We're using Ansible to roll out security updates on all our EC2 instances which are running stateful services such as databases, search engines etc. This works fine.
I'm wondering what is the best way to make security updates on the ECS instances (which are running stateless web applications in Docker containers). Due to automatic scaling there is a lot of dynamics in the number of instances and their IP addresses. Ansible uses a hardcoded list of IP addresses (the hosts file), so it seems to not really fit the purpose.
Is it even a good idea to update these instances or should we rather tear them down and spawn new ones every once in a while?
Any best practices from DevOps folks out there?
Update:
I found out that Ansible supports dynamic inventory. There is a script that fetches information about the hosts from AWS and generates a dynamic inventory for Ansible, this works fine.
However, one problem remains. Whenever there is a new host that I had not connected to before, the following message is displayed and must be confirmed manually.
The authenticity of host '10.0.1.247 (10.0.1.247)' can't be established.
ECDSA key fingerprint is SHA256:GSogs6P6CzbOzLm9ByWsXkfz7/2A4qwj4PDvczApS/I.
Are you sure you want to continue connecting (yes/no)? yes
This is very annoying as I want to implement a fully automated update mechanism. Is there a solution for this problem?
Best Answer
Modify the
ssh_connectionof theansible.cfg, so that it contains-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/nullarguments.For example: