Hi folks. I want to run Ansible unattended via cron on a utility server in a datacenter. It’s been a while since I’ve set one up and I was wondering if the best practices have changed.
My initial thought is to set up a user on all the remote boxes with sudo nopassword + a passwordless ssh key that my cron job on the utility box can use. That’s a little scary, but nothing else I can think of is any less scary.
I could have the ssh key live in a running ssh-agent on the utility box and have to unlock it each time the utility box reboots, but that adds the risk of not unlocking it at a crucial time.
Ansible-pull seems less scary, but the vulnerability is basically the same: If someone gets write access to the repo, they can do anything.
I guess I’m building a thing that controls all the things, so scary is part of the deal.
Anyway, what I really want to know is, have there been any changes in how this gets approached in the last 10 years?
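The worry in the post above is that a passwordless key used by cron is only as safe as the box holding it. One compensating control is to watch for that key being used in any way the cron job would not: from a host other than the utility server, with a different fingerprint, or outside the cron window. The following is an added example, not from the original thread or the Ansible project; the automation user `ansible`, the utility server address `10.20.0.5`, the fingerprints and the log lines are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sshd log lines in auth.log style; not taken from the thread.
SAMPLE_LOG = """\
Jun 03 02:00:01 web01 sshd[4121]: Accepted publickey for ansible from 10.20.0.5 port 51122 ssh2: ED25519 SHA256:AAAA
Jun 03 02:00:03 db01 sshd[982]: Accepted publickey for ansible from 10.20.0.5 port 51130 ssh2: ED25519 SHA256:AAAA
Jun 03 14:37:09 db01 sshd[1203]: Accepted publickey for ansible from 203.0.113.44 port 40022 ssh2: ED25519 SHA256:AAAA
Jun 03 02:00:05 web02 sshd[3310]: Accepted publickey for ansible from 10.20.0.5 port 51140 ssh2: ED25519 SHA256:BBBB
"""

# Matches the standard OpenSSH "Accepted publickey" line and captures the fields we check.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>\S+)$"
)


def find_suspicious_logins(log_text, automation_user, allowed_src, allowed_fp, window=(1, 3)):
    """Return (host, reason) for each automation-user login that breaks the expected pattern.

    Expected pattern (assumed for this example): the source is the utility server,
    the key fingerprint is the cron key, and the login falls inside the cron window,
    given as an hour range [start, end).
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != automation_user:
            continue  # other users or non-login lines are out of scope here
        reasons = []
        if m["src"] != allowed_src:
            reasons.append(f"unexpected source {m['src']}")
        if m["fp"] != allowed_fp:
            reasons.append(f"unexpected key {m['fp']}")
        hour = datetime.strptime(m["ts"], "%b %d %H:%M:%S").hour
        if not (window[0] <= hour < window[1]):
            reasons.append(f"outside cron window at {m['ts'][7:]}")
        if reasons:
            findings.append((m["host"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, reason in find_suspicious_logins(SAMPLE_LOG, "ansible", "10.20.0.5", "SHA256:AAAA"):
        print(f"{host}: {reason}")
```

Pairing this with `from=` and `restrict` options on the automation key's `authorized_keys` entry turns the same expectation into an enforcement rule on the remote boxes, while the log check still catches attempts that were refused or came from an unexpected key.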
We use ansible-pull in our cloudinit. So every new server gets initialized.
Use git tags, protected branches and merge request reviews … 100% security is not reachable.
Might be more prudent to buy into AWX when they’ve settled on how the new architecture is going to look. I don’t know if there’s a timeline for when that may be. It may have been discussed at RedHat summit, but I did not attend.
I did attend the RH Summit and spoke with some folks on the Ansible team about AWX. From what I gather they are still working on some of the repos that are going to be required to run AWX.
Even after all the repos are completed, deploying AWX will require considerable work to put all the repos together to deploy AWX with the new architecture.
In addition, if a CVE is released we will need to recompile the repos to redeploy AWX.