Production Ready Configuration Management Suites
As far as I know, in the entire world, there are two open source, production-based, bespoke configuration management systems.
In other words, if you want to run a full data center, network, production system and you want a system that has been designed and built and TESTED in production already to work, you only have two options.
Sure, you can make your own system and test everything together; you can make a bricolage of existing roles and custom roles and make it work. But there will always be a long tail of implementation issues.
One such project comes from the US federal government: SIMP, from the NSA, is based on Red Hat and uses Puppet. It has excellent documentation and it's compliant with the highest security standards (docs).
The other comes from a medical university in Europe and is based on Debian. Being an Ubuntu user, I’ll start with the Debian system. The second system is called Debops, the Debian data center in a box.
Debops is a Debian Data Center in a Box
Debops is based on the concept of an Ansible controller, i.e. a desktop or laptop which acts as the controller for the entire network.
I am going to install a bastion server, a VMware-based VM which will be encrypted and also act as the bastion server for the entire network. This way my laptop does not become the weakest link in the entire chain.
I am running the VMware bastion VM from the RAID drive, and will give it a static IP, from within the VM and also at the router. My Comcast business router has annoying IP reassignment settings that kick in at very unfortunate times, such as after a power outage. I force them to stick with a dedicated IP.
I installed the operating system on the server, configured bridged, static public and private IP, and set up DNS with Cloudflare, VNC access and openssh-server. I also installed Ubuntu Desktop: 1, because I have loads of RAM, and 2, because I want the flexibility of using VNC if needed. I know, shell purists roll their eyes now.
Install openssh-server, generate keys, and then allow root login with keys, create a root password, and then connect locally and remotely with ssh [email protected]. This is super important, as otherwise you will be locked out of SSH from remote and can only use VNC. Also, when you run debops for the first time, debops adds root to the users for remote logins. I also had to su devekko to change from root to my main sudo user to run the debops Python scripts.
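A check for the key-only root login step above, added here as an example and not part of the original post: it reads the PermitRootLogin value sshd would use from a config file, honouring sshd's rule that the first value read for a keyword wins. The function names and the sample config are constructed for illustration; only the global section before any Match block is read, and Include files are not followed.

```sh
#!/bin/sh
# Added example (not from the original post): read the value sshd will use for
# PermitRootLogin from an sshd_config file. Assumptions: only the global section
# (before the first Match block) is read, and Include files are not followed.

# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.
sshd_global_value() {  # usage: sshd_global_value <config-file> <Keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                       # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            key  = tolower(substr(line, 1, RLENGTH))  # keywords are case-insensitive
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)          # "Key value" or "Key=value"
            if (key == "match") exit                  # global section ends here
            if (key == want) { split(rest, a, /[ \t]+/); print a[1]; exit }
        }' "$1"
}

# Classify how root may log in over SSH according to that value.
root_login_mode() {  # usage: root_login_mode <config-file>
    case "$(sshd_global_value "$1" PermitRootLogin)" in
        prohibit-password|without-password|forced-commands-only) echo key-only ;;
        no)  echo disabled ;;
        yes) echo any-method ;;     # password login possible if passwords are enabled
        "")  echo unset ;;          # compiled-in default applies; confirm with sshd -T
        *)   echo unknown ;;
    esac
}

# Constructed sample config: the second PermitRootLogin line is dead text.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real host's configuration
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin yes
EOF
echo "root login mode: $(root_login_mode "$SAMPLE")"
```

On a live host, sshd -T prints the effective configuration and is the authoritative answer; a file check like this is useful for reviewing a config before it is deployed.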
Debops has excellent, if dense, docs, and we use the Install docs
sudo -H apt install python-pip
Let’s also upgrade pip
sudo -H pip install --upgrade pip
Next we install Debops itself with pip
sudo -H pip install debops
Debops uses Ansible and we need that installed now, but let’s install the latest development version via Git and run it from source
sudo apt install -y git wget curl
sudo apt install -y build-essential libssl-dev libffi-dev python-dev
sudo -H pip install paramiko PyYAML Jinja2 httplib2 six
git clone https://github.com/ansible/ansible.git --recursive
Now we have Ansible running from source
ansible 2.3.0 (devel bd036c15e0) last updated 2017/02/19 16:06:37 (GMT -700)
config file =
configured module search path = Default w/o overrides
Starting Debops project
Now we begin our Debops project. Debops is designed to have separate projects for separate networks of servers and applications. Following Getting Started, we install the Debops roles, playbooks and some handy Python scripts that serve as shortcuts to standard verbose Ansible
DebOps playbooks have not been found, installing into /home/devekko/.local/share/debops/debops-playbooks
for a total of 107 playbooks
Creating new DebOps project in /home/devekko/devekko-io ...
We now add our bastion server to the inventory
Now we run Debops on our Bastion server
PLAY RECAP ******************************************************************************************
bastion : ok=218 changed=124 unreachable=0 failed=0
TASK: debops.dhparam : Generate Diffie-Hellman params on Ansible Controller - 224.43s
TASK: debops.apt : Update APT cache ------------------------------------ 19.12s
TASK: debops.apt_install : Install requested APT packages -------------- 13.19s
TASK: debops.core : Install required core packages --------------------- 12.88s
TASK: debops.sshd : Ensure OpenSSH support is installed ---------------- 10.40s
TASK: debops.ferm : Configure ip(6)tables rules ------------------------- 8.98s
TASK: debops.ferm : Ensure ferm is installed ---------------------------- 7.39s
TASK: debops.nullmailer : Install required packages --------------------- 6.48s
TASK: debops.auth : Install auth-related packages ----------------------- 5.56s
TASK: debops.atd : Install atd ------------------------------------------ 5.09s
Now Debops runs 107 playbooks and bootstraps your bastion server as the Ansible controller.
We now have Debops installed as a bastion server, which we can encrypt, back up and access from across the network.