Advice on best way to sync root-owned files from one remote server to a group of others?
33 views
Skip to first unread message
Uditha Desilva
Jun 1, 2016, 7:13:37 AM6/1/16
to Ansible Project
Hi,
I'm trying to create a Playbook to synchronize some initialization scripts and crontabs across a VCS cluster. The cluster itself is on RHEL5, so I am trying to use a RHEL7 server as a controller.
The key restriction here is that we cannot have direct root login via the network (i.e. "PermitRootLogins No" in /etc/ssh/sshd_config), so I need to use an account that is able to use a passworded "sudo" in order to gain root, which is needed to read or write these files.
Thus far, the only method I have managed to get to even come close to working is to create an archive of these directories from the primary, pull that back to the controller, then extract them on each of the secondary nodes -- which is horribly clunky.
Approaches I have tried and failed on include trying to delegate the synchronization to the master node, e.g.
- hosts: standby
become: true
tasks:
- name: copy crontabs to other nodes
copy:
src: /etc/cron.d/
dest: /etc/cron.d/
become: true
delegate_to: "{{ hostvars.localhost.primary }}"
-- but delegation in this context merely means that the controller is just trying to copy files from itself to the master node each time.
Johannes Kastl
Jun 1, 2016, 1:33:43 PM6/1/16
to ansible...@googlegroups.com
On 01.06.16 13:13 Uditha Desilva wrote:
> The key restriction here is that we cannot have direct root login via the
> network (i.e. "PermitRootLogins No" in /etc/ssh/sshd_config), so I need to
> use an account that is able to use a passworded "sudo" in order to gain
> root, which is needed to read or write these files.
No problem, as long as sudo is allowed. Providing the password via
> The key restriction here is that we cannot have direct root login via the
> network (i.e. "PermitRootLogins No" in /etc/ssh/sshd_config), so I need to
> use an account that is able to use a passworded "sudo" in order to gain
> root, which is needed to read or write these files.
ansible-vault encrypted files works like a charm.
> Thus far, the only method I have managed to get to even come close to
> working is to create an archive of these directories from the primary, pull
> that back to the controller, then extract them on each of the secondary
> nodes -- which is horribly clunky.
> Approaches I have tried and failed on include trying to delegate the
> synchronization to the master node, e.g.
encrypted files, if you need.
Otherwise I would also fetch the files from the primary to the
controller and then distribute them along.
Delegating the task of copying the files to the primary could also
work, but that would mean the controller has to build ssh connections
to the other hosts, running commands through sudo via python and that
sounds pretty fragile.
Johannes
Reply all
Reply to author
Forward
0 new messages