
I agree ... Ansible is awesome.

I'm using a single set of playbooks for my infrastructure with Jenkins to check out changes and push them to production machines. The same infrastructure definitions are used with Vagrant to give each developer an exact copy of the production system.




How do you let Jenkins install packages and make changes to the machine? Passwordless sudo?


I turn off password access to production machines, so nobody accesses them without a known key anyway. Ansible has its own key installed on the servers and its account is allowed to sudo without a password.
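The posture this comment describes (no password logins over SSH, an Ansible account that can sudo without a password) can be checked from the host's own config files. The script below is an added example, not the commenter's code; it reads an sshd_config and a sudoers file, both constructed inline here so it runs offline, and lists which accounts hold passwordless sudo and which of those grants are the unrestricted "ALL".

```shell
#!/bin/sh
# Added audit helper, not code from the thread: reads an sshd_config and a
# sudoers file and reports (a) whether password logins are still enabled and
# (b) which accounts hold passwordless sudo, flagging unrestricted "ALL" grants.
# The two inputs below are constructed samples so the script runs offline.

SSHD_SAMPLE='Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin without-password
Match User backup
    PasswordAuthentication yes'

SUDOERS_SAMPLE='Defaults    env_reset
root    ALL=(ALL:ALL) ALL
# account used by the CI runner (constructed sample)
ansible ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app'

# Effective global PasswordAuthentication value: sshd takes the first
# uncommented keyword, keywords are case-insensitive, the default is "yes",
# and everything after the first Match block is conditional, so stop there.
sshd_password_auth() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "match" { exit }
    tolower($1) == "passwordauthentication" && !seen { v = tolower($2); seen = 1 }
    END { print (seen ? v : "yes") }'
}

# One "user<TAB>commands" line per sudoers entry carrying the NOPASSWD tag;
# comment and blank lines are skipped.
sudoers_nopasswd() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    /NOPASSWD:/ { user = $1; sub(/.*NOPASSWD:[[:space:]]*/, ""); print user "\t" $0 }'
}

# Only the accounts whose passwordless grant is the unrestricted "ALL":
# whoever holds their SSH key holds root on the host.
sudoers_nopasswd_all() {
  sudoers_nopasswd "$1" | awk -F '\t' '$2 == "ALL" { print $1 }'
}

echo "PasswordAuthentication: $(sshd_password_auth "$SSHD_SAMPLE")"
echo "NOPASSWD grants:"
sudoers_nopasswd "$SUDOERS_SAMPLE"
echo "Unrestricted NOPASSWD accounts: $(sudoers_nopasswd_all "$SUDOERS_SAMPLE" | tr '\n' ' ')"
```

Point the functions at `/etc/ssh/sshd_config` and `/etc/sudoers` (plus any `/etc/sudoers.d/*` fragments) via `"$(cat file)"` to audit a real host; a non-empty unrestricted list is the case the thread is arguing about.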


So if I can break into your CI machine (or just get Jenkins to run random commands on your prod server, which is probably easier), I then have sudo access to your prod server?

Using Ansible from a local machine is fine, because you can make your devs type in passwords etc., but I can't think of a secure way to do it with continuous integration.


Don't assume that breaking into his CI instance is easier than breaking into the prod server. It's probably on a private subnet, in the first place.


That's one way; you could also allow SSH key access as root.

Ansible also has a --ask-pass and --ask-sudo-pass if you want to provide a password.


So you store a password that will give you root/sudo on your production machine in your deployment code, or just on your CI server?


I would suggest just using keys in this case.



