Onboarding SSH target hosts to PrivX via Ansible
Ansible Deployment
This example uses Ansible for deploying a target host into PrivX, and allows members of specified PrivX roles to access the host.
Prerequisites
- A host for running Ansible commands. Requires Ansible 1.2 or compatible.
- A target host satisfying the following requirements:
  - Python 2.7 installed. If Python is not available yet, modify the scripts to install it first.
  - Allows HTTPS to/from PrivX servers. You may need to allow HTTPS in the target-host firewall settings.
  - For automatic host deployment, the target host must have a user account that satisfies the following:
    - Ability to gain root privileges via passwordless sudo.
    - Allows SSH public-key login with a key that has no passphrase.
  (In the example Ansible files, we assume the ubuntu account on the target host satisfies these requirements.)
- PrivX must include some roles and users that are to be granted access to the target host. For more information about PrivX roles and users, see the PrivX Administrator Manual: PrivX Users and Permissions.
  (In the example Ansible files, we assume PrivX is configured with a web-developers role, and that this role has some members.)
- Host-deployment script downloaded from PrivX. For more information about obtaining a host-deployment script, see the PrivX Administrator Manual: Script-Based Certificate-Authentication Setup.
- You are familiar with host-deployment-script options.
Deploying PrivX Hosts with Ansible
Unless otherwise specified, perform the following commands on your Ansible machine:
1. Download the example playbook from GitHub to a directory on your Ansible machine. For the rest of the steps, we assume you downloaded the example playbook to the privx_ansible directory in your current working directory.
2. From your target host, download the private key used for accessing the host. Place it at privx_ansible/privx_test.pem. Keep the key readable only by the user running Ansible (for example mode 0600): it has no passphrase and logs in to an account with passwordless sudo, so anyone who can read it is root on the target.
3. From PrivX, download a host-deployment script. Place it at privx_ansible/deploy.py.
4. Modify privx_ansible/privx_hosts as follows:
   - Under [webservers], specify the target host you will deploy to PrivX.
   - Under [webservers:vars] (the vars section must name the same group as the host section), provide the SSH and Python settings to match your target host, and the location of the downloaded private key.
   - Set host_environment according to your host platform. For example: --aws for AWS hosts, or --standalone for non-cloud hosts.
   - Set --principals according to which roles you want accessing the target host.
5. Go to the privx_ansible directory and run Ansible as follows:
   $ cd privx_ansible
   $ ansible-playbook -b -i privx_hosts privx_hosts.yml
   deploy.py requires root privileges (the -b flag, "become", runs the tasks via sudo) because it modifies the OpenSSH-server configuration.
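As an added example (this is not the example playbook from the PrivX GitHub repository, nor PrivX's own code), the following shell script renders a privx_hosts inventory and a matching privx_hosts.yml playbook of the shape the steps above describe, and refuses to proceed silently if the private key is readable by other users. The inventory variable name principals, the interpreter path /usr/bin/python2.7, the documentation address 192.0.2.10 and the /tmp/privx-deploy.py destination are assumptions for this illustration; the real example files may use different names, and no deploy.py options beyond --aws, --standalone and --principals are assumed.

```shell
#!/bin/sh
# Added example: renders privx_hosts and privx_hosts.yml for the PrivX
# deployment described above. All values are placeholders/assumptions.
TARGET_NAME="${TARGET_NAME:-ubuntu1}"          # inventory alias for the target
TARGET_ADDR="${TARGET_ADDR:-192.0.2.10}"       # RFC 5737 documentation address (assumed)
TARGET_USER="${TARGET_USER:-ubuntu}"           # account with passwordless sudo
KEY_FILE="${KEY_FILE:-privx_test.pem}"         # relative to privx_ansible/
PYTHON_BIN="${PYTHON_BIN:-/usr/bin/python2.7}" # assumed interpreter path
HOST_ENV="${HOST_ENV:-"--standalone"}"         # or --aws for AWS hosts
PRINCIPALS="${PRINCIPALS:-web-developers}"     # PrivX role(s) granted access

# Inventory: one [webservers] group; the vars section must use the same group name.
render_inventory() {
cat <<EOF
[webservers]
$TARGET_NAME ansible_host=$TARGET_ADDR

[webservers:vars]
ansible_user=$TARGET_USER
ansible_ssh_private_key_file=$KEY_FILE
ansible_python_interpreter=$PYTHON_BIN
host_environment=$HOST_ENV
principals=$PRINCIPALS
EOF
}

# Playbook: copy deploy.py, run it as root (become), then remove it from the
# target so the registration script does not linger there.
render_playbook() {
cat <<'EOF'
---
- name: Deploy PrivX hosts
  hosts: webservers
  become: true   # deploy.py edits the OpenSSH server config; equivalent to -b on the CLI
  tasks:
    - name: Copy deploy.py script to target host
      copy:
        src: deploy.py
        dest: /tmp/privx-deploy.py
        mode: "0700"   # only root needs to read/run it

    - name: Run deployment script
      command: >
        {{ ansible_python_interpreter }} /tmp/privx-deploy.py
        {{ host_environment }} --principals {{ principals }}

    - name: Remove deployment script from target host
      file:
        path: /tmp/privx-deploy.py
        state: absent
EOF
}

# Returns success only if the key has no group/other permission bits:
# a passphrase-less key into a passwordless-sudo account is root on the target.
check_key_perms() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

[ -f "$KEY_FILE" ] && ! check_key_perms "$KEY_FILE" \
  && echo "warning: $KEY_FILE is readable by others; run: chmod 600 $KEY_FILE" >&2

# Print both files; redirect them into privx_ansible/ when ready, e.g.
#   render_inventory > privx_ansible/privx_hosts
#   render_playbook  > privx_ansible/privx_hosts.yml
#   (cd privx_ansible && ansible-playbook -b -i privx_hosts privx_hosts.yml)
echo "# ---- privx_hosts ----"
render_inventory
echo "# ---- privx_hosts.yml ----"
render_playbook
```

The script only prints the two files, so you can review them before writing them over the downloaded example files; the environment variables at the top let you switch to --aws or a different role without editing the script.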
You should see output similar to the following on successful deployment:
PLAY [Deploy PrivX hosts]
****************************************
TASK [Gathering Facts]
****************************************
ok: [ubuntu1]
TASK [common : Copy deploy.py script to target host]
****************************************
ok: [ubuntu1]
TASK [common : Run deployment script]
****************************************
changed: [ubuntu1]
PLAY RECAP
****************************************
ubuntu1: ok=3 changed=2 unreachable=0 failed=0
By default the deployment script fails for hosts that are already deployed in PrivX. If you want to be able to rerun the script for the same host (for example after changing --principals), you must enable Deployable in the host's settings in PrivX.