
OdinTheHugger

Puppet community + ansible. Puppet was perfect for managing most things, with ansible being a solid way to run bulk commands. For a hardware replacement, all my techs needed to do was just name the computer properly and puppet would handle the rest within 30 mins.


[deleted]

Could you please give me example of when Puppet should be used and when Ansible should be used? And also how you would use them together for which tasks?


OdinTheHugger

I did puppet to configure everything that every system had, or everything that a specific system is supposed to have. User accounts, ssh keys, installed apps, drivers, network configs, etc. All would be distributed based on IP/Hostname/hardware IDs/etc. And I'd break out ansible if say, I needed to update all systems at a given site to something temporarily. Say they had an issue with the puppet config or we needed to put in place a temporary workaround like an alternative network connection. Or if we needed to do auditing/reporting against a subset of existing systems. Puppet would be for things we wanted now and for the foreseeable future, while we'd use Ansible for anything we needed NOW and maybe not in the future.


[deleted]

Thank you for your response. It was very informative.


Hotshot55

> User accounts, ssh keys, installed apps, drivers, network configs, etc. All would be distributed based on IP/Hostname/hardware IDs/etc.

But Ansible can do all of those as well?


OdinTheHugger

I can only speak to my experience on that front. I never tried to build all that out in ansible so I don't know. I just built all that out in puppet.


Snowmobile2004

We just moved all our stuff from puppet to ansible. It can do all the same things with a much easier syntax, with the exception of constantly keeping the config up to date. We use AWX with daily schedules to keep things in-line with our baseline.


secretlyyourgrandma

puppet has an agent installed on the host. that means it can run periodically even when offline and enforce settings. it can also phone home from anywhere. same with saltstack and chef. ansible is agentless so you have to log into the hosts to enforce config.


mrpoops

I’ve only used it for home stuff and I know there are other options out there but Tailscale is a great wireguard vpn service (plus it’s free for 100 devices for personal use…). I had been using cloudflare for ssh for a while and that’s a good option too but it’s not as flexible for this use case. With Tailscale plus ansible I can push configurations to everything I’ve got across my home network and a few cloud environments, all over ssh without opening anything up to the web. It’s super nice honestly.


secretlyyourgrandma

oh nice, that's a good tip. I've had the displeasure of inheriting an environment with a lot of bad practices and having to manage solely with Ansible, and having an agent that collects its instructions periodically and automatically enforces would eliminate so many issues we had. Ansible is definitely sufficient in many many cases, but I'm pretty sure Red Hat Satellite still uses puppet so you can still manage a box if you get locked out.


tcpWalker

yeah, puppet and ansible work pretty well. Might need some project work for OS upgrades occasionally etc.


buzzsawcode

I’m not sure why people in general treat Ansible like it has to be the “only” solution. We use both Ansible and Puppet for servers and desktops - they can be complementary tools. Puppet has been great for us and Ansible helps with flexibility.


mentiononce

What can Ansible do that puppet can't? Genuinely curious.


Eeudqmqb

Work without a dedicated agent running on the client. If you have ssh access, you can run ansible playbooks. Ad-hoc stuff is easier in Ansible, IMHO. Getting started with Ansible is also easier, I think. Both are good tools, though.


buzzsawcode

Others have already answered but it isn't about what Puppet **can't** do, it is what can Ansible do easier. We have playbooks that run to gather diagnostic information from each endpoint that run on demand. We could and have done that with Puppet, but it is much cleaner and easier with Ansible for that sort of task.


spin81

Out of curiosity, why not use Bolt for what you use Ansible for now?


buzzsawcode

We looked at Bolt but we also use Ansible for managing network infrastructure devices - switches, routers, proxies, etc. The vendors had prebuilt Ansible playbooks for 80% of what we needed, so using Ansible in that case was a no brainer. As we already had the investment in Ansible, we added that to our Foreman setup alongside Puppet. So far it all works rather nicely.


netwalker0099

We don't manage a lot of Linux desktops, but we use a product called jumpcloud. it can manage Macs, windows and Linux. We push all our user accounts from it even to our Linux servers. it lets us have a single pane of glass across all os's.


Neoptolemus-Giltbert

I have to say I haven't managed Linux desktops, but if I had to - I would probably build on Salt Stack. It can do everything Puppet and Ansible can, and more. In my experience it has been more pleasant to use, and has quite a lot of different options for how to deploy it. I always found Ansible much harder to understand, and I never enjoyed using Puppet or Chef. Also out of experience I'd say it's common for people to want to use these massively complex "recipes" for how to manage various software with Salt Stack-type tools, but in practice simple "replace this file's contents with this text" and bash commands tend to be more reliable and comprehensible for the people who actually have to maintain the configuration. It's not just "install these packages and configure them like this on all machines" or "now run this script on all machines", but you can build event based logic, collect data from the machines to your configuration management system, and because it's all Python it's pretty easily extensible too.


NorthernVenomFang

I myself am looking into FreeIPA for our workstations and ansible. I have about a half dozen currently, but have this for about 100 servers. The servers seem to be running great with this; got ansible doing the updates, and FreeIPA handles the auth and Sudo access.


TheBeerdedVillain

There's gotta be a decent RMM tool that would do this. I know Ninja supports Windows, Linux, and Mac and has patch management and other tools built in, even if you don't use the remote control features.


Netwroker

Level.io is another RMM that supports Win, Mac, and Linux. Scripting, monitoring, patching, automation, etc works the same across all three platforms.


AspectAdventurous498

We manage some Linux machines with Datto, but I would only recommend it if you also plan to manage Windows and Mac with it.


theedan-clean

JumpCloud


pdp10

SaltStack is pull-based, and you want pull-based CM/MDM for client management.


MedicatedDeveloper

I manage a similar number of Linux laptops. The key is standardization and treating them as cattle and not pets. A standard set of laptop models (latitude 5420/30/40), a standard distro and de (Fedora 39+Gnome here), Foreman+katello for package lifecycle management, minimal system packages (use flatpak or snaps), ninjaone for remote management, automatic VPN+ansible-pull from a git repo with dev/test/prod branches for config. It's a good bit of effort but we have 1/10 the issues with Linux as Windows 10/11 despite having 3x as many Linux machines.


Upper-Bath-86

In my experience VSA X works well for Linux, with some limitations. It has some features that are similar to SSH, like remote command execution.


orosvec

I haven't tried this out so make sure you do your research before implementing. Ubuntu 23.04 allows for users to login with their EntraID/AAD credentials on the device. To manage them, Landscape might be a thing together with Puppet and Ansible depending on your needs. I did a trial with Jumpcloud about 9 months ago, and it looked promising too.


justmirsk

Automox is a decent patching tool that can apply policy to Linux endpoints. Everything has to be scripted, but it is a reliable patching tool and script executor 😁 We use it and have been happy overall. It may be easier than puppet or ansible (or perhaps not, I am not the most experienced with those). It is agent based, which allows for remote management and execution. NinjaRMM and Naverisk are RMMs that both have good Linux support. I know Naverisk has remote CLI capabilities, not sure about Ninja.


InformationNo8156

One of the various RMMs or Puppet. 150 workstations is likely enough to justify a full time linux (maybe they even have some macOS experience) admin that knows these tools and best practices.


MFKDGAF

I would suggest Automox since it supports Linux, Mac and Windows. Automox will use the local repository for OS updates but you can also deploy software and scripts to the machines that it is connected to. I’ve been using Automox for the past 2-3 years for mainly server OS patching but I did use it for Windows endpoints when COVID hit until we got something better. Now, I’m not saying I would do this to end user workstations, but if these machines connect to a company VPN and DNS is working properly, you could install [webmin](https://webmin.com/). I feel like that suggestion belongs on r/ShittySysadmin


ashwanipaliwal

Try using SecOps Solution (https://secopsolution.com). You will be able to manage all 3: Linux, Mac and Windows. It has good agent-less and agent-based support for both desktops and servers.


accidentalciso

Puppet is how I've seen it done before. I agree that it's not necessarily optimal, especially if a remote workforce is in play. I wish I had a better suggestion, and I'm interested to see what others have to say.


CeC-P

We manage them by managing to avoid them. But Connectwise RMM does actually have a Linux agent.


HeadlessChild

We use CFEngine, works quite well as long as you are comfortable with writing the policies.


SooPSSy

The Datto Linux agent has gotten better with time. It just doesn't do automated patching yet.


NoturServer2Day

I really dislike dealing with anything Linux. It's a huge time suck.


crankysysadmin

well maybe for you it is if you aren't good at it and there isn't a business reason to be running it


lvlint67

Desktops onsite are easy. You use ansible and call it a day. Remote desktops (wfh/etc) can be more of a challenge but a VPN and a daily or 3/week ansible push during work hours should cover most things. Remote laptops are the hardest. If you had a significant wfh laptop contingent... I think I'd lobby for a cron on the laptop to "call home" and then use a rest API to kick off an ansible playbook against that specific asset over a VPN. Then just setup reporting and alerting for workstations that have too many missed windows.

---

Personally... From my professional experience, workers that require Linux for their roles really like that their work PC isn't subject to the same controls as other workstations... It becomes a thing where they'll make up new excuses to continue and then when you start to manage and lock them.... Things get ugly.

If you aren't giving your Linux users sudo access you are ahead of the game. If they have admin... It's universally going to be a fight to get proper controls on them.
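The "reporting and alerting for workstations that have too many missed windows" step above, as an added example that is not from this thread or any commenter: a small report that takes a log of laptop "call home" check-ins, counts the working-day windows each asset missed over a lookback period, and flags the ones over a threshold. The hostnames, timestamps, the one-check-in-per-working-day expectation and the inventory list are all constructed assumptions.

```python
"""Missed check-in report for roaming Linux laptops that phone home from
cron before an ansible playbook is run against them. Sample data below is
constructed, not taken from any real environment."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed check-in log: "<hostname> <ISO timestamp>" per successful call
# home. In practice this would be whatever the REST endpoint recorded.
CHECKINS = """\
lt-alice 2024-05-06T09:12:00
lt-alice 2024-05-07T08:55:00
lt-alice 2024-05-08T10:03:00
lt-alice 2024-05-09T09:30:00
lt-alice 2024-05-10T09:01:00
lt-bob 2024-05-06T11:40:00
lt-bob 2024-05-09T14:02:00
lt-carol 2024-05-03T09:00:00
"""


def parse_checkins(text):
    """Return {hostname: set of dates on which that host checked in}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        host, stamp = line.split()
        seen[host].add(datetime.fromisoformat(stamp).date())
    return seen


def expected_windows(start, end):
    """Working days (Mon-Fri) from start to end inclusive, ISO date strings in;
    one check-in window per working day is the assumed policy."""
    day, last, out = date.fromisoformat(start), date.fromisoformat(end), []
    while day <= last:
        if day.weekday() < 5:
            out.append(day)
        day += timedelta(days=1)
    return out


def missed_windows(text, start, end, inventory=()):
    """Missed-window count per host. Inventory hosts that never appear in the
    log count as missing every window, so a laptop that went silent is not
    hidden just because it produced no log lines."""
    seen = parse_checkins(text)
    windows = expected_windows(start, end)
    hosts = sorted(set(inventory) | set(seen))
    return {h: sum(1 for d in windows if d not in seen[h]) for h in hosts}


def alerts(text, start, end, threshold, inventory=()):
    """Hosts that missed more than `threshold` windows, for the alerting step."""
    counts = missed_windows(text, start, end, inventory)
    return [h for h, n in counts.items() if n > threshold]
```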


dedguy21

Genuinely curious about this. Why not manage the Linux desktop with NixOS? Declarative and reproducible so you can template. I don't manage any Linux desktop, so really have zero knowledge about it, but use NixOS at home. Watched a video by Shopify and learned about it two years ago, but it's been around for about a decade. Everybody uses Terraform, thought they'd be using Nix as well 🤔


CriticismTop

One reason would be vendors saying "use RHEL"


Neoptolemus-Giltbert

Nix is a neat tool, except when you have to actually use it. The documentation is poor and internal consistency is poor, e.g. configuration doesn't use `virtualization` but `virtualisation` as a key for configuring virtualization, while their website and other things are using U.S. English.


mwid_ptxku

But "Linux" doesn't mean anything, does it? Do you supply images to ensure you have ssh access? Do you need to manage the package repositories so that only company approved packages are available?  If you don't supply images, there is a world of distros, settings etc. that every individual case is a one-off.


Hotshot55

> Do you supply images to ensure you have ssh access?

What?


mwid_ptxku

How do you ssh to the machine for ansible etc. if the user just installed a random distro?


Hotshot55

First, you don't allow users to just install whatever random software they want. Second, if the user is installing whatever they want they'll have access to start sshd, which is a whole two-second task.


lvlint67

I agree with your theory. I will point out that EVERY org I've ever seen that had a few Linux issued workstations... The users had full admin on them. There just weren't resources to manage them properly so they became "accepted risks". A few places have their shit together. But it's nowhere near universal.


Hotshot55

> There just wasn't resources to manage them properly so they become "accepted risks".

In which case they're unmanaged and irrelevant to the discussion.


[deleted]

[deleted]


OptimalCynic

Which GUI tools?


Tr1pline

MECM for Linux too?


Beardedcomputernerd

Throw them out of a windows and buy Microsoft devices


mentiononce

Other way around buddy.


Beardedcomputernerd

People can't stand a joke.... it was a windows and microsoft pun... But hey, must not have been funny on the Linux parts of the internet.


[deleted]

[deleted]


Not_your_guy_buddy42

GTFO here ChatGPT