[libvirt] [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase

Andrea Bolognani posted 5 patches 7 years, 7 months ago
[libvirt] [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase
Posted by Andrea Bolognani 7 years, 7 months ago
Having to bootstrap the guest as a separate phase is annoying and
can be avoided by assuming the root password is well-known.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 ansible/Makefile                |  5 +----
 ansible/bootstrap.yml           | 15 ---------------
 ansible/group_vars/all/main.yml |  1 +
 ansible/site.yml                |  8 ++++++++
 4 files changed, 10 insertions(+), 19 deletions(-)
 delete mode 100644 ansible/bootstrap.yml

diff --git a/ansible/Makefile b/ansible/Makefile
index 39ebe52..6af7ae3 100644
--- a/ansible/Makefile
+++ b/ansible/Makefile
@@ -3,10 +3,7 @@ all:
 site:
 	@ansible-playbook site.yml
 
-bootstrap:
-	@ansible-playbook --ask-pass bootstrap.yml
-
 clean:
 	@rm -f *.retry log
 
-.PHONY: all site bootstrap clean
+.PHONY: all site clean
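Review bot: with the `bootstrap` target and its `--ask-pass` prompt removed, nothing in the Makefile tells the user that `make site` now depends on the guest accepting a stored root password. A short comment above `site:` stating that precondition would make a failed first run easier to diagnose.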
diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml
deleted file mode 100644
index 544dd9d..0000000
--- a/ansible/bootstrap.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- hosts: all
-  gather_facts: no
-
-  tasks:
-
-    # Bootstrap Ansible itself
-    - include: tasks/bootstrap.yml
-
-- hosts: all
-
-  tasks:
-
-    # Prepare the base environment
-    - include: tasks/base.yml
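Review bot: the second play of the deleted file included `tasks/base.yml`, and the site.yml hunk in this patch only carries over the `tasks/bootstrap.yml` play. Please confirm that `tasks/base.yml` is already included further down in site.yml (below the `vars_files` context shown), otherwise the base environment setup is silently dropped.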
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index 81b7d43..493a51d 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -1,5 +1,6 @@
 ---
 ansible_user: root
+ansible_ssh_pass: root
 
 jenkins_url: https://ci.centos.org/computer/{{ inventory_hostname }}/slave-agent.jnlp
 
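Review bot: `ansible_ssh_pass: root` commits a plaintext, guessable root credential to group_vars/all, so it applies to every host in the inventory and stays valid after bootstrap. Consider using the password only for the first connection and then switching to key-based auth, or at least keeping the value out of the repository (for example in a vaulted or generated file).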
diff --git a/ansible/site.yml b/ansible/site.yml
index e6cf10d..9c75dcb 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -1,5 +1,13 @@
 ---
 - hosts: all
+  gather_facts: no
+
+  tasks:
+
+    # Bootstrap Ansible itself
+    - include: tasks/bootstrap.yml
+
+- hosts: all
 
   vars_files:
     - vars/mappings.yml
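Review bot: the bootstrap play added at the top of site.yml now runs on every `make site`, where it used to run only on an explicit `make bootstrap`. The contents of `tasks/bootstrap.yml` are not visible in this patch, so please make sure they are safe to re-run on an already bootstrapped guest, or guard the include.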
-- 
2.13.6

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase
Posted by Pavel Hrdina 7 years, 6 months ago
On Mon, Oct 16, 2017 at 06:02:04PM +0200, Andrea Bolognani wrote:
> Having to bootstrap the guest as a separate phase is annoying and
> can be avoided by assuming the root password is well-known.

I'm not sure about this.  Yes the password will be well known for us
but I would rather have it generated and stored somewhere on the host.

The guests are hidden from internet but they are still connected to
jenkins and are executing commands provided by jenkins.  Maybe I'm
just too paranoid :).

Pavel
Re: [libvirt] [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase
Posted by Daniel P. Berrange 7 years, 6 months ago
On Tue, Oct 17, 2017 at 06:05:23PM +0200, Pavel Hrdina wrote:
> On Mon, Oct 16, 2017 at 06:02:04PM +0200, Andrea Bolognani wrote:
> > Having to bootstrap the guest as a separate phase is annoying and
> > can be avoided by assuming the root password is well-known.
> 
> I'm not sure about this.  Yes the password will be well known for us
> but I would rather have it generated and stored somewhere on the host.
> 
> The guests are hidden from internet but they are still connected to
> jenkins and are executing commands provided by jenkins.  Maybe I'm
> just too paranoid :).

Could we just generate a random root password, but install SSH public
keys and set SSH to only permit public key auth. 

That way if there is compromised code that we build for whatever
reasons, it can't use 'su' to escalate to root in the build VMs.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [libvirt] [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase
Posted by Pavel Hrdina 7 years, 6 months ago
On Tue, Oct 17, 2017 at 05:11:40PM +0100, Daniel P. Berrange wrote:
> On Tue, Oct 17, 2017 at 06:05:23PM +0200, Pavel Hrdina wrote:
> > On Mon, Oct 16, 2017 at 06:02:04PM +0200, Andrea Bolognani wrote:
> > > Having to bootstrap the guest as a separate phase is annoying and
> > > can be avoided by assuming the root password is well-known.
> > 
> > I'm not sure about this.  Yes the password will be well known for us
> > but I would rather have it generated and stored somewhere on the host.
> > 
> > The guests are hidden from internet but they are still connected to
> > jenkins and are executing commands provided by jenkins.  Maybe I'm
> > just too paranoid :).
> 
> Could we just generate a random root password, but install SSH public
> keys and set SSH to only permit public key auth. 

That's the idea, having the root password stored on the host is just
if something goes wrong and you need to use serial console.

Pavel
Re: [libvirt] [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase
Posted by Andrea Bolognani 7 years, 6 months ago
On Tue, 2017-10-17 at 18:16 +0200, Pavel Hrdina wrote:
> > Could we just generate a random root password, but install SSH public
> > keys and set SSH to only permit public key auth. 
> 
> That's the idea, having the root password stored on the host is just
> if something goes wrong and you need to use serial console.

Yeah, I like it. I'll figure out something.

-- 
Andrea Bolognani / Red Hat / Virtualization
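
The approach the thread converges on (a generated root password kept for serial console use, SSH public keys installed, sshd limited to public key auth), sketched as an Ansible play. This is an added example, not part of the posted series or the libvirt-jenkins-ci repository; the credentials path, the public key location, the sshd binary path and the service name are assumptions.

```yaml
---
# Added example; paths and names below are assumptions, not the project's.
- hosts: all
  gather_facts: no

  vars:
    # The password lookup generates a random value on first use and stores
    # it in this file on the machine running Ansible; later runs read it
    # back, so it stays available for serial console logins.
    root_password: "{{ lookup('password', 'credentials/' + inventory_hostname + '/root length=32 chars=ascii_letters,digits') }}"

  tasks:

    # Install the key first: the first run still connects with the
    # well-known password, later runs authenticate with this key.
    - name: Install the public key for root
      authorized_key:
        user: root
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        state: present

    # No fixed salt is passed, so this task reports "changed" on each run.
    - name: Replace the well-known root password with the generated one
      user:
        name: root
        password: "{{ root_password | password_hash('sha512') }}"

    # validate makes sshd check the edited file before it is put in
    # place, so a broken config cannot lock the guest out.
    - name: Only permit public key authentication over SSH
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { key: PasswordAuthentication, value: 'no' }
        - { key: ChallengeResponseAuthentication, value: 'no' }
      notify: restart sshd

  handlers:

    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

With the root password random, code running as an unprivileged build user cannot use `su` with a known credential, which is the escalation path raised in the thread.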
