BB> Ansible users. How does everyone handle the SSH and root access parts?
BB> I assume you don't have ansible connecting directly as root on the
BB> destination servers, you use a regular user.

Yep! One question is whether you give that regular user a shared key that all your sysadmins use, or if you put each sysadmin's key into that user's authorized_keys file on the remote systems. There are pros and cons of each, but the latter seems good for flexibility and accountability.

BB> Then how do you give that user sudo/root access and provide that user
BB> password so the ansible task can execute a root function?

One way: Have Ansible log in as root to the new remote system long enough to run a bootstrapping playbook that sets up the ansible user (and enough sudo privs for it to be able to do the rest of its job), and then switch to using the ansible user + sudo from then on out. (Closing the directly-as-root path as well while you're at it, if you like).

For cloud type things, there's typically a root account (or an account with full sudo privs) with a key when you provision the thing, so you can piggyback on that.

Alternatively, if you can easily change how things come up at provisioning time (Kickstart %post scripts, custom images on cloud systems, etc), you can bake the ansible user into that.

-Josh (iril...@infersys.com)

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
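
A bootstrapping playbook of the kind described in the reply above, as an added example that is not part of the original thread or any poster's own configuration. Assumptions: the account name `ansible`, the key file paths, passwordless sudo for that account, an SSH service named `sshd`, and the `ansible.posix` collection being installed.

```yaml
# bootstrap.yml (added example). Run once while root login still works:
#   ansible-playbook -i inventory bootstrap.yml -u root
# Account name, key paths and the sudo rule are assumptions, not from the thread.
- name: Bootstrap the unprivileged ansible account
  hosts: all
  remote_user: root
  vars:
    ansible_account: ansible        # hypothetical account name
    sysadmin_keys:                  # one public key per sysadmin (constructed names)
      - files/keys/alice.pub
      - files/keys/bob.pub
  tasks:
    - name: Create the account
      ansible.builtin.user:
        name: "{{ ansible_account }}"
        shell: /bin/bash

    - name: Install each sysadmin's own key (per-person accountability)
      ansible.posix.authorized_key:
        user: "{{ ansible_account }}"
        key: "{{ lookup('file', item) }}"
      loop: "{{ sysadmin_keys }}"

    - name: Grant sudo through a drop-in that is syntax-checked before install
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ ansible_account }}"
        content: "{{ ansible_account }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # a broken sudoers file is never written

    - name: Close the directly-as-root SSH path
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\b'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s   # reject a config sshd cannot parse
      notify: Restart sshd

  handlers:
    - name: Restart sshd              # runs at the end of the play, after sudo is in place
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Later runs then connect with `-u ansible --become`. Narrowing the sudoers rule to the commands the account actually needs is the tighter variant of "enough sudo privs".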