it seems to me that ansible-pull will not work if it picks up a config which has ask_pass=true. I would’ve assumed that a “-c local” on the command line would overrule everything but it seems that’s not the case.
Problem is that I have everything (hosts,config, etc) in git which gets pulled. The first time the repo gets pulled, the “-m git -a…” of ansible-pull works fine but then hangs at the subsequent ansible-playbook.
I did use --ask-pass in the beginning but then decided to switch. I simply noted the error since I’m still in the beginning of setting up ansible. I think it’s not that far fetched that people use a config file (source control) and ask pass. A failing ansible-pull is a big deal IMO if you rely on something getting pushed out and don’t check the logs.
I think it’s not expected since few people seem to be using pull instead of push.
Even if this is unlikely, I still think it’s a bug and very intuitive. I don’t think it ever makes sense to ask for a password when you’re using a local connection instead of SSH (correct me if I’m wrong).
One alternative, since you have ansible.cfg in your repository, is to define the environmental variable ANSIBLE_CONFIG that has ask_pass set to false when you invoke ansible-pull.
which actually gets me to my second request for ansible-pull: IMO It should take --private-key option just like ansible does. Having root ssh and git pull to the master host is not very secure since it will compromise your entire network if only one host is compromised. The GIT_SSH will point to a wrapper script which sets “-i id_rsa” command line option for my ssh://master_host//etc/ansible/.git repository. We can’t trust root on any of the ansible-pull servers since they’re used by tons of users and are possibly easily compromised. So with this wrapper script root can only get access to the master with a very underprivileged account.
Q: Did I oversee anything in this case? Is there an easier option to not have git pull as root from the master? How do people actually use ansible-pull? Root everywhere?
I think a --private-key would have to be passed to the git module which then passes “-o IdentityFile=…” to git.
An unprotected git repo is easier here of course since you are wanting to have it set up for non-interactive periodic remediation, etc, and don’t want to have your password somewhere to feed to ssh-add if your key was locked.