From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Ansible and jails
Date: Sun, 27 Nov 2016 15:27:51 +0000
In-Reply-To: <34b5beb3-b942-d1c9-aa67-25bb9597ea98@netfence.it>
On 27/11/2016 14:02, Andrea Venturoli wrote:
> I'm digging into sysutil/ansible and I'd welcome some suggestion on how
> to manage jails.
>
> Right now I'm still trying to be able to run simple commands and I'll
> deal with playbooks later.

You can manage jails with ansible exactly like you manage any other type
of host. That's easiest if you have a mixed environment. Yes, you need
to run sshd and install all the ansible prerequisites in each jail, but
that's usually not a problem.

Personally, I prefer to install sudo everywhere and configure it to
authenticate using your SSH key -- see the security/pam_ssh_agent_auth
port. Also check out
https://dan.langille.org/2013/12/22/creating-a-new-ansible-node/
although I don't think it's necessary to create a special ansible user
account -- you can just log into your own account and become root from
there. After all, you're already doing that when you need root access,
aren't you?

(The trick here would be to write a "first time" playbook that sets up
sudo + pam_ssh_agent_auth by using e.g. su(8) as the become method just
for the initial setup of a freshly installed machine, but then uses sudo
afterwards.)
However, ansible does have a special connection method for jails -- see
https://www.keltia.net/howtos/jail-mgmt-with-ansible/
This easily allows you to run ansible from the jail host and use
jexec(8) to get root level access to the jails hosted on it, and it's
good if your system is essentially one physical machine with a bunch of
jails on it. Working out how to use this connection method for jails
hosted on a remote server is another story though...

Cheers,

Matthew
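The playbook below is an added example, not code from this message, from Dan Langille's page or from the keltia.net howto. It sketches both ideas in the reply: a "first time" play that reaches a fresh host or jail as your own account, becomes root with su(8) (ansible-playbook -K prompts for the root password), installs sudo and pam_ssh_agent_auth and wires them together; a second play that switches to sudo and checks that the forwarded agent really authenticated it; and a third play that uses the jail connection plugin from the jail host itself. The inventory names, the operator account, the key-file path /usr/local/etc/security/sudo_authorized_keys, the files/sudo_authorized_keys source and the python3 package name are assumptions; the PAM and sudoers fragments are the standard pam_ssh_agent_auth wiring (the module is tried first, then the normal system stack, and sudo must keep SSH_AUTH_SOCK in its environment).

```yaml
# bootstrap-sudo.yml  (constructed example; names and paths are assumptions)
#
# Inventory assumed, in INI form:
#   [fresh]
#   jail1.example.org ansible_user=matthew      # reached over ssh
#   [local_jails]
#   www                                          # jail names as shown by jls(8)
#   db                                           # on the machine running ansible
#
# Play 1: run once per freshly installed host or jail. Log in as yourself,
# become root with su(8) (the operator must already be in wheel for su on
# FreeBSD), and install sudo + pam_ssh_agent_auth.
- hosts: fresh
  gather_facts: no                 # no python on the target yet, so no facts
  become: yes
  become_method: su
  become_user: root
  vars:
    ansible_python_interpreter: /usr/local/bin/python3   # assumed package/path
    sudo_keys: /usr/local/etc/security/sudo_authorized_keys   # assumed, root-owned
  tasks:
    - name: Install python so that the regular ansible modules can run
      raw: env ASSUME_ALWAYS_YES=yes pkg install python3

    - name: Install sudo and pam_ssh_agent_auth packages
      pkgng:
        name: sudo,pam_ssh_agent_auth
        state: present

    - name: Root-owned list of keys allowed to authenticate sudo (not user-writable)
      copy:
        src: files/sudo_authorized_keys      # your ssh public key(s), one per line (assumed file)
        dest: "{{ sudo_keys }}"
        owner: root
        group: wheel
        mode: "0644"

    - name: Make sudo try the forwarded agent first, then the usual system stack
      copy:
        dest: /usr/local/etc/pam.d/sudo
        owner: root
        group: wheel
        mode: "0644"
        content: |
          auth     sufficient  /usr/local/lib/pam_ssh_agent_auth.so  file={{ sudo_keys }}
          auth     include     system
          account  include     system
          session  required    pam_permit.so

    - name: sudo must keep SSH_AUTH_SOCK, otherwise the module cannot reach the agent
      copy:
        dest: /usr/local/etc/sudoers.d/ansible
        owner: root
        group: wheel
        mode: "0440"
        validate: /usr/local/sbin/visudo -cf %s   # refuse to install a broken sudoers
        content: |
          Defaults env_keep += "SSH_AUTH_SOCK"
          %wheel ALL=(ALL) ALL

# Play 2: from now on become via sudo. This only works when the agent is
# forwarded to the host: ssh_args = -o ForwardAgent=yes under [ssh_connection]
# in ansible.cfg, or ForwardAgent yes for these hosts in ~/.ssh/config.
- hosts: fresh
  become: yes
  become_method: sudo
  vars:
    ansible_python_interpreter: /usr/local/bin/python3
  tasks:
    - name: Check that sudo accepted the agent key and gave us root
      command: id -u
      register: whoami
      changed_when: false

    - assert:
        that: whoami.stdout == "0"

# Play 3: jails on the machine running ansible, through the jail connection
# plugin (jexec(8) under the hood). Run ansible-playbook as root on the jail
# host; each inventory name must match a running jail's name in jls(8).
- hosts: local_jails
  connection: jail
  gather_facts: no
  tasks:
    - name: Show we are inside the jail
      raw: hostname
```

Run the first play with ansible-playbook -K bootstrap-sudo.yml, limited to the new hosts; once it has passed, play 2 and every later playbook need no password at all. Agent forwarding is what makes this work, so only forward to hosts whose root you trust: while your session is open, root on that host can use your agent to sign as you.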