I have adopted an approach of having a separate bootstrap phase which sets up SSH on a non-standard port, adds core accounts, performs some other tasks, and finally reboots the compute instance.
I am using this with Digital Ocean. When I create a compute instance they send me an email with the IP address and root password.
My current approach is not scalable, as I can only run the bootstrap for a single compute instance at a time. As you can see from the script file, I have "--ask-pass", which requires me to enter the provided root password at run time.
Is it possible to have a hosts file with the following:
[bootstrap]
107.170.2.181 hostname=memsql01 password=llfdkjsd9837
124.221.33.181 hostname=memsql02 password=99irekfiewl
and have the provided password used for the paramiko connection during this phase?
Thank you...
-- Randy
...... Files Below .....
ansible_ssh_pass can be set, but this leaves the password plaintext in your inventory file, which is not something you’d want to do.
If you can do something around your customer’s pub keys and maybe also adding your own, that would be better.
–Michael
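One way to catch the plaintext-password problem described in the reply above before an inventory is committed, as an added example that is not part of the original thread: a small Python check over an INI inventory. Apart from ansible_ssh_pass and the bare password key from the question, the variable names matched, the function name and the sample inventory are assumptions constructed for illustration.

```python
import re
import shlex

# ansible_ssh_pass is the variable named in the thread; the other names are
# assumptions about what else should be flagged ("password" is from the question).
SECRET_VAR = re.compile(
    r"^(ansible_(ssh_)?pass(word)?|ansible_(sudo|become)_pass(word)?|pass(word)?)$",
    re.IGNORECASE,
)

def find_plaintext_secrets(inventory_text):
    """Return (line_no, section, host, var) for every literal secret in an INI inventory."""
    findings, section = [], None
    for line_no, raw in enumerate(inventory_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section and section.endswith(":vars"):
            # Group variable sections hold one "key = value" per line, no host.
            host, pairs = None, [line]
        else:
            try:
                tokens = shlex.split(line, comments=True)
            except ValueError:  # unbalanced quote: fall back to whitespace split
                tokens = line.split()
            host, pairs = tokens[0], tokens[1:]
        for pair in pairs:
            key, sep, value = pair.partition("=")
            value = value.strip().strip("\"'")
            # A Jinja reference (e.g. to a vaulted variable) is not a literal secret.
            if sep and SECRET_VAR.match(key.strip()) and not value.startswith("{{"):
                findings.append((line_no, section, host, key.strip()))
    return findings

# Constructed sample inventory (documentation addresses, made-up values).
SAMPLE = """\
[bootstrap]
192.0.2.10 hostname=db01 ansible_ssh_pass=example-pass-1
192.0.2.11 hostname=db02 password=example-pass-2
192.0.2.12 hostname=db03 ansible_ssh_private_key_file=~/.ssh/bootstrap_key

[bootstrap:vars]
ansible_ssh_pass = "{{ vault_bootstrap_pass }}"
ansible_sudo_pass = example-pass-3
"""

if __name__ == "__main__":
    for line_no, section, host, var in find_plaintext_secrets(SAMPLE):
        print(f"line {line_no}: [{section}] {host or '(group vars)'} sets {var} in plaintext")
```

Run as a pre-commit or CI step, a non-empty result is the signal to move the host to key-based login or to a vaulted variable.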
Hi Randy,
You may want to use a layer like Vagrant to simplify this initial setup. I use the vagrant-digitalocean plugin which interacts with the DO API to create droplets and returns IP info for the droplets (even sets up private(ish) IPs) - you can then run Ansible from within or outside Vagrant and ideally interact with something to track the IPs/hosts (HostDB maybe, or just a bastion host). You also get the side effect of being able to provision the same config against VBox, VMware from the same interface for testing/offline dev purposes.
Hi,
DigitalOcean supports authorizing by SSH keys.
Using those is more secure and easier than using passwords, so you’d better try that instead unless you have good reasons for using passwords.
Regards,
Timur
There is already a digital ocean provisioning module in core BTW.
– Michael
Timur,
I did not realize this. I set up SSH keys during the initial configuration but I didn’t think about having them set up during the Digital Ocean provisioning process. I’ll check that out.
Thanks – Randy
Timur Batyrshin wrote:
Steve,
Thanks - very interesting idea. I’ll check this out.
Randy
Steve Pereira wrote:
I wouldn’t.
Just use the DO module, and then you can also look at using the inventory plugin as well.