jails and ansible

This is rather an open question.
I have a jail, i have ansible installed.
To which use can , or do you use ansible, to do what, in the jail.
Maybe you have interesting uses.
 
I once had all of our infrastructure services (e.g. dns slaves, dhcp, radius) set up and managed via ansible.
Each type of service was defined in a playbook, config in git repositories (some with branches for each instance or site if necessary) and e.g. the jail/zone setup boilerplate was defined in other playbooks.
This way the whole installation of a jail or zone for such a service could be performed fully automated. Some jails even ran ansible in pull-configuration (via cron) to automatically pull config updates and e.g. DNS entries and firewall rules got updated upon setup of the new service.

At the time I thought this is a good strategy for disaster-recovery as I could basically spin up all essential services fully automated within a few minutes. OTOH our infrastructure isn't THAT huge and with template jails and configs that reside in git repos anyways, doing it manual won't take that long to justify the overhead and extra time I often had to spend to get/keep this working. Especially because a lot of FreeBSD/Jail/smartOS/zones-related modules had inconsistencies, quirks, bugs or were simply broken and more than once a simple "just add this small thing to the playbook" ended in hour-long bugfixing sessions or even complete rewrites of modules (usually in shell or perl because I absolutely hate Python...)
Plus with basejails and zfs snapshots backups are extremely cheap and simple and just as fast to restore, so my motivation to keep/get this working dwindled more and more...

In theory ansible (or any other orchestration/configuration management system) is really nice to automate and at the same time document everything in your network. If you have a lot of boilerplate stuff on a daily basis going on, this stuff truly shines and will save you a lot of time and prevent errors.
If you have a relatively static network and server landscape, and most servers and service installs are unique, I'd say just install and manage them by hand and put configurations in version control (e.g. git) together with their documentation. Even if you have to reinstall some of them once or twice a year, this is still quicker than the hours spent building and maintaining an orchestration system.
 
OTOH our infrastructure isn't THAT huge and with template jails and configs that reside in git repos anyways, doing it manual won't take that long to justify the overhead and extra time I often had to spend to get/keep this working. Especially because a lot of FreeBSD/Jail/smartOS/zones-related modules had inconsistencies, quirks, bugs or were simply broken and more than once a simple "just add this small thing to the playbook" ended in hour-long bugfixing sessions or even complete rewrites of modules (usually in shell or perl because I absolutely hate Python...)
Plus with basejails and zfs snapshots backups are extremely cheap and simple and just as fast to restore, so my motivation to keep/get this working dwindled more and more...

I setup my whole environment around ansible, when I actually needed to rebuild things my ansible scripts always needed to be reworked and I would always find
more problems to fix with ansible. I converted everything back to basic shell scripts and using 'Bastille files' and they've been far more stable for me but they also have their own trade offs.

As for what I did with ansible: I run most my services in jails, samba, nginx, matrix synapse chat. I used ansible to automate/document each services setup as well as for making
test enviroments. I still do the same but I use a basic install.sh script for my host system and jails I converted to using bastille for jail automation.
 
  • Thanks
Reactions: sko
Thanks for reminding me of Bastille!
IIRC I took a short look at it a few years ago when it was in a very early stage and completely forgot about it. This looks really nice now - extremely simple and effective and easy to integrate in/switch to from my current workflow. I think I'll give it a try on one of my jailhosts.
 
Back
Top