjustements to "plain" installed distros by hand, or at least other configuration tools. Then having a dedicated locked down user is perfectly OK.

matteo nunziati

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• Considering this, instrumentation is a bit more of a trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force salt to install those items from a salt-ssh cmd line. It can’t create a state file for instrumentation in the likes of ansible “instrumentation” playbooks.
• This implies that rebuilding an infrastructure is not a one line away with Salt as it is with Ansible, first you need to instrument with salt-ssh, then run environments (cascade of playbooks in Ansible terms). As a side note ansible requires libselinux-python as additional dependency in CentOS 7, while Salt doesn’t.

What do you mean? You'd have Salt built into your base image. So none of this would apply in normal circumstances. Salt would already be installed along with all dependencies before you even start.

that's the point: if you run a standard ISO from canonical or redhat/centos, you have not it installed by any default install: you have to add it and/or preseed the installer (never done this, so I'd have to experiment with this).

matteo nunziati

@scottalanmiller said in wetting my feet with CM software:

It "just works" when we've used it. No need for dependencies to be met, no user creation, no SSH in from the outside... nothing like tha

if you install the minions everything is resolved by the installer either the boostrap script or the repository you have choosen. What is nice about Ansible if that you just need to apt-get/yum install it on a control machine, then "minions" are there, just add the dependancy installation as very first step in your palybook and ansible "autoinstalls" requirements.

You can do this even with Salt, but you need salt-ssh -r on the command line and then you can execute any state deployment with Salt (either salt-ssh or salt master/minion).

Everything boils down to the fact you have or not an image ready to go with your CM tools. With Ansible you do not need it, you can do on the fly. with Salt you have an intermediate step. To me it is better to run salt-ssh to instrument your target machines, rahter than preseed an image. This is massive do not requires you to poke with isos ad so...

It is just an additional step to remember even when you are in a hurry. just this.

Or, of course, I've missed something. Do not forget I've just started this as a learning project, so exchange here is really appreciated.

matteo nunziati

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• The relevant thing here is: how can massively create this user from a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an iso, but a small company like mine is best server by Ansible like solutions, especially in disaster recovery scenarios, where you have to think fast at a lot of things.

Why would you not have your VM customized? Size doesn't make any difference. Even if you are a one man shop with one server, you would customize your installation distro. We do this just for our lab alone, for example. And we do it on Vultr or Linode. Makes everything much easier and standardized, even if you are not using a tool like Ansible or Salt. In fact, the smaller you are, the more important that efficient processes be used. Big companies can afford to be more lax, and often are.

mmm... link please
(OK, after luch I will search for it anyway)

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• The first thing to consider as now is that Salt is less available than Ansible in distros’ packages. Moreover, being Ansible backed by Red Hat is possible that they will purge Salt as they done with Xen.

What do you mean purge? Xen is still supported by Red Hat and XenServer is still built on it.

I mean that new Rad Hat products have KVM per default and Xen, to my humble opinion, is a second class citizen - at least since Red Hat 7. Of course they support their previous releases, and of course XenServer is built on it, but it is based on the CentOS distro and is supported by the XenServer project (Linux Foundation?) not by direct Red Hat support.

True, but you really don't bring in Salt from Red Hat sources, at least we don't. We use Salt's own tools.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• Salt doesn’t work well with sudo. It requires that the user has NOPASSWD rights for sudo. This basically kills usage on any Ubuntu like distro. The solution is to manually add a special locked user with NOPASSWD rights in sudoers. In fact, giving the standard user NOPASSWD is close to security suicide.

This isn't a standard user, though, so that this is considered bad for standard users isn't applicable here. So that's not a negative.

It is negative in that I've to make adjustements to "plain" installed distros by hand, or at least other configuration tools. Then having a dedicated locked down user is perfectly OK.

That's considered a basic in any environment, though, whether you are using Ansible or Salt. Just getting your keys in place requires an adjustment to the base install, so Ansible doesn't work without a modified base either.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• Considering this, instrumentation is a bit more of a trouble in Salt: while Ansible can check with pure shell commands for its platform requirements (and install them), you have to force salt to install those items from a salt-ssh cmd line. It can’t create a state file for instrumentation in the likes of ansible “instrumentation” playbooks.
• This implies that rebuilding an infrastructure is not a one line away with Salt as it is with Ansible, first you need to instrument with salt-ssh, then run environments (cascade of playbooks in Ansible terms). As a side note ansible requires libselinux-python as additional dependency in CentOS 7, while Salt doesn’t.

What do you mean? You'd have Salt built into your base image. So none of this would apply in normal circumstances. Salt would already be installed along with all dependencies before you even start.

that's the point: if you run a standard ISO from canonical or redhat/centos, you have not it installed by any default install: you have to add it and/or preseed the installer (never done this, so I'd have to experiment with this).

Same with Ansible, there is no agent there by default, nor keys for accessing the OS. Neither "just works". Nothing does. And just doing installs from ISO is a lot of effort that isn't needed. That's way more time consuming and complex than doing one install, installing keys for Ansible or the agent for Salt, running updates for security then making an image. Making a new install is seconds after that, instead of a long time. It's worth it, even for a single additional install.

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

To me it is better to run salt-ssh to instrument your target machines, rahter than preseed an image. This is massive do not requires you to poke with isos ad so...

This is where we differ. As someone who never uses the ISOs and always preseeds, I'm unclear what benefit there is from using the ISOs, ever (other than the very first time, obviously.) I want to avoid the ISOs as much as possible, I see them as purely a negative from all aspects. They are slow, risky (because we don't ensure standard security) and cumbersome. Even without CM tools we never used the ISOs. We pre-seeded keys, standard packages, latest updates, etc.

So what's the reason you choose ISOs? What benefit are you seeing from all that extra work?

scottalanmiller

@matteo-nunziati said in wetting my feet with CM software:

@scottalanmiller said in wetting my feet with CM software:

@matteo-nunziati said in wetting my feet with CM software:

• The relevant thing here is: how can massively create this user from a plain VM not customized at installation time and deployed on N VMs (with N possibly really big)? Maybe a datacenter can customize an iso, but a small company like mine is best server by Ansible like solutions, especially in disaster recovery scenarios, where you have to think fast at a lot of things.

Why would you not have your VM customized? Size doesn't make any difference. Even if you are a one man shop with one server, you would customize your installation distro. We do this just for our lab alone, for example. And we do it on Vultr or Linode. Makes everything much easier and standardized, even if you are not using a tool like Ansible or Salt. In fact, the smaller you are, the more important that efficient processes be used. Big companies can afford to be more lax, and often are.

mmm... link please
(OK, after luch I will search for it anyway)

Just back from the grocery now. Link to what exactly? To how we do it on Vultr, for example?