I recently added my account to /etc/sudoers on N servers using Ansible in raw mode (running a shell oneliner). We use visudo to edit /etc/sudoers when we are logged into a server, but since I was doing this in “batch” mode I wanted to do it non-interactively but still have the benefit of the file-locking and syntax checking and rollback that visudo provides. So I set visudo’s VISUAL environment variable to my external command:

[root@myhost ansible]# more sudoers.sh
grep -q ^tsalolia /etc/sudoers || VISUAL="(echo /^root; echo a; echo 'tsalolia ALL=(ALL) ALL'; echo .; echo 'g/^#tsalolia/d'; echo 'x!') | ex - /etc/sudoers" visudo
visudo -c
[root@myhost ansible]#

I edited /etc/sudoers directly with ex to append my entry below root’s because every host had a different /etc/sudoers file (this is what happens when you don’t have configuration management).

Long-term, I’m planning to templatize /etc/sudoers at this client.

I should be able to run

VISUAL="cp /etc/sudoers.new /etc/sudoers" visudo

to safely install the new sudoers file.

P.S. I developed the above on CentOS 5 and 6, but when I tried it on Ubuntu 16, I got the error:

visudo: specified editor ((echo /^root; echo a; echo 'tsalolia ALL=(ALL) ALL'; echo .; echo 'g/^#tsalolia/d'; echo 'x!') | ex - /etc/sudoers) doesn't exist


CFEngine Enterprise makes it absurdly easy to track deployed
servers. All you have to do is spin up a hub, install the lightweight agent on each host, and run cf-agent --bootstrap <hub> to setup a trust relationship between hub and hosts. (If you need any help setting this up, let me know.)

The agent will discover information about each host (hostname, address, OS version, disk utilization, packages installed, etc.) and the hub will collect and aggregate this data, so you can see at a glance things like, my OS inventory is 5% RHEL 4, 10% RHEL 5, 84% RHEL 6, and 1% RHEL 7.

The neat thing, because the agent is lightweight, CFEngine is able to refresh this inventory every 5-10 minutes, so when you go into the Reporting UI, the data is completely up to date — even if you are provisioning hosts dynamically (scaling to meet demand, for example), the Reporting Portal will stay up to date.

CFEngine Enterprise has a great Reporting UI which can build charts and graphs on the fly (under Inventory Report in the Reports tab), you can add filters, and it has a custom report builder.

Plus the inventory is extensible — you can run an arbitrary external shell script or binary (e.g. from third-party vendors) to harvest additional data about the environment. This new data gets picked up by the Enterprise Hub along with the built-in inventory.

The Reporting Portal can export PDFs and CSVs as well, so you can make pretty pie graphs and slides for corporate meetings if you’re lucky enough to be involved in such! 🙂

You can see screenshots of the Reporting Portal in my blog post on cfengine.com.

I am working on setting up a “reporting portal” CFEngine Enterprise hub to aggregate inventory from several hubs in different parts of a company (managed by different organizations). This one “superhub” would allows executives instant insight into infrastructure integrity.

While demonstrating my prototype, an executive liked the idea of having data at her fingertips so much, she asked, can we put our Windows servers into CFEngine?

I said sure, but CFEngine inventory on Windows is not as detailed as it is for UNIX and Linux. The next question naturally then is how detailed is it?

To answer, I spun up a Windows Server 2012 VM in the Joyent public cloud (the Joyent UI is a delight to use, BTW, and I had my VM up in less than a minute) and bootstrapped it to a CFEngine hub in the same cloud. While I was able to pull policy immediately, the hub couldn’t connect to the Windows server on port 5308 to collect reports until I went into the Windows Firewall with Advanced Security control panel and opened up port 5308. (Rackspace.com has a decent write-up.)

Here is what you get out of the box in the way of inventory.

Name	Value
Windows roles	WinServer
System version	BOCHS – 1
Host name	ownerco-18v4p42
Hardware addresses	90:b8:d0:52:7c:09, 90:b8:d0:b5:c7:94
System manufacturer	Joyent
Disk free (%) on main drive (C:)	69
BIOS version	Bochs
Architecture	x86_64
OS type	windows
IPv4 addresses	10.112.186.4, 165.225.131.21
OS kernel	Windows Server 2012
CFEngine ID	SHA=1f6666e1e88b05a4c7a98604ffa429bc452dc209a22e78072abd2d6eccb5170c
System serial number	720f2caa
BIOS vendor	Bochs
CFEngine version	3.7.4
Server class	windows
Uptime minutes	46
OS	Windows Server 2012

The basics are there – hostname, OS version, disk utilization, network addresses. And, just like the UNIX/Linux inventory, the Windows inventory is extensible.

And just for fun, here is a screenshot showing the CFEngine processes running on Windows (the first three in the “ps” output).

I charge US $3,000 per training day, plus a US $2,000 admin fee, to come on-site and train up to 12 staff using a training methodology that ensure that deep learning occurs. Some people have pushed back on the price as too expensive.

As Red Adair, the firefighter specializing in putting out oil well fires, once said:

“If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur.”

I have heard horror stories of 5-day long classes where the “Instructor” sat at the front and droned through a PowerPoint presentation. He wouldn’t answer questions because he had hundreds of slides to get through. I’ve heard of Instructors dismissing class on Friday morning because they’ve “covered the material” already, yet the students still can’t do the actions required because they lack complete understanding.

When I train, I look at the faces of the students to see if they understand. You can see it in their eyes if you care to look. I don’t move on to the next module until everybody understands the current one.

The hallmark of our training is balancing theory with practical, so there are lab exercises after every module. It’s one thing to learn about engines in a text book, but you get a completely different level of understanding after you put one together with your own two hands!

Our materials are carefully laid out to cover all the basics and define all the terms and then and only then start on intermediate and advanced topics. Careful attention to fundamentals is how experienced users come out raving how much they’ve learned.

I have never had anyone complain about price after our training. I have had a couple of people express that ours was the best training they ever had, anywhere.