Ansible Agent Option?
-
For all you Ansible users out there, I know that by default Ansible is agentless. That's fine, but that leaves a ton of situations where we would need ZeroTier or something to reach systems. Has anyone looked into agent options for Ansible to make it able to reach systems on its own without needing a third party software defined network or VPN to reach machines on different LANs than the Ansible servers?
-
Also, not having to open ports would be nice.
-
I'm not even at the point where I would need to consider this.
-
You could use a github repository and manage ansible locally using shell scripts.
-
@scottalanmiller , it would look like this.
#*********************************************************** # Install ansible #*********************************************************** sudo apt install -y ansible #*********************************************************** # Create or append ansible requirements file #*********************************************************** sudo sh -c "echo '- src: https://github.com/florianutz/Ubuntu1804-CIS.git' >> /etc/ansible/requirements.yml" #*********************************************************** # Install the role for CIS Ubuntu script from Github #*********************************************************** cd /etc/ansible/ sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml #*********************************************************** # Create Ansible Playbook for CIS Ubuntu script #*********************************************************** sudo sh -c "cat > /etc/ansible/harden.yml <<EOF - name: Harden Server hosts: localhost connection: local become: yes roles: - Ubuntu1804-CIS EOF " #*********************************************************** # Run ansible playbook file #*********************************************************** sudo ansible-playbook /etc/ansible/harden.yml -
@IRJ I suspect that that does not work on Windows, though.
-
Since Windows doesn't run Ansible.
-
Why Ansible with Windows?
-
@Obsolesce said in Ansible Agent Option?:
Why Ansible with Windows?
I don't think @scottalanmiller is running Ansible from Windows, but looking to manage Windows with Ansible.
Which it looks like it's included. .
-
Specifically
https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#can-ansible-run-on-windows
No, Ansible can only manage Windows hosts. Ansible cannot run on a Windows host natively, though it can run under the Windows Subsystem for Linux (WSL). -
@Obsolesce said in Ansible Agent Option?:
Why Ansible with Windows?
Because it seems to be more robust than Salt.
-
@DustinB3403 said in Ansible Agent Option?:
@Obsolesce said in Ansible Agent Option?:
Why Ansible with Windows?
I don't think @scottalanmiller is running Ansible from Windows, but looking to manage Windows with Ansible.
Which it looks like it's included. .
Correct. It is included, but how do you reach it when the Windows client leaves the LAN?
-
@scottalanmiller said in Ansible Agent Option?:
@DustinB3403 said in Ansible Agent Option?:
@Obsolesce said in Ansible Agent Option?:
Why Ansible with Windows?
I don't think @scottalanmiller is running Ansible from Windows, but looking to manage Windows with Ansible.
Which it looks like it's included. .
Correct. It is included, but how do you reach it when the Windows client leaves the LAN?
How would you reach anything else when it's not on the LAN?
VPN, ssh etc.
-
@DustinB3403 said in Ansible Agent Option?:
@scottalanmiller said in Ansible Agent Option?:
@DustinB3403 said in Ansible Agent Option?:
@Obsolesce said in Ansible Agent Option?:
Why Ansible with Windows?
I don't think @scottalanmiller is running Ansible from Windows, but looking to manage Windows with Ansible.
Which it looks like it's included. .
Correct. It is included, but how do you reach it when the Windows client leaves the LAN?
How would you reach anything else when it's not on the LAN?
VPN, ssh etc.
Salt has no issue with that, works the same on LAN or off LAN.
-
With Windows, my guess would be Powershell over SSH
-
@DustinB3403 said in Ansible Agent Option?:
@scottalanmiller said in Ansible Agent Option?:
@DustinB3403 said in Ansible Agent Option?:
@Obsolesce said in Ansible Agent Option?:
Why Ansible with Windows?
I don't think @scottalanmiller is running Ansible from Windows, but looking to manage Windows with Ansible.
Which it looks like it's included. .
Correct. It is included, but how do you reach it when the Windows client leaves the LAN?
How would you reach anything else when it's not on the LAN?
VPN, ssh etc.
Don't want a VPN or to expose ports. Salt handles this beautifully. I can't figure out how all the other ecosystems deal with the myriad machines that don't sit directly accessible on the LAN.
-
@DustinB3403 said in Ansible Agent Option?:
With Windows, my guess would be Powershell over SSH
SSH call back automation isn't the best and if you don't have a person managing it, I think you are going to have a tough time.
-
SHould work, in theory, but having every machine SSH back to the Ansible server to establish a tunnel is extremely cumbersome.
-
@scottalanmiller said in Ansible Agent Option?:
@DustinB3403 said in Ansible Agent Option?:
With Windows, my guess would be Powershell over SSH
SSH call back automation isn't the best and if you don't have a person managing it, I think you are going to have a tough time.
Well windows isn't* POSIX compliant so yeah. . I'd expect as much.
-
@DustinB3403 said in Ansible Agent Option?:
@scottalanmiller said in Ansible Agent Option?:
@DustinB3403 said in Ansible Agent Option?:
With Windows, my guess would be Powershell over SSH
SSH call back automation isn't the best and if you don't have a person managing it, I think you are going to have a tough time.
Well windows is POSIX compliant so yeah. . I'd expect as much.
Yeah, but it would be crappy on UNIX, too. SSH call backs are just cumbersome all around.
