
I'm fairly new to administrating servers with configuration managers such as Ansible. I plan on running playbooks automatically on a schedule (via something like Ansible Semaphore, or even just Cron) with high frequency (like every 30 minutes or so).

I'm hoping to achieve two goals with this approach:

  1. Enforce configuration (so I can be confident that no deviation from the expected configuration exists for long);
  2. Detect any such deviation and investigate it (since Ansible reports changes for each task).

Is this a normal and/or recommended approach (I wasn't able to find authoritative sources on the best practices in this regard)?

If not, why — and what would be a better way to achieve my goals?

Thank you!

  • See [UBUNTU20-CIS](https://github.com/ansible-lockdown/UBUNTU20-CIS) for an example of configuring and auditing systems. Use [ansible-runner](https://ansible.readthedocs.io/projects/runner/en/stable/) to schedule the playbooks on your own. See the [example](https://ansible-runner-role.readthedocs.io/en/latest/example1-cron.html). – Vladimir Botka Jul 02 '23 at 19:29
  • @VladimirBotka, thanks a lot for the helpful recommendations. Especially for mentioning CIS configuration. Now I know what my next project will be =) – corvus-migratorius Jul 07 '23 at 10:34

1 Answer


Ansible AWX and Ansible Tower both have the capability to schedule Job Templates.

Since Ansible Managed Nodes are agentless, Ansible pushes the configuration described in a playbook from the Control Node onto the Remote Nodes. Therefore you need to consider at least

  • How long will the runtime for my playbook be?
  • How many nodes should become configured and the configuration enforced?
  • What could be resource constraints like network bandwidth, hops, latency, utilization, etc.?

but that should be the same for any other product.

You could start by reviewing the Task engine built on top of Ansible (AWX) and read further about Ansible Tower for Configuration Drift or Control with Ansible Tower. And also do not miss the comment from Vladimir Botka about

UBUNTU20-CIS for an example of configuring and auditing systems. Use ansible-runner to schedule the playbooks on your own. See the Example.

U880D
  • AWX is too complex for this task; Semaphore is a better choice. – FiftiN Jul 03 '23 at 08:57
  • Agree - the runtime of the playbook in question is usually the biggest limiting factor for determining how frequently the playbook can be re-run. – Semicolon Jul 05 '23 at 13:19
  • Thanks a lot! So, just to clarify, in a server environment, it's A-okay to run playbooks as often as possible based on the observed execution time (plus some margin, of course)? – corvus-migratorius Jul 07 '23 at 10:36
  • Yes, of course. See in example [Control with Ansible Tower](https://www.ansible.com/blog/control-with-ansible-tower-part-1) to prevent Configuration Drift or [Ansible Tower for Configuration Drift](https://stackoverflow.com/a/71251713/6771046). – U880D Jul 07 '23 at 10:48
  • @U880D Don't have enough reputation to upvote anything, but I'm certainly grateful for your help! Cheers! – corvus-migratorius Jul 09 '23 at 15:46
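The enforce-and-detect loop the question asks about, combined with the answer's point that playbook runtime limits how often it can be rerun, as an added example that is not from the question, the answer or any Ansible project: a POSIX sh wrapper for cron that runs the playbook in check mode first so Ansible only reports deviations, enforces only when drift was found, and refuses to overlap a still-running pass. The playbook path, inventory path, log directory and lock path are placeholders.

```shell
#!/bin/sh
# drift_check.sh: cron wrapper for the enforce-and-detect loop described above.
# Pass 1 runs the playbook in check mode so Ansible only REPORTS deviations;
# pass 2 enforces only when drift was found. Paths are placeholders.
PLAYBOOK="${PLAYBOOK:-/etc/ansible/site.yml}"
INVENTORY="${INVENTORY:-/etc/ansible/hosts}"
LOG_DIR="${LOG_DIR:-/var/log/ansible-drift}"
LOCK="${LOCK:-/run/lock/ansible-drift.lock}"

# Sum one PLAY RECAP field ($1: changed, failed, unreachable, ...) over all
# host lines on stdin, e.g. "web1 : ok=12 changed=2 unreachable=0 failed=0 ...".
recap_field_total() {
  awk -v f="$1" '
    / : / { for (i = 1; i <= NF; i++)
              if (index($i, f "=") == 1) { split($i, kv, "="); s += kv[2] } }
    END { print s + 0 }'
}

main() {
  mkdir -p "$LOG_DIR"
  # A slow run must not be overlapped by the next cron tick (runtime is the
  # limiting factor for the schedule), so take a simple mkdir lock.
  if ! mkdir "$LOCK" 2>/dev/null; then
    echo "previous run still active, skipping" >&2; exit 0
  fi
  trap 'rmdir "$LOCK"' EXIT
  stamp=$(date +%Y%m%dT%H%M%S)
  # Pass 1: --check reports tasks that WOULD change without touching hosts;
  # --diff records what differs, which is the evidence to investigate.
  out=$(ansible-playbook -i "$INVENTORY" --check --diff "$PLAYBOOK" 2>&1)
  printf '%s\n' "$out" > "$LOG_DIR/$stamp-check.log"
  changed=$(printf '%s\n' "$out" | recap_field_total changed)
  failed=$(printf '%s\n' "$out" | recap_field_total failed)
  unreach=$(printf '%s\n' "$out" | recap_field_total unreachable)
  if [ "$((failed + unreach))" -gt 0 ]; then
    echo "ALERT: failed=$failed unreachable=$unreach, see $stamp-check.log" >&2
  fi
  if [ "$changed" -gt 0 ]; then
    echo "DRIFT: $changed task result(s) deviate, see $stamp-check.log; enforcing" >&2
    # Pass 2: the real run, logged separately so detection and enforcement
    # remain distinguishable in the audit trail.
    ansible-playbook -i "$INVENTORY" "$PLAYBOOK" > "$LOG_DIR/$stamp-enforce.log" 2>&1
  fi
}

# Only run when invoked as the script itself (e.g. from cron), so the helper
# can be sourced and tested without calling ansible-playbook.
case "$0" in */drift_check.sh|drift_check.sh) main "$@" ;; esac
```

Modules that do not support check mode, such as command and shell, are skipped in the first pass, so drift in those tasks is only visible in the enforce log unless the tasks carry `check_mode: false` and a `changed_when` condition.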