1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Add info about sudo.

This commit is contained in:
Michael DeHaan 2012-04-14 08:45:27 -04:00
parent 2850b8d921
commit adbf3590c5
15 changed files with 49 additions and 21 deletions

View file

@ -245,7 +245,7 @@ languages:
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -329,7 +329,7 @@ a conf.d file appropriately or something similar. Who knows.</p>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -181,8 +181,9 @@ ssh-add ~/.ssh/id_rsa.pub</pre>
<div class="highlight-python"><pre>ansible atlanta -a "/usr/bin/foo" -u yourname</pre>
</div>
<p>If you want to run commands through sudo:</p>
<div class="highlight-python"><pre>ansible atlanta -a "/usr/bin/foo" -u yourname --sudo</pre>
</div>
<blockquote>
<div>ansible atlanta -a &#8220;/usr/bin/foo&#8221; -u yourname &#8211;sudo [&#8211;ask-sudo-pass]</div></blockquote>
<p>Use &#8211;ask-sudo-pass (-K) if you are not using passwordless sudo.</p>
<p>If you need to access SSH on a different port:</p>
<div class="highlight-python"><pre>ansible atlanta -a "/usr/bin/foo" -p 2112</pre>
</div>
@ -340,7 +341,7 @@ a simplified syntax for this.</p>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -137,6 +137,7 @@ s.parentNode.insertBefore(ga, s);
</ul>
</li>
<li><a class="reference internal" href="#other-questions">Other Questions</a><ul>
<li><a class="reference internal" href="#what-is-ansible-s-approach-to-security">What is Ansible&#8217;s approach to security?</a></li>
<li><a class="reference internal" href="#how-does-ansible-scale">How does Ansible scale?</a></li>
<li><a class="reference internal" href="#are-transports-other-than-ssh-supported">Are transports other than SSH supported?</a></li>
<li><a class="reference internal" href="#what-are-some-ideal-uses-for-ansible">What are some ideal uses for Ansible?</a></li>
@ -277,6 +278,21 @@ useful for sysadmins (not just web developers), and can also be used for firing
</div>
<div class="section" id="other-questions">
<h2>Other Questions<a class="headerlink" href="#other-questions" title="Permalink to this headline"></a></h2>
<div class="section" id="what-is-ansible-s-approach-to-security">
<h3>What is Ansible&#8217;s approach to security?<a class="headerlink" href="#what-is-ansible-s-approach-to-security" title="Permalink to this headline"></a></h3>
<p>Ansible aims to not develop custom daemon code but rely heavily on OpenSSH, which is extremely well
peer reviewed and the most widely used security subsystem in the industry. As a result, Ansible
has a lower attack surface than any configuration management tool featuring daemons that run
as root, and you do not have to worry about network security vulnerabilities in the tool itself.</p>
<p>If your central server is taken over (or even logged into by a malicious employee),
provided you were using SSH-agent and encrypted keys (and/or sudo with a password),
your keys are still locked and no one can take control of your nodes.</p>
<p>Compared with something like Chef/Puppet/other, compromised manifests would lead
to a loss of the whole network, with your network turning into an easily controllable
botnet. Further by not running daemon infrastructure, you have more
free RAM and compute resources, which should be relevant to users wanting to maximize their
computing investments.</p>
</div>
<div class="section" id="how-does-ansible-scale">
<h3>How does Ansible scale?<a class="headerlink" href="#how-does-ansible-scale" title="Permalink to this headline"></a></h3>
<p>Whether in single-execution mode or using ansible playbooks, ansible can
@ -335,7 +351,7 @@ tasks &#8211; whether for a QA sytem, build system, or anything you can think of
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -160,7 +160,7 @@ s.parentNode.insertBefore(ga, s);
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -303,7 +303,7 @@ explore, but you already have a fully working infrastructure!</p>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -182,13 +182,17 @@ version of software if required.</p>
<p>Other deployment oriented frameworks similarly cover deployment well but lack a strongly defined resource model and devolve into glorified remote scripts. Ansible playbooks &#8211; having been designed with this problem in mind &#8211; are good at both deployment &amp; idempotent configuration, meaning you don&#8217;t have to spread your infrastructure management out between different tools (Puppet+Capistrano, Chef+Fabric, etc), and performing ordered steps between different classes of machines is no problem, yet our modules affect system state only when required &#8211; while avoiding the problem of fragile scripting that assumes certain starting
or ending states.</p>
<p>Ansible is also unique in other ways. Extending ansible does not require programming in any particular language &#8211; you can write <a class="reference internal" href="modules.html"><em>Ansible Modules</em></a> as idempotent scripts or programs that return simple JSON. Ansible is also pragmatic, so when you need to, it&#8217;s also trivially easy to just execute useful shell commands.</p>
<p>Why use Ansible versus something else? (Puppet, Chef, Capistrano, etc?) Ansible will have far
<p>Why use Ansible versus other configuration management tools? (Puppet, Chef, etc?) Ansible will have far
less code, it will be (by extension) more correct, and it will be the
easiest thing to hack on and use you&#8217;ll ever see &#8211; regardless of your
favorite language of choice.</p>
<p>Systems management doesn&#8217;t have to be complicated. Ansible&#8217;s docs
will remain short &amp; simple, and the source will be blindingly obvious.</p>
<p>We&#8217;ve learned well from &#8220;Infrastructure is Code&#8221;. Infrastructure should be easy and powerful to command, but it should not look like code, lest it acquire the disadvantages of a software project &#8211; bugs, complexity, and overhead. Infrastructure configurations should be simple, easy to develop, and easy to audit.</p>
favorite language of choice. Versus other deployment tools? (Capistrano, Fabric?). Ansible playbooks are easier
to use (not being code) and also allows intermixing of idempotent configuration management rules for a higher level
of control. Further, it was designed for deploying multi-node applications from the beginning.</p>
<p>Compared with most configuration managememnt tools, Ansible is also more secure. While most configuration management tools use a daemon, running as root with full access to the system, with it&#8217;s own in-house developed PKI infrastructure, Ansible just uses SSH (and supports sudo as neccesssary). There is no additional attack surface and OpenSSH is one of the most peer reviewed security components out there.
If a central server containing your playbooks are comprimised, your nodes are not &#8211; which is NOT the case
of these other tools, which can, more or less, turn into a botnet. Our security approach is to avoid writing custom
crypto code altogether, and rely on the most secure part of the Linux/Unix subsystem that your machines are already using.</p>
<p>Systems management doesn&#8217;t have to be complicated. Ansible&#8217;s docs will remain short &amp; simple, and the source will be blindingly obvious. We&#8217;ve learned well from &#8220;Infrastructure is Code&#8221;. Infrastructure should be easy and powerful to command, but it should not look like code, lest it acquire the disadvantages of a software project &#8211; bugs, complexity, and overhead. Infrastructure configurations should be simple, easy to develop, and easy to audit.</p>
<div class="section" id="architecture">
<h2>Architecture<a class="headerlink" href="#architecture" title="Permalink to this headline"></a></h2>
<div align="center" class="align-center"><img alt="&quot;Architecture Diagram&quot;" class="align-center" src="http://ansible.github.com/ansible_arch2.jpg" style="width: 800px;" /></div>
@ -345,6 +349,7 @@ Email: <input type=text name=email>&nbsp;&nbsp;<input type=submit name="sub" val
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="faq.html#other-questions">Other Questions</a><ul>
<li class="toctree-l3"><a class="reference internal" href="faq.html#what-is-ansible-s-approach-to-security">What is Ansible&#8217;s approach to security?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faq.html#how-does-ansible-scale">How does Ansible scale?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faq.html#are-transports-other-than-ssh-supported">Are transports other than SSH supported?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faq.html#what-are-some-ideal-uses-for-ansible">What are some ideal uses for Ansible?</a></li>
@ -376,7 +381,7 @@ Puppet Labs, and rPath. Reach Michael by email <a class="reference external" hr
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -394,7 +394,7 @@ Stop by the mailing list to inquire about requirements.</p>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -613,7 +613,7 @@ yum pkg=httpd ensure=installed</pre>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -240,7 +240,7 @@ wildcards:</p>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -239,6 +239,9 @@ documentation. The <cite>user</cite> is just the name of the user account:</p>
user: yourname
sudo: True</pre>
</div>
<p>If you need to specify a password to sudo, run <cite>ansible-playbook</cite> with <cite>&#8211;ask-sudo-pass</cite> (<cite>-K</cite>).
If you run a sudo playbook and the playbook seems to hang, it&#8217;s probably stuck at the sudo prompt.
Just <cite>Control-C</cite> to kill it and run it again with <cite>-K</cite>.</p>
</div>
<div class="section" id="vars-section">
<h3>Vars section<a class="headerlink" href="#vars-section" title="Permalink to this headline"></a></h3>
@ -659,7 +662,7 @@ Let&#8217;s run a playbook using a parallelism level of 10:</p>
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

