Using Ansible to Manage install and update Apple OSX DHCP clients
- 
 To ask: can I add hosts by hostname to the hosts file rather than by IP address? Since these systems are portable, their IP can change at a moment's notice, which would cause all kinds of SSH complaints like WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
- 
 @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    To ask: can I add hosts by hostname to the hosts file rather than by IP address? Since these systems are portable, their IP can change at a moment's notice, which would cause all kinds of SSH complaints like WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
 Yes. That was one of the first things I recommended.
- 
 @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    To ask: can I add hosts by hostname to the hosts file rather than by IP address? Since these systems are portable, their IP can change at a moment's notice, which would cause all kinds of SSH complaints like WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
 Yeah, that's why I said you can use either FQDN or IP address, and why I also mentioned disabling host key checking for Ansible. There are times not to disable it, but it shouldn't matter in this case.
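An added example of what the two options discussed above look like in inventory form; it is not code from anyone in the thread, and the hostnames, the `ansible` account and the key paths are made up. Disabling host key checking (`ansible_host_key_checking: false`, shown commented out) silences the warning by switching off the check that lets SSH notice a man-in-the-middle or a swapped machine. Connecting by hostname keeps known_hosts keyed to the name rather than the address, and `CheckHostIP=no` tells ssh not to record or compare the IP at all, so a new DHCP lease no longer trips the warning while a changed host key still does.

```yaml
# inventory.yml - added example, not from the thread. Hostnames, user and
# key paths are placeholders; each Mac must resolve by its name (DNS or mDNS),
# otherwise Ansible falls back to the very IP problem being avoided.
all:
  children:
    apple_workstations:
      hosts:
        mac-dustin.corp.example:
        mac-lab01.corp.example:
      vars:
        ansible_user: ansible
        ansible_ssh_private_key_file: ~/.ssh/ansible_ed25519
        # Preferred: keep host key checking on and match known_hosts by name.
        # CheckHostIP=no stops ssh from also storing and comparing the IP,
        # which is what changes under DHCP; a changed host KEY still warns.
        # StrictHostKeyChecking=yes means unknown hosts are refused, so the
        # known_hosts file below has to be seeded when a Mac is enrolled.
        ansible_ssh_common_args: >-
          -o StrictHostKeyChecking=yes
          -o CheckHostIP=no
          -o UserKnownHostsFile=~/.ssh/ansible_known_hosts
        # The shortcut suggested in the thread. It also hides a real key
        # change, so leave it off for laptops that roam onto other networks:
        # ansible_host_key_checking: false
```

To seed the pinned known_hosts file, record each Mac's key when you enroll it (`ssh-keyscan -t ed25519 mac-lab01.corp.example >> ~/.ssh/ansible_known_hosts`) and compare the fingerprint against `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the machine itself; after that, an `ansible -m ping apple_workstations` that suddenly fails on a host is worth a look rather than a `-o StrictHostKeyChecking=no`.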
- 
 So you are going to have SSH open on everything while allowing root and/or password login? TF? 
- 
 @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    So you are going to have SSH open on everything while allowing root and/or password login? TF?
 SSH is open on Mac OSX by default already; nothing I'm doing is opening that. I'm looking to set up SSH keys also. I've already set up SSH keys, so I'm not sending passwords. This is also still very early stage testing, and things can be changed/improved well before deployment.
- 
 @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    So you are going to have SSH open on everything while allowing root and/or password login? TF?
 You can use keys (recommended). Also, ideally you only run your management tools from one subnet. You only open SSH on the clients to that subnet. No reason for client1 to be able to SSH to client2. You could also get more restrictive and only allow specific IPs.
- 
 @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    So you are going to have SSH open on everything while allowing root and/or password login? TF?
 Maybe tone it down a tad, since you apparently don't understand what's happening. We are recommending using keys for authentication, using the password only to set that up. Second, where did the allowing root come from? That never came up. Third, I know you're on the "Salt is the savior of everything" train, but SSH is just as secure as ZeroMQ. If you limit where SSH access can come from to a subnet (like @IRJ mentioned) or a single machine, it's pretty much exactly what you have with ZeroMQ, just not a message bus. Plus this is ignoring the fact that when you get to fully immutable infrastructure (I realize the Macs aren't that) you can leverage Ansible through tools like Packer to build your image and never need SSH after the fact, because you don't ever log in again at all.
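As an added example of the restriction @IRJ and @stacksofplates describe (not anything posted in the thread), here is a playbook that locks each Mac's sshd down to key authentication from a single management subnet. The subnet 10.10.0.0/24, the `ansible` account and the key file under `files/` are assumptions; the first run still has to go over the bootstrap password (`-k -K`), after which only the key from that subnet works.

```yaml
---
# lockdown-ssh.yml - added example, not from the thread. Assumes a management
# subnet of 10.10.0.0/24, an admin account "ansible" on every Mac, and the
# controller's public key saved as files/ansible_ed25519.pub.
- name: Restrict SSH on managed Macs to key auth from the management subnet
  hosts: apple_workstations
  become: true
  vars:
    mgmt_cidr: 10.10.0.0/24
    mgmt_user: ansible
  tasks:
    - name: Install the controller key, usable only from the management subnet
      ansible.posix.authorized_key:
        user: "{{ mgmt_user }}"
        key: "{{ lookup('file', 'files/ansible_ed25519.pub') }}"
        # from= is enforced by sshd per key, so even a leaked key is useless
        # from client1 to client2; the no-* options drop tunnelling features
        # a config-management login never needs.
        key_options: 'from="{{ mgmt_cidr }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
        exclusive: true   # removes any other keys in this user's authorized_keys

    - name: Keys only, no root, and deny everyone outside the management subnet
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        marker: "# {mark} ANSIBLE MANAGED: management-subnet lockdown"
        # sshd keeps the FIRST value it sees for a keyword, so any earlier
        # uncommented PasswordAuthentication/PermitRootLogin/AllowUsers line
        # in the file wins over this block; remove or comment those first.
        # Match blocks must be last in the file, which blockinfile's default
        # append-at-end placement satisfies as long as the stock config has
        # no Match block of its own (the macOS default ships none).
        block: |
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PermitRootLogin no
          AllowUsers {{ mgmt_user }}
          Match Address *,!{{ mgmt_cidr }}
              DenyUsers *
        # Never write a config sshd cannot parse, or the next login is gone.
        validate: /usr/sbin/sshd -t -f %s
```

On macOS launchd starts sshd per connection, so the new settings apply from the next session without a restart task. Check the result from a host outside the subnet (`ssh -v ansible@mac-lab01.corp.example` should fail at the server with the key refused and no password prompt) before rolling it out past the test group, and keep a local admin with console access so a mistake in the block cannot lock you out of the machine entirely.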
- 
 @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    Maybe tone it down a tad, since you apparently don't understand what's happening. We are recommending using keys for authentication.
 Yeah, I didn't read all the way down before I wrote that. I don't always have time to read past the first few, and it wasn't mentioned in what I did read. My bad there.
- 
 @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    Third, I know you're on the "Salt is the savior of everything" train, but SSH is just as secure as ZeroMQ.
 No, it's a preference, and for some things Salt works better, nothing more. Just like Fedora is a preference, but I use Ubuntu and others as well where they work better. At work we use Ansible, and it works well for that case. There may be a secondary need for config management in the immediate area I work with, and for that SaltStack will work better naturally vs. Ansible. Just FYI, I take every technology case by case. Just because I show a preference does not EVER mean I choose that by default. I always use the best option for that specific case, regardless of my preference, so long as I have a say.
- 
 @Obsolesce said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    @stacksofplates said in Using Ansible to Manage install and update Apple OSX DHCP clients:
        Third, I know you're on the "Salt is the savior of everything" train, but SSH is just as secure as ZeroMQ.
    No, it's a preference, and for some things Salt works better, nothing more. Just like Fedora is a preference, but I use Ubuntu and others as well where they work better. At work we use Ansible, and it works well for that case. There may be a secondary need for config management in the immediate area I work with, and for that SaltStack will work better naturally vs. Ansible. Just FYI, I take every technology case by case. Just because I show a preference does not EVER mean I choose that by default. I always use the best option for that specific case, regardless of my preference, so long as I have a say.
 I agree. Ansible isn't the best use case for laptop management unless you're using an SD-WAN or you are really immutable with them (kind of like what Google does with their Chromebooks). I mean, there are "workarounds" to do remote callbacks to your config management platform (like remote triggers with Jenkins, provisioning callbacks in Tower, or ansible-pull), but they are a little more advanced and aren't for everyone.
- 
 Okay, so I'm just now getting back to this after the break and the Monday rush. I'm having an issue that doesn't make sense to me. I can't use Ansible to ping any of my hosts (the one of interest is everything dbeue), but I can SSH in without having to enter a password, so key auth is working. What am I missing or have misconfigured here?
- 
 @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    Okay, so I'm just now getting back to this after the break and the Monday rush. I'm having an issue that doesn't make sense to me. I can't use Ansible to ping any of my hosts (the one of interest is everything dbeue), but I can SSH in without having to enter a password, so key auth is working. What am I missing or have misconfigured here?
 That looks like a DNS issue.
- 
 @IRJ I will add the IP and test again, but I'm pretty certain I was unable to ping even by IP address.
- 
 I got it: the config file was set to use root for the remote user. I updated my config file and now I can at least access the client via IP address.
- 
 @DustinB3403 how are you liking ansible so far? 
- 
 @IRJ said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    @DustinB3403 how are you liking Ansible so far?
 I'm still just getting into it. I'm not sure how playbooks work or how to confirm that the formatting is correct.
- 
 So this is where I'm at currently with a playbook I wrote out by hand (not at all sure if it's correct).

    ansible-playbook apple.yml --check
    ERROR! the role 'geerlineguy.homebrew' was not found in /etc/ansible/roles:/root/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/etc/ansible

    The error appears to be in '/etc/ansible/apple.yml': line 11, column 7, but may be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

      roles:
        - geerlineguy.homebrew
          ^ here

 Apple YAML file:

    ---
    - name: Installing 1Password
      # macOS hosts are plain SSH targets; network_cli is the connection plugin
      # for network appliances and needs ansible_network_os, so ssh is used here
      connection: ssh
      gather_facts: false
      hosts: apple_workstations
      vars:
        homebrew_installed_packages:
          - 1password
      roles:
        - geerlineguy.homebrew

 So I guess I need to add something into the roles folder under /etc/ansible/roles.
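Two things a reviewer would flag in the playbook above before worrying about the roles path: the Galaxy role is published under Jeff Geerling's namespace, geerlingguy, so the spelling in the role list is what makes the lookup fail, and 1Password's desktop app is distributed as a Homebrew cask rather than a formula, so listing it under installed packages would not find it. As an added example (not the poster's playbook, and not the role's own code), here is the same job done directly with the `community.general.homebrew_cask` module; it assumes Homebrew is already installed on each Mac for the SSH login user and reuses the `apple_workstations` group from the thread.

```yaml
---
# apple.yml - added example, not the poster's playbook. Installs the 1Password
# desktop app through Homebrew cask without the Galaxy role. Assumes Homebrew
# is already present on each Mac for the user Ansible logs in as.
- name: Install 1Password on the Macs
  hosts: apple_workstations
  gather_facts: true      # needed for the os_family guard below
  become: false           # brew refuses to run as root; stay the login user
  tasks:
    - name: Stop if a non-Mac ever lands in the group
      ansible.builtin.assert:
        that: ansible_facts['os_family'] == 'Darwin'
        fail_msg: "{{ inventory_hostname }} is not macOS, refusing to run brew"

    - name: Install 1Password (a cask, not a formula)
      community.general.homebrew_cask:
        name: 1password
        state: present
        update_homebrew: true   # brew update first, then brew install --cask 1password
      register: cask_result

    - name: Report what changed on each host
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}:
          {{ 'installed 1Password' if cask_result.changed else '1Password already present' }}
```

To confirm the formatting before running anything against real machines, `ansible-playbook --syntax-check apple.yml` catches YAML mistakes and unknown module or keyword names, `ansible-lint apple.yml` flags style problems, and `ansible-playbook --check apple.yml` does a dry run that reports what would change.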
- 
 @DustinB3403 said in Using Ansible to Manage install and update Apple OSX DHCP clients:
    ERROR! the role 'geerlineguy.homebrew' was not found in /etc/ansible/roles:/root/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/etc/ansible
 You need to install the role.
- 
 sudo ansible-galaxy install