Re: [ansible-project] How do you run unattended ansible?


Brian Coca

Dec 6, 2012, 2:38:15 PM
to ansible...@googlegroups.com
For certain tasks I have a 'maint' user that has an ssh key w/o passphrase, and run ansible from cron with the config options using that key for that user (he also has sudo NOPASSWD to a restricted set of commands).

I haven't used it, but there is also fireball mode.


On Thu, Dec 6, 2012 at 1:49 PM, Dylan Martin <dma...@seattlecentral.edu> wrote:
I'm trying to decide how to make ansible do regular maintenance.  The options, as I see them, are 1) ansible-pull and 2) set up an ssh-agent and tell cron the SSH_AUTH_SOCK on the ansible master.

What does everyone else do?  What do you recommend? 

Thanks!
-Dylan


--
Brian Coca
Stultorum infinitus est numerus
0110000101110010011001010110111000100111011101000010000001111001011011110111010100100000011100110110110101100001011100100111010000100001
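The restricted NOPASSWD grant Brian describes, written out as a sudoers fragment. This is an added, constructed example and not Brian's actual configuration: the user name, the command list and the file path are assumptions.

```sudoers
# /etc/sudoers.d/maint  (constructed example; install it with visudo -f)
# The unattended 'maint' user may run exactly these commands, with exactly
# these arguments, without a password. No shell, no editor, no bare wildcard
# in argument position, so a compromised cron user cannot widen the grant.
Cmnd_Alias MAINT_CMDS = /usr/bin/apt-get update, \
                        /usr/bin/apt-get -y upgrade, \
                        /bin/systemctl restart nginx.service
maint ALL=(root) NOPASSWD: MAINT_CMDS
```

Listing a command together with its arguments makes sudo match only that exact invocation; listing `/usr/bin/apt-get` alone would allow any arguments, including `apt-get install` of arbitrary packages.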

Michael DeHaan

Dec 7, 2012, 11:11:56 AM
to ansible...@googlegroups.com
On Thu, Dec 6, 2012 at 2:38 PM, Brian Coca <bria...@gmail.com> wrote:
> for certain tasks i have a 'maint' user that has a sshkey w/o passphrase,
> run ansible from the cron with the config options using that key for that
> user (he also has sudo NOPASSWORD to a restricted set of commands).
>
> I haven't used it, but there is also fireball mode.
>

Fireball mode doesn't help you with the intended case at all because
it distributes secrets over SSH.

Dylan's previous 2 answers are what is there now. I'd like to see
more done in the docs explaining how to do the ssh-agent /
SSH_AUTH_SOCK thing; if someone wants to write a paragraph or two, I'll
figure out where to insert it.




Dylan Martin

Dec 7, 2012, 1:48:52 PM
to ansible...@googlegroups.com
Okay, here's a stab at it:

------

An alternative to ansible-pull might be to set up a cron job that runs ansible-playbook with ssh-agent.  Here's one way to do that.

Log on to your ansible master and start ssh-agent with a process that won't stop, and specify where you want to put the socket, e.g.

  # the sleep loop is the long-lived child that keeps the agent alive; nohup and & so it survives logout
  nohup ssh-agent -a /var/run/ansible_ssh_auth_sock.sock sh -c 'while /bin/true ; do sleep 3600 ; done' &

Then add the ansible ssh key to the ssh-agent

  export SSH_AUTH_SOCK=/var/run/ansible_ssh_auth_sock.sock
  ssh-add ~/.ssh/ansible_admin    # the private key, not the .pub

and in your crontab

PATH=/usr/local/bin:/usr/bin:/bin
MAILTO=m...@example.com

# ansible at midnight
00 0 * * * export SSH_AUTH_SOCK=/var/run/ansible_ssh_auth_sock.sock; ansible-playbook maintenance.yaml

Note that you have to do all this as the user whose crontab is going to run the ansible jobs.  The ssh-agent socket should only be readable/writable by that one user.  If you forget the socket or want to find the PID of the ssh-agent, use ps.  You have to put "export SSH_AUTH_SOCK;" in the cron command.  You can't set it like the PATH or MAILTO variables.

--------------

I've tested ssh connections using this method, but not actual ansible playbooks.  If anyone sees anything insecure or otherwise stupid, please let me know.
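The recipe above, wrapped in a few POSIX sh functions so the two checks it relies on (the agent is actually up, and the socket is owner-only) are done before anything is signed with the key. This is an added example, not Dylan's script or anything from the ansible project; the socket path, key file name and playbook name are assumptions, and the agent-state test uses ssh-add's documented exit codes (0 keys listed, 1 no identities, 2 cannot contact the agent).

```shell
#!/bin/sh
# Added example, not from the thread: helpers around the recipe above
# (persistent ssh-agent on a fixed socket, key loaded once, cron job that
# exports SSH_AUTH_SOCK). Socket path, key name and playbook are assumptions.
set -u

AGENT_SOCK="${AGENT_SOCK:-/var/run/ansible_ssh_auth_sock.sock}"   # assumed path
AGENT_KEY="${AGENT_KEY:-${HOME:-/root}/.ssh/ansible_admin}"       # assumed private key

# 0 when no group/other permission bit is set on the path (owner-only).
# Anyone who can connect to the agent socket can sign with its keys, so this
# is the "only readable/writable by that one user" property the recipe asks for.
path_is_private() {
    m=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$m" ] || return 1
    case "$m" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Same check, but additionally insist that the path really is a socket.
socket_is_private() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1)" in
        s) path_is_private "$1" ;;
        *) return 1 ;;
    esac
}

# Classify the agent behind a socket via ssh-add's documented exit codes:
# 0 = identities listed, 1 = agent reachable but empty, 2 = cannot connect.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo no-ssh-add; return 0; }
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo down ;;
    esac
}

# Start the agent if it is not running, refuse a socket that is not owner-only,
# and load the key only when the agent is still empty.
ensure_agent() {
    if [ "$(agent_state "$AGENT_SOCK")" = down ]; then
        rm -f "$AGENT_SOCK"
        # The sleep loop is the long-lived child that keeps the agent alive;
        # nohup and & so it survives logout and hands the shell back.
        nohup ssh-agent -a "$AGENT_SOCK" sh -c 'while :; do sleep 3600; done' \
            >/dev/null 2>&1 &
        sleep 1
    fi
    if ! socket_is_private "$AGENT_SOCK"; then
        echo "refusing to use $AGENT_SOCK: not a socket or not owner-only" >&2
        return 1
    fi
    if [ "$(agent_state "$AGENT_SOCK")" = empty ]; then
        SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add "$AGENT_KEY"
    fi
}

# Render the crontab line from the recipe: the socket is exported inside the
# command itself, exactly as the post does it.
cron_line() {
    printf '%s export SSH_AUTH_SOCK=%s; ansible-playbook %s\n' "$1" "$2" "$3"
}

# "sh thisfile.sh setup" brings the agent up and prints the crontab line to
# paste; with no argument nothing runs, so the file can be sourced for its functions.
if [ "${1:-}" = setup ]; then
    ensure_agent && cron_line '00 0 * * *' "$AGENT_SOCK" maintenance.yaml
fi
```

Running it as the cron user is what makes the owner-only check meaningful: the socket is then owned by that user, and any other account that could reach it would show up as a group or other permission bit.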

