11 comments

[ 4.2 ms ] story [ 38.1 ms ] thread
I don't really understand the point of this. Aren't there already simple tools that take a list of server credentials and run the same command on all of them? (I could understand if it was made for fun but the FAQ says it's "out of necessity" and patching multiple distros can be a "nightmare". How? Just attempt to execute apt and yum everywhere.)

Though maybe I'm just disappointed that it doesn't log in via shellshock as I hoped from the title.

This is the nature of "devops."
For those wondering, "What simple tools take a list of server credentials and run the same command on all of them?", Fabric is a great one: http://www.fabfile.org/en/latest/
Thanks for the specifics!
Fabric is a great suggestion! Here is a small fabfile as an example.

It's super-simple (wrote it for this answer), but should be less than 5 min if anyone need something quick.

    from fabric.api import *

    # Fabric
    #
    # Simple tool to execute commands on multiple machines.
    # Use for easier, ad-hoc changes, such as package updates.
    #
    # http://docs.fabfile.org
    #
    # Installation on OS X
    # `brew update && brew install python && pip install fabric`

    # use local ssh config
    env.use_ssh_config = True

    # Hard-coding host IPs is not ideal! There are better ways:
    # http://docs.fabfile.org/en/latest/usage/execution.html#defining-host-lists
    all_nodes = [
      '10.10.10.1',
      '10.10.10.2',
    ]

    # print uptime
    # usage: `fab uptime`
    @hosts(all_nodes)
    def uptime():
      run('uptime')

    # install package via apt
    # usage: `fab install_package:my-package-name`
    @hosts(all_nodes)
    def install_package(package):
      run('sudo apt-get update && sudo apt-get install {name}'.format(name=package))

    # check package version
    # usage: `fab package_version:my-package-name`
    @hosts(all_nodes)
    def package_version(package):
      run('dpkg -s {name} | grep Version'.format(name=package))
So... instead of connecting to all my servers securely and 'yum update bash'ing I can download this script that I don't trust, configure it with all my super secret passwords and let it run riot.
ansible main -a "sudo apt-get update; apt-get install --upgrade-only bash"
That should be "--only-upgrade", but ya, that's what I did.
I gotta say, if this is what you have to resort to for one single security advisory, I'm scared to think how the remaining ~weekly advisories are handled.