10. Where's the problem?
Role example:
- name: Install Software
  shell: curl http://get.mysoftware.com | sudo bash
The script is fetched over plain HTTP, nothing verifies what was received, and it is piped straight into a root shell.
11. CVE-2016-9587
CVE-2016-9587 is rated HIGH in risk: a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command).
12. 2. From two days to 6 hours (Virtual Machines Off The Shelf)
18. Best practice from mitchellh:
https://github.com/mitchellh/vagrant/tree/master/keys
“If you're working with a team or company or with a custom box and you want more secure SSH, you should create your own keypair and configure the private key in the Vagrantfile with 'config.ssh.private_key_path'.”
21. I'll use Packer, and even more, boxcutter because they're so
famous!
But I shouldn't have... because of that:
$ cd boxcutter/debian/script && grep http: *
cmtool.sh: wget -O - http://bootstrap.saltstack.org | sudo sh
cmtool.sh: curl -L http://bootstrap.saltstack.org | sudo sh -s -- git $CM_VERSION
cmtool.sh: wget http://apt.puppetlabs.com/${DEB_NAME}
34. ...
box: Calculating and comparing box checksum...
The checksum of the downloaded box did not match the expected
value. Please verify that you have the proper URL setup and that
you're downloading the proper file.
Expected: imdesperate
Received: 034f4af281e648cd65ca6e8d731128b7d2b3ed40
35. We did it better
GPG-signed checksum data
Metadata files served over TLS with checksum information
https://github.com/quarkslab/packer-ubuntu#security
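The shell below is an added example, not code from the deck, from boxcutter or from quarkslab/packer-ubuntu. It shows what replaces the "curl http://... | sudo bash" task of slide 10 and the cmtool.sh lines of slide 21 (fetch over TLS to a file, compare against a pinned SHA-256, only then run as root), and the box-side check slides 34 and 35 describe: a SHA256SUMS manifest fetched over TLS whose detached GPG signature is checked against a dedicated keyring before the box is compared to its own entry. URLs, file names, the keyring path and the digests are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the deck, boxcutter or quarkslab/packer-ubuntu).
# URLs, file names, keyring path and digests below are assumptions.
set -eu

# Plain http can be rewritten in transit: accept https URLs only.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Lower-case hex SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file against one pinned digest; 0 on match, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] && return 0
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Digest recorded for a file name in a SHA256SUMS-style manifest
# ("<hex>  <name>" per line). Empty output means the name is not listed.
manifest_digest() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# Detached signature check with a dedicated keyring, so an unrelated key in
# the user's default keyring cannot satisfy it. gpg exits non-zero on failure.
verify_manifest_signature() {
    gpg --no-default-keyring --keyring "$1" --verify "$2.asc" "$2"
}

# Bootstrap-script case: download to a temp file, verify the pinned digest,
# and run it with sudo only after the check passed. Replaces "curl | sudo sh".
install_bootstrap() {
    url=$1 expected=$2
    require_https "$url"
    tmp=$(mktemp)
    # --proto '=https' also refuses a redirect to plain http.
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    sudo sh "$tmp"
    rm -f "$tmp"
}

# Box case, step 2: the box must be listed in the manifest and match its entry.
check_box_listed() {
    box=$1 manifest=$2
    expected=$(manifest_digest "$manifest" "$(basename "$box")")
    if [ -z "$expected" ]; then
        echo "$(basename "$box") is not listed in $manifest" >&2
        return 1
    fi
    verify_sha256 "$box" "$expected"
}

# Box case, step 1 + 2: manifest signature first, then the digest comparison.
# $manifest and $manifest.asc are expected to have been fetched over TLS.
verify_box() {
    box=$1 manifest=$2 keyring=$3
    verify_manifest_signature "$keyring" "$manifest"
    check_box_listed "$box" "$manifest"
}

# Illustrative calls (hypothetical URLs and digest):
# install_bootstrap https://bootstrap.example.invalid/install.sh \
#     0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# verify_box ./irma.box ./SHA256SUMS ./packer-ubuntu-signing.gpg
```

Everything except verify_box runs with only sha256sum/shasum, awk and curl; verify_box additionally needs gpg and the publisher's signing key imported into the keyring given as third argument. A matching digest proves the file is the one the publisher listed; the signature on the manifest is what proves the list itself was not swapped on the mirror.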
41. Pip dependencies
Freeze specific versions and do not upgrade unless you check the new versions
Do not download exotic packages, even from PyPI
Do not rely on GitHub repos or things like that
Use offline packages
$ mkdir toto
$ pip download -d ./toto mypackage    # "pip install -d" was removed from pip; pip download fetches without installing
# move the folder to the offline node
$ pip install --no-index --find-links ./toto mypackage
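The script below is an added example, not part of the deck or of IRMA. It turns the three rules above into a check that runs before the offline install: every requirement must be an exact "==" pin, must carry a sha256 hash so pip's --require-hashes mode can refuse a substituted file, and must not point at a git or http URL. File and package names are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck or IRMA). File and package names are assumptions.
set -eu

# Validate a requirements file: exact pins, sha256 hashes, no direct URLs.
# Backslash continuations (the layout pip-compile --generate-hashes emits) are joined first.
check_requirements() {
    awk '
        { sub(/\r$/, "") }
        sub(/\\$/, "") { buf = buf $0; next }        # line continues on the next one
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }               # blank or comment
        line !~ /==/ { print "unpinned: " line | "cat 1>&2"; bad++; next }
        line ~ /(git\+|https?:\/\/)/ { print "direct URL, not a released pin: " line | "cat 1>&2"; bad++; next }
        line !~ /--hash=sha256:/ { print "no sha256 hash: " line | "cat 1>&2"; bad++ }
        END { if (bad) exit 1 }
    ' "$1"
}

# On a host with network access: resolve and fetch exactly the pinned files.
build_wheelhouse() {
    check_requirements "$1"
    pip download --require-hashes -r "$1" -d "$2"
}

# On the isolated node, after copying the wheelhouse over: index disabled,
# hashes mandatory, so only the files listed in the requirements can be installed.
install_offline() {
    check_requirements "$1"
    pip install --no-index --find-links "$2" --require-hashes -r "$1"
}

# Illustrative calls (hypothetical paths):
# build_wheelhouse requirements.txt ./toto
# install_offline requirements.txt ./toto
```

The hashes come from pip itself ("pip hash dist.whl") or from pip-tools ("pip-compile --generate-hashes"); with hashes present pip also refuses any transitive dependency that is not listed, which is the point of freezing.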
42. Apt dependencies
Just use apt-offline
It will be:
Quicker
More secure
More stable
https://packages.debian.org/jessie/apt-offline
43. The result
$ git clone https://github.com/quarkslab/irma.git
$ cd ansible && vagrant up