@@ -216,7 +216,7 @@ using the group variable system.</p>
...
@@ -216,7 +216,7 @@ using the group variable system.</p>
stop.yml</pre>
stop.yml</pre>
</div>
</div>
<p>Any directories or files not needed can be omitted. Not all modules may require <cite>vars</cite> or <cite>files</cite> sections, though most
<p>Any directories or files not needed can be omitted. Not all modules may require <cite>vars</cite> or <cite>files</cite> sections, though most
will require <cite>handlers</cite>, <cite>tasks</cite>, and <cite>templates</cite>. To review what each of these sections do, see ref:<cite>playbooks</cite> and ref:<cite>playbooks2</cite>.</p>
will require <cite>handlers</cite>, <cite>tasks</cite>, and <cite>templates</cite>. To review what each of these sections do, see <aclass="reference internal"href="playbooks.html"><em>Playbooks</em></a> and <aclass="reference internal"href="playbooks2.html"><em>Advanced Playbooks</em></a>.</p>
<p>The acme/setup.yml playbook would be as simple as:</p>
<p>The acme/setup.yml playbook would be as simple as:</p>
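Review bot: in the changed sentence, "To review what each of these sections do" should read "does", since the subject is "each"; the line is already being touched to replace the literal "ref:" text with links to playbooks.html and playbooks2.html, so fix the verb in the same change. The old text "ref:<cite>playbooks</cite>" looks like a cross-reference role that was not resolved when the page was built, so if this HTML is generated, make the correction in the documentation source as well, otherwise the next build will reintroduce the broken text.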
@@ -220,7 +220,7 @@ of control. Further, it was designed for deploying multi-node applications from
...
@@ -220,7 +220,7 @@ of control. Further, it was designed for deploying multi-node applications from
</div>
</div>
<divclass="section"id="simple-secure-by-default">
<divclass="section"id="simple-secure-by-default">
<h1>Simple & Secure By Default<aclass="headerlink"href="#simple-secure-by-default"title="Permalink to this headline">¶</a></h1>
<h1>Simple & Secure By Default<aclass="headerlink"href="#simple-secure-by-default"title="Permalink to this headline">¶</a></h1>
<p>Compared with most configuration managememnt tools, Ansible is also much more secure. While most configuration management tools use a daemon, running as root with full access to the system, with its own in-house developed PKI infrastructure, Ansible just uses SSH (and supports sudo as necessary). There is no additional attack surface and OpenSSH is one of the most peer reviewed security components out there.
<p>Compared with most configuration managememnt tools, Ansible is also much more secure. While most configuration management tools use a daemon, running as root with full access to the system, with its own in-house developed PKI infrastructure, Ansible just uses SSH (and supports sudo as neccesssary). There is no additional attack surface and OpenSSH is one of the most peer reviewed security components out there.
If a central server containing your playbooks are comprimised, your nodes are not – which is NOT the case
If a central server containing your playbooks are comprimised, your nodes are not – which is NOT the case
of these other tools, which can, more or less, turn into a botnet. Our security approach is to avoid writing custom
of these other tools, which can, more or less, turn into a botnet. Our security approach is to avoid writing custom
crypto code altogether, and rely on the most secure part of the Linux/Unix subsystem that your machines are already using. There is no PKI subsystem to maintain, which can be a frequent source of problems, particularly when reinstalling or migrating
crypto code altogether, and rely on the most secure part of the Linux/Unix subsystem that your machines are already using. There is no PKI subsystem to maintain, which can be a frequent source of problems, particularly when reinstalling or migrating
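Review bot: the only textual change in this paragraph turns "supports sudo as necessary" into "supports sudo as neccesssary", which introduces a misspelling; restore "necessary". The surrounding lines are unchanged but still carry "managememnt" and "comprimised", and "a central server containing your playbooks are" should be "is", so those are worth fixing in the same pass. The statement that the nodes are not compromised when the playbook server is needs a qualifier: the paragraph itself says management runs over SSH with sudo, so it should say where the SSH credentials that reach the nodes are kept for that claim to hold.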