Hello David,

I am using push right now exclusively and thought about ansible-pull as
well.

My idea was to tag all tasks which need passwords/secret keys and only run
them only in push mode. Most (of my) tasks do not secrets.

Regards
Mirko
-- 
Sent from my mobile
Am 04.06.2015 22:34 schrieb "David Reagan" <[email protected]>:

> ansible-pull checks out your entire project repository, then runs
> whichever playbook you tell it to. That repo is basically a map to your
> entire infrastructure.
>
> So, how do you ensure a compromised server doesn't reveal all that
> information to an attacker? (With the assumption that the attacker has root
> access, and that a single rooted server doesn't mean your entire
> infrastructure is rooted.)
>
> ansible-pull can purge the repo after it runs, but that doesn't stop an
> attacker from running ansible-pull with that option turned off in order to
> get a copy of the whole repo. Or just read the repo the next time
> ansible-pull is running.
>
> If you use ansible-vault, then your vault password is either in the cron
> job, or in a file on the server that the attacker has access to, and knows
> the location of.
>
> So far, all I can think of to mitigate these issues, is a repo per server,
> and a vault password per repo.... Which kinda destroys most of why people
> use configuration management.
>
> Am I just not thinking of it in the right way, or maybe misunderstanding
> how something works?
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAK8jvqyPiBz2uotHmn_u86H7MtQJRM0aBLYCvh0%2BdjhBbXkrcA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to