I'm learning Ansible, and I have experimented with it on 4-5 servers. I was copying the public key to the machines manually.

  • I want to know what would be the case if we had to do it for 1000s of servers.

Should we do the same thing, providing the other team with the SSH public key and asking them to add it to their machines? Are there any alternatives? How do people in the industry deal with it?

TIA

Zarak1
  • The question is a tad broad and heavily opinion based, but in workplaces where I've used ansible, the account (including the public key of the automation user) was part of the build process. Machines that pre-existed when ansible was introduced were shepherded into the herd after the fact by manually creating the account and adding its key. If you're already using any other system (saltstack, puppet, ...) you could use that to deploy the ansible user. – tink Jan 07 '20 at 16:59
  • So, do we ask the respective team to create a user account specific to Ansible and then run the playbooks with it? – Zarak1 Jan 07 '20 at 17:05
  • Don't ask the specific teams, ask your Operators (which might be you) to add this account with your public key and escalation privileges to every machine they deploy. – Zeitounator Jan 08 '20 at 08:09

2 Answers


No, if you are managing a really large number of servers, configuring your SSH key on each and every server is not a good way, especially if we are talking about servers in the cloud, which are highly dynamic in nature, i.e. they are started/terminated as and when needed.

You can always configure which "remote user" to use for SSH connections in the Ansible master configuration. Apart from that, you can configure the user anywhere in the playbook or roles, or pass it as a command line parameter.

For connecting to a remote server using an SSH key, the same methods can be used.

e.g. from the command line:

ansible-playbook <playbook yml> -u <user name on remote host> --key-file <SSH key file name with path on master host>

ansible-playbook abc.yml -u "user1" --key-file "/u01/ansible_keys/user1_key.pem"

You can set up these keys in the inventory file as well, as below:

myHost ansible_ssh_private_key_file=~/.ssh/mykey1.pem
myOtherHost ansible_ssh_private_key_file=~/.ssh/mykey2.pem

Reference: Specifying ssh key in ansible playbook file

saurabh14292

1. If all machines' passwords are the same:

ansible all -i <inventory_file> -m copy -a "src=<public_key_filepath> dest=<target_filepath>" -k

Input the password to copy the public key to all machines, then use Ansible as before.

2. If most of the machines' passwords are the same, you can do this in the inventory:

[groupA]
machine01
machine02

[groupB]
machine03
machine04 ansible_ssh_pass=<different password from others>

[all:vars]
ansible_ssh_user=<ssh_username>
ansible_ssh_pass=<machine password>

Then (no need to input the password):

ansible all -i <inventory_file> -m copy -a "src=<public_key_filepath> dest=<target_filepath>"

Then delete the password from the inventory file, and use Ansible as before.

For myself, I prefer method 2 because I have all machines' root passwords and no one can log in to the machines with the root account. So I write the plaintext password in the root directory. But I think your public-key method may be more secure.
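As an added example (not part of either answer or the comments), this is the one-time bootstrap playbook that implements what tink's comment describes and that the copy-based approach above approximates: it creates a dedicated automation account, installs its public key with the authorized_key module instead of overwriting a file, and grants it escalation privileges through a validated sudoers drop-in. The account name `ansible`, the key path and the inventory name are assumptions; it is run once with password authentication (`-k`), after which the password entries can be dropped from the inventory.

```yaml
# Added example, not from the original answers. Assumed names: automation
# user "ansible", local public key ~/.ssh/ansible_automation.pub.
# Run once against freshly built hosts with password auth, e.g.:
#   ansible-playbook -i inventory bootstrap.yml -u root -k
# Afterwards set remote_user = ansible and private_key_file in ansible.cfg.
- name: Bootstrap the Ansible automation account
  hosts: all
  become: true
  vars:
    automation_user: ansible
    # Read the public key on the control node; never ship the private key.
    automation_pubkey: "{{ lookup('file', '~/.ssh/ansible_automation.pub') }}"

  tasks:
    - name: Create the automation user
      ansible.builtin.user:
        name: "{{ automation_user }}"
        shell: /bin/bash
        create_home: true

    - name: Install the public key in ~/.ssh/authorized_keys
      # authorized_key handles directory/file permissions and is idempotent.
      # exclusive: true removes any other keys from this dedicated account,
      # so a stale or unknown key cannot linger there.
      ansible.posix.authorized_key:
        user: "{{ automation_user }}"
        key: "{{ automation_pubkey }}"
        state: present
        exclusive: true

    - name: Grant passwordless sudo through a validated sudoers drop-in
      # visudo -c checks the syntax before the file is put in place, so a
      # typo cannot lock every administrator out of sudo on 1000 hosts.
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ automation_user }}"
        content: "{{ automation_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

Once every host has been bootstrapped, password authentication for the automation account is no longer needed and the `ansible_ssh_pass` variables can be removed from the inventory, leaving only key-based access for the `ansible` user.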