Execute first role (tasks) as root, then proceed with regular admin user


Rens Verhage

Jun 7, 2016, 2:58:55 PM
to Ansible Project
I've been struggling with this some time now. Our production servers authenticate users against an LDAP. Therefore, in the playbook to setup a production server, I'd like to first execute the role that configures SSH to authenticate against the LDAP, disable root login and then proceed with the next role, web server setup or something like that, as my own user, 'verhage'.

Basically, the structure of the playbook is:

playbook.yml:

---
- hosts: test
  become: yes

  roles:
  - ldap         # this role has to run with remote_user root
  - webserver    # from now on, proceed as non-root

It would be great if remote_user could be used per role, something like:

  - ldap { remote_user: root }

Sadly, this is not supported. How should I do a thing like this? I tried adding 'remote_user: root' to all tasks in the ldap role, but I couldn't get that to work either.

The only solution I can think of right now is to create separate playbooks, one for bootstrapping the server with LDAP user authentication, and another containing everything that might be done as a regular user.

All help is appreciated :)


Rens

Johannes Kastl

Jun 7, 2016, 3:51:46 PM
to ansible...@googlegroups.com
On 07.06.16 20:48 Rens Verhage wrote:

> It would be great if remote_user could be used per role, something like:
>
> - ldap { remote_user: root }
>
> Sadly, this is not supported. How should I do a thing like this? I tried
> adding 'remote_user: root' to all tasks in the ldap role, but I couldn't
> get that to work either.

Why is this not supported? Just try the right syntax:

roles:
- { role: ldap, remote_user: root, someVariable: foo}

See https://docs.ansible.com/ansible/playbooks_variables.html#id33
(parametrized roles)

Johannes

Johannes Kastl

Jun 7, 2016, 4:03:23 PM
to ansible...@googlegroups.com
On 07.06.16 21:51 Johannes Kastl wrote:
> roles:
> - { role: ldap, remote_user: root, someVariable: foo}

Maybe you have to change something else. If there is no "gather_facts:
no" before the tasks, ansible will try to connect and gather facts
about the system. If this fails as user verhage, you might have to do
it the other way round:

hosts: foobar
remote_user: root
...
roles:
- {role: ldap}
- {role: whatever, remote_user: verhage}

Or maybe use a playbook with two different plays in it, i.e. two
sections, each starting with "hosts: ..." and containing a roles block.

Johannes

Rens Verhage

Jun 8, 2016, 4:00:24 AM
to Ansible Project
You're right, I didn't get the syntax right. However, with the right syntax, I can't get it to work. The solution with two different plays in the same playbook is the best solution for me, as I don't want the handlers scheduled by the ldap role to be executed after all other roles in the playbook.

I changed my playbook to contain two separate plays:

---
- hosts: test
  remote_user: root

  roles:
  - ldap

- hosts: test
  remote_user: verhage

  roles:
  - webserver

I run the playbook with: ansible-playbook playbook.yml -k

At the password prompt, I enter the password for root and the ldap role executes fine. At the end of the first play, root login over ssh is disabled and all user authentication is done through ldap. Now the second play uses my user 'verhage' to log in and can do so through an ssh private/public key. However, I get the message:

TASK [setup] *******************************************************************
fatal: [test]: UNREACHABLE! => {"changed": false, "msg": "Authentication failed.", "unreachable": true}

Rens Verhage

Jun 8, 2016, 4:14:24 AM
to Ansible Project
What I think is happening here is that at first Ansible logs in with root and the supplied password. On the second play Ansible tries to log in with user verhage, but I think it tries to do so with the root password...

After ansible-playbook terminates, logging in with "ssh verhage test" using SSH keys works with no problem.

Rens Verhage

Jun 8, 2016, 4:15:37 AM
to Ansible Project
> After ansible-playbook terminates, logging in with "ssh verhage test" using SSH keys works with no problem.

Typo: "ssh verhage test" should of course be "ssh verhage@test"

Rens Verhage

Jun 8, 2016, 4:28:52 AM
to Ansible Project
This indeed seems to be the problem, according to /var/log/secure on my test machine:

Apr  7 11:15:11 localhost sshd[3488]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr  7 11:15:11 localhost sshd[1083]: Received signal 15; terminating.
Apr  7 11:15:12 localhost sshd[3523]: Server listening on 0.0.0.0 port 22.
Apr  7 11:15:12 localhost sshd[3523]: Server listening on :: port 22.
Apr  7 11:15:12 localhost sshd[3488]: pam_unix(sshd:session): session closed for user root
Apr  7 11:15:14 localhost unix_chkpwd[3528]: password check failed for user (verhage)
Apr  7 11:15:14 localhost sshd[3526]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.57.1  user=verhage
Apr  7 11:15:15 localhost sshd[3526]: pam_ldap(sshd:auth): Authentication failure; user=verhage
Apr  7 11:15:18 localhost sshd[3526]: Failed password for verhage from 192.168.57.1 port 57056 ssh2
Apr  7 11:15:18 localhost sshd[3526]: Connection closed by 192.168.57.1 [preauth]

For the second play, it tries to connect with the password I supplied on the command line using -k, which is the password for root...
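One way to keep the root password out of the second play, as an added example that is not from this thread: prompt for the password inside the first play with vars_prompt and bind it to ansible_password as a play variable, so it is scoped to the bootstrap play only, and let the second play connect as verhage over key authentication. The key path and the assumption that verhage may use become (sudo) on the host are assumptions, not taken from the thread.

```yaml
---
# Play 1: bootstrap as root. The password is prompted for here and is a
# variable of this play only, so it is never offered on play 2's connection
# (unlike -k / --ask-pass, which applies to every play in the run).
- hosts: test
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "root password (used only for the ldap bootstrap play)"
      private: yes            # input is not echoed on the terminal
  vars:
    ansible_password: "{{ root_password }}"
  roles:
    - ldap                    # its handlers (sshd restart) still run at the end of this play

# Play 2: regular LDAP user over key auth. No ansible_password is defined in
# this play, so Ansible does not fall back to the root password from play 1.
- hosts: test
  remote_user: verhage
  become: yes                 # assumption: verhage is allowed to sudo on the host
  vars:
    ansible_ssh_private_key_file: ~/.ssh/id_ed25519   # assumed key path
  roles:
    - webserver
```

Run it as `ansible-playbook playbook.yml` without `-k`; with `-vvv` the SSH command for the second play should be a plain `ssh ...` invocation rather than one wrapped in `sshpass`, which confirms that no password was passed for verhage.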