Onboarding SSH target hosts to PrivX via Ansible

Ansible Deployment

This example uses Ansible for deploying a target host into PrivX, and allows members of specified PrivX roles to access the host.

Prerequisites

  • A host for running Ansible commands. Requires Ansible 1.2 or compatible.
  • A target host satisfying the following requirements:
    • Python 2.7 installed. Modify the scripts to install Python if not available yet.
    • Allow HTTPS to/from PrivX servers. You may need to enable HTTPS in the target-host firewall settings.
    • For automatic host deployment, the target host must have a user account that satisfies the following:
      • Ability to gain root privileges via passwordless sudo.
      • Allows SSH public-key login without passphrase.
        (In the example Ansible files, we assume ubuntu account on the target host to satisfy these requirements.)
  • PrivX must include some roles and users that are to be granted access to the target host. For more information about PrivX roles and users, see the PrivX Administrator Manual: PrivX Users and Permissions.
    (In the example Ansible files, we assume PrivX is configured with a web-developers role, and that this role has some members.)
  • Host-deployment script downloaded from PrivX. For more information about obtaining a host-deployment-script, see the PrivX Administrator Manual: Script-Based Certificate-Authentication Setup.
    • You are familiar with host-deployment-script options.

Deploying PrivX Hosts with Ansible

Unless otherwise specified, perform the following commands on your Ansible machine:

  1. Download the example playbook from GitHub to a directory on your Ansible machine.

    For the rest of the steps, we assume you downloaded the example playbook to the privx_ansible directory in your current working directory.

  2. From your target host, download the private key used for accessing the host. Place it at privx_ansible/privx_test.pem.

  3. From PrivX, download a host-deployment script. Place it at privx_ansible/deploy.py.

  4. Modify privx_ansible/privx_hosts as follows:
    • Under [webservers], specify the target host you will deploy to PrivX.
    • Under [webservers:vars], provide the SSH and Python settings to match your target host, and the location of the downloaded private key.
    • Set host_environment according to your host platform. For example: --aws for AWS hosts, or --standalone for non-cloud hosts.
    • Set --principals according to which roles you want accessing the target host.
  5. Go to the privx_ansible directory and run Ansible as follows:

    $ cd privx_ansible
    $ ansible-playbook -b -i privx_hosts privx_hosts.yml

deploy.py requires sudo access (-b flag) for modifying OpenSSH-server configurations.
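The following shell script is an added example, not the PrivX documentation's own playbook or the example from GitHub. It writes an inventory and playbook of the shape steps 4 and 5 describe into a directory, checks that the two files steps 2 and 3 ask for are in place (with the private key readable only by its owner, since ssh refuses a world-readable key and the play would fail at "Gathering Facts"), and then runs ansible-playbook with the same flags as above. The inventory variable names host_environment and principals, the role path roles/common, the role name web-developers and the host address are assumptions or constructed sample values.

```shell
#!/bin/sh
# Added example (not from the PrivX docs or the GitHub playbook).
# Variable names host_environment/principals and the roles/common layout
# are assumptions about how the example playbook passes deploy.py options.
set -eu

# Write an inventory like the one step 4 describes. Sample values are constructed.
write_inventory() {
  dir="$1"
  cat > "$dir/privx_hosts" <<'EOF'
[webservers]
ubuntu1 ansible_host=198.51.100.10

[webservers:vars]
ansible_user=ubuntu
ansible_ssh_private_key_file=privx_test.pem
ansible_python_interpreter=/usr/bin/python2.7
host_environment=--standalone
principals=--principals web-developers
EOF
}

# Write a minimal playbook whose task names match the expected output above.
# deploy.py is copied from the playbook directory (step 3) and run with the
# platform flag and the role list from the inventory.
write_playbook() {
  dir="$1"
  mkdir -p "$dir/roles/common/tasks"
  cat > "$dir/privx_hosts.yml" <<'EOF'
- name: Deploy PrivX hosts
  hosts: webservers
  roles:
    - common
EOF
  cat > "$dir/roles/common/tasks/main.yml" <<'EOF'
- name: Copy deploy.py script to target host
  copy:
    src: "{{ playbook_dir }}/deploy.py"
    dest: /tmp/deploy.py
    mode: "0700"

- name: Run deployment script
  command: "{{ ansible_python_interpreter }} /tmp/deploy.py {{ host_environment }} {{ principals }}"
EOF
}

# Check the files from steps 2 and 3. Returns 1 with a message on stderr if
# deploy.py or privx_test.pem is missing or the key is readable by others.
check_prereqs() {
  dir="$1"
  [ -f "$dir/deploy.py" ] || { echo "missing $dir/deploy.py" >&2; return 1; }
  [ -f "$dir/privx_test.pem" ] || { echo "missing $dir/privx_test.pem" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  perms=$(stat -c %a "$dir/privx_test.pem" 2>/dev/null || stat -f %Lp "$dir/privx_test.pem")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "privx_test.pem has mode $perms; expected 600" >&2; return 1 ;;
  esac
}

# Step 5: run the playbook with -b so deploy.py can edit the OpenSSH server config.
run_deploy() {
  dir="$1"
  check_prereqs "$dir"
  (cd "$dir" && ansible-playbook -b -i privx_hosts privx_hosts.yml)
}

# Usage: sh privx_deploy.sh privx_ansible
# Runs only when a directory argument is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  write_inventory "$1"
  write_playbook "$1"
  run_deploy "$1"
fi
```

Keep privx_test.pem at mode 600 and out of version control; the check above only guards against the permission mistake, not against committing the key alongside the playbook.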

You should see output similar to the following on successful deployment:

PLAY [Deploy PrivX hosts]
****************************************

TASK [Gathering Facts]
****************************************
ok: [ubuntu1]

TASK [common : Copy deploy.py script to target host]
****************************************
ok: [ubuntu1]

TASK [common : Run deployment script]
****************************************
changed: [ubuntu1]

PLAY RECAP
****************************************
ubuntu1: ok=3    changed=2    unreachable=0    failed=0

By default the deployment script fails with already-deployed hosts. If you want to be able to rerun the script for the same host, you must enable Deployable in the host's settings in PrivX.
