Hello David, I am using push right now exclusively and thought about ansible-pull as well.
My idea was to tag all tasks which need passwords/secret keys and only run them only in push mode. Most (of my) tasks do not secrets. Regards Mirko -- Sent from my mobile Am 04.06.2015 22:34 schrieb "David Reagan" <[email protected]>: > ansible-pull checks out your entire project repository, then runs > whichever playbook you tell it to. That repo is basically a map to your > entire infrastructure. > > So, how do you ensure a compromised server doesn't reveal all that > information to an attacker? (With the assumption that the attacker has root > access, and that a single rooted server doesn't mean your entire > infrastructure is rooted.) > > ansible-pull can purge the repo after it runs, but that doesn't stop an > attacker from running ansible-pull with that option turned off in order to > get a copy of the whole repo. Or just read the repo the next time > ansible-pull is running. > > If you use ansible-vault, then your vault password is either in the cron > job, or in a file on the server that the attacker has access to, and knows > the location of. > > So far, all I can think of to mitigate these issues, is a repo per server, > and a vault password per repo.... Which kinda destroys most of why people > use configuration management. > > Am I just not thinking of it in the right way, or maybe misunderstanding > how something works? > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com > <https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAK8jvqyPiBz2uotHmn_u86H7MtQJRM0aBLYCvh0%2BdjhBbXkrcA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
