Ansible management of frequently off machines
I'd like to use Ansible to manage configuration on about a dozen Linux workstations. The problem is that, being physical machines that people use, they're frequently off. So I need a solution for ensuring that, as I change the centralized configuration, it gets not only pushed out to machines that are up, but that it eventually gets pushed to machines that come up weeks from now.
The idea I've had, and I'm open to better, is to have a cron job run @reboot to SSH into the server and request the playbook run against itself.
That seems to mean I need to:
- Create a deploy user on the server (deploy@server)
- Create a deploy user on each workstation (deploy@ws) and give them sudo powers.
- Add the public key for deploy@server to the authorized_keys of deploy@ws
- Generate a new SSH key for deploy@ws, and add that newly generated SSH key to the authorized_keys of deploy@server
- Set up a workstation cron job to run as deploy@ws to SSH into the server and run ansible-playbook with a --limit of the workstation in question. That job runs as deploy@server, who then SSHs back in as deploy@ws to actually do the configuration.
That feels more than a little convoluted. Is there some more straightforward solution for this that I'm missing?
Solution 1:
Proxying to a central server and back is not needed. Install Python and Ansible on managed nodes and run plays on the local host. This changes Ansible from a push to a pull.
ansible-pull is the most well known example of such a script. It assumes plays can be retrieved from a source control repository. Not the most elegant thing, but certainly a useful example of scripting ansible-playbook with ad-hoc inventory. Namely, it by default limits the host pattern to localhost plus socket.getfqdn(), so you can provide the full inventory but it only runs for itself.
An advantage of such a pull model is possibly removing the need for privileged remote users, if the script is run as root in a scheduled task.
Disadvantage: this is much easier to run on hosts that can run Ansible, so POSIX operating systems, not Windows or network gear. Tracking inventory doesn't get easier in a pull model; consider implementing some kind of reporting by turning on callback plugins.
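A concrete shape for the pull-mode scheduled job this answer describes, as an added example (not from the answer and not ansible-pull's own source): the host pattern is restricted to localhost plus the machine's own FQDN, so a shared inventory only ever matches the node running the job. The repository path, playbook name and inventory file name are assumptions.

```python
"""Minimal pull-mode runner: the scheduled job refreshes the playbook checkout
and runs ansible-playbook against the local host only, the way the answer
describes ansible-pull working. Added illustration, not ansible-pull's code."""
import socket
import subprocess
import sys
from pathlib import Path


def local_host_pattern(fqdn=None):
    """Build the --limit pattern ansible-pull-style: localhost plus this host's
    FQDN and short name, so a full shared inventory only matches ourselves."""
    fqdn = fqdn or socket.getfqdn()
    names = ["localhost", "127.0.0.1", fqdn]
    short = fqdn.split(".")[0]
    if short and short not in names:
        names.append(short)
    return ",".join(names)


def playbook_command(repo_dir, playbook="local.yml", inventory="hosts", fqdn=None):
    """argv for a local-connection run restricted to this machine.
    repo_dir, playbook and inventory are an assumed layout, not fixed by Ansible."""
    repo = Path(repo_dir)
    return [
        "ansible-playbook",
        "--connection", "local",
        "--inventory", str(repo / inventory),
        "--limit", local_host_pattern(fqdn),
        str(repo / playbook),
    ]


def pull_and_run(repo_dir, **kwargs):
    """Refresh the checkout, then apply it. Meant for a root cron or @reboot job,
    which is what removes the need for a privileged remote user on the node."""
    subprocess.run(["git", "-C", str(repo_dir), "pull", "--ff-only"], check=True)
    return subprocess.run(playbook_command(repo_dir, **kwargs), check=False).returncode


if __name__ == "__main__":
    # Assumed default checkout location; pass another path as the first argument.
    sys.exit(pull_and_run(sys.argv[1] if len(sys.argv) > 1 else "/etc/ansible-local"))
```

Run it from a root crontab with `@reboot` and a periodic entry so a workstation that was off for weeks converges the next time it boots.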
Solution 2:
Please take a look at ansible-pull. I feel like you're about to try to recreate it.