About half of my machines are in Amazon/EC2.  In order to solve the 
chicken/egg problem, I write out a "user_data" script which installs some 
SSH keys for me to the root user of the VM upon first boot.  This allows me 
to run my initial bootstrap and get the machine joined to the domain, then 
I can optionally remove the root keys.  This is all done with Ansible.


On Saturday, February 14, 2015 at 11:10:11 AM UTC-5, Ananda Debnath wrote:
>
> Thanks for looking.
>
> There are too many current processes dependent on passwords that I'm 
> migrating to Ansible - while converting to keys is partly underway, it 
> won't be complete for a while.
>
> There's also a second bootstrapping problem. I'm using Ansible to run 
> baremetal bringup scripts on xen hosts (doing double duty as the 
> jumpbox/bastion host above) which in turn creates the VMs from an image. I 
> cannot bake keys into the image and need to get them on there after they 
> boot up. Hence - a chicken and egg problem. How would I get the keys onto 
> the VMs? Xen hosts have numerous problems running Ansible scripts directly 
> because they run an old version of Python - so I don't think I can call the 
> authorized_key module on the host and have it inject them into the VMs. The 
> action would need to be triggered outside in a machine/vm that supports 
> Ansible - which in turn would need to tunnel into the VMs to do just this - 
> hence chicken and egg.
>
> Ultimately, the key pairs would be created and injected into the images 
> instead of the passwords we do today - but as I mention above, this won't 
> be for a while.
>
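
The first-boot key installation described in the reply at the top of this message, sketched as an added example (not code from the thread or from Ansible). The key, the function names and the `BOOTSTRAP_APPLY` guard are constructed assumptions; the guard lets the file be sourced for testing without touching `/root`.

```shell
#!/bin/sh
# Added example: user_data-style script that installs a temporary bootstrap
# key for root on first boot and can remove it after the domain join.
set -eu

# Constructed placeholder; substitute the real bootstrap public key.
BOOTSTRAP_KEY='ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_KEY ansible-bootstrap'

# install_key DIR KEY: append KEY to DIR/authorized_keys exactly once.
install_key() {
    dir=$1 key=$2
    umask 077                       # anything created below is owner-only
    mkdir -p "$dir"
    chmod 700 "$dir"                # sshd StrictModes refuses group/world-writable paths
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # -x whole line, -F fixed string: a re-run does not duplicate the key
    grep -qxF -- "$key" "$dir/authorized_keys" ||
        printf '%s\n' "$key" >> "$dir/authorized_keys"
}

# remove_key DIR KEY: drop KEY once bootstrap is done, keeping other keys.
remove_key() {
    dir=$1 key=$2
    file="$dir/authorized_keys"
    [ -f "$file" ] || return 0
    tmp=$(mktemp "$dir/.ak.XXXXXX")
    grep -vxF -- "$key" "$file" > "$tmp" || true   # grep exits 1 when no lines remain
    chmod 600 "$tmp"
    mv "$tmp" "$file"               # rename within the same directory
}

# count_key DIR KEY: number of exact occurrences of KEY (for verification).
count_key() {
    grep -cxF -- "$2" "$1/authorized_keys" || true
}

# Set BOOTSTRAP_APPLY=1 in the copy passed as user_data.
if [ "${BOOTSTRAP_APPLY:-0}" = 1 ]; then
    install_key /root/.ssh "$BOOTSTRAP_KEY"
fi
```

Calling `remove_key /root/.ssh "$BOOTSTRAP_KEY"` after the machine has joined the domain corresponds to the optional cleanup step mentioned in the reply.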
