Simplify Ansible Playbook Management with Semaphore

Ansible is an extremely useful automation tool for managing computers and network devices, and although my years as a Cisco engineer have got me used to using a command line, sometimes you find a graphical interface can help you do things better, and for Ansible that's where something like Semaphore comes in. You can use it to schedule playbooks, to receive status notifications, you can handle your secrets and so on, which for me makes task management much easier. But how do you install Semaphore as a package on a Debian computer, for instance? Well, if that's something that you're interested in finding out, then stick around and watch this video, as that's what we'll be going over. Now, there are several ways that you can install Semaphore, and in this video we'll be installing it as a Debian package, although the process should work on Ubuntu as well, for instance. I would have preferred to have run this as a container on my Docker server, but for some strange reason the web server you get doesn't support TLS. The suggestion of you using a reverse proxy doesn't help unless it's on the same computer as the one running Semaphore, because if it's not, you'll still be left with unencrypted traffic in transit, and that would be flagged at a security audit. Now, I don't want the extra admin work of managing NGINX, for instance, just to address a security weakness in Semaphore, so for that reason we'll install everything on a single computer, so people will need to log in to the computer to use Semaphore. Now, Semaphore requires that you have Python as well as Git installed, in which case we're going to install those now. First thing I want to do is just make sure that the actual package information is up to date, so we're going to run apt update first, then once that completes we'll get it to install Python 3 as well as Git. Now, this is a Debian 12 computer, so I already know it's actually got Python 3 installed, but there's no harm in including that, and Git is a requirement, because if you actually try to install Semaphore and you don't
have Git installed, the actual installation process would fail, so even if you've got no plans to actually connect to a Git repository, you do still need to install this. So I'm just including -y just to save me answering the prompt. I'll then hit return and off it goes and actually starts to install those packages. Now for me, as I said, Python 3 is already included, so let's just skip that; now it's just off installing Git as well as any other dependencies for that. Now, not surprisingly, Semaphore requires that you have Ansible installed because, well, it's going to be using that to run your playbooks. Now, I actually already have Ansible installed on this computer, but when we look at the version, what I'm getting is 2.4.3, and that's an installation that I've done using the Debian repository. Problem is that, well, this particular version I've got here isn't receiving any more security updates, which is a problem, but also apt-key has been deprecated and the Ansible module that you need for its replacement isn't in this version either, in which case what I'm going to have to do is to uninstall my version of Ansible first and then we're going to have to install the newer version. So we'll wait for this to uninstall Ansible. The only thing is we're then going to have to remove all of the dependencies as well, to installing that, so just wait a while until it finishes that, and then what we'll do is run apt autoremove. So hit return, and this is going to take a bit longer. So I'm now just going to double check that Ansible has actually been removed, so we're going to run the ansible command, just put in --version for instance, and it should return, as you can see here, an error to say that Ansible isn't installed; it can't find it on the computer, at least not in my path anyway. Now we want the latest version of Ansible. What Debian themselves actually suggest is to use pipx to actually install third-party packages, for example. So the idea is you get official software through Debian themselves
through their actual repositories, files that they've actually vetted and checked, and then if there's other third-party software that you want, use pipx, put it into a virtual environment; it makes it a bit more safe. So we need to install pipx itself first, so we'll just use sudo apt to install pipx. Now it goes and installs that. Now that that's done, we'll run one more command here, pipx ensurepath, hit return, and as it says, it's updated the path, but it's suggesting to open a new terminal or re-login to make sure that the path changes take effect. So I'll just close that terminal, start a new one as it suggests, and I'm just going to increase the font size here just to make it easier to see. And then we're actually going to install Ansible itself using pipx, so pipx install --include-deps, then ansible is the one we actually want to install. Hit return, and yeah, this is going to take a while. Well, now that that's finally finished, just going to check to see we've got Ansible installed, and we'll just run ansible --version and see which version we've got. So at the time of recording we're now up to 2.6.2. Now, Semaphore requires access to a database, and unless you've already got one available that you can use, then you do need to install one. Now, the default choice looks to be MySQL, in which case we're actually going to install that. Because I can't actually get access to it through the actual Debian repositories, I need to get it directly from the source, which is Oracle's; that's why I'm on this website here. So what I need to do is to click on the download option here. It's going to ask about cookies, which I don't particularly want; I'll just close that. I don't specifically want an actual account for this, even though it is free, so I'm just going to click on the option, no thanks, I just want you to actually download the file, on that, and then that should download it to my downloads folder. So we'll jump across to that, we'll switch over to the folder, and then what I should be able to do
is to install that, but do make sure the actual version that I'm showing here is actually the version that you've got. So just hit return, it wants my password, assuming I'm actually p, and then it installs that. Now, I'm quite happy to go with the default options here, so I'm just going to use the arrow keys to drop down where it says OK, tab over to OK itself, because you can't make changes to these specific settings here; it just takes you through other pages, but as I say, I'm just quite happy with the default settings anyway, so go with OK and it installs that. And now we're going to run apt update, because what we've done basically is to update our repository details here, so now you can see how it's referencing over to mysql.com as a potential repository. Then what we need to do is to actually install MySQL, so we want the server and we want the client. So hit return and off it goes and starts asking for an actual password. So out of curiosity I'll see if I can paste this in; yes I can. Fortunately it does actually blank it out, which is good. Then it wants confirmation of that root password. OK, now it's giving us a choice of strong password encryption or legacy authentication. In this case it's a completely new database anyway, and it makes more sense to just go with the default option of having strong password encryption, so I'll leave that set there and then we'll hit OK, and then off it goes and continues with the actual installation. Well, now that MySQL's actually been installed, there is one more thing I want to do, which is just to make sure that it is a bit more secure. So we're just going to run this command here, just copy and paste that in, so it's mysql_secure_installation. So we'll start that. Straight away it's asking for the root password for MySQL, so this is not the actual root password for your Linux computer, and it is really strongly recommended that you do use different passwords; this is just the root account for SQL itself. So I'm going to paste that in there. Now what it
wants to know is, do you want to actually validate actual password component, so I think that's a good idea, and make sure that passwords are strong enough, so going to stick with the default, so I need to put a y and then hit return. Then it wants to know what do you want: low, medium or strong passwords. Well, I'd rather have strong passwords, so option two. Now it's estimating that the strength of the password I'm using for this root user is only 50, so it does give you an option here to actually change it. Because this is only a video, I'm just going to leave that as is and just say no, I do not want to change the actual password. Now it's saying that it's got an anonymous user in here, which isn't really a good idea; I mean, something that might go into, say, like a test environment or something, but I don't particularly want that, so yes, I do want to actually remove that anonymous user, so we'll select the option yes. Then it's saying that normally only the root should be able to get in through a local connection as opposed to via the network. That does make a lot of sense, so yes, I do want to disable the ability of the root login. It's also got a test database and, well, we don't need access to that, there's no point keeping it, so we'll say yes to remove that. And now it just wants to know, well, all of these questions have been answered, so do you want to actually reload the actual privileges table for this to take effect, so I'll say yes, and that's it; that should have made it a bit more secure. Now what I'm then going to do is just double check that MySQL is actually running, so use systemctl and then status just to check the status of our MySQL database, and there you go, it is active and it's running, so we don't seem to have a problem with MySQL, so it should be now ready to use. Now the next thing to do is to create a database for Semaphore, so what I want to do is to actually log into this database server as the root, and then just going to copy and paste in my super secret password
and then that gives me access to MySQL. Then tell it to create a database. Now I'm going to call this one semaphore, but you can name it something else if you like, and you don't necessarily have to put the actual instructions in upper case, but I like to make things stand out a bit here. So hit return; that gets us our database. Then what we're going to do is to create an actual user account, because it's not a good idea to have people logging in as the actual root user and making changes; it's better that applications and users have their own individual user accounts so you've got accountability. So tell it to create a user. Now I'm calling this semaphore, but it probably makes sense to use something less obvious, and this is all on one single computer, so I'm referencing the domain as just being localhost. If it had been, say, like a centralized database server, it would have made more sense to actually include the actual domain name. And then I'm putting in a super secret password, return. Oh dear, it doesn't meet the actual security requirements, and that's because of the settings we put in earlier, so I'm going to make a slight tweak to that password just so that we can get past the requirements, but again I would suggest using something much stronger and more complicated than that. Hit return, and that gets us our user account. Now the next thing we need to do is to actually give this user account access to the actual database that we created called semaphore, and then that's it. What I'm going to do is then just exit out of MySQL as the actual root user, then this time what we're going to do is just check things by logging in as this actual semaphore user, put in the password for that, and then just see that we actually can see something. I'm going to actually just show the databases as an example, and you can see these are the databases it can see, which includes that actual semaphore database that we set up. So as far as I can tell we should be good to go; we've got our database user that we can tell
Semaphore about and we've got a database. Now we can install Semaphore as a package, but before we do that it's best to check what the latest version is. So over on this web page here we've got details telling us how to actually install Semaphore as a package for Debian or Ubuntu, and although I could click on this option to copy to the clipboard, it's going to copy everything in one go, but at least we can tell here that we're on 2.875 for at least at the time of the recording. So what I'm going to do is go back to the terminal, and then I'm just going to use wget to actually download that actual file, and then we're going to install that package. So I'll just copy and paste the command in for that, hit return, and it wants my password here to do that, and off it goes and installs Semaphore. Now, one of the really appealing things about Semaphore is that you can schedule tasks, in other words run your playbooks at certain times of the day. Now in order to do that we'll be running Semaphore as a service, but it's not a good idea to be running this using the root account or indeed any privileged account, in which case we're actually going to create a new user. So I'll just copy and paste in the command. Now I'm going to set the home folder to be /opt/semaphore, because we'll be using this for other purposes, and I want to make sure that we're using bash as the shell. Now I'm actually calling the user account semaphore, but I would really suggest using something a lot less obvious than that, but I just want to keep things simple here. So off it will go and creates that, sets up the home folder, and then what I'll need to do is just at least give this a password. So now it wants a password to use, so I'm going to give this one something slightly different, because I don't want this to be the same password that we use for the actual database. So I'll just confirm that again, and there we go, we've now got our user account created plus the actual password for it. I'm going to change the actual permissions for that actual folder
because I don't want anybody being able to get access to it, because there's going to be sensitive information in there, because it's not just a simple home folder where we're keeping a config file; there's other information going to go in there, so I'm going to restrict access. While we're here we're also going to create a group. Now I'm going to call this ansible group, because the idea is I want users on this computer plus Semaphore to get access to the Ansible files, and they're going to be stored in a folder. So while I'm here I'm just going to actually create a new group. Now I've called it ansible group; I would suggest using something less obvious than that, to be honest, but once that group's created I'm then going to add the users, so for now that is going to be myself plus that semaphore user. Now the -M option is something you need to be careful of, because we're really just telling it to add David and semaphore to this group called ansible group. Now I'm going to hit return, it's going to do that, but what this is actually going to do is basically reset the list of users as well, so it's something you need to be careful of. So if I need to add a new user to that group, well, if I use the -M option I'd have to include both of these existing users at the same time, so I'd have to declare all of the users as part of using that -M parameter, so it's just something to bear in mind. Anyway, we've now got our actual user account set up for Semaphore plus an actual group that we can use to give Semaphore access to the actual Ansible files. Now Semaphore is going to require a configuration file to run, and although you could download an example from the website and then edit it, what we're going to do is to actually generate our own config file. First thing I need to do is to actually switch over to that semaphore user account, go to its home directory, and just going to double check, yeah, it is /opt/semaphore. So what we're then going to do is to run this command, semaphore setup, and it basically just walks you
through a wizard asking you questions, and then based on those answers it'll generate you a file. So the default option for the database here is MySQL; that's what we've installed, so I'm just going to hit return. It then wants to know how to connect to the server, in other words what's its domain name or IP address and what port to use. So the default is a loopback address, then port 3306, which for us is fine because we've actually installed MySQL on this local computer. Then it wants the username; well, we're not logging in as root, we're going to log in as semaphore. Then it wants to know the password for that account. Now what I will warn you is that this actual password, when we either type it in or paste it in, is going to be visible, so just bear that in mind. Then it wants to know what the actual database name's called; well, we called ours semaphore, that happens to be the default, but obviously if you've used a different database name you'll want to change that. I don't, so I'm just going to hit return. It wants to know what the playbook path is, so this is a working directory if you will; I'm going to set that to /opt/semaphore to keep everything in the same folder. We're not running multiple websites off a server, so this doesn't apply to us, so I'm just going to hit return. I do want email alerts, so I'll put in yes and hit return. It wants to know what our actual email server is, so for me it is mail.homelab, 'cause I'm using Mailrise, what is it, 025. Now the sender address, it's defaulting to semaphore@localhost, but I'm going to set this to be semaphore at
much my domain. It then wants to know do we want to send Telegram alerts; well, I don't, so I'm just going to go with the default option. Slack alerts, I don't, so again I'm just going to go with the default option. Do you want to use LDAP authentication? Well, I don't, but that is a useful feature, because the idea is Semaphore is set up for teams to have multiple users who will be using it, but in this case anyway I don't want to use LDAP authentication, but it is there as an option, so I'm just going to hit return. It wants to know what the output directory is; well, we're already in /opt/semaphore, so I don't need to change anything here, and then off it goes and starts to create our actual tables as well as our actual config file. Now eventually, as you can see, the actual process halts and it's prompting for a username. Now it's actually asking you to actually set up an admin account for this, so I'm going to just give this an account name of, well, I want to call it admin; I would obviously suggest using something less obvious than that, but I just want to keep things as simple as possible. It wants to know what's the actual email address going to be. Now for me, if any emails get sent to this admin user, I actually want them to go to slack@mailrise.xyz; in other words, this is the email address where you want your alerts going to for that admin user. Now obviously you've got the ability to set up other users later on; they'll all have their own individual email addresses. For me, because I'm using Mailrise, well, to be honest, everything's going to go to slack@mailrise.xyz so it ends up in an actual Slack alert, but in any case that is going to be my actual email address. It then wants to know what the actual name is, so this is just going to be called admin, so I'm just going to hit return. It wants to know what the password's going to be, so I need to give this user account a password. As ever, it actually shows up on the actual screen, so that's something you need to be aware of, and that's it, it's finished; it's
actually done the actual setup process. If you have a look in the actual folder, we've also got a config.js file. It does actually suggest to launch it to use ./semaphore, but the thing is that actual command doesn't exist in the current working directory. If we actually ask it, out of curiosity, yeah, it's actually in /usr/bin, so that's just something to bear in mind if you actually just want to run the actual server directly from the actual terminal session, but really we want to run it as an actual service. Now earlier on in the video we installed Ansible, or more specifically I reinstalled Ansible, reason being is I wanted to have the latest version. Now the only thing is, as you'll see here in a minute, if I actually ask what the version of Ansible is while logged in as this semaphore user, it's coming back with an error message saying that the command can't be found, and the reason being is because we actually used pipx to install Ansible, in which case I need to install Ansible for this actual semaphore user to be able to use. I mean, the reason I installed it for my account is because there are going to be times where I want to do my own testing with Ansible independently of Semaphore, in which case both actual user accounts here need access to it. So first thing I'm going to do is run ensurepath just to make sure that we've got that set up properly. As it suggests, we need to get out of this terminal session; it's suggesting you could log out and log back in and so on, but I'm just going to exit out as the user rather than actually exiting out completely, because that's enough, because it means we're no longer logged in as that user, but then what I could do is log back in again, or rather switch over to that user account. I need to put my password in here to do that, switch to the home folder, check again, I'm a bit paranoid, just double check, yes, it's pointing at the moment to /opt/semaphore/.
local/bin here, which is what we want. Then what we've got to do is go back through that process of installing Ansible again using pipx, and yeah, it's going to take a while. Well, this has eventually finished, so what I'm going to do is just check that we've got Ansible available, so there we go, so now the semaphore user's got access to version 2.6.2. Now Ansible allows you to set up a default configuration file, which basically saves you having to type the same sort of parameters out over and over again at the command line. Now most of the actual settings that I put in there can actually be defined within Semaphore, but there are two in particular that I still want to have, so I need to set up an ansible.cfg file, and because of the way that Semaphore works I need to actually create one within my home directory, which means it actually has to be a hidden file. So I'm going to use nano, create a file called .ansible.cfg, and we are already in my home folder, at least within the home folder of semaphore. Then I'm just going to copy and paste in the settings that I want, so defining our defaults settings here. I like to have this interpreter_python setting of auto_silent; basically it's just you get warnings if it runs into problems with the actual Python interpreter it finds, so I like to suppress those. Also, when you log into a computer for the first time using SSH, you'll actually get prompted if you want to accept the fingerprint. Now that's not practical when it comes to automation with something like Ansible, in which case I've got this host_key_checking setting here, which is set to false. So I'll save that, and because this file exists within the home folder, I don't have to actually create similar files for every project that we set up, for example, and those are sort of settings that apply no matter what project I would set up for Ansible anyway. Now the next thing that we're going to do is to actually set up a service to actually run Semaphore, reason being is I want this running 24 by 7 so that I can actually
schedule my tasks, and first thing I need to do though is to exit out as this semaphore user, because it doesn't have any privileges; that's deliberate. Then we're going to create our service file, so I'm creating a file called semaphore.service, I'm putting it into /etc/systemd/system, and copy and paste in the details that work for me, and I stress that because some of these settings are going to depend on how you're setting things up. So we're setting up some conditions here where I want to make sure that the actual binary file itself for Semaphore exists before it tries to actually run the service. It's always going to be called semaphore because that's the name of the command, but I also make sure that the actual config file exists. Thing is, mine exists within a folder called /opt/semaphore. The name of that binary and the name that I've got for the folder just happens to be because I've set up a user called semaphore and I've set up a folder to go with it called semaphore within this folder /opt, so a lot depends on where you're putting this config file; basically that's where you want to be pointing your service account to. Now when it comes to the service itself, I want this to be running as a non-privileged service; basically I don't want to be using the root account, so I'm stressing that I want to actually use the semaphore user that I created, and that's the group that goes with it. But you can run into problems with pathing, especially because of the installation using pipx of Ansible, so I want to make sure that it knows the path for that user. This is basically what I've done: I've just copied the path that I would have been getting for that user when I actually log in as that user. I want to make sure that the actual service account, when it's running, actually sees that same path, otherwise it just throws an error, for instance saying it can't find Ansible, so that's the reason for that environment path. But again, a lot depends on where you've actually set this all up, so everything
for me is in /opt/semaphore, but it might vary depending on what you call the user, what you call the folder, where you actually create the folder and so on. Then lower down, where we're actually starting the actual Semaphore application, again that's fixed, it's /usr/bin/semaphore as up there, but the config file that we're then pointing it to is, for me, in /opt/semaphore. So up here we're just checking to make sure these things exist; down here we're actually making use of them, so do make sure that aligns with, you know, how you've set this all up. And then finally I've just got an identifier for syslog of semaphore. Now that's because the actual application is going to be semaphore, so that's going to basically stay the same, but you could change it to something else if you particularly wanted to; I'm just keeping it simple, I'm just calling it semaphore. So that defines the actual file, so we'll exit out of that. Now next thing to do is, well, we've actually changed something here as far as systemd goes, so we need to make an update, so we're running systemctl daemon-reload. I want to make sure that this service will always start when the computer boots up, and then we're going to actually start it, see if it throws any error messages; no, it hasn't complained, but all the same, just going to check the status. There you go, it looks as though so far things seem to be working, so from what I can tell Semaphore is now up and running. Now in order to connect and start managing things in Semaphore, what we have to do is point our actual web browser here to the web server that we get, so for me this is going to be http://localhost and then port 3000 there. Now I'm using localhost because this is installed on the actual computer itself. We're using HTTP because, well, HTTPS isn't actually supported; they do not give you a secure web server for some strange reason. I mean, you can actually try to use HTTPS, as interestingly enough their documentation suggests, hit return, and no, doesn't work, doesn't even give
me an option to say, well, just accept the private certificate; it just doesn't work. I do find that odd, because if you go through the documentation they'll say you can only use HTTP for the Docker version; they don't specifically say anything about being able to get HTTPS with this packaged version, yet oddly enough the URL that they give you has HTTPS, or at least it did at the last time I checked, but the only way to connect is through this unsecure process of using HTTP, so we'll do that. Then what it does, it comes up with the login prompt. So when we ran the setup I created a user called admin; now I need to put in my super secret password, click on sign in, so it's now logged in, and the first thing it wants us to do is to create a new project. The reason being is that's the way Semaphore works; it expects you to be doing everything within projects, which makes a lot of sense for teams, to be honest. So what I'm going to do is I'm going to create a new project and I'm going to call it video, I'll click on create, and that's it, we've now got access to a project and all these other things that we can do. Although one tip I'll give you is down here we've got an option for dark mode; that makes a lot more sense. Now as you have seen, when you first log into Semaphore you have to create a project, and once you do it gives you access to all these other things within that project, so anything we set up here is specific to that project, but you can create other projects. To do that, click on whatever the project happens to be that you're in at the moment and it gives you an option to create a new project, so for instance we'll call one test and then click on create. So that creates a new project and it automatically switches across to that project. Now it is unusual for companies to delete things, but if you actually want to delete a project, make sure you're actually using that project, go over to settings, then just select the option to delete project. It does come up with a confirmation just to make sure you do
actually want to remove it, but click yes and that's it, and now it's just pushed us back to that original video project, but that's how you actually manage your projects. Now usually for Ansible to be able to gain access to an IT device on your network it'll have to actually authenticate, and when it comes to Semaphore here, that's where the key store comes into play. So if we click on Key Store, we've got an option here to create new keys, and one thing I'll stress is that there's various sections within this project where you need to provide credentials, but you can't just type them in; you've actually got to reference a key within this key store, so that's something to bear in mind. It's best to set up all your keys first before you go any further. In any case, for us we're using Ansible to actually log into computers using SSH, so we actually need to use SSH key authentication. So click on new key, give the key an actual name here that we can reference it by, and then for the type select SSH key. We can tell it what the user account is here, and then you would copy and paste in the private key, and I'd stress the private key, not the public key, the private key. The only thing is, well, all of this information is visible, and although this is a video and just a lab, I don't want to keep going through the process of recreating keys every time I do a video, in which case I'll set this one up off camera. Now what you do next really depends on how you've got this set up, because there's another option which is login with password, so we provide an actual login name plus a password. Again that information is visible, so do bear that in mind if anybody is walking by and looks over your shoulder, but this would also be useful not just for a system where you do log in with a username and password, but also if your Ansible user account has to provide a password to get sudo rights, for instance; you'd have to set up another key to be able to do that. Now in my case the account can actually log in using SSH key
authentication, but it doesn't have to provide a password to get sudo rights, so I don't need to provide another key for Ansible itself to do that. However, what I do need to do is to set up another key, which I'm going to call Anonymous, and I'm going to set that type to None, hence Anonymous. Now as it suggests here, they're talking about, you know, maybe you're going to log into a repository or web server or something to download something and there's no need for any user authentication. In my case I'm going to have the actual Ansible files stored on the computer, and the semaphore user account that's running Semaphore itself as a service will already have rights to those; I'll be setting those up later on, in which case it doesn't actually have to authenticate as such, but when we actually go to set this whole thing up it's going to actually ask for a key, in which case I do need this Anonymous key to actually do that. So whatever type of key you're going to create, you fill in the details then click on create. Once you've actually got a key, what you can do is you can delete it, just click on the bin option there, or you click on the pencil to edit it. Now if you want to make a change you've got to click that override option. In this case all we can do is just change the type, but with other types, with the SSH key you could then give it the new private key; if it was the actual login with password type you could give it a new password, for instance, and so on, and then once you've done you would click on save. But either way, that's how you actually set up the keys within the key store. Now in order for Semaphore here to actually be able to run any of my Ansible playbooks, I actually need to tell it where those Ansible files are, and that's where repositories come into play. So you click on repositories and then click on new repository to set up a new one, but before we do that I'm actually going to set up a new folder on this computer, because that's where I'm going to be storing my actual Ansible
files. So I'm going to just switch over to a terminal session and I'm going to create a new folder in /opt and call it ansible. For that reason I need sudo rights to be actually able to do this, but it's not just me who needs access to this, so does Semaphore and basically anybody else who's going to be using Ansible on this computer. So I'm going to change the ownership so that the ansible group is defined as the group for this. So this is a group that I defined before, and at the moment I'm a member, but also is that semaphore user. So we'll change its ownership, and then I'm also going to change the actual permissions because I don't want everybody to have visibility of it. Then what we're going to do is to actually switch over to that folder, and what I could do is then create a folder in here which is in line with the actual project that we've got created in Semaphore, but since we've actually got Git installed I'm going to take advantage of that and I'm going to get Git to actually create the folder for me. We'll swap over to the actual folder there. Reason being is, if you look here, it's referring to the initial branch as master. Now, if you're used to using Git online, it's actually referred to as main, so I'm actually going to change the branch to be main instead.

Well, back over here on Semaphore we need to tell it where the actual Ansible files are, and that means setting up a repository. So to do that we click on Repositories, then click New Repository. Now, because it's a local folder I'm just going to call it Local, and then it wants the URL or path to get access to the repository. As you can see, there's quite a few choices here in terms of how to connect to a Git server, but when it comes to local folders like we're using, it wants the absolute path, so I'm going to copy and paste that in. So it's /opt/ansible, and then within there we set a folder called video to go with the actual project name. Now, although I configured Git within the actual folder, that's just basically for me to be
able to do my own versioning. We're not actually connecting to a Git server as such using any of these protocols, so this option about the branch is actually grayed out. The last thing to do is to tell it how to essentially authenticate. Now, we're connecting to a local folder and the user account that's running this Semaphore service already has access to the folder, so it doesn't need to log in again, in which case I'm actually going to select the Anonymous key that I set up in the key store here, because there's no point logging in when you've already got access to it. So with all that done I'm going to click on Create, and then that gives us our repository. The only other things to do are, well, you could delete the repository, you do have to confirm that, you can edit the repository, and you can also create other repositories within your project if you like.

Now, Ansible requires access to an inventory file, which gives details about groups of hosts, for example, that you're referencing within a playbook. Now, for Semaphore you can actually set up inventories. To do that, click on Inventory, then click on New Inventory. You give it a name, so for example I could call this, well, just Inventory. Now, I can't type in username details and passwords, that sort of thing; I've actually got to click on this option here, User Credentials, and actually pick something that I've already defined within the key store. So for me, Ansible is going to be connecting in using SSH key authentication, and I've set up a key within the key store that has details of the actual ansible account, so I'm going to select that. It doesn't need a password to actually gain sudo rights; if it did, I would have had to set up another key with a username and password and I would have then selected it here. Now, we've got a choice of types, so you've got Static, Static YAML or File. Static is probably the more common way, so I've got an example, but for me it would be something like, these are my PVE nodes, so I've got a group called PVE nodes,
then the actual IP addresses of them. You can also do it in a YAML format, but it's basically just the same, it's just a different format, that's all. So you've got choices when it comes to these static ones. The only thing to bear in mind is that you're going to be entering information and it goes into the actual project itself, so if you want to maintain these inventories you're going to have to keep coming back into here and updating that entry in there, adding a new host, removing a host and so on. And what I was thinking of is that if you've got several projects and they're all referencing the same hosts, it's the same essential inventories, seems quite a bit of extra work, more admin to do, because you're going to have to do that for every project. Now, if these are many projects all referencing their own individual servers and that's all they touch, that makes a lot more sense, but if you're going to be running multiple projects but referencing essentially the same servers, it just seems like too much work. I mean, it is useful in the sense, I mean, you don't have to maintain, like, one big static file, for example. I mean, what I could do is set up an individual inventory, say for my PVE servers, I can then have another inventory for web servers and another one for database servers and so on, so you can actually get your playbooks to reference whatever inventory is relevant to them. But me, I think it's just the extra admin work kind of puts me off. So for that reason, what I'm going to do instead is I'm going to call this Inventory and I'm going to point it to a file instead. So I need to put the actual path to this file. I haven't created it yet, but I'm going to call it inventory and I'm going to put it into the /opt/ansible folder. Reason being is, for me, I might have multiple projects going but they're all going to reference that same inventory file, so I just need to maintain one specific inventory file right across the board, so it makes more sense to put it into the parent
folder. So whatever it is you're doing, just click Create, and then that creates your inventory. Now, one thing to point out is another good thing about the File option is that it doesn't actually just pull all that information in once you create it, it just keeps referencing back to the file, so all I have to do is just keep maintaining that actual file itself and Semaphore will be up to date. But obviously it's no use without an actual file, so I'm going to create that file. I'm just going to use nano to do it, so I'll get it to create this file called inventory in /opt/ansible. Note I haven't had to use sudo rights to do this because, well, I've already given myself rights to this folder anyway; anybody in that ansible group as well is going to have access to it. But I now need to copy and paste in the details, and then that gives us an inventory.

Now, Ansible can take advantage of variables, and for Semaphore here what you can do is click on Environment and then click New Environment, and you've got choices for extra variables and environment variables, and they do even give you an example in JSON format there. Now, personally I've got no particular plans to set up variables this way, I'm quite happy to just set up the actual files themselves, but even if you don't want to use this, the way this is all set up you still have to have at least an environment set up that can actually be referenced. So I'm going to actually create one called Empty, just so that I know it's an environment, essentially, and what I'm going to do is to copy and paste in some curly brackets similar to those; there's just nothing in them. But as I said, you've got to have at least an environment to reference, so this one doesn't really do anything but at least it's defined. So I'm going to click on Save and that gives me an environment.

Now, as we'll go over later, you run your playbooks as tasks, but what you can actually do is to set up views for them. So to do that, if you go over to Task Templates, by default all you've got is
this tab here called All, but you can actually set up views here. So I click on the pencil, it's saying at the moment there are no views, but I click Add View and create a new one. I'll call that test one, if you can spell, and then click that tick box there, and another one, call that one test two, and click that one, test three, and so on. If I now close the actual dialogue box here, you can see we've got actual tabs. So this is quite useful if you want to actually filter tasks out, because you can actually assign them to views. But if you actually want to remove these, what you can do is click on the pencil button again, then just click the cross next to them to actually delete them, and it removes them. So that does have potential there, as I say, if you want to actually filter your actual tasks out.

Now, in order to run a playbook in Semaphore here, what you've got to do is set up a task for it, and to do that you click on Task Templates and then click New Template. Now, when we're setting up this new template you've got a choice of a Task, Build or Deploy. Now, for the sake of this video we're not going to cover Build or Deploy, all we're interested in is actually running a playbook, and that means setting up a task. So what we've got to do is give it a name, the description is optional, we've got to tell it the name of the actual file, which for me is going to be ping.yml. Now, one thing I'll point out is that you can't actually browse for that file, you've either got to copy and paste it in or you've got to type it. It makes no difference if you provide, you know, the repository in where to find the actual files, it's still not going to give you an option to browse. Then what you have to do is provide the inventory, which we created in the Inventory section, the repository, which we created in the Repositories section, and the environment, which we created in the Environment section, and all three of those are mandatory, so you've obviously got to set them up in advance. And again, even if you don't want to provide any variables within an environment, you've still got to set up at least an empty environment that you can point to. Now, if the playbook needs access to a vault you can provide the vault password here, but it's got to be something that you've set up within the key store, so it would be one of these login passwords but it won't have a username, just an actual password for this to be able to get access to the vault. We've got an option for survey variables, so if you click on that you can fill in the details, pick a type of string or integer, and these are basically variables, when you actually run this task and run the playbook you'll actually get prompted to provide the values. Now, that's no good if you're running these at a scheduled time of the day because, well, you would need interaction, but the option is there if you want to use it. As I mentioned before, you can have views. Now, I've only created one; you don't have to actually provide a view, it is optional, but for the sake of this example I'll pick that one out. I'll touch on cron in a minute, because the other thing I'll mention is you've got a choice here to suppress success alerts, so maybe you want to run your actual tasks but you don't want to know if it's actually succeeded, you only want to know if there's a fault, so you can actually suppress any alerts that way. And then you've got an
opportunity to put in command-line arguments here if you will. It's providing some examples, just remember to select that box, so CLI args, and it's got to be in JSON format here, as you can see.

Now, I'll come back to cron. Reason being, I'm going to demonstrate a bit of an oversight, I'd say, on the part of the developers. If you're not familiar with cron, it's basically a way to actually schedule actual things within Linux here, and although in some respects it's quite useful, they've given you this URL here where if you click on Docs it opens up a tab and you can get details, and you've even got examples. So for example this one here, I'll just copy and paste that, so it's detailing the number of seconds, minutes, hours, day of the month, month, day of the week. So it's useful in the sense that they're pointing you to the documentation, telling you a bit more about it, giving you examples through cron themselves essentially. But if we go back to Semaphore itself, let's say I paste in that example to run this job every hour on the hour. If I click on Create, it actually won't let me create it because it's saying it's only expecting five fields but we've actually got six. That's why I'm saying this is to me an oversight on the part of the developer, particularly if you're not familiar with cron, because here we're getting told about setting up a cron job using six fields but Semaphore only accepts five fields. So I can see in some respects why they're only using five fields, because what you need to do is delete that first field, in other words the seconds, because, I mean, typically you're going to be running these maybe every quarter of an hour, every hour, half hour, these sort of things. It would be very unusual to run an actual task at a specific second, so obviously remove that as an option. But yeah, that could actually throw you. Anyway, I'm not going to be setting this up to schedule, because it's just something I wanted to point out for the video, but I
want to actually run this actual task manually, so I'm leaving that empty and I'm going to click on Create, and that creates the actual task for me. Now, when I say it creates the task, if you click on that option there it expands out, because essentially every time this gets run it spawns up a new task, that's going to be the same thing for any other task that you create. And what's really, really useful to me about Semaphore here is that it's going to give you really a history of every time this gets run. You'll be able to know when it was run, whether it was a success or not and so on. To me that's just extremely useful compared to just setting up a cron job within, you know, the command line basically, so I do like that a lot, that's a really appealing thing here. So Semaphore's not like an all-in-one solution, you've still got to have a separate way of creating your Ansible files through a text editor of some sort, but this seems to be a much better way of actually running your actual playbooks once they're ready. Now, we've only got one task here but you'd get the same opportunity for every task that you create. Very useful that you've got this option to actually run it directly from this view here. I mean, actually, if I go over here, you can see we've got, this is a view called test one. If I create a new one called test two, again select that one, we don't see anything about that task because it only belongs within view one. So it's a good way to filter things out. But I do like this, you'd end up with a lot of actual tasks and you could run any of them individually directly from that line, so that's very, very useful. Now, we've got some information about each individual task as well, its status, which version we're on to in terms of how many times it's been run, but if you actually click on the name of the task then you're into the details of the actual task itself, so you'll just get the details, the history of that one task in this pane view
here, which is very useful. Again, we get information about the task up here, we can run it again, you can delete it, and I do like that option there, we've got to confirm it, you can actually copy it, which is quite useful, but if you want to edit it you click on the pencil, then you can make changes to it. So that's very useful, that gives you that high-level view for all of your tasks but then you can, you know, drill down into each individual task. You'll get similar sort of things on the history of tasks run within the dashboard as well. But obviously I've actually set up a task here but I don't actually have a playbook, so I'm just going to have to do that next. So I'm going to keep this simple. What I'm going to do is just create that very file we've referenced, and it's not really going to do anything, it's just going to log into all of the actual computers, hence why I called it ping, so it's just a ping test as such, but it does actually log in. So that then sets up our task.

Now, Semaphore here is really aimed at multiple users, in other words the idea is you'll have a team of users working on your Ansible projects. Now, at the moment all we've done is to create an admin user, that was as part of the actual setup of Semaphore itself, but it's not really good for individual users to log in as the admin because there's no accountability, and it makes a lot of sense as to why they've picked LDAP as well because of this support for teams. But because of the way we've actually got this set up, we've got an admin user and we're going to be using local authentication, so we're going to have to set up individual accounts for each individual user. So to set up accounts we're going to click on Admin, then click Users, then we'll click on New User, then we can fill in the details for the user. So I'm using Mailrise, so really everything has an email address of Slack mail.
XYZ for me. So I'll put in a password, which incidentally does actually get obscured here. I know when you're setting up the keys that information doesn't get obscured, so I don't know why they haven't done it across the board, they've only done it here, so it would be useful if they'd done that elsewhere. But anyway, we can make this user an admin user and we've got an option to send alerts to this user. Now, bear in mind, if you don't enable that feature then I'll probably never see alerts. Somebody at least involved in the project has to have this feature enabled if you want any alerts being sent out, essentially. I mean, when you actually set up your admin user, which is interesting, that isn't enabled by default for that user account, which I suppose makes sense, you'd probably be sending emails to the individual users for the project or maybe for a team leader, it really depends on your circumstances. But that's something I want to point out: make sure that if you do want to receive alerts, make sure somebody who's working on this actually has Send alerts enabled.

Now, what you're going to find is when I click on Save, yeah, again, an error message: request failed, status code 400. Now, that's not very specific. I was scratching my head for a long time. I've seen people reporting maybe it's to do with a version; some people have ended up just manually editing the database because of certain circumstances. For me, what I found out eventually, because I've got two computers, I've got a live system and I've got a lab system, and it's a case of, ah, it took a while before the penny eventually dropped, the reason I'm getting this problem is because I've got two users with the same email address. They're both exactly the same and the system will not accept that, so I've got to change this to something else. Now, in a normal sort of, like, team network everybody would have their own individual email addresses. This is probably just because I'm using Mailrise. The idea is that all of the
computer systems send an email message to Mailrise, which in turn will then send an alert out to some service. I'm using Slack, so that's always going to be the email address regardless. But now that I've changed the email address, click on Save and, voilà, that's done. So it's interesting, it's not very specific there to point it out, so yeah, it took me a while, I had to figure that out, but that is the cause of my problem, but at least it's now solved and I've got two users. Now, it's quite useful because you can sort on individual columns. The External, by the way, is to do with if these are, like, LDAP users for example, which in my case they're not, these are local accounts, that's why none of them are enabled. From what I can see here, I can't actually enable things, make changes to individual accounts at this level, I'd have to actually go into that user account and make changes that way. There is an option to delete a user if you wanted to; if I click on Delete you get the confirmation. One thing I'll point out though is this admin user. At the moment I've got a project up and running, I've got an admin user, which is basically the super user essentially, and this is my only admin user. If I take away the rights from this account and make a save, I'm not going to get any warning at all, and this is going to just open up a whole heap of problems. It doesn't ask me to confirm it, in other words it's not checking to see is this the last user with admin rights, it just says yeah, okay, and the problem then is it's broke at that point because there is no admin left to make administrative changes, and that'll just cause you a whole heap of problems. Now, if you're familiar with MySQL, as in the database we're using here, or whatever SQL, whatever database you're using, you can actually make changes within the database itself, because that's all it is, it's just saving information, and each user account will have an actual column in there to say whether it's got admin rights, so you
could fix it that way. But do bear that in mind: if you ever decide to take admin rights away from a user, really you need to make sure that at least somebody else on the system has admin rights, otherwise, as I say, it just breaks. Anyway, it's relatively easy to set up users, although to me it's not that blatantly obvious, the fact you're going to click on the actual user account to then do it. I mean, it gives me an opportunity to edit my own account because that's the user I'm logged in as, for example, but yeah, that's not so obvious. There's nowhere else I'm seeing to set up users as such, because as I'll point out in a minute there is a team, but you can't add people to the team unless you've actually created them as an actual user account, for example. So yeah, it's a bit of an odd way, I would have thought it might have been easier if they created a separate little section for users that way, but that's how you create users.

Now, as I mentioned before, Semaphore here supports multiple users, but whether you're connecting this up to an LDAP server or creating local user accounts like I did before, these users don't actually have access to anything unless you make them a member of the team for an actual project. So we've got one project here which I've called video, and to add a user to the actual team you click on Team, then you click on New Team Member, and then from there you just click on the drop-down box and it goes through the list of whatever you've got in terms of users, and then you can pick that user to be added to it. You can make the user an administrator if you like, but in any case, once you've made your choice click Link and it adds that user to the actual team. Now, thing to point out is that we've got administrative users, go back to Users, so these are admin users for Semaphore, but when it comes to team members you'll actually be an administrator of the actual project, if you will. So I could make this user an administrator of the project
but not necessarily an administrator of Semaphore here, you can see. Likewise, just because you're an administrator of Semaphore, you're not necessarily an administrator of a project. So let's come back to here. Now, this is something I want to point out, because it's similar to what I was mentioning before about users and admin rights: you've got to be very, very careful when it comes to admin rights. If I take away admin rights there's no warning here. If I want to take away their admin rights I could run into similar sort of problems where nobody can actually manage the project as such, so you've got to be very, very careful when you're taking any rights away. I mean, I can't edit this user; to be fair, there's not really a great deal to do because you just picked it from the list of known users anyway, any changes are really only involving admin rights. But if you don't particularly want that user as part of the team anymore you can just delete them. At least that prompts you for a confirmation to actually remove the user from the project. It doesn't remove the user account itself, the user is still a local account, which in some ways might make some sense as to why you don't just see a Users section here, because it's not users that are specific to the project. When you're creating users, you know, these are users from the perspective of Semaphore as a whole, whereas I suppose Team is specific to that actual project. So relatively simple to set up, but you do have to be very, very careful when it comes to this admin rights.

Now, one area in Semaphore which I think could do with a bit more attention is when it comes to actual alerts, and that's because by default you don't actually receive any. Now, to me alerts are extremely important. I don't know if the task has failed or actually succeeded, but by default it's not going to happen, and there are quite a few hoops here you've got to actually jump through. And to some extent I kind of get it, I mean, there's a lot of flexibility here,
but yeah, there's just too many hoops involved, I think it could be simplified. So in my case I actually prefer to get my alerts through emails, and although we went through an actual setup process, it's not enough, we're going to have to manually edit the config file to finish this off. So what I need to do is to edit this config.json file for Semaphore, which is why I'm logged in as the semaphore user here, because I've got it in the actual home folder, because this user account is actually running Semaphore as a service. Now, if we go down to here, there's two lines I'm going to have to update: one's going to be the username and the other is going to be the password to get access to the email server. Now, most servers, I'd imagine, do require authentication, but we weren't asked, you know, to do that as part of the setup process for some reason. Another thing to consider is that down here we've got another line which is email secure, and by default it's set to false. Now, when you're going to connect to an email server and provide credentials you don't want that going in clear text, so you'd really want that set to true. So in my case, the way I've got Mailrise set up, I'm going to have to provide a username and password to get access to it and I'm going to have to set that to true to actually be able to then send my emails. Now, once you've done that, and for those changes to take effect, we would have to actually reboot the service. Incidentally, there are other things still left to do. So we've got an actual project here which I've called video, but if you create a new project you'll notice that by default alerts are not actually enabled for the project, so every time you create a project you're going to have to remember to select that option to receive alerts. Maybe in the case of the developers who do this they don't particularly want alerts or something, I don't know, but for whatever reason by default that's not enabled. If you've already got an actual project like I have here, you can
go to Settings, and if you forgot to enable it at least you can tick the box and then click Save. But that's not enough, we've then got to go back to our user here, because at least one user needs to be able to receive alerts, so just click Save again on that. Yep, we go back to our list of users. I'm going to have to make sure that our admin user here can receive alerts because that's the one I'm going to be using. Without that you just don't get any alerts. So something else to bear in mind is, yeah, there's all these extra steps: the project needs to have it enabled, a user account needs to have it enabled, in my case the config file needed to be updated as well. But having said that, there's one slight hitch. So I've got an actual task set up, so if I edit that, the only option I've got here is to suppress successful alerts. That's disabled by default. In my case that's great because I actually want to be actually told if an actual task succeeds. Reason being is that there's always the possibility somebody might make a change, say a firewall change, which locks Semaphore out from being able to get access to the email server, for instance. The trouble is I won't know about that until somebody actually then logs into Semaphore and starts seeing, you know, tasks that have failed, for example. It just couldn't actually notify me that, you know, those actual tasks failed because it couldn't get access to the email server. So I like to have this option where I'm always actually receiving alerts regardless, that way at least I know things are always working in the background. Totally up to individuals, but that's just my preference. So we've got an option here where you can actually suppress successful alerts. The only trouble is it only applies if you're using Slack alerts, for example, and from what I've been reading on forums this is a deliberate setup. If you're using emails like I am, you'll receive an email if a task fails but you will not receive an email if a task succeeds. So that's something to bear in mind.
Vice versa, as far as I'm aware, I haven't tested it because I'm not using this with Slack, but if you get it to send Slack alerts, in other words you've configured it within that config file to send Slack alerts, then you will receive alerts for tasks that have succeeded. But that's going to be a problem for me because, well, I've got everything set up to use an email server, so everything's sending emails to Mailrise, which in turn then sends alerts to Slack. I don't really want different computers sending alerts to Slack, for instance, I'm trying to keep the security as tight as possible, only Mailrise has got access to these sort of things over the Internet basically. But that's just not an option here. I'm stuck with a situation where, yes, I can get failed alerts on emails but not successful ones. So the only way I can see around this would be for me to set up maybe, like, a playbook, run that on a regular basis, and what that does is to actually send an alert, or an email rather, over to Mailrise, which in turn sends me a Slack alert, so at least I know that Semaphore is able to get access to the email server. But it's a bit of a shame, I don't know why they've done it. From what I've read on the forums it's a deliberate setup on their part, so at the moment that is the way it is. So I can work around it, but, I mean, the good thing about it at the end of the day is I can still get alerts, assuming everything's working I should still be able to get alerts, which is ideal, and it makes this thing a whole lot better than if I was just running cron jobs through the command line, for instance. So at the end of the day this is still extremely useful in comparison.

Now, the last thing to do is to actually test this all works, and what we're going to do is to actually get it to run this playbook here. So we've got a task and we've already drilled into it. So as I mentioned, there are different ways that you can manually run a task, so where we are now we've got an option to just click on Run, or we could
go back to Task Templates, where you get basically a list of all the tasks you've got, and then in the Actions column here is an option to run. So we're going to click on that and start off, and it actually asks if there's any additional parameters you want to put in, so these are your typical command-line parameters you might want to add as extras. I'll leave those. There's also an Advanced option, which I'm not really sure why it's there because all it does is point you back to the CLI arguments settings for the task template itself anyway. But in any case, I don't need to add anything to it, so I'm just going to click on Run and then it'll pop up a dialogue box and actually try and run this playbook. So now it goes through the process, it says it's running that, so it's now gathering the facts, it's pinging those actual servers, which really means it's actually logged in to them, and so it's actually finished now. So it's got a status of success, so that means that's done. If you go back to Dashboard, this is basically a history of all of your tasks, which is quite useful if you just want a top-level view, I mean, telling you what the name of the task is that was run, who actually ran it, when it was, so at the moment it's just a few seconds ago. Very useful, obviously, is the actual status. If we have a look at Activity, there's all sorts of things going on back there. But if you go over to Task Templates, there you go, it's showing you that we've got an actual number against this task, so if I expand this out you can see we've now got an ID for that, and now we've actually got an option to rerun it. Now, to be honest, I'm not quite sure of the benefit of that because it still spins up another task as such. So we've got this task, I don't know, it's kind of a bit confusing, I find, because we've got this concept of task templates. I would have thought that was a task template in itself because it then creates all these tasks, but if I click Rerun here it doesn't literally rerun
task number one here that's being defined for this, um, ping task we're running. We get another task spawned anyway, so it doesn't seem to me at least to make any difference whether I click that or click that. So if I click that again and click run, in this case we haven't made any changes so we'd expect the same result anyway. We'll just go back through the process of, um, connecting to a playbook and then try to run it using Ansible. Uh, the servers certainly are still up, so the result's the same. So you can see we've now got, um, task number two. It's not actually showing it at the moment. If I compress that then try to expand it, now it shows up, so it's showing it in reverse order basically, the, um, I suppose the most recent right at the top there.

Uh, on the other hand, if I click on rerun we're just going through exactly the same process, so as I say I'm not really sure what the difference is, 'cause we've got task number three now. So it hasn't rerun task ID 2, it's just gone back through the whole process. So yeah, it's got me a bit confused, I must admit, but in any case that one was a success. So it does not automatically update itself, but if we click on the actual name of that task that we've got, now we've just got specifics about, um, that one task that we've got rather than kind of an overview of all tasks.

But either way I really like this, to be honest, because aside from the, you know, security and quibbles about alerts, I mean, I've got this all now running on a single computer, so I'm pretty comfortable in that aspect of it. But it means I can schedule this to run tasks using Ansible at certain times of the day, regularly, and what it'll then do is it'll go through the process of running those tasks, or at least trying to, but they not come back and get details, and it's keeping a record of all of the tasks that have been run, what the status was, and that to me is absolutely ideal. Um, it's that historical information, as also the actual, um, status of say the last task for example, that's
extremely useful to me. And yeah, there is quite a few solic steps to go through to set up as a basic cron job, what it is the grand scheme of things I suppose, but it's still extremely useful.

Now as it turns out, um, well, I've been running an older version of Semaphore for a while, and yeah, we actually installed this older version as part of the video, and I actually only found out about it when I ran into this 400 error message. And it was a case of, well, people were talking about newer versions on the forum and I was kind of scratching my head, because if I go to the documentation here and go through the installation instructions it talks about version 2.8.5. So, well, I just assumed that they were keeping the examples and the documentation as a whole up to date, but if you go to the releases page up here, well, we're actually up to 29.41, at least as far as the betas go. Um, the latest version is actually 2.9.37, and the version that I've been using is actually over a year old. Uh, so yeah, on the plus side though, it's a case of, well, this is an opportunity to do an upgrade.

Now before we actually do that though, what I'm going to do is just scroll down here, go to page two, because there's a warning at 2.94 here to back up your database. The reason being is they're actually going to make changes to the database, and once you do that you can't then roll back to an older version of Semaphore because it won't be compatible. I mean, basically the jump from 2.89 5 here to 2.94, so that's something to bear in mind. They introduced new features and that required a database update. Now in my case I'm running this on a virtual machine, so I've just took a snapshot, uh, so I can just roll back if things go, uh, pear-shaped basically.

But in any case what we need is version 2.9.37, so what I'm going to do is switch over to the terminal session here and I'm going to shut down the actual service first. My password. Going to go over to the downloads folder, because the process for upgrading is just the same
as we're actually installing it in the first place. So I'm going to download 2.9.37, then once that's actually downloaded, what I'm then going to do is to actually then install that version, and then off it goes, and as it says it's unpacking Semaphore 2.9.37 over the top of 2.875. So then what I need to do is to start the service back up. Hasn't complained. I'll check. Yep, it's active and it's running, but because I know it's going to make changes to the database I think I'm going to leave it a bit of a while and then we'll check and see.

Well, I'm back here on Semaphore and I didn't log back in, I just did a Ctrl+F5. It hasn't asked me to log in. I mean, having a look around just to see if everything's working, even run a task, and yeah, seems fine.

So in terms of changes, what I've noticed is that down here in the lower left we've now got a choice of languages. By default it's set to US English. Then next to the portrait, if you're an administrator, that actually flags that up, which can be useful I suppose if you try to make changes for instance and you're wondering why you can't. Well, that's an easy and quick way to find out. Up here in the top corner, underneath the name of the project, it now actually tells you what your role is, uh, for that project. I mean, we're logged in as admin and admin created this project, so seen as an owner. In other words, they've introduced roles into this. If we go over to the actual team here you can see against the user you've got a choice of, well, you can be an owner, you can be a manager, you can be a task runner or you can be a guest. So that makes a lot of, um, sense really, I mean especially in teams, 'cause you might have different people from, uh, different departments or something who need different levels of access, so that is something that's useful.

I'm just going to have a look and see what else that I noticed. I mean, this is covered in the notes but, I don't know, maybe this is just a feature, shall we say. Um, one thing I've done is I'm pretty sure history,
activity and settings was over here, now it's over there. If I click on history or activity that seems fine, but if I click on settings, all of a sudden that shows up billing. So it doesn't show if you highlighted on these two, but it does on this one for some reason, or on settings for some reason. So that's something it looks like they're going to be introducing, as it says. I don't know why they've actually included it to tell you that, or why it only shows up when you're actually on the actual settings tab, but in any case that actually sounds quite useful. Um, I mean, if you're doing Ansible projects with customers you can do billing, uh, within your projects for instance, for different customers, and even if, you know, you're in an IT department, sometimes they actually bill departments for instance. So that is definitely a useful feature that they seem to be introducing, so that could be something to look forward to, but yeah, at the moment it's just a hint of what's to come.

But other than that I haven't noticed anything else specifically. Uh, go back to my task here and, say, things seem to be the same. Haven't done anything about this advanced, um, option, which to me just seems kind of pointless to be honest. Um, and we're still stuck with HTTP as the only way to get into the actual web server portion and manage Semaphore, which is a shame, but other than that, yeah, they're introducing new features as they go along, so that's definitely something useful to see.

So far Semaphore looks to be a very useful tool to help with Ansible automation. I really don't understand, though, why the developers couldn't have provided a web server that supports TLS. For that reason I wouldn't consider this to be a modern UI, because even vendors selling devices to retail switched to secure web servers a long, long time ago. I mean, I can get around the security concerns, though, by installing everything onto one computer and then accessing Semaphore locally rather than remotely. Bear in mind I've seen reports in the forum about sensitive
information being leaked to logs for instance, so not only should access to the computer be heavily restricted, but any exporting of logs for analysis will have to be vetted.

Documentation provided could also do with some more attention. There are a lot of hoops to jump through to set up Semaphore this way and they're either not mentioned or explained well enough, and maybe you're starting out with this, it can be a bit of a struggle to know what to do, and that's why documentation is important. In the grand scheme of things, though, this is a very useful tool for running Ansible playbooks.

Now if you find this video to be useful then do consider subscribing to the channel, as that would really mean a lot to me, but it's also a good indicator to let me know how videos like this are helpful to people such as yourselves that are watching, in which case thank you. On the other hand, if you're not ready for that level of commitment then I'd really appreciate it if you could press the like button, because that way that'll help to get the video out to other people that might find it useful as well.
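The workaround described in the video, keeping Semaphore's plain-HTTP web server reachable only from the computer it runs on, can be checked from the host's listening sockets. The script below is an added example, not from the video or the Semaphore project; it assumes the web UI listens on TCP port 3000 and that `ss` from iproute2 is available, and the sample socket lines are constructed.

```shell
#!/bin/sh
# Added example (not from the video): confirm the Semaphore web UI only
# listens on loopback, since its built-in web server speaks plain HTTP.
# Assumption: the UI is on TCP 3000; set PORT if yours differs.
PORT="${PORT:-3000}"

# Reads `ss -H -tln` lines on stdin and prints each listener on port $1
# that is not bound to loopback.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing on that port.
check_listeners() {
    awk -v port="$1" '
        {
            addr = $4                     # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)   # last colon, so IPv6 is safe
            if (n == 0) next
            if (substr(addr, n + 1) != port) next
            seen = 1
            host = substr(addr, 1, n - 1)
            sub(/^\[/, "", host)          # [::1] -> ::1
            sub(/\]$/, "", host)
            sub(/%.*$/, "", host)         # drop scope such as %lo
            if (host ~ /^127\./ || host == "::1") next
            print addr
            exposed = 1
        }
        END { exit (exposed ? 1 : (seen ? 0 : 2)) }
    '
}

# Constructed samples of `ss -H -tln` output, not captured from a real host.
SAMPLE_LOCAL='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 [::1]:3000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 4096 *:3000 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Live check on the host itself: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -H -tln | check_listeners "$PORT"
fi
```

An exit status of 1 means the port is bound to a wildcard or routable address, so the unencrypted login and API traffic can cross the network unless a host firewall blocks it.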
Info
Channel: Tech Tutorials - David McKone
Views: 2,433
Keywords: ansible gui, ansible gui interface, ansible semaphore, ansible semaphore setup, ansible semaphore ui, ansible semaphore demo, ansible semaphore install, ansible semaphore configuration, ansible semaphore playbook, ansible semaphore environment, install semaphore ansible, install ansible semaphore, install ansible semaphore ubuntu, ansible web ui
Id: Jjp8IgWaQqY
Length: 86min 40sec (5200 seconds)
Published: Sat Jan 20 2024