Nginx – Running ansible from webserver to manage infrastructure

Tags: ansible, nginx, PHP, php-fpm, user-permissions

I have nginx with php app. I have also installed ansible and copied playbooks on this server. What I want to do is run ansible playbooks through webapp. I want to know how to do this safe way.

Nginx is running under user nginx, php-fpm is running under apache and ansible has its own user.
Php app is in /var/www/html/ and ansible playbooks are in /var/www/html/ansible, but these dirs are readable for everyone.

So the flow should look like:

  1. user selects action on webpage
  2. ajax sends it to php
  3. php prepares ansible command and runs ansible playbook
  4. ansible runs
  5. php catches stdout&stderr and sends it back to webpage as json
  6. ajax will show stdout&stderr on webpage.

Now, in php script, I plan to exec('ansible-playbook site.yml -t …'). This will be executed as apache user. Or should I start it under ansible's user with sudo? Or better is to start nginx,php-fpm and ansible under nobody?

Not sure what is the best for this.

Thank you for your opinions.

Best Answer

Existing web interfaces for Ansible include:

Should you wish to build your own, use ansible-runner as the script/Python library/container to run Ansible in. ansible-playbook is for interactive use and does not have a stable API.

Before writing your own thing, understand this is a privileged application that could do many things to your infrastructure. You are not limited by the default security model for your installed web servers.

For example, you could have a job runner daemon that runs as its own dedicated user, separate from the user the web server runs as. This way, compromising user nginx doesn't automatically get sudo to root, you also would need to go through some API.

Also appreciate the possibilities to isolate running playbooks. AWX chose to implement chroot style job isolation.

Development of a secure, usable web app in general is way too big a topic for one answer, and there are better Stack Exchange sites for development topics. Study what already exists.
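One way to build the job-runner daemon the answer describes, as an added example that is not part of the original answer or of ansible-runner itself: a small Python service that listens on a Unix socket owned by a dedicated runner user, accepts only a named action from the web side (never a playbook path, tag list or extra-vars of the caller's choosing), checks the connecting process's uid with SO_PEERCRED, and then drives the playbook through the ansible_runner library. The action names, paths, socket location, environment variable and JSON wire format are assumptions made for this example.

```python
"""Job-runner daemon sketch (example, not project code).

php-fpm connects to SOCKET_PATH and sends one line: {"action": "<name>"}.
The daemon, running as its own user, validates the name against ACTIONS and
runs the matching playbook with ansible-runner. All names below are assumed.
"""
import json
import os
import socket
import socketserver
import struct

# Allowlist (assumed): the web side may only choose an entry here; the daemon
# decides which playbook and tags that entry maps to.
ACTIONS = {
    "deploy-web": {"playbook": "site.yml", "tags": ["web"]},
    "restart-db": {"playbook": "site.yml", "tags": ["db", "restart"]},
}
PRIVATE_DATA_DIR = "/var/lib/ansible-runner"   # assumed; owned by the runner user, not world-readable
SOCKET_PATH = "/run/ansible-runner/jobs.sock"  # assumed
# Assumed: uids allowed to submit jobs (the php-fpm user), e.g. RUNNER_CLIENT_UIDS=48.
# Empty set means every client is refused (fail closed).
ALLOWED_CLIENT_UIDS = frozenset(
    int(u) for u in os.environ.get("RUNNER_CLIENT_UIDS", "").split(",") if u.strip()
)


class RequestError(ValueError):
    """Raised for any request that does not match the allowlist exactly."""


def parse_request(raw: bytes) -> str:
    """Decode {"action": "<name>"} and return the validated action name."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RequestError(f"malformed request: {exc}") from None
    if not isinstance(req, dict) or set(req) != {"action"}:
        raise RequestError("request must contain exactly one key: action")
    action = req["action"]
    if not isinstance(action, str) or action not in ACTIONS:
        raise RequestError(f"unknown action {action!r}")
    return action


def request_error(raw: bytes):
    """Return the rejection reason for a request, or None if it is acceptable."""
    try:
        parse_request(raw)
    except RequestError as exc:
        return str(exc)
    return None


def runner_kwargs(action: str) -> dict:
    """Map an allowlisted action to keyword arguments for ansible_runner.run()."""
    spec = ACTIONS[action]
    return {
        "private_data_dir": PRIVATE_DATA_DIR,
        "playbook": spec["playbook"],
        "tags": ",".join(spec["tags"]),
        "quiet": True,
    }


def run_job(action: str) -> dict:
    """Run the playbook and return a JSON-serialisable summary for the web app."""
    import ansible_runner  # imported here so the validation code is testable without it

    r = ansible_runner.run(**runner_kwargs(action))
    return {"status": r.status, "rc": r.rc, "stdout": r.stdout.read()}


def peer_uid(conn: socket.socket):
    """uid of the connecting process via SO_PEERCRED (Linux), or None if unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


class JobHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Refuse anyone who is not the web server user, even if they reached the socket.
        if peer_uid(self.request) not in ALLOWED_CLIENT_UIDS:
            self.wfile.write(b'{"error": "client not permitted"}\n')
            return
        try:
            result = run_job(parse_request(self.rfile.readline()))
        except RequestError as exc:
            result = {"error": str(exc)}
        self.wfile.write(json.dumps(result).encode("utf-8") + b"\n")


if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    with socketserver.UnixStreamServer(SOCKET_PATH, JobHandler) as srv:
        os.chmod(SOCKET_PATH, 0o660)  # owner: runner user; group shared with php-fpm (assumed)
        srv.serve_forever()
```

The PHP side then only needs to open the socket, write one JSON line and read one back; the string it sends is never part of a command line, so an injected `; rm -rf /` or a caller-supplied tag list is rejected by `parse_request` before Ansible is involved. Run the daemon under its own systemd unit as the ansible user with `RUNNER_CLIENT_UIDS` set to the php-fpm uid, and keep the playbooks out of the web root so the web server user cannot edit what the runner will execute.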
