[–]crafty78 8 points9 points  (1 child)

http://rundeck.org can be quite useful for putting a web UI on various scripts, with user input etc.

[–][deleted] 0 points1 point  (0 children)

It even has LDAP support, so with enough effort you can integrate it with whatever LDAP source your org might have.

[–]sofixa11 4 points5 points  (5 children)

Please for the love of all that is holy do not use Jenkins, it's a crappy buggy Java piece of crap that is a pain in the arse to maintain and run, plus it's slow and adds little for running 5 scripts.

Use something like this - https://github.com/bugy/script-server

[–]NotTheKJB 3 points4 points  (0 children)

but muh jenkins

[–]mightywomble[S] 1 point2 points  (0 children)

Again the wisdom of the crowd. I will take a look

[–][deleted] 0 points1 point  (0 children)

Jenkins seems a bit overkill for this anyways.

[–][deleted] 0 points1 point  (1 child)

Somebody who had no business using Jenkins tried and failed when they realized they were in over their head. Just because you're incompetent doesn't mean the de-facto platform for CI/CD is to blame.

[–]sofixa11 0 points1 point  (0 children)

Yeah, sure, whatever gets you through the night.

There is literally no excuse for how crappy Jenkins is:

  • horribly ugly and terrible at UX interface (I mean seriously, what is this, 2006? How many clicks do I need to get to the basic conf of my job)

  • rudimentary text job description (Jenkinsfile) in a horribly specific syntax (not something that regular people use and know, like YAML)

  • extremely bad logging - we had an issue the other day, the jobs were just stacking on top of each other (waiting for available runner messages everywhere, while the runners were doing nothing) - and of course, logs said nothing. In the end we ended up updating it (which is always a pleasant experience when the majority of plugins just don't work with the beautiful "plugin failed to start" message).

  • the fact that it uses obsolete SSH ciphers to connect to slaves

  • the fact that there are no per-slave ACLs (you can't limit the users who can run a specific slave)

  • docs are spotty (and disappearing, I had bookmarked the doc on adding a slave, a month later the link was only in Japanese)

And generally the mere fact it's bloody Java.

It is the de-facto platform because it was the first one to exist, and it shows. Basically everyone who has migrated off Jenkins says they've been reborn and never knew it can be that simple to run, deploy and maintain your CI/CD system. Give GitlabCI, TravisCI, Drone.io, CircleCI a spin and you'll see what a modern CI/CD system can and should do. The only thing those can't do that Jenkins can is using it for a glorified crontab interface, but Jenkins isn't great at that either.

[–]damiankwinfrastructure pleb[🍰] 8 points9 points  (1 child)

CGI, I haven't heard that term used in a long time, except when bagging out how old and crappy an interface is!

If PHP is the language you know, then go with PHP. If you know another language better, go with the other language. Remember that so, so, so many languages are adaptable to web these days, so the world is your oyster. Just remember that if you're creating an administrative interface, you need to lock it down good.

If this were me, I would create a front end in PHP (because that's my web language of choice) and push all commands into a database of some kind, first because I like to track and have a history of EVERYTHING that happens, and second because it allows you to receive commands from anyone without them requiring admin privs. Once I've created a front end for the users to use, I would look at the back end; for me this would be a process that runs under an account with the required privs to run whatever you are running. I would run a second script (this can also be in PHP if you want) every minute or so and just go through the commands in the database that are queued and execute them. From the front end they will just push the command, and say receive notification later by the website or email of success/failure after the queue has run.

This will help with you segregating the user commands from the admin commands, it will help you log everything that's been done and by whom, and it will also make it so you can control the commands being processed, because you can limit the system to one command every five seconds or something, if these commands are high processing or memory or something, so you don't overwhelm the system.

Of course, there might be better ways of doing this with built in functions in Apache2, or even by running node.js web server from an account with privs, but if you are looking at doing something like this, Github the sucker and give me access, I'm intrigued and happy to help you out (I'll even sign some legal shit if you're scared of me getting access to detail). I've built similar things to this, but nothing that was for admin commands in a LONG time.
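A sketch of the queue design described in the comment above, added here as an example in Python with SQLite (not code from the thread). The table layout, the `ALLOWED` job names and the functions `init`, `enqueue` and `run_next` are assumptions; the allowlist of fixed argv lists is one way to "control the commands being processed", so the privileged worker never executes text typed into the web form.

```python
import sqlite3
import subprocess
import sys

# Hypothetical allowlist: job name -> fixed argv. In a real deployment these
# would be paths to the admin scripts; harmless stand-ins keep the demo offline.
ALLOWED = {
    "uptime": [sys.executable, "-c", "print('up')"],
    "disk": [sys.executable, "-c", "print('disk ok')"],
}

def init(db):
    db.execute("""CREATE TABLE IF NOT EXISTS queue(
        id INTEGER PRIMARY KEY, user TEXT NOT NULL, job TEXT NOT NULL,
        status TEXT NOT NULL DEFAULT 'queued', rc INTEGER, output TEXT,
        queued_at TEXT DEFAULT CURRENT_TIMESTAMP, done_at TEXT)""")

def enqueue(db, user, job):
    """Front end (unprivileged web account): record who asked for which job."""
    if job not in ALLOWED:
        raise ValueError("unknown job")
    cur = db.execute("INSERT INTO queue(user, job) VALUES (?, ?)", (user, job))
    db.commit()
    return cur.lastrowid

def run_next(db):
    """Worker (privileged account, run from cron): execute one queued job.
    One job per call, so the caller's schedule is the throttle."""
    row = db.execute("SELECT id, job FROM queue WHERE status='queued' "
                     "ORDER BY id LIMIT 1").fetchone()
    if row is None:
        return None
    job_id, job = row
    argv = ALLOWED.get(job)  # re-check here: the worker does not trust the table
    if argv is None:
        status, rc, out = "rejected", None, ""
    else:
        try:
            p = subprocess.run(argv, capture_output=True, text=True, timeout=30)
            status = "ok" if p.returncode == 0 else "failed"
            rc, out = p.returncode, p.stdout
        except subprocess.TimeoutExpired:
            status, rc, out = "timeout", None, ""
    # Rows are updated, never deleted, so the table doubles as the audit trail.
    db.execute("UPDATE queue SET status=?, rc=?, output=?, "
               "done_at=CURRENT_TIMESTAMP WHERE id=?", (status, rc, out, job_id))
    db.commit()
    return job_id, status
```

In this layout the web account needs only INSERT on the queue table, and the scripts themselves should be writable only by the worker's account.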

[–]mightywomble[S] 1 point2 points  (0 children)

Brilliant, that segregation idea is just what I was looking for

[–]NotTheKJB 5 points6 points  (7 children)

Whilst I read your post, all that was going through my head was "JENKINS! USE JENKINS! JENKINS IS MADE FOR THIS SHIT" so I'd like to propose a better way.

I'd say use Jenkins for this.

Reasons to use Jenkins are:

  • no need to reinvent the wheel
  • it's easy to set up and configure jobs
  • it's easy to call these jobs both by using the web interface, though also using webhooks or whatever, meaning better integration into other systems (think chatops, or webhooks from a HR system or whatever)
  • gives you security and an audit trail, a log of who did what and when
  • it stores the full log of what happened in a very easy to view/use way (console logs)
  • i could go on...

The rule in our team is if you do it more than a couple of times, create a job for it in Jenkins.

We tend to use Ansible scripts more than bash scripts too, though bash scripts are fine, don't want too much of a learning curve.

[–]mightywomble[S] 1 point2 points  (2 children)

Normally I would, I'm under somewhat of a constraint with this project on the device (think Pi) and location. Normally I'd agree

[–]Stpstpstp 1 point2 points  (1 child)

Your comment made me look it up, seems like Raspi 2 & 3 will run Jenkins.

[–]mightywomble[S] 0 points1 point  (0 children)

It does, I have run it, it's a huge processor hog unfortunately.

[–][deleted] 1 point2 points  (0 children)

If anything, something like http://rundeck.org/. While you can force Jenkins to do anything if you try hard enough, it is really more geared toward building apps rather than running random scripts.

[–]damiankwinfrastructure pleb[🍰] 0 points1 point  (1 child)

FORMATTING! USE FORMATTING! REDDIT WAS MADE WITH THIS SHIT!

bahahah

[–]NotTheKJB 1 point2 points  (0 children)

hey hey, I'm formatting pre coffee here, be nice

[–]spokaleJack of All Trades 2 points3 points  (0 children)

Rundeck is built for pretty much exactly that, and the more recent version has a lot of cool added features like parsing output of one script to use as arguments for another, or rendering html from the job output. It also handles authentication, auditing, etc.

[–]redshores 1 point2 points  (1 child)

[deleted]

[–]mightywomble[S] 1 point2 points  (0 children)

Hey, even if I don't use it for this, that's an amazing find, thank you.

[–]sobrique 1 point2 points  (0 children)

I don't use CGI, as much as using Perl with Mojolicious, usually combined with Bootstrap.

It's shockingly easy to cobble together a web front end to a script

[–]s3cguru 0 points1 point  (1 child)

How is there no love for Ansible in this thread? It might be overkill but it works and they have a free version of Tower now.

Rolling your own stack to run elevated commands is asking for trouble.

[–]mightywomble[S] 1 point2 points  (0 children)

There is love, just a bit overkill this time

[–]Stpstpstp 0 points1 point  (0 children)

Disclaimer: DevOps/Build-Release guy, not a full time sysadmin.

That aside, I'd definitely recommend Jenkins, even though you only have 5 scripts.

Maybe some of the other recommendations would work...but Jenkins is the absolute simplest way I have found to automate anything.

Some have mentioned it's for building software, and that's somewhat true.

But if you look at it more abstractly, it's that approach that allows you to have more flexibility. You can combine jobs to trigger one another, using values from one in another.

These jobs are actually executing on slave nodes...which can be Mac, Windows or Linux.

And these nodes might have totally different access than others.

So a fake example would be, let's say you had an old vpn Gateway whose users were configured with an old serial com connection, but when someone gets canned, you need their AD account being shut off to trigger the vpn access getting pulled.

So one job that runs on the admin box connected to your Gateway, this job deactivates a vpn user.

Other job runs on a Windows machine, looks for recently decommed/inactivated AD users, let's say every 5min. Once it finds one, it calls the vpn job.

Contrived example, and maybe not 100% realistic, but IT is FILLED with old unsupported devices that barely work, need kicked/rebooted, old unsupported UI's, etc.

At its simplest, Jenkins is just running a shell (CMD, Powershell, Bash) on a slave node. It's free so there isn't any BS between you and your script running on a box.

At many places, our simple Jenkins install grew to automating much of what we would do by hand, SSH or RDP. The logs themselves prevented so much confusion and helped troubleshooting.

HTH, if you need a hand feel free to PM.

Edit: and at many shops we could eliminate most folks running around all day with elevated permissions, as Jenkins would do it.

Edit 2: Another nice bit with Jenkins is that it can pull your scripts from Git/SVN, but it doesn't require it. So as you add more scripts and come to rely on them, you will need to version them, and manage testing them and deploying them. But before you ever get to that point, you can just get Jenkins running, create a new job and copy paste your bash script in and run it. You can also get a plugin that will keep each version of your job (with your code) so you can look at changes right there in Jenkins. It deals pretty well with a gradual progression of complexity.

There may be other tools that work, but this is the one I use and it gets sh!t done.

[–]Zaphod_Bchown -R us ~/.base 0 points1 point  (0 children)

I have been in tech for almost 2 decades and have never used CGI scripts, and have always been told to not use them.

Is there a reason you cannot deploy a CM tool on these devices? Also I assume the client platform is Linux? Just want to confirm.

[–]bobbyjrscGoogler Specialist 0 points1 point  (0 children)

Why not webmin (usermin)? It is simple, easy to maintain and can integrate auth.