Configuration Management Options

The discussion thus far on IRC/Matrix has been concerning whether to use Ansible (with Tower) and existing playbooks or develop infrastructure in puppet instead. Moving this discussion here for further comment.

Running tally of top options:

  • Ansible (config management)
    – including vault (secrets)
    – including tower (management / auth)

  • FreeIPA (Identity Management)

3 Likes

I believe we’ve confirmed now that we’ll be using Ansible, 90% sure we decided on Tower, it’s the bits that float around it we’re waiting on now I think.

3 Likes

Yes, 100% ansible.

We are going to also do tower (AWX) to make sure things are nice and secure and we’re locking it down properly.

4 Likes

So, requirements around AWX sound like Ansible and Docker, Python 3, Node 14.x, NPM 6.x, make, and git. Hardware requirements are 2 CPUs, 4GB of RAM, 20GB of storage, and AWX itself needs to run on a system running Docker, K8s or OpenShift.

Is this something that needs to be highly available/run in a cluster behind a load balancer?

1 Like

To get things rolling (ie. deploy AWX), someone needs to start with plain old Ansible playbooks in a git repo :slight_smile: Once AWX (and probably Identity with FreeIPA or something) is deployed, it can be used to deploy the rest of the stuff.

If AWX only handles configuration management and orchestration, then it’s probably not a component that can’t recover from some minutes of downtime every now and then. Rather than HA and redundancy for it, I’d focus on good backups first.

Looking at the components, it’s a web UI on top of PostgreSQL, and both of those can be migrated into an HA setup later too.

It’s also possible to use a Managed Kubernetes solution somewhere, or set up our own, but to be honest I would not want to complicate the infrastructure with full-blown container orchestration right off the bat.

There are also non-technical things like naming schemes and such to decide, which are surprisingly important when it comes to building understandable systems.

Agreed, oranenj, especially with what is sounding like it’ll end up as a more distributed architecture… we need to make sure we encode good naming conventions into things.

I’m personally a fan of location-environment-subenvironment-name/function-arity.subenvironment.environment.location.rockylinux.org… e.g.

use1-dev-ci-builder001.ci.dev.use1.rockylinux.org (or similar) though pieces can be removed/added/changed as required.
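As an added illustration of the scheme proposed above (not code from the thread or the Rocky Linux project), the following builds and validates hostnames of the form location-environment-subenvironment-function+arity.subenvironment.environment.location.rockylinux.org. It assumes a 3-digit arity and lowercase alphanumeric labels, and treats a mismatch between the short name and the subdomain labels as an error, since the scheme encodes the same facts twice.

```python
import re
from dataclasses import dataclass

BASE_DOMAIN = "rockylinux.org"

# Assumed shape: loc-env-subenv-func### . subenv . env . loc . rockylinux.org
HOST_RE = re.compile(
    r"^(?P<loc>[a-z0-9]+)-(?P<env>[a-z0-9]+)-(?P<subenv>[a-z0-9]+)-"
    r"(?P<func>[a-z]+)(?P<arity>\d{3})"
    r"\.(?P<d_subenv>[a-z0-9]+)\.(?P<d_env>[a-z0-9]+)\.(?P<d_loc>[a-z0-9]+)"
    r"\." + re.escape(BASE_DOMAIN) + r"$"
)


@dataclass(frozen=True)
class HostName:
    loc: str
    env: str
    subenv: str
    func: str
    arity: int

    def fqdn(self) -> str:
        """Render the canonical FQDN for this host."""
        short = f"{self.loc}-{self.env}-{self.subenv}-{self.func}{self.arity:03d}"
        return f"{short}.{self.subenv}.{self.env}.{self.loc}.{BASE_DOMAIN}"


def parse_fqdn(fqdn: str) -> HostName:
    """Parse an FQDN under the scheme, rejecting malformed or inconsistent names."""
    m = HOST_RE.match(fqdn.lower())
    if not m:
        raise ValueError(f"does not follow naming scheme: {fqdn}")
    # The short name and the subdomain labels must agree; a mismatch usually
    # means a typo or a host built from the wrong inventory group.
    for short, dom in (("loc", "d_loc"), ("env", "d_env"), ("subenv", "d_subenv")):
        if m[short] != m[dom]:
            raise ValueError(f"{short} mismatch: {m[short]!r} vs {m[dom]!r} in {fqdn}")
    return HostName(m["loc"], m["env"], m["subenv"], m["func"], int(m["arity"]))


def is_valid(fqdn: str) -> bool:
    """True if the name parses and is self-consistent."""
    try:
        parse_fqdn(fqdn)
        return True
    except ValueError:
        return False
```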

Spent the last hour or so mapping all the dependencies and taking some notes on the CentOS Ansible Repo mentioned above. Below are all the playbooks, their interconnects (not documented well; we need to NOT do that) and a few I identified that would need a rebrand if we adopted the playbook.

  • ansible-host MIT
  • baseline MIT
    • iptables
    • zabbix-agent
    • sshd
  • bind MIT
    • iptables (implicit)
  • boot-server MIT pxe config (where does it get its selinux from?)
    • iptables
    • httpd
  • centbot MIT
    • httpd
    • centos-backup
  • centos-backup MIT
    • server - restic
  • certbot MIT
    • iptables
    • centos-backup
  • geoip2 MIT
  • gitea MIT
    • mysql
    • httpd
    • centos-backup
  • haproxy MIT
    • iptables
    • zabbix-server
  • httpd MIT (Branding)
    • iptables
    • zabbix-server
  • httpd-compose MIT
    • httpd
  • httpd-feeds MIT
    • httpd
  • ipa-client MIT
  • ipsalon MIT (Branding)
    • httpd
    • centos-backup
  • iptables MIT
  • iscsid-target MIT
    • iptables
  • iscsid-target MIT
    • iptables
  • kanboard MIT (where is application?)
    • mysql
    • httpd
  • Keepalived NO LICENSE
  • kojibot MIT (Not actually an ansible role)
  • kojid MIT
    • zabbix-server
  • kojihub MIT (branding)
    • httpd
    • zabbix-server
    • postgresql
  • kvm-host MIT
  • lsyncd MIT
  • mailman MIT
    • centos-backup
    • httpd
  • mantisbt MIT
    • mysql
    • iptables
    • httpd
    • postfix
    • centos-backup
  • mirmon MIT
    • geoip2
  • mirror MIT
    • httpd
    • zabbix-server
    • rsyncd
  • moin MIT
    • httpd
    • centos-backup
  • mqtt MIT
    • iptables
  • mysql MIT
    • zabbix-server
    • centos-backup
  • nfs-server MIT
    • iptables
  • ocp-admin-node MIT
  • odcs-backend MIT
  • odcs-frontend MIT

4 Likes
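An added example (not from the thread or the CentOS repo) that encodes a subset of the role dependencies listed above as a graph and answers the two questions the list is meant to settle: what a role transitively pulls in, and which roles would carry a "(Branding)" role along if adopted. The subset and the branded set are constructed from the post; the full list is longer.

```python
from collections import defaultdict

# Subset of the roles listed above (constructed from the post).
# Key = role, value = roles it depends on.
DEPS = {
    "baseline": ["iptables", "zabbix-agent", "sshd"],
    "httpd": ["iptables", "zabbix-server"],
    "httpd-compose": ["httpd"],
    "gitea": ["mysql", "httpd", "centos-backup"],
    "mysql": ["zabbix-server", "centos-backup"],
    "kojihub": ["httpd", "zabbix-server", "postgresql"],
    "ipsalon": ["httpd", "centos-backup"],
    "mantisbt": ["mysql", "iptables", "httpd", "postfix", "centos-backup"],
    "mirror": ["httpd", "zabbix-server", "rsyncd"],
}
BRANDED = {"httpd", "ipsalon", "kojihub"}  # flagged "(Branding)" above


def transitive_deps(role, deps=DEPS):
    """All roles pulled in by `role`, directly or indirectly (DFS, cycle-safe)."""
    seen, stack = set(), list(deps.get(role, []))
    while stack:
        d = stack.pop()
        if d in seen:
            continue
        seen.add(d)
        stack.extend(deps.get(d, []))
    return seen


def rebrand_impact(deps=DEPS, branded=BRANDED):
    """For each role, the branded roles adopting it would drag in (itself included)."""
    return {r: sorted((transitive_deps(r, deps) | {r}) & branded) for r in deps}


def reverse_deps(deps=DEPS):
    """Reverse edges: changing role X affects these dependents."""
    rev = defaultdict(set)
    for r, ds in deps.items():
        for d in ds:
            rev[d].add(r)
    return {k: sorted(v) for k, v in rev.items()}
```

Roles with an empty `rebrand_impact` entry can be adopted without touching branding; `reverse_deps` shows the blast radius of editing a shared role such as httpd.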

FreeIPA can also handle DNS responsibilities in addition to Identity Management.

Yes, we have come to the decision to use FreeIPA for identity management. It will likely be used for internal infrastructure DNS, but not external DNS (it doesn’t support views).

4 Likes

Roger that.

Good point.

Vince

I mentioned on another thread, I’ve been doing Puppet for a decade in a very large scale environment… And I think we should do Ansible. :slight_smile: Seems like there’s no opposition to Ansible, though…

4 Likes

As an Ansible expert working for everyone’s favorite chromatic head wear company, I’m all about being here to support Ansible!

4 Likes

It’s worth pointing out I’ve had success with running AWX on Podman on Centos8, if we’re wanting to keep it self hosted (as Centos8/RockyToBe doesn’t support docker as standard) - https://github.com/ikke-t/awx_pod

Having AWX in a container may be useful for us. We will keep note of this for when we get the infra setup.

3 Likes

Looks great. But “Role is tested on Fedora server.” Is this role usable with CentOS 8 as is?

A coworker recently set up AWX with Docker on CentOS 8. It was painful.

As I said - yes I got it up and working relatively easily on a Centos 8.2 install.

1 Like

Hi folks. I work on the AWX/Tower team. I’m excited to see y’all are considering using it. I just came here to share this announcement regarding upcoming changes to the project’s architecture and deployment model: https://groups.google.com/g/awx-project/c/47MjWSUQaOc

6 Likes

Thank you for letting us know Shane!

I’m personally not a huge fan of Ansible because with proper time and coding it can’t really do anything you could not do already with SSH commands and bash scripting. Even less now that Red Hat belongs to IBM. It is very likely IBM will start to cut down on open source projects in the future.

2 Likes

I’m currently using awx in an rpm based setup for production. Multiple instances in groups, and ha (replication) postgresql backend. Not quite as simple as containers, but quite scalable. I’ve got the setup notes somewhere and can post up if needed.