Using Ansible to Manage install and update Apple OSX DHCP clients
-
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
may not be available at update time.
This is harder and a lot more advanced. There's multiple ways to handle this, but like I said it's a lot more advanced than just running playbooks or ad-hoc commands on a system.
Okay so lets stick with ad-hoc commands for now.
Pretending I was still at the office with this server installed and the homebrew role installed. How would I start finding my clients?
Do they have DNS names or are you referencing solely off of IP addresses?
They'll register in DNS, but nothing is assigned, so it would be better to reference off of the IP only until a key was present.
Which
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
- name: Ensure user key is present
  authorized_key:
    user: dustin
    state: present
    key: "{{ lookup('file', '/home/dustin/.ssh/id_rsa.pub') }}"
Where / how does this go?
-
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
They'll register in DNS, but nothing is assigned, so it would be better to reference off of the IP only until a key was present.
I'm confused as to how a key will change any of that?
Where / how does this go?
That would go in a playbook. You could use this:
---
- name: Ensure key exists
  hosts: all
  user: dustin
  tasks:
    - name: Ensure user key is present
      authorized_key:
        user: dustin
        state: present
        key: "{{ lookup('file', '/home/dustin/.ssh/id_rsa.pub') }}"
Then just run:
ansible-playbook playbook.yml
Keep in mind the inventory has to be populated for this to hit those systems and you will most likely want to set Ansible to ignore the host keys because you will have to accept each one as it tries to connect if you don't.
-
@stacksofplates So on your ansible server do you have a folder called playbooks and in that you have numerous different <something>.yml files each that do something?
-
As @stacksofplates mentioned, connect with SSH how you do now, and I would create a special account just for ansible via playbook once you authenticat
-
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@stacksofplates So on your ansible server do you have a folder called playbooks and in that you have numerous different <something>.yml files each that do something?
You can and it's recommended to do that when things start to get more complex, but for simple commands you can use a single yaml file.
-
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@stacksofplates So on your ansible server do you have a folder called playbooks and in that you have numerous different <something>.yml files each that do something?
It's up to personal preference. I store things in ~/Documents/projects/ansible. Then in that I have a playbooks directory and a roles directory. Playbooks has the playbooks I need, which is a single git repo, and then each role has its own git repo under roles. Your default ansible.cfg file is in /etc/ansible.cfg. It points you to /etc/ansible/hosts and /etc/ansible/roles. I never use that. I always set an ansible.cfg in my playbooks directory. It overrides that and stores everything in that playbooks directory.
-
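Putting the pieces from this reply and the earlier playbook reply together, as an added example rather than anything posted in the thread: a POSIX shell script that scaffolds a playbooks directory carrying its own ansible.cfg (the override described above, with inventory and roles resolved relative to that file), an inventory keyed by hostname instead of DHCP address, and the authorized_key playbook from the earlier reply as a complete file. The target directory, the mac-lab-* hostnames, the macs group and the check_layout helper are all constructed for illustration; host_key_checking is left at its default of True rather than the shortcut of turning it off.

```shell
#!/bin/sh
# Added example: scaffold an Ansible project in the layout described above
# (ansible.cfg, inventory and playbooks under playbooks/, roles beside it).
# Paths, hostnames and the "macs" group are constructed for illustration.

scaffold_ansible_project() {
  dir=$1
  mkdir -p "$dir/playbooks/group_vars" "$dir/roles"

  # A local ansible.cfg wins over /etc/ansible/ansible.cfg when ansible is run
  # from this directory; relative paths here resolve from this file's location.
  cat > "$dir/playbooks/ansible.cfg" <<'EOF'
[defaults]
inventory = ./inventory
roles_path = ../roles
remote_user = dustin
# Keep host key checking on (the shortcut in the thread is False). Left on, a
# client presenting a different host key fails the run instead of being trusted.
host_key_checking = True
EOF

  # Hostnames rather than DHCP addresses, so known_hosts entries stay valid
  # when a laptop picks up a new lease.
  cat > "$dir/playbooks/inventory" <<'EOF'
[macs]
mac-lab-01.example.internal
mac-lab-02.example.internal

[macs:vars]
ansible_user=dustin
EOF

  # The authorized_key task from earlier in the thread, as a complete playbook.
  cat > "$dir/playbooks/keys.yml" <<'EOF'
---
- name: Ensure key exists
  hosts: macs
  tasks:
    - name: Ensure user key is present
      authorized_key:
        user: dustin
        state: present
        key: "{{ lookup('file', '/home/dustin/.ssh/id_rsa.pub') }}"
EOF
}

# Sanity check of the layout; returns non-zero if anything is missing.
check_layout() {
  dir=$1
  for f in playbooks/ansible.cfg playbooks/inventory playbooks/keys.yml; do
    [ -f "$dir/$f" ] || return 1
  done
  [ -d "$dir/roles" ] && [ -d "$dir/playbooks/group_vars" ]
}

# Usage: sh scaffold.sh ~/Documents/projects/ansible
# First run from the playbooks directory (asks for the SSH password once, then
# the installed key takes over):  cd playbooks && ansible-playbook -k keys.yml
if [ "$#" -eq 1 ]; then
  scaffold_ansible_project "$1"
fi
```

Because ansible.cfg sits next to the playbook, running ansible-playbook from that directory picks up the inventory and roles_path without any -i flag, which is the override the reply describes.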
@IRJ said in Using Ansible to Manage install and update Apple OSX DHCP clients:
As @stacksofplates mentioned, connect with SSH how you do now, and I would create a special account just for ansible via playbook once you authenticat
Okay, that would just be over ssh as our administrative user.
-
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So going out on the wild assumption that I wasn't on my couch right now, how would ansible find my clients?
No credentials have been set anywhere - how do I add my clients?
So how you use credentials depends on how you have them set up on your systems. If you have a user that can access all of them, then you can use that user. If you don't, you'll have to call separate plays for the different systems.
If you're running an Ansible ad-hoc command you can do:
ansible -i <path to inventory> group-name -m setup -u <username>
SSH keys are preferable, but if you don't have them you can pass a -k to ask for the SSH password. -K is the sudo password flag and goes along with -b for become (meaning become another user). To run a playbook, just have your user defined like I showed in the other thread and become as true if you need it.
@DustinB3403 this is what I am talking about. Use your SSH root user to run the user creation playbook.
-
@IRJ said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So going out on the wild assumption that I wasn't on my couch right now, how would ansible find my clients?
No credentials have been set anywhere - how do I add my clients?
So how you use credentials depends on how you have them set up on your systems. If you have a user that can access all of them, then you can use that user. If you don't, you'll have to call separate plays for the different systems.
If you're running an Ansible ad-hoc command you can do:
ansible -i <path to inventory> group-name -m setup -u <username>
SSH keys are preferable, but if you don't have them you can pass a -k to ask for the SSH password. -K is the sudo password flag and goes along with -b for become (meaning become another user). To run a playbook, just have your user defined like I showed in the other thread and become as true if you need it.
@DustinB3403 this is what I am talking about. Use your SSH root user to run the user creation playbook.
So my inventory file is currently (I assume) in /etc/ansible/hosts, right? Also, I don't think that is how you create users on OSX cli (have to confirm).
-
So here's my tree view for that directory
ansible
├── playbooks
├── ansible.cfg
├── apache.yml
├── group_vars
├── inventory
├── Makefile
└── roles
    ├── apache
    ├── firewalld
    ├── grafana
    ├── nginx
    ├── node-exporter
    └── prometheus
-
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So here's my tree view for that directory
ansible
├── playbooks
├── group_vars
├── inventory
└── roles
    └── roles
        ├── apache
        ├── firewalld
        ├── grafana
        ├── nginx
        ├── node-exporter
        └── prometheus
I assume this actually looks like
etc
└── ansible
    ├── playbooks
    ├── group_var
    ├── inventory
    └── roles
        └── roles
            ├── apache
            ├── firewalld
            ├── grafana
            ├── nginx
            ├── node-exporter
            └── prometheus
-
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So here's my tree view for that directory
ansible
├── playbooks
├── group_vars
├── inventory
└── roles
    └── roles
        ├── apache
        ├── firewalld
        ├── grafana
        ├── nginx
        ├── node-exporter
        └── prometheus
I assume this actually looks like
etc
└── ansible
    ├── playbooks
    ├── group_var
    ├── inventory
    └── roles
        └── roles
            ├── apache
            ├── firewalld
            ├── grafana
            ├── nginx
            ├── node-exporter
            └── prometheus
No, it's under ~/Documents/projects/ansible like I mentioned above.
-
To ask, can I add hosts by hostname to the host file rather than by IP address? Being these systems are portable, their IP can change at a moment's notice and would cause all kinds of SSH complaints like
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
-
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
To ask, can I add hosts by hostname to the host file rather than by IP address? Being these systems are portable, their IP can change at a moment's notice and would cause all kinds of SSH complaints like
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
Yes. That was one of the first things I recommended.
-
@DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
To ask, can I add hosts by hostname to the host file rather than by IP address? Being these systems are portable, their IP can change at a moment's notice and would cause all kinds of SSH complaints like
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
Yeah that's why I said you can either use FQDN or IP address and why I also mentioned disabling host key checking for Ansible. There are times not to disable it but shouldn't matter in this case.
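The replies above settle on hostnames in the inventory plus disabling host key checking. As an added example that is not from the thread, the script below shows the middle ground a practitioner would usually prefer: pin each inventory host's SSH key once, by hostname, so that host_key_checking can stay enabled and a DHCP lease change does not trigger the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning. The inventory parser, the KEYSCAN override and the lab hostnames are all constructed for illustration. Two caveats: ssh-keyscan trusts whatever key it sees at scan time, so run it from the management subnet while the clients are known-good; and OpenSSH releases before 8.5 defaulted CheckHostIP to yes, which also pins the IP address, so on those versions a lease change can still warn unless CheckHostIP is set to no in the ssh config.

```shell
#!/bin/sh
# Added example: pin each inventory host's SSH key once so Ansible can keep
# host_key_checking enabled. KEYSCAN defaults to ssh-keyscan and can be pointed
# at another command for offline testing (a hypothetical helper, not an Ansible
# feature). Inventory format assumed: plain INI with [group] and [group:vars].

# Print the host names from an INI inventory, skipping [group:vars] sections,
# comments and any per-host variables after the name.
inventory_hosts() {
  awk '/^\[/ { skip = ($0 ~ /:vars\]/) }
       !skip && NF { c = substr($1, 1, 1); if (c != "#" && c != "[") print $1 }' "$1" | sort -u
}

# Append a key line for every inventory host not already in the known_hosts file
# and print how many were added. Existing entries are never overwritten, so a
# client whose key later changes still fails the run instead of being trusted.
seed_known_hosts() {
  inventory=$1
  known_hosts=$2
  scanner=${KEYSCAN:-ssh-keyscan}
  added=0
  touch "$known_hosts"
  for host in $(inventory_hosts "$inventory"); do
    if grep -q "^$host " "$known_hosts"; then
      continue
    fi
    # ssh-keyscan writes "host keytype key" lines to stdout, chatter to stderr.
    "$scanner" -t ed25519,rsa "$host" 2>/dev/null >> "$known_hosts" && added=$((added + 1))
  done
  echo "$added"
}

# Usage: sh seed_known_hosts.sh ./inventory ~/.ssh/known_hosts
if [ "$#" -eq 2 ]; then
  seed_known_hosts "$1" "$2"
fi
```

Run it once from the Ansible control host after the clients are set up; afterwards every playbook and ad-hoc run connects with host key checking left on, and a client that suddenly presents a different key is refused rather than silently accepted.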
-
So you are going to have SSH open on everything while allowing root and/or password login?
TF?
-
@Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So you are going to have SSH open on everything while allowing root and/or password login?
TF?
SSH is open on Mac OSX by default already, nothing I'm doing is opening that.
I'm looking to set up SSH keys also. I've already set up SSH keys, so I'm not sending passwords. This is also still very early stage testing and things can be changed/improved well before deployment.
-
@Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So you are going to have SSH open on everything while allowing root and/or password login?
TF?
You can use keys (recommended). Also, ideally you only run your management tools from one subnet. You only open ssh on the clients to that subnet. No reason for client1 to be able to SSH to client2. You could also get more restrictive and only allow specific IPs.
-
@Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
So you are going to have SSH open on everything while allowing root and/or password login?
TF?
Maybe tone it down a tad since you apparently don't understand what's happening. We are recommending using keys for authentication, using the password only to set that up. Second, where did the allowing root come from? That never came up. Third, I know you're on the Salt is the savior of everything train, but SSH is just as secure as ZeroMQ. If you limit where SSH access can come from to a subnet (like @IRJ mentioned) or a single machine, it's pretty much exactly what you have with ZeroMQ, just not a message bus.
Plus this is ignoring the fact that when you get to fully immutable infrastructure (I realize the Macs aren't that) you can leverage Ansible through tools like Packer to build your image and never need SSH after the fact because you don't ever log in again at all.
-
@stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
Maybe tone it down a tad since you apparently don't understand what's happening. We are recommending using keys for authentication.
Yeah, I didn't read all the way down before I wrote that. I don't always have time to read past the first few, and it wasn't mentioned in what I did read. My bad there.