Hello David, yes, sorry. I have all my secrets in a different directory/repository, my playbooks and roles are completely clean of secrets.
You may of course deduce the general structure and machine names and maybe even the topology.

Regards
Mirko
--
Sent from my mobile

On 05.06.2015 17:22, "David Reagan" <[email protected]> wrote:
> So, two repos? One with passwords in it, another without?
>
> --David Reagan
>
> On Thu, Jun 4, 2015 at 11:47 PM, Mirko Friedenhagen <[email protected]> wrote:
>
>> Hello David,
>>
>> I am using push right now exclusively and thought about ansible-pull as well.
>>
>> My idea was to tag all tasks which need passwords/secret keys and only run them in push mode. Most (of my) tasks do not need secrets.
>>
>> Regards
>> Mirko
>> --
>> Sent from my mobile
>>
>> On 04.06.2015 22:34, "David Reagan" <[email protected]> wrote:
>>
>>> ansible-pull checks out your entire project repository, then runs whichever playbook you tell it to. That repo is basically a map to your entire infrastructure.
>>>
>>> So, how do you ensure a compromised server doesn't reveal all that information to an attacker? (With the assumption that the attacker has root access, and that a single rooted server doesn't mean your entire infrastructure is rooted.)
>>>
>>> ansible-pull can purge the repo after it runs, but that doesn't stop an attacker from running ansible-pull with that option turned off in order to get a copy of the whole repo. Or just read the repo the next time ansible-pull is running.
>>>
>>> If you use ansible-vault, then your vault password is either in the cron job, or in a file on the server that the attacker has access to, and knows the location of.
>>>
>>> So far, all I can think of to mitigate these issues is a repo per server, and a vault password per repo.... Which kinda destroys most of why people use configuration management.
>>>
>>> Am I just not thinking of it in the right way, or maybe misunderstanding how something works?
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
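The approach discussed in the thread (keep secrets out of the repository that ansible-pull checks out, tag every task that needs a secret, and run only those tasks in push mode) depends on nobody forgetting the tag. The following lint, an added example that is neither from this thread nor part of Ansible, enforces that convention over a playbook: any task that references a vault variable (assumed here to follow a `vault_` name prefix) or an inline `!vault` value must carry the `secrets` tag, otherwise a pull-mode run with `--skip-tags secrets` would still need the vault password. The playbook text, the `vault_` prefix and the `secrets` tag name are constructed assumptions; the parser is deliberately line-based so it runs without a YAML library.

```python
import re

# Constructed sample playbook (not from the thread). Tasks that touch secrets
# are expected to carry the "secrets" tag so that a pull-mode run with
# `ansible-pull ... --skip-tags secrets` never needs the vault password.
SAMPLE_PLAYBOOK = """\
- hosts: webservers
  tasks:
    - name: install nginx
      apt:
        name: nginx
        state: present

    - name: deploy db credentials
      template:
        src: db.conf.j2
        dest: /etc/app/db.conf
      vars:
        db_password: "{{ vault_db_password }}"
      tags: [secrets]

    - name: write api token
      copy:
        content: "{{ vault_api_token }}"
        dest: /etc/app/token

    - name: configure tls key
      copy:
        content: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          6162636465...
        dest: /etc/ssl/private/app.key
      tags:
        - tls
        - secrets
"""

TASK_START = re.compile(r"^(\s*)- name:\s*(.+?)\s*$")
# Assumed convention: vault-stored variables are prefixed "vault_";
# "!vault" marks an inline encrypted value.
SECRET_REF = re.compile(r"\{\{\s*vault_\w+|!vault\b")
TAG_LINE = re.compile(r"^\s*tags:\s*(.*)$")
TAG_ITEM = re.compile(r"^\s*-\s*(\S+)\s*$")


def split_tasks(text):
    """Split a playbook into (name, lines) tuples at each '- name:' marker.
    Line-based on purpose: no YAML library needed, good enough for a lint."""
    tasks, current = [], None
    for line in text.splitlines():
        m = TASK_START.match(line)
        if m:
            current = (m.group(2), [])
            tasks.append(current)
        elif current is not None:
            current[1].append(line)
    return tasks


def task_tags(lines):
    """Collect tags written either inline (tags: [a, b]) or as a block list."""
    tags = set()
    for i, line in enumerate(lines):
        m = TAG_LINE.match(line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            tags.update(t.strip() for t in inline.strip("[]").split(",") if t.strip())
        else:
            for nxt in lines[i + 1:]:
                item = TAG_ITEM.match(nxt)
                if not item:
                    break
                tags.add(item.group(1))
    return tags


def find_untagged_secret_tasks(text, secret_tag="secrets"):
    """Return names of tasks that reference a secret but lack the secret tag."""
    offenders = []
    for name, lines in split_tasks(text):
        uses_secret = any(SECRET_REF.search(l) for l in lines)
        if uses_secret and secret_tag not in task_tags(lines):
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    bad = find_untagged_secret_tasks(SAMPLE_PLAYBOOK)
    for name in bad:
        print(f"task '{name}' uses a secret but is not tagged 'secrets'")
    raise SystemExit(1 if bad else 0)
```

Run it as a pre-commit or CI check on the repository that the pull clients fetch; a non-zero exit means a task would drag a secret into pull mode. With the convention enforced, the cron job on each host can run `ansible-pull ... --skip-tags secrets` without any vault password on the box, and the secret-bearing tasks are applied from the controller with `ansible-playbook ... --tags secrets`. The lint complements, rather than replaces, keeping the secrets in a separate repository: it catches a task that references a secret, not a secret that was committed to the wrong place.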
