Advice on best way to sync root-owned files from one remote server to a group of others?

Hi,

I’m trying to create a Playbook to synchronize some initialization scripts and crontabs across a VCS cluster. The cluster itself is on RHEL5, so I am trying to use a RHEL7 server as a controller.

The key restriction here is that we cannot have direct root login via the network (i.e. “PermitRootLogins No” in /etc/ssh/sshd_config), so I need to use an account that is able to use a passworded “sudo” in order to gain root, which is needed to read or write these files.

Thus far, the only method I have managed to get to even come close to working is to create an archive of these directories from the primary, pull that back to the controller, then extract them on each of the secondary nodes – which is horribly clunky.

Approaches I have tried and failed on include trying to delegate the synchronization to the master node, e.g.

    - hosts: standby
      become: true

      tasks:
        - name: copy crontabs to other nodes
          copy:
            src: /etc/cron.d/
            dest: /etc/cron.d/
          become: true
          delegate_to: "{{ hostvars.localhost.primary }}"

– but delegation in this context merely means that the controller is just trying to copy files from itself to the master node each time.

> The key restriction here is that we cannot have direct root login via the
> network (i.e. "PermitRootLogins No" in /etc/ssh/sshd_config), so I need to
> use an account that is able to use a passworded "sudo" in order to gain
> root, which is needed to read or write these files.

No problem, as long as sudo is allowed. Providing the password via
ansible-vault encrypted files works like a charm.

> Thus far, the only method I have managed to get to even come close to
> working is to create an archive of these directories from the primary, pull
> that back to the controller, then extract them on each of the secondary
> nodes -- which is horribly clunky.

Hmm...

> Approaches I have tried and failed on include trying to delegate the
> synchronization to the master node, e.g.

Storing the files on the controller is not an option? Could even be
encrypted files, if you need.

Otherwise I would also fetch the files from the primary to the
controller and then distribute them along.

Delegating the task of copying the files to the primary could also
work, but that would mean the controller has to build ssh connections
to the other hosts, running commands through sudo via python and that
sounds pretty fragile.

Johannes
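The playbook below is an added example, not code posted by either participant. It implements the "fetch from the primary, then distribute" pattern that Johannes suggests, and it replaces the delegated copy in the original question: `delegate_to` only changes where the module runs, while `copy` always reads `src` on the controller, which is why that attempt pushed controller files to the primary. Every remote step runs under `become: true` so a passworded sudo is enough; no root login is needed. The inventory groups `primary` (one host) and `standby`, the `sync_dirs` list and the `staging/` path are assumptions for the example.

```yaml
# Added example (not from the thread). Two plays: (1) enumerate and pull the
# root-owned files from the primary to the controller, (2) push them to the
# standbys, restoring owner/group/mode. Assumptions: inventory groups
# "primary" (exactly one host) and "standby"; sudo password supplied as
# ansible_become_pass from a vault-encrypted group_vars file; sync_dirs is
# illustrative. Short module names and with_items keep it usable on older
# Ansible releases.
---
- name: Stage root-owned files from the primary on the controller
  hosts: primary
  become: true                        # sudo needed to read e.g. /var/spool/cron
  vars:
    sync_dirs:
      - /etc/cron.d
      - /var/spool/cron
      - /etc/rc.d/init.d              # assumed location of the init scripts
  tasks:
    - name: Enumerate regular files and their owner/group/mode on the primary
      find:
        paths: "{{ sync_dirs }}"
        file_type: file
      register: primary_files

    - name: Pull each file to the controller as staging/<primary host>/<remote path>
      fetch:
        src: "{{ item.path }}"
        dest: "{{ playbook_dir }}/staging/"
        flat: false                   # keep the full remote path below dest/<host>/
      with_items: "{{ primary_files.files }}"
      loop_control:
        label: "{{ item.path }}"      # don't print the whole stat dict per item

- name: Push the staged files to every standby node
  hosts: standby
  become: true
  vars:
    primary_host: "{{ groups['primary'][0] }}"
    staging: "{{ playbook_dir }}/staging/{{ primary_host }}"
  tasks:
    - name: Copy each file, restoring the owner, group and mode recorded by find
      copy:
        src: "{{ staging }}{{ item.path }}"
        dest: "{{ item.path }}"
        owner: "{{ item.pw_name }}"
        group: "{{ item.gr_name }}"
        mode: "{{ item.mode }}"       # find reports mode as an octal string, e.g. "0644"
      # registered results from play 1 are reachable through hostvars in play 2
      with_items: "{{ hostvars[primary_host].primary_files.files }}"
      loop_control:
        label: "{{ item.path }}"
```

Put the sudo password in a file such as `group_vars/all/vault.yml` as `ansible_become_pass`, encrypt it with `ansible-vault encrypt`, and run the playbook with `--ask-vault-pass` (or `--vault-password-file`). Two things worth checking after a run: `copy` only reports a change when content or metadata differs, so repeated runs are idempotent, and the `staging/` tree on the controller holds plaintext copies of files that are root-only on the cluster (crontabs in `/var/spool/cron` are mode 0600 there), so restrict its permissions or remove it when the run finishes.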