FRESH

Hacker News

Home

Show HN: Enroll, a tool to reverse-engineer servers into Ansible config mgmt

265 points by _mig5

by geerlingguy

1 subcomments

Woah, very neat! I may have to add this to the examples in Ansible for DevOps. Great idea, looks like for many cases it will help move hand config into automation.

by bcye

1 subcomments

This looks like a great way to learn Ansible too. Instead of learning alongside random examples, you can setup your server and see how it would look like in Ansible.
Awesome stuff!

by _mig5

0 subcomment

Here's a video of JinjaTurtle, the companion tool that converts configs to Jinja2 templates and Ansible vars:
https://asciinema.org/a/765293
Enroll will automatically make use of jinjaturtle if it's on the $PATH, to generate templates.

by smoyer

0 subcomment

I have quite a few machines that were constructed using Ansible ... When I get a chance, I'll reverse then and compare the results to the IaC that created them

by _mig5

0 subcomment

Thanks for all the love HN!
I had a lot of good feedback directly from the comments here, and have made a new release that contains some bug fixes, as well as an improvement to support remote harvesting when the user requires a password for sudo. Thanks to 'slhck' here for the help, advice and patch for that.
There have also been some questions about 'what does enroll harvest actually capture in its state'. I've updated the docs here to clarify the process:
https://enroll.sh/docs.html#harvest
And for the data/API nerds, I've also published a JSON Schema of the state.json file here:
https://enroll.sh/schema.html
Thanks again!

by Quarrel

1 subcomments

Very cool.
I just saved the state of my WSL2 instance, pushed it to github. Amazingly simple.
FWIW, I was required to add the --harvest, which your quick start seems to be missing?
ie I used:
uvx enroll single-shot --harvest ./harvest --out ./ansible

by nightshift1

1 subcomments

This makes me think of the now defunct https://github.com/SUSE/machinery

by novoreorx

2 subcomments

I wonder if Nix has similar tools, as it is famous for declarative system management, which is quite suitable for server provisioning.

by Imustaskforhelp

1 subcomments

Bravo, I will play with it. I haven't played with ansible till now but I know that its related to automation.
If something can make ansible easier for me to try out like this tool while being pragmatic, I will give this a try someday thank you!
How accurate does this tool end up becoming though? Like can I just run some bunch of commands to setup a server and then use this with ansible?
Would this end up being a good use for it or would I just re-invent something similar to cloud-init on wrong abstraction. (On all fairness, one thing troubling me about cloud-init is that I would need to probably have a list of all commands that I want to run and all changes which sometimes if history command might have some issues or you do end up writing files etc. ends up being a little messy)
I haven't played that much with both cloud-init and ansible either but I am super interested to know more about enroll and others as well as I found it really cool!

by stevekemp

1 subcomments

That's a really cute looking tool. I ran it without installing via:
```
    uv tool run enroll  single-shot --harvest ./harvest --out ./ansible
```
It generated almost a thousand roles, and at quick glance it identified many changes which I expected and some that I didn't.

by proxysna

0 subcomment

Genuenly the thing i've been dreaming about for a while. Nice work.

by neilv

1 subcomments

This is a great idea. I have done this manually, and it was a lot of work.
Even with a tool, people will still have to understand the output, enough that they can spot situations like "this part doesn't make sense at all", "that bit isn't static", "holy crud, there's an unsecured secret", "this part suggests a dependency on this other server we didn't know was involved, and which the tool doesn't investigate".

by usrme

1 subcomments

An incredible undertaking! How much testing have you done with regards to harvesting a manual configuration into Ansible, creating a new machine and then applying that to see whether the machine is a functional representation of the old machine?
The reason I'm asking is because I'm interested in how much confidence could be lent to this tool with regards to more old and obscure machines that have been running for years.

by barbazoo

1 subcomments

This is a fantastic idea. I can imagine using this to pull in any manual changes I might have made to the server because I’m not the most disciplined person.

