Date:      Sun, 27 Nov 2016 15:27:51 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Ansible and jails
Message-ID:  <aba6b960-ad6e-4fed-b36a-7b95d57fa26b@FreeBSD.org>
In-Reply-To: <34b5beb3-b942-d1c9-aa67-25bb9597ea98@netfence.it>
References:  <34b5beb3-b942-d1c9-aa67-25bb9597ea98@netfence.it>

On 27/11/2016 14:02, Andrea Venturoli wrote:
> I'm digging into sysutil/ansible and I'd welcome some suggestions on how
> to manage jails.
>
> Right now I'm still trying to be able to run simple commands and I'll
> deal with playbooks later.

You can manage jails with ansible exactly like you manage any other type
of host.  That's easiest if you have a mixed environment.  Yes, you need
to run sshd and install all the ansible prerequisites in each jail, but
that's usually not a problem.

Personally, I prefer to install sudo everywhere and configure it to
authenticate using your SSH key -- see the security/pam_ssh_agent_auth
port.  Also check out
https://dan.langille.org/2013/12/22/creating-a-new-ansible-node/
although I don't think it's necessary to create a special ansible user
account -- you can just log into your own account and become root from
there.  After all, you're already doing that when you need root access,
aren't you?

(The trick here would be to write a "first time" playbook that sets up
sudo + pam_ssh_agent_auth by using eg. su(8) as the become method just
for the initial setup of a freshly installed machine, but then uses sudo
afterwards.)

However, ansible does have a special connection_method method for jails
-- see https://www.keltia.net/howtos/jail-mgmt-with-ansible/  This
easily allows you to run ansible from the jail host and use jexec(8) to
get root level access to the jails hosted on it, and it's good if your
system is essentially one physical machine with a bunch of jails on it.
Working out how to use this connection method for jails hosted on a
remote server is another story though...

	Cheers,

	Matthew









Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aba6b960-ad6e-4fed-b36a-7b95d57fa26b>
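
Added example, not part of the message above or of either linked how-to: one way the "first time" playbook it describes could look, with su(8) as the become method for the bootstrap play and sudo afterwards. The group `fresh`, the user `alice`, the key path, the `sudo_authorized_keys` directory and the sudoers.d file name are assumptions, as are a target that already has Python, a PAM file for sudo at /usr/local/etc/pam.d/sudo, and a sudoers file that includes /usr/local/etc/sudoers.d.

```yaml
- name: First-time setup over su(8), before sudo exists on the host
  hosts: fresh                  # hypothetical inventory group
  become: true
  become_method: su             # root password supplied via --ask-become-pass
  vars:
    admin_user: alice           # hypothetical admin account
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"  # assumed path
    sudo_keys_dir: /usr/local/etc/sudo_authorized_keys             # hypothetical
  tasks:
    - name: Install sudo and pam_ssh_agent_auth
      community.general.pkgng:
        name: [sudo, pam_ssh_agent_auth]
        state: present
    - name: Root-owned directory for keys allowed to authorise sudo
      ansible.builtin.file:
        path: "{{ sudo_keys_dir }}"
        state: directory
        owner: root
        mode: "0755"
    - name: Install the admin's public key where the user cannot edit it
      ansible.builtin.copy:
        content: "{{ admin_pubkey }}\n"
        dest: "{{ sudo_keys_dir }}/{{ admin_user }}"
        owner: root
        mode: "0644"
    - name: Let sudo's PAM stack accept a signature from the SSH agent
      ansible.builtin.lineinfile:
        path: /usr/local/etc/pam.d/sudo
        insertbefore: BOF
        line: "auth sufficient pam_ssh_agent_auth.so file={{ sudo_keys_dir }}/%u"
    - name: Keep SSH_AUTH_SOCK across sudo and grant the admin user sudo
      ansible.builtin.copy:
        dest: /usr/local/etc/sudoers.d/ansible-admin   # hypothetical file name
        content: |
          Defaults env_keep += "SSH_AUTH_SOCK"
          {{ admin_user }} ALL=(ALL) ALL
        owner: root
        mode: "0440"
        validate: /usr/local/sbin/visudo -cf %s
# Later runs (normally a separate playbook): sudo, authenticated by the agent.
- name: Routine management over sudo
  hosts: fresh
  become: true
  become_method: sudo
  tasks:
    - name: Confirm privilege escalation works without a password prompt
      ansible.builtin.command: id -u
      changed_when: false
```

The second play needs SSH agent forwarding enabled for the connection to those hosts, since pam_ssh_agent_auth checks the key through SSH_AUTH_SOCK. Keeping the key file root-owned, rather than pointing `file=` at ~/.ssh/authorized_keys, means a compromised user account cannot grant itself sudo by adding a key.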