Idempotency: How to determine which user to use when root is no longer allowed?


Johannes Kastl

Jan 18, 2017, 2:59:00 PM1/18/17
to ansible...@googlegroups.com
Hi there,

say I get a new instance somewhere that allows logins as root. I want
to run a playbook that configures the machine and no longer allows
root logins. And I want it to be idempotent. ;-)

Consider this mock-up playbook:

################
- hosts: foobar
  vars:
    ansible_user: root
  tasks:
    - name: "Change sshd configuration and no longer allow root logins"
      ...
      ...

- hosts: foobar
  vars:
    ansible_user: bob
  tasks:
    - name: "Do stuff as bob via sudo..."
      ...
################

If I run this twice, the second run fails, as root is no longer
allowed after the first run.

How do I gracefully determine whether root is allowed to log in or not?
Apparently the "unreachable" error cannot be ignored (ignore_errors
or failed_when: false), and this always fails.

For a port change in sshd I would use this and check if it fails:
################
- wait_for:
    port: "22"
    state: "started"
    host: "foobar"
    connect_timeout: "5"
    timeout: "10"
  register: "some_variable"
  ignore_errors: "true"
  delegate_to: localhost
################

How do I do this for a username change rather than a port change?

Johannes
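An added example, not part of the post above: a single play that probes from the control node which account still accepts a login, sets ansible_user from the result, and then disables root logins with a validated sshd_config edit, so a second run picks bob instead of failing as unreachable. It assumes key-based authentication for both root and bob, that bob can sudo, the host name foobar from the post, and that sshd lives at /usr/sbin/sshd.

```yaml
# Added example (not from the original post). Assumptions: key-based auth
# for root and bob, bob has sudo, host "foobar" from the post, sshd binary
# at /usr/sbin/sshd.
- hosts: foobar
  gather_facts: false
  tasks:
    - name: "Probe from the control node whether root can still log in"
      # BatchMode prevents a password prompt; a refused login gives rc != 0.
      command: >
        ssh -o BatchMode=yes -o ConnectTimeout=5
        root@{{ ansible_host | default(inventory_hostname) }} true
      delegate_to: localhost
      register: root_probe
      failed_when: false
      changed_when: false

    - name: "Use root only while it is still permitted, otherwise bob"
      # Connection variables set via set_fact apply to the following tasks.
      set_fact:
        ansible_user: "{{ 'root' if root_probe.rc == 0 else 'bob' }}"

    - name: "Disallow root logins in sshd"
      become: true
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        # Reject the edit if the resulting config would not parse.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: "Do stuff as bob via sudo..."
      become: true
      debug:
        msg: "connected as {{ ansible_user }}"

  handlers:
    - name: restart sshd
      become: true
      service:
        name: sshd
        state: restarted
```

On the first run the probe succeeds and the play runs as root; on every later run root is refused, the probe fails without aborting the play, and the remaining tasks run as bob.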
