I'm really starting to get Ansible now that I'm looking at it from the perspective of setting up an entire server from scratch and keeping it the way I want it. So I'm about to set up my first major deployment, and am twitchy about a few things.
I assume that the local connection type needs a passwordless SSH key? How do you go about providing this for ansible-pull scenarios?
Same for things like app database credentials and such. I'm thinking of putting them in host_vars.
I don't want those things in the repository because if that ever gets compromised, then all of my systems are at risk. I also don't want every system knowing the credentials of every other.
I was thinking of having a keys directory that doesn't get versioned, and a setup task that adds SSH keys from that. I was also thinking of not versioning host_vars either, and copying the vars for an individual host to that host.
Do plays know what host they're running on so I can copy the correct host_vars file? I know about facts, but it's possible that the plays haven't set the correct hostname yet, so they probably can't be trusted here.
And is this a bad/broken approach? I'm shifting my perspective on Ansible away from "something that performs one-off complex tasks" to "something that sets up a system and keeps it that way," and am discovering lots of flaws in my understanding.
Thanks.
> I assume that the local connection type needs a passwordless SSH key? How do you go about providing this for ansible-pull scenarios?

No, the local connection type doesn't use SSH at all. It runs from your user account.
> Same for things like app database credentials and such. I'm thinking of putting them in host_vars.

vars_files can also be good.

group_vars may be a better fit than host_vars anyway if it's a particular group of machines.
> I don't want those things in the repository because if that ever gets compromised, then all of my systems are at risk. I also don't want every system knowing the credentials of every other.

Agreed on the first part for sure. Second? Hmm, somewhat. Only because you are using pull.

First you should decide if you really need pull.

The other machines won't be sent any info from the others in the default usage model.

Fireball mode *mostly* eliminates the need for pull except at very large scale and has made it obsolete in many cases.
> Do plays know what host they're running on so I can copy the correct host_vars file? I know about facts, but it's possible that the plays haven't set the correct hostname yet, so they probably can't be trusted here.

> And is this a bad/broken approach? I'm shifting my perspective on Ansible away from "something that performs one-off complex tasks" to "something that sets up a system and keeps it that way," and am discovering lots of flaws in my understanding.

You can just rerun ansible periodically from the central server if you want to.
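The central-server model above hinges on the credentials file never leaving the controller and never being readable by anyone but the user who runs Ansible. The following wrapper is an added example, not code from this thread or from the Ansible project: it checks that the unversioned secrets file for a play is a regular file, owned by the invoking user, with no group or world permission bits, and only then runs ansible-playbook. The directory layout (`/etc/ansible/secrets/<play>.yml`, loaded by the play through `vars_files`) and the inventory path are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): push a play from the central server
# only when its secrets file is locked down. Paths below are assumptions.
set -eu

ANSIBLE_DIR=${ANSIBLE_DIR:-/etc/ansible}

# Return 0 when $1 is a regular file, owned by the current user, and has
# no group/other permission bits (mode 0600, 0400, 0700 ... or 0).
secret_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat uses -c, BSD/macOS stat uses -f; try GNU first.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -un)" ] || return 1
    # The last two octal digits are the group and other bits; both must be zero.
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run one play. The play itself is assumed to pull its credentials in with
#   vars_files:
#     - /etc/ansible/secrets/<play>.yml
# so the only thing this wrapper has to enforce is that the file is private.
run_play() {
    play=$1
    secrets="$ANSIBLE_DIR/secrets/$play.yml"
    if ! secret_file_is_private "$secrets"; then
        echo "refusing to run $play: $secrets must be a regular file owned by $(id -un) with mode 0600" >&2
        return 1
    fi
    ansible-playbook -i "$ANSIBLE_DIR/hosts" "$ANSIBLE_DIR/$play.yml"
}

# Usage: ./push.sh site   (runs /etc/ansible/site.yml from cron or by hand)
if [ -n "${1:-}" ]; then
    run_play "$1"
fi
```

Because the check is on the controller, it catches the common mistake of a secrets file created with the default umask (0644) before anything is pushed, and it does not care what the managed hosts know, since in the push model they are only ever sent the variables the play uses.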
Ah, and another piece falls into place. So my central server manages everything, and as long as I can lock down the /etc/ansible directory tight, I can keep credentials in one place.
Is it safe in this instance to set up a passwordless SSH key and add it to the root account on any servers I manage, and just keep a copy in the locked-down /etc/ansible/keys? I probably wouldn't commit that to the repository, just keep it on the central server.
Also, you can set ansible-pull to get a host-specific URL/repo so you don't need to expose all info across hosts.
I see no reason to use a passwordless SSH key. As long as you unlock your key, e.g. using ssh-agent, before running ansible, you're fine.

For unattended sessions (e.g. cron) you can set up keychain (http://www.funtoo.org/wiki/Keychain).
Serge
> Is it safe in this instance to set up a passwordless SSH key

> I see no reason to use a passwordless SSH key. As long as you unlock your key, e.g. using ssh-agent, before running ansible, you're fine.

> For unattended sessions (e.g. cron) you can set up keychain (http://www.funtoo.org/wiki/Keychain).

Yep.
BTW, some people were discussing a technical FAQ page on IRC.
Keychain should definitely be on it.
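Putting the two pull-side suggestions in this thread together (a per-host repository URL for ansible-pull, and keychain instead of a passwordless key for the cron job), the wrapper below is an added example and not code from the thread, from Ansible or from keychain. It loads the agent environment keychain leaves in `~/.keychain/<hostname>-sh`, refuses to run when no unlocked identity is in the agent (the state every host is in right after a reboot until someone runs keychain interactively), and derives the repository from the short hostname. The git server, the `ansible/<host>.git` layout and the checkout directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): cron wrapper for ansible-pull that
# uses a keychain-managed ssh-agent and a per-host repository.
# Git host, repo layout, checkout dir and keychain file name are assumptions.
set -eu

GIT_HOST=${GIT_HOST:-git@git.example.com}
CHECKOUT=${CHECKOUT:-/var/lib/ansible-pull}

# Map a hostname to its own repo, e.g. "Web-01.example.com" ->
# git@git.example.com:ansible/web-01.git, so a compromised box can only
# fetch its own variables, not everyone else's.
pull_repo_url() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z')
    printf '%s:ansible/%s.git\n' "$GIT_HOST" "$short"
}

# keychain (assumed) writes the agent's SSH_AUTH_SOCK/SSH_AGENT_PID into
# ~/.keychain/<hostname>-sh once a human has unlocked the key after boot.
load_keychain_env() {
    f="$HOME/.keychain/$(uname -n)-sh"
    [ -r "$f" ] || return 1
    . "$f"
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
}

# ssh-add -l exits 0 only when the agent is reachable and holds at least
# one identity; 1 means an empty agent, 2 means no agent at all.
agent_has_identity() {
    ssh-add -l >/dev/null 2>&1
}

run_pull() {
    host=$(uname -n)
    if ! load_keychain_env || ! agent_has_identity; then
        echo "ansible-pull: no unlocked deploy key in the agent; skipping this run" >&2
        return 1
    fi
    ansible-pull -d "$CHECKOUT" -U "$(pull_repo_url "$host")" local.yml
}

# Cron entry (assumed): */30 * * * * /usr/local/sbin/pull.sh run
if [ "${1:-}" = run ]; then
    run_pull
fi
```

The trade-off is explicit: until someone unlocks the key after a reboot, the host simply skips its runs and logs why, instead of holding an unencrypted key on disk that would let anyone who reads it clone the repository.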