by krelas

0 subcomment

I’ve been looking for something exactly like this, thank you! Now I just need to find the same thing for Windows and macOS…

by yowlingcat

1 subcomments

Very cool! Managing ones boxes as cattle and not pets almost always seems like a better idea in retrospect but historically it is easier said than done. Moreover, I like the idea of being able to diff a box's actual state from a current Ansible system to verify that it actually is as configured for further parity between deployed/planned.

by skywhopper

0 subcomment

Really cool! I’m in a similar situation and I’m going to try this tool out right away to see if it can speed up Ansible onboarding for some particularly crusty old servers. Thanks for sharing!

by slhck

1 subcomments

I've been looking for something like this, awesome!
Is it expected that it does not allocate a TTY for sudo password prompts when connecting to a remote machine via SSH? How would I use it otherwise?

by dweller42

0 subcomment

Amazing tool! It can have multiple use cases for sure.

by olekspin

0 subcomment

Wonderful! I wish that tool was existed a few years ago, when I had no experience with Ansible. Anyway, will try it and compare outcome of Enroll with my current playbooks

by kriskaminski

0 subcomment

Looks very promising. It is the tool for ansible that I wish egsisted for years.
JinjaTurtle is just chef's kiss. Definitely taking both for a spin.

by westurner

1 subcomments

Could it also detect changed package files; if there are per-package-file checksums like with `debsums` and `rpm -V`?
Does it check extended filesystem labels with e.g. getfacl for SELinux support?
I've also done this more than a few times and not written a tool.
At least once I've scripted better then regex to convert a configuration file to a Jinja2 templated configuration file (from the current package's default commented config file with the latest options). And then the need is to diff: non-executable and executable guidelines, the package default config (on each platform), and our config.
Sometimes it's better not to re-specify a default config param and value, but only if the defaults are sane on every platform. Cipher lists for example.
P2V (physical to virtual) workflows don't result in auditable system policy like this.
Most of the OS and Userspace packages backed up in full system images (as with typical P2V workflows) are exploitably out of date in weeks or months.
To do immutable upgrades with rollback, Rpm-ostree distros install the RPM packages atop the latest signed immutable rootfs image, and then layer /etc on top (and mounts in /var which hosts flatpaks and /var/home). It keeps a list of packages to reinstall and it does a smart merge of /etc. Unfortunately etckeeper (which auto-git-commits /etc before and after package upgrades) doesn't yet work with rpm-ostree distros.
Ansible does not yet work with rpm-ostree distros. IIRC the primary challenge is that ansible wants to run each `dnf install` individually and that takes forever with rpm-ostree. It is or is not the same to install one long list of packages or to install multiple groups of packages in the same sequence. It should be equivalent if the package install and post-install scripts are idempotent, but is not equivalent if e.g. `useradd` is called multiply without an explicit UID in package scripts which run as root too.
I wrote a PR to get structured output (JSON) from `dnf history`, but it was for dnf4.
From https://news.ycombinator.com/item?id=43617363 :
> upgrading the layered firefox RPM without a reboot requires -A/--apply-live (which runs twice) and upgrading the firefox flatpak doesn't require a reboot, but SELinux policies don't apply to flatpaks which run unconfined FWIU.
Does it log a list of running processes and their contexts; with `ps -Z`?
There are also VM-level diff'ing utilities for forensic-level differencing.

by tecoholic

0 subcomment

Very cool idea and kudos for building and making the idea into a reality.

by bityard

1 subcomments

A question I didn't see answered on the Web site or in the comments... How does it determine what is "state"? Packages are easy, you just get a list of those with the package manager. I guess systemd lists services. But what about everything else? Is it just walking the whole file system and checking every file it finds to see if a package owns it? What about files and symlinks created by postinst scripts? Does it have special "knowledge" about certain services like Apache which have their own Ansible modules?
I don't know if this touches networking or not but I've always deliberately avoided configuring (most) networking on Ansible after having shot myself in the foot too many times.
I like this in theory and will give it a shot but I'm wary of getting bled out by all the sharp corner cases...

by poemxo

0 subcomment

Can it do Oracle? That would be a gamechanger.

by indigodaddy

1 subcomments

Does the playbook generation have support for some totally custom/one-off application? (Eg, not just system/well-known stuff). If so, that would be insane!

by xyst

1 subcomments

poor man’s nixOS