Need help copying file from specific host to all targets


Gordon Cooke

Jun 6, 2016, 9:13:30 AM
to Ansible Project
I am trying to figure out how to copy a cert file generated on a specific host (ca-server) to the list of hosts defined in the playbook.  The scenario is something like this:

1) using delegate_to go to the ca-server and generate the client cert (stored locally on the ca-server) 
2) copy the client cert to local
3) push cert file to all targets in the play

using the "standard" modules, copy, fetch, synchronize etc. all seem to want to copy the file from local to the targets or fetch from the targets to local.   I do not have direct ssh access from the ca-server to the targets so cannot use "delegate_to" to copy as this appears to execute on the ca-server and tries to connect from there to the targets.  

copy: issue here is that it copies from local to the targets unless you define remote_src as true in which case it is all on the target.
fetch: tries to pull from targets, if delegate_to is used it tries to pull from the targets directly to the delegate 
synchronize: requires direct access from ca-server to the targets

The following is the short version of what I am trying to do...


- hosts: not-the-ca-server
  become: yes          # become_user/become_method alone do not escalate
  become_user: root
  become_method: sudo
  tasks:

  - name: Generate the p12 cert
    command: "do stuff, execute custom script etc."
    delegate_to: ca-server

  - name: copy the p12 file locally
    # this is where I am trying to figure out how to grab the file from the ca-server
    fetch (or something like this): >
      dest=ssl-certs
      src="<path to certs>/foo.p12"

  - name: copy the cert file to the targets
    copy: >
      dest=/etc/ssl/certs/
      src="ssl-certs/foo.p12"
 
There may be an obvious answer here as I am pretty new to ansible but I have bounced this off of a couple of people I know and it stumped them as well...

Thanks for any help.

Gordon

Brian Coca

Jun 6, 2016, 6:02:09 PM
to ansible...@googlegroups.com
looks fine, if you want to avoid copying the cert to disk you might want to switch to slurp and template to generate the copy.

--
----------
Brian Coca

Adam Morris

Jun 7, 2016, 1:32:54 PM
to Ansible Project
Are you trying to generate one cert that is then used on all servers or generate individual certs for each server?

It seems that you are saying that you want to...

1) generate a single cert on the ca server
2) copy that to the ansible server
3) copy that cert to all of the other servers

If that is correct, wouldn't it be best to have one pair of tasks to do 1 and 2 only on the CA server and 3 on the other servers?

Note that the cert will be different every time this is run so it will never not change. Splitting into two separate sets would allow the cert creation to be run independently from copying it out, and keep the cert push to only changing when the cert changes. An alternative would be to use creates to ensure the cert isn't recreated every time.

If the goal is to have a different cert for every host you should be able to just delegate the cert creation task and the fetch task to the ca server.

Gordon Cooke

Jun 7, 2016, 1:37:24 PM
to Ansible Project
Brian, the issue is that it does not work :)

Let me map it out another way. There is a host that is the certificate authority and certs are generated and signed on this host using a script. This host is pretty locked down and has no direct access to the rest of the infrastructure via SSH. The controller (where the playbook is invoked from) will have access to both the cert server and the targets but the targets and the ca server have no direct access.

So the signed cert gets generated doing this:
  - name: Generate the p12 cert
    command: "do stuff, execute custom script etc."
    delegate_to: ca-server

And now I have a cert sitting on the ca server in a file I need to copy to the hosts defined in the playbook. Fetch will pull files from the targets and delegate_to just changes where the fetch gets invoked. What I need to do is copy from the ca-server to local to targets.

Make sense?

Adam Morris

Jun 7, 2016, 1:57:02 PM
to Ansible Project
So, realistically you are saying that a delegated fetch does not do what is expected but a delegated command does.

My understanding is that delegate effectively changes the target, so fetch with delegate should involve the ansible host pulling the certificate from the ca server. If this is not the case then it seems to be a bug.

Gordon Cooke

Jun 7, 2016, 2:00:31 PM
to ansible...@googlegroups.com
My understanding of delegate_to means “run the command you would have run locally on this particular host”, yes? Delegating the command says “run this particular command on this particular host” and a delegated fetch says “run this fetch but run it from this particular host”. I may be totally off here as I only started working with Ansible a few weeks ago but that is the behavior I am seeing.



Adam Morris

Jun 7, 2016, 2:19:02 PM
to Ansible Project
I would disagree with your summary, but I think you are right...

We have three hosts in the equation: the machine we are running ansible on (ansibleServer), the machine we are performing tasks on (inventoryServer), and a delegate machine (delegateServer).

- task: blah blah blah

would cause ansibleServer to run a task on the inventoryServer

- task: blah blah blah
  delegate_to: delegateServer

should cause ansibleServer to run the task on the delegateServer on behalf of the inventoryServer.

So
- fetch: ...
  delegate_to: delegateServer

SHOULD fetch a file from delegateServer to ansibleServer rather than from inventoryServer.

If not then there is a bug in my opinion.

Brian Coca

Jun 7, 2016, 2:19:24 PM
to ansible...@googlegroups.com
On Tue, Jun 7, 2016 at 2:00 PM, Gordon Cooke <jwgc...@sparkred.com> wrote:
> My understanding of delegate_to means “run the command you would have run locally on this particular host”, yes?

Incorrect. It's: the command I would have run on 'inventory_hostname' is run on the 'delegate_to' host instead.

Gordon Cooke

Jun 13, 2016, 7:49:59 AM
to Ansible Project
I apologize for the delay in responding to this.  I will revalidate this but the fetch+delegate_to appears to pull a file from the inventoryServer to the delegateServer.  I will post output as soon as I have it.


Gordon Cooke

Jun 13, 2016, 9:53:41 AM
to Ansible Project
So apparently I was doing something wrong. As Adam indicated it should be, it all just works now... 

Running a simple case test:

- hosts: some_host
  become: yes          # become_user/become_method alone do not escalate
  become_user: root
  become_method: sudo
  tasks:
      - fetch: >
          dest=/tmp/foo
          fail_on_missing=yes
          src=/tmp/foo.txt
        delegate_to: delegateHost

It indeed pulls the right file from the right place.
Thanks for your help!
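As an added example (not code from the thread), here is the whole flow the thread converges on in one play: generate the cert once on the CA via delegate_to, pull it to the controller with the delegated fetch Gordon confirmed works, and push it to every target, followed by Brian's slurp alternative that keeps the bytes off the controller's disk. The group name app_servers, the host name ca-server, the script /usr/local/bin/make-client-cert and the directory /var/lib/ca/out are assumptions.

```yaml
# Added example, not code from the thread; host names, script and paths are assumed.
- hosts: app_servers
  become: yes            # become_user/become_method alone do not escalate
  vars:
    cert_name: client.p12
    ca_out_dir: /var/lib/ca/out
  tasks:
    - name: Generate the cert on the CA, once per play rather than once per target
      command: "/usr/local/bin/make-client-cert {{ cert_name }}"
      args:
        creates: "{{ ca_out_dir }}/{{ cert_name }}"   # do not re-sign if present
      delegate_to: ca-server
      run_once: true

    # Path A: a file on the controller (the delegated fetch Gordon confirmed).
    - name: Pull the p12 from the CA to the controller
      fetch:
        src: "{{ ca_out_dir }}/{{ cert_name }}"
        dest: "ssl-certs/{{ cert_name }}"
        flat: yes                # store exactly at dest, no hostname subdirectory
        fail_on_missing: yes
      delegate_to: ca-server
      run_once: true

    - name: Push the p12 to every target in the play
      copy:
        src: "ssl-certs/{{ cert_name }}"
        dest: "/etc/ssl/certs/{{ cert_name }}"
        mode: "0600"             # the bundle contains a private key

    # Path B: Brian's slurp suggestion, no file written on the controller.
    # Shown for a PEM (text) file: Ansible's b64decode filter returns text,
    # so a binary .p12 should go through Path A instead.
    - name: Read the PEM from the CA into a variable
      slurp:
        src: "{{ ca_out_dir }}/client.pem"
      register: pem
      delegate_to: ca-server
      run_once: true             # registered once, visible to every host in the play
      no_log: true               # keep the base64 blob out of output and logs

    - name: Write the PEM to every target
      copy:
        content: "{{ pem.content | b64decode }}"
        dest: /etc/ssl/certs/client.pem
        mode: "0600"
      no_log: true
```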
