
    Using Ansible to Manage install and update Apple OSX DHCP clients

    IT Discussion
    osx ansible homebrew apple automation
    • stacksofplates @DustinB3403

      @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

      @stacksofplates So on your ansible server do you have a folder called playbooks and in that you have numerous different <something>.yml files each that do something?

      It's up to personal preference. I store things in ~/Documents/projects/ansible. Then in that I have a playbooks directory and a roles directory. Playbooks has the playbooks I need which is a single git repo and then each role has its own git repo under roles.

      Your default ansible.cfg file is in /etc/ansible.cfg. It points you to /etc/ansible/hosts and /etc/ansible/roles. I never use that. I always set an ansible.cfg in my playbooks directory. It overrides that and stores everything in that playbooks directory.

      • DustinB3403 @IRJ

        @IRJ said in Using Ansible to Manage install and update Apple OSX DHCP clients:

        As @stacksofplates mentioned, connect with SSH how you do now, and I would create a special account just for ansible via playbook once you authenticat

        Okay, that would just be over ssh as our administrative user

        • IRJ @stacksofplates

          @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

          @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

          So going out on the wild assumption that I wasn't on my couch right now, how would ansible find my clients?

          No credentials have been set anywhere - how do I add my clients?

          So how you use credentials depends on how you have them set up on your systems. If you have a user that can access all of them, then you can use that user. If you don't, you'll have to call separate plays for the different systems.

          If you're running an ansible ad-hoc command you can do:

          ansible -i <path to inventory> group-name -m setup -u <username> 
          

          SSH keys are preferable, but if you don't have them you can pass a -k to ask for the SSH password. -K is the sudo password flag and goes along with -b for become (meaning become another user).

          To run a playbook, just have your user defined like I showed in the other thread and become as true if you need it.

          @DustinB3403 this is what I am talking about. Use your SSH root user to run the user creation playbook.

          • DustinB3403 @IRJ

            @IRJ said in Using Ansible to Manage install and update Apple OSX DHCP clients:

            @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

            @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

            So going out on the wild assumption that I wasn't on my couch right now, how would ansible find my clients?

            No credentials have been set anywhere - how do I add my clients?

            So how you use credentials depends on how you have them set up on your systems. If you have a user that can access all of them, then you can use that user. If you don't, you'll have to call separate plays for the different systems.

            If you're running an ansible ad-hoc command you can do:

            ansible -i <path to inventory> group-name -m setup -u <username> 
            

            SSH keys are preferable, but if you don't have them you can pass a -k to ask for the SSH password. -K is the sudo password flag and goes along with -b for become (meaning become another user).

            To run a playbook, just have your user defined like I showed in the other thread and become as true if you need it.

            @DustinB3403 this is what I am talking about. Use your SSH root user to run the user creation playbook.

            So my inventory file is currently in (I assume) /etc/ansible/hosts, right?

            Also I don't think that is how you create users on OSX cli (have to confirm)

            • stacksofplates

              So here's my tree view for that directory

              ansible
                 ├── playbooks
                    ├── ansible.cfg
                    ├── apache.yml
                    ├── group_vars
                    ├── inventory
                    ├── Makefile
                    └── roles
                      ├── apache
                      ├── firewalld
                      ├── grafana
                      ├── nginx
                      ├── node-exporter
                      └── prometheus
              
              
              • DustinB3403 @stacksofplates

                @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                So here's my tree view for that directory

                ansible
                   ├── playbooks
                      ├── group_vars
                      ├── inventory
                      └── roles
                   └── roles
                        ├── apache
                        ├── firewalld
                        ├── grafana
                        ├── nginx
                        ├── node-exporter
                        └── prometheus
                
                

                I assume this actually looks like

                etc
                └──ansible
                	├── playbooks
                	├── group_var
                	├── inventory
                	└── roles
                └── roles
                	├── apache
                	├── firewalld
                	├── grafana
                	├── nginx
                	├── node-exporter
                	└── prometheus
                
                • stacksofplates @DustinB3403

                  @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                  @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                  So here's my tree view for that directory

                  ansible
                     ├── playbooks
                        ├── group_vars
                        ├── inventory
                        └── roles
                     └── roles
                          ├── apache
                          ├── firewalld
                          ├── grafana
                          ├── nginx
                          ├── node-exporter
                          └── prometheus
                  
                  

                  I assume this actually looks like

                  etc
                  └──ansible
                      ├── playbooks
                      ├── group_var
                      ├── inventory
                      └── roles
                  └── roles
                      ├── apache
                      ├── firewalld
                      ├── grafana
                      ├── nginx
                      ├── node-exporter
                      └── prometheus

                  No it's under ~/Documents/projects/ansible like I mentioned above.

                  • DustinB3403

                    To ask, can I add hosts by hostname to the host file rather than by IP address? Being these systems are portable, their IP can change at a moment's notice and would cause all kinds of SSH complaints like WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

                    • IRJ @DustinB3403

                      @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                      To ask, can I add hosts by hostname to the host file rather than by IP address? Being these systems are portable, their IP can change at a moment's notice and would cause all kinds of SSH complaints like WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

                      Yes. That was one of the first things I recommended 😛

                      • stacksofplates @DustinB3403

                        @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                        To ask, can I add hosts by hostname to the host file rather than by IP address? Being these systems are portable, their IP can change at a moment's notice and would cause all kinds of SSH complaints like WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

                        Yeah that's why I said you can either use FQDN or IP address and why I also mentioned disabling host key checking for Ansible. There are times not to disable it but shouldn't matter in this case.

                        1 Reply Last reply Reply Quote 0
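
A project-local ansible.cfg of the kind described earlier in the thread, written so that host key checking stays on for clients whose DHCP addresses change, plus a small check for the settings that switch it off. This is an added example, not code from any poster; the directory, the host names and the `ansible` user are placeholders.

```shell
#!/bin/sh
# Added example. The directory, host names and "ansible" user are placeholders.

# Write a project-local ansible.cfg and inventory. Ansible reads ./ansible.cfg
# ahead of ~/.ansible.cfg and /etc/ansible/ansible.cfg.
write_project() {
    mkdir -p "$1/roles" "$1/group_vars"
    chmod go-w "$1"    # ./ansible.cfg is not loaded from a world-writable directory
    cat > "$1/ansible.cfg" <<'EOF'
[defaults]
inventory = ./inventory
roles_path = ./roles
remote_user = ansible
host_key_checking = True

[ssh_connection]
# Ansible default ssh_args plus CheckHostIP=no: the host key is matched
# against the inventory name only, not against whatever address DHCP
# handed out today.
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o CheckHostIP=no
EOF
    cat > "$1/inventory" <<'EOF'
[macs]
mac-01.example.internal
mac-02.example.internal
EOF
}

# Print (with line numbers) any setting in an ansible.cfg that turns SSH host
# key verification off. Exit status 0 means at least one was found.
lint_cfg() {
    grep -inE '^[[:space:]]*host_key_checking[[:space:]]*=[[:space:]]*(false|no|0|off)|StrictHostKeyChecking=no|UserKnownHostsFile=/dev/null' "$1"
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
write_project "$demo/playbooks"
lint_cfg "$demo/playbooks/ansible.cfg" || echo "playbooks/ansible.cfg: host key checking is on"
printf '[defaults]\nhost_key_checking = False\n' > "$demo/weak.cfg"   # constructed
lint_cfg "$demo/weak.cfg"
```

With host key checking on, each client's key has to be in known_hosts under its inventory name before the first run; a first manual ssh to that name records it.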
                        • Obsolesce

                          So you are going to have SSH open on everything while allowing root and/or password login?

                          TF?

                          • DustinB3403 @Obsolesce

                            @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                            So you are going to have SSH open on everything while allowing root and/or password login?

                            TF?

                            SSH is open on Mac OSX by default already, nothing I'm doing is opening that.

                            I'm looking to set up SSH keys also. I've already set up SSH keys, so I'm not sending passwords.

                            This is also still very early stage testing and things can be changed/improved well before deployment.

                            • IRJ @Obsolesce

                              @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                              So you are going to have SSH open on everything while allowing root and/or password login?

                              TF?

                              You can use keys (recommended). Also, ideally you only run your management tools from one subnet. You only open ssh on the clients to that subnet. No reason for client1 to be able to SSH to client2. You could also get more restrictive and only allow specific IPs.

                              1 Reply Last reply Reply Quote 0
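
A check for the points raised in this exchange (root login, password login, and limiting where SSH may come from), run over an sshd_config. This is an added example, not code from any poster; the two sample files, the `ansible` account and the 10.20.30.0/24 management subnet are constructed.

```shell
#!/bin/sh
# Added example. Sample files, the "ansible" account and 10.20.30.0/24 are constructed.

# Print one finding per line for the global section of an sshd_config;
# print nothing when the file passes.
audit_sshd() {
    awk '
        /^[ \t]*(#|$)/      { next }                 # comments and blank lines
        in_match            { next }                 # Match blocks are not audited
        { key = tolower($1) }                        # keywords are case-insensitive
        key == "match"      { in_match = 1; next }
        key == "allowusers" {                        # AllowUsers lines accumulate
            seen_allow = 1
            for (i = 2; i <= NF; i++) if ($i !~ /@/) anywhere = anywhere " " $i
            next
        }
        !(key in val)       { val[key] = tolower($2) }   # first value wins
        END {
            if (val["permitrootlogin"] == "yes")
                print "root-login: PermitRootLogin yes lets root authenticate with a password"
            if (val["passwordauthentication"] != "no")
                print "password-auth: PasswordAuthentication is not no (the OpenSSH default is yes)"
            if (val["kbdinteractiveauthentication"] != "no" && val["challengeresponseauthentication"] != "no")
                print "kbd-interactive: KbdInteractiveAuthentication is not no; PAM can still prompt for a password"
            if (!seen_allow)
                print "source: no AllowUsers line limits accounts or source addresses"
            else if (anywhere != "")
                print "source: AllowUsers entries with no @host part:" anywhere
        }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/weak" <<'EOF'
# constructed sample: root and password logins left on
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$tmp/hardened" <<'EOF'
# constructed sample: keys only, one account, management subnet only
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers ansible@10.20.30.0/24
EOF

echo "weak:";     audit_sshd "$tmp/weak"
echo "hardened:"; audit_sshd "$tmp/hardened"
```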
                              • stacksofplates @Obsolesce

                                @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                                So you are going to have SSH open on everything while allowing root and/or password login?

                                TF?

                                Maybe tone it down a tad since you apparently don't understand what's happening. We are recommending using keys for authentication. Using the password only to set that up. Second where did the allowing root come from? That never came up. Third I know you're on the Salt is the savior of everything train, but SSH is just as secure as ZeroMQ. If you limit where SSH access can come from to a subnet (like @IRJ mentioned) or a single machine it's pretty much exactly what you have with ZeroMQ but just not a message bus.

                                Plus this is ignoring the fact that when you get to fully immutable infrastructure (I realize the Macs aren't that) you can leverage Ansible through tools like Packer to build your image and never need SSH after the fact because you don't ever log in again at all.

                                • Obsolesce @stacksofplates

                                  @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                                  Maybe tone it down a tad since you apparently don't understand what's happening. We are recommending using keys for authentication.

                                  Yeah, I didn't read all the way down before I wrote that. I don't always have time to read past the first few, and it wasn't mentioned in what I did read. My bad there.

                                  • Obsolesce @stacksofplates

                                    @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                                    Third I know you're on the Salt is the savior of everything train, but SSH is just as secure as ZeroMQ.

                                    No, it's a preference, and for some things Salt works better, nothing more. Just like Fedora is a preference, but I use Ubuntu and others as well where they work better.

                                    At work, we use Ansible, and it works well for that case. There may be a secondary need for config management in the immediate area I work with, and for that SaltStack will work better naturally vs Ansible.

                                    Just FYI, I take every technology case by case. Just because I show a preference, does not EVER mean I choose that by default. I always use the best option for that specific case, regardless of my preference, so long as I have a say.

                                    • stacksofplates @Obsolesce

                                      @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                                      @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                                      Third I know you're on the Salt is the savior of everything train, but SSH is just as secure as ZeroMQ.

                                      No, it's a preference, and for some things Salt works better, nothing more. Just like Fedora is a preference, but I use Ubuntu and others as well where they work better.

                                      At work, we use Ansible, and it works well for that case. There may be a secondary need for config management in the immediate area I work with, and for that SaltStack will work better naturally vs Ansible.

                                      Just FYI, I take every technology case by case. Just because I show a preference, does not EVER mean I choose that by default. I always use the best option for that specific case, regardless of my preference, so long as I have a say.

                                      I agree. Ansible isn't the best use case for laptop management unless you're using an SD-WAN or you are really immutable with them (kind of like what Google does with their Chromebooks).

                                      I mean there's "workarounds" to do remote callbacks to your config management platform (like remote triggers with Jenkins and provisioning callbacks in Tower or ansible-pull) but they are a little more advanced and aren't for everyone.

                                      • DustinB3403

                                        Okay so I'm just now getting back to this after the break and the Monday rush.

                                        I'm having an issue that doesn't make sense to me.

                                        I can't use ansible to ping any of my hosts (the one of interest is everything dbeue) but I can ssh in without having to enter a password so keyauth is working.

                                        e1L3Z9m2af.png

                                        What am I missing or have misconfigured here?

                                        • IRJ @DustinB3403

                                          @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:

                                          Okay so I'm just now getting back to this after the break and the Monday rush.

                                          I'm having an issue that doesn't make sense to me.

                                          I can't use ansible to ping any of my hosts (the one of interest is everything dbeue) but I can ssh in without having to enter a password so keyauth is working.

                                          e1L3Z9m2af.png

                                          What am I missing or have misconfigured here?

                                          That looks like a DNS issue.

                                          • DustinB3403 @IRJ

                                            @IRJ will add the IP and test again, but I'm pretty certain I was unable to ping even by IP address.
