synchronize between 2 files on remote host uses private_key

[Michael Spiegle]

I have a simple task to copy a file from one path to another on a remote host.  I need a private key to SSH into the remote host, but the synchronize module automatically uses my private key in the rsync command too which seems unnecessary:

ansible-playbook --private-key=keys/mykey.pem playbook.yml --tags='main,role-timezone-set-localtime' -vvvv

... some ansible output ...
TASK: [timezone | set /etc/localtime to UTC] **********************************
(redacted output)

failed: [remote_machine -> remote_machine] => {"cmd": "rsync --delay-updates -FF --compress --checksum --archive --rsh 'ssh -i keys/mykey.pem -S none -o StrictHostKeyChecking=no' --out-format='<<CHANGED>>%i %n%L' \"us...@1.2.3.4:/usr/share/zoneinfo/UTC\" \"/etc/localtime\"", "failed": true, "rc": 255}

msg: Warning: Identity file keys/mykey.pem not accessible: No such file or directory.
ssh: connect to host 1.2.3.4 port 22: Connection timed out
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(605) [Receiver=3.0.9]

In the above, you can see that the rsync process running on the remote machine is trying to use an ssh private key to log into itself, but that key only exists on my laptop where I'm running Ansible from.  Here's what my task looks like (I tried nulling the private_key to no avail):

- name: set /etc/localtime to {{timezone}}

 synchronize:

   src: "{{tzfile}}"

   dest: /etc/localtime

   mode: pull

   times: yes

   checksum: yes

   private_key: ""

 delegate_to: "{{inventory_hostname}}"

 tags: role-timezone-set-localtime

[James Cammarata]

Hi Michael, have you tried setting the key option via the rsync_opts and/or rsync_path parameters to synchronize module?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2d473d23-d164-4fc1-9b3a-5d051e179836%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michael Spiegle]

I looked at the module code and it seemed like it would automatically add the key if it was being used.  I ended up running rsync directly using the command module and it seems to be working now.

Looking at the rsync_opts argument, it seems like it will only append to the existing arguments, not change any existing arguments.  Did this work for you?

[James Cammarata]

Actually, looking through the code I believe you're correct. Setting the option for -i again *might* work (assuming the rsync command will override the setting with the second value, instead of throwing an error), however I think using the rsync command directly is what you want anyway, as you said the rsync is for a remote -> remote copy. The synchronize module will only push or pull the file from or to the remote host and the Ansible controller normally - there is no option to do a completely remote rsync. I'm kind of surprised that using the delegate_to option makes it kind of work this way at all.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1ebada87-76b4-4a23-bdd9-5eb40a65405b%40googlegroups.com.

[ja...@ioctl.org]

On Mon, 9 Feb 2015, James Cammarata wrote:

> Actually, looking through the code I believe you're correct. Setting the
> option for -i again *might* work (assuming the rsync command will override
> the setting with the second value, instead of throwing an error), however I
> think using the rsync command directly is what you want anyway, as you said
> the rsync is for a remote -> remote copy. The synchronize module will only
> push or pull the file from or to the remote host and the Ansible controller
> normally - there is no option to do a completely remote rsync. I'm kind of
> surprised that using the delegate_to option makes it kind of work this way
> at all.

Actually, I've just tripped over this. I was attempting to use synchronize
to transfer files from the controller to a destination host. The
synchronize task was invoked with a remote_user: root, but run as a normal
user on the controller.

What happens, it seems, is that ansible first attempts to make an ssh
connection to root@localhost, to ship over the ansible module that'll
perform the sync; then that runs - and fails, because the root user
doesn't have the credentials available to make the conneciton to the
destination machine.

I could understand this being reasonable behaviour to support delegate_to,
but is there a way to make synchronize simply invoke rsync directly in the
common case (where the soruce is the ansible controller)?

(At the moment I have to use rsync via local_action, which feels pretty
ugly.)

Cheers,
jan


--
ja...@ioctl.org http://ioctl.org/jan/ Short, dark, ugly: pick any three
ioctl(2): probably the coolest Unix system call in the world