what are you using as a source of truth (inventory)
Posted by crankysysadmin@reddit | linuxadmin | 33 comments
We have so many different systems used for different things. We have ansible and puppet. We have threat detection software on every linux machine. We also have an inventory database.
Of course none of these all match because everything is manual.
You can't use your management tool as inventory because inevitably there will be some systems that aren't part of it. I see a lot of smaller shops trying to use their management tool as their inventory system.
A management tool won't have records of machines that are not managed, it won't have records of machines that are an exception and run a different OS than you typically support (appliances, etc). A management tool also won't have historical records of machines that no longer exist.
A system also needs to be a source of truth where you can pull a machine name from as part of provisioning a machine.
Curious what people are doing and how you tie all different systems together.
hlamark@reddit
You can use orcharhino for this. orcharhino can manage basically all Linux distributions and Windows. You can connect AWX or the Ansible Application Platform to orcharhino.
https://docs.orcharhino.com/or/docs/sources/guides/integrating_orcharhino_and_awx.html
symcbean@reddit
Code.
It is inevitable that there will be lots of places where you need to maintain lists of your kit and how it is installed and configured (indeed, the configuration itself is a set of lists in itself). The myth of a single CMDB as an absolute source of truth has all but disappeared.
There are lots of tools available but none of them solve all the problems.
That means you need a suite of tools but you'll need to write your own tools to cross-reference and keep them in sync/reconcile data.
If you choose tools which are not only good at what they do but also provide an API or accessible data then that becomes a lot easier.
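symcbean's point is that the cross-referencing is code you write yourself. Added example (not from any commenter in the thread) of what such a reconciliation script looks like in Python: it takes host exports from Ansible, PuppetDB, the EDR console, the inventory database and a network scan, normalises the names, and reports the gaps that matter for security (unmanaged hosts, managed hosts with no agent, hosts the inventory does not know). All five lists are constructed sample data and the category names are my own.

```python
"""Cross-reference host lists from several tools and report the gaps.

Added example, not from the thread. The inputs are constructed sample
exports (assumption: one hostname per record, FQDN or short name).
"""

# --- constructed sample exports -------------------------------------------
ANSIBLE_HOSTS = ["web01.corp.example", "web02.corp.example",
                 "db01.corp.example", "build01.corp.example"]
PUPPET_NODES = ["web01.corp.example", "db01.corp.example", "db02.corp.example"]
EDR_AGENTS = ["WEB01", "WEB02", "DB01", "build01"]          # console exports upper-case
# inventory DB rows: (name, status); retired rows stay for history
CMDB_ROWS = [("web01", "active"), ("web02", "active"), ("db01", "active"),
             ("db02", "active"), ("nas01", "active"), ("store02", "active"),
             ("old-app", "retired")]
# hostnames resolved from an nmap sweep of the server VLAN
SCAN_HITS = ["web01.corp.example", "web02.corp.example", "db01.corp.example",
             "db02.corp.example", "nas01.corp.example", "lab-box.corp.example"]


def norm(name: str) -> str:
    """Collapse FQDN/short-name and case differences so sources compare."""
    return name.strip().lower().split(".")[0]


def reconcile(ansible, puppet, edr, cmdb_rows, scan):
    """Return the discrepancies between the five sources, sorted by name."""
    a = {norm(h) for h in ansible}
    p = {norm(h) for h in puppet}
    e = {norm(h) for h in edr}
    active = {norm(n) for n, status in cmdb_rows if status == "active"}
    s = {norm(h) for h in scan}
    managed = a | p
    return {
        # recorded or live on the network, but no config management owns them
        "unmanaged": sorted((s | active) - managed),
        # managed hosts without a threat-detection agent
        "no_edr": sorted(managed - e),
        # tooling knows a host the inventory DB does not (inventory is stale)
        "not_in_cmdb": sorted((managed | e) - active),
        # seen on the wire but absent from every record: investigate first
        "unknown_on_network": sorted(s - managed - e - active),
        # inventory says active but nothing has seen it (decommissioned?)
        "cmdb_only": sorted(active - managed - e - s),
        # hosts in both config managers: pick one owner or they fight
        "double_managed": sorted(a & p),
    }


if __name__ == "__main__":
    for category, hosts in reconcile(ANSIBLE_HOSTS, PUPPET_NODES, EDR_AGENTS,
                                     CMDB_ROWS, SCAN_HITS).items():
        print(f"{category:20s} {', '.join(hosts) or '-'}")
```

Run it on a cron and alert on `unknown_on_network` and `no_edr` first; those are the hosts nobody is patching or watching. The normalisation is deliberately crude; if your estate has the same short name in two domains, key on FQDN or serial instead.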
exekewtable@reddit
NetBox.
oddroot@reddit
Check out Netbox, nicest thing I've seen called not a cmdb in a while, plugs into things, API hooks, all the good stuff. (Supposedly an IPAM solution)
wildcarde815@reddit
This is currently a pain point for me with it. Why can't I make an IP range and have all possible IPs just get made and be ready to assign. It's such an odd shortcoming for a powerful tool.
Mailstorm@reddit
The idea is that when you do IaC and whatnot, you use the API to get the next unallocated IP. Cuz if it's not documented then that means it's free and not in use.
But that doesn't work for everyone so you can do what the other person said. Use the [] to make a range
oddroot@reddit
I think the IP prefixes might do what you are looking for, I use it more for system automation with ansible/Linux. But there seems to be a few ways of doing IPs, and VRF/vlans also seem to matter when allowing individual IP allocation/usage. We don't use a DHCP server that interacts with our netbox, so we only have the static allocation stuff in there.
wildcarde815@reddit
yea this is primarily for record keeping, but we have a few vlans where we own all / most of the IP space so instead of having to add every ip entry manually having them all ready and available to add to a host while adding host details is super handy.
420GB@reddit
You can do
10.2.2.[1-254]
or a syntax like that to create multiple entries at once
wildcarde815@reddit
o my god, that's amazing. thank you!
Loud_Posseidon@reddit
TIL, thanks!
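Both approaches from the sub-thread, as an added example that is not from any commenter or from the NetBox project: a small expander for the `10.2.2.[1-254]` bulk-create pattern (ranges, comma lists and several bracket groups), and the "ask the API for the next free address" workflow, which uses NetBox's `/api/ipam/prefixes/<id>/available-ips/` endpoint. The HTTP transport is a callable you pass in, so the demo runs offline against a fake; the token-auth client is a plain `urllib` wrapper and the prefix id, token and pool of addresses are assumptions.

```python
"""Expand a NetBox-style IP pattern and reserve the next free address.

Added example, not from the thread or NetBox. `expand_pattern` mirrors the
`10.2.2.[1-254]` syntax; `reserve_next_ip` POSTs to the prefix's
available-ips endpoint so NetBox, not the caller, picks the address.
"""
import ipaddress
import json
import re
import urllib.request
from itertools import product

_BRACKET = re.compile(r"\[([^\]]+)\]")


def expand_pattern(pattern: str) -> list[str]:
    """'10.2.2.[1-3,10]' -> ['10.2.2.1', '10.2.2.2', '10.2.2.3', '10.2.2.10'].

    Each bracket group is a comma list of integers or lo-hi ranges; several
    groups expand as a cartesian product, e.g. '10.[1-2].0.[1-2]'.
    """
    groups = []
    for grp in _BRACKET.findall(pattern):
        values = []
        for part in grp.split(","):
            lo, _, hi = part.strip().partition("-")
            values.extend(range(int(lo), int(hi or lo) + 1))
        groups.append(values)
    template = _BRACKET.sub("{}", pattern)
    out = []
    for combo in product(*groups):
        addr = template.format(*combo)
        ipaddress.ip_address(addr)      # ValueError on nonsense like 10.2.2.300
        out.append(addr)
    return out


def netbox_client(base_url: str, token: str):
    """Return request(method, path, body) using NetBox token auth.
    Assumption: the token is scoped to write ipam.ipaddress only."""
    def request(method, path, body=None):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Token {token}",
                     "Content-Type": "application/json",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return request


def reserve_next_ip(prefix_id: int, description: str, request) -> str:
    """Let NetBox allocate the first unused address inside the prefix.

    A GET on the same path only lists free addresses; the POST both picks
    and creates the record, so two provisioning runs cannot collide.
    """
    created = request("POST", f"/api/ipam/prefixes/{prefix_id}/available-ips/",
                      [{"description": description, "status": "active"}])
    record = created[0] if isinstance(created, list) else created
    return record["address"]            # CIDR form, e.g. '10.2.2.5/24'


def fake_netbox(pool: list[str]):
    """Offline stand-in for netbox_client(): hands out `pool` in order."""
    def request(method, path, body=None):
        assert method == "POST" and path.endswith("/available-ips/")
        return [{"id": 1000 + len(pool), "address": pool.pop(0), **body[0]}]
    return request


if __name__ == "__main__":
    print(len(expand_pattern("10.2.2.[1-254]")), "addresses from the pattern")
    nb = fake_netbox(["10.2.2.5/24", "10.2.2.9/24"])   # constructed pool
    print("web03 gets", reserve_next_ip(7, "web03", nb))
```

Pre-creating every address is fine for record keeping, but note the consequence Mailstorm describes: once all 254 records exist, "undocumented means free" no longer holds and the allocation call will refuse the prefix, so pick one model per VLAN.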
jambry@reddit
We have NetBox and then different custom written tools that pull data from our configuration management, monitoring, etc and update NetBox with all the data we can add that way.
gargravarr2112@reddit
Definitely Netbox. It's built to be the single source of truth for your domain.
tremblane@reddit
+1 for Netbox. I have a script that hits its API to get a list of every host with an “ansible-managed” tag and use that to build my Ansible inventory files. And before anyone points out that ansible could directly hit netbox as its inventory source, I wanted to be able to handle if netbox is unavailable for some reason. This way I can hand edit the inventory files if need be.
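An added example of the tag-to-inventory script tremblane describes, written by me rather than the commenter: it pages through `/api/dcim/devices/?tag=ansible-managed` following NetBox's `next` links, groups hosts by role and site into an INI inventory, and leaves the existing file untouched when NetBox is unreachable so it can still be hand-edited. The device field names (`name`, `role`/`device_role`, `site`, `primary_ip4`) follow the NetBox device serializer as I know it; the base URL, token and the two response pages are constructed.

```python
"""Build an Ansible INI inventory from NetBox devices tagged ansible-managed.

Added example, not the commenter's script. Falls back to the previous file
if NetBox cannot be reached. Sample API responses are constructed.
"""
import io
import json
import sys
import urllib.error
import urllib.request
from collections import defaultdict
from pathlib import Path


def fetch_devices(base_url, token, tag="ansible-managed",
                  opener=urllib.request.urlopen):
    """Follow NetBox's `next` links until every tagged device is collected."""
    url = f"{base_url.rstrip('/')}/api/dcim/devices/?tag={tag}&limit=200"
    devices = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Token {token}", "Accept": "application/json"})
        with opener(req, timeout=10) as resp:
            page = json.load(resp)
        devices.extend(page["results"])
        url = page.get("next")
    return devices


def render_inventory(devices) -> str:
    """Group by role and site; ansible_host comes from primary_ip4."""
    groups = defaultdict(list)
    for d in devices:
        ip = (d.get("primary_ip4") or {}).get("address")
        if not ip:
            continue                    # nothing to connect to; don't guess
        role = d.get("role") or d.get("device_role") or {}   # NetBox 4 / 3 key
        host = f"{d['name']} ansible_host={ip.split('/')[0]}"
        groups[role.get("slug", "unknown-role")].append(host)
        groups["site_" + d["site"]["slug"]].append(host)
    lines = []
    for group in sorted(groups):
        lines += [f"[{group}]", *sorted(groups[group]), ""]
    return "\n".join(lines)


def write_inventory(path, base_url, token, opener=urllib.request.urlopen):
    """Refresh `path` from NetBox; keep the old file if NetBox is down."""
    try:
        devices = fetch_devices(base_url, token, opener=opener)
    except (OSError, ValueError, KeyError) as exc:   # URLError is an OSError
        print(f"netbox unavailable ({exc}); keeping {path}", file=sys.stderr)
        return False
    tmp = Path(str(path) + ".tmp")
    tmp.write_text(render_inventory(devices))
    tmp.replace(path)                   # atomic swap, no half-written file
    return True


# --- constructed sample: two pages, the third device has no primary IP -----
_BASE = "https://netbox.example"
_PAGE1 = {"count": 3, "results": [
    {"name": "web01", "role": {"slug": "web"}, "site": {"slug": "dc1"},
     "primary_ip4": {"address": "10.2.2.11/24"}},
    {"name": "web02", "role": {"slug": "web"}, "site": {"slug": "dc1"},
     "primary_ip4": {"address": "10.2.2.12/24"}}],
    "next": f"{_BASE}/api/dcim/devices/?tag=ansible-managed&limit=200&offset=200"}
_PAGE2 = {"count": 3, "next": None, "results": [
    {"name": "db01", "role": {"slug": "db"}, "site": {"slug": "dc1"},
     "primary_ip4": None}]}


def fake_opener(req, timeout=None):
    """Offline stand-in for urlopen serving the two constructed pages."""
    page = _PAGE2 if "offset=" in req.full_url else _PAGE1
    return io.BytesIO(json.dumps(page).encode())


def down_opener(req, timeout=None):
    """Stand-in for a NetBox outage."""
    raise urllib.error.URLError("connection refused")


if __name__ == "__main__":
    print(render_inventory(fetch_devices(_BASE, "token", opener=fake_opener)))
```

The atomic rename matters when AWX or a cron job may read the file at any moment; a crash mid-write otherwise leaves an empty inventory and a run that silently targets nothing.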
snark42@reddit
NetBox, previously Device42.
wyohman@reddit
Netbox/Nautobot
wired-one@reddit
Satellite.
crankysysadmin@reddit (OP)
what systems do you have connected to it and use the data? do they grab inventory information with an API or what is your overall workflow using it as a source of truth?
wired-one@reddit
I use Ansible Automation Platform to pull automate information out of the Satellite. The inventories are up to date, as the Satellite is ALWAYS the source of truth in my organization. I'm able to then publish that inventory data into our CMDB via Ansible. I have full host info, patching data, IP information, ownership, everything that I want in Satellite dynamically.
This is the benefit of using Satellite here too, as the facts are dynamically pulled from the hosts via subscription manager and are accurate.
The Satellite API is also hugely useful for additional work and integrating with other tools in your ecosystem.
crankysysadmin@reddit (OP)
how do you get the data out of satellite?
wired-one@reddit
I use Ansible, the hammer utility, or the API directly, depending on the use case.
Ansible has an inventory integration for Satellite built in. It collects host data from the Satellite server and provides that into your inventory for playbooks.
For direct API integration I use this reference: https://docs.redhat.com/en/documentation/red_hat_satellite/6.16/html/using_the_satellite_rest_api/index
and this cheat sheet for working with host data: https://docs.redhat.com/en/documentation/red_hat_satellite/6.16/html/using_the_satellite_rest_api/api-cheat-sheet#working-with-hosts
When needed, I can use the hammer CLI to directly issue commands to the Satellite: https://docs.redhat.com/en/documentation/red_hat_satellite/6.16/html/using_the_hammer_cli_tool/index
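An added example of the direct API route wired-one mentions, not the commenter's own tooling: it pages through `GET /api/hosts` with the `search`, `page` and `per_page` parameters from the Satellite REST API guide linked above and flags hosts that have stopped reporting, which is the check that tells you the "source of truth" has drifted from the machines. The response keys (`results`, `subtotal`) and host fields (`name`, `ip`, `last_report`) are what I expect from that API and are assumptions here; the credentials and the two response pages are constructed.

```python
"""Page through Satellite's host API and flag hosts that stopped reporting.

Added example, not from the thread. Field names are assumptions based on
the Satellite/Foreman hosts API; the sample pages are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def satellite_getter(base_url, user, password, opener=urllib.request.urlopen):
    """Return get(path, params) using HTTP basic auth.
    Assumption: a dedicated read-only Satellite user, not an admin."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    def get(path, params):
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {creds}", "Accept": "application/json"})
        with opener(req, timeout=15) as resp:
            return json.load(resp)
    return get


def all_hosts(get, search="", per_page=100):
    """Collect every host matching `search`. Satellite caps each page, so a
    single unpaged call silently truncates a large estate."""
    hosts, page = [], 1
    while True:
        data = get("/api/hosts", {"search": search, "per_page": per_page,
                                  "page": page})
        hosts.extend(data["results"])
        if not data["results"] or page * per_page >= data["subtotal"]:
            return hosts
        page += 1


def parse_ts(value: str) -> datetime:
    """Accept both '2024-06-10 08:00:00 UTC' and ISO 'Z' timestamps."""
    return datetime.fromisoformat(
        value.replace(" UTC", "+00:00").replace("Z", "+00:00"))


def stale_hosts(hosts, now, max_age=timedelta(days=7)):
    """(name, ip, days_silent) for hosts with no report inside max_age;
    days_silent is None when the host never reported at all."""
    out = []
    for h in hosts:
        last = h.get("last_report")
        if not last:
            out.append((h["name"], h.get("ip"), None))
            continue
        age = now - parse_ts(last)
        if age > max_age:
            out.append((h["name"], h.get("ip"), age.days))
    return out


# --- constructed sample: four hosts over two pages of three --------------
_PAGES = {
    1: {"total": 4, "subtotal": 4, "page": 1, "per_page": 3, "results": [
        {"name": "web01.corp.example", "ip": "10.2.2.11",
         "last_report": "2024-06-10 08:00:00 UTC"},
        {"name": "web02.corp.example", "ip": "10.2.2.12",
         "last_report": "2024-05-20 08:00:00 UTC"},
        {"name": "db01.corp.example", "ip": "10.2.2.21",
         "last_report": "2024-06-09T23:30:00Z"}]},
    2: {"total": 4, "subtotal": 4, "page": 2, "per_page": 3, "results": [
        {"name": "build01.corp.example", "ip": "10.2.2.31",
         "last_report": None}]},
}
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the demo


def fake_get(path, params):
    """Offline stand-in for satellite_getter()'s closure."""
    return _PAGES[params["page"]]


if __name__ == "__main__":
    for name, ip, days in stale_hosts(all_hosts(fake_get, per_page=3), NOW):
        print(f"{name:24s} {ip:12s} silent for {days if days is not None else 'ever'} days")
```

A host that is registered but silent is the interesting case: Satellite still lists it, Ansible still targets it, but nothing has verified its state or patched it in weeks. Feed the output into the ticket system rather than just a log.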
pnutjam@reddit
Assuming your servers are Red Hat, they should all be registered to satellite for patching.
I use hammer scripts to update stuff or pull manual inventories based on different criteria. It will integrate cleanly with AWX or Ansible Tower.
The API is also useful, but a little more work than using hammer to export specific inventories.
knobbysideup@reddit
Everything is monitored, so it used to be naemon was my inventory. Now it's my ansible inventory, but everything is still monitored so you can get lists from either place. Ansible is the core of it though, since it generates the naemon host configs anyway.
If you have unmanaged systems, get some proper policies in place so that is less likely to happen, then enforce those policies with scans from auditing tools.
GamerLymx@reddit
I'm on the journey to populate netbox
StatementOwn4896@reddit
I use SUSE Manager. Ships with salt stack out of the box and I can manage everything from there. Plus it does vulnerability scans and notifies me when I need to make patches
ryebread157@reddit
Implement puppetdb, then export the hosts to an ansible inventory
unixbhaskar@reddit
GLPI
planetafro@reddit
Just record serial numbers in your ticket system.
itsgottabered@reddit
We use Netbox for our inventory for ansible. this ties into AWX and with sensible grouping/tagging makes life most enjoyable.
pgmanno@reddit
Ansible has a bunch of different inventory plugins.
https://docs.ansible.com/ansible/latest/plugins/inventory.html
"You can use ansible-doc -t inventory -l to see the list of available plugins"
AfraidAnalyst@reddit
How the hell do you have ansible and puppet and everything is manual?
ISortaStudyHistory@reddit
Sounds like maybe you could benefit from the nmap dynamic inventory plugin.