From 9108c9343ed38a7b606055671e4a4213ef6a5c49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 22 Dec 2019 16:33:31 +0100 Subject: [PATCH 1/2] =?UTF-8?q?Rename=20ansible=5Fpull.yml=20to=20?= =?UTF-8?q?=E2=80=A6=5Fcron.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It might still be useful as a reference for old systems, so let's keep it. --- language_features/{ansible_pull.yml => ansible_pull_cron.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename language_features/{ansible_pull.yml => ansible_pull_cron.yml} (100%) diff --git a/language_features/ansible_pull.yml b/language_features/ansible_pull_cron.yml similarity index 100% rename from language_features/ansible_pull.yml rename to language_features/ansible_pull_cron.yml From 4c2994dd2104a2b29a09eb0c8820de64eb94cfb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 22 Dec 2019 16:35:32 +0100 Subject: [PATCH 2/2] Add modernized ansible-pull example A bit simpler, and self-contained solution with no extra files. This is based on systemd timers and services, so it has a smaller footprint on systems which already have systemd installed (cron and logrotate dependencies are gone). I assume that ansible is mostly used with modern systems which have systemd available. Systemd will restart the service every OnUnitInactiveSec=, while making sure to not schedule overlapping runs. In practice, it is convenient to change the timer to something as low as one minute when quick updates are needed. With --only-if-changed the load on the system is not even noticeable because all that happens is a noop git pull if no changes were made to the repo. The logs end up in the journal, so no logging configuration is necessary. --- language_features/ansible_pull.yml | 68 ++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 language_features/ansible_pull.yml
diff --git a/language_features/ansible_pull.yml b/language_features/ansible_pull.yml
new file mode 100644
index 000000000..6b5d31c7e
--- /dev/null
+++ b/language_features/ansible_pull.yml
@@ -0,0 +1,68 @@
+# ansible-pull setup
+#
+# on remote hosts, set up ansible to run periodically using the latest code
+# from a particular checkout, in pull based fashion, inverting Ansible's
+# usual push-based operating mode.
+#
+# This particular pull based mode is ideal for:
+#
+# (A) massive scale out
+# (B) continual system remediation
+#
+# DO NOT RUN THIS AGAINST YOUR HOSTS WITHOUT CHANGING THE repo_url
+# TO SOMETHING YOU HAVE PERSONALLY VERIFIED
+#
+#
+---
+
+- hosts: pull_mode_hosts
+  remote_user: root
+
+  vars:
+    # This becomes part of the systemd timer unit.
+    # We want to start soon after the machine boots, and repeat every half an hour.
+    # The service has 30s randomized delay to avoid a stampede if many machines boot
+    # at once.
+    schedule: |
+      OnBootSec=30 s
+      OnUnitInactiveSec=30 min
+      RandomizedDelaySec=30 s
+
+    # Repository to check out -- YOU MUST CHANGE THIS
+    # repo must contain a local.yml file at top level
+    repo_url: SUPPLY_YOUR_OWN_GIT_URL_HERE
+
+  tasks:
+
+    - name: Install ansible
+      yum: pkg=ansible state=installed
+
+    - name: Create unit directory
+      file:
+        path: /usr/local/lib/systemd/system/
+        state: directory
+
+    - name: Install timer file
+      copy:
+        dest: /usr/local/lib/systemd/system/ansible-pull.timer
+        content: |
+          [Timer]
+          {{ schedule }}
+
+          [Install]
+          WantedBy=default.target
+
+    - name: Install service file
+      copy:
+        dest: /usr/local/lib/systemd/system/ansible-pull.service
+        content: |
+          [Service]
+          Type=oneshot
+          ExecStart=ansible-pull -i localhost, -U {{ repo_url }} --only-if-changed local.yml
+
+    - name: Enable timer
+      systemd:
+        name: ansible-pull.timer
+        enabled: true
+        state: started
+        daemon_reload: yes
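Review bot: The service unit's `ExecStart=ansible-pull -i localhost, -U {{ repo_url }} --only-if-changed local.yml` runs as root on every host each time the timer fires, but nothing pins which ref is pulled or checks its integrity, so the remote's default branch is the sole trust root for the whole fleet; pinning with `-C <branch-or-tag>` and adding `--verify-commit` (which aborts the run when the checked-out commit carries no valid GPG signature) narrows that to a signing key, and the header comment's repo_url warning is the natural place to say so. A relative executable name in ExecStart= is only resolved by newer systemd releases (older ones reject anything but an absolute path), which is worth confirming against the yum-based systems this playbook targets, or sidestepping with the full path. On the Ansible side, `yum: pkg=ansible state=installed` uses the key=value argument string with a legacy state alias, and `daemon_reload: yes` mixes truthy spellings with the `enabled: true` two lines above; a block mapping with `name: ansible` / `state: present` and `daemon_reload: true` would match the rest of the file.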