So, two repos? One with passwords in it, another without?

--David Reagan

On Thu, Jun 4, 2015 at 11:47 PM, Mirko Friedenhagen <mfriedenha...@gmail.com> wrote:

> Hello David,
>
> I am using push right now exclusively and thought about ansible-pull as
> well.
>
> My idea was to tag all tasks which need passwords/secret keys and only run
> them in push mode. Most (of my) tasks do not need secrets.
>
> Regards
> Mirko
> --
> Sent from my mobile
> Am 04.06.2015 22:34 schrieb "David Reagan" <jer...@gmail.com>:
>
>> ansible-pull checks out your entire project repository, then runs
>> whichever playbook you tell it to. That repo is basically a map to your
>> entire infrastructure.
>>
>> So, how do you ensure a compromised server doesn't reveal all that
>> information to an attacker? (With the assumption that the attacker has root
>> access, and that a single rooted server doesn't mean your entire
>> infrastructure is rooted.)
>>
>> ansible-pull can purge the repo after it runs, but that doesn't stop an
>> attacker from running ansible-pull with that option turned off in order to
>> get a copy of the whole repo. Or just read the repo the next time
>> ansible-pull is running.
>>
>> If you use ansible-vault, then your vault password is either in the cron
>> job, or in a file on the server that the attacker has access to, and knows
>> the location of.
>>
>> So far, all I can think of to mitigate these issues, is a repo per
>> server, and a vault password per repo.... Which kinda destroys most of why
>> people use configuration management.
>>
>> Am I just not thinking of it in the right way, or maybe misunderstanding
>> how something works?
>>
>>  --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-project+unsubscr...@googlegroups.com.
>> To post to this group, send email to ansible-project@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com
>> <https://groups.google.com/d/msgid/ansible-project/ccc8006c-6007-490e-9b61-2c720c8dafbd%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>

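Mirko's tag-gating convention, written out as an added example that is not part of this thread or of Ansible itself: a small Python lint that flags tasks which touch secrets but lack the gating tag, plus the argv for the pull-mode run that skips that tag. The tag name `secrets`, the `vault_` variable-naming heuristic, the `no_log` heuristic and the sample task list are all my assumptions; the tasks are constructed in the shape Ansible loads from a play's `tasks:` section.

```python
import re
from typing import Any, Iterator

# Assumed tag name for tasks that must only run in push mode; the thread names none.
SECRET_TAG = "secrets"

# Heuristic (assumption): variables sourced from ansible-vault are conventionally
# named vault_<something>, so a Jinja reference to one marks the task as secret-bearing.
SECRET_VAR_RE = re.compile(r"\{\{\s*vault_\w+")

# Constructed sample tasks, as Ansible would load them from a playbook.
SAMPLE_TASKS: list[dict[str, Any]] = [
    {"name": "Install nginx",
     "apt": {"name": "nginx", "state": "present"},
     "tags": ["web"]},
    {"name": "Template nginx config",
     "template": {"src": "nginx.conf.j2", "dest": "/etc/nginx/nginx.conf"},
     "tags": ["web"]},
    {"name": "Write DB password",
     "copy": {"content": "{{ vault_db_password }}", "dest": "/etc/app/db.pw", "mode": "0600"},
     "tags": ["secrets", "app"]},
    # Untagged secret-bearing task: would be executed by an ansible-pull run.
    {"name": "Deploy TLS key",
     "copy": {"content": "{{ tls_private_key }}", "dest": "/etc/ssl/private/app.key"},
     "no_log": True},
]


def _strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere inside a task's module arguments."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def needs_secret(task: dict[str, Any]) -> bool:
    """True if the task references a vault_* variable or is marked no_log (heuristic)."""
    if task.get("no_log"):
        return True
    args = {k: v for k, v in task.items() if k != "name"}
    return any(SECRET_VAR_RE.search(s) for s in _strings(args))


def task_tags(task: dict[str, Any]) -> set[str]:
    """Normalise `tags:` (Ansible accepts a bare string or a list)."""
    tags = task.get("tags", [])
    return {tags} if isinstance(tags, str) else set(tags)


def find_unguarded(tasks: list[dict[str, Any]], secret_tag: str = SECRET_TAG) -> list[str]:
    """Names of tasks that need secrets but are not gated behind the secret tag."""
    return [t.get("name", "<unnamed>") for t in tasks
            if needs_secret(t) and secret_tag not in task_tags(t)]


def pull_argv(repo_url: str, playbook: str, secret_tag: str = SECRET_TAG) -> list[str]:
    """Pull-mode invocation (for the cron job) that skips the secret-gated tasks
    and purges the checkout afterwards; push-mode runs omit --skip-tags."""
    return ["ansible-pull", "-U", repo_url, "--purge", "--skip-tags", secret_tag, playbook]


if __name__ == "__main__":
    for name in find_unguarded(SAMPLE_TASKS):
        print(f"unguarded secret task: {name}")
    print(" ".join(pull_argv("https://example.invalid/infra.git", "site.yml")))
```

Run in CI against the loaded task lists before anything lands in the repo that ansible-pull checks out. Note what this does and does not buy: `--skip-tags` keeps the pull run from ever needing the vault password on the host, but the repository is still checked out there in full, which is the "map to your entire infrastructure" exposure David raises; the lint narrows what a pull-mode host must be able to decrypt, not what it can read.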
