More updates

Miguel Jacq 2026-06-21 12:41:31 +10:00
parent 493c6f5b8c
commit 1d1316d89f
Signed by: mig5
GPG key ID: 03906B4110AAD3B8
3 changed files with 8 additions and 7 deletions

View file

@ -257,7 +257,7 @@ enroll diff \
--exit-code
# Ignore a path and changes to package versions, and optionally
# enforce the old state locally (requires ansible-playbook)
# enforce the old state locally
enroll diff --old /path/to/harvestA --new /path/to/harvestB \
--exclude-path /var/anacron \
--ignore-package-versions \
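
Review bot: The reworded comment above the `enroll diff` example ("# enforce the old state locally") no longer tells the reader that anything has to be installed for enforcement to work. Dropping "(requires ansible-playbook)" makes sense if enforcement now follows the chosen target, but then the comment should say so, for example "# enforce the old state locally (needs the tool for the chosen target on PATH)", so that a failed enforce run is not the first place a user learns about the dependency.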

View file

@ -323,7 +323,8 @@ target = ansible # is the default, otherwise salt, or puppet
# ignore noisy drift
exclude_path = /var/anacron
ignore_package_versions = true
# enforce = true # requires ansible-playbook on PATH</code></pre>
# enforce = true
# target = ansible # to run ansible-playbook to enforce the old harvest, else puppet, salt</code></pre>
</div>
<div class="alert alert-secondary mt-3 mb-0">
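
Review bot: The added commented-out `# target = ansible` line repeats a key that this same config example already sets a few lines earlier (the hunk header shows "target = ansible # is the default, otherwise salt, or puppet"), so the example now reads as if there were a second, enforce-specific `target` setting. Suggest dropping the extra line and putting the explanation on the enforce line instead, e.g. "# enforce = true # runs the tool for the configured target to restore the old harvest". The two comments also list the alternatives in a different order ("salt, or puppet" versus "puppet, salt"); pick one.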

View file

@ -24,8 +24,8 @@ summary: "Enroll can now render Puppet and Salt manifests alongside Ansible, det
<ul>
<li><strong>Puppet support!</strong> <code>--target puppet</code> renders Puppet module/control-repo style output., and in <code>--fqdn</code> mode, renders per-host Hiera data.</li>
<li><strong>Salt Stack support!</strong> <code>--target salt</code> renders Salt state trees and, in <code>--fqdn</code> mode, Salt pillar data.</li>
<li>Ansible works basically as it always did, and is the default, but you can specify <code>--target ansible</code> too. As usual, in <code>--fqdn</code> mode, specific artifacts end up in <code>host_vars</code> inventory folders rather than polluting the 'golden' roles.</li>
<li>All three config management manifest renderers derive from the same harvest state as a single source of truth. Evaluating how different config managers work? You can rendered repeatedly into different config management tools without re-harvesting the host!</li>
<li>Ansible works basically as it always did, and is the default, but you can specify <code>--target ansible</code> too.</li>
<li>Evaluating how different config managers work? You can rendered repeatedly into different config management tools without re-harvesting the host, because they all use the same harvest state!</li>
<li>Single-site output tries to combine package/service data by their package manager's <code>Section</code> (or equivalent metadata), to reduce role/module/state sprawl and speed up execution.</li>
<li>Flatpak and Snap detection!</li>
<li>Docker image detection!</li>
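
Review bot: The rewritten "Evaluating how different config managers work?" bullet still carries the typo from the line it replaces: "You can rendered repeatedly" should be "You can render repeatedly". Separately, the shortened Ansible bullet drops the `--fqdn` / `host_vars` sentence while the Puppet and Salt bullets above it still describe their `--fqdn` behaviour, so the list now reads as if Ansible had no per-host mode; either keep a short `--fqdn` clause for Ansible or move all three to one shared bullet.
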
@ -91,7 +91,7 @@ ok: [localhost] => (item={'channel': 'latest/stable', 'classic': False, 'dangero
<p>The <code>harvest</code> now detects the presence of container images, if the user has permission to call Docker or Podman. In particular, it detects the SHA256 of the image instead of relying on floating tags.</p>
<p>All three renderers (Ansible, Salt and Puppet) will attempt to enforce the presence of those Docker images per their precise SHA256 hash, if they were present in the harvest but not on the machine upon applying a manifest.</p>
<p>For Ansible, you may need the <code>community.docker</code> collection, but on Debian 13 I found that it was already present by default in the official ansible Debian packages.</p>
<p>For Ansible, if using Podman, you'll need 1.20.0 or later. Enroll creates a <code>requirements.yml</code> to make it easy for you: its README.md will guide you to run <code>ansible-galaxy collection install -r requirements.yml</code> before running the playbook.</p>
<p>For Ansible, if using Podman, you'll need 1.20.0 or later of the <code>community.podman</code> collection. Enroll creates a <code>requirements.yml</code> to make it easy for you: its README.md will guide you to run <code>ansible-galaxy collection install -r requirements.yml</code> before running the playbook.</p>
<div class="codeblock terminal">
<pre class="mb-0"><code id="news-070-snap"><span class="prompt">$</span> ansible-playbook -i localhost, -c local playbook.yml --check --diff --tags role_container_images
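
Review bot: The collection name added to the Podman sentence, `community.podman`, should be checked against the entry Enroll actually writes into `requirements.yml`. I know the Podman collection as `containers.podman`, and if the generated file uses that name, the text here will send readers looking for a collection that does not match what `ansible-galaxy collection install -r requirements.yml` installs. Naming the collection is a good change; it just needs to be the exact name from the generated file.
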
@ -122,7 +122,7 @@ PLAY RECAP *********************************************************************
localhost : ok=5 changed=0 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
</code></pre>
</div>
<p></p>
<p>I did not use community extensions/modules for Docker in the Salt and Puppet renderers, because, well, they are god-awful (the Salt one <a href="https://github.com/salt-extensions/saltext-dockermod/issues/6" target="_blank" rel="noopener noreferrer">simply doesn't work in 3008.1</a>, and the Puppet one is non-idempotent and I would argue cruder in its approach to image management than a guarded <code>Exec</code> call can be (and is).</p>
<h2 class="h4 fw-bold mt-4">Other smaller changes</h2>
@ -134,7 +134,7 @@ localhost : ok=5 changed=0 unreachable=0 failed=0 s
</ul>
<h2 class="h4 fw-bold mt-4">See you soon..</h2>
<p>I'm off to try and write more tests - we're at about 85% coverage in pytest, and we also run a stack of 'noop' executions for Ansible, Puppet and Salt too now, <a href="https://git.mig5.net/mig5/enroll/actions/runs/592" target="_blank" rel="noopener noreferrer">in CI</a>.</p>
<p>I'm off to try and write more tests - we're at about 86% coverage in pytest, and run a big suite unit tests for Ansible, Puppet and Salt too now, <a href="https://git.mig5.net/mig5/enroll/actions/runs/592" target="_blank" rel="noopener noreferrer">in CI</a>. I'm always trying to catch any regressions given there are so many variations on how you can use this tool.</p>
<p>Thanks to everyone who has reached out with suggestions, constructive criticism, and bug reports! You're helping make Enroll better for everyone.</p>
</ul>
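
Review bot: The new closing paragraph has a missing word and a dropped subject: "and run a big suite unit tests" should read "and we run a big suite of unit tests". The wording also changes the claim from "a stack of 'noop' executions" to "unit tests" while still linking to the same CI run (`actions/runs/592`); if that run performs noop applies of the rendered Ansible, Puppet and Salt output, "unit tests" misdescribes it, so please confirm which one the linked job does and word it accordingly.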