Hi all,
I need some advice on how to include sensitive data into config files. We
are using cfengine2 and bcfg2 (and are testing salt and ansible at the
moment as -possible- replacement for cf/bcfg) and for both tools we have
recipes to include e.g. password files into not-so-secret files (on the
client). In ansible I tried the same with this simple example:
Yeah, it's a crowded space
bcfg2/Argon guys are decent folks, hung out some with one of them at
USENIX. If you are looking at the last one, be VERY sure you are
comfortable with the crypto layer.
I think it's on the wrong path for numerous reasons but do not really
want to turn my list into a list for discussing other config tools.
Ansible is different in lots of ways from all of these -- focused on
/real/ orchestration, very strong for multi-tier app deployment (but
also OS config obviously), no agents, no server, no required database,
no additional ports, extensible in any language, and it's *actually*
data driven and parseable (not only is there no DSL, conditionals
aren't just templates). Etc.
ansible_hosts:
---
[testhosts]
test ansible_ssh_host=127.0.0.1

playbook:
---
- hosts: testhosts
  user: root
  vars_files:
    - /tmp/pwd0
  vars:
    mypwd: $FILE(/tmp/pwd1)
  tasks:
    - name: include sensitive data
      template: src=sensitive.conf.j2 dest=/tmp/sensitive.conf owner=root group=root mode=0400

template:
---
from pwd0: {{ moresecret.pwd }}
from vars_files/pwd1: {{ mypwd[0] }}

and the data pwd0 (root.root/0640):
---
moresecret: {pwd: 'blablub', otherkey: 'something'}

and pwd1 (root.root/0640):
---
tralala

Now playing this book on the local host (with sudo) leads to:

ansible-playbook -i ~/WORKING/ansible/.ansible_hosts -c local -l test -s -K ~/WORKING/ansible/nae/test/testpwd.yml -v
sudo password:
ERROR: file not found: /tmp/pwd0
Templates are evaluated *completely* on the management machine side,
so the file you have referenced in /tmp is never exposed to the remote
side.
Sudo happens *only* on the remote side too. So the user you are
running ansible as *must* have access to read that file. This is by
design and is actually
more secure that way. You don't need a server running as root, etc.
Assuming what you want is to not keep passwords in git (or to have a git
repo which is configured more strictly), the way to do it is to reference
a vars_files file that is outside of your git repository, such as

vars_files:
  - /opt/secret/passwords.yml

etc.
This is pretty much borrowed from the Puppet strategy. Of course you can
use $FILE(/whatever/path) as well, though you may also want to
keep other settings outside of version control.
Hope that helps and is more of what you are looking for!
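The approach described in the reply, written out as an added example (this is not code from either poster): the play reads its secret values from a vars_files file that lives outside the git checkout, and the template task writes the rendered result as a root-only file. Everything referenced here sits on the management machine, which is where vars_files and templates are read, so the file must be readable by the user that runs ansible-playbook, not by the remote root. The path /opt/secret/passwords.yml comes from the reply; the file contents, the template contents and the stat-based permission guard are assumptions added for illustration.

```yaml
# Added example, not code from the thread.
#
# Assumed layout on the management machine (the host running
# ansible-playbook), since vars_files and templates are read there:
#
#   /opt/secret/passwords.yml    (constructed sample; outside the repo,
#                                 mode 0600, owned by the user running
#                                 ansible-playbook, NOT by remote root)
#   ---
#   moresecret:
#     pwd: 'blablub'
#     otherkey: 'something'
#
#   templates/sensitive.conf.j2  (in the repo; holds no secret values)
#   from vars_files: {{ moresecret.pwd }}
#
---
- hosts: testhosts
  user: root
  vars_files:
    - /opt/secret/passwords.yml        # outside the git checkout

  tasks:
    # Hypothetical guard: stat the secrets file where it is actually read
    # (locally) and refuse to continue if group or others can read it.
    # The stat module reports the mode as an octal string such as "0600".
    - name: stat the secrets file on the management machine
      local_action: stat path=/opt/secret/passwords.yml
      register: secret_stat

    - name: abort if the secrets file is readable by anyone but its owner
      fail: msg="/opt/secret/passwords.yml must be mode 0600 (found {{ secret_stat.stat.mode }})"
      when: secret_stat.stat.mode != "0600"

    # The rendered file is the only place the value lands on the remote
    # host, and it is created root-only in one step (no world-readable
    # intermediate).
    - name: render the config with the secret from the out-of-repo vars file
      template: src=sensitive.conf.j2 dest=/tmp/sensitive.conf owner=root group=root mode=0400
```

Run it the same way as the original (ansible-playbook -i ... -s -K playbook.yml), but as a local user that can read /opt/secret/passwords.yml: the -s sudo only applies on the remote side, so it does not help with reading the vars file on the management machine, which is exactly why the original /tmp/pwd0 run failed.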