Ansible: SSH into shell servers as root #44
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It seems the documentation was too hard to follow in the first place...
Those files are created by Ansible when a playbook fails, to allow re-running it only on the faulty machines.
In this playbook, we only care about the order of actions on each individual server: it's safe to let servers run through the playbook without waiting on other servers. This leaves synchronisation between the two plays (pulling in changes from git and applying `apt` changes) which is unnecessary. On the other hand, there is very little cost to it anyhow, as most of the execution time is spent on the `apt` play.
Same as for `shell.yml`: we only care about ordering on individual ircds
Using `sudo`, through the Ansible feature `become`, is problematic due to hashbang/shell-etc#74 : sudo does not let Ansible escape the namespace-based sandbox. Since all admins have SSH keys deployed for `root`, this is a good alternative.
Those aren't needed anymore, as Ansible SSHes in as root anyhow.
Reviewed-by: daurnimator
|
@hashbang/administrators Review needed. |
Reviewed-by: daurnimator
Reviewed-by: daurnimator, dgrove, Ryan
drGrove
approved these changes
Feb 28, 2017
Reviewed-by: dgrove
daurnimator
reviewed
Feb 28, 2017
| @@ -4,6 +4,10 @@ ny1.hashbang.sh | |||
| sf1.hashbang.sh | |||
| to1.hashbang.sh | |||
|
|
|||
| [shell_servers] | |||
| ansible_user=root | |||
There was a problem hiding this comment.
Can you add a link to issue 74 in a comment here?
There was a problem hiding this comment.
Arg. Will do... in a separate PR? :V
In general, though, there is no benefit not to do this: direct root isn't any more privileged than admin+sudo, and this avoids the dependency on LDAP/userdb.
There was a problem hiding this comment.
In general I like to disable root login via sshd. I'd like to do that for hashbang too but... this. :)
There was a problem hiding this comment.
Eeeh, experience (#! and otherwise) says that having a method of getting root without relying on LDAP is good :3
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a workaround for hashbang/shell-etc#74