
ansible-role-linux's People

Contributors

cressm, inghamn, pgporada, sethcob


ansible-role-linux's Issues

Update NTP conf for Ubuntu 20.04

So far, we provide a custom NTP conf file as a template. However, this does not allow for the distro to provide variations over time.

Instead of writing a template, we should just make sure the server lines are added to the ntp.conf file.

Allow for no additional packages

If you want to run this role, but desire no additional packages, you still must declare the "linux_packages" var. Otherwise it crashes.

Update to support RedHat distros

We are starting to want to run CentOS on servers. We need to update our Ansible roles to work with RPM based distros as well as DEB.

Document the vars that this role expects

The README does not mention the vars that are expected by this role and what they are used for. It would be nice to not have to read through all the task YML files to discover this.

Disable cloud-config networking

Cloud-config makes it more difficult to make network changes. We should have Ansible turn this off for us, as part of a base linux install.

Add handler for systemd daemon-reload

Ubuntu 20.04 has started adding directory restrictions to services, such as Tomcat. When we deploy apps that need access to config or data directories, we have to override the service definition. The app's playbook will be responsible for providing a systemd drop-in unit file, but we'll need to call systemctl daemon-reload for it to take effect.

Ubuntu 20.04 does not include language packs

Our web applications usually require locales (en_US) for the i18n to work. Ubuntu 20.04 server no longer installs any locales, by default. (It used to install en_US).

We'll need to add the locale installation to our Ansible scripts.

Update system level umask

We use the staff group to control permissions on the content of /srv. However, we never set a umask, so when one staff member adds a file, the file is still not editable by the next staff member.

We should set a good umask for this.

Disable systemd-resolv

Ubuntu uses a local systemd-resolv daemon. It keeps getting in the way of our local DNS environment, though.

We should have ansible disable this service, and replace it with static nameservers in resolv.conf

UFW default commands now require a direction

You must specify a direction when declaring default deny. I think this is something that changed in 18.04. Ansible's latest version has been updated to throw an error if you do not declare a direction.

Install OpenVM tools only on virtual machines

We have been installing open-vm-tools on all machines. Recently we moved its declaration out of the main task, and declared it in group_vars.

#5

OpenVM tools should be installed by core, but only when the host is a virtual machine. We'll need to check the CPU the kernel is running on to see if it's a VM.

Update apt-get install commands to new syntax

The old way of doing apt with-items is deprecated. The new way is to declare a variable for all the package names.

New style for apt-get install

- name: "Install Dependencies"
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - "postgis"

Old, deprecated style

- name: "Install Dependencies"
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - "postgis"

update-ca-certificates not run after playbook fails

When a playbook or role errors out, any handlers notified during that run are forgotten. However, subsequent runs of the same playbook or role will not re-notify the handler.

On a given run, the cert is correctly copied to the host. Then, later on during that run, there's an error in the role, and it fails out. Subsequent runs of the playbook will not, then, notify the handler, since the presence of the correct cert file means it shouldn't re-notify.
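One way to close the gap described in this issue, shown as an added example that is not the role's own code: flush handlers immediately after the certificate task, so a later failure cannot leave a copied cert without a rebuilt trust store. The variable `linux_ca_cert` and the file layout are assumptions; `meta: flush_handlers` and `force_handlers` are standard Ansible features.

```yaml
---
# tasks/main.yml (hypothetical layout)
- name: "Install internal CA certificate"
  copy:
    src: "{{ linux_ca_cert }}"          # hypothetical variable: path to the .crt file
    dest: "/usr/local/share/ca-certificates/{{ linux_ca_cert | basename }}"
    owner: root
    group: root
    mode: "0644"
  notify: "update-ca-certificates"

# Run any notified handlers now instead of at the end of the play.
# If a later task fails, the trust store has already been rebuilt,
# so the next run's "ok" (unchanged) copy result loses nothing.
- name: "Flush handlers right after certificate changes"
  meta: flush_handlers

---
# handlers/main.yml (hypothetical layout)
- name: "update-ca-certificates"
  command: update-ca-certificates

---
# Alternative at the play level: run notified handlers even when
# a task fails on that host later in the play.
- hosts: all
  force_handlers: true
  roles:
    - linux
```

The same play-level behaviour is available per run with `ansible-playbook --force-handlers`.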

Move cron.daily to run earlier

Ubuntu's default configuration sets cron.daily stuff to start running at 6:00 am. Unattended upgrades are part of that, and occur fairly late in the process. By the time Unattended Upgrades run and reboot, it's usually 8:00 am. This is putting upgrades and reboots into normal working hours.

We should adjust crontab to start the cron.daily stuff earlier.

I know Ubuntu is using Anacron, so we'll need to make sure we understand how to control when things run.

Variables should be named to match the role name

Ansible does not have namespacing, and variables are read from ALL group_vars files. We need to make sure to distinguish similar variables from different roles.

We must rename all variables declared in the linux role to be linux_*

Move base package list to group_vars

We want to allow for hosts to customize the base package list. The packages should not be hard coded in the role. For instance, we now have a line for VM-tools; however, we use this on physical machines as well.

We should be able to customize the base packages.

Linux role should create the backup directory

The linux role already creates a standard place for cron backup scripts, and sets permissions on /srv. We should go ahead and create the /srv/backups directory. This is the directory all applications should use to send nightly backups.
