On Sat, 2 Sep 2017, at 06:17, manne shiva kumar wrote:
> Hi Kiran,
>
> Am having the same issue.. could you please help me in resolving this..
>
> On Thursday, February 4, 2016 at 3:02:04 PM UTC+5:30, Javier Palacios wrote:
> >
> > With the setup you describe, you have basically two jenkins-aware options.
> >
> > One, which is closer to what you are currently making, is to give ssh permission from jenkins to ansible servers. In that case you will also need one of the plugins that allows Jenkins to execute ssh commands in a different node (ssh-plugin or similar one) and use it instead of the standard shell command box, _but_ the remote node has no access to whatever lives at the jenkins server, and will only access whatever exists at the ansible server unless you explicitly copy it (it's just ssh after all).
> >
> > The second approach, which is the one that will probably behave as you expect, is to make the ansible server a Jenkins slave, and configure all ansible jobs to be executed in that slave with the standard shell command box. You can drop the ssh stuff and run the slave as a user capable of running ansible, but the security implications are not actually higher than giving ssh access (except maybe firewall ports). In this setup the workspace lives at the ansible (slave) server, but it is transparent to you because everything else is stored at the jenkins (master) server.
I've just dealt with this last week. With the caveat that every time I use Jenkins I feel like I've been assaulted by aliens, here's the only solution I found that actually worked:

- the jenkins slave has a passwordless ssh key provided to it that *only* enables ssh to the ansible box. It cannot be used elsewhere in the infrastructure. The key lives in $HOME of the jenkins user - $HOME/.ssh/id_ed25519 (or id_rsa, whatever key you use) as putting the private key directly into the Jenkins config did not work.

# generate the key on the jenkins slave (-N '' makes it passwordless, -C sets the key comment)
ssh-keygen -o -t ed25519 -N '' -f /home/jenkins/.ssh/id_ed25519 -C "[email protected]"

- the ansible server has an authorized_keys file that restricts the above key to run a pre-selected command and 1 parameter

# /home/ansible/.ssh/authorized_keys
# the client's requested command is passed as a single quoted argument so it is not word-split or globbed
command="/home/ansible/src/ansible/jenkins.sh \"$SSH_ORIGINAL_COMMAND\"",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 <pubkey> [email protected]

- the jenkins job calls ssh and passes in 1 parameter which will be provided to ansible

// Jenkinsfile
stage('Deploy') {
    steps {
        echo 'Deploy step ...'
        script {
            switch (env.BRANCH_NAME) {
                case "master":
                    sh 'ssh [email protected] production'
                    break   // without break, Groovy falls through into the next case
                case "develop":
                    sh 'ssh [email protected] development'   // must match a case label in jenkins.sh
                    break
                default:
                    echo "... ignored in this branch"
            }
        }
    }
}

- this is the script spawned by ssh

#!/bin/sh -xe
# /home/ansible/src/ansible/jenkins.sh
# restricted command for ssh to run ansible via make targets
cd /home/ansible/src/ansible
case "$1" in
    production)  make production ;;
    development) make development ;;
    *) echo "jenkins.sh: unknown target '$1'" >&2; exit 1 ;;
esac

- there is a Makefile in the root of the ansible dir that picks up the parameter and uses it as a makefile target

# /home/ansible/src/ansible/Makefile
# recipe lines are indented with a tab
clean::
	@git reset --hard
	@git clean -fdx
	@git pull --ff-only

production:: clean
	ansible-playbook app.yml --limit prod,lb --diff

There are also ssh_config and ansible.cfg files that specify ports, the private key to use, and a few other useful parameters.
There are a few things you can do to tighten security, making sure that there is no way for jenkins to do anything other than ssh in and run make.

- make jenkins.sh immutable
- move the authorized_keys file to somewhere like /etc/ssh/ to ensure the command cannot be trimmed
- find a better way to handle the ansible-side ssh key. I use HashiCorp's Vault here to handle that but that's a story for another day
- get the jenkins HashiCorp plugin to work, it doesn't for me

I'd really like to tell ansible to display output in ANSI colour even though it's running as a background task.

A+
Dave

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1504858410.1110773.1099270560.3DDD52E7%40webmail.messagingengine.com.
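An added example, not from Dave's post nor from the Ansible or Jenkins projects, showing the check a reviewer would want on the forced-command side: the dispatcher validates the whole of SSH_ORIGINAL_COMMAND against an allowlist by exact match, rather than trusting whatever lands in $1 after the shell has word-split it. The checkout path and make targets mirror the thread; DRY_RUN is a hypothetical switch added so the dispatcher can be exercised without a real make.

```sh
#!/bin/sh
# Added example (not from Dave's post): a forced-command dispatcher that checks the
# whole SSH_ORIGINAL_COMMAND against an allowlist instead of trusting the word-split $1.
# Assumptions: the checkout path and make targets mirror the thread; DRY_RUN is a
# hypothetical switch so the dispatcher can be exercised without running make.

# dispatch_target COMMAND
# Prints the make target when COMMAND is exactly one allowed word; otherwise prints
# nothing and returns 1. Exact matching rejects extra words, separators and globs.
dispatch_target() {
    case "$1" in
        production|development)
            printf '%s\n' "$1"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# forced_command
# Entry point wired from authorized_keys without placing the client string on the
# command line, e.g.:
#   command="/home/ansible/src/ansible/jenkins.sh",no-pty,no-port-forwarding,... ssh-ed25519 ...
# sshd exports the client's requested command as SSH_ORIGINAL_COMMAND; the script reads
# the variable itself, so no shell ever re-parses the client-supplied text.
forced_command() {
    requested=${SSH_ORIGINAL_COMMAND-}
    target=$(dispatch_target "$requested") || {
        # log and refuse; SSH_CONNECTION is "client_ip client_port server_ip server_port"
        printf 'jenkins.sh: rejected "%s" from %s\n' "$requested" \
            "${SSH_CONNECTION-unknown}" >&2
        return 1
    }
    if [ -n "${DRY_RUN-}" ]; then
        printf 'would run: make %s\n' "$target"
        return 0
    fi
    cd /home/ansible/src/ansible && exec make "$target"
}

# Dispatch only when installed and executed as jenkins.sh, not when sourced for tests.
case "$0" in
    */jenkins.sh) forced_command ;;
esac
```

Install it as /home/ansible/src/ansible/jenkins.sh and drop the `$SSH_ORIGINAL_COMMAND` argument from the `command=` option; the rejection line on stderr reaches the Jenkins console output, which is where a failed deploy should be noticed.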
