-
I'm not Jeff, but hope you'll take my opinion. If you have further Ansible questions, I'd suggest not asking them here in the book's "issues" section. I'd suggest using the Google Group for discussing Ansible, or asking your question over on the Reddit r/Ansible group. You asked:
Yes, the current best practice is to have Ansible connect into the machine(s) it is managing as a "normal" account (specifically NOT "root"), then use the "sudo" command to execute the tasks that need elevated access.
Ansible can do this for you too - look at the "-K" and/or the "--ask-become-pass" command-line flags (noted here). This flag will then prompt you for the account's "sudo" password. This is easy enough to remember because the "-k" (or the "--ask-pass") flag prompts for the user account password to use if SSH keys aren't set up.
Using "sudo" with the "NOPASSWD" option when the account could use it for anything (which Ansible essentially would). From the user's perspective, it's annoying if you have to type it in tens of times when doing work. But from Ansible's perspective, it's a program and doesn't care if it provides it once or thousands of times during the execution of a play. Good luck!
-
Going to move this to a discussion since I think it does bring up some good points as @dglinder mentions—and that way something like his excellent comment could also be marked as a good answer :)
-
Thank you for writing this great book Jeff.
I'd like to know what are the best practices out there to set up an Ansible-friendly machine.
Ideally what we want is to have ssh access via a non-root user and then "become" root via sudo when necessary.
Is that what you do? Is that an accepted secure way to configure a linux box?
I am asking because that is not what I am seeing in some of the machines I want to run Ansible on. Most of the time, sudo requires you to enter your user password. In that context Ansible is unusable.
When I ask sysadmins/devops to change the setup to the "ideal setup" (sudo without password) they don't do it on the basis of security. Is that a valid security concern? And, if it is, what do you do then to run Ansible?
Thank you.
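The thread contrasts two ways of giving an Ansible login account root access: a blanket `NOPASSWD: ALL` entry in sudoers (the "ideal setup" the question describes), and a normal password-prompting sudo rule used together with `ansible-playbook -K` (the first comment's recommendation). The script below is an added example written for this discussion; it is not code from the book, from Ansible, or from either commenter. It reads sudoers-format text on stdin and sorts the `NOPASSWD` rules into "blanket" (any command, no password) and "scoped" (no password, but only for a fixed command list), which is the distinction an administrator weighs when asked to make a box "Ansible-friendly". The sample sudoers content and the account names (`deploy`, `ansible`, `backup`) are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread; not code from the book or from either commenter.
# Classifies sudoers NOPASSWD rules read from stdin:
#   blanket: "NOPASSWD: ALL"        - password-less sudo for any command
#   scoped:  "NOPASSWD: <cmd list>" - password-less sudo for named commands only
# Rules with no NOPASSWD tag prompt for a password, which is the case
# "ansible-playbook -K" (--ask-become-pass) is designed for.

# Drop comments and blank lines. (Real sudoers files may also contain
# #include / #includedir directives; this example does not follow them.)
strip_sudoers() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# Lines whose command list after "NOPASSWD:" is exactly ALL.
# "|| true" keeps a no-match grep from failing the pipeline under set -e.
blanket_nopasswd() {
    strip_sudoers | grep -E 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' || true
}

# Lines that use NOPASSWD: for something narrower than ALL.
scoped_nopasswd() {
    strip_sudoers | grep 'NOPASSWD:' \
        | grep -vE 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' || true
}

# Human-readable report; always exits 0 so it can sit inside a larger script.
report_nopasswd() {
    input=$(cat)
    echo "== blanket NOPASSWD (password-less sudo for any command) =="
    printf '%s\n' "$input" | blanket_nopasswd
    echo "== scoped NOPASSWD (password-less sudo for listed commands only) =="
    printf '%s\n' "$input" | scoped_nopasswd
}

# Constructed sample sudoers content; not taken from any real host.
SAMPLE_SUDOERS='# sample sudoers (constructed for this example)
root     ALL=(ALL:ALL) ALL
%wheel   ALL=(ALL) ALL                      # prompts; pair with ansible-playbook -K
deploy   ALL=(ALL) NOPASSWD: ALL            # blanket
ansible  ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get install *
backup   ALL=(root) NOPASSWD:ALL            # blanket, no space after the colon
'

printf '%s\n' "$SAMPLE_SUDOERS" | report_nopasswd
```

On a real host the input would be `sudo cat /etc/sudoers /etc/sudoers.d/*`. Accounts that land in the "blanket" list are the ones the sysadmins in the question are objecting to; the alternative the first comment describes keeps the `%wheel`-style rule and runs `ansible-playbook -i hosts.ini site.yml -K`, so Ansible prompts once for the sudo password and reuses it for every `become` task in the play (the inventory and playbook names here are placeholders).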