Ansible and jails

Matthew Seaman matthew at FreeBSD.org
Sun Nov 27 15:28:10 UTC 2016


On 27/11/2016 14:02, Andrea Venturoli wrote:
> I'm digging into sysutils/ansible and I'd welcome some suggestions on how
> to manage jails.
> 
> Right now I'm still trying to be able to run simple commands and I'll
> deal with playbooks later.

You can manage jails with ansible exactly like you manage any other type
of host.  That's easiest if you have a mixed environment.  Yes, you need
to run sshd and install all the ansible prerequisites in each jail, but
that's usually not a problem.

Personally, I prefer to install sudo everywhere and configure it to
authenticate using your SSH key -- see the security/pam_ssh_agent_auth
port.  Also check out
https://dan.langille.org/2013/12/22/creating-a-new-ansible-node/
although I don't think it's necessary to create a special ansible user
account -- you can just log into your own account and become root from
there.  After all, you're already doing that when you need root access,
aren't you?

(The trick here would be to write a "first time" playbook that sets up
sudo + pam_ssh_agent_auth by using e.g. su(8) as the become method just
for the initial setup of a freshly installed machine, but then uses sudo
afterwards.)

However, ansible does have a special connection_method method for jails
-- see https://www.keltia.net/howtos/jail-mgmt-with-ansible/  This
easily allows you to run ansible from the jail host and use jexec(8) to
get root-level access to the jails hosted on it, and it's good if your
system is essentially one physical machine with a bunch of jails on it.
Working out how to use this connection method for jails hosted on a
remote server is another story though...

	Cheers,

	Matthew
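
The "first time" playbook idea from the message above, sketched as an added example (not part of the original post and not the poster's own playbook). The inventory group, user name, key path, key directory, and the PAM file and module locations under /usr/local are assumptions; the key file is kept root-owned so a compromised user account cannot authorise extra keys for sudo.

```yaml
# bootstrap.yml (added example). Run once against a freshly installed host:
#   ansible-playbook -i inventory bootstrap.yml --ask-become-pass
# The login user must be in wheel for su to work on FreeBSD.
- hosts: new_hosts                    # hypothetical inventory group
  become: true
  become_method: su                   # root password needed only for this run
  vars:
    admin_user: alice                 # placeholder login name
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"  # assumed key
    keys_dir: /usr/local/etc/sudo_authorized_keys                  # assumed path
  tasks:
    - name: Install sudo and the PAM module
      community.general.pkgng:
        name: [sudo, pam_ssh_agent_auth]
        state: present

    - name: Root-owned key directory, so users cannot add keys for sudo
      ansible.builtin.file:
        path: "{{ keys_dir }}"
        state: directory
        owner: root
        group: wheel
        mode: "0755"

    - name: Install the admin's public key
      ansible.builtin.copy:
        content: "{{ admin_pubkey }}\n"
        dest: "{{ keys_dir }}/{{ admin_user }}"
        owner: root
        group: wheel
        mode: "0644"

    - name: Let sudo authenticate against the forwarded SSH agent
      ansible.builtin.lineinfile:
        path: /usr/local/etc/pam.d/sudo        # assumed location from the sudo package
        insertbefore: "^auth"
        firstmatch: true
        line: "auth sufficient /usr/local/lib/pam_ssh_agent_auth.so file={{ keys_dir }}/%u"

    - name: Keep the agent socket through sudo and grant the admin a rule
      ansible.builtin.copy:
        dest: /usr/local/etc/sudoers.d/ssh_agent_auth
        content: |
          Defaults env_keep += "SSH_AUTH_SOCK"
          {{ admin_user }} ALL=(ALL) ALL
        owner: root
        group: wheel
        mode: "0440"
        validate: /usr/local/sbin/visudo -cf %s
```

Later playbooks would then set become_method: sudo and connect with SSH agent forwarding enabled, since the PAM module checks the key held by the forwarded agent.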





More information about the freebsd-questions mailing list