Many thanks Michael for the detailed writeup! I'm going to experiment with my setup (quite similar to yours - multiple jumpboxes in multiple locations, some AWS usage as well) to see how much of your approach I can adapt to mine.
On Sunday, February 15, 2015 at 6:14:54 PM UTC-6, Michael Spiegle wrote:
> About half of my machines are in Amazon/EC2. In order to solve the chicken/egg problem, I write out a "user_data" script which installs some SSH keys for me to the root user of the VM upon first boot. This allows me to run my initial bootstrap and get the machine joined to the domain, then I can optionally remove the root keys. This is all done with Ansible.
>
> On Saturday, February 14, 2015 at 11:10:11 AM UTC-5, Ananda Debnath wrote:
>> Thanks for looking.
>>
>> There are too many current processes dependent on passwords that I'm migrating to Ansible - while converting to keys is partly underway, it won't be complete for a while.
>>
>> There's also a second bootstrapping problem. I'm using Ansible to run baremetal bringup scripts on xen hosts (doing double duty as the jumpbox/bastion host above) which in turn creates the VMs from an image. I cannot bake keys into the image and need to get them on there after they boot up. Hence - a chicken and egg problem. How would I get the keys onto the VMs? Xen hosts have numerous problems running Ansible scripts directly because they run an old version of Python - so I don't think I can call the authorized_key module on the host and have it inject them into the VMs. The action would need to be triggered outside in a machine/vm that supports Ansible - which in turn would need to tunnel into the VMs to do just this - hence chicken and egg.
>>
>> Ultimately, the key pairs would be created and injected into the images instead of the passwords we do today - but as I mention above, this won't be for a while.
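As an added example, not Michael's script or anything from the Ansible project, here is the shape of a first-boot user_data step that drops a temporary bootstrap key into root's authorized_keys with the permissions sshd insists on, restricted so it only works from the jumpbox, together with the "optionally remove the root keys" step for after the host has joined the domain. The key, the jumpbox address and the TARGET_HOME override are constructed placeholders.

```shell
#!/bin/sh
# Added example: install and later remove a bootstrap SSH key for root.
# Assumptions: BOOTSTRAP_KEY is a constructed placeholder public key,
# JUMPBOX_IP is the bastion allowed to use it (TEST-NET-3 address),
# TARGET_HOME defaults to /root and is overridable for testing.
set -eu

BOOTSTRAP_KEY="${BOOTSTRAP_KEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA ansible-bootstrap}"
JUMPBOX_IP="${JUMPBOX_IP:-203.0.113.10}"
TARGET_HOME="${TARGET_HOME:-/root}"

# Create ~/.ssh (0700) and authorized_keys (0600) if missing, then append
# the key once, with a from= restriction and forwarding disabled so the
# temporary key is usable only from the jumpbox and cannot be used to
# pivot. Safe to run repeatedly (cloud-init may re-run user_data).
install_bootstrap_key() {
    ssh_dir="$TARGET_HOME/.ssh"
    auth="$ssh_dir/authorized_keys"
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth" )
    chmod 0700 "$ssh_dir"
    chmod 0600 "$auth"
    line="from=\"$JUMPBOX_IP\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding $BOOTSTRAP_KEY"
    if ! grep -qxF -- "$line" "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
}

# The cleanup step after bootstrap: drop only the line carrying the
# bootstrap key comment, leaving any other root keys untouched.
remove_bootstrap_key() {
    auth="$TARGET_HOME/.ssh/authorized_keys"
    [ -f "$auth" ] || return 0
    tmp="$auth.tmp.$$"
    grep -vF -- "ansible-bootstrap" "$auth" > "$tmp" || true
    mv "$tmp" "$auth"
    chmod 0600 "$auth"
}

# Exit status 0 when the bootstrap entry is still present; useful as a
# post-bootstrap audit check that the temporary key really went away.
has_bootstrap_key() {
    grep -qF -- "ansible-bootstrap" "$TARGET_HOME/.ssh/authorized_keys" 2>/dev/null
}
```

Run install_bootstrap_key from user_data on first boot and remove_bootstrap_key as the last play of the bootstrap once the host is joined to the domain and the domain keys work.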