View file

@ -146,7 +146,7 @@ has a lower attack surface than any configuration management tool featuring daem
as root, and you do not have to worry about network security vulnerabilities in the tool itself.
If your central server is taken over (or even logged into by a malicious employee),
provided you were using SSH-agent and passwords with keys (and/or sudo with a password),
provided you were using SSH-agent and encrypted keys (and/or sudo with a password),
your keys are still locked and no one can take control of your nodes.
Compared with something like Chef/Puppet/other, compromised manifests would lead

View file

@ -80,6 +80,9 @@ Support for running things from sudo is also available::
user: yourname
sudo: True
If you need to specify a password to sudo, run `ansible-playbook` with `--ask-sudo-pass` (`-K`).
If you run a sudo playbook and the playbook seems to hang, it's probably stuck at the sudo prompt.
Just `Control-C` to kill it and run it again with `-K`.
Vars section
++++++++++++

View file

@ -177,7 +177,7 @@ s.parentNode.insertBefore(ga, s);
<p class="pull-right"><a href="#">Back to top</a></p>
<p>
&copy; Copyright 2012 Michael DeHaan.<br/>
Last updated on Apr 12, 2012.<br/>
Last updated on Apr 14, 2012.<br/>
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.8.<br/>
</p>
</div>

File diff suppressed because one or more lines are too long