[ale] Copying config files to DHCP peer
    Todor Fassl
    fassl.tod at gmail.com
    Fri Dec 20 11:30:26 EST 2019

I've decided to go with ansible. I already ran it past my co-workers and 
they are okay with it.
I was reluctant to suggest creating a whole new infrastructure just for 
this one thing which isn't really even broken right now.  My script 
still works (copies the dhcp config files to the slave and restarts the 
dhcp service via an ssh key). There is a quick & dirty way. Systemd can 
be configured to run a script when a service starts successfully. All 
I'd have to do is add a line to the systemd config file for the 
isc-dhcp-server service. My co-workers wouldn't have to understand how 
it works or even learn to type something different.
I've been seeing articles about ansible everywhere for years now but I 
hadn't bothered to really look into it. Lots of them were about things 
like how to deploy a cloud based email service onto 147 different nodes 
-- which I am not interested in.  But a little bit of research changed 
my mind.
Reasons I decided to go with ansible:
* It's as if ansible was designed for this very task. Many of the basic 
examples out there are of copying a config file to a server and starting 
a service -- all via ssh keys just as I am already doing.
* If I get hit by a bus, new guy isn't going to come in here and say, 
"Ansible, what the heck is that?" If he does, that's on him.
* If I went with the quick & dirty approach and then got hit by a bus, 
new guy could reasonably say, "All I did was to re-install dhcp and now 
the peers are no longer syncing. Turns out dude modified the systemd 
config file. Where is that documented?"
* My current co-workers should be okay with it. They just have to learn 
to type an ansible command to restart dhcp when I'm on vacation. And 
ansible uses yaml for config so it is kinda sorta self-documenting. 
They are not going to want to learn to be an ansible admin but if I'm in 
Bimini and something goes wrong, they *may* be able to figure it out.
* I have a lot of other scripts that would be better written as ansible 
playbooks. For example, I have a script to resync the slave with the 
master ldap database. Another to generate a CSR with standardized 
answers to the questions for a certificate. I've trained my co-workers 
to run these scripts but they'd be better as ansible playbooks.
On 12/19/19 7:51 PM, Robert Tweedy wrote:
> Another option with systemd would be to use its ability to monitor 
> changes to files and start a custom systemd script when the config files 
> being monitored are modified: 
> https://www.freedesktop.org/software/systemd/man/systemd.path.html
> 
> This is the method we use to keep our DHCP server configs in sync at 
> work; we make an update to the config file on one system, and it pushes 
> the change to the peer via a systemd oneshot service that copies it over 
> via scp. You could also modify it to do a restart of the DHCP service at 
> the same time, though that could be dangerous if you have to save the 
> config file for any reason before finishing with all the changes; it 
> would result in the DHCP server being restarted each time the file's 
> saved, and if it's in an incomplete state then you'll have a disruption 
> in your DHCP service.
> 
> -Robert
> 
> On 12/19/19 12:40 PM, Todor Fassl via Ale wrote:
>> It occurs to me that my question has a basic push/pull problem. I 
>> could make it so my co-workers don't know they are updating the peer.  
>> That is the way it is now. They type "service dhcp start" just as they 
>> have always done. So that's nice when I am on vacation but what if I 
>> get hit by a bus? New guy comes in and has no idea how the peer is 
>> getting updated. Maybe it's bad that I'm making this so easy.
>>
>> Well, if I stick with the make it easy approach, what about adding a 
>> execstart post script to the systemd config file?
>>
>> https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStartPre= 
>>
>> On 12/19/19 11:20 AM, Bryan L. Gay via Ale wrote:
>>> Using a config manager would be perfect, but that's a long row to hoe
>>> if not already using a config manager.
>>> Personally, I'd use Chef above ansible or puppet, but that's just me.
>>> There's a learning curve for the people who want to make config
>>> changes using either of these tools.
>>>
>>> On Thu, Dec 19, 2019 at 12:17 PM Joey Kelly via Ale <ale at ale.org> wrote:
>>>>
>>>> On Thursday, December 19, 2019 10:58:03 AM Todor Fassl via Ale wrote:
>>>>> I have been running peered ISC dhcp servers for years. The problem is
>>>>> that you need copies of the config files on both machines. Say you 
>>>>> want
>>>>> to assign an IP address to a new machine. You add a stanza to a config
>>>>> file but then you then have to get a copy of the modified config 
>>>>> file to
>>>>> the peer. If you forget to do that, you are going to screw things up
>>>>> pretty badly.
>>>>
>>>> So write a wrapper that fetches your stanzas or the complete config 
>>>> file, pushes
>>>> them to the servers, then restarts the servers. ansible/puppet can 
>>>> be your
>>>> friend here.
>>>>
>>>> --Joey
>>>>
>>>>> Other people in my department occasionally need to make these config
>>>>> changes. So I need a way to guarantee that the config files get copied
>>>>> over. Googling showed me lots of articles on configuring a peer in
>>>>> isc-dhcp but only one on syncing the config files. That person was 
>>>>> doing
>>>>> it via rsync and a script in cron.hourly.
>>>>>
>>>>> What I have done, at least for now, is to replace the init script with
>>>>> my own script. This script uses an ssh key to copy the files to the 
>>>>> peer
>>>>> and then restarts dhcp on the peer. If somebody types "service dhcp
>>>>> restart", it runs my script. But now with systemd, it is going to 
>>>>> be harder.
>>>>>
>>>>> Fortunately, for now, my co-workers are still typing "service bind9
>>>>> restart" and the like. So "service dhcp restart" is not a problem --
>>>>> yet. But if somebody types "systemctl restart isc-dhcp-server", it is
>>>>> not going to work.
>>>>>
>>>>> It's interesting that bind9 and slapd handle this under the covers.
>>>>
>>>> -- 
>>>> Joey Kelly
>>>> Minister of the Gospel and Linux Consultant
>>>> http://joeykelly.net
>>>> 504-239-6550
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> https://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>>
>>
> 
-- 
Todd
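As an added example (not code from this thread or from any of the posters), here is the kind of ansible playbook the approach described above boils down to: it copies dhcpd.conf to the peer, has dhcpd syntax-check the uploaded copy before it replaces the live file, and restarts the service only when the file actually changed, which is one way to avoid the half-finished-config restart Robert warned about. The inventory group dhcp_peers, the config path, the dhcpd binary location and the isc-dhcp-server service name are assumptions.

```yaml
# Added example playbook, not from the mailing list thread.
# Assumptions: inventory group "dhcp_peers" holds the peer(s); the master copy
# of the config lives at /etc/dhcp/dhcpd.conf on the control host; the peer is
# Debian-style (service isc-dhcp-server, binary /usr/sbin/dhcpd).
# Run with: ansible-playbook -i inventory sync-dhcp.yml
- name: Sync ISC DHCP configuration to the peer and restart it
  hosts: dhcp_peers
  become: true
  tasks:
    - name: Copy dhcpd.conf, installing it only if dhcpd accepts the syntax
      ansible.builtin.copy:
        src: /etc/dhcp/dhcpd.conf
        dest: /etc/dhcp/dhcpd.conf
        owner: root
        group: root
        mode: "0644"
        backup: true
        # %s is the temporary upload path on the peer. If dhcpd -t exits
        # non-zero the task fails and the previous file stays in place,
        # so a broken edit never reaches the running service.
        validate: /usr/sbin/dhcpd -t -cf %s
      notify: Restart isc-dhcp-server

  handlers:
    # Handlers run once, at the end, and only if the copy task reported a
    # change, so re-running the playbook with no edits does not bounce DHCP.
    - name: Restart isc-dhcp-server
      ansible.builtin.service:
        name: isc-dhcp-server
        state: restarted
```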