
Saltstack

2021-01-28 by: "Mike (meuon) Harrison"
From: "Mike (meuon) Harrison" 
------------------------------------------------------


On Wed, 27 Jan 2021, Dave Brockman wrote:
> Salt server maintains its own database of registered minions.

I didn't know about "saltstack.com". Kewl. I've been too far into my 
bubble for too long. Trying to remediate that. Hence all the chatter.

I love the "minion" vernacular. I may have to steal that from 
saltstack. Not so sure about the "master" reference, is that still allowed?
I've been renaming things slowly: allowlist vs whitelist, blocklist vs 
blacklist, etc.

My current homegrown system is "ET" and the "Mothership". "ET" =~ "Minion",
Mothership being the controller. Today the #1018th ET was born and called 
home. Kinda proud of that. Not nearly as complex as saltstack, but it's working 
well for us and does some off the wall things (Asterisk AMI, etc.)

My answer on the embedded devices was to just remove 'sudo'. Nothing 
should be using it anyway.

As for "simple"?

https://docs.saltproject.io/en/latest/ref/configuration/minion.html

Wow. That's the "simple" config? That's been my issue with such things, 
trying to solve ALL of the problems instead of a narrow set.

Anyway, ramble over.





===============================================================
From: Lynn Dixon
------------------------------------------------------

If you're looking for automation that doesn't require an agent to be running 
on the target machines, check out Ansible. It uses SSH to connect and run 
commands on the machine. It has a really easy to read/write language (yaml) 
and a metric crap ton of community support and community written playbooks.

===============================================================
From: Dave Brockman
------------------------------------------------------

I discovered it about 3 years ago, because updating dozens of client Unifi 
debian boxes manually wasn't really hard, but required a lot of time to log 
into and paste commands.

I'll just say that I am careful to pick my words, especially in certain 
company. Old habits die hard, but I am trying to do better, similar to you, 
allow/deny lists, etc. Controller/Minion is about the best I have come up with.

That's a pretty impressive Mothership :)

In reality, the only thing you need to edit in a new minion is the server 
configuration item.

    server: salt.dtbnet.com

Restart the service, and then authorize the key on the master. You can do a 
lot, but I think the majority of the other configurations will be in the 
grains file. Typically all I do is assign a role or three to target when 
specific things are updated (unifi, backup software, etc).

If you want to see someone taking it to the next level, take a peek at the 
minion/grains config files on an installed 3CX system....

Cheers, -Dave

===============================================================
From: Dave Brockman
------------------------------------------------------

Saltstack can also use SSH instead of an agent, and I sometimes have to use 
it for extremely low memory systems, but I prefer to know the status of my 
minions at any point in time rather than polling.

Cheers, -Dave

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------

Knew/Know of and have played with Ansible. It's impressive, but it's also 
why I rolled my own. I tried to make it work. It's way too fat for our 
limited scope and micro platforms. And bluntly, my Redhat/RPM skills are 
long gone.

Dave brought up 3CX: "If you want to see someone taking it to the next 
level, take a peek at the minion/grains config files on an installed 3CX 
system...."

And I want to be able to say I've never seen or touched a 3CX system. But 
now I know something I didn't. :)

===============================================================
From: Lynn Dixon
------------------------------------------------------

Odd. Ansible is one (if not the) lightest management tools out there, which 
is why Cisco and a myriad of other IoT device makers are switching to it. It 
literally requires nothing other than SSH to be in the remote node that you 
want to control.

You also don't need to know RPM. Ansible supports just about every package 
manager out there, even Chocolatey for windows. I have seen folks using it 
to manage AIX and even some crusty HP-UX and SCO machines because it does 
not require anything on the target.

I have been working with a customer that supports a very large burger chain 
that manages several hundred thousand very tiny IoT devices for sign boards, 
POS terminals, etc. Some of their devices have 512MB of ram, and they're 
considering Ansible for those devices simply because all they use to control 
them is SSH.

We even have a special working group that focuses on the exact devices you 
guys are dealing with: edge, IoT, micro footprints at scale.

===============================================================
From: DaWorm
------------------------------------------------------

Off Topic. Mostly.

I love it when I hear people talk about embedded and micro in the same 
breath as 512M ram and SSH. I guess I'm too old, to me embedded and micro is 
maybe 512K of ram and a UART. I suppose when you are building 1,000,000 of 
something instead of 1,000, the economies of scale allow that sort of thing.

Jeff

===============================================================
From: Dan Lyke
------------------------------------------------------

512K of ram. K.

/me goes off muttering "512 *bytes*. Freakin' kids these days."

(current 1 hour a week consulting gig is being the backup 
programmer/substitute for key employee insurance for a project that's being 
developed for the consumer market and that has some hard real-time concerns, 
so, yeah, we have the "could throw an AVR at that problem, but they're kinda 
pricey" discussions.)

Dan

===============================================================
From: DaWorm
------------------------------------------------------

Did work with an Echelon Neuron processor once. Had 256 bytes of memory, 
total. Odd architecture where ROM and RAM were the same thing. Fortunately 
lately I've been able to work with STM32 processors of various capabilities.

Jeff

===============================================================
From: Billy
------------------------------------------------------

Scientific Atlanta cable dvd set top boxes: they ran a version of Java 
applet to do anything.

https://electronics360.globalspec.com/article/3232/scientific-atlanta-8300-set-top-box-teardown

This was a similar device from what I worked on. I had a colleague that 
designed a weather app for the set top. He had to write it in a form of Java 
applet that had specific libraries and resolution he could use. These boxes 
had 256MB of ram, not all of which was used for apps. Oh, these were the new 
ones. Older ones had less ram and less features.

Newer boxes use html5 instead, which means they are less error prone, and 
easier to update for new functionality (do it on the server). At least 
that's the theory.

--b

===============================================================
From: David White
------------------------------------------------------

I agree with Lynn. Use Ansible. Very lightweight, doesn't require any agents 
(unlike puppet, etc..), and is compatible with all sorts of stuff - servers, 
network equipment, you name it.

It's not a Red Hat only product. It's compatible with basically any version 
of Linux, and like Lynn said, you can also use it to manage network gear of 
all sorts. Heck, it's also used by people to manage Windows.

Lynn, you'll be interested to know, I'm actually scheduled to take RH294 in 
a couple weeks. I use Ansible for (some of) my own stuff for my own business 
(Barred Owl Web), but we also use it where I work. The corporate team has 
Ansible Tower, but I deployed a vanilla ansible server for my team to use 
last year.

-- David White

===============================================================
From: Dave Brockman
------------------------------------------------------

I'll bite. Anyone have a decent tut to set up an Ansible Server (free) on 
Debian 10?

Cheers, -Dave

===============================================================
From: Billy
------------------------------------------------------

Install: 
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installation-guide

Get Started: 
https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html

--b

===============================================================
From: David White
------------------------------------------------------

Just to get started & learn?

    # apt install ansible

You don't have to have a dedicated server, although it's a good thing to 
have when you've got a team of people. For my own personal stuff, I just 
have Ansible installed onto my local laptop, and I run plays against servers 
I manage.

On Friday, I ran this playbook against all of my servers to update the 
`sudo` package. Saved me a ton of time:

    $ cat sudo.yml
    - hosts: all
      remote_user: username
      become: yes
      become_user: root
      tasks:
        - name: Update sudo package to latest version (CentOS / Red Hat)
          yum:
            name:
              - sudo
            state: latest
          when: ansible_distribution == "CentOS" or ansible_distribution == "Red Hat Enterprise Linux"

    $ ansible-playbook sudo.yml

-- David White

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------

Catching up.. been busy.

The "SSH" requirement was one of the issues, the boxen we manage are behind 
firewalls. Can't get to them. They have to call home. Current client "ET" is 
under 1000 lines of PHP in a single file. Yeah, PHP is fat, but we use it 
for other things so it has to be there.

===============================================================
From: Ed King
------------------------------------------------------

I know a really smart and good looking dude who has 80 android tablets 
running Termux, each with a reverse ssh connection to a local server. Can't 
ssh to any tablet directly, but can ssh to its reverse tunnel all day long. 
Would Ansible work over a reverse ssh tunnel?

===============================================================
From: Lynn Dixon
------------------------------------------------------

Ed, Yessir! We had a customer doing this very thing. They couldn't control 
the WAN, or even layer 3 back to the endpoints AT ALL. So, they wrote a 
little bash script that was run on the endpoint, and that script set up a 
reverse SSH tunnel back to their Ansible Tower machine (doesn't need to be 
Tower though). Ansible would simply use the reverse tunnel TUN adapter for 
its communications back to the end point. This let them get around 
uncontrolled WANs, firewalls, etc. As long as the end point could open an 
SSH tunnel, it was easily managed.
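The call-home arrangement Ed asks about and Lynn describes, written out as an added shell example (not code from the thread, from Ansible, or from the customer Lynn mentions): the endpoint opens a reverse tunnel, and the controller gets a restricted authorized_keys entry and an inventory line that points Ansible at the tunnel. controller.example.com, the "tunnel" account and the hostname-derived port scheme are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the "call home" reverse SSH tunnel
# Lynn describes, with the controller-side pieces Ansible needs to use it.
# controller.example.com, the "tunnel" account and the port scheme are assumed.
set -eu

CONTROLLER="${CONTROLLER:-controller.example.com}"
TUNNEL_USER="${TUNNEL_USER:-tunnel}"

# Every endpoint needs its own listening port on the controller. Derive it
# from the hostname (20000 + cksum mod 10000) so inventory and key files can
# be regenerated without a central port registry.
tunnel_port() {
  sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
  echo $(( 20000 + sum % 10000 ))
}

# Endpoint side: hold open a reverse tunnel from controller:PORT to our own
# sshd. Binding the remote end to 127.0.0.1 keeps the endpoint reachable only
# from processes on the controller (i.e. Ansible), ExitOnForwardFailure turns
# a port collision into a hard failure instead of a silently unmanaged box,
# and keepalives let a supervisor (systemd Restart=always) redial dropped links.
call_home() {
  port=$(tunnel_port "$(hostname)")
  exec ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
    -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes \
    -R "127.0.0.1:${port}:localhost:22" "${TUNNEL_USER}@${CONTROLLER}"
}

# Controller side: authorized_keys entry for one endpoint. "restrict" turns
# off pty, agent and X11 forwarding; "port-forwarding" re-enables only that;
# permitlisten pins the key to its own loopback port so a compromised endpoint
# cannot squat on another endpoint's tunnel or open listeners elsewhere.
authorized_key_line() {
  host="$1" pubkey="$2"
  port=$(tunnel_port "$host")
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s %s\n' \
    "$port" "$pubkey" "$host"
}

# Controller side: inventory entry. Ansible talks to the controller's loopback
# on the endpoint's port and plain SSH carries it through the tunnel.
inventory_line() {
  printf '%s ansible_host=127.0.0.1 ansible_port=%s\n' "$1" "$(tunnel_port "$1")"
}
```

Run `call_home` under a supervisor on each endpoint, append each endpoint's `authorized_key_line` output to the tunnel account's authorized_keys on the controller, and feed the `inventory_line` output to ansible-playbook as the inventory.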